Fix pam #688

Draft
wants to merge 5 commits into
base: master
2 changes: 1 addition & 1 deletion molecule/mysql_hardening/molecule.yml
Expand Up @@ -8,7 +8,7 @@ driver:
name: docker
platforms:
- name: instance
image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest"
image: "ghcr.io/dev-sec/docker-${MOLECULE_DISTRO}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-/lib/systemd/systemd}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
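Review bot: The new image reference (reading the `ghcr.io/dev-sec/...` line as the added side) still resolves the floating `:latest` tag, so all four molecule scenarios test against whatever was pushed most recently rather than a known build; the same line appears in the nginx_hardening, os_hardening and ssh_hardening molecule.yml sections. Because the distro is templated through `${MOLECULE_DISTRO}`, a single `@sha256:` digest cannot be pinned on this line, but a versioned tag (or a per-distro digest map in the scenario config) would make the hardening runs reproducible and let a registry move like this one be checked against a known image. If tracking `latest` is deliberate for a CI-only image, a comment above the key such as `# CI-only test image; intentionally tracks latest` records that choice.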
2 changes: 1 addition & 1 deletion molecule/nginx_hardening/molecule.yml
Expand Up @@ -7,7 +7,7 @@ driver:
name: docker
platforms:
- name: instance
image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest"
image: "ghcr.io/dev-sec/docker-${MOLECULE_DISTRO}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-/lib/systemd/systemd}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
2 changes: 1 addition & 1 deletion molecule/os_hardening/molecule.yml
Expand Up @@ -3,7 +3,7 @@ driver:
name: docker
platforms:
- name: instance
image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest"
image: "ghcr.io/dev-sec/docker-${MOLECULE_DISTRO}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-/lib/systemd/systemd}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
43 changes: 21 additions & 22 deletions molecule/os_hardening/prepare.yml
@@ -1,63 +1,62 @@
---
- name: wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing
- name: Wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing
hosts: all
become: true
environment:
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: set ansible_python_interpreter to "/usr/bin/python3" on fedora
set_fact:
ansible_python_interpreter: "/usr/bin/python3"
when: ansible_facts.distribution == 'Fedora'

- name: Run the equivalent of "apt-get update && apt-get upgrade"
apt:
name: "*"
state: latest
- name: Install Python3 on Debian 10
ansible.builtin.apt:
name: python3
state: present
update_cache: true
when: ansible_os_family == 'Debian'

- name: install required tools on SuSE
- name: Set ansible_python_interpreter to "/usr/bin/python3"
ansible.builtin.set_fact:
ansible_python_interpreter: /usr/bin/python3

- name: Install required tools on SuSE
# cannot use zypper module, since it depends on python-xml
shell: "zypper -n install python-xml"
ansible.builtin.shell: zypper -n install python-xml
when: ansible_facts.os_family == 'Suse'

- name: install required tools on fedora
dnf:
- name: Install required tools on fedora
ansible.builtin.dnf:
name:
- python
- findutils
- procps-ng
when: ansible_facts.distribution == 'Fedora'

- name: install required tools on Arch
- name: Install required tools on Arch
community.general.pacman:
name:
- awk
state: present
update_cache: true
when: ansible_facts.os_family == 'Archlinux'

- name: install required tools on RHEL # noqa ignore-errors
yum:
- name: Install required tools on RHEL # noqa ignore-errors
ansible.builtin.yum:
name:
- openssh-clients
- openssh
state: present
update_cache: true
ignore_errors: true

- name: create recursing symlink to test minimize access
shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
- name: Create recursing symlink to test minimize access
ansible.builtin.shell: rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz
changed_when: false

- name: include YUM prepare tasks
include_tasks: prepare_tasks/yum.yml
- name: Include YUM prepare tasks
ansible.builtin.include_tasks: prepare_tasks/yum.yml
when: ansible_facts.os_family == 'RedHat'

- name: include preparation tasks
- name: Include preparation tasks
ansible.builtin.include_tasks:
file: "{{ item }}"
loop:
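Review bot: The Debian task's condition `when: ansible_os_family == 'Debian'` uses the bare injected fact variable while every other condition in this play reads `ansible_facts.*` (`ansible_facts.os_family == 'Suse'`, `ansible_facts.distribution == 'Fedora'`, `ansible_facts.os_family == 'RedHat'`); the bare form only exists while `inject_facts_as_vars` is enabled, so `when: ansible_facts.os_family == 'Debian'` keeps the play consistent and independent of that setting. The task is named `Install Python3 on Debian 10` but the condition matches the whole Debian family, Ubuntu included, so either narrow it with `ansible_facts.distribution_major_version` or rename the task to say what it covers. I am reading the python3 install task as the added side that replaces the `apt-get upgrade` step; the play continues past the end of this hunk.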
43 changes: 21 additions & 22 deletions molecule/os_hardening/verify.yml
Expand Up @@ -7,28 +7,27 @@
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: set ansible_python_interpreter to "/usr/bin/python3"
set_fact:
ansible_python_interpreter: "/usr/bin/python3"
- name: Set ansible_python_interpreter to "/usr/bin/python3"
ansible.builtin.set_fact:
ansible_python_interpreter: /usr/bin/python3

- name: include verification tasks
- name: Include verification tasks
ansible.builtin.include_tasks:
file: "{{ item }}"
loop:
loop:
- verify_tasks/sys_account_shell.yml
- verify_tasks/pw_ageing.yml
- verify_tasks/netrc.yml
- verify_tasks/ignore_home_folders.yml

# temp. disabled - https://github.com/dev-sec/ansible-collection-hardening/issues/690
# - name: include PAM tests
# include_tasks: verify_tasks/pam.yml
# when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'

- name: include YUM tests
include_tasks: verify_tasks/yum.yml
- name: Include YUM tests
ansible.builtin.include_tasks: verify_tasks/yum.yml
when: ansible_facts.os_family == 'RedHat'

- name: Include PAM tests
ansible.builtin.include_tasks: verify_tasks/pam.yml
when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'

- name: Verify
hosts: localhost
environment:
Expand All @@ -37,7 +36,7 @@
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: Execute cinc-auditor tests
command: >
ansible.builtin.command: >
docker run
--volume /run/docker.sock:/run/docker.sock
--volume {{ playbook_dir }}/waivers.yaml:/waivers.yaml
Expand All @@ -51,12 +50,12 @@
ignore_errors: true

- name: Display details about the cinc-auditor results
debug:
ansible.builtin.debug:
msg: "{{ test_results.stdout_lines }}"

- name: Fail when tests fail
fail:
msg: "Inspec failed to validate"
ansible.builtin.fail:
msg: Inspec failed to validate
when: test_results.rc != 0

- name: Verify
Expand All @@ -70,15 +69,15 @@
- devsec.hardening
tasks:
# test if variable can be overridden
- name: workaround for https://github.com/ansible/ansible/issues/66304
set_fact:
ansible_virtualization_type: "docker"
- name: Workaround for https://github.com/ansible/ansible/issues/66304
ansible.builtin.set_fact:
ansible_virtualization_type: docker
os_env_umask: "027 #override"

- include_role:
- ansible.builtin.include_role:
name: os_hardening

- name: verify os_env_umask
shell:
- name: Verify os_env_umask
ansible.builtin.shell:
cmd: "grep '027 #override' /etc/login.defs"
changed_when: false
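Review bot: The re-enabled `Include PAM tests` task replaces a comment block that pointed at https://github.com/dev-sec/ansible-collection-hardening/issues/690 as the reason the tests were disabled, and the new task carries no trace of that, so a later flaky PAM run has no trail back to the issue; whether 690 is resolved or only worked around by the pam.yml changes in this PR is not visible here. A comment above the task such as `# re-enabled; was disabled for dev-sec/ansible-collection-hardening#690 — see that issue if the lockout checks flake` would keep the history. The remaining hunks in this section are FQCN and quoting changes only; the first hunk is the one reviewed here.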
10 changes: 5 additions & 5 deletions molecule/os_hardening/verify_tasks/netrc.yml
@@ -1,19 +1,19 @@
---
- name: test that .netrc in root homedir exists
ansible.builtin.file:
path: '/root/.netrc'
path: /root/.netrc
state: file
register: result_test_netrc

- name: output result if .netrc for user root exists
ansible.builtin.assert:
that:
- "result_test_netrc.state == 'file'"
fail_msg: ".netrc in /root/ not present"
success_msg: ".netrc exists in /root/"
- result_test_netrc.state == 'file'
fail_msg: .netrc in /root/ not present
success_msg: .netrc exists in /root/

- name: delete '.netrc' in /root
ansible.builtin.file:
path: '/root/.netrc'
path: /root/.netrc
state: absent
when: result_test_netrc.state == 'file'
51 changes: 25 additions & 26 deletions molecule/os_hardening/verify_tasks/pam.yml
@@ -1,66 +1,65 @@
---

- name: install pip
package:
- name: Install pip
ansible.builtin.package:
name:
- python3-pip
- python3-setuptools
state: present

- name: install pam-tester
- name: Install pam-tester
ansible.builtin.pip:
name: pam-tester
state: present
executable: /usr/bin/pip3

- name: set password for test
set_fact:
test_pw: "myTest!pw"
- name: Set password for test
ansible.builtin.set_fact:
test_pw: myTestpwSage

- name: set locale for test
set_fact:
locale: "en_US.UTF-8"
- name: Set locale for test
ansible.builtin.set_fact:
locale: en_US.UTF-8
when:
- ansible_facts.os_family == 'RedHat'
- ansible_facts.distribution_major_version < '8'

- name: create testuser
user:
- name: Create testuser
ansible.builtin.user:
name: testuser
password: "{{ test_pw | password_hash('sha512') }}"

- name: check successful login with correct password
shell:
cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
- name: Check successful login with correct password
ansible.builtin.shell:
cmd: /usr/local/bin/pam-tester --user testuser --password {{ test_pw }}
environment:
TMPDIR: /var/tmp
LC_ALL: "{{ locale | default('C.UTF-8') }}"
LANG: "{{ locale | default('C.UTF-8') }}"

- name: check unsuccessful login with incorrect password
shell:
cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
- name: Check unsuccessful login with incorrect password
ansible.builtin.shell:
cmd: /usr/local/bin/pam-tester --user testuser --password {{ test_pw }}fail --expectfail
environment:
TMPDIR: /var/tmp
LC_ALL: "{{ locale | default('C.UTF-8') }}"
LANG: "{{ locale | default('C.UTF-8') }}"
with_sequence: count=6

- name: check unsuccessful login, with correct password (lockout)
shell:
cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }} --expectfail"
- name: Check unsuccessful login, with correct password (lockout)
ansible.builtin.shell:
cmd: /usr/local/bin/pam-tester --user testuser --password {{ test_pw }} --expectfail
environment:
TMPDIR: /var/tmp
LC_ALL: "{{ locale | default('C.UTF-8') }}"
LANG: "{{ locale | default('C.UTF-8') }}"

- name: wait for account to unlock
pause:
- name: Wait for account to unlock
ansible.builtin.pause:
seconds: 20

- name: check successful login
shell:
cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
- name: Check successful login
ansible.builtin.shell:
cmd: /usr/local/bin/pam-tester --user testuser --password {{ test_pw }}
environment:
TMPDIR: /var/tmp
LC_ALL: "{{ locale | default('C.UTF-8') }}"
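Review bot: The test password is interpolated into the shell command unquoted (`--password {{ test_pw }}` in the four `ansible.builtin.shell` tasks), which is presumably why the value was changed from `myTest!pw` to `myTestpwSage`: dropping the `!` sidesteps shell interpretation instead of fixing it, and it also means the lockout checks no longer exercise a password containing a special character. Quote at the point of use instead, `cmd: /usr/local/bin/pam-tester --user testuser --password {{ test_pw | quote }}`, and for the failure case `--password {{ (test_pw ~ 'fail') | quote }} --expectfail`, which makes the command correct for any value of `test_pw`; the same four lines exist in molecule/os_hardening_vm/verify_tasks/pam.yml. Separately, the unchanged `ansible_facts.distribution_major_version < '8'` condition compares strings, so a major version such as `'10'` sorts before `'8'`; `ansible_facts.distribution_major_version | int < 8` is the intended comparison. The task list continues past the end of this hunk.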
5 changes: 3 additions & 2 deletions molecule/os_hardening/verify_tasks/sys_account_shell.yml
@@ -1,8 +1,9 @@
---
- name: Read local linux user database
getent:
ansible.builtin.getent:
database: passwd

- name: Check that shell_sys_acc's shell is still bash
assert:
ansible.builtin.assert:
that:
- getent_passwd['shell_sys_acc'][5] == "/bin/bash"
4 changes: 2 additions & 2 deletions molecule/os_hardening/verify_tasks/yum.yml
@@ -1,8 +1,8 @@
---
- name: verify 'gpgcheck' was not enabled for 'foo' repository (in whitelist)
command: grep -e 'gpgcheck\s*=\s*0' /etc/yum.repos.d/foo.repo
ansible.builtin.command: grep -e 'gpgcheck\s*=\s*0' /etc/yum.repos.d/foo.repo
changed_when: false

- name: verify 'gpgcheck' was enabled for 'bar' repository (not in whitelist)
command: grep -e 'gpgcheck\s*=\s*1' /etc/yum.repos.d/bar.repo
ansible.builtin.command: grep -e 'gpgcheck\s*=\s*1' /etc/yum.repos.d/bar.repo
changed_when: false
10 changes: 6 additions & 4 deletions molecule/os_hardening_vm/verify_tasks/pam.yml
@@ -1,4 +1,5 @@
---

- name: install pip
package:
name:
Expand All @@ -10,6 +11,7 @@
ansible.builtin.pip:
name: pam-tester
state: present
executable: /usr/bin/pip3

- name: set password for test
set_fact:
Expand All @@ -29,15 +31,15 @@

- name: check successful login with correct password
shell:
cmd: "pam-tester --user testuser --password {{ test_pw }}"
cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
environment:
TMPDIR: /var/tmp
LC_ALL: "{{ locale | default('C.UTF-8') }}"
LANG: "{{ locale | default('C.UTF-8') }}"

- name: check unsuccessful login with incorrect password
shell:
cmd: "pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
environment:
TMPDIR: /var/tmp
LC_ALL: "{{ locale | default('C.UTF-8') }}"
Expand All @@ -46,7 +48,7 @@

- name: check unsuccessful login, with correct password (lockout)
shell:
cmd: "pam-tester --user testuser --password {{ test_pw }} --expectfail"
cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }} --expectfail"
environment:
TMPDIR: /var/tmp
LC_ALL: "{{ locale | default('C.UTF-8') }}"
Expand All @@ -58,7 +60,7 @@

- name: check successful login
shell:
cmd: "pam-tester --user testuser --password {{ test_pw }}"
cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
environment:
TMPDIR: /var/tmp
LC_ALL: "{{ locale | default('C.UTF-8') }}"
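Review bot: This copy of pam.yml keeps the short module names (`package:`, `shell:`, `set_fact:`) and lower-case task names while the sibling molecule/os_hardening/verify_tasks/pam.yml in the same PR was moved to `ansible.builtin.*` FQCNs and capitalised names, so two files with what looks like identical test logic now diverge in style. Applying the same treatment here (`ansible.builtin.shell:`, `ansible.builtin.package:`, `ansible.builtin.pip:` is already used) keeps ansible-lint output consistent across both scenarios. The blank line added after `---` in the first hunk is not used by the other verify_tasks files in this PR either. Each hunk here is cut from a task list that continues outside it.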
2 changes: 1 addition & 1 deletion molecule/ssh_hardening/molecule.yml
Expand Up @@ -3,7 +3,7 @@ driver:
name: docker
platforms:
- name: instance
image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest"
image: "ghcr.io/dev-sec/docker-${MOLECULE_DISTRO}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-/lib/systemd/systemd}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw