add option to bypass .netrc check function

add option to whitelist specific user that need a .netrc file in there home dirs
add test for .netrc files if option os_netrc_enabled is false

Signed-off-by: Philipp Funk <philipp.funk@t-systems.com>

molecule/os_hardening/converge.yml

@@ -27,6 +27,7 @@
     os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
     os_filesystem_whitelist: []
     os_yum_repo_file_whitelist: ['foo.repo']
+    os_netrc_enabled: false
     sysctl_config:
       net.ipv4.ip_forward: 0
       net.ipv6.conf.all.forwarding: 0

molecule/os_hardening/prepare.yml

@@ -58,3 +58,7 @@
     - name: include YUM prepare tasks
       include_tasks: prepare_tasks/yum.yml
       when: ansible_facts.os_family == 'RedHat'
+
+    - name: include YUM prepare tasks
+      include_tasks: prepare_tasks/netrc.yml
+

molecule/os_hardening/prepare_tasks/netrc.yml

@@ -0,0 +1,9 @@
+---
+- name: create '.netrc' in /root
+  ansible.builtin.copy:
+    dest: '/root/.netrc'
+    mode: '0600'
+    content: |
+      machine localhost
+      login root
+      password ipsum

molecule/os_hardening/verify.yml

@@ -37,6 +37,9 @@
         name: procps
       when: ansible_facts.os_family == 'Debian'
 
+    - name: include netrc tests
+      include_tasks: verify_tasks/netrc.yml
+
     - name: include PAM tests
       include_tasks: verify_tasks/pam.yml
       when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'

molecule/os_hardening/verify_tasks/netrc.yml

@@ -0,0 +1,19 @@
+---
+- name: test that .netrc in root homedir exists
+  ansible.builtin.file:
+    path: '/root/.netrc'
+    state: file
+  register: result_test_netrc
+
+- name: output result if .netrc for user root exists
+  ansible.builtin.assert:
+    that:
+      - "result_test_netrc.state == 'file'"
+    fail_msg: ".netrc in /root/ not present"
+    success_msg: ".netrc exists in /root/"
+
+- name: delete '.netrc' in /root
+  ansible.builtin.file:
+    path: '/root/.netrc'
+    state: absent
+  when: result_test_netrc.state == 'file'

roles/os_hardening/README.md

@@ -422,6 +422,12 @@ We know that this is the case on Raspberry Pi.
 - `os_mnt_var_tmp_filesystem`
   - Default: `ext4`
   - Description: Configure file system for fstab entry /var/tmp
+- `os_netrc_enabled`
+  - Default: `True`
+  - Description: Configure filesystem for existence of .netrc file in homedir
+- `os_netrc_whitelist_user`
+  - Default: ``
+  - Description: Add list of user to allow creation of .netrc in users homedir
 
 ## Packages
 

roles/os_hardening/defaults/main.yml

@@ -439,3 +439,9 @@ os_mnt_var_tmp_enabled: false
 os_mnt_var_tmp_src: ""
 os_mnt_var_tmp_options: 'rw,nosuid,nodev,noexec'
 os_mnt_var_tmp_filesystem: "ext4"
+
+#
+# .netrc User whitelist
+# keep .netrc file for users in whitelist
+os_netrc_enabled: true
+os_netrc_whitelist_user: []

roles/os_hardening/tasks/hardening.yml

@@ -78,6 +78,10 @@
   tags: rhosts
   when: os_rhosts_enabled | bool
 
+- import_tasks: netrc.yml
+  tags: netrc
+  when: os_netrc_enabled | bool
+
 - import_tasks: yum.yml
   tags: yum
   when:

roles/os_hardening/tasks/netrc.yml

@@ -0,0 +1,13 @@
+---
+- name: Get user accounts | os-09
+  command: "awk -F: '{print $1}' /etc/passwd"
+  changed_when: false
+  check_mode: false
+  register: users_accounts
+
+- name: Delete .netrc-files from system | os-09
+  file:
+    dest: '~{{ item }}/.netrc'
+    state: 'absent'
+  loop: '{{ users_accounts.stdout_lines | flatten | default([]) }}'
+  when: item not in os_netrc_whitelist_user

roles/os_hardening/tasks/rhosts.yml

@@ -9,15 +9,10 @@
   file:
     dest: '~{{ item }}/.rhosts'
     state: 'absent'
-  with_flattened: '{{ users_accounts.stdout_lines | default([]) }}'
+  loop: '{{ users_accounts.stdout_lines | flatten | default([]) }}'
 
 - name: Delete hosts.equiv from system | os-01
   file:
     dest: '/etc/hosts.equiv'
     state: 'absent'
 
-- name: Delete .netrc-files from system | os-09
-  file:
-    dest: '~{{ item }}/.netrc'
-    state: 'absent'
-  with_flattened: '{{ users_accounts.stdout_lines | default([]) }}'