diff --git a/galaxy.yml b/galaxy.yml
index e5f6a8ce1..7b1533e54 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,3 +1,4 @@
+---
 namespace: devsec
 name: hardening
 version: 7.16.0
diff --git a/molecule/os_hardening/converge.yml b/molecule/os_hardening/converge.yml
index 2669f7d7a..2b4cd3e1a 100644
--- a/molecule/os_hardening/converge.yml
+++ b/molecule/os_hardening/converge.yml
@@ -27,6 +27,7 @@
 os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
 os_filesystem_whitelist: []
 os_yum_repo_file_whitelist: ['foo.repo']
+ os_netrc_enabled: false
 sysctl_config:
 net.ipv4.ip_forward: 0
 net.ipv6.conf.all.forwarding: 0
diff --git a/molecule/os_hardening/prepare.yml b/molecule/os_hardening/prepare.yml
index 2fdcbe9e9..aab8b77fe 100644
--- a/molecule/os_hardening/prepare.yml
+++ b/molecule/os_hardening/prepare.yml
@@ -58,3 +58,7 @@
 - name: include YUM prepare tasks
 include_tasks: prepare_tasks/yum.yml
 when: ansible_facts.os_family == 'RedHat'
+
+ - name: include YUM prepare tasks
+ include_tasks: prepare_tasks/netrc.yml
+
diff --git a/molecule/os_hardening/prepare_tasks/netrc.yml b/molecule/os_hardening/prepare_tasks/netrc.yml
new file mode 100644
index 000000000..c4c7c9aac
--- /dev/null
+++ b/molecule/os_hardening/prepare_tasks/netrc.yml
@@ -0,0 +1,9 @@
+---
+- name: create '.netrc' in /root
+ ansible.builtin.copy:
+ dest: '/root/.netrc'
+ mode: '0600'
+ content: |
+ machine localhost
+ login root
+ password ipsum
diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml
index 57d2d61a2..346c45f08 100644
--- a/molecule/os_hardening/verify.yml
+++ b/molecule/os_hardening/verify.yml
@@ -37,6 +37,9 @@
 name: procps
 when: ansible_facts.os_family == 'Debian'
 
+ - name: include netrc tests
+ include_tasks: verify_tasks/netrc.yml
+
 - name: include PAM tests
 include_tasks: verify_tasks/pam.yml
 when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'
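Review bot: The task added to prepare.yml is named `include YUM prepare tasks` although it includes `prepare_tasks/netrc.yml`; the name looks copied from the YUM task just above it and will mislead anyone reading play output or grepping for the netrc fixture. Rename it, e.g. `- name: include netrc prepare tasks`. The hunk also appends an empty line at end of file, which yamllint's `empty-lines` / `new-line-at-end-of-file` checks flag; drop the final added blank line.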
diff --git a/molecule/os_hardening/verify_tasks/netrc.yml b/molecule/os_hardening/verify_tasks/netrc.yml
new file mode 100644
index 000000000..cee31463d
--- /dev/null
+++ b/molecule/os_hardening/verify_tasks/netrc.yml
@@ -0,0 +1,19 @@
+---
+- name: test that .netrc in root homedir exists
+ ansible.builtin.file:
+ path: '/root/.netrc'
+ state: file
+ register: result_test_netrc
+
+- name: output result if .netrc for user root exists
+ ansible.builtin.assert:
+ that:
+ - "result_test_netrc.state == 'file'"
+ fail_msg: ".netrc in /root/ not present"
+ success_msg: ".netrc exists in /root/"
+
+- name: delete '.netrc' in /root
+ ansible.builtin.file:
+ path: '/root/.netrc'
+ state: absent
+ when: result_test_netrc.state == 'file'
diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
index 1ffaae145..09aaacbc5 100644
--- a/roles/os_hardening/README.md
+++ b/roles/os_hardening/README.md
@@ -422,6 +422,12 @@ We know that this is the case on Raspberry Pi.
 - `os_mnt_var_tmp_filesystem`
 - Default: `ext4`
 - Description: Configure file system for fstab entry /var/tmp
+- `os_netrc_enabled`
+ - Default: `True`
+ - Description: Configure filesystem for existence of .netrc file in homedir
+- `os_netrc_whitelist_user`
+ - Default: ``
+ - Description: Add list of user to allow creation of .netrc in users homedir
 
 ## Packages
 
diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
index 3c002f8a2..3fac801ce 100644
--- a/roles/os_hardening/defaults/main.yml
+++ b/roles/os_hardening/defaults/main.yml
@@ -439,3 +439,9 @@ os_mnt_var_tmp_enabled: false
 os_mnt_var_tmp_src: ""
 os_mnt_var_tmp_options: 'rw,nosuid,nodev,noexec'
 os_mnt_var_tmp_filesystem: "ext4"
+
+#
+# .netrc User whitelist
+# keep .netrc file for users in whitelist
+os_netrc_enabled: true
+os_netrc_whitelist_user: []
diff --git a/roles/os_hardening/tasks/hardening.yml b/roles/os_hardening/tasks/hardening.yml
index 8d1a845d7..3981df6e5 100644
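Review bot: The first task in verify_tasks/netrc.yml uses `ansible.builtin.file` with `state: file`, which fails the play outright when `/root/.netrc` is missing, so the following `assert` with its `fail_msg` can never report that case; query the path with `ansible.builtin.stat` and assert on `stat.exists` instead, and use the same field for the cleanup task's `when`. Note also that converge.yml in this change sets `os_netrc_enabled: false`, so this scenario only shows that the disabled switch leaves root's file in place; the deletion path and `os_netrc_whitelist_user` are not exercised at all, which would need a second converge run or a whitelisted fixture user with its own `.netrc`.
```yaml
- name: test that .netrc in root homedir exists
  ansible.builtin.stat:
    path: '/root/.netrc'
  register: result_test_netrc

- name: output result if .netrc for user root exists
  ansible.builtin.assert:
    that:
      - result_test_netrc.stat.exists
    # … unchanged: fail_msg / success_msg …

- name: delete '.netrc' in /root
  # … unchanged: ansible.builtin.file with state absent …
  when: result_test_netrc.stat.exists
```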
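Review bot: `os_netrc_whitelist_user` in defaults/main.yml breaks the naming pattern of the role's other list variables, which end in `_whitelist` (`os_filesystem_whitelist`, `os_yum_repo_file_whitelist` are visible in the converge hunk); since this is a new public variable, now is the cheapest moment to call it `os_netrc_whitelist`. The README hunk documents the defaults as `True` and an empty `` while the defaults file sets `true` and `[]`; the two should agree so that users know a list is expected. The header comment could also state what the switch actually does rather than only the exception, e.g. `# delete ~user/.netrc for every account listed in /etc/passwd, except users named in os_netrc_whitelist_user`.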
--- a/roles/os_hardening/tasks/hardening.yml
+++ b/roles/os_hardening/tasks/hardening.yml
@@ -78,6 +78,10 @@
 tags: rhosts
 when: os_rhosts_enabled | bool
 
+- import_tasks: netrc.yml
+ tags: netrc
+ when: os_netrc_enabled | bool
+
 - import_tasks: yum.yml
 tags: yum
 when:
diff --git a/roles/os_hardening/tasks/netrc.yml b/roles/os_hardening/tasks/netrc.yml
new file mode 100644
index 000000000..467221907
--- /dev/null
+++ b/roles/os_hardening/tasks/netrc.yml
@@ -0,0 +1,13 @@
+---
+- name: Get user accounts | os-09
+ command: "awk -F: '{print $1}' /etc/passwd"
+ changed_when: false
+ check_mode: false
+ register: users_accounts
+
+- name: Delete .netrc-files from system | os-09
+ file:
+ dest: '~{{ item }}/.netrc'
+ state: 'absent'
+ loop: '{{ users_accounts.stdout_lines | flatten | default([]) }}'
+ when: item not in os_netrc_whitelist_user
diff --git a/roles/os_hardening/tasks/rhosts.yml b/roles/os_hardening/tasks/rhosts.yml
index 63b27ba1a..91e5c274d 100644
--- a/roles/os_hardening/tasks/rhosts.yml
+++ b/roles/os_hardening/tasks/rhosts.yml
@@ -9,15 +9,10 @@
 file:
 dest: '~{{ item }}/.rhosts'
 state: 'absent'
- with_flattened: '{{ users_accounts.stdout_lines | default([]) }}'
+ loop: '{{ users_accounts.stdout_lines | flatten | default([]) }}'
 
 - name: Delete hosts.equiv from system | os-01
 file:
 dest: '/etc/hosts.equiv'
 state: 'absent'
 
-- name: Delete .netrc-files from system | os-09
- file:
- dest: '~{{ item }}/.netrc'
- state: 'absent'
- with_flattened: '{{ users_accounts.stdout_lines | default([]) }}'
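Review bot: In the `loop:` of the delete task in tasks/netrc.yml the filters are in the wrong order: `flatten` is applied before `default([])`, so an undefined `users_accounts.stdout_lines` would most likely raise before the default can take effect, and `stdout_lines` is already a flat list of names, so `flatten` adds nothing; write `loop: '{{ users_accounts.stdout_lines | default([]) }}'`. The rhosts.yml hunk below introduces the same expression and should get the same fix. Reading account names with `awk` from /etc/passwd only covers locally defined users; if the role is meant to clean `.netrc` for NSS-backed accounts as well (LDAP, SSSD), `getent passwd` is the equivalent query — the rhosts task presumably has the same limitation, so this may be deliberate, but it is worth a comment on the task. The new file also uses bare `command:` / `file:` while the molecule files in this change use `ansible.builtin.*` names; pick one convention for the role.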