Adds the ability to enforce a policy to manage local accounts.
- STIG compliance
- Ensure deprecated PAM modules are not present
- Ensure deprecated host access are not present (shost, rhost and similar)
- Manages pwquality policies.
- Ensures SHA512 is used consistently to hash passwords.
- Ensures no accounts with UID 0 exist other than
root
. - Configure faillock
- Controls
root
access. - Ensure critical files have appropriate permissions and security context
- Enforce a sensible
umask
. - Prevent information leakage via coredumps
- Limit the number of concurrent sessions for all accounts and/or account types.
- Report non-compliant scenarios:
- Print warning about accounts with password lifetimes under 24 hours
- Print warning for accounts with a password lifetime over 60 days
- Print warning for groups in /etc/passwd that are not in /etc/group
- Print warnings for non-root users with UID 0
- Print warning for local interactive users without a home directory assigned
- Print warning for users with an assigned home directory that does not exist
- Users must provide a password for privilege escalation.
- Users must re-authenticate for privilege escalation.
None. This role does not install packages.
- From
defaults/main.yml
## Authentication (auth)
# Set the package install state for distribution packages
# Options are 'present' and 'latest'
security_package_state: present
stig_id: 'rhel7'
## Accounts (accounts)
# Set minimum password lifetime to 1 day for interactive accounts.
security_set_minimum_password_lifetime: no # V-71927
security_set_maximum_password_lifetime: no # V-71931
# Disallow logins from accounts with blank/null passwords via PAM.
security_disallow_blank_password_login: 'yes' # V-71937
# Apply password quality rules.
# NOTE: The security_pwquality_apply_rules variable is a "master switch".
# Set the 'security_pwquality_apply_rules' variable to 'yes' to apply all of
# the password quality rules. Each rule can be disabled with a value of 'no'.
security_pwquality_apply_rules: 'yes'
security_pwquality_require_uppercase: 'yes' # V-71903
security_pwquality_require_lowercase: 'yes' # V-71905
security_pwquality_require_numeric: 'yes' # V-71907
security_pwquality_require_special: 'yes' # V-71909
security_pwquality_require_characters_changed: 'yes' # V-71911
security_pwquality_require_character_classes_changed: 'yes' # V-71913
security_pwquality_limit_repeated_characters: 'yes' # V-71915
security_pwquality_limit_repeated_character_classes: 'yes' # V-71917
security_pwquality_require_minimum_password_length: 'yes' # V-71935
# Use pwquality when passwords are changed or established.
security_enable_pwquality_password_set: 'yes' # V-73159
# Ensure passwords are stored using SHA512.
security_password_encrypt_method: SHA512 # V-71921
# Ensure user/group admin utilities only store encrypted passwords.
security_libuser_crypt_style_sha512: 'yes' # V-71923
# Set a minimum/maximum lifetime limit for user passwords.
security_password_min_lifetime_days: 1 # V-71925
security_password_max_lifetime_days: 90 # V-71929
security_password_min_length: 15 # CCE-27123-9
# Set a delay (in seconds) between failed login attempts.
security_shadow_utils_fail_delay: 4 # V-71951
# Set a umask for all authenticated users.
security_shadow_utils_umask: '077' # V-71995
# Create home directories for new users by default.
security_shadow_utils_create_home: 'yes' # V-72013
# How many old user password to remember to prevent password re-use.
security_password_remember_password: 5 # V-71933
# Disable user accounts if the password expires.
security_disable_account_if_password_expires: 'yes' # V-71941
# Lock user accounts with excessive login failures. See documentation.
security_pam_faillock_enable: 'yes' # V-71945 / V-71943 / RHEL-07-010373
security_pam_faillock_interval: 900
security_pam_faillock_attempts: 3
security_pam_faillock_deny_root: 'yes' # RHEL-07-010373
security_pam_faillock_unlock_time: never # V-71943
# Limit the number of concurrent connections per account.
security_rhel7_concurrent_session_limit: 10 # V-72217
# Disable creation of core dumps.
security_rhel7_core_limit: 0 # V-72057
# Remove .shosts and shosts.equiv files.
security_rhel7_remove_shosts_files: 'yes' # V-72277
# Remove /etc/hosts.equiv file.
security_rhel7_remove_hosts_equiv_file: 'yes' # V-72277
# Remove .rhosts files.
security_rhel7_remove_rhosts_files: 'yes' # V-72277
security_rhel7_auth_root_ttys:
- console
- vc/1
- vc/2
- tty1
- tty2
- tty3
security_rhel7_init_prompt: 'True'
security_rhel7_init_single: 'True'
- From
vars/main.yml
# RHEL 7 STIG: Packages to add/remove
stig_packages_rhel7:
- packages:
- pam_ccreds
- pam_cracklib
state: absent
enabled: 'True'
# Password quality settings
#
# Each dictionary has this structure:
#
# parameter: the pwquality parameter to set
# value: the value of the parameter
# stig_id: the STIG id number
# description: description of the control from the STIG
# enabled: whether the change should be applied
#
password_quality_rhel7:
- parameter: ucredit
value: -1
stig_id: V-71903
description: "Password must contain at least one upper-case character"
enabled: "{{ security_pwquality_require_uppercase }}"
- parameter: lcredit
value: -1
stig_id: V-71905
description: "Password must contain at least one lower-case character"
enabled: "{{ security_pwquality_require_lowercase }}"
- parameter: dcredit
value: -1
stig_id: V-71907
description: "Password must contain at least one numeric character"
enabled: "{{ security_pwquality_require_numeric }}"
- parameter: ocredit
value: -1
stig_id: V-71909
description: "Password must contain at least one special character"
enabled: "{{ security_pwquality_require_special }}"
- parameter: difok
value: 8
stig_id: V-71911
description: "Password must have at least eight characters changed"
enabled: "{{ security_pwquality_require_characters_changed }}"
- parameter: minclass
value: 4
stig_id: V-71913
description: "Password must have at least four character classes changed"
enabled: "{{ security_pwquality_require_character_classes_changed }}"
- parameter: maxrepeat
value: 4
stig_id: V-71915
# yamllint disable-line rule:line-length
description: "Password must have at most four characters repeated consecutively"
enabled: "{{ security_pwquality_limit_repeated_characters }}"
- parameter: maxclassrepeat
value: 4
stig_id: V-71917
# yamllint disable-line rule:line-length
description: "Password must have at most four characters in the same character class repeated consecutively"
enabled: "{{ security_pwquality_limit_repeated_character_classes }}"
- parameter: minlen
value: 15
stig_id: V-71935
description: "Passwords must be a minimum of 15 characters in length"
enabled: "{{ security_pwquality_require_minimum_password_length }}"
## shadow-utils settings
# This variable is used in main/rhel7stig/auth.yml to set shadow file-related
# configurations in /etc/login.defs.
#
# Each dictionary has this structure:
#
# parameter: the parameter to set
# value: the value for the parameter
# stig_id: the STIG ID number for the requirement
#
shadow_utils_rhel7:
- parameter: ENCRYPT_METHOD
value: "{{ security_password_encrypt_method | default('') }}"
stig_id: V-71921
ansible_os_family: all
- parameter: PASS_MIN_DAYS
value: "{{ security_password_min_lifetime_days | default('') }}"
stig_id: V-71925
ansible_os_family: all
- parameter: PASS_MAX_DAYS
value: "{{ security_password_max_lifetime_days | default('') }}"
stig_id: V-71929
ansible_os_family: all
- parameter: PASS_MIN_LEN
value: "{{ security_password_min_length | default('') }}"
stig_id: V-72013
ansible_os_family: all
- parameter: FAIL_DELAY
value: "{{ security_shadow_utils_fail_delay | default('') }}"
stig_id: V-71951
ansible_os_family: all
- parameter: UMASK
value: "{{ security_shadow_utils_umask | default('') }}"
stig_id: V-71995
ansible_os_family: all
- parameter: CREATE_HOME
value: "{{ security_shadow_utils_create_home | default('') }}"
stig_id: V-72013
ansible_os_family: all
This role requires the ansible-os-hardening-selinux
role to be used for security
context enforcement.
Some files related to the ansible-os-hardening-sudo
role are also inspected for
compliance.
Example of how to use this role:
- hosts: servers
roles:
- { role: ansible-os-hardening-selinux }
- { role: ansible-os-hardening-sudo }
- { role: ansible-os-hardening-local-accounts }
This repository uses git-flow.
To contribute to the role, create a new feature branch (feature/foo_bar_baz
),
write Molecule tests for the new functionality
and submit a pull request targeting the develop
branch.
Happy hacking!
GPLv3