Merge pull request #181 from dev-sec/minimize_access

change minimize access method
dev-sec · Aug 1, 2018 · 30aa3fe · 30aa3fe
2 parents c8657c8 + e439904
commit 30aa3fe
Show file tree

Hide file tree

Showing 8 changed files with 96 additions and 18 deletions.
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -21,7 +21,7 @@ provisioner:
   roles_path: ../ansible-os-hardening/
   http_proxy: <%= ENV['http_proxy'] || nil %>
   https_proxy: <%= ENV['https_proxy'] || nil %>
-  playbook: default.yml
+  playbook: tests/test.yml
 
 platforms:
 - name: centos6-ansible-latest

diff --git a/.travis.yml b/.travis.yml
@@ -56,7 +56,7 @@ script:
   - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-os-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
 
    # Test role.
-  - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/default.yml --diff --skip-tags "sysctl"'
+  - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/tests/test.yml --diff --skip-tags "sysctl"'
 
    # Verify role
   - 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --controls=os-01 os-02 os-03 os-04 os-05 os-05b os-06 os-07 os-09 os-10 os-11 package-01 package-02 package-03 package-05 package-06 package-08 package-09 --no-distinct-exit'

diff --git a/README.md b/README.md
@@ -27,8 +27,7 @@ It will not:
 
 ## Requirements
 
-* Ansible 2.4.2
-
+* Ansible 2.5.0
 
 ## Warning
 

diff --git a/default.yml b/default.yml
@@ -8,6 +8,10 @@
       apt:
         update_cache: yes
       when: ansible_os_family == 'Debian'
+    - name: Install firefox to get Xorg
+      package:
+        name: firefox
+        state: present
   vars:
     os_security_users_allow: change_user
     os_security_kernel_enable_core_dump: false

diff --git a/meta/main.yml b/meta/main.yml
@@ -4,7 +4,7 @@ galaxy_info:
   description: 'This Ansible role provides numerous security-related configurations, providing all-round base protection.'
   company: Hardening Framework Team
   license: Apache License 2.0
-  min_ansible_version: '2.4.2'
+  min_ansible_version: '2.5'
   platforms:
     - name: EL
       versions:

diff --git a/tasks/find_files.yml b/tasks/find_files.yml
@@ -0,0 +1,12 @@
+- name: find directories for minimizing access
+  find:
+    paths: '{{ outer_item }}'
+    recurse: yes
+  register: minimize_access_directories
+
+- name: minimize access on found files
+  file:
+    path: '{{ item.path }}'
+    mode: 'go-w'
+    state: file
+  with_items: '{{ minimize_access_directories.files }}'
diff --git a/tasks/minimize_access.yml b/tasks/minimize_access.yml
@@ -1,10 +1,9 @@
 ---
 # Using a two-pass approach for checking directories in order to support symlinks.
-- name: find directories for minimizing access
-  stat:
-    path: '{{ item }}'
-  register: minimize_access_directories
-  with_items:
+- include_tasks: find_files.yml
+  loop_control:
+    loop_var: outer_item
+  loop:
     - '/usr/local/sbin'
     - '/usr/local/bin'
     - '/usr/sbin'
@@ -13,14 +12,6 @@
     - '/bin'
     - '{{ os_env_extra_user_paths }}'
 
-- name: minimize access
-  file:
-    path: '{{ item.stat.path }}'
-    mode: 'go-w'
-    recurse: 'yes'
-  when: item.stat.isdir
-  with_items: '{{ minimize_access_directories.results }}'
-
 - name: change shadow ownership to root and mode to 0600 | os-02
   file:
     dest: '/etc/shadow'

diff --git a/tests/test.yml b/tests/test.yml
@@ -0,0 +1,72 @@
+---
+- name: wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing
+  hosts: localhost
+  roles:
+    - ansible-os-hardening
+  pre_tasks:
+    - name: Run the equivalent of "apt-get update" as a separate step
+      apt:
+        update_cache: yes
+      when: ansible_os_family == 'Debian'
+    - name: create recursing symlink to test minimize access
+      shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
+  vars:
+    os_security_users_allow: change_user
+    os_security_kernel_enable_core_dump: false
+    os_security_suid_sgid_remove_from_unknown: true
+    os_auth_pam_passwdqc_enable: false
+    os_desktop_enable: true
+    os_env_extra_user_paths: ['/home']
+    os_auth_allow_homeless: true
+    os_security_suid_sgid_blacklist: ['/bin/umount']
+    os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
+    os_filesystem_whitelist: ['vfat']
+    sysctl_config:
+      net.ipv4.ip_forward: 0
+      net.ipv6.conf.all.forwarding: 0
+      net.ipv6.conf.all.accept_ra: 0
+      net.ipv6.conf.default.accept_ra: 0
+      net.ipv4.conf.all.rp_filter: 1
+      net.ipv4.conf.default.rp_filter: 1
+      net.ipv4.icmp_echo_ignore_broadcasts: 1
+      net.ipv4.icmp_ignore_bogus_error_responses: 1
+      net.ipv4.icmp_ratelimit: 100
+      net.ipv4.icmp_ratemask: 88089
+      net.ipv6.conf.all.disable_ipv6: 1
+      net.ipv4.conf.all.arp_ignore: 1
+      net.ipv4.conf.all.arp_announce: 2
+      net.ipv4.conf.all.shared_media: 1
+      net.ipv4.conf.default.shared_media: 1
+      net.ipv4.conf.all.accept_source_route: 0
+      net.ipv4.conf.default.accept_source_route: 0
+      net.ipv4.conf.default.accept_redirects: 0
+      net.ipv4.conf.all.accept_redirects: 0
+      net.ipv4.conf.all.secure_redirects: 0
+      net.ipv4.conf.default.secure_redirects: 0
+      net.ipv6.conf.default.accept_redirects: 0
+      net.ipv6.conf.all.accept_redirects: 0
+      net.ipv4.conf.all.send_redirects: 0
+      net.ipv4.conf.default.send_redirects: 0
+      net.ipv4.conf.all.log_martians: 1
+      net.ipv6.conf.default.router_solicitations: 0
+      net.ipv6.conf.default.accept_ra_rtr_pref: 0
+      net.ipv6.conf.default.accept_ra_pinfo: 0
+      net.ipv6.conf.default.accept_ra_defrtr: 0
+      net.ipv6.conf.default.autoconf: 0
+      net.ipv6.conf.default.dad_transmits: 0
+      net.ipv6.conf.default.max_addresses: 1
+      kernel.sysrq: 0
+      fs.suid_dumpable: 0
+      kernel.randomize_va_space: 2
+
+
+- name: wrapper playbook for kitchen testing "ansible-os-hardening"
+  hosts: localhost
+  pre_tasks:
+    - name: Run the equivalent of "apt-get update" as a separate step
+      apt:
+        update_cache: yes
+      when: ansible_os_family == 'Debian'
+  roles:
+    - ansible-os-hardening
+