add possibility to keep .netrc files in users homedir #563

Merged
merged 1 commit into from Aug 17, 2022
1 change: 1 addition & 0 deletions galaxy.yml
@@ -1,3 +1,4 @@
---
namespace: devsec
name: hardening
version: 7.16.0
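Review bot: the new side of this hunk still reads `version: 7.16.0` (1 addition, 0 deletions), so the collection version is not bumped although the PR adds two role variables (`os_netrc_enabled`, `os_netrc_whitelist_user`) and moves `.netrc` deletion under a different switch; a minor version bump plus a changelog entry would be appropriate before merging.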
1 change: 1 addition & 0 deletions molecule/os_hardening/converge.yml
@@ -27,6 +27,7 @@
os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
os_filesystem_whitelist: []
os_yum_repo_file_whitelist: ['foo.repo']
os_netrc_enabled: false
sysctl_config:
net.ipv4.ip_forward: 0
net.ipv6.conf.all.forwarding: 0
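Review bot: `os_netrc_enabled: false` in converge.yml disables the new task in roles/os_hardening/tasks/netrc.yml for the whole molecule run, so the deletion loop and the whitelist check are never exercised; only the "file is left alone when the feature is off" path gets tested. Consider keeping the default `true` and setting `os_netrc_whitelist_user: ['root']` instead, so the /root/.netrc created in prepare.yml survives via the whitelist while the deletion task still runs.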
4 changes: 4 additions & 0 deletions molecule/os_hardening/prepare.yml
@@ -58,3 +58,7 @@
- name: include YUM prepare tasks
include_tasks: prepare_tasks/yum.yml
when: ansible_facts.os_family == 'RedHat'

- name: include YUM prepare tasks
include_tasks: prepare_tasks/netrc.yml

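Review bot: the task added at the end of this hunk is named `include YUM prepare tasks` but includes `prepare_tasks/netrc.yml`; rename it to something like `include netrc prepare tasks` so the two tasks are distinguishable in play output and so the copy-paste name does not mislead anyone reading the molecule scenario.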
9 changes: 9 additions & 0 deletions molecule/os_hardening/prepare_tasks/netrc.yml
@@ -0,0 +1,9 @@
---
- name: create '.netrc' in /root
ansible.builtin.copy:
dest: '/root/.netrc'
mode: '0600'
content: |
machine localhost
login root
password ipsum
3 changes: 3 additions & 0 deletions molecule/os_hardening/verify.yml
@@ -37,6 +37,9 @@
name: procps
when: ansible_facts.os_family == 'Debian'

- name: include netrc tests
include_tasks: verify_tasks/netrc.yml

- name: include PAM tests
include_tasks: verify_tasks/pam.yml
when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'
19 changes: 19 additions & 0 deletions molecule/os_hardening/verify_tasks/netrc.yml
@@ -0,0 +1,19 @@
---
- name: test that .netrc in root homedir exists
ansible.builtin.file:
path: '/root/.netrc'
state: file
register: result_test_netrc

- name: output result if .netrc for user root exists
ansible.builtin.assert:
that:
- "result_test_netrc.state == 'file'"
fail_msg: ".netrc in /root/ not present"
success_msg: ".netrc exists in /root/"

- name: delete '.netrc' in /root
ansible.builtin.file:
path: '/root/.netrc'
state: absent
when: result_test_netrc.state == 'file'
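Review bot: `ansible.builtin.file` with `state: file` fails the task itself when `/root/.netrc` is missing, so the `assert` that follows never runs and `fail_msg` is never shown; use `ansible.builtin.stat` with `path: '/root/.netrc'` and assert on `result_test_netrc.stat.exists` instead. With that change the `when: result_test_netrc.state == 'file'` guard on the delete task can also go, since `state: absent` is idempotent. There is still no test for the negative case (a `.netrc` for a non-whitelisted user being removed), which is the hardening behaviour this role is supposed to provide.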
6 changes: 6 additions & 0 deletions roles/os_hardening/README.md
@@ -422,6 +422,12 @@ We know that this is the case on Raspberry Pi.
- `os_mnt_var_tmp_filesystem`
- Default: `ext4`
- Description: Configure file system for fstab entry /var/tmp
- `os_netrc_enabled`
- Default: `True`
- Description: Configure filesystem for existence of .netrc file in homedir
- `os_netrc_whitelist_user`
- Default: ``
- Description: Add list of user to allow creation of .netrc in users homedir

## Packages

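Review bot: the documented default for `os_netrc_whitelist_user` is an empty pair of backticks, while defaults/main.yml sets `[]`; the two should match. The descriptions also do not say what the switches do: for `os_netrc_enabled` say that when true the role deletes `.netrc` from the home directory of every account listed in /etc/passwd, and for `os_netrc_whitelist_user` say "List of user names whose `.netrc` is kept" rather than "Add list of user to allow creation of .netrc", since the role never creates the file.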
6 changes: 6 additions & 0 deletions roles/os_hardening/defaults/main.yml
@@ -439,3 +439,9 @@ os_mnt_var_tmp_enabled: false
os_mnt_var_tmp_src: ""
os_mnt_var_tmp_options: 'rw,nosuid,nodev,noexec'
os_mnt_var_tmp_filesystem: "ext4"

#
# .netrc User whitelist
# keep .netrc file for users in whitelist
os_netrc_enabled: true
os_netrc_whitelist_user: []
4 changes: 4 additions & 0 deletions roles/os_hardening/tasks/hardening.yml
@@ -78,6 +78,10 @@
tags: rhosts
when: os_rhosts_enabled | bool

- import_tasks: netrc.yml
tags: netrc
when: os_netrc_enabled | bool

- import_tasks: yum.yml
tags: yum
when:
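Review bot: this is a behaviour change for existing users of the role and should be called out in the changelog: `.netrc` deletion used to run as part of rhosts.yml under `os_rhosts_enabled` (see the block removed from roles/os_hardening/tasks/rhosts.yml), and is now gated by `os_netrc_enabled`, which defaults to `true`. Anyone who had set `os_rhosts_enabled: false` to keep their `.netrc` files will have them deleted on the next run unless they also set `os_netrc_enabled: false` or populate `os_netrc_whitelist_user`.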
13 changes: 13 additions & 0 deletions roles/os_hardening/tasks/netrc.yml
@@ -0,0 +1,13 @@
---
- name: Get user accounts | os-09
command: "awk -F: '{print $1}' /etc/passwd"
changed_when: false
check_mode: false
register: users_accounts

- name: Delete .netrc-files from system | os-09
file:
dest: '~{{ item }}/.netrc'
state: 'absent'
loop: '{{ users_accounts.stdout_lines | flatten | default([]) }}'
when: item not in os_netrc_whitelist_user
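Review bot: `command:` and `file:` are short module names while every other new file in this PR uses FQCNs (`ansible.builtin.command`, `ansible.builtin.file`); use the same here for consistency with the collection's linting. The user list is taken from /etc/passwd only, so home directories of accounts provided by a directory service (LDAP/SSSD) are not covered; that limitation predates this PR but is worth stating next to `os_netrc_whitelist_user` in the README, because a reader will otherwise assume every user's `.netrc` is removed.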
7 changes: 1 addition & 6 deletions roles/os_hardening/tasks/rhosts.yml
@@ -9,15 +9,10 @@
file:
dest: '~{{ item }}/.rhosts'
state: 'absent'
with_flattened: '{{ users_accounts.stdout_lines | default([]) }}'
loop: '{{ users_accounts.stdout_lines | flatten | default([]) }}'

- name: Delete hosts.equiv from system | os-01
file:
dest: '/etc/hosts.equiv'
state: 'absent'

- name: Delete .netrc-files from system | os-09
file:
dest: '~{{ item }}/.netrc'
state: 'absent'
with_flattened: '{{ users_accounts.stdout_lines | default([]) }}'
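Review bot: in the rewritten `loop: '{{ users_accounts.stdout_lines | flatten | default([]) }}'` the `default([])` is applied after `flatten`, so if `users_accounts` were ever undefined the `flatten` filter would raise before the default could take effect; write it as `users_accounts.stdout_lines | default([]) | flatten` (the same ordering is used in the new tasks/netrc.yml). In practice the register always runs because the command task sets `check_mode: false`, so the `default` could also simply be dropped. Removing the `.netrc` block from this file is fine now that netrc.yml owns it.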