From 8e7f586ff2c52a7a30cf55973ba8a15303dcdff1 Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Tue, 8 Sep 2020 19:17:27 +0200
Subject: [PATCH 1/2] Fix ansible remediation of accounts_max_concurrent_login_sessions. Add test scenarios.
---
 .../ansible/shared.yml | 27 +++++++++++++++++--
 .../tests/correct_value.pass.sh | 2 ++
 .../tests/correct_value_2.pass.sh | 2 ++
 .../tests/line_not_there.fail.sh | 2 ++
 .../tests/wrong_value_1000.fail.sh | 2 ++
 .../tests/wrong_value_1000_limits_d.fail.sh | 3 +++
 6 files changed, 36 insertions(+), 2 deletions(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value_2.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/line_not_there.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000_limits_d.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
index ed3d15331a..f901edee4d 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
@@ -3,7 +3,29 @@ # strategy = restrict # complexity = low # disruption = low -- (xccdf-var var_accounts_max_concurrent_login_sessions) + +{{{ ansible_instantiate_variables("var_accounts_max_concurrent_login_sessions") }}} + +- name: Find /etc/security/limits.d files contains maxlogins configuration + shell: "grep -q '^[^#]*\\' /etc/security/limits.d/*.conf" + register: maxlogins + failed_when: False + +- name: Find /etc/security/limits.d files contains maxlogins configuration 2 + find: + paths: + - /etc/security/limits.d + register: configuration_files + when: maxlogins.rc == 0 + +- name: "Limit the Number of Concurrent Login Sessions Allowed Per User limits.d" + replace: + dest: "{{ item.path }}" + regexp: "^#?\\*.*maxlogins.*" + replace: "* hard maxlogins {{ var_accounts_max_concurrent_login_sessions }}" + with_items: + - "{{ configuration_files.files }}" + when: maxlogins.rc == 0 - name: "Limit the Number of Concurrent Login Sessions Allowed Per User" lineinfile: @@ -11,5 +33,6 @@ dest: /etc/security/limits.conf insertbefore: "^# End of file" regexp: "^#?\\*.*maxlogins" - line: "* hard maxlogins {{ var_accounts_max_concurrent_login_sessions }}" + line: "* hard maxlogins {{ var_accounts_max_concurrent_login_sessions }}" create: yes + when: maxlogins.rc != 0 # no files found on /etc/security/limits.d diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value.pass.sh new file mode 100644 index 0000000000..0edb1e2873 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value.pass.sh @@ -0,0 +1,2 @@ +#!/bin/bash +echo "* hard maxlogins 1" >> /etc/security/limits.conf 
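Review bot: The `shell: "grep -q '^[^#]*\\' /etc/security/limits.d/*.conf"` task in this hunk hands grep the pattern `^[^#]*\` once YAML turns `\\` into `\`; a pattern ending in a lone backslash is a regex error for GNU grep (exit status 2), and `failed_when: False` masks it, so `maxlogins.rc == 0` is never true, the limits.d branch never runs and the limits.conf task further down runs unconditionally. PATCH 2/2 of this series replaces the grep with the `find` module's `contains` filter, so the defect does not survive the series, but as a standalone commit this one does not remediate limits.d at all; consider squashing the two commits so each point in the history is correct. In the same hunk the two discovery tasks are named `... contains maxlogins configuration` and `... configuration 2`, which makes play output hard to read; the second patch renames one of them, which is welcome.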
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value_2.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value_2.pass.sh
new file mode 100644
index 0000000000..a58f18abf1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value_2.pass.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+echo "* hard maxlogins 1" >> /etc/security/limits.d/limits.conf
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/line_not_there.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/line_not_there.fail.sh
new file mode 100644
index 0000000000..05a7907cf5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/line_not_there.fail.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000.fail.sh
new file mode 100644
index 0000000000..bbf7622d87
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000.fail.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+echo "* hard maxlogins 1000" >> /etc/security/limits.conf
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000_limits_d.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000_limits_d.fail.sh
new file mode 100644
index 0000000000..49ed331a3e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000_limits_d.fail.sh
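Review bot: `correct_value_2.pass.sh` appends to `/etc/security/limits.d/limits.conf` without first making sure the directory exists, while the sibling scenario `wrong_value_1000_limits_d.fail.sh` in this series runs `mkdir -p /etc/security/limits.d/` before writing there. On a test image where `/etc/security/limits.d` is absent the redirection fails, bash continues (there is no `set -e`), and the "pass" scenario then checks a system that has no maxlogins line at all. Add `mkdir -p /etc/security/limits.d/` before the `echo` so the setup is self-contained and matches the fail scenario.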
@@ -0,0 +1,3 @@
+#!/bin/bash
+mkdir -p /etc/security/limits.d/
+echo "* hard maxlogins 1000" >> /etc/security/limits.d/limits.conf
From c84d31d789675ac2373bc1dec5cb218f15a06ec0 Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Wed, 9 Sep 2020 14:05:53 +0200
Subject: [PATCH 2/2] Use ansible find module in accounts_max_concurrent_login_sessions.
---
 .../ansible/shared.yml | 22 +++++++------------
 1 file changed, 8 insertions(+), 14 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
index f901edee4d..9d50a9d20c 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
@@ -6,26 +6,20 @@ {{{ ansible_instantiate_variables("var_accounts_max_concurrent_login_sessions") }}} -- name: Find /etc/security/limits.d files contains maxlogins configuration - shell: "grep -q '^[^#]*\\' /etc/security/limits.d/*.conf" - register: maxlogins - failed_when: False - -- name: Find /etc/security/limits.d files contains maxlogins configuration 2 +- name: Find /etc/security/limits.d files containing maxlogins configuration find: - paths: - - /etc/security/limits.d - register: configuration_files - when: maxlogins.rc == 0 + paths: "/etc/security/limits.d" + contains: '^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins' + patterns: "*.conf" + register: maxlogins -- name: "Limit the Number of Concurrent Login Sessions Allowed Per User limits.d" +- name: "Limit the Number of Concurrent Login Sessions Allowed Per User in files from limits.d" replace: dest: "{{ item.path }}" regexp: "^#?\\*.*maxlogins.*" replace: "* hard maxlogins {{ var_accounts_max_concurrent_login_sessions }}" with_items: - - "{{ configuration_files.files }}" - when: maxlogins.rc == 0 + - "{{ maxlogins.files }}" - name: "Limit the Number of Concurrent Login Sessions Allowed Per User" lineinfile: @@ -35,4 +29,4 @@ regexp: "^#?\\*.*maxlogins" line: "* hard maxlogins {{ var_accounts_max_concurrent_login_sessions }}" create: yes - when: maxlogins.rc != 0 # no files found on /etc/security/limits.d + when: maxlogins.matched == 0 # no files found on /etc/security/limits.d matching maxlogins
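Review bot: The `replace` task's `regexp: "^#?\\*.*maxlogins.*"` is wider than the `contains` filter on the new `find` task above it: `find` selects only files that hold a `* hard maxlogins` or `* - maxlogins` line, but `replace` then rewrites every `*...maxlogins` line in those files, so an existing `* soft maxlogins N` entry becomes a second `* hard maxlogins` line and the soft limit is silently dropped. Align the two expressions so only the hard/`-` entries (and their commented-out forms, which the `#?` already covers) are rewritten, e.g. `regexp: '^#?\*[\s]+(?:hard|-)[\s]+maxlogins.*'`. The `lineinfile` task in the next hunk uses the same wide `regexp`, but it touches a single line, so the mismatch only bites in this `replace` loop.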
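Review bot: The inline comment on the new `when: maxlogins.matched == 0` line, "no files found on /etc/security/limits.d matching maxlogins", understates what the condition covers: `matched` is also 0 when limits.d holds only `soft` maxlogins lines (the `contains` filter in the previous hunk does not select those) and, presumably, when the directory does not exist at all, and in every such case the play falls back to limits.conf, so say that instead, e.g. `# nothing in limits.d sets a hard maxlogins; fall back to limits.conf`. Worth noting near the same line: when a limits.d file is matched, a non-compliant `* hard maxlogins` line already present in limits.conf is left as is; pam_limits reads limits.d after limits.conf so the remediated value should take precedence, but the remediation now relies on that ordering and a one-line comment would make that explicit. The `lineinfile` task this line belongs to starts outside the hunk.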