From 502fde7a64895259646e3ebc1e16bc983f3ad84a Mon Sep 17 00:00:00 2001 From: lhinds Date: Wed, 19 Apr 2017 10:48:45 +0100 Subject: [PATCH] Implements management of `/etc/login.defs` Enables management of shadow password directives in login.defs By allowing operators to set values in login.defs, they are able to improve password security for newly created system accounts. This change will in turn allow operators to adhere with security hardening frameworks, such as STIG DISA & CIS Security Benchmarks. bp login-defs Change-Id: Id4fe88cb9569f18f27f94c35b5c27a85fe7947ae Depends-On: Iec8c032adb44593da3770d3c6bb5a4655e463637 --- capabilities-map.yaml | 6 ++ .../scenario001-multinode-containers.yaml | 1 + environments/hyperconverged-ceph.yaml | 2 + environments/login-defs.yaml | 9 +++ overcloud-resource-registry-puppet.j2.yaml | 1 + puppet/services/login-defs.yaml | 66 +++++++++++++++++++ roles/BlockStorage.yaml | 1 + roles/CephStorage.yaml | 1 + roles/Compute.yaml | 1 + roles/ComputeHCI.yaml | 1 + roles/ComputeOvsDpdk.yaml | 1 + roles/ComputeSriov.yaml | 1 + roles/Controller.yaml | 1 + roles/ControllerOpenstack.yaml | 2 +- roles/Database.yaml | 1 + roles/IronicConductor.yaml | 1 + roles/Messaging.yaml | 1 + roles/Networker.yaml | 1 + roles/ObjectStorage.yaml | 1 + roles/Telemetry.yaml | 1 + roles/Undercloud.yaml | 1 + roles/UndercloudLight.yaml | 1 + roles_data.yaml | 5 ++ roles_data_undercloud.yaml | 1 + 24 files changed, 107 insertions(+), 1 deletion(-) create mode 100644 environments/login-defs.yaml create mode 100644 puppet/services/login-defs.yaml diff --git a/capabilities-map.yaml b/capabilities-map.yaml index c2ed54e972..0ed8dfcce4 100644 --- a/capabilities-map.yaml +++ b/capabilities-map.yaml 
@@ -531,6 +531,11 @@ topics: environments: - file: environments/securetty.yaml title: SecureTTY Values + - title: login.defs values + description: Set values within /etc/login.defs + environments: + - file: environments/login-defs.yaml + title: login.defs Values - title: Additional Services description: @@ -642,3 +647,4 @@ topics: description: requires: - overcloud-resource-registry-puppet.yaml + diff --git a/ci/environments/scenario001-multinode-containers.yaml b/ci/environments/scenario001-multinode-containers.yaml index 129eb02cec..c1ad42624c 100644 --- a/ci/environments/scenario001-multinode-containers.yaml +++ b/ci/environments/scenario001-multinode-containers.yaml @@ -36,6 +36,7 @@ parameter_defaults: - OS::TripleO::Services::Docker - OS::TripleO::Services::Kernel - OS::TripleO::Services::Keystone + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::GlanceApi - OS::TripleO::Services::HeatApi - OS::TripleO::Services::HeatApiCfn diff --git a/environments/hyperconverged-ceph.yaml b/environments/hyperconverged-ceph.yaml index fd4ecfd7fd..077b4ca6b8 100644 --- a/environments/hyperconverged-ceph.yaml +++ b/environments/hyperconverged-ceph.yaml @@ -52,3 +52,5 @@ parameter_defaults: - OS::TripleO::Services::Iscsid - OS::TripleO::Services::OVNController - OS::TripleO::Services::RsyslogSidecar + - OS::TripleO::Services::LoginDefs + diff --git a/environments/login-defs.yaml b/environments/login-defs.yaml new file mode 100644 index 0000000000..033bce02c8 --- /dev/null +++ b/environments/login-defs.yaml @@ -0,0 +1,9 @@ +resource_registry: + OS::TripleO::Services::LoginDefs: ../puppet/services/login-defs.yaml + +parameter_defaults: + PasswordMaxDays: 60 + PasswordMinDays: 1 + PasswordMinLen: 5 + PasswordWarnAge: 7 + FailDelay: 4 diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index 822478d88d..099ffeacaf 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml 
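Review bot: The sample values in environments/login-defs.yaml do not match the benchmarks the commit message cites: `PasswordMaxDays: 60` and `PasswordMinDays: 1` track the DISA STIG, but `PasswordMinLen: 5` is the stock shadow-utils default, well below the 14–15 character minimum those frameworks ask for, and nothing tells an operator these are illustrative rather than recommended. On PAM-based systems `PASS_MIN_LEN` from login.defs is also generally superseded by the `minlen` enforced by pam_pwquality/pam_cracklib, so length should not be expected to come from this file alone. These aging directives affect only accounts created after the change (as the commit message says); existing accounts keep their current shadow aging fields unless `chage` is run against them. I would add a header comment such as `# Sample values only: PasswordMaxDays/MinDays follow the DISA STIG; PasswordMinLen should be raised (and is normally enforced by pam_pwquality, not login.defs). Aging applies to newly created accounts; use chage for existing ones.`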
@@ -302,6 +302,7 @@ resource_registry: OS::TripleO::Services::VRTSHyperScale: OS::Heat::None OS::TripleO::Services::SkydiveAgent: OS::Heat::None OS::TripleO::Services::SkydiveAnalyzer: OS::Heat::None + OS::TripleO::Services::LoginDefs: OS::Heat::None # Logging OS::TripleO::Services::Logging::BarbicanApi: docker/services/logging/files/barbican-api.yaml diff --git a/puppet/services/login-defs.yaml b/puppet/services/login-defs.yaml new file mode 100644 index 0000000000..acd4a8faf2 --- /dev/null +++ b/puppet/services/login-defs.yaml 
@@ -0,0 +1,66 @@
+heat_template_version: pike
+description: >
+ Configure login.defs values
+
+parameters:
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ PasswordMaxDays:
+ default: {}
+ description: Set the maximum age allowed for passwords
+ type: number
+ PasswordMinDays:
+ default: {}
+ description: Set the minimum age allowed for passwords
+ type: number
+ PasswordWarnAge:
+ default: {}
+ description: Set the warning period for password expiration
+ type: number
+ PasswordMinLen:
+ default: {}
+ description: Set the minimum length allowed for passwords
+ type: number
+ FailDelay:
+ default: {}
+ description: The period of time between password retries
+ type: number
+
+outputs:
+ role_data:
+ description: Parameters for configuration of the login.defs file
+ value:
+ service_name: login_defs
+ config_settings:
+ tripleo::profile::base::login_defs::password_max_days: {get_param: PasswordMaxDays}
+ tripleo::profile::base::login_defs::password_min_days: {get_param: PasswordMinDays}
+ tripleo::profile::base::login_defs::password_warn_age: {get_param: PasswordWarnAge}
+ tripleo::profile::base::login_defs::password_min_len: {get_param: PasswordMinLen}
+ tripleo::profile::base::login_defs::fail_delay: {get_param: FailDelay}
+ step_config: |
+ include ::tripleo::profile::base::login_defs
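Review bot: All five password parameters (PasswordMaxDays through FailDelay) declare `type: number` but carry `default: {}`, a mapping rather than a number; Heat checks a parameter's default against its declared type, so I would expect this template to fail validation the moment it is included without every value overridden, and if it somehow passed, an empty dict would be handed to the puppet profile for writing into login.defs. Give each one a real numeric default (the stock shadow-utils login.defs values, so that merely enabling the service does not change policy) and a `range` constraint so a negative age or length is rejected at validation instead of landing in /etc/login.defs. The descriptions should also name the login.defs directive and unit each parameter presumably maps to — the puppet profile that consumes these settings lives in the Depends-On change and is not visible here, so that mapping should be confirmed against it. Representative rewrite below; the remaining three parameters follow the same pattern.
```yaml
# … unchanged: ServiceData … EndpointMap parameters …
  PasswordMaxDays:
    default: 99999
    description: >
      Maximum number of days a password may be used before it must be
      changed (PASS_MAX_DAYS in /etc/login.defs). Applies to accounts
      created after this is set; existing accounts need chage.
    type: number
    constraints:
      - range: {min: 1}
  PasswordMinDays:
    default: 0
    description: >
      Minimum number of days between password changes (PASS_MIN_DAYS
      in /etc/login.defs).
    type: number
    constraints:
      - range: {min: 0}
# … same pattern for PasswordWarnAge (PASS_WARN_AGE, days, default 7),
#   PasswordMinLen (PASS_MIN_LEN, characters, default 5) and
#   FailDelay (FAIL_DELAY, seconds) …
# … unchanged: outputs …
```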
diff --git a/roles/BlockStorage.yaml b/roles/BlockStorage.yaml index 351277bfe0..f16bff1792 100644 --- a/roles/BlockStorage.yaml +++ b/roles/BlockStorage.yaml @@ -19,6 +19,7 @@ - OS::TripleO::Services::Fluentd - OS::TripleO::Services::Iscsid - OS::TripleO::Services::Kernel + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::MySQLClient - OS::TripleO::Services::Ntp - OS::TripleO::Services::ContainersLogrotateCrond diff --git a/roles/CephStorage.yaml b/roles/CephStorage.yaml index 6b6073b717..e7efd5f3db 100644 --- a/roles/CephStorage.yaml +++ b/roles/CephStorage.yaml @@ -16,6 +16,7 @@ - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd - OS::TripleO::Services::Kernel + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::MySQLClient - OS::TripleO::Services::Ntp - OS::TripleO::Services::ContainersLogrotateCrond diff --git a/roles/Compute.yaml b/roles/Compute.yaml index 60dcbc86c9..7bcab4d6c9 100644 --- a/roles/Compute.yaml +++ b/roles/Compute.yaml @@ -36,6 +36,7 @@ - OS::TripleO::Services::Fluentd - OS::TripleO::Services::Iscsid - OS::TripleO::Services::Kernel + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::MySQLClient - OS::TripleO::Services::NeutronBgpVpnBagpipe - OS::TripleO::Services::NeutronLinuxbridgeAgent diff --git a/roles/ComputeHCI.yaml b/roles/ComputeHCI.yaml index d9f0bc3985..3e6242cc4f 100644 --- a/roles/ComputeHCI.yaml +++ b/roles/ComputeHCI.yaml @@ -27,6 +27,7 @@ - OS::TripleO::Services::Fluentd - OS::TripleO::Services::Iscsid - OS::TripleO::Services::Kernel + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::MySQLClient - OS::TripleO::Services::NeutronBgpVpnBagpipe - OS::TripleO::Services::NeutronLinuxbridgeAgent diff --git a/roles/ComputeOvsDpdk.yaml b/roles/ComputeOvsDpdk.yaml index 9bf0a44096..ac9be84837 100644 --- a/roles/ComputeOvsDpdk.yaml +++ b/roles/ComputeOvsDpdk.yaml 
@@ -27,6 +27,7 @@ - OS::TripleO::Services::Fluentd - OS::TripleO::Services::Iscsid - OS::TripleO::Services::Kernel + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::MySQLClient - OS::TripleO::Services::NeutronBgpVpnBagpipe - OS::TripleO::Services::NovaCompute diff --git a/roles/ComputeSriov.yaml b/roles/ComputeSriov.yaml index 415577f22f..1082c49bae 100644 --- a/roles/ComputeSriov.yaml +++ b/roles/ComputeSriov.yaml @@ -27,6 +27,7 @@ - OS::TripleO::Services::Fluentd - OS::TripleO::Services::Iscsid - OS::TripleO::Services::Kernel + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::MySQLClient - OS::TripleO::Services::NeutronBgpVpnBagpipe - OS::TripleO::Services::NeutronSriovAgent diff --git a/roles/Controller.yaml b/roles/Controller.yaml index 40456e559a..590b186a56 100644 --- a/roles/Controller.yaml +++ b/roles/Controller.yaml @@ -76,6 +76,7 @@ - OS::TripleO::Services::Keepalived - OS::TripleO::Services::Kernel - OS::TripleO::Services::Keystone + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::ManilaApi - OS::TripleO::Services::ManilaBackendCephFs - OS::TripleO::Services::ManilaBackendIsilon diff --git a/roles/ControllerOpenstack.yaml b/roles/ControllerOpenstack.yaml index 221d8d9906..1d59aee831 100644 --- a/roles/ControllerOpenstack.yaml +++ b/roles/ControllerOpenstack.yaml @@ -61,6 +61,7 @@ - OS::TripleO::Services::Keepalived - OS::TripleO::Services::Kernel - OS::TripleO::Services::Keystone + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::ManilaApi - OS::TripleO::Services::ManilaBackendCephFs - OS::TripleO::Services::ManilaBackendIsilon @@ -118,4 +119,3 @@ - OS::TripleO::Services::Tuned - OS::TripleO::Services::Vpp - OS::TripleO::Services::Zaqar - diff --git a/roles/Database.yaml b/roles/Database.yaml index 2a91068dbd..e890272f25 100644 --- a/roles/Database.yaml +++ b/roles/Database.yaml 
@@ -16,6 +16,7 @@ - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd - OS::TripleO::Services::Kernel + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::MySQL - OS::TripleO::Services::MySQLClient - OS::TripleO::Services::Ntp diff --git a/roles/IronicConductor.yaml b/roles/IronicConductor.yaml index 550ad9744b..6463a68a63 100644 --- a/roles/IronicConductor.yaml +++ b/roles/IronicConductor.yaml @@ -15,6 +15,7 @@ - OS::TripleO::Services::IronicConductor - OS::TripleO::Services::IronicPxe - OS::TripleO::Services::Kernel + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::MySQLClient - OS::TripleO::Services::Ntp - OS::TripleO::Services::ContainersLogrotateCrond diff --git a/roles/Messaging.yaml b/roles/Messaging.yaml index 1a4c403ed6..519d0a6c0e 100644 --- a/roles/Messaging.yaml +++ b/roles/Messaging.yaml @@ -15,6 +15,7 @@ - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd - OS::TripleO::Services::Kernel + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::Ntp - OS::TripleO::Services::ContainersLogrotateCrond - OS::TripleO::Services::Pacemaker diff --git a/roles/Networker.yaml b/roles/Networker.yaml index 7f8a943689..5b129dc70a 100644 --- a/roles/Networker.yaml +++ b/roles/Networker.yaml @@ -16,6 +16,7 @@ - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd - OS::TripleO::Services::Kernel + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::MySQLClient - OS::TripleO::Services::NeutronDhcpAgent - OS::TripleO::Services::NeutronL2gwAgent diff --git a/roles/ObjectStorage.yaml b/roles/ObjectStorage.yaml index 9367eb109d..136fe626d3 100644 --- a/roles/ObjectStorage.yaml +++ b/roles/ObjectStorage.yaml @@ -24,6 +24,7 @@ - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd - OS::TripleO::Services::Kernel + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::MySQLClient - OS::TripleO::Services::Ntp - OS::TripleO::Services::ContainersLogrotateCrond 
diff --git a/roles/Telemetry.yaml b/roles/Telemetry.yaml index d24f1ff02c..aa0284cf2b 100644 --- a/roles/Telemetry.yaml +++ b/roles/Telemetry.yaml @@ -21,6 +21,7 @@ - OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiStatsd - OS::TripleO::Services::Keystone + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::MySQL - OS::TripleO::Services::Ntp - OS::TripleO::Services::ContainersLogrotateCrond diff --git a/roles/Undercloud.yaml b/roles/Undercloud.yaml index 67f5c214d2..6e360df8cc 100644 --- a/roles/Undercloud.yaml +++ b/roles/Undercloud.yaml @@ -23,6 +23,7 @@ - OS::TripleO::Services::IronicPxe - OS::TripleO::Services::Iscsid - OS::TripleO::Services::Keystone + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::Memcached - OS::TripleO::Services::MistralApi - OS::TripleO::Services::MistralEngine diff --git a/roles/UndercloudLight.yaml b/roles/UndercloudLight.yaml index c365efef8a..7a809b353c 100644 --- a/roles/UndercloudLight.yaml +++ b/roles/UndercloudLight.yaml @@ -19,6 +19,7 @@ - OS::TripleO::Services::HeatApiCfn - OS::TripleO::Services::HeatEngine - OS::TripleO::Services::Keystone + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::Memcached - OS::TripleO::Services::MistralApi - OS::TripleO::Services::MistralEngine diff --git a/roles_data.yaml b/roles_data.yaml index cbd7145ed1..ffe6211bdc 100644 --- a/roles_data.yaml +++ b/roles_data.yaml @@ -79,6 +79,7 @@ - OS::TripleO::Services::Keepalived - OS::TripleO::Services::Kernel - OS::TripleO::Services::Keystone + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::ManilaApi - OS::TripleO::Services::ManilaBackendCephFs - OS::TripleO::Services::ManilaBackendIsilon @@ -187,6 +188,7 @@ - OS::TripleO::Services::Fluentd - OS::TripleO::Services::Iscsid - OS::TripleO::Services::Kernel + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::MySQLClient - OS::TripleO::Services::NeutronBgpVpnBagpipe - OS::TripleO::Services::NeutronLinuxbridgeAgent 
@@ -230,6 +232,7 @@ - OS::TripleO::Services::Fluentd - OS::TripleO::Services::Iscsid - OS::TripleO::Services::Kernel + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::MySQLClient - OS::TripleO::Services::Ntp - OS::TripleO::Services::ContainersLogrotateCrond @@ -268,6 +271,7 @@ - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd - OS::TripleO::Services::Kernel + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::MySQLClient - OS::TripleO::Services::Ntp - OS::TripleO::Services::ContainersLogrotateCrond @@ -300,6 +304,7 @@ - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd - OS::TripleO::Services::Kernel + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::MySQLClient - OS::TripleO::Services::Ntp - OS::TripleO::Services::ContainersLogrotateCrond diff --git a/roles_data_undercloud.yaml b/roles_data_undercloud.yaml index 49a5864538..d5e9c2cb50 100644 --- a/roles_data_undercloud.yaml +++ b/roles_data_undercloud.yaml @@ -26,6 +26,7 @@ - OS::TripleO::Services::IronicPxe - OS::TripleO::Services::Iscsid - OS::TripleO::Services::Keystone + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::Memcached - OS::TripleO::Services::MistralApi - OS::TripleO::Services::MistralEngine