Merge pull request #798 from abhishek-sa1/control_plane_security

Issue  #797: Configure authentication alerting

control_plane/input_params/login_vars.yml

@@ -98,8 +98,8 @@ powervault_me4_password: ""
 # and will be added to the instance of directory server created for IPA.
 # The password must be at least 8 characters long
 # The password must not contain -,\, ',"
-directory_manager_password: ""
+ms_directory_manager_password: ""
 
 # The IPA server requires an administrative user, named 'admin'.
 # This user is a regular system account used for IPA server administration
-ipa_admin_password: ""
+ms_ipa_admin_password: ""

control_plane/input_params/security_vars.yml

@@ -11,6 +11,7 @@
 #  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 #  See the License for the specific language governing permissions and
 #  limitations under the License.
+---
 
 # This variable is used to accept the domain name the user intends to configure
 # Eg: ipa.test
@@ -44,3 +45,8 @@ lockout_duration: 10
 # Min: 90
 # Max: 180
 session_timeout: 180
+
+# Email address used for sending alerts in case of authentication failure
+# If this variable is left blank, authentication failure alerts will be disabled.
+# Required value
+alert_email_address: ""

control_plane/roles/control_plane_common/tasks/fetch_security_inputs.yml

@@ -43,6 +43,67 @@
     success_msg: "{{ realm_success_msg }}"
     fail_msg: "{{ realm_fail_msg }}"
   tags: [ validate, security ]
+  
+- name: Fetch the short hostname
+  command: hostname -s
+  register: short_hostname
+  changed_when: false
+  tags: [ validate, security ]
+
+- name: Verify the hostname is not blank in hostname
+  fail:
+    msg: " {{ hostname_blank_msg }}"
+  when: short_hostname.stdout | length < 1
+  tags: [ validate, security ]
+
+- name: Validate the host name
+  assert:
+    that:
+      - short_hostname.stdout is regex(("^(([a-z]|[a-z][a-z0-9\-]*[a-z0-9])\.)*([a-z]|[a-z][a-z0-9\-]*[a-z0-9])$"))
+      - short_hostname.stdout != "localhost"
+    success_msg: "{{ server_hostname_success }}"
+    fail_msg: "{{ server_hostname_fail }}"
+  tags: [ validate, security ]
+
+- name: Fetch the domain name
+  command: hostname -d
+  register: domain_name_set
+  changed_when: false
+  tags: [ validate, security ]
+
+- name: Verify the domain name is not blank in hostname
+  fail:
+    msg: " {{ domain_name_blank_msg }}"
+  when: domain_name_set.stdout | length < 1
+  tags: [ validate, security ]
+
+- name: Set fact for the domain name in hostname
+  set_fact:
+    ms_domain_name: "{{ domain_name_set.stdout }}"
+  tags: [ validate, security ]
+
+- name: Validate the domain name set on the host
+  assert:
+    that:
+      - domain_name == ms_domain_name
+    success_msg: "{{ server_domain_name_success }}"
+    fail_msg: "{{ server_domain_name_fail }}"
+  tags: [ validate, security ]
+
+- name: Get the hostname
+  command: hostname
+  register: machine_hostname
+  changed_when: false
+  tags: [ validate, security ]
+
+- name: Add host name in hosts file
+  lineinfile:
+    dest: "{{ hosts_file_path }}"
+    line: "{{ public_ip }} {{ machine_hostname.stdout }}"
+    state: present
+    create: yes
+    mode: "{{ hosts_file_mode }}"
+  tags: [ validate, security ]
 
 - name: Validate max_failures
   assert:
@@ -81,3 +142,19 @@
     success_msg: "{{ session_timeout_success_msg }}"
     fail_msg: "{{ session_timeout_fail_msg }}"
   tags: [ validate, security ]
+
+- name: Validate alert_email_address
+  assert:
+    that:
+      - email_search_key in alert_email_address
+      - alert_email_address | length < email_max_length
+    success_msg: "{{ alert_email_success_msg }}"
+    fail_msg: "{{ alert_email_fail_msg }}"
+  tags: [ validate, security ]
+  when: alert_email_address | length > 1
+
+- name: Warning - alert_email_address is empty
+  debug:
+    msg: "{{ alert_email_warning_msg }}"
+  tags: security
+  when: alert_email_address | length < 1

control_plane/roles/control_plane_common/tasks/verify_login_inputs.yml

@@ -49,8 +49,8 @@
     msg: "{{ login_input_config_failure_msg }} for ipa server installation"
   tags: [ validate, security ]
   when:
-    - ( directory_manager_password | length < 1 or
-      ipa_admin_password | length < 1 ) and
+    - ( ms_directory_manager_password | length < 1 or
+      ms_ipa_admin_password | length < 1 ) and
       enable_security_support
 
 - name: Assert provision credentials
@@ -220,29 +220,29 @@
   when: powervault_support
   tags: [ validate, network-device ]
 
-- name: Assert directory_manager_password
+- name: Assert ms_directory_manager_password
   assert:
     that:
-      - directory_manager_password | length > min_length | int - 1
-      - directory_manager_password | length < max_length | int + 1
-      - '"-" not in directory_manager_password '
-      - '"\\" not in directory_manager_password '
-      - '"\"" not in directory_manager_password '
-      - " \"'\" not in directory_manager_password "
+      - ms_directory_manager_password | length > min_length | int - 1
+      - ms_directory_manager_password | length < max_length | int + 1
+      - '"-" not in ms_directory_manager_password '
+      - '"\\" not in ms_directory_manager_password '
+      - '"\"" not in ms_directory_manager_password '
+      - " \"'\" not in ms_directory_manager_password "
     success_msg: "{{ success_msg_dir_manager_password }}"
     fail_msg: "{{ fail_msg_dir_manager_password }}"
   when: enable_security_support
   tags: [ validate, security ]
 
-- name: Assert ipa_admin_password
+- name: Assert ms_ipa_admin_password
   assert:
     that:
-      - ipa_admin_password | length > min_length | int - 1
-      - ipa_admin_password | length < max_length | int + 1
-      - '"-" not in ipa_admin_password '
-      - '"\\" not in ipa_admin_password '
-      - '"\"" not in ipa_admin_password '
-      - " \"'\" not in ipa_admin_password "
+      - ms_ipa_admin_password | length > min_length | int - 1
+      - ms_ipa_admin_password | length < max_length | int + 1
+      - '"-" not in ms_ipa_admin_password '
+      - '"\\" not in ms_ipa_admin_password '
+      - '"\"" not in ms_ipa_admin_password '
+      - " \"'\" not in ms_ipa_admin_password "
     success_msg: "{{ success_msg_ipa_admin_pwd }}"
     fail_msg: "{{ fail_msg_ipa_admin_pwd }}"
   when: enable_security_support

control_plane/roles/control_plane_common/vars/main.yml

@@ -219,6 +219,14 @@ dom_name_success_msg: "domain name successfully validated"
 dom_name_fail_msg: "Failed. Incorrect format provided for domain name in security_vars.yml"
 realm_success_msg: "realm_name successfully validated"
 realm_fail_msg: "Failed. Incorrect realm_name format in security_vars.yml"
+domain_name_blank_msg: "Failed. Domain name is not set in hostname It should have hostname.domain_name format"
+server_domain_name_success: "Domain name in server hostname validated"
+server_domain_name_fail: "Failed. Domain name set is not same as domain name in security_vars.yml"
+hosts_file_path: /etc/hosts
+hosts_file_mode: "0644"
+hostname_blank_msg: "Failed. Domain name is not set in hostname It should have hostname.domain_name format"
+server_hostname_success: "Hostname in server hostname validated"
+server_hostname_fail: "Failed. Hostname set is not valid"
 max_failures_success_msg: "max_failures successfully validated"
 max_failures_fail_msg: "Failed. Incorrect max_failures value in security_vars.yml"
 failure_reset_interval_success_msg: "failure_reset_interval successfully validated"
@@ -234,10 +242,15 @@ lockout_duration_min_value: 5
 lockout_duration_max_value: 10
 session_timeout_min_value: 90
 session_timeout_max_value: 180
+alert_email_success_msg: "alert_email_address successfully validated"
+alert_email_fail_msg: "Failed. Incorrect alert_email_address value in security_vars.yml"
+alert_email_warning_msg: "[WARNING] alert_email_address is empty. Authentication failure alerts won't be configured."
+email_max_length: 320
+email_search_key: "@"
 
 # Usage: validate_idrac_vars.yml
 idrac_input_filename: input_params/idrac_vars.yml
 firmware_update_success_msg: "firmware_update_required validated"
 firmware_update_fail_msg: "Failed. firmware_update_required accepts only true or false in idrac_vars.yml"
 poweredge_model_success_msg: "poweredge_model validated"
-poweredge_model_fail_msg: "Failed. poweredge_model is incorrect or unsupported. Please update the list with the supported models in the correct format"
+poweredge_model_fail_msg: "Failed. poweredge_model is incorrect or unsupported. Please update the list with the supported models in the correct format"

control_plane/roles/control_plane_security/files/auth_failure_check.yml

@@ -0,0 +1,62 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Authentication failure alert mail
+  hosts: localhost
+  connection: local
+  vars:
+    alert_file_path: /tmp/alerting
+    auth_failure_check_time: 60
+    auth_failure_search_key: "authentication failure"
+    auth_failure_info_file: "{{ alert_file_path }}/auth_failure_{{ ansible_date_time.iso8601_basic_short }}.txt"
+    auth_failure_mail_subject: "Alert - Authentication Failure"
+    auth_failure_mail_body: "Attached the authentication failure report"
+    auth_failure_mail_sender: omnia-alert
+    file_mode: 644
+  tasks:
+    - name: Check auth failure in last {{ auth_failure_check_time }} minutes
+      shell: journalctl -u sshd --since "{{ auth_failure_check_time }} minutes ago" | grep "{{ auth_failure_search_key }}"
+      changed_when: false
+      failed_when: false
+      register: auth_failure_check
+
+    - name: Create alerting log directory
+      file:
+        path: "{{ alert_file_path }}"
+        state: directory
+        mode: "{{ file_mode }}"
+
+    - name: Save the authentication failure info
+      copy:
+        dest: "{{ auth_failure_info_file }}"
+        content: |
+          "{{ auth_failure_check.stdout }}"
+        mode: "{{ file_mode }}"
+      when: auth_failure_search_key in auth_failure_check.stdout
+
+    - name: Sent mail on auth failure
+      community.general.mail:
+        subject: "{{ auth_failure_mail_subject }}"
+        body: "{{ auth_failure_mail_body }}"
+        sender: "{{ auth_failure_mail_sender }}"
+        to: "{{ alert_email_address }}"
+        attach:
+          - "{{ auth_failure_info_file }}"
+      when: auth_failure_search_key in auth_failure_check.stdout
+
+    - name: Delete the authentication failure info file
+      file:
+        path: "{{ auth_failure_info_file }}"
+        state: absent

control_plane/roles/control_plane_security/tasks/check_prerequisites.yml

@@ -26,20 +26,6 @@
   set_fact:
     server_hostname_ms: "{{ new_serv_hostname.stdout }}"
 
-- name: Create files directory
-  file:
-    path: "{{ role_path }}/files"
-    state: directory
-    mode: "{{ file_mode }}"
-    
-- name: Save the hostname
-  copy:
-    dest: "{{ server_file }}"
-    content: |
-      ipaddress: "{{ public_ip }}"
-      server_hostname: "{{ server_hostname_ms }}"
-      server_domain: "{{ domain_name }}"
-    mode: "{{ file_mode }}"
     
 - name: Check freeipa ui accessible or not
   uri:
@@ -50,7 +36,7 @@
   failed_when: false
 
 - name: Check freeipa admin authentication
-  shell: set -o pipefail && echo $'{{ ipa_admin_password }}' | kinit {{ ipa_admin_username }}
+  shell: set -o pipefail && echo $'{{ ms_ipa_admin_password }}' | kinit {{ ms_ipa_admin_username }}
   register: freeipa_authentication
   no_log: true
   changed_when: false

control_plane/roles/control_plane_security/tasks/configure_alerting.yml

@@ -0,0 +1,35 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Install mailx and postfix
+  package:
+    name: "{{ mail_packages }}"
+    state: present
+
+- name: Start postfix service
+  systemd:
+    name: postfix
+    state: started
+
+- name: Fetch ansible-playbook path
+  command: whereis ansible-playbook
+  changed_when: false
+  register: ansible_playbook_path
+
+- name: Schedule cron job for alerting
+  cron:
+    name: Auth failure alerting
+    special_time: hourly
+    job: "{{ ansible_playbook_path.stdout.split(' ')[1] }} {{ role_path }}/files/auth_failure_check.yml -e 'alert_email_address={{ alert_email_address }}'"

control_plane/roles/control_plane_security/tasks/enable_dnf_module.yml

@@ -13,9 +13,6 @@
 #  limitations under the License.
 ---
 
-- name: Enable module idm in Rocky or CentOS
+- name: Enable module idm
   command: dnf module enable idm:DL1 -y
   changed_when: false
-  when:
-    - ( os_supported_centos in mgmt_os ) or
-      ( os_supported_rocky in mgmt_os )

control_plane/roles/control_plane_security/tasks/firewall_settings.yml

@@ -17,14 +17,12 @@
   package:
     name: firewalld
     state: present
-  tags: firewalld
 
 - name: Start and enable firewalld
   service:
     name: firewalld
     state: started
     enabled: yes
-  tags: firewalld
 
 - name: Firewall ports addition - tcp/udp ports
   firewalld:
@@ -45,16 +43,13 @@
     - "{{ dns_port2 }}"
     - "{{ ntp_port1 }}"
     - "{{ dt_port1 }}"
-  tags: firewalld
 
 - name: Reload firewalld
   command: firewall-cmd --reload
   changed_when: true
-  tags: firewalld
 
 - name: Stop and disable firewalld
   service:
     name: firewalld
     state: stopped
     enabled: no
-  tags: firewalld

control_plane/roles/control_plane_security/tasks/install_ipa_server.yml

@@ -13,18 +13,15 @@
 #  limitations under the License.
 ---
 
-- name: Install ipa server in CentOS > 8 or Rocky 8.4
+- name: Install ipa server in CentOS or Rocky
   command: >-
-    ipa-server-install -n '{{ domain_name }}' --hostname='{{ server_hostname_ms }}' -a '{{ ipa_admin_password }}'
-    -p '{{ directory_manager_password }}' -r '{{ realm_name }}' --setup-dns --no-forwarders --no-reverse --no-ntp -U
+    ipa-server-install -n '{{ domain_name }}' --hostname='{{ server_hostname_ms }}' -a '{{ ms_ipa_admin_password }}'
+    -p '{{ ms_directory_manager_password }}' -r '{{ realm_name }}' --setup-dns --no-forwarders --no-reverse --no-ntp -U
   changed_when: true
   no_log: true
-  when:
-    - ( os_supported_centos in mgmt_os ) or
-      ( os_supported_rocky in mgmt_os )
-
+  
 - name: Authenticate as admin
-  shell: set -o pipefail && echo $'{{ ipa_admin_password }}' | kinit {{ ipa_admin_username }}
+  shell: set -o pipefail && echo $'{{ ms_ipa_admin_password }}' | kinit {{ ms_ipa_admin_username }}
   no_log: true
   changed_when: false
 
@@ -34,3 +31,12 @@
     dest: "{{ resolv_conf_path }}"
     mode: "{{ file_mode }}"
     remote_src: yes
+
+- name: Save the hostname
+  copy:
+    dest: "{{ server_file }}"
+    content: |
+      ipaddress: "{{ hpc_ip }}"
+      server_hostname: "{{ server_hostname_ms }}"
+      server_domain: "{{ domain_name }}"
+    mode: "{{ file_mode }}"

control_plane/roles/control_plane_security/tasks/ipa_configuration.yml

@@ -19,8 +19,8 @@
     failinterval: "{{ failure_reset_interval }}"
     lockouttime: "{{ lockout_duration }}"
     ipa_host: "{{ server_hostname_ms }}"
-    ipa_user: "{{ ipa_admin_username }}"
-    ipa_pass: "{{ ipa_admin_password }}"
+    ipa_user: "{{ ms_ipa_admin_username }}"
+    ipa_pass: "{{ ms_ipa_admin_password }}"
 
 - name: Create sysadmin group
   community.general.ipa_group:
@@ -28,8 +28,8 @@
     description: "{{ sysadmin_group_description }}"
     state: present
     ipa_host: "{{ server_hostname_ms }}"
-    ipa_user: "{{ ipa_admin_username }}"
-    ipa_pass: "{{ ipa_admin_password }}"
+    ipa_user: "{{ ms_ipa_admin_username }}"
+    ipa_pass: "{{ ms_ipa_admin_password }}"
     
 - name: Create sysadmin_sudo rule
   community.general.ipa_sudorule:
@@ -42,5 +42,5 @@
     usergroup:
       - "{{ sysadmin_user_group }}"
     ipa_host: "{{ server_hostname_ms }}"
-    ipa_user: "{{ ipa_admin_username }}"
-    ipa_pass: "{{ ipa_admin_password }}"
+    ipa_user: "{{ ms_ipa_admin_username }}"
+    ipa_pass: "{{ ms_ipa_admin_password }}"

control_plane/roles/control_plane_security/tasks/main.yml

@@ -14,29 +14,32 @@
 ---
 
 - block:
-    - name: Check freeipa installed or not
-      include_tasks: check_prerequisites.yml
-
     - block:
-        - name: Add ports of manager and login node to firewall
-          include_tasks: firewall_settings.yml
+        - name: Check freeipa installed or not
+          include_tasks: check_prerequisites.yml
+
+        - block:
+            - name: Add ports of manager and login node to firewall
+              include_tasks: firewall_settings.yml
 
-        - name: Enable module idm in Rocky or Centos >= 8.0
-          include_tasks: enable_dnf_module.yml
+            - name: Enable module idm
+              include_tasks: enable_dnf_module.yml
 
-        - name: Install required packages
-          include_tasks: install_packages.yml
+            - name: Install required packages
+              include_tasks: install_packages.yml
 
-        - name: Install FreeIPA server
-          include_tasks: install_ipa_server.yml
-      when: not freeipa_status
-    
-    - name: FreeIPA configuration
-      include_tasks: ipa_configuration.yml
+            - name: Install FreeIPA server
+              include_tasks: install_ipa_server.yml
+          when: not freeipa_status
+        
+        - name: FreeIPA configuration
+          include_tasks: ipa_configuration.yml
+      when: os_supported_leap not in mgmt_os
 
     - name: Session timeout configuration
       include_tasks: session_timeout.yml
-  when: 
-    - enable_security_support
-    - ( os_supported_centos in mgmt_os ) or
-      ( os_supported_rocky in mgmt_os )
+
+    - name: Alert configuration
+      include_tasks: configure_alerting.yml
+      when: alert_email_address | length > 1
+  when: enable_security_support

control_plane/roles/control_plane_security/vars/main.yml

@@ -46,7 +46,7 @@ ipa_server_packages:
 # Usage: install_ipa_server.yml
 resolv_conf_path: /etc/resolv.conf
 temp_resolv_conf_path: /tmp/resolv.conf
-ipa_admin_username: admin
+ms_ipa_admin_username: admin
 
 # Usage: ipa_configuration.yml
 sysadmin_sudo_rule: sysadmin_sudo
@@ -56,3 +56,8 @@ sysadmin_group_description: "User group with sudo permission"
 
 # Usage: session_timeout.yml
 sshd_conf_file: /etc/ssh/sshd_config
+
+# Usage: configure_alerting.yml
+mail_packages:
+  - mailx
+  - postfix