
Issue #879: Restrict non-essentials for login server

Signed-off-by: Lakshmi-Patneedi <Lakshmi_Patneedi@Dellteam.com>
Lakshmi-Patneedi 3 years ago
parent
commit
31f24161ac

+ 12 - 1
omnia_security_config.yml

@@ -49,4 +49,15 @@ user: ''
 # This variable provides the type of access
 # Accepted values: "Allow" or "Deny"
 # Default value: "Allow"
-allow_deny: "Allow"
+allow_deny: "Allow"
+
+# This variable is used to disable services.
+# Accepted values: "true" or "false". 
+# Default values are: true  
+# Root access is needed.
+restrict_program_support: false
+
+# The below mentioned services can be disabled, by adding values in comma separated values format for restrict_softwares variable
+# Services: telnet,lpd,bluetooth,rlogin,rexec
+# Ex: restrict_softwares: 'telnet,lpd,bluetooth' ( This disables 3 services, to disable more services, add services with comma separation. )
+restrict_softwares: ''
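Review bot: The comment on line 23 says `# Default values are: true` while the value set on line 25 is `restrict_program_support: false`; one of the two is wrong, and the comment should read `# Default value: false` to match the other entries in this file (`# Default value: "Allow"`). Line 22 also presents the accepted values as the quoted strings `"true"` or `"false"`, but the validation added in roles/cluster_validation/tasks/fetch_security_inputs.yml compares against unquoted booleans, so a user who follows the comment literally and writes a quoted string will fail that assert; write `# Accepted values: true or false`. Lines 22 and 23 end in trailing whitespace.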

+ 48 - 0
roles/cluster_validation/tasks/fetch_security_inputs.yml

@@ -86,3 +86,51 @@
       - allow_deny == 'Allow' or allow_deny == 'Deny'
     success_msg: "{{ allow_deny_success_msg }}"
     fail_msg: "{{ allow_deny_fail_msg }}"
+
+- name: Assert restrict_program_support
+  assert:
+    that:
+      - restrict_program_support == true or restrict_program_support == false
+    success_msg: "{{ restrict_program_support_success_msg }}"
+    fail_msg: "{{ restrict_program_support_failure_msg }}"
+
+- name: Initialize variables for restrict_softwares
+  set_fact:
+    restrict_program_status: false
+    disable_services: []
+
+- block:
+    - name: The services needs to be disabled are appending to list
+      set_fact:
+          services_list: "{{ lookup('vars', 'restrict_softwares').split(',')| map('trim') | unique | select| list }}"
+
+    - name: Assert restrict_softwares variable
+      assert:
+        that:
+          - item == 'telnet' or
+            item == 'lpd' or
+            item == 'bluetooth' or
+            item == 'rlogin' or
+            item == 'rexec'
+        success_msg: "{{ restrict_softwares_success_msg }}"
+        fail_msg: "{{ restrict_softwares_failure_msg }}"
+      failed_when: false
+      with_items: "{{ services_list }}"
+
+    - name: Creating a list for disabling services
+      set_fact:
+          disable_services: "{{ disable_services + [ item ] }}"
+      when:
+        - item == 'telnet' or
+          item == 'lpd' or
+          item == 'bluetooth' or
+          item == 'rlogin' or
+          item == 'rexec'
+      with_items: "{{ services_list }}"
+
+    - name: Setting restrict_program_status
+      set_fact:
+        restrict_program_status: true
+      when:
+        - disable_services | length > 0
+  when: restrict_program_support
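Review bot: The assert at lines 57–68 can never fail because of `failed_when: false` on line 67, and an assert's fail_msg is only shown when the task fails, so an unsupported entry in restrict_softwares is dropped silently by the filter at lines 70–79 and the "Warning" text in restrict_softwares_failure_msg is never seen at default verbosity. If warn-only is the intent, a `debug` task guarded by `when: services_list | difference(['telnet', 'lpd', 'bluetooth', 'rlogin', 'rexec']) | length > 0` surfaces it, and keeping the supported names in one list variable (e.g. `supported_services`) would replace the duplicated five-way `or` chains at lines 60–64 and 74–78 with `item in supported_services`. `lookup('vars', 'restrict_softwares')` on line 55 is an indirection for a variable whose name is already fixed; `restrict_softwares.split(',')` reads more directly. The module arguments under `set_fact` on lines 55 and 72 are indented 10 spaces while every other task in the hunk uses 8.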

+ 5 - 1
roles/cluster_validation/vars/main.yml

@@ -95,4 +95,8 @@ email_search_key: "@"
 user_success_msg: "user successfully validated"
 user_fail_msg: "Failed. Incorrect user format in security_vars.yml"
 allow_deny_success_msg: "Access successfully validated"
-allow_deny_fail_msg: "Failed. Incorrect Access format in security_vars.yml"
+allow_deny_fail_msg: "Failed. Incorrect Access format in security_vars.yml"
+restrict_program_support_success_msg: "restrict_program_support successfully validated"
+restrict_program_support_failure_msg: "Failed. Accepted values are true or false."
+restrict_softwares_success_msg: "restrict_softwares successfully validated"
+restrict_softwares_failure_msg: "Warning. Values should be comma separated. The supported services are telnet, lpd, bluetooth, rlogin, rexec. Please check restrict_softwares variable"

+ 10 - 0
roles/common/tasks/main.yml

@@ -110,6 +110,16 @@
   when: ( os_supported_leap not in compute_os )
 
 - block:
+    - name: Add leap repos
+      zypper_repository:
+        name: "{{ item.name }}"
+        repo: "{{ item.repo }}"
+        state: present
+        autorefresh: yes
+      with_items:
+        - "{{ leap_repo }}"
+      tags: install
+      
     - name: Installing python-xml
       package:
         name: python-xml
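Review bot: `autorefresh: yes` on line 114 uses a YAML 1.1 truthy value; the consuming module accepts it, but `autorefresh: true` is the canonical form and avoids yamllint's truthy warning. The entries come from `leap_repo` in roles/common/vars/main.yml, which use plain `http://` URLs, so the integrity of packages from these repositories rests entirely on zypper's GPG verification — leave zypper_repository's `disable_gpg_check` at its default and consider https for the URLs. Line 118 is a whitespace-only line inside the block. The enclosing block starts on line 108 and its `when` clause is outside the hunk.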

+ 6 - 0
roles/common/vars/main.yml

@@ -13,6 +13,12 @@
 #  limitations under the License.
 ---
 
+leap_repo:
+  - { name: repo-non-oss, repo: http://download.opensuse.org/distribution/leap/15.3/repo/non-oss/ }
+  - { name: repo-oss, repo: http://download.opensuse.org/distribution/leap/15.3/repo/oss/ }
+  - { name: repo-update-oss, repo: http://download.opensuse.org/update/leap/15.3/oss/ }
+  - { name: repo-update-non-oss, repo: http://download.opensuse.org/update/leap/15.3/non-oss/ }
+
 nvidia_repo: https://download.nvidia.com/opensuse/leap/15.3/
 docker_repo_url_leap: https://download.docker.com/linux/sles/docker-ce.repo
 docker_repo_dest_leap: /etc/YaST2/docker-ce.repo
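Review bot: The four repository URLs on lines 131–134 use plain `http://` while the neighbouring `nvidia_repo` and `docker_repo_url_leap` entries use `https://`; download.opensuse.org is reachable over TLS, so switching to `https://download.opensuse.org/...` protects the repository metadata in transit and matches the rest of the file. The entries also use flow mappings for structured data; block style — one `- name:` / `repo:` pair per item — diffs more cleanly and is what the rest of this file uses. The Leap release `15.3` is repeated in every URL here as in `nvidia_repo`; a single version variable would keep them from drifting apart on the next upgrade.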

+ 5 - 0
roles/login_node/tasks/configure_sshd.yml

@@ -13,6 +13,11 @@
 #  limitations under the License.
 ---
 
+- name: Set values for user and allow_deny variables
+  set_fact:
+    user: "{{ hostvars['127.0.0.1']['user'] }}"
+    allow_deny: "{{ hostvars['127.0.0.1']['allow_deny'] }}"
+    
 - name: Check if AllowUsers entry exixts
   shell: cat "{{ sshd_conf_file }}"
   register: file_content
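Review bot: The `set_fact` on lines 147–150 stores a host fact named `user` on the login node; facts set this way persist for the rest of the play and outrank role and play vars, so any later task on the same host that has its own `user` variable will see the localhost value instead. If the rest of configure_sshd.yml only needs it for the AllowUsers handling that follows, a more specific name (e.g. `login_node_user`) would avoid the collision — the consuming tasks are outside the hunk, so this is a suggestion rather than a confirmed break. Line 151 is a whitespace-only line.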

+ 5 - 1
roles/login_node/tasks/main.yml

@@ -1,4 +1,4 @@
-#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -51,6 +51,10 @@
         
         - name: Session timeout configuration
           include_tasks: session_timeout.yml
+
+        - name: Restrict nonessential programs
+          include_tasks: restrict_nonessentials.yml
+          when: hostvars['127.0.0.1']['restrict_program_status']
       when: hostvars['127.0.0.1']['enable_secure_login_node']
   when:
     - hostvars['127.0.0.1']['login_node_required']
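Review bot: `when: hostvars['127.0.0.1']['restrict_program_status']` on line 172 fails with an undefined-variable error rather than skipping if `restrict_program_status` was never set on localhost; it is initialised in roles/cluster_validation/tasks/fetch_security_inputs.yml, but whether that file always runs before this role cannot be confirmed from the hunk. `when: hostvars['127.0.0.1']['restrict_program_status'] | default(false)` makes the include skip safely in that case, which matches the opt-in intent of the feature. The enclosing blocks and their `when` clauses start outside the hunk.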

+ 89 - 0
roles/login_node/tasks/restrict_nonessentials.yml

@@ -0,0 +1,89 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Gathering service facts
+  service_facts:
+
+- name: Disable bluetooth services
+  block:
+    - name: Disabling bluetooth service
+      service:
+        name: bluetooth
+        enabled: no
+        state: stopped
+      when:
+        - "'bluetooth.service' in ansible_facts.services"
+        - ansible_facts.services['bluetooth.service'].status in service_status
+ 
+    - name: Disabling bluez service
+      service:
+        name: dbus-org.bluez.service
+        enabled: no
+        state: stopped
+      failed_when: false
+      when:
+        - "'dbus-org.bluez.service' in ansible_facts.services"
+        - ansible_facts.services['dbus-org.bluez.service'].status in service_status
+ 
+    - name: Disabling blueman service
+      systemd:
+        name: blueman-mechanism.service
+        state: stopped
+        enabled: no
+      when: 
+        - "'blueman-mechanism.service' in ansible_facts.services"
+        - ansible_facts.services['blueman-mechanism.service'].status in service_status
+  when: "'bluetooth' in hostvars['127.0.0.1']['disable_services']"
+
+- name: Disabling telnet service
+  service:
+    name: telnet.socket
+    enabled: no
+    state: stopped
+  when:
+    - "'telnet' in hostvars['127.0.0.1']['disable_services']"
+    - "'telnet@.service' in ansible_facts.services"
+    - ansible_facts.services['telnet@.service'].status in service_status
+
+- name: Disabling lpd service
+  service:
+    name: cups-lpd.socket
+    enabled: no
+    state: stopped
+  when:
+    - "'lpd' in hostvars['127.0.0.1']['disable_services']"
+    - "'cups-lpd@.service' in ansible_facts.services"
+    - ansible_facts.services['cups-lpd@.service'].status in service_status
+ 
+- name: Disabling rlogin service
+  service:
+    name: rlogin.socket
+    enabled: no
+    state: stopped
+  when: 
+    - "'rlogin' in hostvars['127.0.0.1']['disable_services']"
+    - "'rlogin.socket' in ansible_facts.services"
+    - ansible_facts.services['rlogin.socket'].status in service_status
+ 
+- name: Disabling rexec service
+  service:
+    name: rexec.socket
+    enabled: no
+    state: stopped
+    changed_when: false
+  when: 
+    -  "'rexec' in hostvars['127.0.0.1']['disable_services']"
+    - "'rexec.socket' in ansible_facts.services"
+    -  ansible_facts.services['rexec.socket'].status in service_status
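Review bot: `changed_when: false` on line 265 is indented under `service:` rather than at task level, so it is passed to the service module as a parameter and the task will fail with an unsupported-parameter error the first time the rexec condition is true; drop the keyword entirely, since stopping and disabling a unit is a real change and none of the sibling tasks suppress it. The rlogin and rexec tasks (lines 257, 268) test for `rlogin.socket` / `rexec.socket` in `ansible_facts.services`, whereas telnet and lpd test the `@.service` template units; if service_facts on the target only reports `.service` units, the two socket conditions never match and those services are never disabled — worth verifying on a host where they exist. `enabled: no` throughout should be `enabled: false`, lines 209, 219, 249 and 259 are whitespace-only, lines 225, 255 and 266 have trailing whitespace after `when:`, and the `-  ` double space on lines 267 and 269 differs from every other list item in the file.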

+ 5 - 2
roles/login_node/vars/main.yml

@@ -1,4 +1,4 @@
-#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -85,4 +85,7 @@ kerberos_packages:
   - krb5-client
 kerberos_principal_path: /var/lib/kerberos/krb5kdc/principal
 kerberos_conf_path: /etc/krb5.conf
-kerberos_env_path: /usr/lib/mit/sbin/
+kerberos_env_path: /usr/lib/mit/sbin/
+
+# Usage: restrict_nonessentials.yml
+service_status: ['enabled','alias','static','indirect','enabled-runtime','active','inactive']
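Review bot: `service_status` on line 288 mixes unit-file enablement states (`enabled`, `static`, `alias`, `indirect`, `enabled-runtime`) with runtime states (`active`, `inactive`), and nothing records why `disabled` and `masked` are excluded; since restrict_nonessentials.yml only acts on units whose status is in this list, a comment such as `# Unit states that still warrant stop+disable; already disabled/masked units are skipped` would document the intent. Whether service_facts ever reports `active`/`inactive` in `status` (as opposed to `state`) is not visible here — if it does not, those two entries are dead and can be removed. A block-style list, one entry per line, would also make future additions easier to review.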