
Merge pull request #871 from Lakshmi-Patneedi/devel

Restrict non-essential programs
Sujit Jadhav 3 lat temu
rodzic
commit
3f1ab5dbc3

+ 11 - 0
control_plane/input_params/security_vars.yml

@@ -59,3 +59,14 @@ user: ''
 # This variable provides the type of access
 # Accepted values 'Allow' or 'Deny' by default 'Allow'
 allow_deny: 'Allow'
+
+# This variable is used to disable services.
+# Accepted values: "true" or "false". 
+# Default values are: true  
+# Root access is needed.
+restrict_program_support: false
+
+# The below mentioned services can be disabled, by adding values in comma separated values format for restrict_softwares variable
+# Services: telnet,lpd,bluetooth,rlogin,rexec
+# Ex: restrict_softwares: 'telnet,rlogin,bluetooth' ( This disables 3 services, to disable more services, add services with comma separation. )
+restrict_softwares: ''
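Review bot: The comment above the new `restrict_program_support` key contradicts the value it documents: `# Default values are: true` sits directly over `restrict_program_support: false`, and the line before it lists the accepted values as the quoted strings `"true"` or `"false"`, which would make the variable a string rather than the boolean the rest of this commit compares against. Suggest `# Accepted values: true or false (unquoted boolean).` and `# Default value: false`. Both comment lines also carry trailing whitespace, which yamllint flags.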

+ 54 - 0
control_plane/roles/control_plane_common/tasks/fetch_security_inputs.yml

@@ -185,3 +185,57 @@
     success_msg: "{{ allow_deny_success_msg }}"
     fail_msg: "{{ allow_deny_fail_msg }}"
   tags: [ validate, security ]
+
+- name: Assert restrict_program_support
+  assert:
+    that:
+      - restrict_program_support == true or restrict_program_support == false
+    success_msg: "{{ restrict_program_support_success_msg }}"
+    fail_msg: "{{ restrict_program_support_failure_msg }}"
+  tags: [ validate, security ]
+
+- name: Initialize variables for restrict_softwares
+  set_fact:
+    restrict_program_status: false
+    disable_services: []
+  tags: security
+
+- block:
+    - name: The services needs to be disabled are appending to list
+      set_fact:
+          services_list: "{{ lookup('vars', 'restrict_softwares').split(',')| map('trim') | unique | select| list }}"
+      tags: security
+
+    - name: Assert restrict_softwares variable
+      assert:
+        that:
+          - item == 'telnet' or
+            item == 'lpd' or
+            item == 'bluetooth' or
+            item == 'rlogin' or
+            item == 'rexec'
+        success_msg: "{{ restrict_softwares_success_msg }}"
+        fail_msg: "{{ restrict_softwares_failure_msg }}"
+      failed_when: false
+      with_items: "{{ services_list }}"
+      tags: [ validate, security ]
+
+    - name: Creating a list for disabling services
+      set_fact:
+          disable_services: "{{ disable_services + [ item ] }}"
+      when:
+        - item == 'telnet' or
+          item == 'lpd' or
+          item == 'bluetooth' or
+          item == 'rlogin' or
+          item == 'rexec'
+      with_items: "{{ services_list }}"
+      tags: security
+
+    - name: Setting restrict_program_status
+      set_fact:
+        restrict_program_status: true
+      when:
+        - disable_services | length > 0
+      tags: security
+  when: restrict_program_support
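Review bot: The assert at the top of the hunk accepts only a genuine boolean (`restrict_program_support == true or restrict_program_support == false`), so a value written as the quoted string `"true"`, which the input-file comment added in this same commit documents as accepted, fails validation; either that comment or this check should change, and `- restrict_program_support | type_debug == 'bool'` states the intent directly. A second point is `failed_when: false` on the `Assert restrict_softwares variable` task: a misspelled service name is reported as a warning and then silently dropped by the `when:` of the following task, so the play finishes with fewer services restricted than the operator asked for; consider failing hard, or at least a `debug` task printing `services_list | difference(disable_services)` so the dropped entries are visible. `lookup('vars', 'restrict_softwares')` can simply be `restrict_softwares`. The block's `when:` is the hunk's last line; the file continues beyond it.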

+ 4 - 0
control_plane/roles/control_plane_common/vars/main.yml

@@ -283,6 +283,10 @@ user_success_msg: "user successfully validated"
 user_fail_msg: "Failed. Incorrect user format in security_vars.yml"
 allow_deny_success_msg: "Access successfully validated"
 allow_deny_fail_msg: "Failed. Incorrect Access format in security_vars.yml"
+restrict_program_support_success_msg: "restrict_program_support successfully validated"
+restrict_program_support_failure_msg: "Failed. Accepted values are true or false."
+restrict_softwares_success_msg: "restrict_softwares successfully validated"
+restrict_softwares_failure_msg: "Warning. Values should be comma separated. The supported services are telnet, lpd, bluetooth, rlogin, rexec. Please check restrict_softwares variable"
 
 # Usage: validate_idrac_vars.yml
 idrac_input_filename: input_params/idrac_vars.yml

+ 4 - 0
control_plane/roles/control_plane_security/tasks/main.yml

@@ -59,4 +59,8 @@
      
     - name: Session timeout configuration
       include_tasks: session_timeout.yml
+
+    - name: Restrict nonessential programs
+      include_tasks: restrict_nonessentials.yml
+      when: restrict_program_status
   when: enable_security_support
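Review bot: The `when: restrict_program_status` on the new include reads a fact that this commit sets in a different role (`control_plane_common`, `fetch_security_inputs.yml`); if this role is ever run without that role having executed first, the conditional raises an undefined-variable error instead of skipping. `when: restrict_program_status | default(false)` keeps the same behaviour when the fact exists and skips otherwise. The enclosing block (whose `when: enable_security_support` is the hunk's last line) starts outside the hunk.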

+ 89 - 0
control_plane/roles/control_plane_security/tasks/restrict_nonessentials.yml

@@ -0,0 +1,89 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Gathering service facts
+  service_facts:
+
+- name: Disable bluetooth services
+  block:
+    - name: Disabling bluetooth service
+      service:
+        name: bluetooth
+        enabled: no
+        state: stopped
+      when:
+        - "'bluetooth.service' in ansible_facts.services"
+        - ansible_facts.services['bluetooth.service'].status in service_status
+ 
+    - name: Disabling bluez service
+      service:
+        name: dbus-org.bluez.service
+        enabled: no
+        state: stopped
+      failed_when: false
+      when:
+        - "'dbus-org.bluez.service' in ansible_facts.services"
+        - ansible_facts.services['dbus-org.bluez.service'].status in service_status
+ 
+    - name: Disabling blueman service
+      systemd:
+        name: blueman-mechanism.service
+        state: stopped
+        enabled: no
+      when: 
+        - "'blueman-mechanism.service' in ansible_facts.services"
+        - ansible_facts.services['blueman-mechanism.service'].status in service_status
+  when: "'bluetooth' in disable_services"
+
+- name: Disabling telnet service
+  service:
+    name: telnet.socket
+    enabled: no
+    state: stopped
+  when:
+    - "'telnet' in disable_services"
+    - "'telnet@.service' in ansible_facts.services"
+    - ansible_facts.services['telnet@.service'].status in service_status
+
+- name: Disabling lpd service
+  service:
+    name: cups-lpd.socket
+    enabled: no
+    state: stopped
+  when:
+    - "'lpd' in disable_services"
+    - "'cups-lpd@.service' in ansible_facts.services"
+    - ansible_facts.services['cups-lpd@.service'].status in service_status
+ 
+- name: Disabling rlogin service
+  service:
+    name: rlogin.socket
+    enabled: no
+    state: stopped
+  when: 
+    - "'rlogin' in disable_services"
+    - "'rlogin.socket' in ansible_facts.services"
+    - ansible_facts.services['rlogin.socket'].status in service_status
+ 
+- name: Disabling rexec service
+  service:
+    name: rexec.socket
+    enabled: no
+    state: stopped
+    changed_when: false
+  when: 
+    -  "'rexec' in disable_services"
+    - "'rexec.socket' in ansible_facts.services"
+    -  ansible_facts.services['rexec.socket'].status in service_status
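Review bot: In the `Disabling rexec service` task, `changed_when: false` is indented under `service:` and is therefore passed to the module as an argument rather than applied as a task keyword; the `service` module rejects unknown parameters, so this task will error whenever `rexec` is in `disable_services`. Move the line to task level (same indentation as `when:`), or drop it, since the other disable tasks report changes normally and none of them use it. A second point worth confirming on a target host: the `telnet` and `lpd` tasks test for the template units `telnet@.service` and `cups-lpd@.service` in `ansible_facts.services` but stop the `.socket` units, so if service_facts does not list the template unit those tasks never run and the services stay enabled. Several lines in this file (after the bluetooth and bluez tasks, the `when:` keys of the blueman/rlogin/rexec tasks, and the two double-spaced list items under rexec) carry trailing whitespace or uneven indentation, and `enabled: no` would be `enabled: false` under ansible-lint's truthy rule.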

+ 3 - 0
control_plane/roles/control_plane_security/vars/main.yml

@@ -100,3 +100,6 @@ kerberos_packages:
 kerberos_principal_path: /var/lib/kerberos/krb5kdc/principal
 kerberos_conf_path: /etc/krb5.conf
 kerberos_env_path: /usr/lib/mit/sbin/
+
+# Usage: restrict_nonessentials.yml
+service_status: ['enabled','alias','static','indirect','enabled-runtime','active','inactive']
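Review bot: `service_status` mixes unit-file enablement states (`enabled`, `static`, `indirect`, `enabled-runtime`) with runtime states (`active`, `inactive`) and omits `disabled`; if, as I read service_facts, `.status` holds the unit-file state, then a unit that is `disabled` but still running is skipped by every `when:` in `restrict_nonessentials.yml` and keeps listening. Consider additionally checking `ansible_facts.services[...].state == 'running'` in those tasks, or at least documenting the intended semantics above the list, e.g. `# service_facts .status values for which the unit is stopped and disabled`. The flow list is fine for a short leaf value, but yamllint expects a space after each comma (`'enabled', 'alias', …`).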