
Issue #844: code changes for ssh access to MS and login node

Signed-off-by: Bhagyashree-shetty <Bhagyashree_Shetty@dellteam.com>
Bhagyashree-shetty 3 anos atrás
pai
commit
6497185de3

+ 9 - 0
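--- a/control_plane/input_params/security_vars.yml
+++ b/control_plane/input_params/security_vars.yml
@@ -50,3 +50,12 @@ session_timeout: 180
 # If this variable is left blank, authentication failure alerts will be disabled.
 # Required value
 alert_email_address: ""
+
+# This variable mentions the users to whom the access will be provided
+# format of user shall be username@ip or username 
+# Ex1- root@1.2.3.4 Ex2- root Ex3- root@1.2.3.4 root (if multiple user, provide space seperated values) by default empty
+user: ''
+
+# This variable provides the type of access
+# Accepted values 'Allow' or 'Deny' by default 'Allow'
+allow_deny: 'Allow'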
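Review bot: The comment above `user: ''` does not warn that with `allow_deny: 'Allow'` the value becomes an sshd `AllowUsers` allow-list: every account not listed — including the account Ansible uses to reach the node, if it is omitted — is refused at the SSH level as soon as sshd restarts. I would add `# NOTE: with allow_deny 'Allow' this list is exclusive; any account not listed (including the user running Omnia) loses SSH access.` directly above `user: ''`. The same comment should say that the host part is validated as a dotted IPv4 address only, since the regex in fetch_security_inputs.yml in this commit accepts neither hostnames nor CIDR ranges; and `seperated` should read `separated`.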

+ 23 - 0
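--- a/control_plane/roles/control_plane_common/tasks/fetch_security_inputs.yml
+++ b/control_plane/roles/control_plane_common/tasks/fetch_security_inputs.yml
@@ -159,3 +159,26 @@
     msg: "{{ alert_email_warning_msg }}"
   tags: security
   when: alert_email_address | length < 1
+
+- name: Prepare user list
+  set_fact:
+      user_list: "{{ lookup('vars', 'user').split()| unique | select| list }}"
+  when: user | length > 1
+
+- name: validate user
+  assert:
+    that:
+      - item is regex("^(?!-)[a-zA-Z]+[0-9-]*[@]((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$") or
+        item is regex("(?!-)[a-zA-Z]+[0-9-]*$")
+    success_msg: "{{ user_success_msg }}"
+    fail_msg: "{{ user_fail_msg }}"
+  with_items: "{{ user_list }}"
+  when:
+    - user | length > 1
+
+- name: Validate allow_deny
+  assert:
+    that:
+      - allow_deny == 'Allow' or allow_deny == 'Deny'
+    success_msg: "{{ allow_deny_success_msg }}"
+    fail_msg: "{{ allow_deny_fail_msg }}"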
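Review bot: The second alternative in the `validate user` assert, `item is regex("(?!-)[a-zA-Z]+[0-9-]*$")`, has no `^` anchor, and Ansible's `regex` test searches rather than matches, so any prefix passes: `*root`, `,root` or `;root` all validate and are later written verbatim into sshd_config by configure_sshd.yml, where `*` is a wildcard pattern. Change it to `item is regex("^[a-zA-Z]+[0-9-]*$")`; the `(?!-)` lookahead is dead once the first character must be a letter. Separately, both `user | length > 1` guards silently skip a single-character username rather than validating it — `user | length > 0` is the test the comment in security_vars.yml ("by default empty") implies.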

+ 0 - 22
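--- a/control_plane/roles/control_plane_common/tasks/pre_requisite.yml
+++ b/control_plane/roles/control_plane_common/tasks/pre_requisite.yml
@@ -80,28 +80,6 @@
   register: os_value
   tags: [ init, validate ]
 
-- block:
-    - name: Fetch SElinux mode
-      command: sestatus
-      register: sestatus_current
-      changed_when: false
-
-    - name: Disable SElinux
-      replace:
-        path: /etc/sysconfig/selinux
-        regexp: 'SELINUX=[a-z]+'
-        replace: 'SELINUX=disabled'
-      when: '"SELinux status: enabled" in sestatus_current.stdout_lines'
-
-    - name: Status of SElinux
-      fail:
-        msg: "{{ selinux_status }}"
-      when: '"SELinux status: enabled" in sestatus_current.stdout_lines'
-      register: selinux_value
-  tags: init
-  when:
-    - os_supported_leap not in mgmt_os
-
 - name: State of firewall
   service:
     name: firewalld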

+ 0 - 4
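--- a/control_plane/roles/control_plane_k8s/tasks/k8s_installation.yml
+++ b/control_plane/roles/control_plane_k8s/tasks/k8s_installation.yml
@@ -19,10 +19,6 @@
     fstype: swap
     state: absent
 
-- name: Disable selinux
-  selinux:
-    state: disabled
-
 - name: Copy k8s.conf file
   copy:
     src: k8s.conf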

+ 70 - 0
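--- /dev/null
+++ b/control_plane/roles/control_plane_security/tasks/configure_sshd.yml
@@ -0,0 +1,70 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Check if AllowUsers entry exixts
+  shell: cat "{{ sshd_conf_file }}"
+  register: file_content
+
+- name: Check if user is specified
+  debug:
+    msg: "Users not specified"
+  when: user | length < 1
+
+- name: Configure sshd_config
+  block:
+    - name: Configure sshd_config file when AllowUsers entry not exists
+      lineinfile:
+        path: "{{ sshd_conf_file }}"
+        line: 'AllowUsers {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Allow'
+        - file_content.stdout.find('AllowUsers') == -1
+
+    - name: Configure sshd_config file when DenyUsers entry not exists
+      lineinfile:
+        path: "{{ sshd_conf_file }}"
+        line: 'DenyUsers {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Deny'
+        - file_content.stdout.find('DenyUsers') == -1
+
+    - name: Configure sshd_config file when AllowUsers entry exists
+      replace:
+        path: "{{ sshd_conf_file }}"
+        regexp: '^(AllowUsers)(.*)'
+        replace: '\1\2 {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Allow'
+        - file_content.stdout.find('AllowUsers') != -1
+
+    - name: Configure sshd_config file when DenyUsers entry exists
+      replace:
+        path: "{{ sshd_conf_file }}"
+        regexp: '^(DenyUsers)(.*)'
+        replace: '\1\2 {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Deny'
+        - file_content.stdout.find('DenyUsers') != -1
+
+  when:
+    - user | length > 1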
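Review bot: The two `replace` tasks (`regexp: '^(AllowUsers)(.*)'` / `replace: '\1\2 {{ user }}'` and the DenyUsers twin) append `{{ user }}` to the existing line on every run, so the directive accumulates duplicates and the `Restart sshd` handler fires each time the role runs. The detection above them, `file_content.stdout.find('AllowUsers') == -1`, also matches a commented `#AllowUsers` line; in that case neither the `lineinfile` nor the `replace` branch writes anything and the requested restriction is silently dropped. One `lineinfile` keyed on the directive, writing the merged and de-duplicated user list, is idempotent and covers both cases, and `validate: '/usr/sbin/sshd -t -f %s'` rejects a malformed line before sshd is restarted (path assumed — confirm for Leap and Rocky). The `shell: cat` read can stay; `file_content.stdout_lines` is all the rewrite needs.
```yaml
- name: Configure sshd_config
  block:
    - name: Select sshd directive
      set_fact:
        sshd_directive: "{{ 'AllowUsers' if allow_deny == 'Allow' else 'DenyUsers' }}"

    - name: Collect users already listed for the directive
      set_fact:
        existing_users: "{{ (file_content.stdout_lines
                             | select('match', '^' ~ sshd_directive ~ '\\s')
                             | map('regex_replace', '^\\S+\\s*', '')
                             | join(' ')).split() }}"

    - name: Write merged {{ allow_deny }}Users entry
      lineinfile:
        path: "{{ sshd_conf_file }}"
        regexp: '^{{ sshd_directive }}\s'
        line: "{{ sshd_directive }} {{ (existing_users + user.split()) | unique | join(' ') }}"
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - Restart sshd
  when:
    - user | length > 1
```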

+ 27 - 0
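--- /dev/null
+++ b/control_plane/roles/control_plane_security/tasks/install_apparmor.yml
@@ -0,0 +1,27 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Install apparmor-utils on Leap
+  zypper:
+    name: "{{ item }}"
+    state: present
+  changed_when: false
+  with_items:
+    - apparmor-utils
+    - apparmor-profiles
+  
+- name: Enable Apparmor
+  command: rcapparmor start
+  changed_when: false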
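Review bot: `changed_when: false` on the `zypper` task hides that packages were installed, and `command: rcapparmor start` under `Enable Apparmor` runs on every play and, as written, only starts AppArmor for the current boot — whether it is active after a reboot depends on the service being enabled, which no task here does. Replace the `command` with the `systemd` module (`name: apparmor`, `state: started`, `enabled: true`), which is idempotent and reports change honestly, and drop `changed_when: false` from the package task; I am assuming the unit is named `apparmor` on Leap, as the `rcapparmor` helper suggests — confirm. Unlike the login-node copy, this file has no OS guard of its own and relies on the caller's `os_supported_leap in mgmt_os` check, which deserves a one-line comment at the top so the file is not included bare elsewhere.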

+ 7 - 1
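--- a/control_plane/roles/control_plane_security/tasks/main.yml
+++ b/control_plane/roles/control_plane_security/tasks/main.yml
@@ -39,6 +39,9 @@
     - block:
         - name: Install 389 directory server
           include_tasks: install_389ds.yml
+
+        - name: Install Apparmor on Leap
+          include_tasks: install_apparmor.yml
       when: os_supported_leap in mgmt_os
       
     - name: Install snoopy
@@ -50,7 +53,10 @@
     - name: Alert configuration
       include_tasks: configure_alerting.yml
       when: alert_email_address | length > 1
+
+    - name: Configure ssh access to login node
+      include_tasks: configure_sshd.yml
      
     - name: Session timeout configuration
       include_tasks: session_timeout.yml
-  when: enable_security_support
+  when: enable_security_support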
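Review bot: The new task is named `Configure ssh access to login node`, but this role runs on the management station (the commit title itself says "MS and login node"), so the log line will mislead whoever reads a play recap; rename it `- name: Configure ssh access to management station`. The alert include just above it is guarded by `when: alert_email_address | length > 1` while this include is unconditional and relies on the guard inside configure_sshd.yml; a sibling `when: user | length > 1` here would keep the two includes consistent and avoid reading the file at all when nothing is configured. The final `-  when` / `+  when` pair shows no visible difference, so it is presumably a whitespace or end-of-file fix — worth noting in the commit message.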

+ 9 - 0
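--- a/omnia_security_config.yml
+++ b/omnia_security_config.yml
@@ -40,3 +40,12 @@ session_timeout: 180
 # If this variable is left blank, authentication failure alerts will be disabled.
 # Required value
 alert_email_address: ""
+
+# This variable mentions the users to whom the access will be provided
+# format of user shall be username@ip or username 
+# Ex1- root@1.2.3.4 Ex2- root Ex3- root@1.2.3.4 root (if multiple user, provide space seperated values) by default empty
+user: ''
+
+# This variable provides the type of access
+# Accepted values 'Allow' or 'Deny' by default 'Allow'
+allow_deny: 'Allow'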
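Review bot: The comment says `user` lists "the users to whom the access will be provided", which is wrong whenever `allow_deny` is `'Deny'` — then it is the list that loses SSH access, and with `'Allow'` it is an exclusive allow-list for everyone else. I would rewrite the two comments together, e.g. `# Users that sshd will Allow (exclusive allow-list: everyone else is refused) or Deny, as selected by allow_deny below.` and `# Host part must be an IPv4 address; hostnames and CIDR ranges are rejected by validation.` `seperated` should read `separated`, and `by default empty` on the example line belongs on its own line so the example does not read as a fourth value.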

+ 23 - 0
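--- a/roles/cluster_validation/tasks/fetch_security_inputs.yml
+++ b/roles/cluster_validation/tasks/fetch_security_inputs.yml
@@ -63,3 +63,26 @@
   debug:
     msg: "{{ alert_email_warning_msg }}"
   when: alert_email_address | length < 1
+
+- name: Prepare user list
+  set_fact:
+      user_list: "{{ lookup('vars', 'user').split()| unique | select| list }}"
+  when: user | length > 1
+
+- name: validate user
+  assert:
+    that:
+      - item is regex("^(?!-)[a-zA-Z]+[0-9-]*[@]((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$") or
+        item is regex("(?!-)[a-zA-Z]+[0-9-]*$")
+    success_msg: "{{ user_success_msg }}"
+    fail_msg: "{{ user_fail_msg }}"
+  with_items: "{{ user_list }}"
+  when:
+    - user | length > 1
+
+- name: Validate allow_deny
+  assert:
+    that:
+      - allow_deny == 'Allow' or allow_deny == 'Deny'
+    success_msg: "{{ allow_deny_success_msg }}"
+    fail_msg: "{{ allow_deny_fail_msg }}"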
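Review bot: The username-only pattern `item is regex("(?!-)[a-zA-Z]+[0-9-]*$")` is unanchored at the start, and because the `regex` test searches, a value like `*root` or `;root` is accepted and then reaches sshd_config unchanged via roles/login_node/tasks/configure_sshd.yml — `*` in particular is an sshd wildcard. Anchor it: `item is regex("^[a-zA-Z]+[0-9-]*$")` (the `(?!-)` lookahead is redundant once the first character must be a letter). Both patterns also reject `_` and `.`, which Linux accepts in account names, so a service account such as `omnia_admin` cannot be listed; if that restriction is deliberate, say so in `user_fail_msg`, otherwise widen the class to `[a-zA-Z][a-zA-Z0-9._-]*`.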

+ 0 - 5
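--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -73,11 +73,6 @@
         fstype: swap
         state: absent
 
-    - name: Disable selinux
-      selinux:
-        state: disabled
-      tags: install
-
     - name: Install common packages
       package:
         name: "{{ common_packages }}"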

+ 70 - 0
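--- /dev/null
+++ b/roles/login_node/tasks/configure_sshd.yml
@@ -0,0 +1,70 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Check if AllowUsers entry exixts
+  shell: cat "{{ sshd_conf_file }}"
+  register: file_content
+
+- name: Check if user is specified
+  debug:
+    msg: "Users not specified"
+  when: user | length < 1
+
+- name: Configure sshd_config
+  block:
+    - name: Configure sshd_config file when AllowUsers entry not exists
+      lineinfile:
+        path: "{{ sshd_conf_file }}"
+        line: 'AllowUsers {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Allow'
+        - file_content.stdout.find('AllowUsers') == -1
+
+    - name: Configure sshd_config file when DenyUsers entry not exists
+      lineinfile:
+        path: "{{ sshd_conf_file }}"
+        line: 'DenyUsers {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Deny'
+        - file_content.stdout.find('DenyUsers') == -1
+
+    - name: Configure sshd_config file when AllowUsers entry exists
+      replace:
+        path: "{{ sshd_conf_file }}"
+        regexp: '^(AllowUsers)(.*)'
+        replace: '\1\2 {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Allow'
+        - file_content.stdout.find('AllowUsers') != -1
+
+    - name: Configure sshd_config file when DenyUsers entry exists
+      replace:
+        path: "{{ sshd_conf_file }}"
+        regexp: '^(DenyUsers)(.*)'
+        replace: '\1\2 {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Deny'
+        - file_content.stdout.find('DenyUsers') != -1
+
+  when:
+    - user | length > 1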
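Review bot: Writing `AllowUsers {{ user }}` to the login node's sshd_config (the `lineinfile` under `allow_deny == 'Allow'`) and then restarting sshd refuses every account not in `user`, including the account this playbook connects with over SSH, so the next run cannot reach the node; nothing in this file checks for that. Before the block I would assert that the control account appears in `user.split() | map('regex_replace', '@.*', '') | list` (using `ansible_user_id` when facts are gathered — confirm that is the login used here) unless `allow_deny == 'Deny'`, with a `fail_msg` naming the missing account, and give each `lineinfile`/`replace` `validate: '/usr/sbin/sshd -t -f %s'` so a bad line never reaches the `Restart sshd` handler. Switching `allow_deny` from `Allow` to `Deny` on a later run also leaves the earlier `AllowUsers` line in place, so both restrictions stay active; removing the opposite directive in the same block (`lineinfile` with `state: absent` and `regexp: '^AllowUsers\s'`) keeps the file matching the chosen mode.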

+ 30 - 0
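--- /dev/null
+++ b/roles/login_node/tasks/install_apparmor.yml
@@ -0,0 +1,30 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Install and enable Apparmor on Leap
+  block:
+    - name: Install apparmor-utils on Leap
+      zypper:
+        name: "{{ item }}"
+        state: present
+      changed_when: false
+      with_items:
+        - apparmor-utils
+        - apparmor-profiles
+
+    - name: Enable Apparmor
+      command: rcapparmor start
+      changed_when: false
+  when: os_leap in ansible_distribution | lower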
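Review bot: `command: rcapparmor start` under `Enable Apparmor` starts the service now but does not enable it, so AppArmor is only active until the login node reboots, which contradicts the task name; replace it with `systemd:` `name: apparmor` / `state: started` / `enabled: true` (assuming the unit name matches the `rcapparmor` helper on Leap — confirm). With `changed_when: false` on both tasks the role never reports that it installed or started anything, which also hides a failed start in `--check` runs; remove it once both are idempotent modules. Nothing here puts the profiles from `apparmor-profiles` into enforce or complain mode, so a comment stating that they keep their packaged mode (`# profiles keep their packaged mode; aa-enforce is not run here`) would save the next reader from assuming otherwise.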

+ 6 - 0
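--- a/roles/login_node/tasks/main.yml
+++ b/roles/login_node/tasks/main.yml
@@ -23,6 +23,9 @@
     - block:
         - name: FreeIPA configuration
           include_tasks: ipa_configuration.yml
+
+        - name: Install Apparmor on Leap
+          include_tasks: install_apparmor.yml
           
         - name: Install snoopy
           include_tasks: install_snoopy.yml
@@ -33,6 +36,9 @@
         - name: Alert configuration
           include_tasks: configure_alerting.yml
           when: hostvars['127.0.0.1']['alert_email_address'] | length > 1
+
+        - name: Configure ssh access to login node
+          include_tasks: configure_sshd.yml
         
         - name: Session timeout configuration
           include_tasks: session_timeout.yml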
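Review bot: `configure_sshd.yml` is included without the `hostvars['127.0.0.1'][...]` indirection that the `Alert configuration` task just above uses for `alert_email_address`, yet the included file's guards read `user` and `allow_deny` directly; if those two variables are, like `alert_email_address`, only loaded on localhost from omnia_security_config.yml, the include fails on the login node with an undefined `user`. Either pass them on the include — `vars:` with `user: "{{ hostvars['127.0.0.1']['user'] }}"` and `allow_deny: "{{ hostvars['127.0.0.1']['allow_deny'] }}"` — or guard it the same way the alert task is guarded. Where `user` is loaded is outside this hunk, so this is inferred from the neighbouring guard rather than seen.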
           include_tasks: session_timeout.yml