
Merge pull request #880 from Lakshmi-Patneedi/devel

Restrict non-essentials
Sujit Jadhav 3 years ago
parent
commit
bee85d6819

+ 12 - 1
omnia_security_config.yml

@@ -49,4 +49,15 @@ user: ''
 # This variable provides the type of access
 # Accepted values: "Allow" or "Deny"
 # Default value: "Allow"
-allow_deny: "Allow"
+allow_deny: "Allow"
+
+# This variable is used to disable services.
+# Accepted values: "true" or "false". 
+# Default values are: true  
+# Root access is needed.
+restrict_program_support: false
+
+# The below mentioned services can be disabled, by adding values in comma separated values format for restrict_softwares variable
+# Services: telnet,lpd,bluetooth,rlogin,rexec
+# Ex: restrict_softwares: 'telnet,lpd,bluetooth' ( This disables 3 services, to disable more services, add services with comma separation. )
+restrict_softwares: ''
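Review bot: The comment above `restrict_program_support` says `# Default values are: true` while the value shipped on the very next line is `false`; make them agree, e.g. `# Default value: false`, in the same form the `allow_deny` comment uses a few lines up. The `# Accepted values: "true" or "false". ` line quotes the booleans (and carries trailing whitespace), but the validation added to cluster_validation compares against the unquoted booleans `true`/`false`, so a user who follows the comment literally and writes `restrict_program_support: "true"` will most likely fail that assert; `# Accepted values: true or false` avoids the trap. The `restrict_softwares` comment could also state what happens to a name outside the five supported ones, since the validation currently only warns about it.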

+ 48 - 0
roles/cluster_validation/tasks/fetch_security_inputs.yml

@@ -86,3 +86,51 @@
       - allow_deny == 'Allow' or allow_deny == 'Deny'
     success_msg: "{{ allow_deny_success_msg }}"
     fail_msg: "{{ allow_deny_fail_msg }}"
+
+- name: Assert restrict_program_support
+  assert:
+    that:
+      - restrict_program_support == true or restrict_program_support == false
+    success_msg: "{{ restrict_program_support_success_msg }}"
+    fail_msg: "{{ restrict_program_support_failure_msg }}"
+
+- name: Initialize variables for restrict_softwares
+  set_fact:
+    restrict_program_status: false
+    disable_services: []
+
+- block:
+    - name: The services needs to be disabled are appending to list
+      set_fact:
+          services_list: "{{ lookup('vars', 'restrict_softwares').split(',')| map('trim') | unique | select| list }}"
+
+    - name: Assert restrict_softwares variable
+      assert:
+        that:
+          - item == 'telnet' or
+            item == 'lpd' or
+            item == 'bluetooth' or
+            item == 'rlogin' or
+            item == 'rexec'
+        success_msg: "{{ restrict_softwares_success_msg }}"
+        fail_msg: "{{ restrict_softwares_failure_msg }}"
+      failed_when: false
+      with_items: "{{ services_list }}"
+
+    - name: Creating a list for disabling services
+      set_fact:
+          disable_services: "{{ disable_services + [ item ] }}"
+      when:
+        - item == 'telnet' or
+          item == 'lpd' or
+          item == 'bluetooth' or
+          item == 'rlogin' or
+          item == 'rexec'
+      with_items: "{{ services_list }}"
+
+    - name: Setting restrict_program_status
+      set_fact:
+        restrict_program_status: true
+      when:
+        - disable_services | length > 0
+  when: restrict_program_support
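Review bot: An unsupported or mistyped name in `restrict_softwares` is silently dropped rather than rejected: the assert in `Assert restrict_softwares variable` carries `failed_when: false`, and `Creating a list for disabling services` appends only recognised names, so `restrict_softwares: 'telent'` completes the play with telnet still enabled and nothing more than a warning in the output. For a hardening control that is the wrong default; removing `failed_when: false`, or asserting once that `services_list | difference(restrict_services_supported) | length == 0`, turns an unapplied restriction into a failure. The same five-name disjunction is spelled out twice (in the assert and in the `when`); one list in roles/cluster_validation/vars/main.yml, say `restrict_services_supported: ['telnet', 'lpd', 'bluetooth', 'rlogin', 'rexec']` (name constructed), used as `- item in restrict_services_supported` in both places keeps them from drifting. `lookup('vars', 'restrict_softwares')` is an indirect way of writing `restrict_softwares`, and the two `set_fact` bodies are indented four spaces where the rest of the file uses two.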

+ 5 - 1
roles/cluster_validation/vars/main.yml

@@ -95,4 +95,8 @@ email_search_key: "@"
 user_success_msg: "user successfully validated"
 user_fail_msg: "Failed. Incorrect user format in security_vars.yml"
 allow_deny_success_msg: "Access successfully validated"
-allow_deny_fail_msg: "Failed. Incorrect Access format in security_vars.yml"
+allow_deny_fail_msg: "Failed. Incorrect Access format in security_vars.yml"
+restrict_program_support_success_msg: "restrict_program_support successfully validated"
+restrict_program_support_failure_msg: "Failed. Accepted values are true or false."
+restrict_softwares_success_msg: "restrict_softwares successfully validated"
+restrict_softwares_failure_msg: "Warning. Values should be comma separated. The supported services are telnet, lpd, bluetooth, rlogin, rexec. Please check restrict_softwares variable"

+ 5 - 1
roles/login_node/tasks/main.yml

@@ -1,4 +1,4 @@
-#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -51,6 +51,10 @@
         
         - name: Session timeout configuration
           include_tasks: session_timeout.yml
+
+        - name: Restrict nonessential programs
+          include_tasks: restrict_nonessentials.yml
+          when: hostvars['127.0.0.1']['restrict_program_status']
       when: hostvars['127.0.0.1']['enable_secure_login_node']
   when:
     - hostvars['127.0.0.1']['login_node_required']

+ 89 - 0
roles/login_node/tasks/restrict_nonessentials.yml

@@ -0,0 +1,89 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Gathering service facts
+  service_facts:
+
+- name: Disable bluetooth services
+  block:
+    - name: Disabling bluetooth service
+      service:
+        name: bluetooth
+        enabled: no
+        state: stopped
+      when:
+        - "'bluetooth.service' in ansible_facts.services"
+        - ansible_facts.services['bluetooth.service'].status in service_status
+ 
+    - name: Disabling bluez service
+      service:
+        name: dbus-org.bluez.service
+        enabled: no
+        state: stopped
+      failed_when: false
+      when:
+        - "'dbus-org.bluez.service' in ansible_facts.services"
+        - ansible_facts.services['dbus-org.bluez.service'].status in service_status
+ 
+    - name: Disabling blueman service
+      systemd:
+        name: blueman-mechanism.service
+        state: stopped
+        enabled: no
+      when: 
+        - "'blueman-mechanism.service' in ansible_facts.services"
+        - ansible_facts.services['blueman-mechanism.service'].status in service_status
+  when: "'bluetooth' in hostvars['127.0.0.1']['disable_services']"
+
+- name: Disabling telnet service
+  service:
+    name: telnet.socket
+    enabled: no
+    state: stopped
+  when:
+    - "'telnet' in hostvars['127.0.0.1']['disable_services']"
+    - "'telnet@.service' in ansible_facts.services"
+    - ansible_facts.services['telnet@.service'].status in service_status
+
+- name: Disabling lpd service
+  service:
+    name: cups-lpd.socket
+    enabled: no
+    state: stopped
+  when:
+    - "'lpd' in hostvars['127.0.0.1']['disable_services']"
+    - "'cups-lpd@.service' in ansible_facts.services"
+    - ansible_facts.services['cups-lpd@.service'].status in service_status
+ 
+- name: Disabling rlogin service
+  service:
+    name: rlogin.socket
+    enabled: no
+    state: stopped
+  when: 
+    - "'rlogin' in hostvars['127.0.0.1']['disable_services']"
+    - "'rlogin.socket' in ansible_facts.services"
+    - ansible_facts.services['rlogin.socket'].status in service_status
+ 
+- name: Disabling rexec service
+  service:
+    name: rexec.socket
+    enabled: no
+    state: stopped
+    changed_when: false
+  when: 
+    -  "'rexec' in hostvars['127.0.0.1']['disable_services']"
+    - "'rexec.socket' in ansible_facts.services"
+    -  ansible_facts.services['rexec.socket'].status in service_status
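Review bot: `changed_when: false` at the end of `Disabling rexec service` is indented under `service:`, so it is passed to the module as an argument and the task will fail with an unsupported-parameter error whenever 'rexec' is requested; it also does not belong on a stop/disable task, so delete the line rather than outdent it. The rlogin and rexec tasks key their conditions on `rlogin.socket` and `rexec.socket` in `ansible_facts.services`, whereas the telnet and lpd tasks key on the template units `telnet@.service` and `cups-lpd@.service`; in the Ansible versions I know, `service_facts` enumerates `.service` units only, so if that holds here the two socket-keyed conditions never become true and rlogin/rexec are never disabled — worth checking on a host with the rsh server units installed and, if confirmed, switching to `rlogin@.service` / `rexec@.service` like the others. Several `when: ` lines and the blank `+ ` separators carry trailing whitespace, the `-  "'rexec' in ...` items have a double space after the dash, and `enabled: no` should be the canonical `enabled: false` throughout.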

+ 5 - 2
roles/login_node/vars/main.yml

@@ -1,4 +1,4 @@
-#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -85,4 +85,7 @@ kerberos_packages:
   - krb5-client
 kerberos_principal_path: /var/lib/kerberos/krb5kdc/principal
 kerberos_conf_path: /etc/krb5.conf
-kerberos_env_path: /usr/lib/mit/sbin/
+kerberos_env_path: /usr/lib/mit/sbin/
+
+# Usage: restrict_nonessentials.yml
+service_status: ['enabled','alias','static','indirect','enabled-runtime','active','inactive']
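Review bot: `service_status` is written as a flow list with no spaces after the commas, while `kerberos_packages` in the same file is a block sequence; writing it in block form, one `- enabled` per line, matches the file and diffs cleanly when a state is added. The list is also the only definition of which unit states restrict_nonessentials.yml acts on, and it includes `inactive`, so an enabled-but-stopped unit is still disabled; a one-line comment stating that intent, e.g. `# Unit states on which restrict_nonessentials.yml stops/disables the unit; 'inactive' is included so enabled-but-stopped units are disabled too`, would save the next reader a trip to the task file.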