commit 1b786738ab8d09ec8d0e4a699f0d2d6f757d63f0
Author: Aaron Guise
Date: Wed Apr 1 11:20:57 2020 +1300
Initial Commit
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..36bbf62
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+ apt:
+ packages:
+ - python-pip
+
+install:
+ # Install ansible
+ - pip install ansible
+
+ # Check ansible version
+ - ansible --version
+
+ # Create ansible.cfg with correct roles_path
+ - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+ # Basic role syntax check
+ - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+ webhooks: https://galaxy.ansible.com/api/v1/notifications/
\ No newline at end of file
diff --git a/.vagrant/machines/default/virtualbox/action_set_name b/.vagrant/machines/default/virtualbox/action_set_name
new file mode 100644
index 0000000..9c52736
--- /dev/null
+++ b/.vagrant/machines/default/virtualbox/action_set_name
@@ -0,0 +1 @@
+1585690149
\ No newline at end of file
diff --git a/.vagrant/machines/default/virtualbox/creator_uid b/.vagrant/machines/default/virtualbox/creator_uid
new file mode 100644
index 0000000..e37d32a
--- /dev/null
+++ b/.vagrant/machines/default/virtualbox/creator_uid
@@ -0,0 +1 @@
+1000
\ No newline at end of file
diff --git a/.vagrant/machines/default/virtualbox/id b/.vagrant/machines/default/virtualbox/id
new file mode 100644
index 0000000..86a497d
--- /dev/null
+++ b/.vagrant/machines/default/virtualbox/id
@@ -0,0 +1 @@
+41f4bbd1-36c9-4f47-876c-7aa50b09f29a
\ No newline at end of file
diff --git a/.vagrant/machines/default/virtualbox/index_uuid b/.vagrant/machines/default/virtualbox/index_uuid
new file mode 100644
index 0000000..26c5f9c
--- /dev/null
+++ b/.vagrant/machines/default/virtualbox/index_uuid
@@ -0,0 +1 @@
+570d20849699415986acc997c20df779
\ No newline at end of file
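Review bot: The Travis job runs on `python: "2.7"`, an interpreter that was already end-of-life at the date of this commit, and `pip install ansible` is unpinned, so the syntax check exercises whatever ansible resolves on that day rather than the `min_ansible_version: 2.9` declared in meta/main.yml. Pin the interpreter to a supported 3.x and the package to the tested series, e.g. `- pip install 'ansible>=2.9,<2.10'`, so a CI pass says something about the version the role claims to support.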
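Review bot: The `.vagrant/machines/default/virtualbox/*` files added here (action_set_name, creator_uid, id, index_uuid, plus vagrant_cwd and rgloader/loader.rb in the next two hunks) are per-machine runtime state that Vagrant regenerates on `vagrant up`, not source. Committing them ties the checkout to one VirtualBox VM id, publishes the author's local path (`/home/vagrant/Documents/ansible-roles/auth_duo`), and vendors Vagrant's own shipped loader.rb into the role. Add `.vagrant/` to a `.gitignore` and remove the directory from the index (`git rm -r --cached .vagrant`).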
diff --git a/.vagrant/machines/default/virtualbox/vagrant_cwd b/.vagrant/machines/default/virtualbox/vagrant_cwd
new file mode 100644
index 0000000..9391299
--- /dev/null
+++ b/.vagrant/machines/default/virtualbox/vagrant_cwd
@@ -0,0 +1 @@
+/home/vagrant/Documents/ansible-roles/auth_duo
\ No newline at end of file
diff --git a/.vagrant/rgloader/loader.rb b/.vagrant/rgloader/loader.rb
new file mode 100644
index 0000000..c3c05b0
--- /dev/null
+++ b/.vagrant/rgloader/loader.rb
@@ -0,0 +1,9 @@
+# This file loads the proper rgloader/loader.rb file that comes packaged
+# with Vagrant so that encoded files can properly run with Vagrant.
+
+if ENV["VAGRANT_INSTALLER_EMBEDDED_DIR"]
+ require File.expand_path(
+ "rgloader/loader", ENV["VAGRANT_INSTALLER_EMBEDDED_DIR"])
+else
+ raise "Encoded files can't be read outside of the Vagrant installer."
+end
diff --git a/.yamllint b/.yamllint
new file mode 100644
index 0000000..8827676
--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+ braces:
+ max-spaces-inside: 1
+ level: error
+ brackets:
+ max-spaces-inside: 1
+ level: error
+ colons:
+ max-spaces-after: -1
+ level: error
+ commas:
+ max-spaces-after: -1
+ level: error
+ comments: disable
+ comments-indentation: disable
+ document-start: disable
+ empty-lines:
+ max: 3
+ level: error
+ hyphens:
+ level: error
+ indentation: disable
+ key-duplicates: enable
+ line-length: disable
+ new-line-at-end-of-file: disable
+ new-lines:
+ type: unix
+ trailing-spaces: disable
+ truthy: disable
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..225dd44
--- /dev/null
+++ b/README.md
@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/Vagrantfile b/Vagrantfile
new file mode 100644
index 0000000..caba658
--- /dev/null
+++ b/Vagrantfile
@@ -0,0 +1,70 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# All Vagrant configuration is done below. The "2" in Vagrant.configure
+# configures the configuration version (we support older styles for
+# backwards compatibility). Please don't change it unless you know what
+# you're doing.
+Vagrant.configure("2") do |config|
+ # The most common configuration options are documented and commented below.
+ # For a complete reference, please see the online documentation at
+ # https://docs.vagrantup.com.
+
+ # Every Vagrant development environment requires a box. You can search for
+ # boxes at https://vagrantcloud.com/search.
+ config.vm.box = "cybercinch/centos7"
+
+ # Disable automatic box update checking. If you disable this, then
+ # boxes will only be checked for updates when the user runs
+ # `vagrant box outdated`. This is not recommended.
+ # config.vm.box_check_update = false
+
+ # Create a forwarded port mapping which allows access to a specific port
+ # within the machine from a port on the host machine. In the example below,
+ # accessing "localhost:8080" will access port 80 on the guest machine.
+ # NOTE: This will enable public access to the opened port
+ # config.vm.network "forwarded_port", guest: 80, host: 8080
+
+ # Create a forwarded port mapping which allows access to a specific port
+ # within the machine from a port on the host machine and only allow access
+ # via 127.0.0.1 to disable public access
+ # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"
+
+ # Create a private network, which allows host-only access to the machine
+ # using a specific IP.
+ # config.vm.network "private_network", ip: "192.168.33.10"
+
+ # Create a public network, which generally matched to bridged network.
+ # Bridged networks make the machine appear as another physical device on
+ # your network.
+ # config.vm.network "public_network"
+
+ # Share an additional folder to the guest VM. The first argument is
+ # the path on the host to the actual folder. The second argument is
+ # the path on the guest to mount the folder. And the optional third
+ # argument is a set of non-required options.
+ # config.vm.synced_folder "../data", "/vagrant_data"
+
+ # Provider-specific configuration so you can fine-tune various
+ # backing providers for Vagrant. These expose provider-specific options.
+ # Example for VirtualBox:
+ #
+ # config.vm.provider "virtualbox" do |vb|
+ # # Display the VirtualBox GUI when booting the machine
+ # vb.gui = true
+ #
+ # # Customize the amount of memory on the VM:
+ # vb.memory = "1024"
+ # end
+ #
+ # View the documentation for the provider you are using for more
+ # information on available options.
+
+ # Enable provisioning with a shell script. Additional provisioners such as
+ # Ansible, Chef, Docker, Puppet and Salt are also available. Please see the
+ # documentation for more information about their specific syntax and use.
+ # config.vm.provision "shell", inline: <<-SHELL
+ # apt-get update
+ # apt-get install -y apache2
+ # SHELL
+end
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..0cc3471
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,14 @@
+---
+# defaults file for auth_duo
+auth_duo_install_repo: true
+auth_duo_reponame: duosecurity
+# The settings which will be applied to /etc/duo/login_duo.conf
+# Minimal settings are ikey, skey and host
+# For more please check https://duo.com/docs/duounix#duo-configuration-options
+auth_duo_settings:
+ - key: ikey
+ value: someikey
+ - key: skey
+ value: someskey
+ - key: host
+ value: somehost
diff --git a/files/etc.pam.d.sshd b/files/etc.pam.d.sshd
new file mode 100644
index 0000000..bd6ab32
--- /dev/null
+++ b/files/etc.pam.d.sshd
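Review bot: `config.vm.box = "cybercinch/centos7"` pulls a third-party box with no version constraint, so each `vagrant up` may resolve to a different image and the development VM is not reproducible. Pin it next to the box line with `config.vm.box_version = "<BOX-VERSION>"` (placeholder; fill in the version you actually tested against). Everything else in the file is the untouched Vagrant template; pruning the commented examples would make the one real setting easier to find.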
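Review bot: The comment above `auth_duo_settings` says the values are applied to `/etc/duo/login_duo.conf`, but tasks/main.yml writes them to `/etc/duo/pam_duo.conf`; change it to `# The settings which will be applied to /etc/duo/pam_duo.conf`. `skey` is a shared secret, so a plain-text placeholder in defaults invites operators to override it in plain text too; a comment that `ikey`/`skey`/`host` must be overridden and that `skey` should come from Ansible Vault or an external secret store would help. `failmode` is not in the minimal list and pam_duo's default for it is `safe`, i.e. logins are allowed when Duo cannot be reached; a deployment that wants MFA to fail closed has to add `- key: failmode` / `value: secure` here, which is worth saying in the comment.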
@@ -0,0 +1,23 @@
+#%PAM-1.0
+auth required pam_sepermit.so
+auth substack password-auth
+auth required pam_env.so
+auth sufficient pam_duo.so
+auth required pam_deny.so
+auth include postlogin
+# Used with polkit to reauthorize users in remote sessions
+-auth optional pam_reauthorize.so prepare
+account required pam_nologin.so
+account include password-auth
+password include password-auth
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
+session required pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session required pam_selinux.so open env_params
+session required pam_namespace.so
+session optional pam_keyinit.so force revoke
+session include password-auth
+session include postlogin
+# Used with polkit to reauthorize users in remote sessions
+-session optional pam_reauthorize.so prepare
diff --git a/files/etc.yum.repos.d.duosecurity b/files/etc.yum.repos.d.duosecurity
new file mode 100644
index 0000000..e9c6d4c
--- /dev/null
+++ b/files/etc.yum.repos.d.duosecurity
@@ -0,0 +1,6 @@
+## Managed by Ansible ##
+[duosecurity]
+name=Duo Security Repository
+baseurl=https://pkg.duosecurity.com/RedHat/"$releasever"Server/$basearch
+enabled=1
+gpgcheck=1
\ No newline at end of file
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..b7387ea
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+# handlers file for auth_duo
+- name: restart sshd
+ service:
+ name: sshd
+ state: restarted
\ No newline at end of file
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..a58b168
--- /dev/null
+++ b/meta/main.yml
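Review bot: `files/etc.pam.d.sshd` is a full copy of a distribution `/etc/pam.d/sshd` with `auth sufficient pam_duo.so` inserted, and tasks/main.yml installs it with `copy`, so any local PAM customisation on the target is overwritten and the file will drift from what the distro ships later. Add a header such as `# Managed by Ansible (auth_duo role): RHEL/CentOS 7 sshd stack with pam_duo.so inserted` so operators know the origin, matching the `## Managed by Ansible ##` header used in etc.yum.repos.d.duosecurity. The ordering `substack password-auth` → `required pam_env.so` → `sufficient pam_duo.so` → `required pam_deny.so` is what makes both the password stack and Duo mandatory; a one-line comment saying the pam_duo line must stay after password-auth and before pam_deny would stop a future edit from quietly weakening it.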
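Review bot: `etc.yum.repos.d.duosecurity` sets `gpgcheck=1` but has no `gpgkey=` line, so signature verification of `duo_unix` works only because tasks/duo-repo.yml imports the key with `rpm_key` beforehand; the repo file is not self-describing and yum has no way to fetch the key itself. Add `gpgkey=https://duo.com/DUO-GPG-PUBLIC-KEY.asc` (the URL the rpm_key task already uses) and, if the repository metadata is signed, `repo_gpgcheck=1`, which would make it consistent with virtualbox.repo in this same commit. The quotes in `baseurl=https://pkg.duosecurity.com/RedHat/"$releasever"Server/$basearch` are, as far as I know, passed through literally by yum; please confirm the substituted URL resolves on CentOS 7 (`$releasever` is `7`) as well as on RHEL.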
@@ -0,0 +1,45 @@
+galaxy_info:
+ author: Aaron Guise
+ description: Enable duo_unix - Multifactor Authentication for Linux
+ company: Ultrafast Fibre
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Choose a valid license ID from https://spdx.org - some suggested licenses:
+ # - BSD-3-Clause (default)
+ # - MIT
+ # - GPL-2.0-or-later
+ # - GPL-3.0-only
+ # - Apache-2.0
+ # - CC-BY-4.0
+ license: MIT
+
+ min_ansible_version: 2.9
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ platforms:
+ - name: RedHat
+ versions:
+ - 7
+galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
+
\ No newline at end of file
diff --git a/molecule/default/INSTALL.rst b/molecule/default/INSTALL.rst
new file mode 100644
index 0000000..6a44bde
--- /dev/null
+++ b/molecule/default/INSTALL.rst
@@ -0,0 +1,22 @@
+*******
+Docker driver installation guide
+*******
+
+Requirements
+============
+
+* Docker Engine
+
+Install
+=======
+
+Please refer to the `Virtual environment`_ documentation for installation best
+practices. If not using a virtual environment, please consider passing the
+widely recommended `'--user' flag`_ when invoking ``pip``.
+
+.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
+.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
+
+.. code-block:: bash
+
+ $ pip install 'molecule[docker]'
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
new file mode 100644
index 0000000..afb92f6
--- /dev/null
+++ b/molecule/default/converge.yml
@@ -0,0 +1,7 @@
+---
+- name: Converge
+ hosts: all
+ tasks:
+ - name: "Include auth_duo"
+ include_role:
+ name: "auth_duo"
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
new file mode 100644
index 0000000..2a916f6
--- /dev/null
+++ b/molecule/default/molecule.yml
@@ -0,0 +1,17 @@
+---
+dependency:
+ name: galaxy
+driver:
+ name: docker
+platforms:
+ - name: instance
+ command: ${MOLECULE_DOCKER_COMMAND:-""}
+ image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:ro
+ privileged: true
+ pre_build_image: true
+provisioner:
+ name: ansible
+verifier:
+ name: ansible
diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
new file mode 100644
index 0000000..f8dc787
--- /dev/null
+++ b/molecule/default/prepare.yml
@@ -0,0 +1,13 @@
+---
+- name: Prepare
+ hosts: all
+ tasks:
+ - name: ensure openssh installed
+ yum:
+ name: openssh-server
+ state: installed
+ - name: ensure sshd is running
+ service:
+ name: sshd
+ state: started
+ enabled: true
\ No newline at end of file
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
new file mode 100644
index 0000000..a82dd6f
--- /dev/null
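Review bot: `state: installed` on the `yum` task in prepare.yml is the legacy alias for `present`, and the same spelling is used for `duo_unix` in tasks/main.yml; change both to `state: present` so the role reads as the documented form. The rest of the prepare play is reasonable for the systemd-based `geerlingguy/docker-*-ansible` images that molecule.yml selects.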
+++ b/molecule/default/verify.yml
@@ -0,0 +1,9 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+ hosts: all
+ tasks:
+ - name: Example assertion
+ assert:
+ that: true
diff --git a/tasks/duo-repo.yml b/tasks/duo-repo.yml
new file mode 100644
index 0000000..0f07398
--- /dev/null
+++ b/tasks/duo-repo.yml
@@ -0,0 +1,11 @@
+---
+- name: Ensure Duo GPG Key is installed
+ rpm_key:
+ key: https://duo.com/DUO-GPG-PUBLIC-KEY.asc
+ state: present
+
+- name: Ensure duo repository is present
+ copy:
+ src: etc.yum.repos.d.duosecurity
+ dest: /etc/yum.repos.d/duosecurity.repo
+
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..9985206
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,44 @@
+---
+# tasks file for auth_duo
+- name: Include repository install
+ include_tasks: duo-repo.yml
+ when: auth_duo_install_repo
+
+- name: Ensure duo is installed
+ yum:
+ name: duo_unix
+ enablerepo: "{{ auth_duo_reponame }}"
+ state: installed
+
+# - name: Ensure ikey is populated
+# fail:
+# msg: "ikey should not be 'someikey' see defaults/main.yml"
+# when:
+- name: Ensure Duo configuration in place
+ ini_file:
+ path: /etc/duo/pam_duo.conf
+ section: duo
+ option: "{{ item.key }}"
+ value: "{{ item.value }}"
+ with_items: "{{ auth_duo_settings }}"
+
+- name: Ensure PAM for SSH is configured with duo MFA
+ copy:
+ src: etc.pam.d.sshd
+ dest: /etc/pam.d/sshd
+ notify: restart sshd
+
+- name: Ensure PAM is enabled for SSH
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "{{ item.regex }}"
+ line: "{{ item.line }}"
+ with_items:
+ - regex: '^UsePAM '
+ line: 'UsePAM yes'
+ - regex: '^ChallengeResponseAuthentication '
+ line: 'ChallengeResponseAuthentication yes'
+ notify: restart sshd
+
+- name: Flush Handlers
+ meta: flush_handlers
\ No newline at end of file
diff --git a/tests/inventory b/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/tests/inventory
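Review bot: The verify play asserts `that: true`, so `molecule verify` passes without checking anything the role changed. Replace the placeholder with assertions tied to the role's own effects: read the two files the role manages and check that `pam_duo.so` is present in `/etc/pam.d/sshd` and that `UsePAM yes` and `ChallengeResponseAuthentication yes` are present in `/etc/ssh/sshd_config`, which is exactly what tasks/main.yml promises. A rewrite along these lines (constructed example) is below.
```yaml
- name: Verify
  hosts: all
  tasks:
    - name: Read the files managed by the auth_duo role
      slurp:
        src: "{{ item }}"
      loop:
        - /etc/pam.d/sshd
        - /etc/ssh/sshd_config
      register: managed_files

    - name: Assert Duo PAM stack and sshd PAM settings are in place
      assert:
        that:
          - "'pam_duo.so' in (managed_files.results[0].content | b64decode)"
          - "'UsePAM yes' in (managed_files.results[1].content | b64decode)"
          - "'ChallengeResponseAuthentication yes' in (managed_files.results[1].content | b64decode)"
```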
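Review bot: `rpm_key` imports the Duo signing key straight from `https://duo.com/DUO-GPG-PUBLIC-KEY.asc` with nothing to check it against, so the trust root for every later `duo_unix` install is whatever that URL serves at run time. Pin it with `fingerprint: <DUO-KEY-FINGERPRINT>` under `rpm_key` (placeholder; take the value from Duo's published documentation and record it in defaults/main.yml) so a changed key fails the task instead of being trusted. The `copy` of the repo file sets no `owner`/`group`/`mode`; add `mode: '0644'` so the result does not depend on the controller's umask.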
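Review bot: The `Ensure Duo configuration in place` loop writes `skey` into `/etc/duo/pam_duo.conf`, and because each `with_items` item is echoed in task output the shared secret ends up in the Ansible log of every run; add `no_log: true` to that task and set `owner: root` / `mode: '0600'` on `ini_file` so the file holding the secret is not left world-readable. The `Ensure PAM is enabled for SSH` task lets `lineinfile` append at end of file whenever `^UsePAM ` or `^ChallengeResponseAuthentication ` has no match; if the target's sshd_config ends in a `Match` block the appended directive becomes conditional (and `UsePAM` is not among the keywords sshd accepts inside `Match`), the `restart sshd` handler then fails and the host is locked out, so add `insertbefore: '^Match '` with `firstmatch: true` and `validate: '/usr/sbin/sshd -t -f %s'`. The commented-out `Ensure ikey is populated` task leaves the placeholder check unfinished; an `assert` that no `auth_duo_settings` value is still `someikey`, `someskey` or `somehost` before the config is written would close that gap. The rewritten tasks (constructed) are below.
```yaml
# … unchanged: repository include and duo_unix install …

- name: Ensure placeholder credentials from defaults have been overridden
  assert:
    that:
      - "'someikey' not in (auth_duo_settings | map(attribute='value') | list)"
      - "'someskey' not in (auth_duo_settings | map(attribute='value') | list)"
      - "'somehost' not in (auth_duo_settings | map(attribute='value') | list)"
    fail_msg: "auth_duo_settings still contains placeholder values from defaults/main.yml"

- name: Ensure Duo configuration in place
  ini_file:
    path: /etc/duo/pam_duo.conf
    section: duo
    option: "{{ item.key }}"
    value: "{{ item.value }}"
    owner: root
    group: root
    mode: '0600'
  with_items: "{{ auth_duo_settings }}"
  no_log: true

# … unchanged: PAM file copy …

- name: Ensure PAM is enabled for SSH
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regex }}"
    line: "{{ item.line }}"
    insertbefore: '^Match '
    firstmatch: true
    validate: '/usr/sbin/sshd -t -f %s'
  with_items:
    - regex: '^UsePAM '
      line: 'UsePAM yes'
    - regex: '^ChallengeResponseAuthentication '
      line: 'ChallengeResponseAuthentication yes'
  notify: restart sshd

# … unchanged: flush_handlers …
```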
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/tests/test.yml b/tests/test.yml
new file mode 100644
index 0000000..42fcec5
--- /dev/null
+++ b/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - auth_duo
\ No newline at end of file
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..ce02e77
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for auth_duo
\ No newline at end of file
diff --git a/virtualbox.repo b/virtualbox.repo
new file mode 100644
index 0000000..e7a2023
--- /dev/null
+++ b/virtualbox.repo
@@ -0,0 +1,7 @@
+[virtualbox]
+name=Oracle Linux / RHEL / CentOS-$releasever / $basearch - VirtualBox
+baseurl=http://download.virtualbox.org/virtualbox/rpm/el/$releasever/$basearch
+enabled=1
+gpgcheck=1
+repo_gpgcheck=1
+gpgkey=https://www.virtualbox.org/download/oracle_vbox.asc
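Review bot: `virtualbox.repo` sits at the role root but nothing in tasks/, files/ or the Vagrantfile references it, so it looks like a leftover from building the development VM and will be packaged and published with the role. Either move it into the Vagrant provisioning it belongs to or drop it. If it stays, `baseurl=http://download.virtualbox.org/...` is plain http; `gpgcheck=1`/`repo_gpgcheck=1` with the https `gpgkey` cover integrity, but an https baseurl (`baseurl=https://download.virtualbox.org/virtualbox/rpm/el/$releasever/$basearch`) also keeps the package list private in transit.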