feat: prepare tasks for NFSv3 rpcbind risk mitigations. CAUTION: as we're...

feat: prepare tasks for NFSv3 rpcbind risk mitigations. CAUTION: as we're lacking NetApp interface info, this code is not yet tested!

feat: prepare tasks for NFSv3 rpcbind risk mitigations. CAUTION: as we're...
7200fc1c · Jörg Sachse · f1a4cab6 · 7200fc1c · 7200fc1c · 7200fc1c
Commit 7200fc1c authored 1 year ago by Jörg Sachse
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -85,3 +85,7 @@
    name: "clamav-freshclam"
    state: restarted
  when: ansible_os_family == "RedHat"
+
+- name: daemon_reload
+  ansible.builtin.systemd:
+    daemon_reload: true
--- a/tasks/configure_rpcbind.yml
+++ b/tasks/configure_rpcbind.yml
+---
+- name: find out if rpcbind is installed by checking for systemd socket unit
+  ansible.builtin.stat:
+    path: "/lib/systemd/system/rpcbind.socket"
+    get_attributes: false
+    get_checksum: false
+    get_mime: false
+  register: rpcbind_installed
+  changed_when: false
+
+- name: create directory for Systemd unit override
+  ansible.builtin.file:
+    path: "/etc/systemd/system/rpcbind.socket.d/"
+    state: directory
+    mode: "0755"
+  when: rpcbind_installed
+
+- name: implement access control in rpcbind socket unit by creating an override - general settings
+  ansible.builtin.blockinfile:
+    path: "/etc/systemd/system/rpcbind.socket.d/override.conf"
+    create: true
+    marker: "### {mark} ANSIBLE MANAGED BLOCK - clear previous settings"
+    block: |
+      # from `man 5 systemd.socket`:
+      # "SOCK_STREAM (i.e. ListenStream=) when used for IP sockets refers to
+      # TCP sockets, SOCK_DGRAM (i.e. ListenDatagram=) to UDP."
+
+      # Clear any previously set options...
+      #ListenStream=0.0.0.0:111      # DISTRO DEFAULT
+      #ListenDatagram=0.0.0.0:111    # DISTRO DEFAULT
+      ListenStream=
+      ListenDatagram=
+      # ...and now set new stricter values in subsequent blocks.
+  when: rpcbind_installed
+  notify: daemon_reload
+
+- name: implement access control in rpcbind socket unit by creating an override - general settings
+  ansible.builtin.blockinfile:
+    path: "/etc/systemd/system/rpcbind.socket.d/override.conf"
+    create: true
+    marker: ### {mark} ANSIBLE MANAGED BLOCK - allow access for {{ item.source }}
+    block: |
+      ListenStream={{ item.source }}
+      ListenDatagram={{ item.source }}
+  loop: "{{ nfs_server_interfaces }}"
+  when: rpcbind_installed
+  notify: daemon_reload
+
+- name: implement rpcbind access control in iptables
+  ansible.builtin.iptables:
+    action: "insert"
+    chain: "INPUP"
+    comment: "{{ item.comment }}"
+    source: "{{ item.source }}"
+    jump: "ACCEPT"
+  loop: "{{ nfs_server_interfaces }}"
+  notify: "save iptables rules"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -44,6 +44,10 @@
  ansible.builtin.import_tasks: "configure_iptables.yml"
  tags: [iptables]

+- name: configure mitigations for NFSv3 rpcbind
+  ansible.builtin.import_tasks: "configure_rpcbind.yml"
+  tags: [nfs, network, iptables, rpc, rpcbind]
+
 - name: include rkhunter install task
  ansible.builtin.import_tasks: "install_rkhunter.yml"
  tags: [rkhunter]