Merge pull request #14975 from rocky-linux/develop

General Fixes
Louis Abel 2021-01-22 18:34:11 -07:00 committed by GitHub
commit 84d07f4a25
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 208 additions and 28 deletions


@ -7,12 +7,12 @@ auth [success=done ignore=ignore default=die] pam_sss.so require_cert
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue nouserok {include if "with-pam-u2f-2fa"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail audit deny=5 unlock_time=900 fail_interval=900 {include if "with-faillock"}
auth required pam_deny.so
@ -20,8 +20,8 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
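Review bot: The faillock thresholds on L26 (`deny=5 unlock_time=900 fail_interval=900`) are given only on the `authfail` line; the matching `preauth` line lives above this hunk (the profile starts at line 7 here), and if its arguments differ the lockout that is enforced and the one that is announced to the user disagree. Since the page gives no old/new markers for this section I cannot tell which of L17/L18 and L23/L24 is the new side, but whichever variant is kept, a one-line comment such as `# keep deny/unlock_time/fail_interval identical on the preauth line` above L26 would make the coupling visible, or the values can be centralised in /etc/security/faillock.conf where the installed pam supports it.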


@ -1,11 +1,3 @@
******* **
/**////** /** ** **
/** /** ****** ***** /** ** //** **
/******* **////** **///**/** ** //***
/**///** /** /**/** // /**** /**
/** //** /** /**/** **/**/** **
/** //**//****** //***** /**//** **
// // ////// ///// // // //
This is a Rocky Linux system
All access is logged and monitored. Unauthorized access is prohibited.


@ -1,7 +1,10 @@
---
# Basic system configuration. All hardening should also be imported here.
# Use --extra-vars="host=..." and specify a hostname in the inventory or
# provide an ansible host group name. You can also just use "all" if you
# want to ensure all systems are up to date on the configuration.
- name: Configure system
hosts: all
hosts: "{{ host }}"
become: true
# This is to try to avoid the handler issue in pre/post tasks
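Review bot: The comment on L58–L60 does not say what happens when `host` is not supplied: with `hosts: "{{ host }}"` (L63) Ansible aborts on an undefined variable instead of running against every inventory host, which is the safer behaviour and worth stating rather than leaving to be discovered. Add a line to that comment such as `# If "host" is not set the play fails rather than silently targeting all hosts.`. The play body continues past the end of this hunk.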


@ -1,2 +1,26 @@
---
# Account Services
- name: Install packages
package:
name:
- httpd
- mod_ssl
- python3
- python3-setuptools
- python3-kdcproxy
state: present
- name: Deploy relevant httpd configuration
template:
src: "etc/httpd/conf.d/id.conf.j2"
dest: "/etc/httpd/conf.d/id.conf"
owner: root
group: root
mode: '0644'
notify: restart_httpd
- name: Enable and start
systemd:
name: httpd
state: running
enabled: true
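Review bot: `state: running` on L92 is not an accepted value for the `systemd` module (it takes `started`, `stopped`, `restarted` or `reloaded`), so the "Enable and start" task fails at argument validation before httpd is ever started; change it to `state: started`. The `notify: restart_httpd` on L88 also depends on a handler of that exact name existing in the role, which is not visible on this page and should be confirmed.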


@ -35,18 +35,18 @@
- name: Override system-auth and password-auth
copy:
src: "etc/authselect/custom/sssd-aoc/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
src: "etc/authselect/custom/sssd-rocky/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
dest: "{{ item }}"
owner: root
group: root
mode: '0644'
loop:
- /etc/authselect/custom/sssd-aoc/system-auth
- /etc/authselect/custom/sssd-aoc/password-auth
- /etc/authselect/custom/sssd-rocky/system-auth
- /etc/authselect/custom/sssd-rocky/password-auth
- name: Select New Profile
command: >
/usr/bin/authselect select custom/sssd-aoc
/usr/bin/authselect select custom/sssd-rocky
without-nullok
with-faillock
with-mkhomedir


@ -14,15 +14,35 @@
yum:
name: "{{ mantis_pkg }}"
state: present
vars:
mantis_pkg:
- php
- php-ldap
- httpd
- mod_ssl
- php-pgsql
- php-mbstring
- php-curl
- openldap
tags:
- packages
- name: Download the bugtracker
get_url:
url: "http://downloads.sourceforge.net/mantisbt/mantisbt-{{ mantis_version }}.tar.gz"
dest: "/tmp/mantisbt-{{ mantis_version }}.tar.gz"
checksum: "{{ mantis_checksum }}"
- name: Extract mantis
unarchive:
src: "/tmp/mantisbt-{{ mantis_version }}.tar.gz"
dest: "/var/www"
owner: apache
group: apache
remote_src: true
- name: Configure mantis
template:
src: "var/www/mantis/config/config_inc.php.j2"
dest: "/var/www/mantisbt-{{ mantis_version }}/config/config_inc.php"
owner: apache
group: apache
mode: '0640'
- name: Configure httpd
template:
src: "etc/httpd/conf.d/mantis.conf.j2"
dest: "/etc/httpd/conf.d/mantis.conf"
owner: root
group: root
mode: '0644'
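Review bot: The "Configure httpd" task on L156–L162 writes mantis.conf but has no `notify`, unlike the equivalent task in the account-services role on L81–L88, so a changed vhost is not picked up until something else restarts httpd; add `notify: restart_httpd` (or whichever handler this role defines). The download on L139 uses plain `http://`; the `checksum:` on L141 still pins the tarball's integrity, so switching to `url: "https://downloads.sourceforge.net/mantisbt/mantisbt-{{ mantis_version }}.tar.gz"` mainly closes the cleartext/downgrade gap, and the fixed `/tmp/mantisbt-…` path on L140/L144 could be replaced by a `tempfile`-created path to avoid a predictable name in a shared directory. The `unarchive` on L143–L148 gives the whole application tree to `apache`, which is more than a web server needs to own (with `$g_file_upload_method = DATABASE` no upload directory is required); root ownership with read access for apache would limit what a compromised web process can modify. If L125–L134 are the new side, that `mantis_pkg` list duplicates the one in the role's vars file on this page and one of the two should go.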


@ -0,0 +1,48 @@
WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=1000 \
display-name=%{GROUP}
WSGIImportScript /usr/lib/python3.6/site-packages/kdcproxy/__init__.py \
process-group=kdcproxy application-group=kdcproxy
WSGIScriptAlias /KdcProxy /usr/lib/python3.6/site-packages/kdcproxy/__init__.py
WSGIScriptReloading Off
<VirtualHost *:80>
ServerName accounts.rockylinux.org
ServerAlias accounts.rockylinux.org {{ ansible_fqdn }}
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
<VirtualHost *:443>
ServerName accounts.rockylinux.org
ServerAlias accounts.rockylinux.org {{ ansible_fqdn }}
RequestHeader set X-Forwarded-Proto https
SSLCertificateFile /etc/pki/tls/certs/noggin.crt
SSLCertificateKeyFile /etc/pki/tls/private/noggin.key
</VirtualHost>
<Location "/">
ProxyPreserveHost On
ProxyPass http://127.0.0.1:5000/
ProxyPassReverse http://127.0.0.1:5000/
<RequireAll>
Require all granted
Include /etc/httpd/conf/blacklist.conf
</RequireAll>
</Location>
<Location "/KdcProxy">
Satisfy Any
WSGIProcessGroup kdcproxy
WSGIApplicationGroup kdcproxy
ProxyPass "!"
ProxyPassReverse "!"
<RequireAll>
Require all granted
Include /etc/httpd/conf/blacklist.conf
</RequireAll>
</Location>
ServerSignature Off
ServerTokens Prod
ErrorDocument 403 "<h3>Your IP is on the blacklist.</h3><p>Please contact <a href="mailto:infrastructure@rockylinux.org">Rocky Linux Staff</a> to see if this can be corrected.</p>"
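Review bot: The `*:443` vhost on L180–L186 sets certificate paths but never enables TLS: `SSLCertificateFile`/`SSLCertificateKeyFile` alone do nothing, so add `SSLEngine on` inside that vhost, as the mantis vhost on this page does (L228). The `ErrorDocument` on L209 embeds unescaped double quotes inside a double-quoted argument (`href="mailto:…"`), which is likely to end the quoted string early and make httpd reject the directive at config test; write the inner quotes as `\"` or use single quotes around the mailto value. The `<Location>` blocks on L187–L206 sit outside both vhosts and therefore apply to every vhost on this server, including `*:80`; if the intent is to proxy only over TLS, move them into the `*:443` block. The hard-coded `/usr/lib/python3.6/site-packages` on L169/L171 ties this template to one interpreter version; a templated variable (name to be chosen) or a glob-free lookup at deploy time would survive a Python update.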


@ -0,0 +1,33 @@
<VirtualHost *:80>
ServerAdmin infrastructure@rockylinux.org
DocumentRoot "/var/www/mantisbt-{{ mantis_version }}"
ServerName bugs.rockylinux.org
TransferLog /var/log/httpd/mantis_access.log
ErrorLog /var/log/httpd/mantis_error.log
<Directory "/var/www/mantisbt-{{ mantis_version }}/">
Options MultiViews FollowSymlinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLCertificateFile /etc/pki/tls/certs/bugs.rockylinux.org.crt
SSLCertificateKeyFile /etc/pki/tls/private/bugs.rockylinux.org.key
ServerAdmin infrastructure@rockylinux.org
DocumentRoot "/var/www/mantisbt-{{ mantis_version }}"
ServerName bugs.rockylinux.org
TransferLog /var/log/httpd/mantis_access.log
ErrorLog /var/log/httpd/mantis_error.log
<Directory "/var/www/mantisbt-{{ mantis_version }}/">
Options MultiViews FollowSymlinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
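Review bot: The `*:80` vhost on L214–L226 serves the full MantisBT application over cleartext, so logins and session cookies can travel unencrypted, whereas the account-services vhost on this page redirects port 80 to HTTPS; the port-80 block should only redirect. `Order allow,deny` / `Allow from all` on L223–L224 and L242–L243 is Apache 2.2 syntax that needs mod_access_compat on 2.4; use `Require all granted`. `AllowOverride All` is broad, but MantisBT relies on its shipped `.htaccess` files, so if it is narrowed, confirm the `config/` directory is still denied another way.

```apache
<VirtualHost *:80>
    ServerAdmin infrastructure@rockylinux.org
    ServerName bugs.rockylinux.org
    # Serve nothing over cleartext; send every request to the TLS vhost.
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
# … unchanged: <VirtualHost *:443> block (replace Order/Allow with Require all granted) …
```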


@ -0,0 +1,40 @@
<?php
$g_hostname = 'build-a-box.labs.angelsofclockwork.net';
$g_db_type = 'pgsql';
$g_database_name = '{{ mantis_db_name }}';
$g_db_username = '{{ mantis_db_user }}';
$g_db_password = '{{ mantis_db_pass }}';
$g_default_timezone = 'UTC';
$g_crypto_master_salt = 'DDQF2sdgdPycpzfWNSOt4KelQlz7h0kb9HHxaUFpYXk=';
# Added
$g_login_method = 'LDAP';
$g_ldap_server = '{{ rocky_ipaserver_lb }}';
$g_ldap_root_dn = '{{ rocky_ldap_user_basedn }}';
$g_ldap_organization = '(objectClass=posixAccount)';
$g_ldap_protocol_version = 3;
$g_ldap_network_timeout = 30;
$g_ldap_follow_referrals = ON;
$g_ldap_bind_dn = '{{ mantis_binder_user }}';
$g_ldap_bind_passwd = '{{ mantis_binder_pass }}';
$g_ldap_uid_field = 'uid';
$g_ldap_realname_field = 'cn';
$g_use_ldap_realname = ON;
$g_use_ldap_email = ON;
$g_webmaster_email = 'infrastructure@rockylinux.org';
$g_from_email = 'noreply@rockylinux.org';
$g_return_path_email = 'noreply@rockylinux.org';
$g_from_name = 'Rocky Linux Bugzilla';
$g_allow_file_upload = ON;
$g_file_upload_method = DATABASE; # or DISK
$g_dropzone_enabled = ON;
$g_show_realname = ON;
$g_allowed_files = 'log,patch,txt';
$g_disallowed_files = 'exe,tar,tgz,tar.gz,pl,sh';
$g_window_title = 'Rocky Bugzilla';
$g_allow_signup = OFF;
$g_allow_anonymous_login = ON;
$g_anonymous_account = 'anonymous';
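Review bot: `$g_crypto_master_salt` on L257 is a literal secret committed to the repository; MantisBT derives its token and cookie protection from this value, so it should come from a vaulted variable like the DB and bind passwords already do, e.g. `$g_crypto_master_salt = '{{ mantis_master_salt }}';` (variable name to be chosen), and the value currently on the page should be treated as disclosed and rotated. `$g_hostname` on L251 is a hard-coded database host from another environment rather than a templated value; make it `'{{ mantis_db_host }}'` (name to be chosen) so the template cannot silently point at the wrong server. `$g_from_name` on L275 and `$g_window_title` on L282 say "Bugzilla" for a MantisBT instance, which will confuse users reading notification mail.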


@ -0,0 +1,2 @@
---
ipatype: server


@ -0,0 +1,18 @@
---
# mantis vars
mantis_version: 2.24.2
mantis_checksum: "sha256:c1b483c8395a0fb1249bcc50ada203db584d819f4f6f606b1d1eec42c5205cb8"
mantis_pkg:
- php
- php-ldap
- httpd
- mod_ssl
- php-pgsql
- php-mbstring
- php-curl
- openldap
mantis_db_name: mantis
mantis_db_user: mantis
#mantis_db_pass: ThisIsNotThePassword!
mantis_binder_user: "uid=mantis_binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
#mantis_binder_pass: ThisIsNotThePassword!
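Review bot: The commented-out `mantis_db_pass` and `mantis_binder_pass` on L311/L313 show the expected keys but not where the real values are meant to come from; the template on this page renders both, so a missing definition fails only at deploy time. A short comment above them such as `# mantis_db_pass and mantis_binder_pass are defined in the vaulted vars, not here` would make the contract explicit. `mantis_version: 2.24.2` on L298 happens to parse as a string because it has two dots, but quoting it (`"2.24.2"`) keeps it safe if the version ever becomes `2.25`.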