Enhanced file permission hardening (#360)

* feat(hardening): tightened file perm hardening according to HashiCorp best practice * fix: split tls dir creation into two tasks to ensure idempotency * feat(hardening): delete defaultly unused files to reduce attack surface * feat(hardening): use private tls path, harden perms of generated cert/key --------- Co-authored-by: lakrass <[email protected]>
ansible-community · Dec 13, 2024 · 09d9789 · 09d9789
1 parent d5bae97
commit 09d9789
Show file tree

Hide file tree

Showing 8 changed files with 91 additions and 29 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -292,7 +292,8 @@ vault_systemd_unit_path: /lib/systemd/system
 validate_certs_during_api_reachable_check: true
 
 vault_tls_certs_path: "{{ lookup('env', 'VAULT_TLS_DIR') | default(('/opt/vault/tls' if (vault_install_hashi_repo) else '/etc/vault/tls'), true) }}"
-vault_tls_private_path: "{{ lookup('env', 'VAULT_TLS_DIR') | default(('/opt/vault/tls' if (vault_install_hashi_repo) else '/etc/vault/tls'), true) }}"
+_vault_tls_private_path: "{{ lookup('env', 'VAULT_TLS_DIR') | default(('/opt/vault/tls' if (vault_install_hashi_repo) else '/etc/vault/tls'), true) }}"
+vault_tls_private_path: "{{ _vault_tls_private_path ~ ('/private' if vault_harden_file_perms and vault_tls_copy_keys) }}"
 vault_tls_src_files: "{{ lookup('env', 'VAULT_TLS_SRC_FILES') | default(role_path ~ '/files', true) }}"
 
 vault_tls_disable: "{{ lookup('env', 'VAULT_TLS_DISABLE') | default(true, true) }}"

diff --git a/tasks/backend_tls.yml b/tasks/backend_tls.yml
@@ -4,18 +4,29 @@
 - name: Create backend TLS directory
   become: true
   file:
-    dest: "{{ item }}"
+    dest: "{{ vault_backend_tls_certs_path }}"
     state: directory
     owner: "{{ vault_user }}"
     group: "{{ vault_group }}"
-    mode: "0700"
-  with_items:
-    - "{{ vault_backend_tls_certs_path }}"
-    - "{{ vault_backend_tls_private_path }}"
+    mode: "{{ vault_harden_file_perms | ternary('0555', '0755') }}"
   when: vault_tls_copy_keys | bool
   tags:
     - tls
 
+- name: Create private backend TLS directory
+  become: true
+  file:
+    dest: "{{ vault_backend_tls_private_path }}"
+    state: directory
+    owner: "{{ vault_user }}"
+    group: "{{ vault_group }}"
+    mode: "{{ vault_harden_file_perms | ternary('0500', '0700') }}"
+  when:
+    - vault_tls_copy_keys | bool
+    - vault_backend_tls_certs_path != vault_backend_tls_private_path
+  tags:
+    - tls
+
 - name: Vault backend SSL Certificate and Key
   become: true
   copy:
@@ -28,13 +39,13 @@
   with_items:
     - src: "{{ vault_backend_tls_src_files }}/{{ vault_backend_tls_ca_file }}"
       dest: "{{ vault_backend_tls_certs_path }}/{{ vault_backend_tls_ca_file }}"
-      mode: "0644"
+      mode: "{{ vault_harden_file_perms | ternary('0444', '0644') }}"
     - src: "{{ vault_backend_tls_src_files }}/{{ vault_backend_tls_cert_file }}"
       dest: "{{ vault_backend_tls_certs_path }}/{{ vault_backend_tls_cert_file }}"
-      mode: "0644"
+      mode: "{{ vault_harden_file_perms | ternary('0444', '0644') }}"
     - src: "{{ vault_backend_tls_src_files }}/{{ vault_backend_tls_key_file }}"
       dest: "{{ vault_backend_tls_private_path }}/{{ vault_backend_tls_key_file }}"
-      mode: "0600"
+      mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}"
   when: vault_tls_copy_keys | bool
   tags:
     - tls
diff --git a/tasks/install.yml b/tasks/install.yml
@@ -60,7 +60,7 @@
     dest: "{{ vault_bin_path }}"
     owner: "{{ vault_user }}"
     group: "{{ vault_group }}"
-    mode: "0755"
+    mode: "{{ vault_harden_file_perms | ternary('0555', '0755') }}"
   notify: Restart vault
   tags: installation
 

diff --git a/tasks/install_hashi_repo.yml b/tasks/install_hashi_repo.yml
@@ -91,7 +91,7 @@
   copy:
     owner: root
     group: root
-    mode: "0644"
+    mode: "{{ vault_harden_file_perms | ternary('0444', '0644') }}"
     dest: /etc/vault.d/vault.hcl
     content: |
       # Placeholder to mask default RPM/DPKG Vault config file.
@@ -100,3 +100,41 @@
       # in this directory. Keeping an empty placeholder prevents package updates
       # from re-installing the default config.
   when: ansible_pkg_mgr in ['yum', 'dnf', 'apt']
+
+- name: Harden binary perms
+  become: true
+  ansible.builtin.file:
+    path: "{{ vault_bin_path }}/vault"
+    mode: "0755" # Package default is 0775
+    owner: root # Package default
+    group: root # Package default
+  when: vault_harden_file_perms
+
+- name: Delete vault.env
+  become: true
+  ansible.builtin.file:
+    state: absent
+    path: /etc/vault.d/vault.env
+  when: vault_harden_file_perms
+
+- name: Harden perms of default cert/key
+  ansible.builtin.file:
+    path: "/opt/vault/tls/{{ item }}"
+    mode: "0400"
+  with_items:
+    - tls.crt
+    - tls.key
+  when:
+    - vault_harden_file_perms
+    - not vault_tls_disable
+    - not vault_tls_copy_keys
+
+- name: Delete default cert/key
+  become: true
+  ansible.builtin.file:
+    state: absent
+    path: "/opt/vault/tls/{{ item }}"
+  with_items:
+    - tls.crt
+    - tls.key
+  when: vault_tls_disable or vault_tls_copy_keys
diff --git a/tasks/install_remote.yml b/tasks/install_remote.yml
@@ -40,7 +40,7 @@
     dest: "{{ vault_bin_path }}"
     owner: "{{ vault_user }}"
     group: "{{ vault_group }}"
-    mode: "0755"
+    mode: "{{ vault_harden_file_perms | ternary('0555', '0755') }}"
   notify: Restart vault
   tags: installation
 

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -101,7 +101,7 @@
     - path: "{{ vault_config_path }}"
       mode: "{{ vault_harden_file_perms | ternary('0550', '0750') }}"
     - path: "{{ vault_plugin_path }}"
-      mode: "{{ vault_harden_file_perms | ternary('0550', '0750') }}"
+      mode: "{{ vault_harden_file_perms | ternary('0555', '0755') }}"
     - path: "{{ vault_data_path }}"
       mode: "0750"
     - path: "{{ vault_log_path }}"
@@ -140,7 +140,7 @@
     dest: "{{ vault_gkms_credentials }}"
     owner: "{{ vault_user }}"
     group: "{{ vault_group }}"
-    mode: "0600"
+    mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}"
   when:
     - vault_gkms | bool
     - vault_gkms_credentials_content | length > 0 or
@@ -152,7 +152,7 @@
     dest: "{{ vault_gcs_credentials_dst_file }}"
     owner: "{{ vault_user }}"
     group: "{{ vault_group }}"
-    mode: "0600"
+    mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}"
   when:
     - vault_backend == "gcs"
     - vault_gcs_copy_sa | bool
@@ -164,7 +164,7 @@
     dest: "{{ vault_main_config }}"
     owner: "{{ vault_user }}"
     group: "{{ vault_group }}"
-    mode: "0400"
+    mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}"
     backup: "{{ vault_backup_config | default('false') | bool | lower }}"
   notify:
     - Restart vault
@@ -177,7 +177,7 @@
     dest: "{{ vault_transit_config }}"
     owner: "{{ vault_user }}"
     group: "{{ vault_group }}"
-    mode: "0400"
+    mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}"
     backup: "{{ vault_backup_config | default('false') | bool | lower }}"
   when: vault_transit | bool
   notify: Restart vault
@@ -189,7 +189,7 @@
     dest: "{{ vault_awskms_config }}"
     owner: "{{ vault_user }}"
     group: "{{ vault_group }}"
-    mode: "0400"
+    mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}"
     backup: "{{ vault_backup_config | default('false') | bool | lower }}"
   when: vault_awskms | bool
   notify: Restart vault
@@ -201,7 +201,7 @@
     dest: "{{ vault_azurekeyvault_config }}"
     owner: "{{ vault_user }}"
     group: "{{ vault_group }}"
-    mode: "0400"
+    mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}"
     backup: "{{ vault_backup_config | default('false') | bool | lower }}"
   when: vault_azurekeyvault | bool
   notify: Restart vault
@@ -213,7 +213,7 @@
     dest: "{{ vault_license_path }}"
     owner: "{{ vault_user }}"
     group: "{{ vault_group }}"
-    mode: "0644"
+    mode: "{{ vault_harden_file_perms | ternary('0400', '0644') }}"
   when:
     - vault_configure_enterprise_license | bool
     - vault_license_file | length > 0

diff --git a/tasks/plugins/acme.yml b/tasks/plugins/acme.yml
@@ -51,7 +51,9 @@
         remote_src: "{{ (vault_plugin_acme_install == 'remote') }}"
         src: "{{ __vault_plugin_acme_zip_dir.path }}/{{ item.src }}"
         dest: "{{ item.dest }}"
-        mode: "+x"
+        mode: "{{ vault_harden_file_perms | ternary('0555', '0755') }}"
+        owner: "{{ vault_user }}"
+        group: "{{ vault_group }}"
       when: (item.when | default(true))
       loop:
         - src: "acme-plugin"

diff --git a/tasks/tls.yml b/tasks/tls.yml
@@ -4,18 +4,28 @@
 - name: Create TLS directory
   become: true
   file:
-    dest: "{{ item }}"
+    dest: "{{ vault_tls_certs_path }}"
     state: directory
     owner: "{{ vault_user }}"
     group: "{{ vault_group }}"
-    mode: "0750"
-  with_items:
-    - "{{ vault_tls_certs_path }}"
-    - "{{ vault_tls_private_path }}"
+    mode: "{{ vault_harden_file_perms | ternary('0555', '0755') }}"
   when: vault_tls_copy_keys | bool
   tags:
     - tls
 
+- name: Create private TLS directory
+  file:
+    dest: "{{ vault_tls_private_path }}"
+    state: directory
+    owner: "{{ vault_user }}"
+    group: "{{ vault_group }}"
+    mode: "{{ vault_harden_file_perms | ternary('0500', '0700') }}"
+  when:
+    - vault_tls_copy_keys | bool
+    - vault_tls_certs_path != vault_tls_private_path
+  tags:
+    - tls
+
 - name: Vault SSL Certificate and Key
   become: true
   copy:
@@ -28,13 +38,13 @@
   with_items:
     - src: "{{ vault_tls_src_files }}/{{ vault_tls_ca_file }}"
       dest: "{{ vault_tls_certs_path }}/{{ vault_tls_ca_file }}"
-      mode: "0644"
+      mode: "{{ vault_harden_file_perms | ternary('0444', '0644') }}"
     - src: "{{ vault_tls_src_files }}/{{ vault_tls_cert_file }}"
       dest: "{{ vault_tls_certs_path }}/{{ vault_tls_cert_file }}"
-      mode: "0644"
+      mode: "{{ vault_harden_file_perms | ternary('0444', '0644') }}"
     - src: "{{ vault_tls_src_files }}/{{ vault_tls_key_file }}"
       dest: "{{ vault_tls_private_path }}/{{ vault_tls_key_file }}"
-      mode: "0600"
+      mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}"
   when: vault_tls_copy_keys | bool
   notify:
     - Restart vault