Add shell history cleaning feature, clean up in docs, add more elastic cron scheduling

blackandred · blackandred · commit b66c8569661c · 2020-08-29T12:07:22.000+02:00
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,4 @@
+/.idea
+*.pyc
+/meta/.galaxy_install_info
+!.gitkeep
diff --git a/README.md b/README.md
@@ -3,11 +3,12 @@ Basic Security
 
 Just another security role for Ansible.
 
-Allows to improve security of:
-- SSH
-- logs (IPv4 anonymization)
-- firewall (blocking incoming connections on unknown ports)
-- change root password
+**Features:**
+- SSH security improvements
+- IPv4 addresses anonymization in logs (scheduled every X hours, so the fail2ban can have time to block attackers on time)
+- Firewall configuration (blocking incoming connections on unknown ports)
+- Change root password
+- Scheduled bash, zsh, python (and others) history cleaning, so your passwords will not stay in a history
 
 Does not include fail2ban configuration, as it has a good dedicated role.
 
@@ -35,9 +36,25 @@ Configuration reference
 
     #
     # Logs IP addresses anonymization
-    # Allows to remove all IPv4 addresses from logs
     #
     anonymize_logs: true
+    anonymize_logs_schedule:
+        minute: 30
+        hour: "*"
+        day: "*"
+        weekday: "*"
+        month: "*"
+    
+    #
+    # Clear bash history
+    #
+    clear_shell_history: false
+    clear_shell_history_schedule:
+        minute: 30
+        hour: "*"
+        day: "*"
+        weekday: "*"
+        month: "*"
 
     #
     # Firewall
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -9,14 +9,31 @@ ssh_gateway_ports: no
 ssh_permit_tunnel: yes
 ssh_password_auth: yes
 ssh_permit_root_login: no
-ssh_host_title: "International Workers Association server"
+ssh_host_title: "iwa-ait.org"
 ssh_allow_only_specific_users: ""   # type user names here, separated by [space] character
 ssh_idle_time: "1800"
 
 #
 # Logs IP addresses anonymization
 #
 anonymize_logs: true
+anonymize_logs_schedule:
+    minute: "00"
+    hour: "*/6"
+    day: "*"
+    weekday: "*"
+    month: "*"
+
+#
+# Clear bash history
+#
+clear_shell_history: false
+clear_shell_history_schedule:
+    minute: "30"
+    hour: "*"
+    day: "*"
+    weekday: "*"
+    month: "*"
 
 #
 # Firewall
diff --git a/files/usr/local/bin/clear-shell-history.py b/files/usr/local/bin/clear-shell-history.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+
+#
+# Clears history files (from Bash, ZSH, PostgreSQL psql, Python, etc.)
+# ====================================================================
+#   Prevents from leaking passwords typed in shell
+#   Should be running as ROOT
+#
+
+import os
+import sys
+import pwd
+import subprocess
+
+HISTORY_FILES = ['.bash_history', '.sqlite_history', '.python_history',
+                 '.config/psysh/psysh_history', '.psql_history', '.zsh_history']
+exit_status = True
+
+for p in pwd.getpwall():
+    username = p.pw_name
+    homedir = p.pw_dir
+
+    for history_file in HISTORY_FILES:
+        path = homedir + '/' + history_file
+
+        if os.path.isfile(path):
+            print(' >> Clearing {path}'.format(path=path))
+
+            try:
+                with open(path, 'w') as f:
+                    f.write('')
+            except Exception as exc:
+                print(exc)
+                exit_status = False
+
+        subprocess.call(['rm', path + '-*.tmp'], stderr=subprocess.DEVNULL)
+
+
+sys.exit(0 if exit_status else 1)
diff --git a/tasks/all-tasks.yml b/tasks/all-tasks.yml
@@ -6,6 +6,9 @@
 - include: logs-anonymization.yml
   when: anonymize_logs == True
 
+- include: shell-history-cleaning.yml
+  when: clear_shell_history == True
+
 - include: configure-firewall.yml
   when: configure_firewall == True
 
diff --git a/tasks/logs-anonymization.yml b/tasks/logs-anonymization.yml
@@ -13,5 +13,9 @@
   become: yes
   cron:
       name: "logs-ipv4-strip"
-      minute: "30"
+      minute: "{{ anonymize_logs_schedule['minute'] | default('00') }}"
+      hour: "{{ anonymize_logs_schedule['hour'] | default('*/6') }}"
+      day: "{{ anonymize_logs_schedule['day'] | default('*') }}"
+      weekday: "{{ anonymize_logs_schedule['weekday'] | default('*') }}"
+      month: "{{ anonymize_logs_schedule['month'] | default('*') }}"
       job: "python /usr/local/bin/scan-and-strip-logs.py"
diff --git a/tasks/shell-history-cleaning.yml b/tasks/shell-history-cleaning.yml
@@ -0,0 +1,18 @@
+
+- name: Copy helper scripts to the bin directory
+  become: yes
+  copy:
+      src: "../files/usr/local/bin/clear-shell-history.py"
+      dest: "/usr/local/bin/clear-shell-history.py"
+      mode: a+x
+
+- name: Schedule shell history cleaning
+  become: yes
+  cron:
+      name: "shell-history-cleaning"
+      minute: "{{ clear_shell_history_schedule['minute'] | default('00') }}"
+      hour: "{{ clear_shell_history_schedule['hour'] | default('*') }}"
+      day: "{{ clear_shell_history_schedule['day'] | default('*') }}"
+      weekday: "{{ clear_shell_history_schedule['weekday'] | default('*') }}"
+      month: "{{ clear_shell_history_schedule['month'] | default('*') }}"
+      job: "python3 /usr/local/bin/clear-shell-history.py"

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +/.idea
 +*.pyc
 +/meta/.galaxy_install_info
 +!.gitkeep