Add scaffolding for contrib tasks

This patch adds the basic scaffolding for developer-contributed hardening standards that are outside the scope of the Security Technical Implementation Guide (STIG). Deployers have the option to deploy these hardening standards as well. Change-Id: I33175ffd36a75d27e5ac6c13aaf1584e5fdf23dd
2017-11-08 07:28:47 -06:00 · 2017-11-08 07:28:47 -06:00 · 2d407a5399
commit 2d407a5399
parent 89f24106cc
9 changed files with 96 additions and 2 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -367,3 +367,29 @@ security_disable_kdump: yes                                  # V-72057
 security_rhel7_disable_dccp: yes                             # V-77821
 # Enable Address Space Layout Randomization (ASLR).
 security_enable_aslr: yes                                    # V-77825
+
+###############################################################################
+#   ____            _        _ _
+#  / ___|___  _ __ | |_ _ __(_) |__
+# | |   / _ \| '_ \| __| '__| | '_ \
+# | |__| (_) | | | | |_| |  | | |_) |
+#  \____\___/|_| |_|\__|_|  |_|_.__/
+#
+#
+# The following configurations apply to tasks that are contributed by
+# ansible-hardening developers and may not be part of a hardening standard
+# or compliance program. For more information on the 'contrib' tasks, review
+# the documentation:
+#
+#   https://docs.openstack.org/ansible-hardening/latest/contrib.html
+#
+###############################################################################
+
+# To enable the contrib tasks, set this variable to 'yes'.
+security_contrib_enabled: no
+
+# Disable IPv6.
+# DANGER: This option causes IPv6 networking to be disabled for the ENTIRE
+# DANGER: SYSTEM. This will cause downtime for any services that depend on
+# DANGER: IPv6 network connectivity.
+security_contrib_disable_ipv6: no                            # C-00001
--- a/doc/source/contrib.rst
+++ b/doc/source/contrib.rst
@ -0,0 +1,39 @@
+Additional hardening configurations
+===================================
+
+Although the Security Technical Implementation Guide (STIG) contains a very
+comprehensive set of security configurations, some ansible-hardening
+contributors want to add extra security configurations to the role. The
+*contrib* portion of the ansible-hardening role is designed to implement those
+configurations as an optional set of tasks.
+
+The *contrib* hardening configurations are disabled by default, but they can
+be enabled by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_contrib_enabled: yes
+
+The individual tasks are controlled by Ansible variables in
+``defaults/main.yml`` that begin with ``security_contrib_``.
+
+Kernel
+------
+
+C-00001 - Disable IPv6
+~~~~~~~~~~~~~~~~~~~~~~
+
+Some systems do not require IPv6 connectivity and the presence of link local
+IPv6 addresses can present an additional attack surface for lateral movement.
+Deployers can set the following variable to disable IPv6 on all network
+interfaces:
+
+.. code-block:: yaml
+
+    security_contrib_disable_ipv6: yes
+
+.. warning::
+
+    Deployers should test this change in a test environment before applying it
+    in a production deployment. Applying this change to a production system
+    that relies on IPv6 connectivity will cause unexpected downtime.
--- a/doc/source/domains.rst
+++ b/doc/source/domains.rst
@ -1,7 +1,7 @@
 .. _hardening-domains-label:

-Hardening Domains
-=================
+Hardening Domains (RHEL 7 STIG)
+===============================

 The STIG divides its hardening requirements into severity levels, but the
 security role divides the requirements into system domains to make them easier
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@ -58,6 +58,7 @@ releases is found within the *Releases* section below.
   faq.rst
   domains.rst
   controls-rhel7.rst
+   contrib.rst
   developer-guide.rst

 Releases
--- a/tasks/contrib/main.yml
+++ b/tasks/contrib/main.yml
@ -0,0 +1,18 @@
+---
+# Copyright 2017, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Notify the deployer that contrib tasks are enabled
+  debug:
+    msg: "The contrib tasks are enabled."
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -53,3 +53,7 @@
      - always

  - include: "{{ stig_version }}stig/main.yml"
+
+  - include: contrib/main.yml
+    when:
+      - security_contrib_enabled | bool
--- a/tasks/rhel7stig/kernel.yml
+++ b/tasks/rhel7stig/kernel.yml
@ -46,6 +46,7 @@
    - V-72293
    - V-72309
    - V-72319
+    - C-00001

 - name: Check kdump service
  command: systemctl status kdump
--- a/tests/test.yml
+++ b/tests/test.yml
@ -61,3 +61,5 @@
    # this role without causing disruptions on the system.
    security_enable_virus_scanner: no
    security_run_virus_scanner_update: no
+    # Enable the contrib tasks.
+    security_contrib_enabled: yes
--- a/vars/main.yml
+++ b/vars/main.yml
@ -344,3 +344,6 @@ sysctl_settings_rhel7:
  - name: kernel.randomize_va_space
    value: 2
    enabled: "{{ security_enable_aslr | bool }}"
+  - name: net.ipv6.conf.all.disable_ipv6
+    value: 1
+    enabled: "{{ (security_contrib_enabled | bool) and (security_contrib_disable_ipv6 | bool) }}"