[Docs] Metadata cleanup

This patch adds the right tags to each piece of metadata and corrects
small errors found in the deployer notes.

Closes-bug: 1595669
Change-Id: Ic04aaad85ebf111be5a0bdb01a350442fdea1433
Major Hayden 2016-09-12 14:07:16 -05:00
parent 79eeaa43fb
commit 3c19f00a7f
257 changed files with 386 additions and 641 deletions

View File

@ -1,7 +1,7 @@
--- ---
id: V-38437 id: V-38437
status: implemented status: implemented
tag: misc tag: services
--- ---
If ``autofs`` is installed, it will be disabled by Ansible tasks. To opt-out If ``autofs`` is installed, it will be disabled by Ansible tasks. To opt-out

View File

@ -1,11 +1,9 @@
--- ---
id: V-38438 id: V-38438
status: exception status: implemented
tag: misc tag: boot
--- ---
**Exception**
To opt-out of the change, set the following variable: To opt-out of the change, set the following variable:
.. code-block:: yaml .. code-block:: yaml

View File

@ -1,11 +1,9 @@
--- ---
id: V-38439 id: V-38439
status: exception status: exception - manual intervention
tag: misc tag: auth
--- ---
**Exception**
Although adding centralized authentication and carefully managing user Although adding centralized authentication and carefully managing user
accounts is critical for securing any system, that's left up to deployers accounts is critical for securing any system, that's left up to deployers
to handle via their internal business processes. to handle via their internal business processes.

View File

@ -1,7 +1,7 @@
--- ---
id: V-38443 id: V-38443
status: implemented status: implemented
tag: misc tag: auth
--- ---
The ``/etc/gshadow`` file is owned by root by default on Ubuntu 14.04, Ubuntu The ``/etc/gshadow`` file is owned by root by default on Ubuntu 14.04, Ubuntu
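Review bot: the tag chosen here for an ownership check on ``/etc/gshadow`` is ``auth``, while the library and system-command ownership/permission checks later in this same patch (V-38465, V-38466, V-38469, V-38472) are tagged ``file_perms``. The ``/etc/passwd``, ``/etc/group`` and ``/etc/shadow`` ownership and mode entries get ``auth`` as well, so the split is consistent on its own terms, but it is not obvious to a reader filtering by tag; a one-line rule in the docs (account database files under ``auth``, everything else under ``file_perms``) would make the convention predictable.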

View File

@ -1,10 +1,8 @@
--- ---
id: V-38444 id: V-38444
status: exception status: exception - manual intervention
tag: misc tag: network
--- ---
**Exception**
See V-38551 for additional details. IPv6 configuration and filtering is left See V-38551 for additional details. IPv6 configuration and filtering is left
up to the deployer. up to the deployer.

View File

@ -1,7 +1,7 @@
--- ---
id: V-38445 id: V-38445
status: implemented status: implemented
tag: misc tag: auditd
--- ---
The logs generated by the audit daemon are owned by root in Ubuntu 14.04, The logs generated by the audit daemon are owned by root in Ubuntu 14.04,

View File

@ -1,10 +1,12 @@
--- ---
id: V-38446 id: V-38446
status: implemented status: configuration required
tag: misc tag: mail
--- ---
Forwarding root's email to another user is highly recommended, but the Ansible Forwarding root's email to another user is highly recommended so that someone
tasks won't configure an email address to receive root's email unless that can receive emails about errors or security events.
email address is configured. Set ``security_root_forward_email`` to an email
address that is ready to receive root's email. Deployers should set ``security_root_forward_email`` to a valid email address
of a user or mailing list that should receive critical automated emails from
the server.
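Review bot: the rewritten paragraph no longer says what the tasks do when ``security_root_forward_email`` is unset; the old wording made it explicit that no forwarding is configured in that case. With the status now ``configuration required``, keep a sentence such as "If the variable is not set, the tasks leave root's mail delivery unchanged" so the default behaviour is still documented.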

View File

@ -1,11 +1,9 @@
--- ---
id: V-38447 id: V-38447
status: exception status: exception
tag: misc tag: package
--- ---
**Exception**
Although Ubuntu provides the ``debsums`` command for checking the contents of Although Ubuntu provides the ``debsums`` command for checking the contents of
files installed from packages, it cannot perform a detailed level of checking files installed from packages, it cannot perform a detailed level of checking
sufficient to meet the STIG requirement. Some packages are not shipped with MD5 sufficient to meet the STIG requirement. Some packages are not shipped with MD5

View File

@ -1,7 +1,7 @@
--- ---
id: V-38448 id: V-38448
status: implemented status: implemented
tag: misc tag: auth
--- ---
Although the ``/etc/gshadow`` file is group-owned by root by default, the Although the ``/etc/gshadow`` file is group-owned by root by default, the

View File

@ -1,7 +1,7 @@
--- ---
id: V-38449 id: V-38449
status: implemented status: implemented
tag: misc tag: auth
--- ---
The ``/etc/gshadow`` file's permissions will be changed to ``0000`` to meet The ``/etc/gshadow`` file's permissions will be changed to ``0000`` to meet

View File

@ -1,7 +1,7 @@
--- ---
id: V-38450 id: V-38450
status: implemented status: implemented
tag: misc tag: auth
--- ---
The ownership of ``/etc/passwd`` will be changed to root. The ownership of ``/etc/passwd`` will be changed to root.

View File

@ -1,7 +1,7 @@
--- ---
id: V-38451 id: V-38451
status: implemented status: implemented
tag: misc tag: auth
--- ---
The group ownership for ``/etc/passwd`` will be set to root. The group ownership for ``/etc/passwd`` will be set to root.

View File

@ -1,11 +1,9 @@
--- ---
id: V-38452 id: V-38452
status: exception status: exception
tag: misc tag: package
--- ---
**Exception**
Although Ubuntu provides the ``debsums`` command for checking the contents of Although Ubuntu provides the ``debsums`` command for checking the contents of
files installed from packages, it cannot perform a detailed level of checking files installed from packages, it cannot perform a detailed level of checking
sufficient to meet the STIG requirement. Some packages are not shipped with MD5 sufficient to meet the STIG requirement. Some packages are not shipped with MD5

View File

@ -1,11 +1,11 @@
--- ---
id: V-38453 id: V-38453
status: exception status: exception - ubuntu
tag: misc tag: package
--- ---
**Exception for Ubuntu**
Verifying ownership and permissions of installed packages isn't possible in the Verifying ownership and permissions of installed packages isn't possible in the
current version of ``dpkg`` as it is with ``rpm``. This security configuration current version of ``dpkg`` as it is with ``rpm``. This security configuration
is skipped for Ubuntu. For CentOS, this check is done as part of V-38637. is skipped for Ubuntu.
For CentOS, this check is done as part of V-38637.

View File

@ -1,11 +1,9 @@
--- ---
id: V-38454 id: V-38454
status: exception status: exception
tag: misc tag: package
--- ---
**Exception**
Although Ubuntu provides the ``debsums`` command for checking the contents of Although Ubuntu provides the ``debsums`` command for checking the contents of
files installed from packages, it cannot perform a detailed level of checking files installed from packages, it cannot perform a detailed level of checking
sufficient to meet the STIG requirement. Some packages are not shipped with MD5 sufficient to meet the STIG requirement. Some packages are not shipped with MD5

View File

@ -1,11 +1,9 @@
--- ---
id: V-38455 id: V-38455
status: exception status: exception - initial provisioning
tag: misc tag: boot
--- ---
**Exception**
Configuring another mount for ``/tmp`` can disrupt a running system and this Configuring another mount for ``/tmp`` can disrupt a running system and this
configuration is skipped. configuration is skipped.

View File

@ -1,11 +1,9 @@
--- ---
id: V-38456 id: V-38456
status: exception status: exception - initial provisioning
tag: misc tag: boot
--- ---
**Exception**
Configuring another mount for ``/var`` can disrupt a running system and this Configuring another mount for ``/var`` can disrupt a running system and this
configuration is skipped. configuration is skipped.

View File

@ -1,7 +1,7 @@
--- ---
id: V-38457 id: V-38457
status: implemented status: implemented
tag: misc tag: auth
--- ---
The permissions for ``/etc/passwd`` will be set to ``0644``. The permissions for ``/etc/passwd`` will be set to ``0644``.

View File

@ -1,7 +1,7 @@
--- ---
id: V-38458 id: V-38458
status: implemented status: implemented
tag: misc tag: auth
--- ---
The Ansible task will ensure that the ``/etc/group`` file is owned by the root The Ansible task will ensure that the ``/etc/group`` file is owned by the root

View File

@ -1,8 +1,8 @@
--- ---
id: V-38459 id: V-38459
status: implemented status: implemented
tag: misc tag: auth
--- ---
The tasks in file_perms.yml will ensure that "/etc/group" is owned by The Ansible tasks will ensure that ``/etc/group`` is owned by the ``root``
the root account. user.
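Review bot: the new text for V-38459 ("``/etc/group`` is owned by the ``root`` user") duplicates V-38458 in the previous hunk, which already covers user ownership of ``/etc/group``. V-38459 in the STIG is the group-ownership requirement, so this line should read "group-owned by the ``root`` group"; the old text had the same error and this rewrite was the place to fix it.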

View File

@ -1,7 +1,7 @@
--- ---
id: V-38460 id: V-38460
status: implemented status: implemented
tag: misc tag: nfsd
--- ---
The Ansible tasks will check for ``all_squash`` in ``/etc/exports`` (if it is The Ansible tasks will check for ``all_squash`` in ``/etc/exports`` (if it is

View File

@ -1,8 +1,8 @@
--- ---
id: V-38461 id: V-38461
status: implemented status: implemented
tag: misc tag: auth
--- ---
Ubuntu sets the mode of ``/etc/group`` to ``0644`` by default and the Ansible The Ansible tasks will ensure that the mode of ``/etc/group//` is set to
task will ensure that it is current set to those permissions. ``0644``.
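Review bot: the inline literal on the new line is malformed: ``/etc/group//`` ends with two slashes and a single backtick, so Sphinx will not close the literal and the rendered page will show stray markup. It should be ``/etc/group`` (two backticks, no trailing slashes).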

View File

@ -1,7 +1,7 @@
--- ---
id: V-38462 id: V-38462
status: implemented status: implemented
tag: misc tag: package
--- ---
All versions of Ubuntu and CentOS supported by the role verify packages against All versions of Ubuntu and CentOS supported by the role verify packages against

View File

@ -1,11 +1,9 @@
--- ---
id: V-38463 id: V-38463
status: exception status: exception - initial provisioning
tag: misc tag: misc
--- ---
**Exception**
Configuring a separate partition for ``/var/log`` is currently left up to the Configuring a separate partition for ``/var/log`` is currently left up to the
deployer. There are security and operational benefits that come from the deployer. There are security and operational benefits that come from the
change, but it must be done when the system is initially installed. change, but it must be done when the system is initially installed.
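Review bot: V-38463 keeps ``tag: misc`` although it is the same kind of separate-partition requirement as V-38455 and V-38456, which this patch tags ``boot``, and V-38467 (audit log partition), which gets ``auditd``. The same applies to V-38473 (``/home``) further down. Tag both ``boot`` so all of the "exception - initial provisioning" partition items filter together instead of landing in the catch-all bucket.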

View File

@ -1,7 +1,7 @@
--- ---
id: V-38464 id: V-38464
status: implemented status: implemented
tag: misc tag: auditd
--- ---
The default configuration for ``disk_error_action`` is ``SUSPEND``, which The default configuration for ``disk_error_action`` is ``SUSPEND``, which

View File

@ -1,11 +1,9 @@
--- ---
id: V-38465 id: V-38465
status: exception status: exception
tag: misc tag: file_perms
--- ---
**Exception** Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set library files to have ``0755`` (or
Ubuntu 14.04, Ubuntu 16.04 and CentOS 7 set library files to have ``0755`` (or
more restrictive) permissions by default. Deployers are urged to review the more restrictive) permissions by default. Deployers are urged to review the
permissions of libraries regularly to ensure the system has not been altered. permissions of libraries regularly to ensure the system has not been altered.

View File

@ -1,11 +1,9 @@
--- ---
id: V-38466 id: V-38466
status: exception status: exception
tag: misc tag: file_perms
--- ---
**Exception**
As with V-38465, Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the ownership of As with V-38465, Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the ownership of
library files to root by default. Deployers are urged to configure monitoring library files to root by default. Deployers are urged to configure monitoring
for changes to these files. for changes to these files.

View File

@ -1,10 +1,8 @@
--- ---
id: V-38467 id: V-38467
status: exception status: exception - initial provisioning
tag: misc tag: auditd
--- ---
**Exception**
Storing audit logs on a separate partition is recommended, but this change Storing audit logs on a separate partition is recommended, but this change
is left up to deployers to configure during the installation of the OS. is left up to deployers to configure during the installation of the OS.

View File

@ -1,7 +1,7 @@
--- ---
id: V-38468 id: V-38468
status: implemented status: implemented
tag: misc tag: auditd
--- ---
The default configuration for ``disk_full_action`` is ``SUSPEND``, which only The default configuration for ``disk_full_action`` is ``SUSPEND``, which only

View File

@ -1,11 +1,9 @@
--- ---
id: V-38469 id: V-38469
status: exception status: exception
tag: misc tag: file_perms
--- ---
**Exception**
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the permissions for system Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the permissions for system
commands to ``0755`` or less already. Deployers are urged to review these commands to ``0755`` or less already. Deployers are urged to review these
permissions for changes over time as they can be a sign of a compromise. permissions for changes over time as they can be a sign of a compromise.

View File

@ -1,7 +1,7 @@
--- ---
id: V-38470 id: V-38470
status: implemented status: implemented
tag: misc tag: auditd
--- ---
The default configuration for ``security_space_left_action`` is ``SUSPEND``, The default configuration for ``security_space_left_action`` is ``SUSPEND``,

View File

@ -1,10 +1,10 @@
--- ---
id: V-38471 id: V-38471
status: implemented status: implemented
tag: misc tag: auditd
--- ---
An Ansible task will adjust ``active`` from `no` to `yes` in An Ansible task will adjust ``active`` from ``no`` to ``yes`` in
``/etc/audisp/plugins.d/syslog.conf`` so that auditd records are forwarded to ``/etc/audisp/plugins.d/syslog.conf`` so that auditd records are forwarded to
syslog automatically. The auditd daemon will be restarted if the configuration syslog automatically. The auditd daemon will be restarted if the configuration
file is changed. file is changed.

View File

@ -1,11 +1,9 @@
--- ---
id: V-38472 id: V-38472
status: exception status: exception
tag: misc tag: file_perms
--- ---
**Exception**
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set system commands to be owned by Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set system commands to be owned by
root by default. Deployers are urged to review ownership changes via auditd root by default. Deployers are urged to review ownership changes via auditd
rules to ensure system commands haven't changed ownership over time. rules to ensure system commands haven't changed ownership over time.

View File

@ -1,10 +1,8 @@
--- ---
id: V-38473 id: V-38473
status: exception status: exception - initial provisioning
tag: misc tag: misc
--- ---
**Exception**
Creating ``/home`` on a different partition is highly recommended but it is Creating ``/home`` on a different partition is highly recommended but it is
left to deployers to configure during the installation of the OS. left to deployers to configure during the installation of the OS.

View File

@ -1,10 +1,8 @@
--- ---
id: V-38474 id: V-38474
status: exception status: exception
tag: misc tag: x11
--- ---
**Exception**
The openstack-ansible roles don't install X by default, so there is no The openstack-ansible roles don't install X by default, so there is no
graphical desktop to configure. graphical desktop to configure.

View File

@ -1,11 +1,9 @@
--- ---
id: V-38475 id: V-38475
status: implemented status: configuration required
tag: misc tag: auth
--- ---
**Configuration required**
The STIG recommends passwords to be a minimum of 14 characters in length. To The STIG recommends passwords to be a minimum of 14 characters in length. To
apply this setting, set the following Ansible variable: apply this setting, set the following Ansible variable:

View File

@ -1,7 +1,7 @@
--- ---
id: V-38476 id: V-38476
status: implemented status: implemented
tag: misc tag: package
--- ---
The security role verifies that the GPG keys that correspond to each supported The security role verifies that the GPG keys that correspond to each supported

View File

@ -1,11 +1,9 @@
--- ---
id: V-38477 id: V-38477
status: implemented status: configuration required
tag: misc tag: auth
--- ---
**Configuration required**
The STIG recommends setting a limit of one password change per day. To enable The STIG recommends setting a limit of one password change per day. To enable
this configuration, use this Ansible variable: this configuration, use this Ansible variable:

View File

@ -1,11 +1,9 @@
--- ---
id: V-38478 id: V-38478
status: exception status: exception
tag: misc tag: package
--- ---
**Exception**
Ubuntu and CentOS do not use the Red Hat Network Service. However, there are Ubuntu and CentOS do not use the Red Hat Network Service. However, there are
tasks in the security role which ensure that all packages have GPG checks tasks in the security role which ensure that all packages have GPG checks
enabled (see V-38462) and provide the option for deployers to apply updates enabled (see V-38462) and provide the option for deployers to apply updates

View File

@ -1,11 +1,9 @@
--- ---
id: V-38479 id: V-38479
status: implemented status: configuration required
tag: misc tag: auth
--- ---
**Configuration required**
The STIG recommends setting a limit of 60 days before a password must The STIG recommends setting a limit of 60 days before a password must
be changed. To enable this configuration, use this Ansible variable: be changed. To enable this configuration, use this Ansible variable:

View File

@ -1,11 +1,9 @@
--- ---
id: V-38480 id: V-38480
status: implemented status: configuration required
tag: misc tag: auth
--- ---
**Configuration required**
After enabling password age limits in V-38479, be sure to configure After enabling password age limits in V-38479, be sure to configure
warnings for users so they know when their password is approaching expiration. warnings for users so they know when their password is approaching expiration.
STIG's recommendation is seven days prior to the expiration. Use an Ansible STIG's recommendation is seven days prior to the expiration. Use an Ansible

View File

@ -1,11 +1,9 @@
--- ---
id: V-38481 id: V-38481
status: opt-in status: opt-in
tag: misc tag: package
--- ---
**Opt-in required**
Operating system patching policies vary from organization to organization and Operating system patching policies vary from organization to organization and
are typically established based on business requirements and risk tolerance. are typically established based on business requirements and risk tolerance.

View File

@ -1,11 +1,9 @@
--- ---
id: V-38482 id: V-38482
status: exception status: exception
tag: misc tag: auth
--- ---
**Exception**
Password complexity requirements are left up to the deployer. Deployers are Password complexity requirements are left up to the deployer. Deployers are
urged to rely on SSH keys as often as possible to avoid problems with urged to rely on SSH keys as often as possible to avoid problems with
passwords. passwords.

View File

@ -1,7 +1,7 @@
--- ---
id: V-38483 id: V-38483
status: implemented status: implemented
tag: misc tag: package
--- ---
The Ansible task for V-38462 already checks for configurations that would The Ansible task for V-38462 already checks for configurations that would

View File

@ -1,7 +1,7 @@
--- ---
id: V-38484 id: V-38484
status: implemented status: implemented
tag: misc tag: package
--- ---
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 already enable the display of the last Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 already enable the display of the last
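Review bot: ``tag: package`` looks wrong for this entry; the text is about displaying the last login at sign-in, which has nothing to do with packaging. ``auth`` matches the other login-related entries in this patch.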

View File

@ -4,8 +4,6 @@ status: exception
tag: misc tag: misc
--- ---
**Exception**
System backups are left to the deployer to configure. Deployers are stringly System backups are left to the deployer to configure. Deployers are stringly
urged to maintain backups of each system, including log files and critical urged to maintain backups of each system, including log files and critical
configuration information. configuration information.
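Review bot: "stringly urged" on the unchanged context line is a typo for "strongly urged". Since the commit message says this change corrects small errors in the deployer notes, fix it while this file is being touched.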

View File

@ -1,7 +1,7 @@
--- ---
id: V-38487 id: V-38487
status: implemented status: implemented
tag: misc tag: package
--- ---
The Ansible task for V-38462 already checks for apt configurations that would The Ansible task for V-38462 already checks for apt configurations that would

View File

@ -4,8 +4,6 @@ status: exception
tag: misc tag: misc
--- ---
**Exception**
System backups are left to the deployer to configure. Deployers are stringly System backups are left to the deployer to configure. Deployers are stringly
urged to maintain backups of each system, including log files and critical urged to maintain backups of each system, including log files and critical
configuration information. configuration information.
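Review bot: same typo as the previous backups entry: "stringly" should be "strongly".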

View File

@ -1,7 +1,7 @@
--- ---
id: V-38489 id: V-38489
status: implemented status: implemented
tag: misc tag: aide
--- ---
The security role installs and configures the ``aide`` package to provide file The security role installs and configures the ``aide`` package to provide file

View File

@ -1,11 +1,9 @@
--- ---
id: V-38490 id: V-38490
status: exception status: opt-in
tag: misc tag: kernel
--- ---
**Exception**
Disabling the ``usb-storage`` module can add extra security, but it's not Disabling the ``usb-storage`` module can add extra security, but it's not
necessary on most systems. To disable the ``usb-storage`` module on hosts, necessary on most systems. To disable the ``usb-storage`` module on hosts,
set the following variable to ``yes``: set the following variable to ``yes``:

View File

@ -1,7 +1,7 @@
--- ---
id: V-38491 id: V-38491
status: implemented status: implemented
tag: misc tag: auth
--- ---
The Ansible task will check for the presence of ``/etc/hosts.equiv`` and The Ansible task will check for the presence of ``/etc/hosts.equiv`` and

View File

@ -1,11 +1,9 @@
--- ---
id: V-38492 id: V-38492
status: exception status: exception
tag: misc tag: auth
--- ---
**Exception**
Virtual consoles are helpful during an emergency and they can only be reached Virtual consoles are helpful during an emergency and they can only be reached
by physical or other out-of-band access (such as DRAC, iLO, or iKVM). This by physical or other out-of-band access (such as DRAC, iLO, or iKVM). This
change can be confusing for system administrators and it is left up to the change can be confusing for system administrators and it is left up to the

View File

@ -1,7 +1,7 @@
--- ---
id: V-38493 id: V-38493
status: implemented status: implemented
tag: misc tag: auditd
--- ---
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the mode of ``/var/log/audit/`` to Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the mode of ``/var/log/audit/`` to

View File

@ -1,11 +1,9 @@
--- ---
id: V-38494 id: V-38494
status: exception status: exception
tag: misc tag: auth
--- ---
**Exception**
Removing serial consoles from ``/etc/securetty`` can make troubleshooting Removing serial consoles from ``/etc/securetty`` can make troubleshooting
a server extremely difficult. Deployers are urged to use strong physical a server extremely difficult. Deployers are urged to use strong physical
security practices to prevent unauthorized users from gaining physical access security practices to prevent unauthorized users from gaining physical access

View File

@ -1,7 +1,7 @@
--- ---
id: V-38495 id: V-38495
status: implemented status: implemented
tag: misc tag: auditd
--- ---
The Ansible tasks will ensure that files in ``/var/log/audit`` are owned The Ansible tasks will ensure that files in ``/var/log/audit`` are owned

View File

@ -1,11 +1,9 @@
--- ---
id: V-38496 id: V-38496
status: exception status: exception - manual intervention
tag: misc tag: auth
--- ---
**Exception**
The Ansible tasks will check for default system accounts (other than root) The Ansible tasks will check for default system accounts (other than root)
that are not locked. The tasks won't take any action, however, because that are not locked. The tasks won't take any action, however, because
any action could cause authorized users to be unable to access the system. any action could cause authorized users to be unable to access the system.

View File

@ -1,7 +1,7 @@
--- ---
id: V-38497 id: V-38497
status: implemented status: implemented
tag: misc tag: auth
--- ---
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 allow accounts with null passwords to Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 allow accounts with null passwords to

View File

@ -1,7 +1,7 @@
--- ---
id: V-38498 id: V-38498
status: implemented status: implemented
tag: misc tag: auditd
--- ---
Ubuntu and CentOS set the current audit log (the one that is actively being Ubuntu and CentOS set the current audit log (the one that is actively being

View File

@ -1,7 +1,7 @@
--- ---
id: V-38499 id: V-38499
status: implemented status: implemented
tag: misc tag: auth
--- ---
The Ansible task will search for password hashes in ``/etc/passwd`` using The Ansible task will search for password hashes in ``/etc/passwd`` using

View File

@ -1,7 +1,7 @@
--- ---
id: V-38500 id: V-38500
status: implemented status: implemented
tag: misc tag: auth
--- ---
The Ansible tasks will search for accounts in ``/etc/passwd`` that have UID 0 The Ansible tasks will search for accounts in ``/etc/passwd`` that have UID 0

View File

@ -1,11 +1,9 @@
--- ---
id: V-38501 id: V-38501
status: exception status: opt-in
tag: misc tag: auth
--- ---
**Exception and opt-in alternative**
Adjusting PAM configurations is very risky since it affects how all users Adjusting PAM configurations is very risky since it affects how all users
authenticate. In addition, ``pam_faillock.so`` isn't available in Ubuntu. authenticate. In addition, ``pam_faillock.so`` isn't available in Ubuntu.

View File

@ -1,7 +1,7 @@
--- ---
id: V-38502 id: V-38502
status: implemented status: implemented
tag: misc tag: auth
--- ---
The user and group ownership of ``/etc/passwd`` is root by default. The Ansible The user and group ownership of ``/etc/passwd`` is root by default. The Ansible

View File

@ -1,7 +1,7 @@
--- ---
id: V-38503 id: V-38503
status: implemented status: implemented
tag: misc tag: auth
--- ---
The user and group ownership of ``/etc/passwd`` is root by default. The Ansible The user and group ownership of ``/etc/passwd`` is root by default. The Ansible

View File

@ -1,7 +1,7 @@
--- ---
id: V-38504 id: V-38504
status: implemented status: implemented
tag: misc tag: auth
--- ---
Ubuntu 14.04 and Ubuntu 16.04 set the mode of ``/etc/shadow`` to ``0640``, but Ubuntu 14.04 and Ubuntu 16.04 set the mode of ``/etc/shadow`` to ``0640``, but

View File

@ -4,8 +4,6 @@ status: implemented
tag: misc tag: misc
--- ---
**Special Case**
Running virtual infrastructure requires IP forwarding to be enabled on various Running virtual infrastructure requires IP forwarding to be enabled on various
interfaces. The STIG allows for this, so long as the system is being operated interfaces. The STIG allows for this, so long as the system is being operated
as a router (as is the case for an OpenStack host). as a router (as is the case for an OpenStack host).
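Review bot: the IP forwarding entry keeps ``tag: misc`` while the other sysctl-driven items in this patch (V-38514 through V-38517, V-38523, V-38524, V-38526) are tagged ``kernel`` and the IPv6 and firewall items ``network``. Give it one of those so it stops falling into the catch-all bucket; ``kernel`` fits the sysctl items best.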

View File

@ -1,11 +1,9 @@
--- ---
id: V-38512 id: V-38512
status: exception status: exception
tag: misc tag: network
--- ---
**Exception**
Although a minimal set of iptables rules are configured on openstack-ansible Although a minimal set of iptables rules are configured on openstack-ansible
hosts, the "deny all" requirement of the STIG is not met. This is largely left hosts, the "deny all" requirement of the STIG is not met. This is largely left
up to the deployer to do, based on their assessment of their own network up to the deployer to do, based on their assessment of their own network

View File

@ -1,11 +1,9 @@
--- ---
id: V-38513 id: V-38513
status: exception status: exception - manual intervention
tag: misc tag: network
--- ---
**Exception**
Although a minimal set of iptables rules are configured on openstack-ansible Although a minimal set of iptables rules are configured on openstack-ansible
hosts, the "deny all" requirement of the STIG is not met. This is largely left hosts, the "deny all" requirement of the STIG is not met. This is largely left
up to the deployer to do, based on their assessment of their own network up to the deployer to do, based on their assessment of their own network
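Review bot: V-38512 and V-38513 carry identical text but end up with different statuses (``exception`` versus ``exception - manual intervention``). Both leave the deny-all rule set to the deployer, so they should share a status; ``exception - manual intervention`` describes both accurately.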

View File

@ -1,7 +1,7 @@
--- ---
id: V-38514 id: V-38514
status: implemented status: implemented
tag: misc tag: kernel
--- ---
The Datagram Congestion Control Protocol (DCCP) must be disabled if it's not The Datagram Congestion Control Protocol (DCCP) must be disabled if it's not

View File

@ -1,7 +1,7 @@
--- ---
id: V-38515 id: V-38515
status: implemented status: implemented
tag: misc tag: kernel
--- ---
The Stream Control Transmission Protocol (SCTP) must be disabled. To opt-out of The Stream Control Transmission Protocol (SCTP) must be disabled. To opt-out of

View File

@ -1,7 +1,7 @@
--- ---
id: V-38516 id: V-38516
status: implemented status: implemented
tag: misc tag: kernel
--- ---
The `Reliable Datagram Sockets (RDS)`_ protocol must be disabled. The Ansible The `Reliable Datagram Sockets (RDS)`_ protocol must be disabled. The Ansible

View File

@ -1,7 +1,7 @@
--- ---
id: V-38517 id: V-38517
status: implemented status: implemented
tag: misc tag: kernel
--- ---
The `Transparent Inter-Process Communication (TIPC)`_ protocol must be The `Transparent Inter-Process Communication (TIPC)`_ protocol must be

View File

@ -1,11 +1,9 @@
--- ---
id: V-38518 id: V-38518
status: exception status: exception
tag: misc tag: file_perms
--- ---
**Exception**
Different systems may have different log files populated depending on the type Different systems may have different log files populated depending on the type
of data that ``rsyslogd`` receives. By default, log files are created with the of data that ``rsyslogd`` receives. By default, log files are created with the
user and group ownership set to root. user and group ownership set to root.

View File

@ -1,11 +1,9 @@
--- ---
id: V-38519 id: V-38519
status: exception status: exception
tag: misc tag: file_perms
--- ---
**Exception**
Different systems may have different log files populated depending on the type Different systems may have different log files populated depending on the type
of data that ``rsyslogd`` receives. By default, log files are created with the of data that ``rsyslogd`` receives. By default, log files are created with the
user and group ownership set to root. user and group ownership set to root.

View File

@ -1,11 +1,9 @@
--- ---
id: V-38520 id: V-38520
status: exception status: exception - manual intervention
tag: misc tag: log
--- ---
**Exception**
At the moment, openstack-ansible already sends logs to the rsyslog container At the moment, openstack-ansible already sends logs to the rsyslog container
from various containers and hosts. However, deployers are strongly urged from various containers and hosts. However, deployers are strongly urged
to forward these logs to a system outside their openstack-ansible environment to forward these logs to a system outside their openstack-ansible environment

View File

@ -1,11 +1,9 @@
--- ---
id: V-38521 id: V-38521
status: exception status: exception - manual intervention
tag: misc tag: log
--- ---
**Exception**
At the moment, openstack-ansible already sends logs to the rsyslog container At the moment, openstack-ansible already sends logs to the rsyslog container
from various containers and hosts. However, deployers are strongly urged from various containers and hosts. However, deployers are strongly urged
to forward these logs to a system outside their openstack-ansible environment to forward these logs to a system outside their openstack-ansible environment

View File

@ -1,11 +1,9 @@
--- ---
id: V-38523 id: V-38523
status: exception status: exception
tag: misc tag: kernel
--- ---
**Exception**
The STIG makes several requirements for IPv4 network restrictions, but these The STIG makes several requirements for IPv4 network restrictions, but these
restrictions can impact certain network interfaces and cause service restrictions can impact certain network interfaces and cause service
disruptions. Some security configurations make sense for certain types of disruptions. Some security configurations make sense for certain types of

View File

@ -1,15 +1,15 @@
--- ---
id: V-38524 id: V-38524
status: implemented status: opt-in
tag: misc tag: kernel
--- ---
This patch disables ICMPv4 redirects feature on the host. The STIG requires that ICMPv4 redirects are disabled on the host. However, this
Accepting ICMP redirects has few legitimate uses. can cause problems with LXC-based deployments, such as environments deployed
It should be disabled unless it is absolutely required. with OpenStack-Ansible.
It is configurable by ``security_disable_icmpv4_redirects`` variable. Deployers can opt-in for this change by setting the following Ansible variable:
This feature is disabled by default as it can disrupt ``LXC`` deployments.
Deployers can skip or enable this task by setting .. code-block:: yaml
``security_disable_icmpv4_redirects`` to ``no`` or ``yes``, respectively.
security_disable_icmpv4_redirects: yes
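Review bot: the rewritten description drops the rationale the old text carried ("Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required."); keep one sentence of it so a deployer reading this note knows what they are trading for LXC compatibility when they leave the task off. The old text also stated the default explicitly (``security_disable_icmpv4_redirects`` set to ``no``), which the new text only implies with "opt-in"; say it outright. Minor: "opt-in for this change" reads better as "opt in to this change".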


@ -1,7 +1,7 @@
--- ---
id: V-38525 id: V-38525
status: implemented status: implemented
tag: misc tag: auditd
--- ---
Rules are added for auditing changes to system time done via ``stime``. Rules are added for auditing changes to system time done via ``stime``.


@ -1,11 +1,9 @@
--- ---
id: V-38526 id: V-38526
status: opt-in status: opt-in
tag: misc tag: kernel
--- ---
**Opt-in required**
The STIG requires that secure ICMP redirects are disabled, but this can cause The STIG requires that secure ICMP redirects are disabled, but this can cause
issues in some virtualized or containerized environments. The Ansible tasks issues in some virtualized or containerized environments. The Ansible tasks
in the security role will not disable these redirects by default. in the security role will not disable these redirects by default.


@ -1,7 +1,7 @@
--- ---
id: V-38527 id: V-38527
status: implemented status: implemented
tag: misc tag: auditd
--- ---
Rules are added for auditing changes to system time done via Rules are added for auditing changes to system time done via


@ -1,11 +1,9 @@
--- ---
id: V-38528 id: V-38528
status: exception status: opt-in
tag: misc tag: kernel
--- ---
**Exception**
The STIG requires that all martian packets are logged by setting the sysctl The STIG requires that all martian packets are logged by setting the sysctl
parameter ``net.ipv4.conf.all.log_martians`` to ``1``. parameter ``net.ipv4.conf.all.log_martians`` to ``1``.
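Review bot: the status moves from exception to opt-in, but the lines shown here still read as an exception rationale and do not name the variable a deployer sets to enable martian logging; if it is not in the part of the file below this hunk, add the variable and a ``.. code-block:: yaml`` example as the V-38524 file in this same patch does, so every opt-in note follows the same shape.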


@ -1,11 +1,9 @@
--- ---
id: V-38529 id: V-38529
status: exception status: exception
tag: misc tag: kernel
--- ---
**Exception**
The STIG makes several requirements for IPv4 network restrictions, but these The STIG makes several requirements for IPv4 network restrictions, but these
restrictions can impact certain network interfaces and cause service restrictions can impact certain network interfaces and cause service
disruptions. Some security configurations make sense for certain types of disruptions. Some security configurations make sense for certain types of


@ -1,7 +1,7 @@
--- ---
id: V-38530 id: V-38530
status: implemented status: implemented
tag: misc tag: auditd
--- ---
Rules are added to auditd to log all attempts to change the system time using Rules are added to auditd to log all attempts to change the system time using


@ -1,9 +1,7 @@
--- ---
id: V-38531 id: V-38531
status: exception status: implemented
tag: misc tag: auditd
--- ---
**Exception**
The audit rules from V-38534 already cover all account modifications. The audit rules from V-38534 already cover all account modifications.


@ -1,11 +1,9 @@
--- ---
id: V-38532 id: V-38532
status: exception status: exception
tag: misc tag: kernel
--- ---
**Exception**
The STIG makes several requirements for IPv4 network restrictions, but these The STIG makes several requirements for IPv4 network restrictions, but these
restrictions can impact certain network interfaces and cause service restrictions can impact certain network interfaces and cause service
disruptions. Some security configurations make sense for certain types of disruptions. Some security configurations make sense for certain types of


@ -1,11 +1,9 @@
--- ---
id: V-38533 id: V-38533
status: exception status: exception
tag: misc tag: kernel
--- ---
**Exception**
The STIG makes several requirements for IPv4 network restrictions, but these The STIG makes several requirements for IPv4 network restrictions, but these
restrictions can impact certain network interfaces and cause service restrictions can impact certain network interfaces and cause service
disruptions. Some security configurations make sense for certain types of disruptions. Some security configurations make sense for certain types of


@ -1,7 +1,7 @@
--- ---
id: V-38534 id: V-38534
status: implemented status: implemented
tag: misc tag: auditd
--- ---
Audit rules are added in a task so that any events associated with Audit rules are added in a task so that any events associated with


@ -1,9 +1,9 @@
--- ---
id: V-38535 id: V-38535
status: implemented status: implemented
tag: misc tag: kernel
--- ---
By default, Ubuntu 14.04 rejects ICMPv4 packets sent to a broadcast address. The Ansible tasks will ensure that ``net.ipv4.icmp_echo_ignore_broadcasts`` is
The Ansible tasks for this STIG configuration ensures that the secure default set to ``1``, which will cause the system to stop responding to ICMPv4 packets
setting is maintained. sent to the broadcast address.


@ -1,9 +1,7 @@
--- ---
id: V-38536 id: V-38536
status: exception status: implemented
tag: misc tag: auditd
--- ---
**Exception**
The audit rules from V-38534 already cover all account modifications. The audit rules from V-38534 already cover all account modifications.


@ -1,8 +1,9 @@
--- ---
id: V-38537 id: V-38537
status: implemented status: implemented
tag: misc tag: kernel
--- ---
Ubuntu already ignores ICMPv4 bogus error messages by default. The role will The Ansible tasks will ensure that
ensure that this default setting is maintained. ``net.ipv4.icmp_ignore_bogus_error_responses`` is set to ``1``. This prevents
a host from responding to bogus ICMPv4 error messages.
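Review bot: the new last sentence misdescribes the sysctl. ``net.ipv4.icmp_ignore_bogus_error_responses`` controls whether the kernel logs a warning when it receives bogus ICMP error responses to broadcast frames; it does not control whether the host answers them. Suggest replacing "This prevents a host from responding to bogus ICMPv4 error messages." with "This stops the kernel from logging warnings about bogus ICMPv4 error responses to broadcast frames, which keeps those messages from flooding the logs."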


@ -1,9 +1,7 @@
--- ---
id: V-38538 id: V-38538
status: exception status: implemented
tag: misc tag: auditd
--- ---
**Exception**
The audit rules from V-38534 already cover all account modifications. The audit rules from V-38534 already cover all account modifications.


@ -1,7 +1,7 @@
--- ---
id: V-38539 id: V-38539
status: implemented status: implemented
tag: misc tag: kernel
--- ---
The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods. The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods.


@ -1,9 +1,7 @@
--- ---
id: V-38540 id: V-38540
status: implemented status: implemented
tag: misc tag: auditd
--- ---
Rules are added for auditing network configuration changes. The path to Rules are added that allows auditd to track network configuration changes.
Ubuntu's standard network configuration location has replaced the path
to Red Hat's default network configuration location.
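Review bot: grammar in the replacement line: "Rules are added that allows auditd to track" should read "Rules are added that allow auditd to track". The two removed sentences also told the deployer that the rule watches Ubuntu's network configuration path in place of the Red Hat path the STIG names; that mapping is what someone checking the rule against the STIG text will look for, so keep it after the corrected sentence rather than dropping it.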


@ -1,7 +1,7 @@
--- ---
id: V-38541 id: V-38541
status: implemented status: implemented
tag: misc tag: auditd
--- ---
For Ubuntu, rules are added to auditd that will log any changes made in the For Ubuntu, rules are added to auditd that will log any changes made in the


@ -1,11 +1,9 @@
--- ---
id: V-38542 id: V-38542
status: exception status: exception
tag: misc tag: kernel
--- ---
**Exception**
The STIG makes several requirements for IPv4 network restrictions, but these The STIG makes several requirements for IPv4 network restrictions, but these
restrictions can impact certain network interfaces and cause service restrictions can impact certain network interfaces and cause service
disruptions. Some security configurations make sense for certain types of disruptions. Some security configurations make sense for certain types of


@ -1,11 +1,9 @@
--- ---
id: V-38543 id: V-38543
status: exception status: opt-in
tag: misc tag: auditd
--- ---
**Exception**
The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat`` The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat``
syscalls can cause high CPU and I/O load during OpenStack-Ansible deployments syscalls can cause high CPU and I/O load during OpenStack-Ansible deployments
and while updating packages with apt. By default, these rules are disabled. and while updating packages with apt. By default, these rules are disabled.


@ -1,11 +1,9 @@
--- ---
id: V-38544 id: V-38544
status: exception status: exception
tag: misc tag: kernel
--- ---
**Exception**
The STIG makes several requirements for IPv4 network restrictions, but these The STIG makes several requirements for IPv4 network restrictions, but these
restrictions can impact certain network interfaces and cause service restrictions can impact certain network interfaces and cause service
disruptions. Some security configurations make sense for certain types of disruptions. Some security configurations make sense for certain types of


@ -1,11 +1,9 @@
--- ---
id: V-38545 id: V-38545
status: exception status: opt-in
tag: misc tag: auditd
--- ---
**Exception**
The audit rules for permission changes made with ``chown`` are disabled by The audit rules for permission changes made with ``chown`` are disabled by
default as they can generate an excessive amount of logs in a short period of default as they can generate an excessive amount of logs in a short period of
time, especially during a deployment. time, especially during a deployment.
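Review bot: the unchanged first line says "permission changes made with ``chown``", but chown changes file ownership, not permissions; since this note is being edited anyway, change it to "ownership changes made with ``chown``". The move from exception to opt-in is consistent with the "disabled by default" wording that follows.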


@ -1,11 +1,9 @@
--- ---
id: V-38546 id: V-38546
status: opt-in status: opt-in
tag: misc tag: kernel
--- ---
**Opt-in required**
The STIG requires IPv6 to be disabled system-wide unless it is needed for the The STIG requires IPv6 to be disabled system-wide unless it is needed for the
system to operate. Deployers must consider how their network is configured system to operate. Deployers must consider how their network is configured
before disabling IPv6 entirely. before disabling IPv6 entirely.


@ -1,11 +1,9 @@
--- ---
id: V-38547 id: V-38547
status: exception status: opt-in
tag: misc tag: auditd
--- ---
**Exception**
The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat`` The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat``
syscalls can cause high CPU and I/O load during OpenStack-Ansible deployments syscalls can cause high CPU and I/O load during OpenStack-Ansible deployments
and while updating packages with apt. By default, these rules are disabled. and while updating packages with apt. By default, these rules are disabled.

Some files were not shown because too many files have changed in this diff.