From a841e184dec7e4023e0ea3e963d1ac4edf4fe41a Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Thu, 19 May 2016 16:37:53 -0500
Subject: [PATCH] Docs: Update dev notes for Cat 2 controls

This patch updates the documentation for the developer notes associated
with the Cat 2 (Medium) controls applied by the security role.

Partial-bug: 1583744
Change-Id: Ic342f33942521db009185585a21208a4688f6ed3
---
 doc/source/developer-notes/V-38443.rst |  6 ++----
 doc/source/developer-notes/V-38445.rst |  6 +++---
 doc/source/developer-notes/V-38453.rst |  6 +++++-
 doc/source/developer-notes/V-38464.rst | 16 ++++++++++------
 doc/source/developer-notes/V-38465.rst |  6 +++---
 doc/source/developer-notes/V-38466.rst |  6 +++---
 doc/source/developer-notes/V-38468.rst | 19 +++++++++++--------
 doc/source/developer-notes/V-38469.rst |  6 +++---
 doc/source/developer-notes/V-38470.rst | 20 ++++++++++++--------
 doc/source/developer-notes/V-38472.rst |  6 +++---
 doc/source/developer-notes/V-38475.rst |  5 ++---
 doc/source/developer-notes/V-38477.rst |  6 ++----
 doc/source/developer-notes/V-38479.rst |  7 ++-----
 doc/source/developer-notes/V-38481.rst | 26 ++++++++++++++++++--------
 doc/source/developer-notes/V-38483.rst |  4 ++--
 doc/source/developer-notes/V-38484.rst |  6 +++---
 doc/source/developer-notes/V-38489.rst |  3 ++-
 doc/source/developer-notes/V-38492.rst | 12 ++++++++++--
 doc/source/developer-notes/V-38493.rst |  6 +++---
 doc/source/developer-notes/V-38502.rst |  4 ++--
 doc/source/developer-notes/V-38503.rst |  4 ++--
 doc/source/developer-notes/V-38504.rst | 13 ++++++++-----
 doc/source/developer-notes/V-38514.rst |  5 +++--
 doc/source/developer-notes/V-38515.rst |  6 ++----
 doc/source/developer-notes/V-38517.rst |  5 +----
 doc/source/developer-notes/V-38518.rst |  3 +++
 doc/source/developer-notes/V-38574.rst |  2 +-
 doc/source/developer-notes/V-38576.rst |  2 +-
 doc/source/developer-notes/V-38577.rst |  2 +-
 doc/source/developer-notes/V-38579.rst |  7 +++++++
 doc/source/developer-notes/V-38583.rst | 10 +++++++++-
 doc/source/developer-notes/V-38596.rst |  2 +-
 doc/source/developer-notes/V-38597.rst |  5 ++---
 doc/source/developer-notes/V-38603.rst |  9 +++++++--
 doc/source/developer-notes/V-38604.rst |  7 +------
 doc/source/developer-notes/V-38605.rst |  8 ++++----
 doc/source/developer-notes/V-38606.rst | 12 ++++++++++--
 doc/source/developer-notes/V-38609.rst |  4 +---
 doc/source/developer-notes/V-38611.rst |  6 +++---
 doc/source/developer-notes/V-38612.rst |  3 ++-
 doc/source/developer-notes/V-38623.rst | 10 ++++++----
 doc/source/developer-notes/V-38625.rst | 13 +++++++------
 doc/source/developer-notes/V-38633.rst |  7 ++++---
 doc/source/developer-notes/V-38634.rst |  6 +++---
 doc/source/developer-notes/V-38637.rst | 12 +++++++-----
 doc/source/developer-notes/V-38652.rst |  8 +++++---
 doc/source/developer-notes/V-38654.rst |  7 ++++---
 doc/source/developer-notes/V-38660.rst |  8 +++-----
 doc/source/developer-notes/V-38670.rst |  6 +++---
 doc/source/developer-notes/V-38671.rst |  5 +----
 doc/source/developer-notes/V-38674.rst | 14 ++++++++++----
 doc/source/developer-notes/V-38678.rst |  6 +++---
 doc/source/developer-notes/V-38691.rst |  5 ++---
 doc/source/developer-notes/V-51337.rst |  6 +++++-
 doc/source/developer-notes/V-51363.rst | 11 +++++++----
 doc/source/developer-notes/V-54381.rst | 11 +++++++----
 56 files changed, 247 insertions(+), 179 deletions(-)
 mode change 120000 => 100644 doc/source/developer-notes/V-38453.rst

diff --git a/doc/source/developer-notes/V-38443.rst b/doc/source/developer-notes/V-38443.rst
index 0f8a56f4..a41c8833 100644
--- a/doc/source/developer-notes/V-38443.rst
+++ b/doc/source/developer-notes/V-38443.rst
@@ -1,4 +1,2 @@ -The Ansible tasks will ensure that ``/etc/gshadow`` is owned by root. This is -the default in Ubuntu 14.04 already, but the tasks will ensure that the -permissions match the STIG requirements in case they were changed by other -means after the installation of the operating system. +The ``/etc/gshadow`` file is owned by root by default on Ubuntu 14.04, Ubuntu +16.04 and CentOS 7. The security role ensures that the file is owned by root. diff --git a/doc/source/developer-notes/V-38445.rst b/doc/source/developer-notes/V-38445.rst index 3818e0fd..0b3e7a37 100644 --- a/doc/source/developer-notes/V-38445.rst +++ b/doc/source/developer-notes/V-38445.rst @@ -1,3 +1,3 @@ -Although audit log files are owned by the root user and group by default -in Ubuntu 14.04, the Ansible task for V-38445 will ensure that they are -configured as such. +The logs generated by the audit daemon are owned by root in Ubuntu 14.04, +Ubuntu 16.04 and CentOS 7. The Ansible task for V-38445 ensures that the files +are owned by the root user. diff --git a/doc/source/developer-notes/V-38453.rst b/doc/source/developer-notes/V-38453.rst deleted file mode 120000 index e81a3160..00000000 --- a/doc/source/developer-notes/V-38453.rst +++ /dev/null @@ -1 +0,0 @@ -V-38447.rst \ No newline at end of file diff --git a/doc/source/developer-notes/V-38453.rst b/doc/source/developer-notes/V-38453.rst new file mode 100644 index 00000000..94b7b403 --- /dev/null +++ b/doc/source/developer-notes/V-38453.rst @@ -0,0 +1,5 @@ +**Exception for Ubuntu** + +Verifying ownership and permissions of installed packages isn't possible in the +current version of ``dpkg`` as it is with ``rpm``. This security configuration +is skipped for Ubuntu. For CentOS, this check is done as part of V-38637. diff --git a/doc/source/developer-notes/V-38464.rst b/doc/source/developer-notes/V-38464.rst index 1bd777e7..1fe85e6d 100644 --- a/doc/source/developer-notes/V-38464.rst +++ b/doc/source/developer-notes/V-38464.rst 
@@ -1,10 +1,14 @@ -Ubuntu's default for ``security_disk_error_action`` is ``SUSPEND``, which -actually only suspends audit logging. That could be a security issue, so -``SYSLOG`` is recommended and is set by default by openstack-ansible-security. -There are additional options available, like ``EXEC``, ``SINGLE`` or ``HALT``. +The default configuration for ``disk_error_action`` is ``SUSPEND``, which +only suspends audit logging when there is a disk error on the system. +Suspending audit logging can lead to security problems because the system is no +longer keeping track of which syscalls were made. -To configure a different ``security_disk_error_action``, set the following -Ansible variable: +The security role sets the configuration to ``SYSLOG`` so that messages are +sent to syslog when disk errors occur. There are additional options available, +like ``EXEC``, ``SINGLE`` or ``HALT``. + +To configure a different ``disk_error_action``, set the following Ansible +variable: .. code-block:: yaml diff --git a/doc/source/developer-notes/V-38465.rst b/doc/source/developer-notes/V-38465.rst index 0afc2ad4..0b8d5bbc 100644 --- a/doc/source/developer-notes/V-38465.rst +++ b/doc/source/developer-notes/V-38465.rst @@ -1,5 +1,5 @@ **Exception** -Ubuntu 14.04 sets library files to have ``0755`` (or more restrictive) -permissions by default. Deployers are urged to review the permissions -of libraries regularly to ensure the system hasn't been altered. +Ubuntu 14.04, Ubuntu 16.04 and CentOS 7 set library files to have ``0755`` (or +more restrictive) permissions by default. Deployers are urged to review the +permissions of libraries regularly to ensure the system has not been altered. diff --git a/doc/source/developer-notes/V-38466.rst b/doc/source/developer-notes/V-38466.rst index 972ecdde..3675eda1 100644 --- a/doc/source/developer-notes/V-38466.rst +++ b/doc/source/developer-notes/V-38466.rst 
@@ -1,5 +1,5 @@ **Exception** -As with V-38465, Ubuntu sets the ownership of library files to root by -default. Deployers are urged to configure monitoring for changes to these -files. +As with V-38465, Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the ownership of +library files to root by default. Deployers are urged to configure monitoring +for changes to these files. diff --git a/doc/source/developer-notes/V-38468.rst b/doc/source/developer-notes/V-38468.rst index 26554f31..69d911c7 100644 --- a/doc/source/developer-notes/V-38468.rst +++ b/doc/source/developer-notes/V-38468.rst @@ -1,11 +1,14 @@ -Ubuntu's default for ``security_disk_full_action`` is ``SUSPEND``, which -actually only suspends audit logging. That could be a security issue, so -``SYSLOG`` is recommended and is set by default by openstack-ansible-security. -If syslog messages are being sent to remote servers, these log messages should -alert an administrator about the disk being full. There are additional options -available, like ``EXEC``, ``SINGLE`` or ``HALT``. +The default configuration for ``disk_full_action`` is ``SUSPEND``, which only +suspends audit logging. Suspending audit logging can lead to security problems +because the system is no longer keeping track of which syscalls were made. -To configure a different ``security_disk_full_action``, set the following +The security role sets the configuration to ``SYSLOG`` so that messages are +sent to syslog when the disk is full. If syslog messages are being sent to +remote servers, these log messages should alert an administrator about the disk +being full. There are additional options available, like ``EXEC``, ``SINGLE`` +or ``HALT``. + +To configure a different ``disk_full_action``, set the following Ansible variable: .. code-block:: yaml 
@@ -15,5 +18,5 @@ Ansible variable: For details on available settings and what they do, run ``man auditd.conf``. Some options can cause the host to go offline until the issue is fixed. Deployers are urged to **carefully read the auditd documentation** prior to -changing the ``security_disk_full_action`` setting from the default. +changing the ``disk_full_action`` setting from the default. diff --git a/doc/source/developer-notes/V-38469.rst b/doc/source/developer-notes/V-38469.rst index 36e64026..2548bd03 100644 --- a/doc/source/developer-notes/V-38469.rst +++ b/doc/source/developer-notes/V-38469.rst @@ -1,5 +1,5 @@ **Exception** -Ubuntu sets the permissions for system commands to ``0755`` or less already. -Deployers are urged to review these permissions for changes over time as they -can be a sign of a compromise. +Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the permissions for system +commands to ``0755`` or less already. Deployers are urged to review these +permissions for changes over time as they can be a sign of a compromise. diff --git a/doc/source/developer-notes/V-38470.rst b/doc/source/developer-notes/V-38470.rst index c71050df..aa61babd 100644 --- a/doc/source/developer-notes/V-38470.rst +++ b/doc/source/developer-notes/V-38470.rst 
@@ -1,11 +1,15 @@ -Ubuntu's default for ``security_space_left_action`` is ``SUSPEND``, which -actually only suspends audit logging. That could be a security issue, so -``SYSLOG`` is recommended and is set by default by openstack-ansible-security. -If syslog messages are being sent to remote servers, these log messages should -alert an administrator about the disk being almost full. There are additional -options available, like ``EXEC``, ``SINGLE`` or ``HALT``. +The default configuration for ``security_space_left_action`` is ``SUSPEND``, +which actually only suspends audit logging. Suspending audit logging can lead +to security problems because the system is no longer keeping track of which +syscalls were made. -To configure a different ``security_space_left_action``, set the following +The security role sets the configuration to ``SYSLOG`` so that messages are +sent to syslog when the available disk space reaches a low level. If syslog +messages are being sent to remote servers, these log messages should alert an +administrator about the disk being almost full. There are additional options +available, like ``EXEC``, ``SINGLE`` or ``HALT``. + +To configure a different ``space_left_action``, set the following Ansible variable: .. code-block:: yaml @@ -15,4 +19,4 @@ Ansible variable: For details on available settings and what they do, run ``man auditd.conf``. Some options can cause the host to go offline until the issue is fixed. Deployers are urged to **carefully read the auditd documentation** prior to -changing the ``security_space_left_action`` setting from the default. +changing the ``space_left_action`` setting from the default. diff --git a/doc/source/developer-notes/V-38472.rst b/doc/source/developer-notes/V-38472.rst index ab8da360..b97e47e2 100644 --- a/doc/source/developer-notes/V-38472.rst +++ b/doc/source/developer-notes/V-38472.rst 
@@ -1,5 +1,5 @@ **Exception** -Ubuntu sets system commands to be owned by root by default Deployers are -urged to review ownership changes via auditd rules to ensure system -commands haven't changed ownership over time. +Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set system commands to be owned by +root by default. Deployers are urged to review ownership changes via auditd +rules to ensure system commands haven't changed ownership over time. diff --git a/doc/source/developer-notes/V-38475.rst b/doc/source/developer-notes/V-38475.rst index b4a411aa..f3051e18 100644 --- a/doc/source/developer-notes/V-38475.rst +++ b/doc/source/developer-notes/V-38475.rst @@ -1,8 +1,7 @@ **Configuration required** -Ubuntu 14.04 does not set a password length requirement by default. The STIG -recommends passwords to be a minimum of 14 characters in length. To apply this -setting, set the following Ansible variable: +The STIG recommends passwords to be a minimum of 14 characters in length. To +apply this setting, set the following Ansible variable: .. code-block:: yaml diff --git a/doc/source/developer-notes/V-38477.rst b/doc/source/developer-notes/V-38477.rst index f5327a56..98fec31c 100644 --- a/doc/source/developer-notes/V-38477.rst +++ b/doc/source/developer-notes/V-38477.rst @@ -1,9 +1,7 @@ **Configuration required** -Ubuntu doesn't set a limitation on how frequently uses can change passwords. -However, the STIG recommends setting a limit of one password change per day. - -To enable this configuration, use this Ansible variable: +The STIG recommends setting a limit of one password change per day. To enable +this configuration, use this Ansible variable: .. code-block:: yaml diff --git a/doc/source/developer-notes/V-38479.rst b/doc/source/developer-notes/V-38479.rst index 651d7e31..8cd9530b 100644 --- a/doc/source/developer-notes/V-38479.rst +++ b/doc/source/developer-notes/V-38479.rst 
@@ -1,10 +1,7 @@ **Configuration required** -Ubuntu doesn't set a limitation on the age of passwords. -However, the STIG recommends setting a limit of 60 days before a password must -be changed. - -To enable this configuration, use this Ansible variable: +The STIG recommends setting a limit of 60 days before a password must +be changed. To enable this configuration, use this Ansible variable: .. code-block:: yaml diff --git a/doc/source/developer-notes/V-38481.rst b/doc/source/developer-notes/V-38481.rst index 836878d7..e359414b 100644 --- a/doc/source/developer-notes/V-38481.rst +++ b/doc/source/developer-notes/V-38481.rst 
@@ -1,18 +1,28 @@ -**Exception** +**Opt-in required** Operating system patching policies vary from organization to organization and are typically established based on business requirements and risk tolerance. -If desired, automatic updates (using the ``unattended-upgrades`` package) -can be enabled via openstack-ansible-security by setting the following -variable to ``true``: +.. note:: + + Automatically upgrading packages can provide significant security benefits, + but they can reduce availability and reliability. Updating packages can + cause daemons to restart on some systems and they can cause local + customizations of configuration files to be lost. + + Deployers are **strongly urged** to understand the nature of this change + and the associated risks prior to enabling automatic upgrades. + +Deployers can enable automatic updates by setting +``security_unattended_upgrades`` to ``True`:: .. code-block:: yaml security_unattended_upgrades: true -Note that this will only apply updates made available to the distro-security -(eg. trusty-security) repositories. +In Ubuntu, the ``unattended-upgrades`` package is installed and enabled. This +will apply updates that are made available to the trusty-security (Ubuntu +14.04) or xenial-security (Ubuntu 16.04) repositories. -**Deployers are urged to fully understand the impact of enabling automatic -update before making the change.** +In CentOS, the ``yum-cron`` package is installed and configured to +automatically apply updates. diff --git a/doc/source/developer-notes/V-38483.rst b/doc/source/developer-notes/V-38483.rst index 071c1b7e..6d52ce1a 100644 --- a/doc/source/developer-notes/V-38483.rst +++ b/doc/source/developer-notes/V-38483.rst 
@@ -1,3 +1,3 @@ -The Ansible task for V-38462 already checks for apt configurations that would -disable any GPG checks when installing packages. However, it's possible for +The Ansible task for V-38462 already checks for configurations that would +disable any GPG checks when installing packages. However, it is possible for the root user to override these configurations via command line parameters. diff --git a/doc/source/developer-notes/V-38484.rst b/doc/source/developer-notes/V-38484.rst index ad9eb08c..f4d8f4eb 100644 --- a/doc/source/developer-notes/V-38484.rst +++ b/doc/source/developer-notes/V-38484.rst @@ -1,3 +1,3 @@ -Ubuntu 14.04 already enables the display of the last successful login for a -user immediately after login. An Ansible task ensures this setting is -applied and restarts the ssh daemon if necessary. +Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 already enable the display of the last +successful login for a user immediately after login. An Ansible task ensures +this setting is applied and restarts the ssh daemon if necessary. diff --git a/doc/source/developer-notes/V-38489.rst b/doc/source/developer-notes/V-38489.rst index cf8d9110..11839511 100644 --- a/doc/source/developer-notes/V-38489.rst +++ b/doc/source/developer-notes/V-38489.rst @@ -1 +1,2 @@ -The ``aide`` package will be installed by Ansible tasks. +The security role installs and configures the ``aide`` package to provide file +integrity monitoring on the host. diff --git a/doc/source/developer-notes/V-38492.rst b/doc/source/developer-notes/V-38492.rst index 9e10f5ee..32b98f7e 100644 --- a/doc/source/developer-notes/V-38492.rst +++ b/doc/source/developer-notes/V-38492.rst 
@@ -1,2 +1,10 @@ -The virtual consoles mentioned in V-38492 aren't used in Ubuntu 14.04 by -default. +**Exception** + +Virtual consoles are helpful during an emergency and they can only be reached +by physical or other out-of-band access (such as DRAC, iLO, or iKVM). This +change can be confusing for system administrators and it is left up to the +deployer to complete. + +As an alternative, deployers could take action to restrict physical access to +server terminals. Out-of-band access mechanisms should be segmented onto their +own restricted network and should use centralized authentication. diff --git a/doc/source/developer-notes/V-38493.rst b/doc/source/developer-notes/V-38493.rst index 084043b1..ba05ae92 100644 --- a/doc/source/developer-notes/V-38493.rst +++ b/doc/source/developer-notes/V-38493.rst @@ -1,3 +1,3 @@ -Ubuntu 14.04 sets the mode of ``/var/log/audit/`` to ``0750`` by default. The -Ansible task for this requirement ensures that the mode is ``0750`` (which -is more strict than the STIG requirement). +Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the mode of ``/var/log/audit/`` to +``0750`` by default. The Ansible task for this requirement ensures that the +mode is ``0750`` (which is more strict than the STIG requirement). diff --git a/doc/source/developer-notes/V-38502.rst b/doc/source/developer-notes/V-38502.rst index 98f129f5..c5070d2d 100644 --- a/doc/source/developer-notes/V-38502.rst +++ b/doc/source/developer-notes/V-38502.rst @@ -1,2 +1,2 @@ -Ubuntu 14.04 sets the user and group ownership of ``/etc/passwd`` to root by -default. The Ansible task will ensure that the default is maintained. +The user and group ownership of ``/etc/passwd`` is root by default. The Ansible +task will ensure that the default is maintained. diff --git a/doc/source/developer-notes/V-38503.rst b/doc/source/developer-notes/V-38503.rst index 98f129f5..c5070d2d 100644 --- a/doc/source/developer-notes/V-38503.rst +++ b/doc/source/developer-notes/V-38503.rst 
@@ -1,2 +1,2 @@ -Ubuntu 14.04 sets the user and group ownership of ``/etc/passwd`` to root by -default. The Ansible task will ensure that the default is maintained. +The user and group ownership of ``/etc/passwd`` is root by default. The Ansible +task will ensure that the default is maintained. diff --git a/doc/source/developer-notes/V-38504.rst b/doc/source/developer-notes/V-38504.rst index e1451c45..24bf6207 100644 --- a/doc/source/developer-notes/V-38504.rst +++ b/doc/source/developer-notes/V-38504.rst @@ -1,5 +1,8 @@ -Although Ubuntu 14.04's default for ``/etc/shadow`` is ``0640``, the STIG -requires a mode of ``0000``. This doesn't affect how the system operates since -root is the only user that should be able to read from and write to -``/etc/shadow``. Allowing users to read the file could open up the system -to attacks since the password hashes can be dumped and brute forced. +Ubuntu 14.04 and Ubuntu 16.04 set the mode of ``/etc/shadow`` to ``0640``, but +CentOS 7 sets it to ``000``. The STIG requires the mode to be ``000`` and the +Ansible tasks in the security role ensure that the mode meets the requirement. + +**Special note for Ubuntu:** This change doesn't affect how the system operates +since root is the only user that should be able to read from and write to +``/etc/shadow``. Allowing users to read the file could open up the system to +attacks since the password hashes can be dumped and brute forced. diff --git a/doc/source/developer-notes/V-38514.rst b/doc/source/developer-notes/V-38514.rst index 7d4718d3..18dbd3ca 100644 --- a/doc/source/developer-notes/V-38514.rst +++ b/doc/source/developer-notes/V-38514.rst 
@@ -1,6 +1,7 @@ The Datagram Congestion Control Protocol (DCCP) must be disabled if it's not -needed. Neither Ubuntu 14.04 or openstack-ansible utilizes this kernel -module and the Ansible tasks will disable it by default. +needed. Although this protocol is occasionally used in some OpenStack +environments for quality of service functions, it is not in the default +implementation. To opt-out of this change, simply change the following variable to ``no``: diff --git a/doc/source/developer-notes/V-38515.rst b/doc/source/developer-notes/V-38515.rst index 0201988e..a1d548fd 100644 --- a/doc/source/developer-notes/V-38515.rst +++ b/doc/source/developer-notes/V-38515.rst @@ -1,7 +1,5 @@ -The Stream Control Transmission Protocol (SCTP) must be disabled. This module -isn't used by Ubuntu 14.04 or openstack-ansible by default. - -To opt-out of this change, set the following variable to ``no``: +The Stream Control Transmission Protocol (SCTP) must be disabled. To opt-out of +this change, set the following variable to ``no``: .. code-block:: yaml diff --git a/doc/source/developer-notes/V-38517.rst b/doc/source/developer-notes/V-38517.rst index 966589dc..6b63c125 100644 --- a/doc/source/developer-notes/V-38517.rst +++ b/doc/source/developer-notes/V-38517.rst @@ -1,11 +1,8 @@ The `Transparent Inter-Process Communication (TIPC)`_ protocol must be -disabled. Neither Ubuntu 14.04 or openstack-ansible enables this module by -default, so the Ansible tasks in this role will disable the module. +disabled. To opt-out of this change, set the following variable to ``no``: .. _Transparent Inter-Process Communication (TIPC): https://en.wikipedia.org/wiki/TIPC -To opt-out of this change, set the following variable to ``no``: - .. code-block:: yaml security_disable_module_tipc: no diff --git a/doc/source/developer-notes/V-38518.rst b/doc/source/developer-notes/V-38518.rst index 1d3fce1a..4cd1dd97 100644 --- a/doc/source/developer-notes/V-38518.rst +++ b/doc/source/developer-notes/V-38518.rst 
@@ -3,3 +3,6 @@ Different systems may have different log files populated depending on the type of data that ``rsyslogd`` receives. By default, log files are created with the user and group ownership set to root. + +Deployers should review the files generated by the ``rsyslogd`` daemon to +verify that they have the most restrictive ownership and permissions. diff --git a/doc/source/developer-notes/V-38574.rst b/doc/source/developer-notes/V-38574.rst index 877dad22..6f75a7cf 100644 --- a/doc/source/developer-notes/V-38574.rst +++ b/doc/source/developer-notes/V-38574.rst @@ -1,6 +1,6 @@ The STIG requires SHA512 to be used for hashing password since it is in the list of FIPS 140-2 approved hashing algorithms. This is also the -default in Ubuntu 14.04. +default in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7. The Ansible tasks will verify that the secure default is still set in the system's PAM configuration. If it has been altered, the playbook will fail diff --git a/doc/source/developer-notes/V-38576.rst b/doc/source/developer-notes/V-38576.rst index fd72d720..5221492b 100644 --- a/doc/source/developer-notes/V-38576.rst +++ b/doc/source/developer-notes/V-38576.rst @@ -1,6 +1,6 @@ The STIG requires SHA512 to be used for hashing password since it is in the list of FIPS 140-2 approved hashing algorithms. This is also the -default in Ubuntu 14.04. +default in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7. The Ansible tasks will verify that the secure default is still set in ``/etc/login.defs``. If it has been altered, the playbook will fail diff --git a/doc/source/developer-notes/V-38577.rst b/doc/source/developer-notes/V-38577.rst index 7adb97f8..15427cd6 100644 --- a/doc/source/developer-notes/V-38577.rst +++ b/doc/source/developer-notes/V-38577.rst 
@@ -1,6 +1,6 @@ The STIG requires SHA512 to be used for hashing password since it is in the list of FIPS 140-2 approved hashing algorithms. This is also the -default in Ubuntu 14.04. +default in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7. The ``libuser`` package isn't installed by default in Ubuntu or via openstack-ansible. The Ansible tasks will do the following: diff --git a/doc/source/developer-notes/V-38579.rst b/doc/source/developer-notes/V-38579.rst index ac733bcd..cf6fbbb5 100644 --- a/doc/source/developer-notes/V-38579.rst +++ b/doc/source/developer-notes/V-38579.rst @@ -1,2 +1,9 @@ Ubuntu 14.04 sets the ownership on ``/boot/grub/grub.cfg`` to root by default. The Ansible task will ensure that the secure default is maintained. + +In Ubuntu 16.04 and CentOS 7, the bootloader configuration files in +``/boot/grub2`` are owned by the root user by default. + +Deployers should monitor these files for changes in ownership, permissions and +contents. The ``aide`` daemon is installed by the security role to monitor +these files. diff --git a/doc/source/developer-notes/V-38583.rst b/doc/source/developer-notes/V-38583.rst index e36b6259..d64107b9 100644 --- a/doc/source/developer-notes/V-38583.rst +++ b/doc/source/developer-notes/V-38583.rst @@ -1 +1,9 @@ -The permissions on ``/boot/grub/grub.cfg`` will be set to ``0644``. +**Exception for grub2** + +For Ubuntu 14.04, the permissions on ``/boot/grub/grub.cfg`` will be set to +``0644``. + +Ubuntu 16.04 and CentOS 7 use grub2. The configuration files in ``/boot/grub2`` +are regenerated when new kernels are installed or when the root user +regenerates the configuration file. File ownership and permissions are set +appropriately after each of these events. diff --git a/doc/source/developer-notes/V-38596.rst b/doc/source/developer-notes/V-38596.rst index e2ff4dc1..0af84334 100644 --- a/doc/source/developer-notes/V-38596.rst +++ b/doc/source/developer-notes/V-38596.rst 
@@ -1,3 +1,3 @@ The Ansible tasks will set ``kernel.randomize_va_space=2`` immediately and will also ensure that the setting is applied on the next boot. This setting -is currently the default in Ubuntu 14.04. +is currently the default in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7. diff --git a/doc/source/developer-notes/V-38597.rst b/doc/source/developer-notes/V-38597.rst index b72fd4e4..57098070 100644 --- a/doc/source/developer-notes/V-38597.rst +++ b/doc/source/developer-notes/V-38597.rst @@ -1,6 +1,5 @@ -Although Red Hat kernels provide ExecShield, Ubuntu provides Non-Executable -Memory (NX) support and it is enabled by default. There's not an option -to enable or disable it. +Non-Executable Memory (NX) is the successor to ExecShield, and it is enabled by +default on Ubuntu 14.04, Ubuntu 16.04, and CentOS 7. For more information, refer to `Ubuntu's security feature documentation on NX`_. diff --git a/doc/source/developer-notes/V-38603.rst b/doc/source/developer-notes/V-38603.rst index a93d693c..a77ce713 100644 --- a/doc/source/developer-notes/V-38603.rst +++ b/doc/source/developer-notes/V-38603.rst @@ -1,5 +1,10 @@ -The ``nis`` package is Ubuntu's equivalent of Red Hat's ``ypserv`` package. -The Ansible tasks will remove the ``nis`` package if it is installed. To +This packages is named differently depending on the Linux distribution: + +* Ubuntu 14.04: ``nis`` +* Ubuntu 16.04: ``nis`` +* CentOS 7: ``ypserv`` + +The Ansible tasks will remove the appropriate package if it is installed. To opt-out of this change, adjust the following configuration variable to ``no``: .. code-block:: yaml diff --git a/doc/source/developer-notes/V-38604.rst b/doc/source/developer-notes/V-38604.rst index 4daa8c9e..0cc02333 100644 --- a/doc/source/developer-notes/V-38604.rst +++ b/doc/source/developer-notes/V-38604.rst 
@@ -1,6 +1 @@ -**Exception** - -The ``ypbind`` service is removed as part of V-38603 where the ``nis`` package -is removed from the system entirely. Since neither Ubuntu nor -openstack-ansible install any NIS-related services, this configuration is -skipped. +The ``ypbind`` service is removed entirely as part of V-38603. diff --git a/doc/source/developer-notes/V-38605.rst b/doc/source/developer-notes/V-38605.rst index 8977ddb0..22cba2b1 100644 --- a/doc/source/developer-notes/V-38605.rst +++ b/doc/source/developer-notes/V-38605.rst @@ -1,4 +1,4 @@ -The ``cron`` service is running by default in Ubuntu and is required for -openstack-ansible's services to function properly. The Ansible tasks in -this role will ensure that ``cron`` is running and is configured to start -at boot time. +The ``cron`` service is running by default in Ubuntu 14.04, Ubuntu 16.04, and +CentOS 7. It is required for various OpenStack services to function properly. +The Ansible tasks in this role will ensure that ``cron`` is running and is +configured to start at boot time. diff --git a/doc/source/developer-notes/V-38606.rst b/doc/source/developer-notes/V-38606.rst index d2e8e66c..e299c0ff 100644 --- a/doc/source/developer-notes/V-38606.rst +++ b/doc/source/developer-notes/V-38606.rst @@ -1,5 +1,13 @@ -The ``tftpd`` package in Ubuntu will be removed. To opt-out, adjust the -following configuration variable to ``no``: +The package containing the tftp daemon has different names depending on the +Linux distribution: + +* Ubuntu 14.04: ``tftpd`` +* Ubuntu 16.04: ``tftpd`` +* CentOS 7: ``tftp-server`` + +The Ansible tasks will select the appropriate package for the Linux +distribution and remove the package. To opt-out, adjust the following +configuration variable to ``no``: .. code-block:: yaml diff --git a/doc/source/developer-notes/V-38609.rst b/doc/source/developer-notes/V-38609.rst index a75ea9ca..60b49792 100644 --- a/doc/source/developer-notes/V-38609.rst 
+++ b/doc/source/developer-notes/V-38609.rst @@ -1,3 +1 @@ -The ``tftpd`` service is removed by V-38606 and it is not installed by -Ubuntu or openstack-ansible by default. For this reason, it's recommended -to remove the service by using the Ansible task from V-38606. +The package containing the ``tftpd`` service is removed by V-38606. diff --git a/doc/source/developer-notes/V-38611.rst b/doc/source/developer-notes/V-38611.rst index 7bfbec56..d340df83 100644 --- a/doc/source/developer-notes/V-38611.rst +++ b/doc/source/developer-notes/V-38611.rst @@ -1,3 +1,3 @@ -By default, Ubuntu configures the ssh daemon so that rsh's .rhosts files are -ignored. The Ansible tasks will ensure that this setting hasn't changed -from the default. +Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 configure the ssh daemon so that rsh's +.rhosts files are ignored by default. The Ansible tasks will ensure that this +setting has not changed from the default. diff --git a/doc/source/developer-notes/V-38612.rst b/doc/source/developer-notes/V-38612.rst index 7a9c5d12..af6a2b9d 100644 --- a/doc/source/developer-notes/V-38612.rst +++ b/doc/source/developer-notes/V-38612.rst @@ -1 +1,2 @@ -The tasks in sshd.yml will ensure that SSH does not allow host based authentication. \ No newline at end of file +The Ansible tasks in the security role ensure that the ssh daemon does not +allow host based authentication. diff --git a/doc/source/developer-notes/V-38623.rst b/doc/source/developer-notes/V-38623.rst index 47ae252f..fdd6ac32 100644 --- a/doc/source/developer-notes/V-38623.rst +++ b/doc/source/developer-notes/V-38623.rst 
@@ -1,6 +1,8 @@ -Ubuntu sets the mode on rsyslog files to ``0640`` by default, but the STIG -requires ``0600`` or less. The Ansible tasks will adjust the rsyslog -configuration so that any new log files will have the mode set to ``0600``. +The mode on rsyslog files is set to ``0640`` by default in Ubuntu 14.04 and +Ubuntu 16.04 by default. CentOS 7 sets the mode to ``0600`` by default. The +Ansible tasks will adjust the rsyslog configuration so that any new log files +will have the mode set to ``0600``. This will take effect the next time that log files are rotated with -``logrotate`` (configured in V-38624). +``logrotate`` (configured in V-38624). Deployers can also make this change +manually with ``chmod``. diff --git a/doc/source/developer-notes/V-38625.rst b/doc/source/developer-notes/V-38625.rst index 18a73677..c897b216 100644 --- a/doc/source/developer-notes/V-38625.rst +++ b/doc/source/developer-notes/V-38625.rst @@ -1,8 +1,9 @@ **Exception** -Neither Ubuntu 14.04 or openstack-ansible configures LDAP authentication by -default. Deployers that use LDAP authentication for systems are strongly -urged to use TLS connectivity between client hosts and LDAP servers to -prevent eavesdroppers on the network from reading the authentication attempts -as they are made. The certificates on the LDAP server must be trusted by -each client. +Deployers that use LDAP authentication for systems are strongly urged to use +TLS connectivity between client hosts and LDAP servers to prevent eavesdroppers +on the network from reading the authentication attempts as they are made. The +certificates on the LDAP server must be trusted by each client. + +The tasks in the security role do not adjust the LDAP configuration since this +could disrupt future authentication attempts. diff --git a/doc/source/developer-notes/V-38633.rst b/doc/source/developer-notes/V-38633.rst index 0ba670ab..03553f64 100644 --- a/doc/source/developer-notes/V-38633.rst 
+++ b/doc/source/developer-notes/V-38633.rst @@ -1,6 +1,7 @@ -Ubuntu's default setting for ``security_max_log_file`` matches the STIG -requirement of rotating logs when they reach 6MB. The Ansible task for this -STIG requirement ensures that the secure default is maintained. +The default setting for ``security_max_log_file`` in Ubuntu 14.04, Ubuntu +16.04, and CentOS 7 matches the STIG requirement of rotating logs when they +reach 6MB. The Ansible task for this STIG requirement ensures that the secure +default is maintained. Deployers who want to exceed the STIG guideline can increase the size of logs by adjusting the following Ansible variable: diff --git a/doc/source/developer-notes/V-38634.rst b/doc/source/developer-notes/V-38634.rst index b5880d29..cec3c454 100644 --- a/doc/source/developer-notes/V-38634.rst +++ b/doc/source/developer-notes/V-38634.rst @@ -1,6 +1,6 @@ -Ubuntu's default action for ``security_max_log_file_action`` is to rotate the -logs. This meets the STIG requirements and the Ansible task will ensure that -the secure default is maintained. +The default action for ``security_max_log_file_action`` on Ubuntu 14.04, Ubuntu +16.04, and CentOS 7 is to rotate the logs. This meets the STIG requirements and +the Ansible task will ensure that the secure default is maintained. Use caution when changing this option. Certain values, like ``SUSPEND`` will cause the audit daemon to lock the machine when the maximum size for a log diff --git a/doc/source/developer-notes/V-38637.rst b/doc/source/developer-notes/V-38637.rst index 0de32fb0..d11034a9 100644 --- a/doc/source/developer-notes/V-38637.rst +++ b/doc/source/developer-notes/V-38637.rst 
@@ -1,6 +1,8 @@ -The auditd package is verified with ``debsums`` and the playbook will fail -immediately if any of the files from the auditd package have been altered. -This could be the sign of a system compromise. +The auditd package is verified with ``debsums`` in Ubuntu and with ``rpm`` in +CentOS. The playbook will fail immediately if any of the files from the auditd +package have been altered. This could be the sign of a system compromise. -If the ``debsums`` package isn't installed, the Ansible task will install it -during the playbook run. +.. note:: + + If the ``debsums`` package isn't installed on Ubuntu, the Ansible task will + install it during the playbook run. diff --git a/doc/source/developer-notes/V-38652.rst b/doc/source/developer-notes/V-38652.rst index 1dd08d58..fc554ff2 100644 --- a/doc/source/developer-notes/V-38652.rst +++ b/doc/source/developer-notes/V-38652.rst @@ -1,5 +1,7 @@ **Exception** -Although neither Ubuntu 14.04 or openstack-ansible mount remote filesystems -by default, deployers are urged to use the ``nodev`` option on any remotely -mounted filesystems whenever possible. +Deployers are urged to use the ``nodev`` option on any remotely mounted +filesystems whenever possible. + +The security role does not take action on filesystem mounts since this could +affect the stability or availability of the host. diff --git a/doc/source/developer-notes/V-38654.rst b/doc/source/developer-notes/V-38654.rst index 0a0479b3..be52f203 100644 --- a/doc/source/developer-notes/V-38654.rst +++ b/doc/source/developer-notes/V-38654.rst 
@@ -1,6 +1,7 @@ **Exception** -Although neither Ubuntu 14.04 or openstack-ansible mount remote filesystems -by default, deployers are urged to use the ``nosuid`` option on any remotely -mounted filesystems whenever possible. +Deployers are urged to use the ``nosuid`` option on any remotely mounted +filesystems whenever possible. +The security role does not take action on filesystem mounts since this could +affect the stability or availability of the host. diff --git a/doc/source/developer-notes/V-38660.rst b/doc/source/developer-notes/V-38660.rst index 36eb418c..aed091a7 100644 --- a/doc/source/developer-notes/V-38660.rst +++ b/doc/source/developer-notes/V-38660.rst @@ -1,8 +1,6 @@ -Although neither Ubuntu 14.04 or openstack-ansible install or configure the -SNMP daemon by default, the Ansible tasks will check to see if the SNMP -configuration file is present. If the file is present, and the file contains -configurations for insecure SNMP protocols, an error will be -printed and the playbook will fail. +The Ansible tasks will check to see if the SNMP configuration file is present. +If the file is present, and the file contains configurations for insecure SNMP +protocols, an error will be printed and the playbook will fail. The task specifically looks for uncommented configuration lines containing: diff --git a/doc/source/developer-notes/V-38670.rst b/doc/source/developer-notes/V-38670.rst index e264f8c0..4a37b92f 100644 --- a/doc/source/developer-notes/V-38670.rst +++ b/doc/source/developer-notes/V-38670.rst 
@@ -1,5 +1,5 @@ The AIDE package is already installed as part of the Ansible tasks to fix V-38429, but these Ansible tasks will verify that the cron job file is actually -in place. Ubuntu will configure the cron job automatically as soon as the -package is installed. If the cron job is missing, an error will be printed -and the playbook will fail. +in place. The cron job is installed as part of the aide package installation. +If the cron job is missing, an error will be printed and the playbook will +fail. diff --git a/doc/source/developer-notes/V-38671.rst b/doc/source/developer-notes/V-38671.rst index b70b78e0..f5bbc98e 100644 --- a/doc/source/developer-notes/V-38671.rst +++ b/doc/source/developer-notes/V-38671.rst @@ -1,7 +1,4 @@ -Although neither Ubuntu nor openstack-ansible install or configure sendmail -by default, the Ansible task will remove the sendmail package if it exists on -the system. - +The security role will remove the sendmail package if it exists on the system. To opt-out of this change, adjust the following Ansible variable to ``no``: .. code-block:: yaml diff --git a/doc/source/developer-notes/V-38674.rst b/doc/source/developer-notes/V-38674.rst index 299f42b8..644eae03 100644 --- a/doc/source/developer-notes/V-38674.rst +++ b/doc/source/developer-notes/V-38674.rst 
@@ -1,4 +1,10 @@ -Ubuntu sets the default runlevel in ``/etc/init/rc-sysinit.conf`` and it should -be set to ``2`` on Ubuntu systems. The Ansible task will verify that the -correct runlevel is set. If the verification fails, an error will be printed -and the playbook will fail. +Ubuntu 14.04 sets the default runlevel in ``/etc/init/rc-sysinit.conf`` and it +should be set to ``2`` on Ubuntu systems. The Ansible task will verify that the +correct runlevel is set. + +For operating systems that use systemd, such as Ubuntu 16.04 and CentOS 7, the +Ansible tasks will verify that the ``graphical.target`` is not loaded by +default. + +If any of these verifications fails, an error will be printed and the playbook +will fail. diff --git a/doc/source/developer-notes/V-38678.rst b/doc/source/developer-notes/V-38678.rst index c8e22e6a..cd38775d 100644 --- a/doc/source/developer-notes/V-38678.rst +++ b/doc/source/developer-notes/V-38678.rst @@ -3,6 +3,6 @@ will trigger the ``security_space_left_action``. The threshold of remaining disk space is configured by ``security_space_left`` in ``/etc/audit/auditd.conf``. -By default, Ubuntu sets this value to 75 megabytes. The STIG doesn't set a -specific requirement for the exact size, so the Ansible task will ensure that -the Ubuntu default of 75 megabytes is set. +By default, Ubuntu 14.04, Ubuntu 16.04 and CentOS 7 set this value to 75 +megabytes. The STIG doesn't set a specific requirement for the exact size, so +the Ansible task will ensure that the default of 75 megabytes is set. diff --git a/doc/source/developer-notes/V-38691.rst b/doc/source/developer-notes/V-38691.rst index a8900001..3a36fd49 100644 --- a/doc/source/developer-notes/V-38691.rst +++ b/doc/source/developer-notes/V-38691.rst 
@@ -1,6 +1,5 @@ -Although neither Ubuntu 14.04 or openstack-ansible installs the ``bluetooth`` -package, the Ansible tasks will disable the service and stop it if it's found -to be running on the system. +The Ansible tasks will disable the ``bluetooth`` service and stop it if it is +running on the system. To opt-out of this change, adjust the following Ansible variable to ``no``: diff --git a/doc/source/developer-notes/V-51337.rst b/doc/source/developer-notes/V-51337.rst index 0922dcf4..929a3f5f 100644 --- a/doc/source/developer-notes/V-51337.rst +++ b/doc/source/developer-notes/V-51337.rst @@ -1,10 +1,14 @@ Ubuntu loads the AppArmor module by default starting with version 8.04. For more information, review the `AppArmor documentation`_ on Ubuntu's site. -In addition, the openstack-ansible project configures AppArmor policies +In addition, the OpenStack-Ansible project configures AppArmor policies for the LXC containers which run the OpenStack infrastructure. The tasks for this STIG will verify that AppArmor is enabled via the ``apparmor_status``. The playbook will fail if AppArmor is found to be disabled on the host. +On CentOS 7, the security role will verify that SELinux is in *Enforcing* mode. +If SELinux is in *Disabled* or *Permissive* mode, the playbook will fail with +an error message. + .. _AppArmor documentation: https://help.ubuntu.com/community/AppArmor diff --git a/doc/source/developer-notes/V-51363.rst b/doc/source/developer-notes/V-51363.rst index 8f44a7d1..f352ac7f 100644 --- a/doc/source/developer-notes/V-51363.rst +++ b/doc/source/developer-notes/V-51363.rst 
@@ -1,4 +1,7 @@ -The openstack-ansible project configures AppArmor to limit the actions of -containers and reduce the changes (and potential damages) of a container -breakout. The RHEL 6 STIG mentions SELinux but the existing SELinux policies -provided with Ubuntu aren't as well maintained as those provided with RHEL. +For Ubuntu, the standard AppArmor policies provided by the AppArmor package are +loaded. The OpenStack-Ansible project also configures AppArmor to limit the +actions of containers and reduce the changes (and potential damages) of a +container breakout. + +On CentOS 7, the ``selinux-policy-targeted`` package provides SELinux policies +that enforce limits on system services and users. diff --git a/doc/source/developer-notes/V-54381.rst b/doc/source/developer-notes/V-54381.rst index 31d5b58a..07b4c587 100644 --- a/doc/source/developer-notes/V-54381.rst +++ b/doc/source/developer-notes/V-54381.rst @@ -3,11 +3,14 @@ The STIG requires that the audit system must switch the entire system into single-user mode when the space for logging becomes dangerously low. -**This will cause serious service disruptions for any environment and should -only be enabled for extremely high security environments.** +.. note:: -Ubuntu sets ``security_admin_space_left_action`` to ``SUSPEND`` by default, and -this will cause logging to be temporarily suspended until disk space is freed. + **This will cause serious service disruptions for any environment and + should only be enabled for extremely high security environments.** + +The ``security_admin_space_left_action`` configuration is set to ``SUSPEND`` by +default, and this will cause logging to be temporarily suspended until disk +space is freed. For extremely high security environments, this Ansible variable can be provided to meet the requirements of the STIG:
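Review bot: in the V-38605 hunk the note says the tasks ensure that ``cron`` is running, but on CentOS 7 the cron daemon comes from the ``cronie`` package and its unit is ``crond``, not ``cron``. If the task already uses a per-distribution service-name variable, say so here; if it hard-codes ``cron``, the task will fail on CentOS 7. Suggested wording: "The Ansible tasks in this role will ensure that the cron daemon (``cron`` on Ubuntu, ``crond`` on CentOS 7) is running and is configured to start at boot time."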
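Review bot: the V-38606 hunk removes only the ``tftpd`` package on Ubuntu, which leaves the more common Ubuntu TFTP server packages (``tftpd-hpa`` and ``atftpd``) untouched, while the note reads as if any tftp daemon is removed. Either state that only ``tftpd`` (``tftp-server`` on CentOS 7) is removed and that other TFTP server packages are the deployer's responsibility, or extend the per-distribution package list. The two Ubuntu bullets carrying the identical value could also be collapsed into one.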
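Review bot: the V-38611 hunk would be more useful with the ``sshd_config`` directive named, so a deployer can verify it by hand: the setting that makes sshd ignore ``.rhosts`` files is ``IgnoreRhosts yes``, which is also the OpenSSH default the note refers to.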
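Review bot: same point for the V-38612 hunk: "does not allow host based authentication" is the ``HostbasedAuthentication no`` directive in ``sshd_config``; naming it tells the reader exactly what the task enforces and what to grep for.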
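Review bot: "by default" appears twice in the first sentence of the V-38623 hunk ("is set to ``0640`` by default in Ubuntu 14.04 and Ubuntu 16.04 by default"); drop one. It would also help to name the rsyslog directive the task changes (presumably ``$FileCreateMode 0600``) and to make clear that ``chmod`` only fixes files that already exist while the rsyslog setting governs files created afterwards, so deployers who want immediate coverage need both.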
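Review bot: the V-38637 hunk says the playbook fails if any file from the auditd package has been altered, but on CentOS ``rpm -V audit`` also reports modified configuration files (entries flagged with ``c``), and ``/etc/audit/auditd.conf`` is exactly what this role edits for V-38633, V-38634, V-38678 and V-54381. Unless the task ignores config-file changes (for example by filtering out the ``c`` entries), the second run on a CentOS 7 host will fail on the role's own edits. ``debsums`` excludes conffiles by default, so Ubuntu does not hit this; document whichever behaviour the task implements.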
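Review bot: the V-38670 hunk generalizes "Ubuntu will configure the cron job automatically" into "The cron job is installed as part of the aide package installation", which does not hold on CentOS 7: the RHEL/CentOS ``aide`` package ships no cron entry, and on Ubuntu the daily job comes from ``aide-common`` rather than ``aide``. As written, this verification will fail on every CentOS 7 host unless the role creates the job; either have the role install a cron entry on CentOS 7 or document that deployers must add one before running the role.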
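Review bot: "verify that the ``graphical.target`` is not loaded by default" in the V-38674 hunk is ambiguous, since a target can be inactive right now and still be the boot default. The systemd equivalent of the runlevel check is the default target reported by ``systemctl get-default``, which should be ``multi-user.target``; suggest "will verify that the default target is ``multi-user.target`` rather than ``graphical.target``" and mention the command so a deployer can check by hand.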
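Review bot: the V-38691 hunk drops the sentence saying the ``bluetooth`` package is not installed by default, but that is the case that needs documenting: Ansible's ``service`` module fails when asked to stop or disable a unit that does not exist on the host. Either the task guards on the package or unit being present (say so here) or the note should warn that hosts without the bluetooth stack installed will fail this task.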
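Review bot: the V-51337 hunk adds an SELinux mode check for CentOS 7 but does not say whether it reads the running mode (``getenforce``) or the persisted ``SELINUX=`` line in ``/etc/selinux/config``. The requirement concerns the state at boot, and the two can disagree (``setenforce 0`` at runtime, or a config edit awaiting reboot), so state which one is checked; checking both is the safer reading.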
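Review bot: typo in the V-51363 hunk: "reduce the changes (and potential damages) of a container breakout" should read "reduce the chances (and potential damage)". The same wording was in the removed lines, so this rewrite is the place to fix it.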
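Review bot: in the V-54381 hunk, "The ``security_admin_space_left_action`` configuration is set to ``SUSPEND`` by default" no longer says whose default this is. Since ``security_admin_space_left_action`` is the role's Ansible variable, make that explicit, e.g. "The role sets ``security_admin_space_left_action`` to ``SUSPEND`` by default, which is also the value shipped in the distribution ``auditd.conf``"; otherwise a reader may take it for an auditd setting they need to look up elsewhere.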