Docs: Update dev notes for Cat 2 controls
This patch updates the documentation for the developer notes associated with the Cat 2 (Medium) controls applied by the security role.

Partial-bug: 1583744
Change-Id: Ic342f33942521db009185585a21208a4688f6ed3
@@ -1,4 +1,2 @@
The Ansible tasks will ensure that ``/etc/gshadow`` is owned by root. This is
the default in Ubuntu 14.04 already, but the tasks will ensure that the
permissions match the STIG requirements in case they were changed by other
means after the installation of the operating system.
The ``/etc/gshadow`` file is owned by root by default on Ubuntu 14.04, Ubuntu
16.04 and CentOS 7. The security role ensures that the file is owned by root.
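Review bot: the rewritten note loses the reason the task exists at all. The removed lines said the tasks check ownership and permissions "in case they were changed by other means after the installation", while the new second sentence only restates the default and mentions ownership, not permissions. Keep one clause, for example: "The security role ensures that the file remains owned by root with STIG-compliant permissions in case this was changed after installation."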
@@ -1,3 +1,3 @@
Although audit log files are owned by the root user and group by default
in Ubuntu 14.04, the Ansible task for V-38445 will ensure that they are
configured as such.
The logs generated by the audit daemon are owned by root in Ubuntu 14.04,
Ubuntu 16.04 and CentOS 7. The Ansible task for V-38445 ensures that the files
are owned by the root user.
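Review bot: the new wording narrows "owned by the root user and group" to "owned by the root user". If the V-38445 task still sets both the owner and the group, keep "user and group" in the last added line so the note matches what the task enforces.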
@@ -1 +0,0 @@
V-38447.rst

doc/source/developer-notes/V-38453.rst (Normal file, 5 lines)
@@ -0,0 +1,5 @@
**Exception for Ubuntu**

Verifying ownership and permissions of installed packages isn't possible in the
current version of ``dpkg`` as it is with ``rpm``. This security configuration
is skipped for Ubuntu. For CentOS, this check is done as part of V-38637.
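Review bot: "the current version of ``dpkg``" in the new file will go stale and does not tell the reader what is actually missing. State the gap instead (``dpkg`` records only file checksums, not the per-file owner and mode that ``rpm -V`` can check) or name the distribution release on which this was verified.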
@@ -1,10 +1,14 @@
Ubuntu's default for ``security_disk_error_action`` is ``SUSPEND``, which
actually only suspends audit logging. That could be a security issue, so
``SYSLOG`` is recommended and is set by default by openstack-ansible-security.
There are additional options available, like ``EXEC``, ``SINGLE`` or ``HALT``.
The default configuration for ``disk_error_action`` is ``SUSPEND``, which
only suspends audit logging when there is a disk error on the system.
Suspending audit logging can lead to security problems because the system is no
longer keeping track of which syscalls were made.

To configure a different ``security_disk_error_action``, set the following
Ansible variable:
The security role sets the configuration to ``SYSLOG`` so that messages are
sent to syslog when disk errors occur. There are additional options available,
like ``EXEC``, ``SINGLE`` or ``HALT``.

To configure a different ``disk_error_action``, set the following Ansible
variable:

.. code-block:: yaml

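Review bot: the added lead-in "To configure a different ``disk_error_action``, set the following Ansible variable:" mixes the ``auditd.conf`` key with the role variable that the removed line named (``security_disk_error_action``). Say which is which so a reader does not put the auditd key into their Ansible variables, for example: "To set a different auditd ``disk_error_action``, set the ``security_disk_error_action`` Ansible variable:". The same applies to the ``disk_full_action`` and ``space_left_action`` notes later in this patch.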
@@ -1,5 +1,5 @@
**Exception**

Ubuntu 14.04 sets library files to have ``0755`` (or more restrictive)
permissions by default. Deployers are urged to review the permissions
of libraries regularly to ensure the system hasn't been altered.
Ubuntu 14.04, Ubuntu 16.04 and CentOS 7 set library files to have ``0755`` (or
more restrictive) permissions by default. Deployers are urged to review the
permissions of libraries regularly to ensure the system has not been altered.
@@ -1,5 +1,5 @@
**Exception**

As with V-38465, Ubuntu sets the ownership of library files to root by
default. Deployers are urged to configure monitoring for changes to these
files.
As with V-38465, Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the ownership of
library files to root by default. Deployers are urged to configure monitoring
for changes to these files.
@@ -1,11 +1,14 @@
Ubuntu's default for ``security_disk_full_action`` is ``SUSPEND``, which
actually only suspends audit logging. That could be a security issue, so
``SYSLOG`` is recommended and is set by default by openstack-ansible-security.
If syslog messages are being sent to remote servers, these log messages should
alert an administrator about the disk being full. There are additional options
available, like ``EXEC``, ``SINGLE`` or ``HALT``.
The default configuration for ``disk_full_action`` is ``SUSPEND``, which only
suspends audit logging. Suspending audit logging can lead to security problems
because the system is no longer keeping track of which syscalls were made.

To configure a different ``security_disk_full_action``, set the following
The security role sets the configuration to ``SYSLOG`` so that messages are
sent to syslog when the disk is full. If syslog messages are being sent to
remote servers, these log messages should alert an administrator about the disk
being full. There are additional options available, like ``EXEC``, ``SINGLE``
or ``HALT``.

To configure a different ``disk_full_action``, set the following
Ansible variable:

.. code-block:: yaml
@@ -15,5 +18,5 @@ Ansible variable:
For details on available settings and what they do, run ``man auditd.conf``.
Some options can cause the host to go offline until the issue is fixed.
Deployers are urged to **carefully read the auditd documentation** prior to
changing the ``security_disk_full_action`` setting from the default.
changing the ``disk_full_action`` setting from the default.

@@ -1,5 +1,5 @@
**Exception**

Ubuntu sets the permissions for system commands to ``0755`` or less already.
Deployers are urged to review these permissions for changes over time as they
can be a sign of a compromise.
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the permissions for system
commands to ``0755`` or less already. Deployers are urged to review these
permissions for changes over time as they can be a sign of a compromise.
@@ -1,11 +1,15 @@
Ubuntu's default for ``security_space_left_action`` is ``SUSPEND``, which
actually only suspends audit logging. That could be a security issue, so
``SYSLOG`` is recommended and is set by default by openstack-ansible-security.
If syslog messages are being sent to remote servers, these log messages should
alert an administrator about the disk being almost full. There are additional
options available, like ``EXEC``, ``SINGLE`` or ``HALT``.
The default configuration for ``security_space_left_action`` is ``SUSPEND``,
which actually only suspends audit logging. Suspending audit logging can lead
to security problems because the system is no longer keeping track of which
syscalls were made.

To configure a different ``security_space_left_action``, set the following
The security role sets the configuration to  ``SYSLOG`` so that messages are
sent to syslog when the available disk space reaches a low level. If syslog
messages are being sent to remote servers, these log messages should alert an
administrator about the disk being almost full. There are additional options
available, like ``EXEC``, ``SINGLE`` or ``HALT``.

To configure a different ``space_left_action``, set the following
Ansible variable:

.. code-block:: yaml
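Review bot: inconsistent naming inside this hunk. The first added line says "The default configuration for ``security_space_left_action`` is ``SUSPEND``" (the role's variable), while the lead-in at the end of the hunk switches to the auditd key ``space_left_action``, and the sibling ``disk_error_action`` and ``disk_full_action`` notes in this patch use the bare auditd key in the first sentence. Pick one form for the file. Also, "sets the configuration to  ``SYSLOG``" has a double space.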
@@ -15,4 +19,4 @@ Ansible variable:
For details on available settings and what they do, run ``man auditd.conf``.
Some options can cause the host to go offline until the issue is fixed.
Deployers are urged to **carefully read the auditd documentation** prior to
changing the ``security_space_left_action`` setting from the default.
changing the ``space_left_action`` setting from the default.
@@ -1,5 +1,5 @@
**Exception**

Ubuntu sets system commands to be owned by root by default  Deployers are
urged to review ownership changes via auditd rules to ensure system
commands haven't changed ownership over time.
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set system commands to be owned by
root by default. Deployers are urged to review ownership changes via auditd
rules to ensure system commands haven't changed ownership over time.
@@ -1,8 +1,7 @@
**Configuration required**

Ubuntu 14.04 does not set a password length requirement by default. The STIG
recommends passwords to be a minimum of 14 characters in length. To apply this
setting, set the following Ansible variable:
The STIG recommends passwords to be a minimum of 14 characters in length. To
apply this setting, set the following Ansible variable:

.. code-block:: yaml

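Review bot: the removed first sentence ("Ubuntu 14.04 does not set a password length requirement by default") was the justification for the "Configuration required" heading; after this change the note no longer says what any of the three platforms defaults to. Either keep the sentence generalised to "Ubuntu 14.04, Ubuntu 16.04, and CentOS 7" as the other notes in this patch do, or the heading is left unexplained. The same applies to the two password-ageing notes that follow.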
@@ -1,9 +1,7 @@
**Configuration required**

Ubuntu doesn't set a limitation on how frequently uses can change passwords.
However, the STIG recommends setting a limit of one password change per day.

To enable this configuration, use this Ansible variable:
The STIG recommends setting a limit of one password change per day. To enable
this configuration, use this Ansible variable:

.. code-block:: yaml

@@ -1,10 +1,7 @@
**Configuration required**

Ubuntu doesn't set a limitation on the age of passwords.
However, the STIG recommends setting a limit of 60 days before a password must
be changed.

To enable this configuration, use this Ansible variable:
The STIG recommends setting a limit of 60 days before a password must
be changed. To enable this configuration, use this Ansible variable:

.. code-block:: yaml

@@ -1,18 +1,28 @@
**Exception**
**Opt-in required**

Operating system patching policies vary from organization to organization and
are typically established based on business requirements and risk tolerance.

If desired, automatic updates (using the ``unattended-upgrades`` package)
can be enabled via openstack-ansible-security by setting the following
variable to ``true``:
.. note::

    Automatically upgrading packages can provide significant security benefits,
    but they can reduce availability and reliability. Updating packages can
    cause daemons to restart on some systems and they can cause local
    customizations of configuration files to be lost.

    Deployers are **strongly urged** to understand the nature of this change
    and the associated risks prior to enabling automatic upgrades.

Deployers can enable automatic updates by setting
``security_unattended_upgrades`` to ``True`::

.. code-block:: yaml

    security_unattended_upgrades: true

Note that this will only apply updates made available to the distro-security
(eg. trusty-security) repositories.
In Ubuntu, the ``unattended-upgrades`` package is installed and enabled. This
will apply updates that are made available to the trusty-security (Ubuntu
14.04) or xenial-security (Ubuntu 16.04) repositories.

**Deployers are urged to fully understand the impact of enabling automatic
update before making the change.**
In CentOS, the ``yum-cron`` package is installed and configured to
automatically apply updates.
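Review bot: the added line "``security_unattended_upgrades`` to ``True`::" is malformed RST: the inline literal closes with a single backtick, and the trailing "::" opens a literal block that then collides with the ".. code-block:: yaml" directive on the next line. Write it as "``security_unattended_upgrades`` to ``true``:" (matching the YAML value shown) and drop the "::". Separately, "In Ubuntu, the ``unattended-upgrades`` package is installed and enabled" reads as unconditional under an "Opt-in required" heading; prefix it with "When enabled," (and likewise the CentOS ``yum-cron`` sentence).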
@@ -1,3 +1,3 @@
The Ansible task for V-38462 already checks for apt configurations that would
disable any GPG checks when installing packages. However, it's possible for
The Ansible task for V-38462 already checks for configurations that would
disable any GPG checks when installing packages. However, it is possible for
the root user to override these configurations via command line parameters.
@@ -1,3 +1,3 @@
Ubuntu 14.04 already enables the display of the last successful login for a
user immediately after login.  An Ansible task ensures this setting is
applied and restarts the ssh daemon if necessary.
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 already enable the display of the last
successful login for a user immediately after login.  An Ansible task ensures
this setting is applied and restarts the ssh daemon if necessary.
@@ -1 +1,2 @@
The ``aide`` package will be installed by Ansible tasks.
The security role installs and configures the ``aide`` package to provide file
integrity monitoring on the host.
@@ -1,2 +1,10 @@
The virtual consoles mentioned in V-38492 aren't used in Ubuntu 14.04 by
default.
**Exception**

Virtual consoles are helpful during an emergency and they can only be reached
by physical or other out-of-band access (such as DRAC, iLO, or iKVM). This
change can be confusing for system administrators and it is left up to the
deployer to complete.

As an alternative, deployers could take action to restrict physical access to
server terminals. Out-of-band access mechanisms should be segmented onto their
own restricted network and should use centralized authentication.
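Review bot: with the old opening sentence removed, "This change can be confusing for system administrators" never says which change is being left to the deployer. Name the V-38492 control (restricting logins on the virtual consoles) in the first added paragraph before explaining why the role does not apply it.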
@@ -1,3 +1,3 @@
Ubuntu 14.04 sets the mode of ``/var/log/audit/`` to ``0750`` by default. The
Ansible task for this requirement ensures that the mode is ``0750`` (which
is more strict than the STIG requirement).
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the mode of ``/var/log/audit/`` to
``0750`` by default. The Ansible task for this requirement ensures that the
mode is ``0750`` (which is more strict than the STIG requirement).
@@ -1,2 +1,2 @@
Ubuntu 14.04 sets the user and group ownership of ``/etc/passwd`` to root by
default. The Ansible task will ensure that the default is maintained.
The user and group ownership of ``/etc/passwd`` is root by default. The Ansible
task will ensure that the default is maintained.
@@ -1,2 +1,2 @@
Ubuntu 14.04 sets the user and group ownership of ``/etc/passwd`` to root by
default. The Ansible task will ensure that the default is maintained.
The user and group ownership of ``/etc/passwd`` is root by default. The Ansible
task will ensure that the default is maintained.
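Review bot: this hunk is identical to the preceding one for ``/etc/passwd``. If the two are separate developer notes for separate controls (user ownership and group ownership), make each note say which aspect it covers instead of "user and group" in both; if one is an accidental copy, drop it.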
@@ -1,5 +1,8 @@
Although Ubuntu 14.04's default for ``/etc/shadow`` is ``0640``, the STIG
requires a mode of ``0000``. This doesn't affect how the system operates since
root is the only user that should be able to read from and write to
``/etc/shadow``.  Allowing users to read the file could open up the system
to attacks since the password hashes can be dumped and brute forced.
Ubuntu 14.04 and Ubuntu 16.04 set the mode of ``/etc/shadow`` to ``0640``, but
CentOS 7 sets it to ``000``. The STIG requires the mode to be ``000`` and the
Ansible tasks in the security role ensure that the mode meets the requirement.

**Special note for Ubuntu:** This change doesn't affect how the system operates
since root is the only user that should be able to read from and write to
``/etc/shadow``. Allowing users to read the file could open up the system to
attacks since the password hashes can be dumped and brute forced.
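Review bot: the added lines write the mode as ``000`` while the same hunk writes ``0640`` and the removed line wrote ``0000``; use the four-digit form ``0000`` throughout so the two values are directly comparable.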
@@ -1,6 +1,7 @@
The Datagram Congestion Control Protocol (DCCP) must be disabled if it's not
needed. Neither Ubuntu 14.04 or openstack-ansible utilizes this kernel
module and the Ansible tasks will disable it by default.
needed. Although this protocol is occasionally used in some OpenStack
environments for quality of service functions, it is not in the default
implementation.

To opt-out of this change, simply change the following variable to ``no``:

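Review bot: "it is not in the default implementation" is vague (default implementation of what?), and the removed line was the only place that said the role disables the module by default; the opt-out sentence below only implies it. State it directly, for example: "It is not used by a default OpenStack deployment, so the security role disables the module by default."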
@@ -1,7 +1,5 @@
The Stream Control Transmission Protocol (SCTP) must be disabled. This module
isn't used by Ubuntu 14.04 or openstack-ansible by default.

To opt-out of this change, set the following variable to ``no``:
The Stream Control Transmission Protocol (SCTP) must be disabled. To opt-out of
this change, set the following variable to ``no``:

.. code-block:: yaml

@@ -1,11 +1,8 @@
The `Transparent Inter-Process Communication (TIPC)`_ protocol must be
disabled. Neither Ubuntu 14.04 or openstack-ansible enables this module by
default, so the Ansible tasks in this role will disable the module.
disabled. To opt-out of this change, set the following variable to ``no``:

.. _Transparent Inter-Process Communication (TIPC): https://en.wikipedia.org/wiki/TIPC

To opt-out of this change, set the following variable to ``no``:

.. code-block:: yaml

    security_disable_module_tipc: no
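Review bot: after this change the ".. _Transparent Inter-Process Communication (TIPC):" hyperlink target sits between the added lead-in that ends in a colon ("set the following variable to ``no``:") and the ".. code-block:: yaml" it introduces. Move the target to the end of the file so the sentence is followed directly by its code block.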
@@ -3,3 +3,6 @@
Different systems may have different log files populated depending on the type
of data that ``rsyslogd`` receives. By default, log files are created with the
user and group ownership set to root.

Deployers should review the files generated by the ``rsyslogd`` daemon to
verify that they have the most restrictive ownership and permissions.
@@ -1,6 +1,6 @@
The STIG requires SHA512 to be used for hashing password since it is
in the list of FIPS 140-2 approved hashing algorithms. This is also the
default in Ubuntu 14.04.
default in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7.

The Ansible tasks will verify that the secure default is still set in the
system's PAM configuration. If it has been altered, the playbook will fail
@@ -1,6 +1,6 @@
The STIG requires SHA512 to be used for hashing password since it is
in the list of FIPS 140-2 approved hashing algorithms. This is also the
default in Ubuntu 14.04.
default in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7.

The Ansible tasks will verify that the secure default is still set in
``/etc/login.defs``. If it has been altered, the playbook will fail
@@ -1,6 +1,6 @@
The STIG requires SHA512 to be used for hashing password since it is
in the list of FIPS 140-2 approved hashing algorithms. This is also the
default in Ubuntu 14.04.
default in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7.

The ``libuser`` package isn't installed by default in Ubuntu or via
openstack-ansible. The Ansible tasks will do the following:
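Review bot: the unchanged context line "The ``libuser`` package isn't installed by default in Ubuntu or via openstack-ansible" still carries the Ubuntu-only wording that the rest of this patch replaces with "Ubuntu 14.04, Ubuntu 16.04, and CentOS 7"; update it in the same change so the note does not contradict its own first paragraph.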
@@ -1,2 +1,9 @@
Ubuntu 14.04 sets the ownership on ``/boot/grub/grub.cfg`` to root by default.
The Ansible task will ensure that the secure default is maintained.

In Ubuntu 16.04 and CentOS 7, the bootloader configuration files in
``/boot/grub2`` are owned by the root user by default.

Deployers should monitor these files for changes in ownership, permissions and
contents. The ``aide`` daemon is installed by the security role to monitor
these files.
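Review bot: "The ``aide`` daemon" conflicts with the ``aide`` note earlier in this patch, which describes it as a package the role "installs and configures"; use "package" here as well.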
@@ -1 +1,9 @@
The permissions on ``/boot/grub/grub.cfg`` will be set to ``0644``.
**Exception for grub2**

For Ubuntu 14.04, the permissions on ``/boot/grub/grub.cfg`` will be set to
``0644``.

Ubuntu 16.04 and CentOS 7 use grub2. The configuration files in ``/boot/grub2``
are regenerated when new kernels are installed or when the root user
regenerates the configuration file. File ownership and permissions are set
appropriately after each of these events.
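Review bot: "File ownership and permissions are set appropriately after each of these events" does not say what mode the regenerated ``/boot/grub2`` files end up with, nor whether the role checks it. Since the Ubuntu 14.04 sentence states ``0644``, state the grub2 result too (or say explicitly that the role leaves the mode to grub2) so the exception can be verified by a reader.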
@@ -1,3 +1,3 @@
The Ansible tasks will set ``kernel.randomize_va_space=2`` immediately and
will also ensure that the setting is applied on the next boot. This setting
is currently the default in Ubuntu 14.04.
is currently the default in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7.
@@ -1,6 +1,5 @@
Although Red Hat kernels provide ExecShield, Ubuntu provides Non-Executable
Memory (NX) support and it is enabled by default.  There's not an option
to enable or disable it.
Non-Executable Memory (NX) is the successor to ExecShield, and it is enabled by
default on Ubuntu 14.04, Ubuntu 16.04, and CentOS 7.

For more information, refer to `Ubuntu's security feature documentation on
NX`_.
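Review bot: "Non-Executable Memory (NX) is the successor to ExecShield" is doubtful. NX is a processor feature that the kernel uses, while ExecShield was a Red Hat kernel patch set, so the removed wording ("Red Hat kernels provide ExecShield, Ubuntu provides NX") was closer to the truth. Suggested: "Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 all rely on Non-Executable Memory (NX) support, which is enabled by default." The remaining link also points only at Ubuntu's documentation now that CentOS 7 is covered by the sentence.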
@@ -1,5 +1,10 @@
The ``nis`` package is Ubuntu's equivalent of Red Hat's ``ypserv`` package.
The Ansible tasks will remove the ``nis`` package if it is installed. To
This packages is named differently depending on the Linux distribution:

* Ubuntu 14.04: ``nis``
* Ubuntu 16.04: ``nis``
* CentOS 7: ``ypserv``

The Ansible tasks will remove the appropriate package if it is installed. To
opt-out of this change, adjust the following configuration variable to ``no``:

.. code-block:: yaml
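Review bot: typo in the first added line: "This packages is named differently" should read "This package is named differently".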
@@ -1,6 +1 @@
**Exception**

The ``ypbind`` service is removed as part of V-38603 where the ``nis`` package
is removed from the system entirely. Since neither Ubuntu nor
openstack-ansible install any NIS-related services, this configuration is
skipped.
The ``ypbind`` service is removed entirely as part of V-38603.
@@ -1,4 +1,4 @@
The ``cron`` service is running by default in Ubuntu and is required for
openstack-ansible's services to function properly. The Ansible tasks in
this role will ensure that ``cron`` is running and is configured to start
at boot time.
The ``cron`` service is running by default in Ubuntu 14.04, Ubuntu 16.04, and
CentOS 7. It is required for various OpenStack services to function properly.
The Ansible tasks in this role will ensure that ``cron`` is running and is
configured to start at boot time.
@@ -1,5 +1,13 @@
The ``tftpd`` package in Ubuntu will be removed. To opt-out, adjust the
following configuration variable to ``no``:
The package containing the tftp daemon has different names depending on the
Linux distribution:

* Ubuntu 14.04: ``tftpd``
* Ubuntu 16.04: ``tftpd``
* CentOS 7: ``tftp-server``

The Ansible tasks will select the appropriate package for the Linux
distribution and remove the package. To opt-out, adjust the following
configuration variable to ``no``:

.. code-block:: yaml

@@ -1,3 +1 @@
The ``tftpd`` service is removed by V-38606 and it is not installed by
Ubuntu or openstack-ansible by default. For this reason, it's recommended
to remove the service by using the Ansible task from V-38606.
The package containing the ``tftpd`` service is removed by V-38606.
@@ -1,3 +1,3 @@
By default, Ubuntu configures the ssh daemon so that rsh's .rhosts files are
ignored. The Ansible tasks will ensure that this setting hasn't changed
from the default.
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 configure the ssh daemon so that rsh's
.rhosts files are ignored by default. The Ansible tasks will ensure that this
setting has not changed from the default.
@@ -1 +1,2 @@
The tasks in sshd.yml will ensure that SSH does not allow host based authentication.
The Ansible tasks in the security role ensure that the ssh daemon does not
allow host based authentication.
@@ -1,6 +1,8 @@
Ubuntu sets the mode on rsyslog files to ``0640`` by default, but the STIG
requires ``0600`` or less. The Ansible tasks will adjust the rsyslog
configuration so that any new log files will have the mode set to ``0600``.
The mode on rsyslog files is set to ``0640`` by default in Ubuntu 14.04 and
Ubuntu 16.04 by default. CentOS 7 sets the mode to ``0600`` by default. The
Ansible tasks will adjust the rsyslog configuration so that any new log files
will have the mode set to ``0600``.

This will take effect the next time that log files are rotated with
``logrotate`` (configured in V-38624).
``logrotate`` (configured in V-38624). Deployers can also make this change
manually with ``chmod``.
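Review bot: the first added sentence says "by default" twice ("is set to ``0640`` by default in Ubuntu 14.04 and Ubuntu 16.04 by default"); drop one of them. The new text also no longer says that the STIG requires ``0600`` or less, which the removed line did and which is the reason the role changes the rsyslog configuration; keep that clause.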
@@ -1,8 +1,9 @@
**Exception**

Neither Ubuntu 14.04 or openstack-ansible configures LDAP authentication by
default. Deployers that use LDAP authentication for systems are strongly
urged to use TLS connectivity between client hosts and LDAP servers to
prevent eavesdroppers on the network from reading the authentication attempts
as they are made. The certificates on the LDAP server must be trusted by
each client.
Deployers that use LDAP authentication for systems are strongly urged to use
TLS connectivity between client hosts and LDAP servers to prevent eavesdroppers
on the network from reading the authentication attempts as they are made. The
certificates on the LDAP server must be trusted by each client.

The tasks in the security role do not adjust the LDAP configuration since this
could disrupt future authentication attempts.
@@ -1,6 +1,7 @@
Ubuntu's default setting for ``security_max_log_file`` matches the STIG
requirement of rotating logs when they reach 6MB. The Ansible task for this
STIG requirement ensures that the secure default is maintained.
The default setting for ``security_max_log_file`` in Ubuntu 14.04, Ubuntu
16.04, and CentOS 7 matches the STIG requirement of rotating logs when they
reach 6MB. The Ansible task for this STIG requirement ensures that the secure
default is maintained.

Deployers who want to exceed the STIG guideline can increase the size of logs
by adjusting the following Ansible variable:
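Review bot: "The default setting for ``security_max_log_file`` in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7" attributes a distribution default to the role's own variable. The distributions ship a default for auditd's ``max_log_file``; ``security_max_log_file`` is what the deployer adjusts, as the last added sentence says. Reword the first sentence to name the auditd setting. The same applies to ``security_max_log_file_action`` in the next hunk.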
@@ -1,6 +1,6 @@
Ubuntu's default action for ``security_max_log_file_action`` is to rotate the
logs. This meets the STIG requirements and the Ansible task will ensure that
the secure default is maintained.
The default action for ``security_max_log_file_action`` on Ubuntu 14.04, Ubuntu
16.04, and CentOS 7 is to rotate the logs. This meets the STIG requirements and
the Ansible task will ensure that the secure default is maintained.

Use caution when changing this option. Certain values, like ``SUSPEND`` will
cause the audit daemon to lock the machine when the maximum size for a log
@@ -1,6 +1,8 @@
The auditd package is verified with ``debsums`` and the playbook will fail
immediately if any of the files from the auditd package have been altered.
This could be the sign of a system compromise.
The auditd package is verified with ``debsums`` in Ubuntu and with ``rpm`` in
CentOS. The playbook will fail immediately if any of the files from the auditd
package have been altered. This could be the sign of a system compromise.

If the ``debsums`` package isn't installed, the Ansible task will install it
during the playbook run.
.. note::

    If the ``debsums`` package isn't installed on Ubuntu, the Ansible task will
    install it during the playbook run.
 
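Review bot: the paragraph says the playbook fails if "any of the files from the auditd package have been altered" but doesn't say whether locally edited configuration files, which deployers are expected to change, count as altered; state which checks the ``debsums`` and ``rpm`` verifications apply, and how a deployer recovers when the failure is caused by an intentional change rather than a compromise.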
@@ -1,5 +1,7 @@
**Exception**

Although neither Ubuntu 14.04 or openstack-ansible mount remote filesystems
by default, deployers are urged to use the ``nodev`` option on any remotely
mounted filesystems whenever possible.
Deployers are urged to use the ``nodev`` option on any remotely mounted
filesystems whenever possible.

The security role does not take action on filesystem mounts since this could
affect the stability or availability of the host.
 
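Review bot: since the role takes no action on mounts, the note leaves the reader with nothing to check; add a sentence saying how to confirm the exception by hand, e.g. "Review the options of remote filesystems in ``/etc/fstab`` or in the output of ``mount`` and add ``nodev`` where it is missing."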
@@ -1,6 +1,7 @@
**Exception**

Although neither Ubuntu 14.04 or openstack-ansible mount remote filesystems
by default, deployers are urged to use the ``nosuid`` option on any remotely
mounted filesystems whenever possible.
Deployers are urged to use the ``nosuid`` option on any remotely mounted
filesystems whenever possible.

The security role does not take action on filesystem mounts since this could
affect the stability or availability of the host.
 
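Review bot: this hunk duplicates the ``nodev`` note above with ``nosuid`` swapped in, so keep the two in step (the same manual check belongs here), and consider one clause on why the option matters, e.g. "so that setuid binaries on a remote filesystem cannot be used to gain privileges on this host."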
@@ -1,8 +1,6 @@
Although neither Ubuntu 14.04 or openstack-ansible install or configure the
SNMP daemon by default, the Ansible tasks will check to see if the SNMP
configuration file is present. If the file is present, and the file contains
configurations for insecure SNMP protocols, an error will be
printed and the playbook will fail.
The Ansible tasks will check to see if the SNMP configuration file is present.
If the file is present, and the file contains configurations for insecure SNMP
protocols, an error will be printed and the playbook will fail.

The task specifically looks for uncommented configuration lines containing:

 
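Review bot: the paragraph never names the SNMP configuration file the task inspects, nor says which protocol versions it treats as "insecure", so a deployer cannot reproduce the check by hand; give the file path, and state up front that the directives listed after "containing:" are the ones that trigger the failure.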
@@ -1,5 +1,5 @@
The AIDE package is already installed as part of the Ansible tasks to fix
V-38429, but these Ansible tasks will verify that the cron job file is actually
in place. Ubuntu will configure the cron job automatically as soon as the
package is installed. If the cron job is missing, an error will be printed
and the playbook will fail.
in place. The cron job is installed as part of the aide package installation.
If the cron job is missing, an error will be printed and the playbook will
fail.
 
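Review bot: "the aide package" should use the literal markup these notes use for package names (``aide``), and the note should state the path of the cron job file the task checks so a deployer can confirm it exists before the playbook fails.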
@@ -1,7 +1,4 @@
Although neither Ubuntu nor openstack-ansible install or configure sendmail
by default, the Ansible task will remove the sendmail package if it exists on
the system.

The security role will remove the sendmail package if it exists on the system.
To opt-out of this change, adjust the following Ansible variable to ``no``:

.. code-block:: yaml
 
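Review bot: "opt-out" is the noun form; as a verb it should be "To opt out of this change" (the same phrase appears in the ``bluetooth`` hunk below). The variable the sentence refers to lies outside this hunk's context, so double-check that the ``.. code-block:: yaml`` that follows still carries it.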
@@ -1,4 +1,10 @@
Ubuntu sets the default runlevel in ``/etc/init/rc-sysinit.conf`` and it should
be set to ``2`` on Ubuntu systems. The Ansible task will verify that the
correct runlevel is set. If the verification fails, an error will be printed
and the playbook will fail.
Ubuntu 14.04 sets the default runlevel in ``/etc/init/rc-sysinit.conf`` and it
should be set to ``2`` on Ubuntu systems. The Ansible task will verify that the
correct runlevel is set.

For operating systems that use systemd, such as Ubuntu 16.04 and CentOS 7, the
Ansible tasks will verify that the ``graphical.target`` is not loaded by
default.

If any of these verifications fails, an error will be printed and the playbook
will fail.
 
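Review bot: "should be set to ``2`` on Ubuntu systems" is now ambiguous because Ubuntu 16.04 is covered by the systemd paragraph; change it to "on Ubuntu 14.04 systems". In the systemd paragraph, "is not loaded by default" would be clearer as "is not the default target", and "If any of these verifications fails" should read "fail".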
@@ -3,6 +3,6 @@ will trigger the ``security_space_left_action``. The threshold of remaining
disk space is configured by ``security_space_left`` in
``/etc/audit/auditd.conf``.

By default, Ubuntu sets this value to 75 megabytes. The STIG doesn't set a
specific requirement for the exact size, so the Ansible task will ensure that
the Ubuntu default of 75 megabytes is set.
By default, Ubuntu 14.04, Ubuntu 16.04 and CentOS 7 set this value to 75
megabytes. The STIG doesn't set a specific requirement for the exact size, so
the Ansible task will ensure that the default of 75 megabytes is set.
 
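Review bot: the last sentence says the task "will ensure that the default of 75 megabytes is set", which reads as if the role overwrites a larger threshold a deployer has chosen; since ``security_space_left`` is named as the configurable value, say explicitly that 75 megabytes is only the default and that deployers can raise it through that variable.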
@@ -1,6 +1,5 @@
Although neither Ubuntu 14.04 or openstack-ansible installs the ``bluetooth``
package, the Ansible tasks will disable the service and stop it if it's found
to be running on the system.
The Ansible tasks will disable the ``bluetooth`` service and stop it if it is
running on the system.

To opt-out of this change, adjust the following Ansible variable to ``no``:

 
@@ -1,10 +1,14 @@
Ubuntu loads the AppArmor module by default starting with version 8.04. For
more information, review the `AppArmor documentation`_ on Ubuntu's site.
In addition, the openstack-ansible project configures AppArmor policies
In addition, the OpenStack-Ansible project configures AppArmor policies
for the LXC containers which run the OpenStack infrastructure.

The tasks for this STIG will verify that AppArmor is enabled via the
``apparmor_status``. The playbook will fail if AppArmor is found to be
disabled on the host.

On CentOS 7, the security role will verify that SELinux is in *Enforcing* mode.
If SELinux is in *Disabled* or *Permissive* mode, the playbook will fail with
an error message.

.. _AppArmor documentation: https://help.ubuntu.com/community/AppArmor
 
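Review bot: "verify that AppArmor is enabled via the ``apparmor_status``" is missing a word; write "via the ``apparmor_status`` command". The opening paragraph is also Ubuntu-specific while the hunk adds CentOS 7, so state that the AppArmor check runs only on Ubuntu hosts and the SELinux check only on CentOS 7; otherwise a reader may expect the playbook to fail on CentOS for lacking AppArmor.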
@@ -1,4 +1,7 @@
The openstack-ansible project configures AppArmor to limit the actions of
containers and reduce the changes (and potential damages) of a container
breakout.  The RHEL 6 STIG mentions SELinux but the existing SELinux policies
provided with Ubuntu aren't as well maintained as those provided with RHEL.
For Ubuntu, the standard AppArmor policies provided by the AppArmor package are
loaded. The OpenStack-Ansible project also configures AppArmor to limit the
actions of containers and reduce the changes (and potential damages) of a
container breakout.

On CentOS 7, the ``selinux-policy-targeted`` package provides SELinux policies
that enforce limits on system services and users.
 
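Review bot: the typo "reduce the changes (and potential damages) of a container breakout" was carried over from the old text into the new paragraph; it should read "reduce the chances (and potential damage) of a container breakout".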
@@ -3,11 +3,14 @@
The STIG requires that the audit system must switch the entire system into
single-user mode when the space for logging becomes dangerously low.

**This will cause serious service disruptions for any environment and should
only be enabled for extremely high security environments.**
.. note::

Ubuntu sets ``security_admin_space_left_action`` to ``SUSPEND`` by default, and
this will cause logging to be temporarily suspended until disk space is freed.
    **This will cause serious service disruptions for any environment and
    should only be enabled for extremely high security environments.**

The ``security_admin_space_left_action`` configuration is set to ``SUSPEND`` by
default, and this will cause logging to be temporarily suspended until disk
space is freed.

For extremely high security environments, this Ansible variable can be
provided to meet the requirements of the STIG:
 
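Review bot: the new ``security_admin_space_left_action`` paragraph says the ``SUSPEND`` default suspends logging until disk space is freed but doesn't spell out the consequence that audit events occurring while logging is suspended are never recorded; add one sentence to that effect and advise deployers to monitor free space on the filesystem holding ``/var/log/audit`` so the threshold is not reached in the first place.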