Merge "V-3851{4,5,6,7}: Disabling certain network protocols"

defaults/main.yml

@@ -166,8 +166,14 @@ num_logs: 5                                       # V-38636
 #password_warn_age: 7                             # V-38480
 
 ## Kernel modules
-# V-38490 - Set the line below to yes to disable usb-storage
+# Set these booleans to 'yes' to disable the kernel module (following the
-disable_usb_storage: no
+# STIG requirements). Set the boolean to 'no' to ensure no changes are made.
+disable_module:
+  dccp: yes                                       # V-38514
+  rds: yes                                        # V-38516
+  sctp: yes                                       # V-38515
+  tipc: yes                                       # V-38517
+  usb_storage: no                                 # V-38490
 
 ## sysctl tunables
 # ** DANGER **

doc/source/developer-notes/V-38490.rst

@@ -2,8 +2,10 @@
 
 Disabling the ``usb-storage`` module can add extra security, but it's not
 necessary on most systems. To disable the ``usb-storage`` module on hosts,
-set ``disable_usb_storage`` to ``yes``:
+set the following variable to ``yes``:
 
 .. code-block:: yaml
 
-    disable_usb_storage: yes
+    disable_module['usb_storage']: yes
+
+**NOTE:** The module will be disabled on the next reboot.

doc/source/developer-notes/V-38514.rst

@@ -0,0 +1,11 @@
+The Datagram Congestion Control Protocol (DCCP) must be disabled if it's not
+needed. Neither Ubuntu 14.04 or openstack-ansible utilizes this kernel
+module and the Ansible tasks will disable it by default.
+
+To opt-out of this change, simply change the following variable to ``no``:
+
+.. code-block:: yaml
+
+    disable_module['dccp']: no
+
+**NOTE:** The module will be disabled on the next reboot.

doc/source/developer-notes/V-38515.rst

@@ -0,0 +1,10 @@
+The Stream Control Transmission Protocol (SCTP) must be disabled. This module
+isn't used by Ubuntu 14.04 or openstack-ansible by default.
+
+To opt-out of this change, set the following variable to ``no``:
+
+.. code-block:: yaml
+
+    disable_module['sctp']: no
+
+**NOTE:** The module will be disabled on the next reboot.

doc/source/developer-notes/V-38516.rst

@@ -0,0 +1,13 @@
+The `Reliable Datagram Sockets (RDS)`_ protocol must be disabled. Neither Ubuntu
+14.04 or openstack-ansible enables this module by default, so the Ansible
+tasks in this role will disable the module.
+
+.. _Reliable Datagram Sockets (RDS): https://en.wikipedia.org/wiki/Reliable_Datagram_Sockets
+
+To opt-out of this change, set the following variable to ``no``:
+
+.. code-block:: yaml
+
+    disable_module['rds']: no
+
+**NOTE:** The module will be disabled on the next reboot.

doc/source/developer-notes/V-38517.rst

@@ -0,0 +1,13 @@
+The `Transparent Inter-Process Communication (TIPC)`_ protocol must be
+disabled. Neither Ubuntu 14.04 or openstack-ansible enables this module by
+default, so the Ansible tasks in this role will disable the module.
+
+.. _Transparent Inter-Process Communication (TIPC): https://en.wikipedia.org/wiki/TIPC
+
+To opt-out of this change, set the following variable to ``no``:
+
+.. code-block:: yaml
+
+    disable_module['tipc']: no
+
+**NOTE:** The module will be disabled on the next reboot.

tasks/kernel.yml

@@ -96,11 +96,55 @@
 
 - name: V-38490 - Disable usb-storage module
   lineinfile:
-    dest: /etc/modprobe.d/disable-usb-storage.conf
+    dest: /etc/modprobe.d/V-38490-disable-usb-storage.conf
     line: "install usb-storage /bin/true"
     create: yes
-  when: disable_usb_storage is defined and disable_usb_storage | bool
+  when: disable_module['usb_storage'] | bool
   tags:
     - kernel
     - cat2
     - V-38490
+
+- name: V-38514 - Disable DCCP
+  lineinfile:
+    dest: /etc/modprobe.d/V-38514-disable-dccp.conf
+    line: "install dccp /bin/true"
+    create: yes
+  when: disable_module['dccp'] | bool
+  tags:
+    - kernel
+    - cat2
+    - V-38514
+
+- name: V-38515 - Disable SCTP
+  lineinfile:
+    dest: /etc/modprobe.d/V-38515-disable-sctp.conf
+    line: "install sctp /bin/true"
+    create: yes
+  when: disable_module['sctp'] | bool
+  tags:
+    - kernel
+    - cat2
+    - V-38515
+
+- name: V-38516 - Disable RDS
+  lineinfile:
+    dest: /etc/modprobe.d/V-38516-disable-rds.conf
+    line: "install rds /bin/true"
+    create: yes
+  when: disable_module['rds'] | bool
+  tags:
+    - kernel
+    - cat3
+    - V-38516
+
+- name: V-38517 - Disable TIPC
+  lineinfile:
+    dest: /etc/modprobe.d/V-38517-disable-tipc.conf
+    line: "install tipc /bin/true"
+    create: yes
+  when: disable_module['tipc'] | bool
+  tags:
+    - kernel
+    - cat2
+    - V-38517