Merge "Docs: Update dev notes for Cat 1 controls"
@@ -1,11 +1,20 @@
**Exception**
Verifying contents of files installed from packages is more difficult in
Ubuntu, mainly due to the lack of an equivalent of ``rpm -V``. The ``debsums``
package installs the ``debsums`` command and that can be used to look for
files that have changed since the package was installed.
Although Ubuntu provides the ``debsums`` command for checking the contents of
files installed from packages, it cannot perform a detailed level of checking
sufficient to meet the STIG requirement. Some packages are not shipped with MD5
checksums for all files. Deployers are encouraged to use ``debsums -c``
regularly to check for alterations in as many packages as possible.
However, not all packages have MD5 checksums for all files and ``debsums``
doesn't do detailed checking like ``rpm``. Deployers are urged to run
``debsums -c`` to review changes made to files on their systems. This report
takes a long time to run on most systems.
Ubuntu does not currently have a capability to check file permissions,
ownership, or group ownership against the permissions that were originally set
when the package was installed.
In CentOS, the ``rpm`` command can verify package contents, ownership, group
ownership, and permissions after the package has been installed. However, many
configuration files are changed by the security role and this will cause the
verification to fail.
Deployers should utilize the monitoring capabilities of the ``aide`` package
(which is installed by other Ansible tasks in this role) to determine which
configuration files, libraries or binaries may have been changed.
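Review bot: the CentOS paragraph says ``rpm`` verification will fail for configuration files the role changes, but the ``aide`` paragraph that follows has the same problem and does not say so: an ``aide`` database initialised before the role runs will report the role's own edits as changes. Suggest adding a sentence that the ``aide`` baseline should be (re)initialised after the role has applied its changes, and stating which of the checks the STIG wants (contents, ownership, group ownership, permissions) ``aide`` covers on Ubuntu where ``debsums`` cannot, since this note is now the target of the V-38452/V-38453/V-38454 symlinks below.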
@@ -1,5 +0,0 @@
**Exception**
Verifying permissions of installed packages isn't possible in the current
version of ``dpkg`` as it is with ``rpm``. This security configuration is
skipped.
doc/source/developer-notes/V-38452.rst (symbolic link)
@@ -0,0 +1 @@
V-38447.rst
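Review bot: replacing V-38452.rst with a symlink to V-38447.rst means the deleted statement that the permissions check is "skipped" on ``dpkg`` systems now survives only as the "Ubuntu does not currently have a capability to check file permissions, ownership, or group ownership" paragraph in V-38447; please keep that paragraph in sync with this exception, as it is now the only text covering V-38452. The same applies to the V-38453 and V-38454 symlinks below.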
@@ -1,5 +0,0 @@
**Exception**
Verifying ownership of installed packages isn't possible in the current
version of ``dpkg`` as it is with ``rpm``. This security configuration is
skipped.
doc/source/developer-notes/V-38453.rst (symbolic link)
@@ -0,0 +1 @@
V-38447.rst
@@ -1,6 +0,0 @@
**Exception**
Verifying ownership of installed packages isn't possible in the current
version of ``dpkg`` as it is with ``rpm``. This security configuration is
skipped.
doc/source/developer-notes/V-38454.rst (symbolic link)
@@ -0,0 +1 @@
V-38447.rst
@@ -1,4 +1,6 @@
**Exception**
Ubuntu doesn't use the Red Hat Network Service, so this requirement doesn't
apply.
Ubuntu and CentOS do not use the Red Hat Network Service. However, there are
tasks in the security role which ensure that all packages have GPG checks
enabled (see V-38462) and provide the option for deployers to apply updates
automatically.
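Review bot: the new text says the role provides "the option for deployers to apply updates automatically" but, unlike the other opt-in/opt-out notes in this change (``security_disable_abrtd``, ``security_umask_login_defs``), it does not name the variable; add the variable name and its default in a ``.. code-block:: yaml`` so deployers can find it. The label is also still **Exception** although the note now describes tasks the role performs and defers to V-38462, so the **Fixed by another STIG** label used elsewhere in this change fits better.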
@@ -1,5 +1,4 @@
The `Reliable Datagram Sockets (RDS)`_ protocol must be disabled. Neither Ubuntu
14.04 or openstack-ansible enables this module by default, so the Ansible
The `Reliable Datagram Sockets (RDS)`_ protocol must be disabled. The Ansible
tasks in this role will disable the module.
.. _Reliable Datagram Sockets (RDS): https://en.wikipedia.org/wiki/Reliable_Datagram_Sockets
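Review bot: "will disable the module" no longer says how; with the sentence about the module not being enabled by default removed, state the mechanism the tasks use (a modprobe configuration entry or similar) and whether an opt-out variable exists, as the other notes in this change do, so deployers know where to look if RDS is needed.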
@@ -1,6 +1,5 @@
**Exception**
Neither Ubuntu or openstack-ansible installs a graphical desktop by default.
Deployers are urged to use graphical desktops only on client machines that
connect to the OpenStack environment, rather than configuring graphical
desktops within the OpenStack infrastructure itself.
@@ -1 +1,7 @@
services.yml reads a list of services and their desired state from the 'defaults/main.yml' cat3_services variable. With this list the tasks will ensure the services are in the state desired by their corresponding STIG requirement.
The Ansible tasks in the security role will disable the abrtd service and stop
the service immediately. To opt-out of this change, set the following Ansible
variable:
.. code-block:: yaml
security_disable_abrtd: no
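Review bot: ``abrtd`` is a Red Hat/CentOS service, so the note should say what the tasks do on Ubuntu when the service does not exist (skipped or a no-op); otherwise readers will expect a failure there. Please also check that the body of the ``.. code-block:: yaml`` directive is indented relative to the directive line, since docutils renders an unindented body as ordinary prose.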
@@ -1 +1,7 @@
services.yml reads a list of services and their desired state from the 'defaults/main.yml' cat3_services variable. With this list the tasks will ensure the services are in the state desired by their corresponding STIG requirement.
The Ansible tasks in the security role will disable the atd service and stop
the service immediately. To opt-out of this change, set the following Ansible
variable:
.. code-block:: yaml
security_disable_atd: no
@@ -1,7 +1,7 @@
**Opt-in required**
The STIG requires that daemons have their umask set to ``027`` or ``022``.
Since changing umasks can disrupt some systems, this is an opt-in change.
Deployers that want this change applied to their systems must set the Ansible
variable ``security_umask_daemons_init`` to ``027``. The current default for
Ubuntu 14.04 is ``027`` already, so deployers do not need to make any
adjustments to Ansible variables to meet the STIG requirement.
variable ``security_umask_daemons_init`` to ``027``.
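Review bot: with the sentence about Ubuntu 14.04 already defaulting to ``027`` gone, the note no longer says what the role does when ``security_umask_daemons_init`` is unset, nor what either platform's default is; one sentence ("no change is made unless the variable is set") would keep the **Opt-in required** label unambiguous.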
@@ -1,7 +1,2 @@
**Special case**
Ubuntu doesn't provide the same ``ntpdate`` service that a Red Hat Enterprise
Linux 6 server would have. In addition, time synchronization is added within
the fixes for V-38620 (where ``chrony`` is installed and configured).
There is no action to be taken on Ubuntu for this STIG.
Time synchronization is added within the fixes for V-38620 (where ``chrony`` is
installed and configured). The ``ntpdate`` service is not used.
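Review bot: the **Special case** label line is dropped along with the prose, leaving this note as the only one in the change without a status label; since the text now simply defers to V-38620, reuse the **Fixed by another STIG** label this change uses elsewhere.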
@@ -1,8 +1,8 @@
**Exception**
Ubuntu's default umask setting in ``/etc/login.defs`` is ``022``, but the STIG
requires ``077`` to be set. Since changing umask settings can disrupt some
systems, this change requires a deployer to opt-in.
Changing umask settings can disrupt some systems and this change requires a
deployer to opt-in. To opt-in for this change and adjust the umask, set the following Ansible variable:
To opt-in for this change and adjust the umask, the Ansible variable
``security_umask_login_defs`` must be set to ``077``.
.. code-block:: yaml
security_umask_login_defs: 077
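Review bot: ``security_umask_login_defs: 077`` is unquoted in the YAML example; YAML 1.1 parsers, which is what Ansible uses, read a leading-zero integer as octal, so the variable arrives as the integer 63 rather than the string ``077``. Unless the role's tasks normalise this, write it as ``security_umask_login_defs: "077"``; the same applies to the ``027`` value for ``security_umask_daemons_init`` above. The rewrite also drops the statement that Ubuntu's default is ``022`` and that the STIG requires ``077``, so the requirement is now only implied by the example value; keep one sentence stating it.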
@@ -1,5 +1,5 @@
**Special case**
Ubuntu doesn't package the ``oddjobd`` daemon, so there are no packages to
remove or daemons to stop. There is no action to be taken for this STIG on
Ubuntu 14.04.
Very few environments run the ``oddjobd`` service, and those that do run it are
usually associated with highly-available, clustered systems. Deployers will
need to disable this service manually if it is running on the system.
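Review bot: the label stays **Special case** but the note now asks deployers to disable the service manually; say explicitly that the role does not check for or stop ``oddjobd`` so the manual step is not overlooked. Also drop the hyphen in "highly-available" (an -ly adverb before an adjective is not hyphenated).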
@@ -1,5 +1,9 @@
**Fixed by another STIG**
Ubuntu 14.04 doesn't use umask settings in ``/etc/profile``. Those settings
are expected to be in ``/etc/login.defs`` instead. See V-38645 for more
details.
are expected to be in ``/etc/login.defs`` instead.
For CentOS 7, umask settings are present in ``/etc/profile`` but they are
overidden by settings in ``/etc/login.defs``.
See V-38645 for more details.
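Review bot: "overidden" is misspelt (overridden). Please also verify the direction of precedence in the new CentOS 7 paragraph: ``/etc/profile`` is sourced by the login shell after login has already applied the ``UMASK`` value from ``/etc/login.defs``, so for interactive shells the ``/etc/profile`` setting is the one that takes effect, not the other way round. If the role only manages ``/etc/login.defs`` (per V-38645), the note should say that ``/etc/profile`` still needs attention on CentOS 7 rather than that it is overridden.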
@@ -1,9 +1,7 @@
**Opt-in required**
Neither Ubuntu or openstack-ansible installs the csh shell by default.
Since umask changes can be disruptive on some systems, the deployer must
opt-in for this change to happen. If the ``security_umask_csh`` Ansible variable is
Since umask changes can be disruptive on some systems, the deployer must opt-in
for this change to happen. If the ``security_umask_csh`` Ansible variable is
set **and** the csh package is installed, the Ansible tasks will ensure the
appropriate umask is set in the csh configuration file.
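Review bot: this is the only **Opt-in required** note in the change without a ``.. code-block:: yaml`` showing the variable; the text says ``security_umask_csh`` must be "set" but not to what. Add the example with the required umask value (quoted, so that a leading-zero value is not read as octal) so deployers know the expected form. The two trailing blank lines added at the end of the file can also go.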
@@ -1,8 +1,7 @@
**Exception**
Neither Ubuntu nor openstack-ansible will configure any removable media mounts
by default. Deploys are strongly urged to mount any additional disks with the
``noexec`` mount option set.
Deployers are strongly urged to mount any additional disks with the ``noexec``
mount option set whenever possible.
For more information about the ``noexec`` mount option, review this `good
answer from a ServerFault user about noexec`_.
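Review bot: dropping the sentence that no removable media mounts are configured by default leaves the note without any statement of what the role does; with the **Exception** label readers will assume nothing is changed, so say so explicitly. "Any additional disks ... whenever possible" is also broader than the STIG's removable-media scope; the advice is sound, but it is worth flagging that a filesystem which must hold executables will break under ``noexec``, which is presumably what "whenever possible" is meant to cover.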
@@ -1,4 +1,3 @@
Although the ``samba`` server isn't installed by Ubuntu or openstack-ansible
by default, the Ansible tasks will check to see if the package is installed
and the configuration file will be adjusted. If adjustments are made, the
service will be restarted.
The Ansible tasks will check to see if the package is installed and the
configuration file will be adjusted. If adjustments are made, the service will
be restarted.
@@ -1,5 +1,4 @@
**Exception**
Ubuntu and openstack-ansible do not currently configure any samba share mounts
by default. However, deployers are urged to follow this STIG if they ever
mount samba shares within their infrastructure.
Deployers are urged to require SMB client signing if they ever mount samba
shares within their infrastructure.
@@ -1,5 +1,5 @@
Ubuntu doesn't restrict core dumps by default, but the STIG requires that core
dumps are disabled for all users unless absolutely necessary.
The security role will add a file in ``/etc/security/limits.d/`` that disables
core dumps for all users. Although this setting is more secure, it can prevent users from debugging kernel errors.
To opt-out of this change, set the following Ansible variable to ``no``:
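Review bot: "debugging kernel errors" is the wrong failure mode: a core limit in ``/etc/security/limits.d/`` governs core dumps of user processes (the ``ulimit -c`` limit), not kernel crashes, so what it prevents is debugging crashing applications. Suggest "it prevents users from obtaining core dumps to debug crashing processes". The second added line is also left unwrapped well past 80 columns while the rest of the file wraps at 80.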
@@ -1,5 +1,4 @@
Neither Ubuntu nor openstack-ansible install the X windows server by default.
The ansible tasks will remove the ``xserver-xorg`` package if it is present.
The Ansible tasks will remove the ``xserver-xorg`` package if it is present.
To opt-out of the change, set the following Ansible variable to ``no``:
@@ -1,11 +1,12 @@
**Opt-in required**
By default, Ubuntu doesn't require that inactive accounts are locked after a
period of time. The STIG requires that accounts with 35 days of activity are
locked.
Deployers must opt-in for this change by setting the following Ansible
variable:
Deployers must opt-in for this change by setting the
``security_inactive_account_lock_days`` Ansible variable. The STIG requires
this to be set to 35 days at a maximum. The Ansible tasks will not make any
changes to ``/etc/default/useradd`` unless
.. code-block:: yaml
security_inactive_account_lock_days: 35
The STIG requires this to be set to 35 days at a maximum. The Ansible tasks
will not make any changes to ``/etc/default/useradd`` unless
``security_inactive_account_lock_days`` is set.
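Review bot: the note should say that the ``INACTIVE`` setting in ``/etc/default/useradd`` only applies to accounts created after it is set; existing accounts keep their current inactivity value, so deployers who need the STIG's 35-day lock on existing users must adjust those accounts separately. The removed sentence ("accounts with 35 days of activity", which meant inactivity) was the only place that said what the lock actually is, so the new text should state that accounts unused for 35 days are locked before it says "35 days at a maximum".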
@@ -1,5 +1,4 @@
Although neither Ubuntu nor openstack-ansible installs or configures
``vsftpd`` by default, the Ansible task will ensure that the appropriate
log configuration lines are applied to ``/etc/vsftpd.conf`` to meet the
STIG requirements. If the ``vsftpd`` package isn't installed, the Ansible
tasks won't make any changes to the system.
The security role will ensure that the appropriate log configuration lines are
applied to ``/etc/vsftpd.conf`` to meet the STIG requirements. If the
``vsftpd`` package isn't installed, the Ansible tasks won't make any changes to
the system.