From f422da8599c6d8f64ebfefbf0a0aa711ea1f9569 Mon Sep 17 00:00:00 2001 
From: Markos Chandras Date: Thu, 22 Jun 2017 15:46:09 +0100 Subject: [PATCH] Add support for the openSUSE Leap distributions Add support for the openSUSE Leap distributions. The security rules are similar to the RedHat and Ubuntu ones. We also replace ansible_os_family with ansible_pkg_mgr since the former does not return consistent results across different SUSE distributions especially on older Ansible versions. Change-Id: I20ffe17039bb641aad70d8123f0b7e7417a42cba --- README.md | 2 + doc/metadata/rhel7/V-71855.rst | 4 +- doc/metadata/rhel7/V-71921.rst | 6 +- doc/metadata/rhel7/V-71923.rst | 3 +- doc/metadata/rhel7/V-71937.rst | 1 + doc/metadata/rhel7/V-71945.rst | 4 +- doc/metadata/rhel7/V-71969.rst | 1 + doc/metadata/rhel7/V-71977.rst | 7 ++- doc/metadata/rhel7/V-71979.rst | 7 ++- doc/metadata/rhel7/V-71989.rst | 4 +- doc/metadata/rhel7/V-71991.rst | 4 +- doc/metadata/rhel7/V-71995.rst | 7 ++- doc/metadata/rhel7/V-71997.rst | 4 +- doc/metadata/rhel7/V-71999.rst | 3 +- doc/metadata/rhel7/V-72013.rst | 6 +- doc/metadata/rhel7/V-72039.rst | 4 +- doc/metadata/rhel7/V-72051.rst | 5 +- doc/metadata/rhel7/V-72053.rst | 3 +- doc/metadata/rhel7/V-72067.rst | 12 ++-- doc/metadata/rhel7/V-72069.rst | 4 ++ doc/metadata/rhel7/V-72071.rst | 4 ++ doc/metadata/rhel7/V-72073.rst | 6 +- doc/metadata/rhel7/V-72077.rst | 1 + doc/metadata/rhel7/V-72181.rst | 3 +- doc/metadata/rhel7/V-72215.rst | 5 +- doc/metadata/rhel7/V-72225.rst | 5 +- doc/metadata/rhel7/V-72233.rst | 1 + doc/metadata/rhel7/V-72269.rst | 4 +- doc/metadata/rhel7/V-72273.rst | 4 +- doc/metadata/rhel7/V-72275.rst | 2 +- doc/metadata/rhel7/V-72301.rst | 1 + doc/metadata/rhel7/V-72307.rst | 1 + doc/source/controls-rhel7.rst | 4 +- doc/source/faq.rst | 2 + doc/source/index.rst | 2 + files/zypper-autoupdates | 3 + meta/main.yml | 5 ++ tasks/rhel7stig/aide.yml | 45 +++++++++++---- tasks/rhel7stig/auth.yml | 21 ++++++- tasks/rhel7stig/file_perms.yml | 4 +- tasks/rhel7stig/kernel.yml | 4 +- tasks/rhel7stig/lsm.yml | 4 +- 
tasks/rhel7stig/main.yml | 2 +- tasks/rhel7stig/packages.yml | 28 ++++++++- tasks/rhel7stig/zypper.yml | 79 +++++++++++++++++++++++++ vars/debian.yml | 1 + vars/redhat.yml | 1 + vars/suse.yml | 102 +++++++++++++++++++++++++++++++++ 48 files changed, 368 insertions(+), 67 deletions(-) create mode 100755 files/zypper-autoupdates create mode 100644 tasks/rhel7stig/zypper.yml create mode 100644 vars/suse.yml diff --git a/README.md b/README.md index c3b91573..49827a86 100644 --- a/README.md +++ b/README.md @@ -13,6 +13,8 @@ to systems running the following distributions: * Ubuntu 14.04 *(deprecated)* * Ubuntu 16.04 * Red Hat Enterprise Linux 7 +* openSUSE Leap 42.2 and 42.3 +* SUSE Linux Enterprise 12 (*experimental*) For more details, review the [ansible-hardening documentation](http://docs.openstack.org/developer/ansible-hardening/). diff --git a/doc/metadata/rhel7/V-71855.rst b/doc/metadata/rhel7/V-71855.rst index 0fc331cc..aa0e2ed1 100644 --- a/doc/metadata/rhel7/V-71855.rst +++ b/doc/metadata/rhel7/V-71855.rst @@ -4,8 +4,8 @@ status: implemented tag: packages --- -Ansible tasks will check the ``rpm -Va`` output (on CentOS and RHEL) or the -output of ``debsums`` (on Ubuntu) to see if any files installed from packages +Ansible tasks will check the ``rpm -Va`` output (on CentOS, RHEL, openSUSE and SLE) or +the output of ``debsums`` (on Ubuntu) to see if any files installed from packages have been altered. The tasks will print a list of files that have changed since their package was installed. diff --git a/doc/metadata/rhel7/V-71921.rst b/doc/metadata/rhel7/V-71921.rst index b3a5be3f..880070b1 100644 --- a/doc/metadata/rhel7/V-71921.rst +++ b/doc/metadata/rhel7/V-71921.rst 
@@ -4,9 +4,9 @@ status: implemented tag: accounts --- -The default password storage mechanism for Ubuntu 16.04, CentOS 7, and Red Hat -Enterprise Linux 7 is ``SHA512`` and the tasks in the security role ensure that -the default is maintained. +The default password storage mechanism for Ubuntu 16.04, CentOS 7, openSUSE Leap, +SUSE Linux Enterprise 12 and Red Hat Enterprise Linux 7 is ``SHA512`` and the tasks +in the security role ensure that the default is maintained. Deployers can configure a different password storage mechanism by setting the following Ansible variable: diff --git a/doc/metadata/rhel7/V-71923.rst b/doc/metadata/rhel7/V-71923.rst index 50ac2f7a..83104c14 100644 --- a/doc/metadata/rhel7/V-71923.rst +++ b/doc/metadata/rhel7/V-71923.rst @@ -8,7 +8,8 @@ The role ensures that ``crypt_style`` is set to ``sha512`` in ``/etc/libuser.conf``, which is the default for CentOS 7 and Red Hat Enterprise Linux 7. -Ubuntu does not use ``libuser``, so this change is not applicable. +Ubuntu, openSUSE and SUSE Linux Enterprise 12 do not use ``libuser``, so this change +is not applicable. Deployers can opt out of this change by setting the following Ansible variable: diff --git a/doc/metadata/rhel7/V-71937.rst b/doc/metadata/rhel7/V-71937.rst index 54ddead3..ca0a9e75 100644 --- a/doc/metadata/rhel7/V-71937.rst +++ b/doc/metadata/rhel7/V-71937.rst @@ -10,6 +10,7 @@ from one of the PAM configuration files: * CentOS or RHEL: removes ``nullok`` from ``/etc/pam.d/system-auth`` * Ubuntu: removes ``nullok_secure`` from ``/etc/pam.d/common-auth`` +* openSUSE Leap or SLE: remove ``nullok`` from ``/etc/pam.d/common-auth`` and ``/etc/pam.d/common-password`` Deployers can opt-out of this change by setting the following Ansible variable: diff --git a/doc/metadata/rhel7/V-71945.rst b/doc/metadata/rhel7/V-71945.rst index e053a7f9..bc81d546 100644 --- a/doc/metadata/rhel7/V-71945.rst +++ b/doc/metadata/rhel7/V-71945.rst 
@@ -40,5 +40,5 @@ Ansible variables: .. note:: - Ubuntu does not provide ``pam_faillock``. This change is only applied to - CentOS 7 or Red Hat Enterprise Linux 7 systems. + Ubuntu, openSUSE Leap and SUSE Linux Enterprise 12 do not provide ``pam_faillock``. + This change is only applied to CentOS 7 or Red Hat Enterprise Linux 7 systems. diff --git a/doc/metadata/rhel7/V-71969.rst b/doc/metadata/rhel7/V-71969.rst index 46c54643..2b71ee18 100644 --- a/doc/metadata/rhel7/V-71969.rst +++ b/doc/metadata/rhel7/V-71969.rst @@ -9,6 +9,7 @@ installed. The package name differs between Linux distributions: * CentOS: ``ypserv`` * Ubuntu: ``nis`` +* openSUSE Leap: ``ypserv`` Deployers can opt-out of this change by setting the following Ansible variable: diff --git a/doc/metadata/rhel7/V-71977.rst b/doc/metadata/rhel7/V-71977.rst index 9d272408..df14af19 100644 --- a/doc/metadata/rhel7/V-71977.rst +++ b/doc/metadata/rhel7/V-71977.rst @@ -12,6 +12,11 @@ On CentOS 7 systems, the tasks set the ``gpgcheck`` option to ``1`` in the ``/etc/yum.conf`` file. This enables GPG checks for all packages installed with ``yum``. +On openSUSE Leap systems, the tasks set the ``gpgcheck`` option to ``1`` in the +``/etc/zypp/zypp.conf`` file. This enables GPG checks for all packages installed +with ``zypper``. + Setting ``security_enable_gpgcheck_packages`` to ``no`` will skip the ``AllowUnauthenticated`` string check on Ubuntu and it will set ``gpgcheck=0`` -in ``/etc/yum.conf`` on CentOS systems. +in ``/etc/yum.conf`` or ``/etc/zypp/zypp.conf`` on CentOS and openSUSE Leap systems +respectively. diff --git a/doc/metadata/rhel7/V-71979.rst b/doc/metadata/rhel7/V-71979.rst index 0f6145d2..1e0653ee 100644 --- a/doc/metadata/rhel7/V-71979.rst +++ b/doc/metadata/rhel7/V-71979.rst 
@@ -12,6 +12,11 @@ On CentOS 7 systems, the tasks set the ``localpkg_gpgcheck`` option to ``1`` in the ``/etc/yum.conf`` file. This enables GPG checks for all packages installed locally with ``yum``. +On openSUSE Leap systems, the tasks set the ``gpgcheck`` option to ``1`` in the +``/etc/zypp/zypp.conf`` file. This enables GPG checks for all packages installed +with ``zypper``. + Setting ``security_enable_gpgcheck_packages_local`` to ``no`` will skip the ``no-debsig`` adjustment on Ubuntu and it will set ``local_gpgcheck=0`` in -``/etc/yum.conf`` on CentOS systems. +``/etc/yum.conf`` on CentOS systems. Similarly, on openSUSE Leap systems, it will set +``gpgcheck=0`` in ``/etc/zypp/zypp.conf``. diff --git a/doc/metadata/rhel7/V-71989.rst b/doc/metadata/rhel7/V-71989.rst index 80206488..b9c29f02 100644 --- a/doc/metadata/rhel7/V-71989.rst +++ b/doc/metadata/rhel7/V-71989.rst @@ -7,8 +7,8 @@ tag: lsm The tasks in the security role enable the appropriate Linux Security Module (LSM) for the operating system. -For Ubuntu systems, AppArmor is installed and enabled. This change takes -effect immediately. +For Ubuntu, openSUSE and SUSE Linux Enterprise 12 systems, AppArmor is installed and +enabled. This change takes effect immediately. For CentOS or Red Hat Enterprise Linux systems, SELinux is enabled (in enforcing mode) and its user tools are automatically installed. If SELinux is diff --git a/doc/metadata/rhel7/V-71991.rst b/doc/metadata/rhel7/V-71991.rst index 04b9fdd0..d023c6cb 100644 --- a/doc/metadata/rhel7/V-71991.rst +++ b/doc/metadata/rhel7/V-71991.rst 
@@ -5,8 +5,8 @@ tag: misc --- The SELinux targeted policy is enabled on CentOS 7 and Red Hat systems. -AppArmor only has one set of policies, so this change has no effect on Ubuntu -systems running AppArmor. +AppArmor only has one set of policies, so this change has no effect on Ubuntu, +openSUSE Leap and SUSE systems running AppArmor. For more information on this change and how to opt out, refer to :ref:`stig-V-71989`. diff --git a/doc/metadata/rhel7/V-71995.rst b/doc/metadata/rhel7/V-71995.rst index 4b733065..a9800145 100644 --- a/doc/metadata/rhel7/V-71995.rst +++ b/doc/metadata/rhel7/V-71995.rst @@ -1,6 +1,6 @@ --- id: V-71995 -status: opt-in - Ubuntu only +status: opt-in - Ubuntu and SUSE only tag: accounts --- @@ -21,8 +21,9 @@ Ansible variable: .. note:: - Ubuntu uses ``pam_umask`` and it uses the default umask provided by the - ``UMASK`` line in ``/etc/login.defs``. The default setting on Ubuntu + Ubuntu, openSUSE Leap and SUSE Linux Enterpsise 12 use ``pam_umask`` and it uses + the default umask provided by the ``UMASK`` line in ``/etc/login.defs``. + The default setting on Ubuntu, openSUSE Leap and SUSE Linux Enterprise 12 systems is ``022``. This allows the user's group and other users on the system to read and execute files, but they cannot write to them. diff --git a/doc/metadata/rhel7/V-71997.rst b/doc/metadata/rhel7/V-71997.rst index 67ac822f..9250890b 100644 --- a/doc/metadata/rhel7/V-71997.rst +++ b/doc/metadata/rhel7/V-71997.rst @@ -6,7 +6,7 @@ tag: packages The STIG requires that the current release of the operating system is still supported and is actively receiving security updates. Deployers are urged to -stay current with the latest releases from Ubuntu, CentOS and Red Hat. +stay current with the latest releases from Ubuntu, SUSE, CentOS and Red Hat. The following links provide more details on end of life (EOL) dates for the distributions supported by this role: 
@@ -14,3 +14,5 @@ distributions supported by this role: * `Ubuntu releases `_ * `CentOS EOL dates `_ * `Red Hat Enterprise Linux Life Cycle `_ +* `openSUSE EOL dates `_ +* `SUSE Linux Enterprise `_ diff --git a/doc/metadata/rhel7/V-71999.rst b/doc/metadata/rhel7/V-71999.rst index 7c6c6a1e..1b18d075 100644 --- a/doc/metadata/rhel7/V-71999.rst +++ b/doc/metadata/rhel7/V-71999.rst @@ -17,4 +17,5 @@ Ansible variable: When enabled, the tasks install and configure ``yum-cron`` on CentOS and Red Hat Enterprise Linux. On Ubuntu systems, the ``unattended-upgrades`` package -is installed and configured. +is installed and configured. On openSUSE Leap and SUSE Linux Enterprise systems, +a daily cronjob is installed. diff --git a/doc/metadata/rhel7/V-72013.rst b/doc/metadata/rhel7/V-72013.rst index e570351f..4f90fa5e 100644 --- a/doc/metadata/rhel7/V-72013.rst +++ b/doc/metadata/rhel7/V-72013.rst @@ -16,6 +16,6 @@ Deployers can opt out of this change by setting the following Ansible variable: .. note:: - On CentOS 7 and Red Hat Enterprise Linux 7 systems, home directories are - always created with new users by default. Home directories are not created - by default on Ubuntu systems. + On CentOS 7, Red Hat Enterprise Linux 7 systems, openSUSE Leap and SUSE + Linux Enterprise 12, home directories are always created with new users by default. + Home directories are not created by default on Ubuntu systems. diff --git a/doc/metadata/rhel7/V-72039.rst b/doc/metadata/rhel7/V-72039.rst index fe78bdf8..cbcbcc8b 100644 --- a/doc/metadata/rhel7/V-72039.rst +++ b/doc/metadata/rhel7/V-72039.rst 
@@ -15,5 +15,5 @@ labels are applied for the class of device. This change applies only to CentOS or Red Hat Enterprise Linux systems since they rely on SELinux as their default Linux Security Module (LSM). - Ubuntu systems use AppArmor, which uses policy files rather than labels - applied to individual files. + Ubuntu, openSUSE Leap and SUSE Linux Enterprise systems use AppArmor, which + uses policy files rather than labels applied to individual files. diff --git a/doc/metadata/rhel7/V-72051.rst b/doc/metadata/rhel7/V-72051.rst index f9c65e10..f2dd9160 100644 --- a/doc/metadata/rhel7/V-72051.rst +++ b/doc/metadata/rhel7/V-72051.rst @@ -4,12 +4,15 @@ status: exception - manual intervention tag: misc --- -Ubuntu, CentOS and Red Hat Enterprise Linux already capture the logs from cron. +Ubuntu, CentOS, Red Hat Enterprise Linux, openSUSE Leap and SUSE Linux +Enterprise already capture the logs from cron. Ubuntu systems collect cron job logs into the main syslog file (``/var/log/syslog``) rather than separate them into their own log file. CentOS and Red Hat Enterprise Linux systems collect cron logs in ``/var/log/cron``. +openSUSE Leap and SUSE Linux Enterprise collect cron job in +``/var/log/messages``. Deployers should not need to adjust these configurations unless a specific environment requires it. The tasks in the security role do not make changes to diff --git a/doc/metadata/rhel7/V-72053.rst b/doc/metadata/rhel7/V-72053.rst index d57a9ce5..b44c9a37 100644 --- a/doc/metadata/rhel7/V-72053.rst +++ b/doc/metadata/rhel7/V-72053.rst @@ -6,4 +6,5 @@ tag: file_perms The tasks in the security role check for the existence of ``/etc/cron.allow`` and set both the user and group ownership to ``root``. This is the default on -Ubuntu, CentOS, and Red Hat Enterprise Linux systems already. +Ubuntu, CentOS, Red Hat Enterprise Linux systems, openSUSE Leap and SUSE Linux +Enterprise 12 already. 
diff --git a/doc/metadata/rhel7/V-72067.rst b/doc/metadata/rhel7/V-72067.rst index 03d5dc7e..cc9dfd11 100644 --- a/doc/metadata/rhel7/V-72067.rst +++ b/doc/metadata/rhel7/V-72067.rst @@ -1,11 +1,11 @@ --- id: V-72067 -status: implemented - red hat only +status: implemented - red hat and suse only tag: misc --- -The tasks in the Ansible role install the ``dracut-fips`` and -``dracut-fips-aesni`` packages and check to see if FIPS is enabled on the +The tasks in the Ansible role install the ``dracut-fips`` (RHEL and SLE) and +``dracut-fips-aesni`` (RHEL) packages and check to see if FIPS is enabled on the system. If it is not enabled, a warning message is printed in the Ansible output. @@ -18,6 +18,6 @@ the bootloader configuration and regenerating the initramfs. .. note:: - This change only applies to CentOS and Red Hat Enterprise Linux. Ubuntu - does not use dracut by default and the process for enabling the FIPS - functionality at boot time is more complex. + This change only applies to CentOS, Red Hat Enterprise Linux, openSUSE Leap + and SUSE Linux Enterprise. Ubuntu does not use dracut by default and the process + for enabling the FIPS functionality at boot time is more complex. diff --git a/doc/metadata/rhel7/V-72069.rst b/doc/metadata/rhel7/V-72069.rst index b72fb762..b3f73137 100644 --- a/doc/metadata/rhel7/V-72069.rst +++ b/doc/metadata/rhel7/V-72069.rst @@ -12,3 +12,7 @@ However, Ubuntu lacks the rules that include ACL and extended attribute checks. The tasks in the security role will add a small configuration block at the end of the AIDE configuration file to meet the requirements of this STIG, as well as V-72071. + +openSUSE Leap and SUSE Linux Enterprise 12 also lack a rule to check ACLs and +extended attributes. The default configuration file is adjusted to include those +as well. diff --git a/doc/metadata/rhel7/V-72071.rst b/doc/metadata/rhel7/V-72071.rst index 38c26425..31ce05fa 100644 --- a/doc/metadata/rhel7/V-72071.rst 
+++ b/doc/metadata/rhel7/V-72071.rst @@ -12,3 +12,7 @@ However, Ubuntu lacks the rules that include ACL and extended attribute checks. The tasks in the security role will add a small configuration block at the end of the AIDE configuration file to meet the requirements of this STIG, as well as V-72069. + +openSUSE Leap and SUSE Linux Enterprise 12 also lack a rule to check ACLs and +extended attributes. The default configuration file is adjusted to include those +as well. diff --git a/doc/metadata/rhel7/V-72073.rst b/doc/metadata/rhel7/V-72073.rst index ff99eac1..b1342da4 100644 --- a/doc/metadata/rhel7/V-72073.rst +++ b/doc/metadata/rhel7/V-72073.rst @@ -4,9 +4,9 @@ status: implemented tag: aide --- -The default AIDE configuration in CentOS 7 and Red Hat Enterprise Linux 7 -already uses SHA512 to validate file contents and directories. No changes are -required on these systems. +The default AIDE configuration in CentOS 7, Red Hat Enterprise Linux 7, +openSUSE Leap and SUSE Linux Enterprise 12 already uses SHA512 to validate +file contents and directories. No changes are required on these systems. The tasks in the security role add a rule to end of the AIDE configuration on Ubuntu systems that uses SHA512 for validation. diff --git a/doc/metadata/rhel7/V-72077.rst b/doc/metadata/rhel7/V-72077.rst index 839669a5..948f906f 100644 --- a/doc/metadata/rhel7/V-72077.rst +++ b/doc/metadata/rhel7/V-72077.rst @@ -9,6 +9,7 @@ installed. The package name differs between Linux distributions: * CentOS: ``telnet-server`` * Ubuntu: ``telnetd`` +* openSUSE Leap: ``telnet-server`` Deployers can opt-out of this change by setting the following Ansible variable: diff --git a/doc/metadata/rhel7/V-72181.rst b/doc/metadata/rhel7/V-72181.rst index 00d69673..9309541c 100644 --- a/doc/metadata/rhel7/V-72181.rst +++ b/doc/metadata/rhel7/V-72181.rst 
@@ -15,4 +15,5 @@ Deployers can opt-out of this change by setting an Ansible variable: .. note:: - No action is taken on Ubuntu 16.04 because ``pt_chown`` is not available. + No action is taken on Ubuntu 16.04, openSUSE Leap and SUSE Linux Enterprise + because ``pt_chown`` is not available. diff --git a/doc/metadata/rhel7/V-72215.rst b/doc/metadata/rhel7/V-72215.rst index 60a698c4..6a6db7bf 100644 --- a/doc/metadata/rhel7/V-72215.rst +++ b/doc/metadata/rhel7/V-72215.rst @@ -4,8 +4,9 @@ status: implemented tag: misc --- -By default, CentOS 7 and Red Hat Enterprise Linux 7 check for virus database -updates 12 times a day. Ubuntu servers have a default of 24 checks per day. +By default, CentOS 7, Red Hat Enterprise Linux 7, openSUSE Leap and SUSE Linux +Enterprise 12 check for virus database updates 12 times a day. Ubuntu servers +have a default of 24 checks per day. The tasks in the security role do not adjust these defaults as they are more secure than the STIG's requirement. diff --git a/doc/metadata/rhel7/V-72225.rst b/doc/metadata/rhel7/V-72225.rst index ff131710..5062177d 100644 --- a/doc/metadata/rhel7/V-72225.rst +++ b/doc/metadata/rhel7/V-72225.rst @@ -5,8 +5,9 @@ tag: sshd --- The tasks in the security role deploy a standard notice and consent banner into -``/etc/motd`` on each server. Ubuntu, CentOS and Red Hat Enterprise Linux -display this banner after each successful login via ssh or the console. +``/etc/motd`` on each server. Ubuntu, CentOS, Red Hat Enterprise Linux, +openSUSE Leap and SUSE Linux Enterprise display this banner after each successful +login via ssh or the console. Deployers can choose a different destination for the banner by setting the following Ansible variable: diff --git a/doc/metadata/rhel7/V-72233.rst b/doc/metadata/rhel7/V-72233.rst index 758300fa..dc87532f 100644 --- a/doc/metadata/rhel7/V-72233.rst +++ b/doc/metadata/rhel7/V-72233.rst 
@@ -9,3 +9,4 @@ role installs the following packages: * CentOS: ``openssh-clients``, ``openssh-server`` * Ubuntu: ``openssh-client``, ``openssh-server`` +* openSUSE Leap: ``openssh`` diff --git a/doc/metadata/rhel7/V-72269.rst b/doc/metadata/rhel7/V-72269.rst index 874b32d2..eb7f1fdf 100644 --- a/doc/metadata/rhel7/V-72269.rst +++ b/doc/metadata/rhel7/V-72269.rst @@ -7,8 +7,8 @@ tag: misc The tasks in the security role make the following changes on each host: * The ``chrony`` package is installed. -* The service (``chronyd`` on Red Hat and CentOS, ``chrony`` on Ubuntu) is - started and enabled at boot time. +* The service (``chronyd`` on Red Hat, CentOS, SLE and openSUSE Leap, + ``chrony`` on Ubuntu) is started and enabled at boot time. * A configuration file template is deployed that includes ``maxpoll 10`` on each server line. diff --git a/doc/metadata/rhel7/V-72273.rst b/doc/metadata/rhel7/V-72273.rst index 89f99140..0b0c3d08 100644 --- a/doc/metadata/rhel7/V-72273.rst +++ b/doc/metadata/rhel7/V-72273.rst @@ -19,5 +19,5 @@ Deployers can opt in for this change by setting the following Ansible variable: Deployers must pre-configure ``firewalld`` or copy over a working XML file in ``/etc/firewalld/zones/`` from another server. The default firewalld - restrictions on Ubuntu, CentOS and Red Hat Enterprise Linux are highly - restrictive. + restrictions on Ubuntu, CentOS, Red Hat Enterprise Linux and openSUSE Leap + are highly restrictive. diff --git a/doc/metadata/rhel7/V-72275.rst b/doc/metadata/rhel7/V-72275.rst index 4cfb5c3e..1aa0d9e2 100644 --- a/doc/metadata/rhel7/V-72275.rst +++ b/doc/metadata/rhel7/V-72275.rst @@ -11,4 +11,4 @@ disruptive in some environments. Deployers should review their PAM configurations and add ``pam_lastlogin`` to ``/etc/pam.d/postlogin`` on CentOS and Red Hat Enterprise Linux or to -``/etc/pam.d/login`` on Ubuntu. +``/etc/pam.d/login`` on Ubuntu, openSUSE Leap and SUSE Linux Enterprise. 
diff --git a/doc/metadata/rhel7/V-72301.rst b/doc/metadata/rhel7/V-72301.rst index 917bb725..bd68fd0c 100644 --- a/doc/metadata/rhel7/V-72301.rst +++ b/doc/metadata/rhel7/V-72301.rst @@ -9,6 +9,7 @@ installed. The package name differs between Linux distributions: * CentOS: ``tftp-server`` * Ubuntu: ``tftpd`` +* openSUSE Leap: ``tftp`` Deployers can opt-out of this change by setting the following Ansible variable: diff --git a/doc/metadata/rhel7/V-72307.rst b/doc/metadata/rhel7/V-72307.rst index b8a814b2..0656c43c 100644 --- a/doc/metadata/rhel7/V-72307.rst +++ b/doc/metadata/rhel7/V-72307.rst @@ -9,6 +9,7 @@ installed. The package name differs between Linux distributions: * CentOS: ``xorg-x11-server-Xorg`` * Ubuntu: ``xorg-xserver`` +* openSUSE Leap: ``xorg-x11-server`` Deployers can opt-out of this change by setting the following Ansible variable: diff --git a/doc/source/controls-rhel7.rst b/doc/source/controls-rhel7.rst index c66e2edf..3349eae2 100644 --- a/doc/source/controls-rhel7.rst +++ b/doc/source/controls-rhel7.rst @@ -56,8 +56,8 @@ Controls are divided into groups based on the following properties: Although the STIG is specific to Red Hat Enterprise Linux 7, it also applies to CentOS 7 systems. In addition, almost all of the controls are easily translated -for Ubuntu 16.04. Any deviations during translation are noted within the -documentation below. +for Ubuntu 16.04, openSUSE Leap and SUSE Linux Enterprise 12. Any deviations +during translation are noted within the documentation below. .. toctree:: :maxdepth: 2 diff --git a/doc/source/faq.rst b/doc/source/faq.rst index e4ad3255..ec86ef33 100644 --- a/doc/source/faq.rst +++ b/doc/source/faq.rst 
@@ -47,6 +47,8 @@ servers running the following Linux distributions: * Ubuntu 16.04 * CentOS 7 * Red Hat Enterprise Linux 7 +* openSUSE Leap 42.2 and 42.3 +* SUSE Linux Enterprise 12 (experimental) The OpenStack gating system tests the role against each of these distributions regularly except for Red Hat Enterprise Linux 7, since it is a non-free diff --git a/doc/source/index.rst b/doc/source/index.rst index 514e81f6..0742b031 100644 --- a/doc/source/index.rst +++ b/doc/source/index.rst @@ -92,6 +92,8 @@ Pike * Ubuntu 16.04 Xenial * CentOS 7 * Red Hat Enterprise Linux 7 *(partial automated test coverage)* + * openSUSE Leap 42.2 and 42.3 + * SUSE Linux Enterprise 12 (*experimental*) * **Documentation:** diff --git a/files/zypper-autoupdates b/files/zypper-autoupdates new file mode 100755 index 00000000..b996833b --- /dev/null +++ b/files/zypper-autoupdates @@ -0,0 +1,3 @@ +#!/bin/bash + +/usr/bin/zypper -n dup -l diff --git a/meta/main.yml b/meta/main.yml index da1c750f..c37e8ef7 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -13,6 +13,11 @@ galaxy_info: versions: - trusty - xenial + - name: opensuse + versions: + - 42.1 + - 42.2 + - 42.3 categories: - cloud - security diff --git a/tasks/rhel7stig/aide.yml b/tasks/rhel7stig/aide.yml index 8a1ef738..ba0b9ba7 100644 --- a/tasks/rhel7stig/aide.yml +++ b/tasks/rhel7stig/aide.yml @@ -15,9 +15,12 @@ - name: Verify that AIDE configuration directory exists stat: - path: /etc/aide/aide.conf.d + path: "{{ item }}" register: aide_conf check_mode: no + with_items: + - /etc/aide/aide.conf.d + - /etc/aide.conf tags: - always @@ -25,7 +28,7 @@ template: src: ZZ_aide_exclusions.j2 dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions - when: aide_conf.stat.exists | bool + when: aide_conf.results[0].stat.exists | bool tags: - medium - aide 
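Review bot: The daily job runs `/usr/bin/zypper -n dup -l`, a full distribution upgrade with licences auto-accepted, which is a much broader action than the security-update runs that yum-cron and unattended-upgrades perform for V-71999 on the other platforms: an unattended `dup` can replace packages, change vendors and pull in non-security changes. `/usr/bin/zypper --non-interactive patch --category security` (or plain `patch` if all updates are wanted) matches the control's intent and the V-71999 doc text added in this patch. The script also has no error handling or logging, so a failed run is only visible if cron mail is delivered; if `dup` is deliberate, a comment stating why would save the next reader the same question.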
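Review bot: The galaxy metadata advertises openSUSE `42.1` next to 42.2 and 42.3, while the README and FAQ hunks in this same patch list only 42.2 and 42.3 as supported and gated; either drop `- 42.1` or add it to the documented list so the claimed support is consistent. The entries are also bare floats (`42.1`), which YAML types as numbers; quoting them (`- '42.2'`) keeps them as version strings.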
@@ -34,7 +37,7 @@
 # NOTE(mhayden): CentOS/RHEL already provide a very strict AIDE configuration
 # that meets the requirements of V-72069 and V-72071. That config
 # is borrowed for Ubuntu 16.04 here.
-- name: Configure AIDE to verify additional properties
+- name: Configure AIDE to verify additional properties (Ubuntu)
 blockinfile:
 dest: "/etc/aide/aide.conf"
 insertbefore: EOF
@@ -54,7 +57,7 @@
 /bin NORMAL
 /sbin NORMAL
 when:
- - aide_conf.stat.exists | bool
+ - aide_conf.results[0].stat.exists | bool
 - ansible_os_family | lower == 'debian'
 tags:
 - low
@@ -63,6 +66,24 @@
 - V-72071
 - V-72073
 
+# NOTE(hwoarang): Add acl and xattrs on SUSE to meet V-72069 and V-72071.
+- name: Configure AIDE to verify additional properties (SUSE)
+ lineinfile:
+ dest: "/etc/aide.conf"
+ regexp: '(^Binlib.*= )'
+ line: '\1p+i+n+u+g+s+b+m+c+sha256+sha512+acl+xattrs'
+ state: present
+ backrefs: yes
+ when:
+ - aide_conf.results[1].stat.exists | bool
+ - ansible_pkg_mgr == 'zypper'
+ tags:
+ - low
+ - aide
+ - V-72069
+ - V-72071
+ - V-72073
+
 - name: Check to see if AIDE database is already in place
 stat:
 path: "{{ aide_database_file }}"
@@ -72,12 +93,14 @@
 - always
 
 - name: Initialize AIDE (this will take a few minutes)
- # NOTE(hwoarang): aideinit is an Ubuntu wrapper.
+ # NOTE(hwoarang): aideinit is an Ubuntu wrapper. An alternative
+ # would be to use aideinit || aide -i but that will possibly mask
+ # genuine aideinit failures.
 shell: "if test -x /usr/sbin/aideinit; then aideinit; else aide -i; fi"
 changed_when: false
 register: aide_init
 when:
- - aide_conf.stat.exists | bool
+ - aide_conf.results[0].stat.exists | bool or aide_conf.results[1].stat.exists | bool
 - not aide_database.stat.exists | bool
 - security_rhel7_initialize_aide | bool
 tags:
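Review bot: The SUSE lineinfile overwrites everything after `Binlib = ` with a fixed attribute list instead of appending `acl+xattrs` to what the distribution ships, so any attribute present in the default rule but absent from the literal (the stock `/etc/aide.conf` is not visible in this patch) is silently dropped, and a later package update to that rule is reverted on the next run. An append that stays idempotent under `backrefs` is `regexp: '^(Binlib\s*=\s*(?!.*acl).*)$'` with `line: '\1+acl+xattrs'`, which leaves the line alone once acl is present. The task is also tagged `V-72073` although the V-72073 doc in this patch says SUSE already uses SHA512 and needs no change; drop the tag or note why it is kept.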
@@ -85,21 +108,21 @@
 - aide
 - V-71973
 
-# NOTE(mhayden): This is only needed for CentOS 7 and RHEL 7 since Ubuntu
+# NOTE(mhayden): This is only needed for CentOS 7, RHEL 7 and SUSE since Ubuntu
 # copies the new AIDE database into place automatically with its AIDE wrapper
 # script.
 - name: Move AIDE database into place
- command: "mv /var/lib/aide/aide.db.new.gz {{ aide_database_file }}"
+ command: "mv {{ aide_database_out_file }} {{ aide_database_file }}"
 changed_when: false
 when:
 - aide_init | changed
- - ansible_os_family | lower == 'redhat'
+ - ansible_pkg_mgr in ['yum', 'zypper']
 tags:
 - medium
 - aide
 - V-71973
 
-# NOTE(mhayden): This is only needed for CentOS 7 and RHEL 7 since the AIDE
+# NOTE(mhayden): This is only needed for CentOS 7, RHEL 7 and SUSE since the AIDE
 # package doesn't come with a cron job file. Ubuntu packages a cron job for
 # AIDE checks already.
 - name: Create AIDE cron job
@@ -110,7 +133,7 @@
 special_time: daily
 job: "aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root"
 when:
- - ansible_os_family | lower == 'redhat'
+ - ansible_pkg_mgr in ['yum', 'zypper']
 tags:
 - medium
 - aide
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index 0352fd62..7f9b277c 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@@ -65,6 +65,25 @@
 - high
 - V-71937
 
+- name: Prevent users with blank or null passwords from authenticating (SUSE)
+ lineinfile:
+ dest: "{{ item }}"
+ state: present
+ regexp: "^(.*required.*)nullok(.*)$"
+ line: '\1\2'
+ backup: yes
+ backrefs: yes
+ with_items:
+ - "{{ pam_auth_file }}"
+ - "{{ pam_password_file }}"
+ when:
+ - ansible_pkg_mgr == 'zypper'
+ - security_disallow_blank_password_login | bool
+ tags:
+ - auth
+ - high
+ - V-71937
+
 - name: Lock accounts after three failed login attempts a 15 minute period
 blockinfile:
 dest: "{{ pam_password_file }}"
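Review bot: With the AIDE cron job now created on zypper hosts too, `aide --check` is piped into `/bin/mail`, and nothing in the visible hunks installs a mail client on SUSE; if `/bin/mail` is missing the daily integrity report is lost and the job's exit status reflects the missing command rather than aide, so a detected change goes unnoticed. Either add the mailer to the SUSE package list in vars/suse.yml (not visible here) or also write the report to disk, e.g. `job: "aide --check 2>&1 | tee -a /var/log/aide/aide-check.log | /bin/mail -s ..."`, so the evidence survives without a working MTA. The same weakness exists on RHEL, but the SUSE path is new in this commit.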
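Review bot: The regexp `^(.*required.*)nullok(.*)$` strips `nullok` only from PAM lines whose control field is `required`; a `nullok` on a `sufficient`, `requisite` or bracketed `[success=...]` line in common-auth or common-password survives and still permits empty-password logins on hosts with a customised stack. Keying on the module rather than the control, e.g. `regexp: '^(\s*(auth|password)\s+\S+\s+pam_unix\.so.*?)\s*\bnullok\b(.*)$'`, covers those cases and avoids clipping longer options that merely start with `nullok`. On SUSE these `common-*` files are normally generated by pam-config and carry a header warning that they will be overwritten, so a later pam-config run can reinstate the option; removing it through pam-config (`pam-config -d --unix-nullok` appears to be the supported form) or at least a comment on the task noting this caveat would make the control stick.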
@@ -73,7 +92,7 @@ insertbefore: EOF block: "{{ lookup('template', 'pam_faillock.j2') }}" when: - - ansible_os_family | lower == 'redhat' + - ansible_pkg_mgr in ['yum', 'zypper'] - security_pam_faillock_enable | bool tags: - auth diff --git a/tasks/rhel7stig/file_perms.yml b/tasks/rhel7stig/file_perms.yml index 7f4e7de6..52c2a412 100644 --- a/tasks/rhel7stig/file_perms.yml +++ b/tasks/rhel7stig/file_perms.yml @@ -21,7 +21,7 @@ changed_when: False when: - not check_mode | bool - - ansible_os_family | lower == 'redhat' + - ansible_pkg_mgr in ['yum', 'zypper'] - security_reset_perm_ownership | bool tags: - file_perms @@ -38,7 +38,7 @@ - "{{ rpmverify_package_list.stdout_lines | default([]) }}" when: - not check_mode | bool - - ansible_os_family | lower == 'redhat' + - ansible_pkg_mgr in ['yum', 'zypper'] - rpmverify_package_list is defined - rpmverify_package_list.stdout_lines | length > 0 async: 300 diff --git a/tasks/rhel7stig/kernel.yml b/tasks/rhel7stig/kernel.yml index ec1835c5..539ac4a8 100644 --- a/tasks/rhel7stig/kernel.yml +++ b/tasks/rhel7stig/kernel.yml @@ -76,7 +76,7 @@ failed_when: False check_mode: no when: - - ansible_os_family | lower == 'redhat' + - ansible_pkg_mgr in ['yum', 'zypper'] tags: - always @@ -86,7 +86,7 @@ FIPS is not enabled at boot time on this server. The STIG requires FIPS to be enabled at boot time. when: - - ansible_os_family | lower == 'redhat' + - ansible_pkg_mgr in ['yum', 'zypper'] - fips_check is defined - fips_check.stdout != '1' tags: diff --git a/tasks/rhel7stig/lsm.yml b/tasks/rhel7stig/lsm.yml index 13b29b73..9471dee7 100644 --- a/tasks/rhel7stig/lsm.yml +++ b/tasks/rhel7stig/lsm.yml @@ -19,7 +19,7 @@ changed_when: False check_mode: no when: - - ansible_os_family == "Debian" + - ansible_pkg_mgr in ['apt', 'zypper'] tags: - high - V-71989 
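Review bot: The pam_faillock block is now inserted into `{{ pam_password_file }}` on zypper hosts as well, yet the V-71945 doc changed in this same patch states that openSUSE Leap and SLE do not provide `pam_faillock` and that the change applies only to CentOS/RHEL. If `pam_faillock.j2` emits `pam_faillock.so` lines (its content is not visible here), PAM cannot load the module on SUSE and, depending on the control flag used, either silently skips the lockout or refuses every login. Keep this condition at `- ansible_pkg_mgr == 'yum'`, or gate it on a `stat` of the module library, until a SUSE-specific lockout (pam_tally2, for example) is wired in; the task header is outside the hunk.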
@@ -30,7 +30,7 @@
 state: started
 enabled: yes
 when:
- - ansible_os_family == "Debian"
+ - ansible_pkg_mgr in ['apt', 'zypper']
 - security_rhel7_enable_linux_security_module | bool
 - not check_mode
 - '"AppArmor disabled by boot time parameter" not in dmesg_apparmor_output.stdout'
diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml
index f8696a90..94cbb83c 100644
--- a/tasks/rhel7stig/main.yml
+++ b/tasks/rhel7stig/main.yml
@@ -44,7 +44,7 @@
 poll: 0
 when:
 - not check_mode | bool
- - ansible_os_family | lower == 'redhat'
+ - ansible_os_family | lower in ['redhat', 'suse']
 tags:
 - always
 - skip_ansible_lint
diff --git a/tasks/rhel7stig/packages.yml b/tasks/rhel7stig/packages.yml
index 8d81d6a4..6e193926 100644
--- a/tasks/rhel7stig/packages.yml
+++ b/tasks/rhel7stig/packages.yml
@@ -34,7 +34,7 @@
 - V-72301
 - V-72307
-- name: V-71987 - Clean requirements/dependencies when removing packages (rpm)
+- name: V-71987 - Clean requirements/dependencies when removing packages (RedHat)
 lineinfile:
 dest: "{{ pkg_mgr_config }}"
 regexp: "^(#)?clean_requirements_on_remove"
@@ -48,6 +48,20 @@
 - packages
 - V-71987
+- name: V-71987 - Clean requirements/dependencies when removing packages (SUSE)
+ lineinfile:
+ dest: "{{ pkg_mgr_config }}"
+ regexp: '^(#)?\s*solver\.cleandepsOnRemove'
+ line: 'solver.cleandepsOnRemove = true'
+ state: present
+ when:
+ - security_package_clean_on_remove | bool
+ - ansible_pkg_mgr == 'zypper'
+ tags:
+ - low
+ - packages
+ - V-71987
+
 - name: V-71987 - Clean requirements/dependencies when removing packages (dpkg)
 lineinfile:
 dest: /etc/apt/apt.conf.d/security-autoremove
@@ -143,3 +157,15 @@
 - packages
 - cat2
 - V-71999
+
+- name: Enable automatic package updates (SUSE)
+ copy:
+ src: zypper-autoupdates
+ dest: /etc/cron.daily/zypper-autoupdates
+ when:
+ - ansible_pkg_mgr == 'zypper'
+ - security_rhel7_automatic_package_updates | bool
+ tags:
+ - packages
+ - cat2
+ - V-71999
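Review bot: The main.yml hunk keeps `ansible_os_family | lower in ['redhat', 'suse']` while every other gate in this change moves to `ansible_pkg_mgr`, the fact the commit message calls reliable on SUSE. The async RPM verification started here is therefore selected by a different fact from the tasks that consume `rpmverify_task` (the file_perms.yml hunks and the `async_status` task in the new zypper.yml); where the two facts disagree on a host, the `async_status` task skips through its `skipped` guard and the following grep on `{{ temp_dir }}/rpmverify.txt` would presumably fail on the missing file. `- ansible_pkg_mgr in ['yum', 'dnf', 'zypper']` would align it with the rest. The task's definition starts outside the hunk.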
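Review bot: The new SUSE clean-on-remove task edits `{{ pkg_mgr_config }}` (`/etc/zypp/zypp.conf` per vars/suse.yml) with `lineinfile`, which appends `solver.cleandepsOnRemove = true` at end of file when the regexp matches nothing; zypp.conf is INI-style, so an appended line lands in whichever section happens to be last rather than necessarily the `[main]` section where the shipped file keeps this option, as far as I know. The regexp `^(#)?\s*solver\.cleandepsOnRemove` also only recognises a commented default that begins with a single `#`. `ini_file` with `section: main`, `option: solver.cleandepsOnRemove` and `value: 'true'` states the intent and is section-aware. The dpkg task at the end of the hunk continues outside it.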
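Review bot: The `copy` task in the last packages.yml hunk installs `/etc/cron.daily/zypper-autoupdates` without `mode`, `owner` or `group`, so the file takes the target's umask-derived default (typically 0644); the daily cron runner only executes entries that carry the execute bit, so the update job would be installed but never run. Add `mode: "0755"`, `owner: root` and `group: root` to the task, keeping the mode a quoted string so YAML does not read it as an octal integer. The script's contents live in `files/zypper-autoupdates`, outside this hunk.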
diff --git a/tasks/rhel7stig/zypper.yml b/tasks/rhel7stig/zypper.yml
new file mode 100644
index 00000000..43b8f482
--- /dev/null
+++ b/tasks/rhel7stig/zypper.yml
@@ -0,0 +1,79 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+# Copyright 2017, SUSE LINUX GmbH.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensure RPM verification task has finished
+ async_status:
+ jid: "{{ rpmverify_task.ansible_job_id }}"
+ failed_when: False
+ changed_when: False
+ register: job_result
+ until: job_result.finished
+ retries: 30
+ when:
+ - not rpmverify_task | skipped
+
+- name: V-71855 - Get files with invalid checksums (rpm)
+ shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"
+ register: invalid_checksum_files
+ changed_when: False
+ when:
+ - not check_mode | bool
+ - ansible_pkg_mgr == 'zypper'
+ tags:
+ - rpm
+ - high
+ - V-71855
+
+- name: V-71855 - The cryptographic hash of system files and commands must match vendor values (rpm)
+ debug:
+ msg: |
+ The following files have checksums that differ from the checksum provided
+ with their package. Each of these should be verified manually to ensure
+ they have not been modified by an unauthorized user.
+
+ {% for filename in invalid_checksum_files.stdout_lines %}
+ {{ filename }}
+ {% endfor %}
+ when:
+ - not check_mode | bool
+ - ansible_pkg_mgr == 'zypper'
+ - invalid_checksum_files is defined
+ - invalid_checksum_files.stdout is defined
+ tags:
+ - rpm
+ - high
+ - V-71855
+
+- name: Determine all SUSE repositories
+ shell: ls /etc/zypp/repos.d/*.repo
+ changed_when: false
+ register: all_zypper_repositories
+
+- name: V-71977 - Require digital signatures for all packages and repositories
+ lineinfile:
+ dest: "{{ item }}"
+ regexp: '^(#)?\s*gpgcheck'
+ line: "gpgcheck=1"
+ state: present
+ with_items:
+ - "{{ all_zypper_repositories.stdout_lines | default([]) }}"
+ - "{{ pkg_mgr_config }}"
+ tags:
+ - rpm
+ - high
+ - V-71977
+ - V-71979
+ - V-71981
diff --git a/vars/debian.yml b/vars/debian.yml
index 6fae2c07..85ae2163 100644
--- a/vars/debian.yml
+++ b/vars/debian.yml
@@ -33,6 +33,7 @@ grub_conf_file_efi: /boot/efi/EFI/ubuntu/grub.cfg
 grub_defaults_file: /etc/default/grub
 aide_cron_job_path: /etc/cron.daily/aide
 aide_database_file: /var/lib/aide/aide.db
+aide_database_out_file: /var/lib/aide/aide.db.new
 chrony_conf_file: /etc/chrony/chrony.conf
 daemon_init_params_file: /etc/init.d/rc
diff --git a/vars/redhat.yml b/vars/redhat.yml
index 8c32021f..1c5386e3 100644
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@@ -29,6 +29,7 @@ grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' '
 grub_defaults_file: /etc/sysconfig/grub
 aide_cron_job_path: /etc/cron.d/aide
 aide_database_file: /var/lib/aide/aide.db.gz
+aide_database_out_file: /var/lib/aide/aide.db.new.gz
 chrony_conf_file: /etc/chrony.conf
 daemon_init_params_file: /etc/init.d/functions
 pkg_mgr_config: "{{ (ansible_pkg_mgr == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}"
diff --git a/vars/suse.yml b/vars/suse.yml
new file mode 100644
index 00000000..0d68027d
--- /dev/null
+++ b/vars/suse.yml
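Review bot: `shell: ls /etc/zypp/repos.d/*.repo` exits non-zero when the directory holds no `.repo` file (the unmatched glob is passed to `ls` literally) and the task has no `failed_when`, so a host without repository files aborts the play instead of simply having nothing to patch; the `default([])` on the consumer only helps in check mode, where the shell task is skipped. The `find` module returns an empty list in that case and does not depend on shell globbing, with the V-71977 task iterating over `files | map(attribute='path')` instead of `stdout_lines`. Separately, `lineinfile` replaces only the last `gpgcheck` match per file and appends to end of file otherwise, which is fine for one-section `.repo` files but silently wrong for a file holding several `[repo]` sections — `ini_file` would be section-aware. Both tasks are complete within the hunk.
```yaml
- name: Determine all SUSE repositories
  find:
    paths: /etc/zypp/repos.d
    patterns: '*.repo'
  register: all_zypper_repositories

- name: V-71977 - Require digital signatures for all packages and repositories
  # … unchanged: lineinfile dest/regexp/line/state …
  with_items:
    - "{{ all_zypper_repositories.files | default([]) | map(attribute='path') | list }}"
    - "{{ pkg_mgr_config }}"
  # … unchanged: tags …
```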
@@ -0,0 +1,102 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+# Copyright 2017, SUSE LINUX GmbH
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Variables for openSUSE
+#
+# For more details, see 'vars/main.yml'.
+
+# Configuration file paths
+pam_auth_file: /etc/pam.d/common-auth
+pam_password_file: /etc/pam.d/common-password
+pam_postlogin_file: /etc/pam.d/login
+vsftpd_conf_file: /etc/vsftpd.conf
+grub_conf_file: /boot/grub2/grub.cfg
+# NOTE(hwoarang) SUSE seems to be using the ID field from /etc/os-release to
+# create the EFI distro directory. Since this information is not available on
+# Ansible, we have to improvise a bit...
+grub_conf_file_efi: "{% set os_id = ansible_distribution.split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse','sles') }}/grub.cfg"
+grub_defaults_file: /etc/default/grub
+aide_cron_job_path: /etc/cron.daily/aide
+aide_database_file: /var/lib/aide/aide.db
+aide_database_out_file: /var/lib/aide/aide.db.new
+chrony_conf_file: /etc/chrony.conf
+daemon_init_params_file: /etc/rc.status
+pkg_mgr_config: /etc/zypp/zypp.conf
+
+# Service names
+cron_service: crond
+ssh_service: sshd
+chrony_service: chronyd
+clamav_service: 'clamd'
+
+# Commands
+grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
+ssh_keysign_path: /usr/lib/ssh
+
+# Other configuration
+security_interactive_user_minimum_uid: 1000
+
+# RHEL 7 STIG: Packages to add/remove
+stig_packages_rhel7:
+ - packages:
+ - audit-audispd-plugins
+ - audit
+ - aide
+ - dracut-fips
+ - openssh
+ - screen
+ state: "{{ security_package_state }}"
+ enabled: True
+ - packages:
+ - apparmor-parser
+ - apparmor-profiles
+ - apparmor-utils
+ state: "{{ security_package_state }}"
+ enabled: "{{ security_rhel7_enable_linux_security_module }}"
+ - packages:
+ - chrony
+ state: "{{ security_package_state }}"
+ enabled: "{{ security_rhel7_enable_chrony }}"
+ - packages:
+ - clamav
+ - clamav-database
+ - monitoring-plugins-clamav
+ state: "{{ security_package_state }}"
+ enabled: "{{ security_enable_virus_scanner }}"
+ - packages:
+ - firewalld
+ state: "{{ security_package_state }}"
+ enabled: "{{ security_enable_firewalld }}"
+ - packages:
+ - rsh-server
+ state: absent
+ enabled: "{{ security_rhel7_remove_rsh_server }}"
+ - packages:
+ - telnet-server
+ state: absent
+ enabled: "{{ security_rhel7_remove_telnet_server }}"
+ - packages:
+ - tftp
+ state: absent
+ enabled: "{{ security_rhel7_remove_tftp_server }}"
+ - packages:
+ - xorg-x11-server
+ state: absent
+ enabled: "{{ security_rhel7_remove_xorg }}"
+ - packages:
+ - ypserv
+ state: absent
+ enabled: "{{
security_rhel7_remove_ypserv }}"
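Review bot: Booleans and quoting in the new vars/suse.yml are mixed: `enabled: True` uses the Python-style capitalised form while every other `enabled:` in the list is a templated string and yamllint's truthy rule expects lowercase `true`/`false`, and `clamav_service: 'clamd'` is quoted where its sibling service names are plain; `enabled: true` and `clamav_service: clamd` would make the file uniform. `grub_update_cmd` also references `grub_config_file_boot`, a name this file does not define (it defines `grub_conf_file`); if vars/main.yml, which the header comment points to, does not provide it, the command would be undefined at run time — worth confirming. The hunk is the whole file, with its final line split across the page.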