404 lines
22 KiB
YAML
404 lines
22 KiB
YAML
---
|
|
# Copyright 2015, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
## STIG version selection
|
|
# The RHEL 7 STIG content first appeared in the Ocata release and is compatible
|
|
# with the following operating systems:
|
|
#
|
|
# * CentOS 7
|
|
# * Debian Jessie
|
|
# * Fedora 27
|
|
# * openSUSE Leap 42.x
|
|
# * SUSE Linux Enterprise 12
|
|
# * Ubuntu 16.04 Xenial LTS
|
|
#
|
|
# Valid options: rhel7
|
|
stig_version: rhel7
|
|
|
|
## APT Cache Options
|
|
# This variable is used across multiple OpenStack-Ansible roles to handle the
|
|
# apt cache updates as efficiently as possible.
|
|
cache_timeout: 600
|
|
|
|
# Set the package install state for distribution packages
|
|
# Options are 'present' and 'latest'
|
|
security_package_state: present
|
|
|
|
## EPEL
|
|
# Set the following variable to `no` to prevent the EPEL repository from being
|
|
# installed by the role. This may prevent certain packages from installing,
|
|
# such as ClamAV.
|
|
security_epel_install_repository: yes
|
|
#
|
|
# Some deployers install a customized EPEL package that redirects servers to
|
|
# their internal EPEL mirrors. Provide the name of the EPEL repository package
|
|
# (epel-release by default on CentOS) or a URL to an EPEL release RPM file.
|
|
security_epel_release_package: epel-release
|
|
|
|
###############################################################################
|
|
# ____ _ _ _____ _ _____ ____ _____ ___ ____
|
|
# | _ \| | | | ____| | |___ | / ___|_ _|_ _/ ___|
|
|
# | |_) | |_| | _| | | / / \___ \ | | | | | _
|
|
# | _ <| _ | |___| |___ / / ___) || | | | |_| |
|
|
# |_| \_\_| |_|_____|_____| /_/ |____/ |_| |___\____|
|
|
#
|
|
# The following options are specific to the RHEL 7 STIG. For details on each
|
|
# option, refer to the ansible-hardening documentation:
|
|
#
|
|
# https://docs.openstack.org/ansible-hardening/latest/domains.html
|
|
#
|
|
###############################################################################
|
|
|
|
## Accounts (accounts)
|
|
# Set minimum password lifetime to 1 day for interactive accounts.
|
|
security_set_minimum_password_lifetime: no # V-71927
|
|
security_set_maximum_password_lifetime: no # V-71931
|
|
|
|
## AIDE (aide)
|
|
# Initialize the AIDE database immediately (may take time).
|
|
security_rhel7_initialize_aide: no # V-71973
|
|
|
|
# The default Ubuntu configuration for AIDE will cause it to wander into some
|
|
# terrible places on the system, such as /var/lib/lxc and images in /opt.
|
|
# The following three default exclusions are highly recommended for AIDE to
|
|
# work properly, but additional exclusions can be added to this list if needed.
|
|
security_aide_exclude_dirs:
|
|
- /openstack
|
|
- /opt
|
|
- /run
|
|
- /var
|
|
|
|
## Audit daemon (auditd)
|
|
# Send audit records to a different system using audisp.
|
|
#security_audisp_remote_server: '10.0.21.1' # V-72083
|
|
# Encrypt audit records when they are transmitted over the network.
|
|
#security_audisp_enable_krb5: yes # V-72085
|
|
# Set the auditd failure flag. WARNING: READ DOCUMENTATION BEFORE CHANGING!
|
|
security_rhel7_audit_failure_flag: 1 # V-72081
|
|
# Set the action to take when the disk is full or network events cannot be sent.
|
|
security_rhel7_auditd_disk_full_action: syslog # V-72087
|
|
security_rhel7_auditd_network_failure_action: syslog # V-72087
|
|
# Size of remaining disk space (in MB) that triggers alerts.
|
|
security_rhel7_auditd_space_left: "{{ (ansible_mounts | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # V-72089
|
|
# Action to take when the space_left threshold is reached.
|
|
security_rhel7_auditd_space_left_action: email # V-72091
|
|
# Send auditd email alerts to this user.
|
|
security_rhel7_auditd_action_mail_acct: root # V-72093
|
|
# Add audit rules for commands/syscalls.
|
|
security_rhel7_audit_chsh: yes # V-72167
|
|
security_rhel7_audit_chage: yes # V-72155
|
|
security_rhel7_audit_chcon: yes # V-72139
|
|
security_rhel7_audit_chmod: no # V-72105
|
|
security_rhel7_audit_chown: no # V-72097
|
|
security_rhel7_audit_creat: yes # V-72123
|
|
security_rhel7_audit_crontab: yes # V-72183
|
|
security_rhel7_audit_delete_module: yes # V-72189
|
|
security_rhel7_audit_fchmod: no # V-72107
|
|
security_rhel7_audit_fchmodat: no # V-72109
|
|
security_rhel7_audit_fchown: no # V-72099
|
|
security_rhel7_audit_fchownat: no # V-72103
|
|
security_rhel7_audit_fremovexattr: no # V-72119
|
|
security_rhel7_audit_fsetxattr: no # V-72113
|
|
security_rhel7_audit_ftruncate: yes # V-72133
|
|
security_rhel7_audit_init_module: yes # V-72187
|
|
security_rhel7_audit_gpasswd: yes # V-72153
|
|
security_rhel7_audit_lchown: no # V-72101
|
|
security_rhel7_audit_lremovexattr: no # V-72121
|
|
security_rhel7_audit_lsetxattr: no # V-72115
|
|
security_rhel7_audit_mount: yes # V-72171
|
|
security_rhel7_audit_newgrp: yes # V-72165
|
|
security_rhel7_audit_open: yes # V-72125
|
|
security_rhel7_audit_openat: yes # V-72127
|
|
security_rhel7_audit_open_by_handle_at: yes # V-72129
|
|
security_rhel7_audit_pam_timestamp_check: yes # V-72185
|
|
security_rhel7_audit_passwd: yes # V-72149
|
|
security_rhel7_audit_postdrop: yes # V-72175
|
|
security_rhel7_audit_postqueue: yes # V-72177
|
|
security_rhel7_audit_removexattr: no # V-72117
|
|
security_rhel7_audit_rename: yes # V-72199
|
|
security_rhel7_audit_renameat: yes # V-72201
|
|
security_rhel7_audit_restorecon: yes # V-72141
|
|
security_rhel7_audit_rmdir: yes # V-72203
|
|
security_rhel7_audit_semanage: yes # V-72135
|
|
security_rhel7_audit_setsebool: yes # V-72137
|
|
security_rhel7_audit_setxattr: no # V-72111
|
|
security_rhel7_audit_ssh_keysign: yes # V-72179
|
|
security_rhel7_audit_su: yes # V-72159
|
|
security_rhel7_audit_sudo: yes # V-72161
|
|
security_rhel7_audit_sudoedit: yes # V-72169
|
|
security_rhel7_audit_truncate: yes # V-72131
|
|
security_rhel7_audit_umount: yes # V-72173
|
|
security_rhel7_audit_unix_chkpwd: yes # V-72151
|
|
security_rhel7_audit_unlink: yes # V-72205
|
|
security_rhel7_audit_unlinkat: yes # V-72207
|
|
security_rhel7_audit_userhelper: yes # V-72157
|
|
# Add audit rules for other events.
|
|
security_rhel7_audit_account_access: yes # V-72143
|
|
security_rhel7_audit_sudo_config_changes: yes # V-72163
|
|
security_rhel7_audit_insmod: yes # V-72191
|
|
security_rhel7_audit_rmmod: yes # V-72193
|
|
security_rhel7_audit_modprobe: yes # V-72195
|
|
security_rhel7_audit_account_actions: yes # V-72197
|
|
|
|
## Authentication (auth)
|
|
# Check if sudoers has the NOPASSWD rule enabled
|
|
security_sudoers_nopasswd_check_enable: yes
|
|
|
|
# Disallow logins from accounts with blank/null passwords via PAM.
|
|
security_disallow_blank_password_login: yes # V-71937
|
|
# Apply password quality rules.
|
|
# NOTE: The security_pwquality_apply_rules variable is a "master switch".
|
|
# Set the 'security_pwquality_apply_rules' variable to 'yes' to apply all of
|
|
# the password quality rules. Each rule can be disabled with a value of 'no'.
|
|
security_pwquality_apply_rules: no
|
|
security_pwquality_require_uppercase: yes # V-71903
|
|
security_pwquality_require_lowercase: yes # V-71905
|
|
security_pwquality_require_numeric: yes # V-71907
|
|
security_pwquality_require_special: yes # V-71909
|
|
security_pwquality_require_characters_changed: yes # V-71911
|
|
security_pwquality_require_character_classes_changed: yes # V-71913
|
|
security_pwquality_limit_repeated_characters: yes # V-71915
|
|
security_pwquality_limit_repeated_character_classes: yes # V-71917
|
|
security_pwquality_require_minimum_password_length: no # V-71935
|
|
# Use pwquality when passwords are changed or established.
|
|
security_enable_pwquality_password_set: no # V-73159
|
|
# Ensure passwords are stored using SHA512.
|
|
security_password_encrypt_method: SHA512 # V-71921
|
|
# Ensure user/group admin utilities only store encrypted passwords.
|
|
security_libuser_crypt_style_sha512: yes # V-71923
|
|
# Set a minimum/maximum lifetime limit for user passwords.
|
|
#security_password_min_lifetime_days: 1 # V-71925
|
|
#security_password_max_lifetime_days: 60 # V-71929
|
|
# Set a delay (in seconds) between failed login attempts.
|
|
security_shadow_utils_fail_delay: 4 # V-71951
|
|
# Set a umask for all authenticated users.
|
|
# security_shadow_utils_umask: '077' # V-71995
|
|
# Create home directories for new users by default.
|
|
security_shadow_utils_create_home: yes # V-72013
|
|
# How many old user password to remember to prevent password re-use.
|
|
#security_password_remember_password: 5 # V-71933
|
|
# Disable user accounts if the password expires.
|
|
security_disable_account_if_password_expires: no # V-71941
|
|
# Lock user accounts with excessive login failures. See documentation.
|
|
security_pam_faillock_enable: no # V-71945 / V-71943 / RHEL-07-010373
|
|
security_pam_faillock_interval: 900
|
|
security_pam_faillock_attempts: 3
|
|
security_pam_faillock_deny_root: yes # RHEL-07-010373
|
|
security_pam_faillock_unlock_time: 604800 # V-71943
|
|
# Limit the number of concurrent connections per account.
|
|
#security_rhel7_concurrent_session_limit: 10 # V-72217
|
|
# Remove .shosts and shosts.equiv files.
|
|
security_rhel7_remove_shosts_files: no # V-72277
|
|
|
|
## File permissions (file_perms)
|
|
# Reset file permissions and ownership for files installed via RPM packages.
|
|
security_reset_perm_ownership: no # V-71849
|
|
# Search for files/directories owned by invalid users or groups.
|
|
security_search_for_invalid_owner: no # V-72007
|
|
security_search_for_invalid_group_owner: no # V-72009
|
|
# Set user/group owners on each home directory and set mode to 0750.
|
|
security_set_home_directory_permissions_and_owners: no # V-72017 / V-72019 / V-72021
|
|
# Find all world-writable directories and display them.
|
|
security_find_world_writable_dirs: no # V-72047
|
|
|
|
## Graphical interfaces (graphical)
|
|
# Disable automatic gdm logins
|
|
security_disable_gdm_automatic_login: yes # V-71953
|
|
# Disable timed gdm logins for guests
|
|
security_disable_gdm_timed_login: yes # V-71955
|
|
# Enable session locking for graphical logins.
|
|
security_lock_session: no # V-71891
|
|
# Set a timer (in seconds) when an inactive session is locked.
|
|
security_lock_session_inactive_delay: 900 # V-71893
|
|
# Prevent users from modifying session lock settings.
|
|
security_lock_session_override_user: yes # RHEL-07-010071
|
|
# Lock a session (start screensaver) when a session is inactive.
|
|
security_lock_session_when_inactive: yes # V-71893
|
|
# Time after screensaver starts when user login is required.
|
|
security_lock_session_screensaver_lock_delay: 5 # V-71901
|
|
# Enable a login banner and set the text for the banner.
|
|
security_enable_graphical_login_message: yes # V-71859
|
|
security_enable_graphical_login_message_text: >
|
|
You are accessing a secured system and your actions will be logged along
|
|
with identifying information. Disconnect immediately if you are not an
|
|
authorized user of this system.
|
|
|
|
## Linux Security Module (lsm)
|
|
# Enable SELinux on Red Hat/CentOS and AppArmor on Ubuntu.
|
|
security_rhel7_enable_linux_security_module: yes # V-71989 / V-71991
|
|
|
|
## Miscellaneous (misc)
|
|
# Disable the autofs service.
|
|
security_rhel7_disable_autofs: yes # V-71985
|
|
# Enable virus scanning with clamav
|
|
security_enable_virus_scanner: no # V-72213
|
|
# Run the virus scanner update during the deployment (if scanner is deployed)
|
|
security_run_virus_scanner_update: yes
|
|
# Disable ctrl-alt-delete key sequence on the console.
|
|
security_rhel7_disable_ctrl_alt_delete: yes # V-71993
|
|
# Install and enable firewalld for iptables management.
|
|
security_enable_firewalld: no # V-72273
|
|
# Rate limit TCP connections to 25/min and burstable to 100.
|
|
security_enable_firewalld_rate_limit: no # V-72271
|
|
security_enable_firewalld_rate_limit_per_minute: 25
|
|
security_enable_firewalld_rate_limit_burst: 100
|
|
# Update the grub configuration.
|
|
security_enable_grub_update: yes
|
|
# Require authentication in GRUB to boot into single-user or maintenance modes.
|
|
security_require_grub_authentication: no # V-71961 / V-71963
|
|
# The default password for grub authentication is 'secrete'.
|
|
security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B
|
|
# Set session timeout.
|
|
security_rhel7_session_timeout: 600 # V-72223
|
|
# Enable chrony for NTP time synchronization.
|
|
security_rhel7_enable_chrony: yes # V-72269
|
|
# Use the following NTP servers.
|
|
security_ntp_servers:
|
|
- 0.pool.ntp.org
|
|
- 1.pool.ntp.org
|
|
- 2.pool.ntp.org
|
|
- 3.pool.ntp.org
|
|
# NTP server options.
|
|
security_ntp_server_options: offline maxpoll 10 minpoll 8
|
|
# Chrony limits access to clients that are on certain subnets. Adjust the
|
|
# following subnets here to limit client access to chrony servers.
|
|
security_allowed_ntp_subnets:
|
|
- 10/8
|
|
- 192.168/16
|
|
- 172.16/12
|
|
# Listen for NTP requests only on local interfaces.
|
|
security_ntp_bind_local_interfaces_only: yes
|
|
# Restrict mail relaying.
|
|
security_rhel7_restrict_mail_relaying: yes # V-72297
|
|
# Deploy a login banner. # V-72225 / V-71863
|
|
security_login_banner_text: |
|
|
------------------------------------------------------------------------------
|
|
* WARNING *
|
|
* You are accessing a secured system and your actions will be logged along *
|
|
* with identifying information. Disconnect immediately if you are not an *
|
|
* authorized user of this system. *
|
|
------------------------------------------------------------------------------
|
|
|
|
|
|
## Packages (packages)
|
|
# Remove packages from the system as required by the STIG. Set any of these
|
|
# to 'no' to skip their removal.
|
|
security_rhel7_remove_rsh_server: yes # V-71967
|
|
security_rhel7_remove_telnet_server: yes # V-72077
|
|
security_rhel7_remove_tftp_server: yes # V-72301
|
|
security_rhel7_remove_xorg: yes # V-72307
|
|
security_rhel7_remove_ypserv: yes # V-71969
|
|
# Automatically remove dependencies when removing packages.
|
|
security_package_clean_on_remove: no # V-71987
|
|
# Automatically update packages.
|
|
security_rhel7_automatic_package_updates: no # V-71999
|
|
# Install packages for multi-factor authentication.
|
|
security_install_multifactor_auth_packages: yes # V-72417
|
|
security_check_package_checksums: no # V-71855
|
|
|
|
## RPM (rpm)
|
|
# Enable GPG checks for packages and repository data.
|
|
security_enable_gpgcheck_packages: yes # V-71977
|
|
security_enable_gpgcheck_packages_local: yes # V-71979
|
|
security_enable_gpgcheck_repo: no # V-71981
|
|
|
|
## ssh server (sshd)
|
|
# Ensure sshd is running and enabled at boot time.
|
|
security_enable_sshd: yes # V-72235
|
|
# Disallow logins from users with empty/null passwords.
|
|
security_sshd_disallow_empty_password: yes # V-71939 / RHEL-07-010440
|
|
# Disallow users from overriding the ssh environment variables.
|
|
security_sshd_disallow_environment_override: yes # V-71957
|
|
# Disallow host based authentication.
|
|
security_sshd_disallow_host_based_auth: yes # V-71959
|
|
# Set a list of allowed ssh ciphers.
|
|
security_sshd_cipher_list: 'aes128-ctr,aes192-ctr,aes256-ctr' # V-72221
|
|
# Specify a text file to be displayed as the banner/MOTD for all sessions.
|
|
security_sshd_banner_file: /etc/motd # V-71861 / V-72225
|
|
# Set the interval for max session length and the number of intervals to allow.
|
|
security_sshd_client_alive_interval: 600 # V-72237
|
|
security_sshd_client_alive_count_max: 0 # V-72241
|
|
# Print the last login for a user when they log in over ssh.
|
|
security_sshd_print_last_log: yes # V-72245
|
|
# Permit direct root logins ('yes', 'no', 'without-password', 'prohibit-password', 'forced-commands-only')
|
|
security_sshd_permit_root_login: no # V-72247
|
|
# Disallow authentication using known hosts authentication.
|
|
security_sshd_disallow_known_hosts_auth: yes # V-72249 / V-72239
|
|
# Disallow rhosts authentication.
|
|
security_sshd_disallow_rhosts_auth: yes # V-72243
|
|
# Enable X11 forwarding.
|
|
security_sshd_enable_x11_forwarding: yes # V-72303
|
|
# Set the allowed ssh protocols.
|
|
security_sshd_protocol: 2 # V-72251
|
|
# Set the list of allowed Message Authentication Codes (MACs) for ssh.
|
|
security_sshd_allowed_macs: 'hmac-sha2-256,hmac-sha2-512' # V-72253
|
|
# Disallow Generic Security Service Application Program Interface (GSSAPI) auth.
|
|
security_sshd_disallow_gssapi: yes # V-72259
|
|
# Disallow compression or delay after login.
|
|
security_sshd_compression: 'delayed' # V-72267
|
|
# Require privilege separation at every opportunity.
|
|
security_sshd_enable_privilege_separation: yes # V-72265
|
|
# Require strict mode checking of home directory configuration files.
|
|
security_sshd_enable_strict_modes: yes # V-72263
|
|
# Disallow Kerberos authentication.
|
|
security_sshd_disable_kerberos_auth: yes # V-72261
|
|
|
|
## Kernel settings (kernel)
|
|
# Disallow forwarding IPv4/IPv6 source routed packets on all interfaces
|
|
# immediately and by default on new interfaces.
|
|
security_disallow_source_routed_packet_forward_ipv4: yes # V-72283 / V-72285
|
|
security_disallow_source_routed_packet_forward_ipv6: yes # V-72319
|
|
# Disallow responses to IPv4 ICMP echoes sent to broadcast address.
|
|
security_disallow_echoes_broadcast_address: yes # V-72287
|
|
# Disallow IPV4 ICMP redirects on all interfaces immediately and by default on
|
|
# new interfaces.
|
|
security_disallow_icmp_redirects: yes # V-73175 / V-72289 / V-72291 / V-72293
|
|
# Disallow IP forwarding.
|
|
security_disallow_ip_forwarding: no # V-72309
|
|
# Disable USB storage support.
|
|
security_rhel7_disable_usb_storage: yes # V-71983
|
|
# Disable kdump.
|
|
security_disable_kdump: yes # V-72057
|
|
# Disable Datagram Congestion Control Protocol (DCCP).
|
|
security_rhel7_disable_dccp: yes # V-77821
|
|
# Enable Address Space Layout Randomization (ASLR).
|
|
security_enable_aslr: yes # V-77825
|
|
|
|
###############################################################################
|
|
# ____ _ _ _
|
|
# / ___|___ _ __ | |_ _ __(_) |__
|
|
# | | / _ \| '_ \| __| '__| | '_ \
|
|
# | |__| (_) | | | | |_| | | | |_) |
|
|
# \____\___/|_| |_|\__|_| |_|_.__/
|
|
#
|
|
#
|
|
# The following configurations apply to tasks that are contributed by
|
|
# ansible-hardening developers and may not be part of a hardening standard
|
|
# or compliance program. For more information on the 'contrib' tasks, review
|
|
# the documentation:
|
|
#
|
|
# https://docs.openstack.org/ansible-hardening/latest/contrib.html
|
|
#
|
|
###############################################################################
|
|
|
|
# To enable the contrib tasks, set this variable to 'yes'.
|
|
security_contrib_enabled: no
|
|
|
|
# Disable IPv6.
|
|
# DANGER: This option causes IPv6 networking to be disabled for the ENTIRE
|
|
# DANGER: SYSTEM. This will cause downtime for any services that depend on
|
|
# DANGER: IPv6 network connectivity.
|
|
security_contrib_disable_ipv6: no # C-00001
|