[Docs] Metadata cleanup

This patch adds the right tags to each piece of metadata and corrects
small errors found in the deployer notes.

Closes-bug: 1595669
Change-Id: Ic04aaad85ebf111be5a0bdb01a350442fdea1433
Major Hayden 2016-09-12 14:07:16 -05:00
parent 79eeaa43fb
commit 3c19f00a7f
257 changed files with 386 additions and 641 deletions

@ -1,7 +1,7 @@
---
id: V-38437
status: implemented
tag: misc
tag: services
---
If ``autofs`` is installed, it will be disabled by Ansible tasks. To opt-out

@ -1,11 +1,9 @@
---
id: V-38438
status: exception
tag: misc
status: implemented
tag: boot
---
**Exception**
To opt-out of the change, set the following variable:
.. code-block:: yaml
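Review bot: the change from ``status: exception`` to ``status: implemented`` (with the ``**Exception**`` heading dropped) is a classification change, not a tag fix, and the commit message only promises tag additions and small corrections. Either mention the status changes in the commit message (this entry, plus the same ``exception`` to ``implemented`` flips for V-38531, V-38536 and V-38538 later in the diff) or split them into their own change so reviewers can check each one. The retained opt-out sentence is consistent with ``implemented``.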

@ -1,11 +1,9 @@
---
id: V-38439
status: exception
tag: misc
status: exception - manual intervention
tag: auth
---
**Exception**
Although adding centralized authentication and carefully managing user
accounts is critical for securing any system, that's left up to deployers
to handle via their internal business processes.

@ -1,7 +1,7 @@
---
id: V-38443
status: implemented
tag: misc
tag: auth
---
The ``/etc/gshadow`` file is owned by root by default on Ubuntu 14.04, Ubuntu

@ -1,10 +1,8 @@
---
id: V-38444
status: exception
tag: misc
status: exception - manual intervention
tag: network
---
**Exception**
See V-38551 for additional details. IPv6 configuration and filtering is left
up to the deployer.

@ -1,7 +1,7 @@
---
id: V-38445
status: implemented
tag: misc
tag: auditd
---
The logs generated by the audit daemon are owned by root in Ubuntu 14.04,

@ -1,10 +1,12 @@
---
id: V-38446
status: implemented
tag: misc
status: configuration required
tag: mail
---
Forwarding root's email to another user is highly recommended, but the Ansible
tasks won't configure an email address to receive root's email unless that
email address is configured. Set ``security_root_forward_email`` to an email
address that is ready to receive root's email.
Forwarding root's email to another user is highly recommended so that someone
can receive emails about errors or security events.
Deployers should set ``security_root_forward_email`` to a valid email address
of a user or mailing list that should receive critical automated emails from
the server.
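Review bot: the rewritten body loses the statement that the tasks will not configure any forwarding unless ``security_root_forward_email`` is set. The new ``configuration required`` status implies that, but the note is what deployers actually read, so keep one explicit sentence about the default (no forwarding is configured until the variable is set). Also, "Deployers should set" reads as advice while the status says configuration is required; "must set" matches the status.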

@ -1,11 +1,9 @@
---
id: V-38447
status: exception
tag: misc
tag: package
---
**Exception**
Although Ubuntu provides the ``debsums`` command for checking the contents of
files installed from packages, it cannot perform a detailed level of checking
sufficient to meet the STIG requirement. Some packages are not shipped with MD5

@ -1,7 +1,7 @@
---
id: V-38448
status: implemented
tag: misc
tag: auth
---
Although the ``/etc/gshadow`` file is group-owned by root by default, the

@ -1,7 +1,7 @@
---
id: V-38449
status: implemented
tag: misc
tag: auth
---
The ``/etc/gshadow`` file's permissions will be changed to ``0000`` to meet

@ -1,7 +1,7 @@
---
id: V-38450
status: implemented
tag: misc
tag: auth
---
The ownership of ``/etc/passwd`` will be changed to root.

@ -1,7 +1,7 @@
---
id: V-38451
status: implemented
tag: misc
tag: auth
---
The group ownership for ``/etc/passwd`` will be set to root.

@ -1,11 +1,9 @@
---
id: V-38452
status: exception
tag: misc
tag: package
---
**Exception**
Although Ubuntu provides the ``debsums`` command for checking the contents of
files installed from packages, it cannot perform a detailed level of checking
sufficient to meet the STIG requirement. Some packages are not shipped with MD5

@ -1,11 +1,11 @@
---
id: V-38453
status: exception
tag: misc
status: exception - ubuntu
tag: package
---
**Exception for Ubuntu**
Verifying ownership and permissions of installed packages isn't possible in the
current version of ``dpkg`` as it is with ``rpm``. This security configuration
is skipped for Ubuntu. For CentOS, this check is done as part of V-38637.
is skipped for Ubuntu.
For CentOS, this check is done as part of V-38637.

@ -1,11 +1,9 @@
---
id: V-38454
status: exception
tag: misc
tag: package
---
**Exception**
Although Ubuntu provides the ``debsums`` command for checking the contents of
files installed from packages, it cannot perform a detailed level of checking
sufficient to meet the STIG requirement. Some packages are not shipped with MD5

@ -1,11 +1,9 @@
---
id: V-38455
status: exception
tag: misc
status: exception - initial provisioning
tag: boot
---
**Exception**
Configuring another mount for ``/tmp`` can disrupt a running system and this
configuration is skipped.

@ -1,11 +1,9 @@
---
id: V-38456
status: exception
tag: misc
status: exception - initial provisioning
tag: boot
---
**Exception**
Configuring another mount for ``/var`` can disrupt a running system and this
configuration is skipped.

@ -1,7 +1,7 @@
---
id: V-38457
status: implemented
tag: misc
tag: auth
---
The permissions for ``/etc/passwd`` will be set to ``0644``.

@ -1,7 +1,7 @@
---
id: V-38458
status: implemented
tag: misc
tag: auth
---
The Ansible task will ensure that the ``/etc/group`` file is owned by the root

@ -1,8 +1,8 @@
---
id: V-38459
status: implemented
tag: misc
tag: auth
---
The tasks in file_perms.yml will ensure that "/etc/group" is owned by
the root account.
The Ansible tasks will ensure that ``/etc/group`` is owned by the ``root``
user.

@ -1,7 +1,7 @@
---
id: V-38460
status: implemented
tag: misc
tag: nfsd
---
The Ansible tasks will check for ``all_squash`` in ``/etc/exports`` (if it is

@ -1,8 +1,8 @@
---
id: V-38461
status: implemented
tag: misc
tag: auth
---
Ubuntu sets the mode of ``/etc/group`` to ``0644`` by default and the Ansible
task will ensure that it is current set to those permissions.
The Ansible tasks will ensure that the mode of ``/etc/group//` is set to
``0644``.
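Review bot: the added line contains a malformed inline literal. ``/etc/group//` opens with two backticks but closes with two slashes and a single backtick, so Sphinx will warn about an unterminated inline literal and render the raw markup. It should read ``/etc/group`` with the stray slashes removed, matching how the path is written in the other entries of this change.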

@ -1,7 +1,7 @@
---
id: V-38462
status: implemented
tag: misc
tag: package
---
All versions of Ubuntu and CentOS supported by the role verify packages against

@ -1,11 +1,9 @@
---
id: V-38463
status: exception
status: exception - initial provisioning
tag: misc
---
**Exception**
Configuring a separate partition for ``/var/log`` is currently left up to the
deployer. There are security and operational benefits that come from the
change, but it must be done when the system is initially installed.
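Review bot: ``tag: misc`` is left in place here while only the status is updated, although the commit message says every entry gets the right tag. The sibling partition notes V-38455 (``/tmp``) and V-38456 (``/var``) move to ``tag: boot`` in this same change, and V-38467 (separate partition for audit logs) gets ``tag: auditd``, so this ``/var/log`` entry and V-38473 (``/home``, further down, also still ``tag: misc``) should be retagged the same way.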

@ -1,7 +1,7 @@
---
id: V-38464
status: implemented
tag: misc
tag: auditd
---
The default configuration for ``disk_error_action`` is ``SUSPEND``, which

@ -1,11 +1,9 @@
---
id: V-38465
status: exception
tag: misc
tag: file_perms
---
**Exception**
Ubuntu 14.04, Ubuntu 16.04 and CentOS 7 set library files to have ``0755`` (or
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set library files to have ``0755`` (or
more restrictive) permissions by default. Deployers are urged to review the
permissions of libraries regularly to ensure the system has not been altered.

@ -1,11 +1,9 @@
---
id: V-38466
status: exception
tag: misc
tag: file_perms
---
**Exception**
As with V-38465, Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the ownership of
library files to root by default. Deployers are urged to configure monitoring
for changes to these files.

@ -1,10 +1,8 @@
---
id: V-38467
status: exception
tag: misc
status: exception - initial provisioning
tag: auditd
---
**Exception**
Storing audit logs on a separate partition is recommended, but this change
is left up to deployers to configure during the installation of the OS.

@ -1,7 +1,7 @@
---
id: V-38468
status: implemented
tag: misc
tag: auditd
---
The default configuration for ``disk_full_action`` is ``SUSPEND``, which only

@ -1,11 +1,9 @@
---
id: V-38469
status: exception
tag: misc
tag: file_perms
---
**Exception**
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the permissions for system
commands to ``0755`` or less already. Deployers are urged to review these
permissions for changes over time as they can be a sign of a compromise.

@ -1,7 +1,7 @@
---
id: V-38470
status: implemented
tag: misc
tag: auditd
---
The default configuration for ``security_space_left_action`` is ``SUSPEND``,

@ -1,10 +1,10 @@
---
id: V-38471
status: implemented
tag: misc
tag: auditd
---
An Ansible task will adjust ``active`` from `no` to `yes` in
An Ansible task will adjust ``active`` from ``no`` to ``yes`` in
``/etc/audisp/plugins.d/syslog.conf`` so that auditd records are forwarded to
syslog automatically. The auditd daemon will be restarted if the configuration
file is changed.

@ -1,11 +1,9 @@
---
id: V-38472
status: exception
tag: misc
tag: file_perms
---
**Exception**
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set system commands to be owned by
root by default. Deployers are urged to review ownership changes via auditd
rules to ensure system commands haven't changed ownership over time.

@ -1,10 +1,8 @@
---
id: V-38473
status: exception
status: exception - initial provisioning
tag: misc
---
**Exception**
Creating ``/home`` on a different partition is highly recommended but it is
left to deployers to configure during the installation of the OS.

@ -1,10 +1,8 @@
---
id: V-38474
status: exception
tag: misc
tag: x11
---
**Exception**
The openstack-ansible roles don't install X by default, so there is no
graphical desktop to configure.

@ -1,11 +1,9 @@
---
id: V-38475
status: implemented
tag: misc
status: configuration required
tag: auth
---
**Configuration required**
The STIG recommends passwords to be a minimum of 14 characters in length. To
apply this setting, set the following Ansible variable:

@ -1,7 +1,7 @@
---
id: V-38476
status: implemented
tag: misc
tag: package
---
The security role verifies that the GPG keys that correspond to each supported

@ -1,11 +1,9 @@
---
id: V-38477
status: implemented
tag: misc
status: configuration required
tag: auth
---
**Configuration required**
The STIG recommends setting a limit of one password change per day. To enable
this configuration, use this Ansible variable:

@ -1,11 +1,9 @@
---
id: V-38478
status: exception
tag: misc
tag: package
---
**Exception**
Ubuntu and CentOS do not use the Red Hat Network Service. However, there are
tasks in the security role which ensure that all packages have GPG checks
enabled (see V-38462) and provide the option for deployers to apply updates

@ -1,11 +1,9 @@
---
id: V-38479
status: implemented
tag: misc
status: configuration required
tag: auth
---
**Configuration required**
The STIG recommends setting a limit of 60 days before a password must
be changed. To enable this configuration, use this Ansible variable:

@ -1,11 +1,9 @@
---
id: V-38480
status: implemented
tag: misc
status: configuration required
tag: auth
---
**Configuration required**
After enabling password age limits in V-38479, be sure to configure
warnings for users so they know when their password is approaching expiration.
STIG's recommendation is seven days prior to the expiration. Use an Ansible

@ -1,11 +1,9 @@
---
id: V-38481
status: opt-in
tag: misc
tag: package
---
**Opt-in required**
Operating system patching policies vary from organization to organization and
are typically established based on business requirements and risk tolerance.

@ -1,11 +1,9 @@
---
id: V-38482
status: exception
tag: misc
tag: auth
---
**Exception**
Password complexity requirements are left up to the deployer. Deployers are
urged to rely on SSH keys as often as possible to avoid problems with
passwords.

@ -1,7 +1,7 @@
---
id: V-38483
status: implemented
tag: misc
tag: package
---
The Ansible task for V-38462 already checks for configurations that would

@ -1,7 +1,7 @@
---
id: V-38484
status: implemented
tag: misc
tag: package
---
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 already enable the display of the last

@ -4,8 +4,6 @@ status: exception
tag: misc
---
**Exception**
System backups are left to the deployer to configure. Deployers are stringly
urged to maintain backups of each system, including log files and critical
configuration information.
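Review bot: the typo "stringly" (for "strongly") in the context line "Deployers are stringly urged" survives this hunk, and ``tag: misc`` is left unchanged, although the commit message says this change corrects small errors in the deployer notes and retags every entry. Fix the spelling and pick a tag while this file is being touched. The second backups hunk below has the same two issues.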

@ -1,7 +1,7 @@
---
id: V-38487
status: implemented
tag: misc
tag: package
---
The Ansible task for V-38462 already checks for apt configurations that would

@ -4,8 +4,6 @@ status: exception
tag: misc
---
**Exception**
System backups are left to the deployer to configure. Deployers are stringly
urged to maintain backups of each system, including log files and critical
configuration information.

@ -1,7 +1,7 @@
---
id: V-38489
status: implemented
tag: misc
tag: aide
---
The security role installs and configures the ``aide`` package to provide file

@ -1,11 +1,9 @@
---
id: V-38490
status: exception
tag: misc
status: opt-in
tag: kernel
---
**Exception**
Disabling the ``usb-storage`` module can add extra security, but it's not
necessary on most systems. To disable the ``usb-storage`` module on hosts,
set the following variable to ``yes``:

@ -1,7 +1,7 @@
---
id: V-38491
status: implemented
tag: misc
tag: auth
---
The Ansible task will check for the presence of ``/etc/hosts.equiv`` and

@ -1,11 +1,9 @@
---
id: V-38492
status: exception
tag: misc
tag: auth
---
**Exception**
Virtual consoles are helpful during an emergency and they can only be reached
by physical or other out-of-band access (such as DRAC, iLO, or iKVM). This
change can be confusing for system administrators and it is left up to the

@ -1,7 +1,7 @@
---
id: V-38493
status: implemented
tag: misc
tag: auditd
---
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the mode of ``/var/log/audit/`` to

@ -1,11 +1,9 @@
---
id: V-38494
status: exception
tag: misc
tag: auth
---
**Exception**
Removing serial consoles from ``/etc/securetty`` can make troubleshooting
a server extremely difficult. Deployers are urged to use strong physical
security practices to prevent unauthorized users from gaining physical access

@ -1,7 +1,7 @@
---
id: V-38495
status: implemented
tag: misc
tag: auditd
---
The Ansible tasks will ensure that files in ``/var/log/audit`` are owned

@ -1,11 +1,9 @@
---
id: V-38496
status: exception
tag: misc
status: exception - manual intervention
tag: auth
---
**Exception**
The Ansible tasks will check for default system accounts (other than root)
that are not locked. The tasks won't take any action, however, because
any action could cause authorized users to be unable to access the system.

@ -1,7 +1,7 @@
---
id: V-38497
status: implemented
tag: misc
tag: auth
---
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 allow accounts with null passwords to

@ -1,7 +1,7 @@
---
id: V-38498
status: implemented
tag: misc
tag: auditd
---
Ubuntu and CentOS set the current audit log (the one that is actively being

@ -1,7 +1,7 @@
---
id: V-38499
status: implemented
tag: misc
tag: auth
---
The Ansible task will search for password hashes in ``/etc/passwd`` using

@ -1,7 +1,7 @@
---
id: V-38500
status: implemented
tag: misc
tag: auth
---
The Ansible tasks will search for accounts in ``/etc/passwd`` that have UID 0

@ -1,11 +1,9 @@
---
id: V-38501
status: exception
tag: misc
status: opt-in
tag: auth
---
**Exception and opt-in alternative**
Adjusting PAM configurations is very risky since it affects how all users
authenticate. In addition, ``pam_faillock.so`` isn't available in Ubuntu.
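Review bot: the removed heading described this entry as an exception with an opt-in alternative, and the body still states that ``pam_faillock.so`` is not available on Ubuntu, so a plain ``status: opt-in`` hides the fact that the opt-in cannot apply on one of the supported platforms. V-38453 introduces ``exception - ubuntu`` in this same change; consider that value, or a combined status, so the Ubuntu limitation stays visible in the metadata.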

@ -1,7 +1,7 @@
---
id: V-38502
status: implemented
tag: misc
tag: auth
---
The user and group ownership of ``/etc/passwd`` is root by default. The Ansible

@ -1,7 +1,7 @@
---
id: V-38503
status: implemented
tag: misc
tag: auth
---
The user and group ownership of ``/etc/passwd`` is root by default. The Ansible

@ -1,7 +1,7 @@
---
id: V-38504
status: implemented
tag: misc
tag: auth
---
Ubuntu 14.04 and Ubuntu 16.04 set the mode of ``/etc/shadow`` to ``0640``, but

@ -4,8 +4,6 @@ status: implemented
tag: misc
---
**Special Case**
Running virtual infrastructure requires IP forwarding to be enabled on various
interfaces. The STIG allows for this, so long as the system is being operated
as a router (as is the case for an OpenStack host).
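Review bot: ``tag: misc`` is kept here although the body is a kernel networking note (IP forwarding on an OpenStack host). The other sysctl-based entries in this change (V-38524, V-38535, V-38537) move to ``tag: kernel`` and the firewall notes (V-38512, V-38513) to ``tag: network``, so this entry should take one of those rather than staying the only untagged networking note.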

@ -1,11 +1,9 @@
---
id: V-38512
status: exception
tag: misc
tag: network
---
**Exception**
Although a minimal set of iptables rules are configured on openstack-ansible
hosts, the "deny all" requirement of the STIG is not met. This is largely left
up to the deployer to do, based on their assessment of their own network
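Review bot: V-38512 keeps ``status: exception`` while V-38513, whose body is word for word the same "deny all" note, changes to ``status: exception - manual intervention`` in the next hunk. The two should carry the same status; since both bodies say the work is left to the deployer, manual intervention fits both.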

@ -1,11 +1,9 @@
---
id: V-38513
status: exception
tag: misc
status: exception - manual intervention
tag: network
---
**Exception**
Although a minimal set of iptables rules are configured on openstack-ansible
hosts, the "deny all" requirement of the STIG is not met. This is largely left
up to the deployer to do, based on their assessment of their own network

@ -1,7 +1,7 @@
---
id: V-38514
status: implemented
tag: misc
tag: kernel
---
The Datagram Congestion Control Protocol (DCCP) must be disabled if it's not

@ -1,7 +1,7 @@
---
id: V-38515
status: implemented
tag: misc
tag: kernel
---
The Stream Control Transmission Protocol (SCTP) must be disabled. To opt-out of

@ -1,7 +1,7 @@
---
id: V-38516
status: implemented
tag: misc
tag: kernel
---
The `Reliable Datagram Sockets (RDS)`_ protocol must be disabled. The Ansible

@ -1,7 +1,7 @@
---
id: V-38517
status: implemented
tag: misc
tag: kernel
---
The `Transparent Inter-Process Communication (TIPC)`_ protocol must be

@ -1,11 +1,9 @@
---
id: V-38518
status: exception
tag: misc
tag: file_perms
---
**Exception**
Different systems may have different log files populated depending on the type
of data that ``rsyslogd`` receives. By default, log files are created with the
user and group ownership set to root.

@ -1,11 +1,9 @@
---
id: V-38519
status: exception
tag: misc
tag: file_perms
---
**Exception**
Different systems may have different log files populated depending on the type
of data that ``rsyslogd`` receives. By default, log files are created with the
user and group ownership set to root.

@ -1,11 +1,9 @@
---
id: V-38520
status: exception
tag: misc
status: exception - manual intervention
tag: log
---
**Exception**
At the moment, openstack-ansible already sends logs to the rsyslog container
from various containers and hosts. However, deployers are strongly urged
to forward these logs to a system outside their openstack-ansible environment

@ -1,11 +1,9 @@
---
id: V-38521
status: exception
tag: misc
status: exception - manual intervention
tag: log
---
**Exception**
At the moment, openstack-ansible already sends logs to the rsyslog container
from various containers and hosts. However, deployers are strongly urged
to forward these logs to a system outside their openstack-ansible environment

@ -1,11 +1,9 @@
---
id: V-38523
status: exception
tag: misc
tag: kernel
---
**Exception**
The STIG makes several requirements for IPv4 network restrictions, but these
restrictions can impact certain network interfaces and cause service
disruptions. Some security configurations make sense for certain types of

@ -1,15 +1,15 @@
---
id: V-38524
status: implemented
tag: misc
status: opt-in
tag: kernel
---
This patch disables ICMPv4 redirects feature on the host.
Accepting ICMP redirects has few legitimate uses.
It should be disabled unless it is absolutely required.
The STIG requires that ICMPv4 redirects are disabled on the host. However, this
can cause problems with LXC-based deployments, such as environments deployed
with OpenStack-Ansible.
It is configurable by ``security_disable_icmpv4_redirects`` variable.
This feature is disabled by default as it can disrupt ``LXC`` deployments.
Deployers can opt-in for this change by setting the following Ansible variable:
Deployers can skip or enable this task by setting
``security_disable_icmpv4_redirects`` to ``no`` or ``yes``, respectively.
.. code-block:: yaml
security_disable_icmpv4_redirects: yes
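Review bot: the new body removes the sentence saying the sysctl change is skipped by default and the one describing the ``no`` value, so the only remaining statement of the default is the ``opt-in`` status; keep one sentence stating that redirects are left untouched unless ``security_disable_icmpv4_redirects`` is set to ``yes``. Minor wording: "Deployers can opt-in for this change" should be "Deployers can opt in to this change" (the hyphenated form is the noun/adjective). The rationale here names LXC specifically while V-38526, the matching secure-redirects entry, says "virtualized or containerized environments"; aligning the two would help deployers see they are the same concern.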

@ -1,7 +1,7 @@
---
id: V-38525
status: implemented
tag: misc
tag: auditd
---
Rules are added for auditing changes to system time done via ``stime``.

@ -1,11 +1,9 @@
---
id: V-38526
status: opt-in
tag: misc
tag: kernel
---
**Opt-in required**
The STIG requires that secure ICMP redirects are disabled, but this can cause
issues in some virtualized or containerized environments. The Ansible tasks
in the security role will not disable these redirects by default.

@ -1,7 +1,7 @@
---
id: V-38527
status: implemented
tag: misc
tag: auditd
---
Rules are added for auditing changes to system time done via

@ -1,11 +1,9 @@
---
id: V-38528
status: exception
tag: misc
status: opt-in
tag: kernel
---
**Exception**
The STIG requires that all martian packets are logged by setting the sysctl
parameter ``net.ipv4.conf.all.log_martians`` to ``1``.

@ -1,11 +1,9 @@
---
id: V-38529
status: exception
tag: misc
tag: kernel
---
**Exception**
The STIG makes several requirements for IPv4 network restrictions, but these
restrictions can impact certain network interfaces and cause service
disruptions. Some security configurations make sense for certain types of

@ -1,7 +1,7 @@
---
id: V-38530
status: implemented
tag: misc
tag: auditd
---
Rules are added to auditd to log all attempts to change the system time using

@ -1,9 +1,7 @@
---
id: V-38531
status: exception
tag: misc
status: implemented
tag: auditd
---
**Exception**
The audit rules from V-38534 already cover all account modifications.

@ -1,11 +1,9 @@
---
id: V-38532
status: exception
tag: misc
tag: kernel
---
**Exception**
The STIG makes several requirements for IPv4 network restrictions, but these
restrictions can impact certain network interfaces and cause service
disruptions. Some security configurations make sense for certain types of

@ -1,11 +1,9 @@
---
id: V-38533
status: exception
tag: misc
tag: kernel
---
**Exception**
The STIG makes several requirements for IPv4 network restrictions, but these
restrictions can impact certain network interfaces and cause service
disruptions. Some security configurations make sense for certain types of

@ -1,7 +1,7 @@
---
id: V-38534
status: implemented
tag: misc
tag: auditd
---
Audit rules are added in a task so that any events associated with

@ -1,9 +1,9 @@
---
id: V-38535
status: implemented
tag: misc
tag: kernel
---
By default, Ubuntu 14.04 rejects ICMPv4 packets sent to a broadcast address.
The Ansible tasks for this STIG configuration ensures that the secure default
setting is maintained.
The Ansible tasks will ensure that ``net.ipv4.icmp_echo_ignore_broadcasts`` is
set to ``1``, which will cause the system to stop responding to ICMPv4 packets
sent to the broadcast address.

@ -1,9 +1,7 @@
---
id: V-38536
status: exception
tag: misc
status: implemented
tag: auditd
---
**Exception**
The audit rules from V-38534 already cover all account modifications.

@ -1,8 +1,9 @@
---
id: V-38537
status: implemented
tag: misc
tag: kernel
---
Ubuntu already ignores ICMPv4 bogus error messages by default. The role will
ensure that this default setting is maintained.
The Ansible tasks will ensure that
``net.ipv4.icmp_ignore_bogus_error_responses`` is set to ``1``. This prevents
a host from responding to bogus ICMPv4 error messages.

@ -1,9 +1,7 @@
---
id: V-38538
status: exception
tag: misc
status: implemented
tag: auditd
---
**Exception**
The audit rules from V-38534 already cover all account modifications.

@ -1,7 +1,7 @@
---
id: V-38539
status: implemented
tag: misc
tag: kernel
---
The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods.

@ -1,9 +1,7 @@
---
id: V-38540
status: implemented
tag: misc
tag: auditd
---
Rules are added for auditing network configuration changes. The path to
Ubuntu's standard network configuration location has replaced the path
to Red Hat's default network configuration location.
Rules are added that allows auditd to track network configuration changes.
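Review bot: the replacement sentence has a number agreement error: "Rules are added that allows auditd" should be "Rules are added that allow auditd". It also drops the only distribution-specific detail the old text carried (Ubuntu's network configuration path standing in for Red Hat's default location); since V-38541 directly below still opens with "For Ubuntu, rules are added ...", consider keeping a mention of which configuration paths the rules watch so the two entries stay consistent.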

@ -1,7 +1,7 @@
---
id: V-38541
status: implemented
tag: misc
tag: auditd
---
For Ubuntu, rules are added to auditd that will log any changes made in the

@ -1,11 +1,9 @@
---
id: V-38542
status: exception
tag: misc
tag: kernel
---
**Exception**
The STIG makes several requirements for IPv4 network restrictions, but these
restrictions can impact certain network interfaces and cause service
disruptions. Some security configurations make sense for certain types of

@ -1,11 +1,9 @@
---
id: V-38543
status: exception
tag: misc
status: opt-in
tag: auditd
---
**Exception**
The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat``
syscalls can cause high CPU and I/O load during OpenStack-Ansible deployments
and while updating packages with apt. By default, these rules are disabled.

@ -1,11 +1,9 @@
---
id: V-38544
status: exception
tag: misc
tag: kernel
---
**Exception**
The STIG makes several requirements for IPv4 network restrictions, but these
restrictions can impact certain network interfaces and cause service
disruptions. Some security configurations make sense for certain types of

@ -1,11 +1,9 @@
---
id: V-38545
status: exception
tag: misc
status: opt-in
tag: auditd
---
**Exception**
The audit rules for permission changes made with ``chown`` are disabled by
default as they can generate an excessive amount of logs in a short period of
time, especially during a deployment.

@ -1,11 +1,9 @@
---
id: V-38546
status: opt-in
tag: misc
tag: kernel
---
**Opt-in required**
The STIG requires IPv6 to be disabled system-wide unless it is needed for the
system to operate. Deployers must consider how their network is configured
before disabling IPv6 entirely.

@ -1,11 +1,9 @@
---
id: V-38547
status: exception
tag: misc
status: opt-in
tag: auditd
---
**Exception**
The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat``
syscalls can cause high CPU and I/O load during OpenStack-Ansible deployments
and while updating packages with apt. By default, these rules are disabled.
