Backport of package optimization

This patch is a backport of the package installation/removal work done in the ocata branch. It is a manual backport of: I1def033953b50be3911cd932fd17b10dd2c658b7 Change-Id: I6c74e45f6e8d3b344508c87d20f4cf4250f713a9
6 years ago · 4251bc5666
parent 5e8714cf03
commit 4251bc5666
15 changed files with 196 additions and 380 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -138,9 +138,11 @@ security_action_mail_acct: root                   # V-38680
 # and should only be set to 'single' for deployers in extremely high security
 # environments. Ubuntu's default is SUSPEND, which will suspend logging.
 # **IMMENENT DANGER**
-security_admin_space_left_action: SUSPEND                  # V-54381
+security_admin_space_left_action: SUSPEND         # V-54381

 ## Chrony (NTP) configuration
+# Install and enable chrony to sync time with NTP servers.
+security_enable_chrony: yes                       # V-38620
 # Adjust the following NTP servers if necessary.
 security_ntp_servers:
  - 0.north-america.pool.ntp.org
--- a/doc/metadata/rhel6/V-38620.rst
+++ b/doc/metadata/rhel6/V-38620.rst
@ -9,6 +9,13 @@ and to serve as an NTP server for NTP clients.  Chrony was chosen over ntpd
 because it's actively maintained and has some enhancements for virtualized
 environments.

+Deployers can opt out of the ``chrony`` installation by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+    security_enable_chrony: no
+
 There are two configurations available for users to adjust chrony's default
 configuration:

--- a/releasenotes/notes/chrony-config-variable-7a1a7862c05c9675.yaml
+++ b/releasenotes/notes/chrony-config-variable-7a1a7862c05c9675.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The installation of ``chrony`` is still enabled by default, but it is now
+    controlled by the ``security_enable_chrony`` variable.
--- a/tasks/aide.yml
+++ b/tasks/aide.yml
@ -13,29 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- name: V-38489 - Install AIDE (with apt)
-  apt:
-    name: "{{ item }}"
-    state: "{{ security_package_state }}"
-  with_items:
-    - aide
-    - aide-common
-  when: ansible_pkg_mgr == 'apt'
-  tags:
-    - aide
-    - cat2
-    - V-38489
-
- name: V-38489 - Install AIDE (with yum)
-  yum:
-    name: aide
-    state: "{{ security_package_state }}"
-  when: ansible_pkg_mgr == 'yum'
-  tags:
-    - aide
-    - cat2
-    - V-38489
-
 - name: Verify that AIDE configuration directory exists
  stat:
    path: /etc/aide/aide.conf.d
--- a/tasks/apt.yml
+++ b/tasks/apt.yml
@ -111,3 +111,35 @@
    - package
    - cat2
    - V-38481
+
+- name: Add or remove packages based on STIG requirements
+  apt:
+    name: |
+      {%- set pkg_list = [] %}
+      {%- for package_dict in item[1] %}
+      {%- if pkg_list.extend(package_dict.packages) %}{% endif %}
+      {%- endfor %}
+      {{ pkg_list }}
+    state: "{{ item[0] }}"
+  with_items:
+    - "{{ stig_packages | selectattr('enabled') | groupby('state') }}"
+  tags:
+    - cat1
+    - auth
+    - package
+    - services
+    - V-38439 # install: aide, aide-common
+    - V-38620 # install: chrony
+    - V-38624 # install: logrotate
+    - V-38631 # install: auditd_pkg
+    - V-38632 # install: auditd_pkg
+    - V-38637 # install: debsums
+    - V-38669 # install: postfix
+    - V-51337 # install: apparmor
+    - V-38583 # remove: xinetd
+    - V-38587 # remove: telnet-server
+    - V-38591 # remove: rsh-server
+    - V-38603 # remove: ypserv
+    - V-38606 # remove: tftp-server
+    - V-38627 # remove: openldap-servers
+    - V-38671 # remove: sendmail
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@ -13,28 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- name: V-38631/38632 - The operating system must produce audit records (install auditd with apt)
-  apt:
-    name: "{{ auditd_pkg }}"
-    state: "{{ security_package_state }}"
-  when: ansible_pkg_mgr == 'apt'
-  tags:
-    - auditd
-    - cat2
-    - V-38632
-    - V-38631
-
- name: V-38631/38632 - The operating system must produce audit records (install auditd with yum)
-  yum:
-    name: "{{ auditd_pkg }}"
-    state: "{{ security_package_state }}"
-  when: ansible_pkg_mgr == 'yum'
-  tags:
-    - auditd
-    - cat2
-    - V-38632
-    - V-38631
-
 - name: V-38631/38632 - The operating system must produce audit records (start auditd)
  service:
    name: auditd
@ -95,16 +73,6 @@
    - cat2
    - V-38636

- name: Ensure debsums package is installed (for V-38637)
-  apt:
-    name: debsums
-    state: "{{ security_package_state }}"
-  when: ansible_pkg_mgr == 'apt'
-  tags:
-    - auditd
-    - cat2
-    - V-38637
-
 # The debsums command returns 0 if the files haven't been altered but it
 # returns 2 otherwise. We also will check to see if auditd has been installed
 # and fail if it's not installed.
--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@ -182,81 +182,6 @@
    - cat2
    - V-38500

-# Opt-in required for fail2ban (see documentation and defaults/main.yml)
-# Ubuntu doesn't offer pam_faillock, but fail2ban provides a decent alternative
-# for ssh-based authentication. See the documentation for details.
- name: V-38501 - The system must disable accounts after excessive login failures (install fail2ban)
-  apt:
-    name: fail2ban
-    state: "{{ security_package_state }}"
-  when: security_install_fail2ban | bool
-  tags:
-    - auth
-    - cat2
-    - V-38501
-
-# Ban the offending IP for 15 minutes to meet the spirit of the STIG.
-# Yes, the bantime we want to modify has two spaces before the equal sign.
- name: V-38501 - The system must disable accounts after excessive login failures (configure fail2ban)
-  template:
-    src: jail.local.j2
-    dest: /etc/fail2ban/jail.d/jail.local
-  when: security_install_fail2ban | bool
-  notify:
-    - restart fail2ban
-  tags:
-    - auth
-    - cat2
-    - V-38501
-
- name: V-38591 - Remove rshd with apt
-  apt:
-    name: rsh-server
-    state: absent
-  when:
-    - ansible_pkg_mgr == 'apt'
-    - security_remove_rsh_server | bool
-  tags:
-    - auth
-    - cat1
-    - V-38591
-
- name: V-38591 - Remove rshd with yum
-  yum:
-    name: rsh-server
-    state: absent
-  when:
-    - ansible_pkg_mgr == 'yum'
-    - security_remove_rsh_server | bool
-  tags:
-    - auth
-    - cat1
-    - V-38591
-
- name: V-38587 - Remove telnet-server with apt
-  apt:
-    name: "{{ telnet_server_pkg }}"
-    state: absent
-  when:
-    - ansible_pkg_mgr == 'apt'
-    - security_remove_telnet_server | bool
-  tags:
-    - auth
-    - cat1
-    - V-38587
-
- name: V-38587 - Remove telnet-server with yum
-  yum:
-    name: "{{ telnet_server_pkg }}"
-    state: absent
-  when:
-    - ansible_pkg_mgr == 'yum'
-    - security_remove_telnet_server | bool
-  tags:
-    - auth
-    - cat1
-    - V-38587
-
 - name: Search /etc/passwd for password hashes (for V-38499)
  shell: "awk -F: '($2 != \"x\") {print}' /etc/passwd | wc -l"
  register: v38499_result
--- a/tasks/lsm.yml
+++ b/tasks/lsm.yml
@ -13,21 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- name: Install packages for AppArmor support (for V-51337)
-  apt:
-    name: "{{ item }}"
-    state: "{{ security_package_state }}"
-  with_items:
-    - apparmor
-    - apparmor-profiles
-    - apparmor-utils
-  when:
-    - ansible_os_family == "Debian"
-    - security_enable_linux_security_module | bool
-  tags:
-    - cat2
-    - V-51337
-
 - name: Ensure AppArmor is running (for V-51337)
  service:
    name: apparmor
@ -41,22 +26,6 @@
    - cat2
    - V-51337

- name: Install packages for SELinux support (for V-51337)
-  yum:
-    name: "{{ item }}"
-    state: "{{ security_package_state }}"
-  with_items:
-    - libselinux-python
-    - policycoreutils-python
-    - selinux-policy
-    - selinux-policy-targeted
-  when:
-    - ansible_os_family == "RedHat"
-    - security_enable_linux_security_module | bool
-  tags:
-    - cat2
-    - V-51337
-
 - name: Ensure SELinux is in enforcing mode on the next reboot (for V-51337)
  selinux:
    state: enforcing
--- a/tasks/mail.yml
+++ b/tasks/mail.yml
@ -13,26 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- name: V-38669 - The postfix service must be enabled for mail delivery (install postfix with apt)
-  apt:
-    name: postfix
-    state: "{{ security_package_state }}"
-  when: ansible_pkg_mgr == 'apt'
-  tags:
-    - mail
-    - cat3
-    - V-38669
-
- name: V-38669 - The postfix service must be enabled for mail delivery (install postfix with yum)
-  yum:
-    name: postfix
-    state: "{{ security_package_state }}"
-  when: ansible_pkg_mgr == 'yum'
-  tags:
-    - mail
-    - cat3
-    - V-38669
-
 - name: V-38669 - The postfix service must be enabled for mail delivery (enable postfix)
  service:
    name: postfix
--- a/tasks/misc.yml
+++ b/tasks/misc.yml
@ -40,30 +40,14 @@
    - cat2
    - V-38619

- name: V-38620 - Synchronize system clock (installing chrony with apt)
-  apt:
-    name: chrony
-    state: "{{ security_package_state }}"
-  when: ansible_pkg_mgr == 'apt'
-  tags:
-    - cat2
-    - V-38620
-
- name: V-38620 - Synchronize system clock (installing chrony with yum)
-  yum:
-    name: chrony
-    state: "{{ security_package_state }}"
-  when: ansible_pkg_mgr == 'yum'
-  tags:
-    - cat2
-    - V-38620
-
 - name: V-38620 - Synchronize system clock (enable chrony)
  service:
    name: "{{ chrony_service }}"
    state: started
    enabled: yes
-  when: not check_mode
+  when:
+    - not check_mode
+    - security_enable_chrony | bool
  tags:
    - cat2
    - V-38620
@ -80,35 +64,15 @@
  template:
    src: chrony.conf.j2
    dest: /etc/chrony/chrony.conf
-  when: chrony_conf.stat.exists | bool
+  when:
+    - not check_mode
+    - security_enable_chrony | bool
  notify:
    - restart chrony
  tags:
    - cat2
    - V-38620

-# The STIG only requires that logrotate is installed and configured in cron.
-# The openstack-ansible project will configure logs to be rotated weekly and
-# compressed with each run. We won't change the interval here, but we will
-# ensure that logrotate is installed (to meet the STIG requirement).
- name: V-38624 - System logs must be rotated daily (install logrotate with apt)
-  apt:
-    name: logrotate
-    state: "{{ security_package_state }}"
-  when: ansible_pkg_mgr == 'apt'
-  tags:
-    - cat3
-    - V-38624
-
- name: V-38624 - System logs must be rotated daily (install logrotate with yum)
-  yum:
-    name: logrotate
-    state: "{{ security_package_state }}"
-  when: ansible_pkg_mgr == 'yum'
-  tags:
-    - cat3
-    - V-38624
-
 - name: Check for logrotate cron job (for V-38624)
  stat:
    path: /etc/cron.daily/logrotate
--- a/tasks/rpm.yml
+++ b/tasks/rpm.yml
@ -86,16 +86,6 @@
    - cat1
    - V-38462

- name: V-38481 - Install yum-cron for automatic updates
-  yum:
-    name: yum-cron
-    state: "{{ security_package_state }}"
-  when: security_unattended_upgrades_enabled | bool
-  tags:
-    - package
-    - cat2
-    - V-38481
-
 - name: V-38481 - System security patches and updates must be installed and up-to-date
  lineinfile:
    dest: /etc/yum/yum-cron.conf
@ -107,3 +97,34 @@
    - package
    - cat2
    - V-38481
+
+- name: Add or remove packages based on STIG requirements
+  yum:
+    name: |
+      {%- set pkg_list = [] %}
+      {%- for package_dict in item[1] %}
+      {%- if pkg_list.extend(package_dict.packages) %}{% endif %}
+      {%- endfor %}
+      {{ pkg_list }}
+    state: "{{ item[0] }}"
+  with_items:
+    - "{{ stig_packages | selectattr('enabled') | groupby('state') }}"
+  tags:
+    - cat1
+    - auth
+    - services
+    - V-38439 # install: aide, aide-common
+    - V-38481 # install: yum-cron
+    - V-38620 # install: chrony
+    - V-38624 # install: logrotate
+    - V-38631 # install: auditd_pkg
+    - V-38632 # install: auditd_pkg
+    - V-38669 # install: postfix
+    - V-51337 # install: SELinux
+    - V-38583 # remove: xinetd
+    - V-38587 # remove: telnet-server
+    - V-38591 # remove: rsh-server
+    - V-38603 # remove: ypserv
+    - V-38606 # remove: tftp-server
+    - V-38627 # remove: openldap-servers
+    - V-38671 # remove: sendmail
--- a/tasks/services.yml
+++ b/tasks/services.yml
@ -117,55 +117,6 @@
    - cat2
    - V-38582

- name: V-38584 - xinetd must be uninstalled if not in use (apt)
-  apt:
-    name: xinetd
-    state: absent
-  when:
-    - ansible_pkg_mgr == 'apt'
-    - security_remove_xinetd | bool
-  tags:
-    - services
-    - cat3
-    - V-38584
-
- name: V-38584 - xinetd must be uninstalled if not in use (yum)
-  yum:
-    name: xinetd
-    state: absent
-  when:
-    - ansible_pkg_mgr == 'yum'
-    - security_remove_xinetd | bool
-  tags:
-    - services
-    - cat3
-    - V-38584
-
-# Ubuntu's equivalent of Red Hat's ypserv package is 'nis'
- name: V-38603 - Remove ypserv package with apt
-  apt:
-    name: "{{ ypserv_pkg }}"
-    state: absent
-  when:
-    - ansible_pkg_mgr == 'apt'
-    - security_remove_ypserv | bool
-  tags:
-    - services
-    - cat2
-    - V-38603
-
- name: V-38603 - Remove ypserv package with yum
-  yum:
-    name: "{{ ypserv_pkg }}"
-    state: absent
-  when:
-    - ansible_pkg_mgr == 'yum'
-    - security_remove_ypserv | bool
-  tags:
-    - services
-    - cat2
-    - V-38603
-
 - name: V-38605 - The cron service must be running
  service:
    name: "{{ cron_service }}"
@ -176,30 +127,6 @@
    - cat2
    - V-38605

- name: V-38606 - The tftp-server package must not be installed unless required (apt)
-  apt:
-    name: "{{ tftp_pkg }}"
-    state: absent
-  when:
-    - ansible_pkg_mgr == 'apt'
-    - security_remove_tftp_server | bool
-  tags:
-    - services
-    - cat2
-    - V-38606
-
- name: V-38606 - The tftp-server package must not be installed unless required (yum)
-  yum:
-    name: "{{ tftp_pkg }}"
-    state: absent
-  when:
-    - ansible_pkg_mgr == 'yum'
-    - security_remove_tftp_server | bool
-  tags:
-    - services
-    - cat2
-    - V-38606
-
 - name: V-38618 - avahi must be disabled
  service:
    name: avahi-daemon
@ -213,30 +140,6 @@
    - cat3
    - V-38618

- name: V-38627 - Remove LDAP servers unless required (apt)
-  apt:
-    name: "{{ ldap_server_pkg }}"
-    state: absent
-  when:
-    - ansible_pkg_mgr == 'apt'
-    - security_remove_ldap_server | bool
-  tags:
-    - services
-    - cat3
-    - V-38627
-
- name: V-38627 - Remove LDAP servers unless required (yum)
-  yum:
-    name: "{{ ldap_server_pkg }}"
-    state: absent
-  when:
-    - ansible_pkg_mgr == 'yum'
-    - security_remove_ldap_server | bool
-  tags:
-    - services
-    - cat3
-    - V-38627
-
 - name: V-38650 - rdisc must be disabled
  service:
    name: rdisc
@ -250,30 +153,6 @@
    - cat3
    - V-38650

- name: V-38671 - Remove sendmail with apt
-  apt:
-    name: sendmail
-    state: absent
-  when:
-    - ansible_pkg_mgr == 'apt'
-    - security_remove_sendmail | bool
-  tags:
-    - services
-    - cat2
-    - V-38671
-
- name: V-38671 - Remove sendmail with yum
-  yum:
-    name: sendmail
-    state: absent
-  when:
-    - ansible_pkg_mgr == 'yum'
-    - security_remove_sendmail | bool
-  tags:
-    - services
-    - cat2
-    - V-38671
-
 - name: V-38672 - netconsole must be disabled
  service:
    name: netconsole
@ -286,27 +165,3 @@
    - services
    - cat3
    - V-38672
-
- name: V-38676 - The X windows package must not be installed (apt)
-  apt:
-    name: "{{ xserver_pkg }}"
-    state: absent
-  when:
-    - ansible_pkg_mgr == 'apt'
-    - security_remove_xorg | bool
-  tags:
-    - services
-    - cat3
-    - V-38676
-
- name: V-38676 - The X windows package must not be installed (yum)
-  yum:
-    name: "{{ xserver_pkg }}"
-    state: absent
-  when:
-    - ansible_pkg_mgr == 'yum'
-    - security_remove_xorg | bool
-  tags:
-    - services
-    - cat3
-    - V-38676
--- a/tox.ini
+++ b/tox.ini
@ -117,7 +117,7 @@ setenv =
    #                https://review.openstack.org/354819 merges.
    # NOTE(mhayden): Skipping V-38620 since chrony cannot start with ntpd
    #                running in the gate images.
-    ANSIBLE_PARAMETERS=--skip-tags V-38462,V-38660,V-38620
+    ANSIBLE_PARAMETERS=--skip-tags V-38462,V-38660 -e security_enable_chrony=no
 commands =
    {[testenv:tests_clone]commands}
    bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@ -36,3 +36,58 @@ chrony_service: chronyd

 # Commands
 grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf"
+
+# RHEL 6 STIG: Packages to add/remove
+stig_packages:
+  - packages:
+      - audit
+      - audispd-plugins
+      - aide
+      - chrony
+      - logrotate
+      - postfix
+    state: "{{ security_package_state }}"
+    enabled: True
+  - packages:
+      - libselinux-python
+      - policycoreutils-python
+      - selinux-policy
+      - selinux-policy-targeted
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_enable_linux_security_module }}"
+  - packages:
+      - yum-cron
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_unattended_upgrades_enabled }}"
+  - packages:
+      - xinetd
+    state: absent
+    enabled: "{{ security_remove_xinetd }}"
+  - packages:
+      - ypserv
+    state: absent
+    enabled: "{{ security_remove_ypserv }}"
+  - packages:
+      - tftp-server
+    state: absent
+    enabled: "{{ security_remove_tftp_server }}"
+  - packages:
+      - openldap-servers
+    state: absent
+    enabled: "{{ security_remove_ldap_server }}"
+  - packages:
+      - sendmail
+    state: absent
+    enabled: "{{ security_remove_sendmail }}"
+  - packages:
+      - xorg-x11-server-Xorg
+    state: absent
+    enabled: "{{ security_remove_xorg }}"
+  - packages:
+      - rsh-server
+    state: absent
+    enabled: "{{ security_remove_rsh_server }}"
+  - packages:
+      - telnet-server
+    state: absent
+    enabled: "{{ security_remove_telnet_server }}"
--- a/vars/ubuntu.yml
+++ b/vars/ubuntu.yml
@ -39,3 +39,59 @@ chrony_service: chrony

 # Commands
 grub_update_cmd: "update-grub"
+
+# RHEL 6 STIG: Packages to add/remove
+stig_packages:
+  - packages:
+      - auditd
+      - audispd-plugins
+      - aide
+      - aide-common
+      - chrony
+      - debsums
+      - logrotate
+      - postfix
+    state: "{{ security_package_state }}"
+    enabled: True
+  - packages:
+      - apparmor
+      - apparmor-profiles
+      - apparmor-utils
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_enable_linux_security_module }}"
+  - packages:
+      - fail2ban
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_install_fail2ban }}"
+  - packages:
+      - xinetd
+    state: absent
+    enabled: "{{ security_remove_xinetd }}"
+  - packages:
+      - nis
+    state: absent
+    enabled: "{{ security_remove_ypserv }}"
+  - packages:
+      - tftpd
+    state: absent
+    enabled: "{{ security_remove_tftp_server }}"
+  - packages:
+      - slapd
+    state: absent
+    enabled: "{{ security_remove_ldap_server }}"
+  - packages:
+      - sendmail
+    state: absent
+    enabled: "{{ security_remove_sendmail }}"
+  - packages:
+      - xorg-xserver
+    state: absent
+    enabled: "{{ security_remove_xorg }}"
+  - packages:
+      - rsh-server
+    state: absent
+    enabled: "{{ security_remove_rsh_server }}"
+  - packages:
+      - telnetd
+    state: absent
+    enabled: "{{ security_remove_telnet_server }}"