From 4251bc56660a7aa913f49064cc499f1307bdf6f7 Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Fri, 18 Nov 2016 09:59:00 -0600 Subject: [PATCH] Backport of package optimization This patch is a backport of the package installation/removal work done in the ocata branch. It is a manual backport of: I1def033953b50be3911cd932fd17b10dd2c658b7 Change-Id: I6c74e45f6e8d3b344508c87d20f4cf4250f713a9 --- defaults/main.yml | 4 +- doc/metadata/rhel6/V-38620.rst | 7 + ...rony-config-variable-7a1a7862c05c9675.yaml | 5 + tasks/aide.yml | 23 --- tasks/apt.yml | 32 ++++ tasks/auditd.yml | 32 ---- tasks/auth.yml | 75 --------- tasks/lsm.yml | 31 ---- tasks/mail.yml | 20 --- tasks/misc.yml | 48 +----- tasks/rpm.yml | 41 +++-- tasks/services.yml | 145 ------------------ tox.ini | 2 +- vars/redhat.yml | 55 +++++++ vars/ubuntu.yml | 56 +++++++ 15 files changed, 196 insertions(+), 380 deletions(-) create mode 100644 releasenotes/notes/chrony-config-variable-7a1a7862c05c9675.yaml diff --git a/defaults/main.yml b/defaults/main.yml index edc26611..fb279f01 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -138,9 +138,11 @@ security_action_mail_acct: root # V-38680 # and should only be set to 'single' for deployers in extremely high security # environments. Ubuntu's default is SUSPEND, which will suspend logging. # **IMMENENT DANGER** -security_admin_space_left_action: SUSPEND # V-54381 +security_admin_space_left_action: SUSPEND # V-54381 ## Chrony (NTP) configuration +# Install and enable chrony to sync time with NTP servers. +security_enable_chrony: yes # V-38620 # Adjust the following NTP servers if necessary. security_ntp_servers: - 0.north-america.pool.ntp.org diff --git a/doc/metadata/rhel6/V-38620.rst b/doc/metadata/rhel6/V-38620.rst index ab716357..26048841 100644 --- a/doc/metadata/rhel6/V-38620.rst +++ b/doc/metadata/rhel6/V-38620.rst 
@@ -9,6 +9,13 @@ and to serve as an NTP server for NTP clients. Chrony was chosen over ntpd because it's actively maintained and has some enhancements for virtualized environments. +Deployers can opt out of the ``chrony`` installation by setting the following +Ansible variable: + +.. code-block:: yaml + + security_enable_chrony: no + There are two configurations available for users to adjust chrony's default configuration: diff --git a/releasenotes/notes/chrony-config-variable-7a1a7862c05c9675.yaml b/releasenotes/notes/chrony-config-variable-7a1a7862c05c9675.yaml new file mode 100644 index 00000000..9677b7e0 --- /dev/null +++ b/releasenotes/notes/chrony-config-variable-7a1a7862c05c9675.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + The installation of ``chrony`` is still enabled by default, but it is now + controlled by the ``security_enable_chrony`` variable. diff --git a/tasks/aide.yml b/tasks/aide.yml index 6eb2adcc..b319346f 100644 --- a/tasks/aide.yml +++ b/tasks/aide.yml @@ -13,29 +13,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: V-38489 - Install AIDE (with apt) - apt: - name: "{{ item }}" - state: "{{ security_package_state }}" - with_items: - - aide - - aide-common - when: ansible_pkg_mgr == 'apt' - tags: - - aide - - cat2 - - V-38489 - -- name: V-38489 - Install AIDE (with yum) - yum: - name: aide - state: "{{ security_package_state }}" - when: ansible_pkg_mgr == 'yum' - tags: - - aide - - cat2 - - V-38489 - - name: Verify that AIDE configuration directory exists stat: path: /etc/aide/aide.conf.d diff --git a/tasks/apt.yml b/tasks/apt.yml index 18b875af..7e231aaa 100644 --- a/tasks/apt.yml +++ b/tasks/apt.yml 
@@ -111,3 +111,35 @@ - package - cat2 - V-38481 + +- name: Add or remove packages based on STIG requirements + apt: + name: | + {%- set pkg_list = [] %} + {%- for package_dict in item[1] %} + {%- if pkg_list.extend(package_dict.packages) %}{% endif %} + {%- endfor %} + {{ pkg_list }} + state: "{{ item[0] }}" + with_items: + - "{{ stig_packages | selectattr('enabled') | groupby('state') }}" + tags: + - cat1 + - auth + - package + - services + - V-38439 # install: aide, aide-common + - V-38620 # install: chrony + - V-38624 # install: logrotate + - V-38631 # install: auditd_pkg + - V-38632 # install: auditd_pkg + - V-38637 # install: debsums + - V-38669 # install: postfix + - V-51337 # install: apparmor + - V-38583 # remove: xinetd + - V-38587 # remove: telnet-server + - V-38591 # remove: rsh-server + - V-38603 # remove: ypserv + - V-38606 # remove: tftp-server + - V-38627 # remove: openldap-servers + - V-38671 # remove: sendmail diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 10895554..76b9bf4a 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -13,28 +13,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: V-38631/38632 - The operating system must produce audit records (install auditd with apt) - apt: - name: "{{ auditd_pkg }}" - state: "{{ security_package_state }}" - when: ansible_pkg_mgr == 'apt' - tags: - - auditd - - cat2 - - V-38632 - - V-38631 - -- name: V-38631/38632 - The operating system must produce audit records (install auditd with yum) - yum: - name: "{{ auditd_pkg }}" - state: "{{ security_package_state }}" - when: ansible_pkg_mgr == 'yum' - tags: - - auditd - - cat2 - - V-38632 - - V-38631 - - name: V-38631/38632 - The operating system must produce audit records (start auditd) service: name: auditd 
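Review bot: The tag list on the new "Add or remove packages" task in apt.yml does not match the tasks it replaces, so tag-based runs silently change scope: the AIDE install it absorbs was tagged `V-38489` (tasks/aide.yml) but is listed here as `V-38439`, the xinetd removal was `V-38584` (tasks/services.yml) but is listed as `V-38583`, and `V-38676` (xorg) and `V-38501` (fail2ban) are absent even though both packages are in `stig_packages`. The severity tags also collapse to `cat1` alone, whereas the replaced tasks carried `cat2`/`cat3`, so `--tags cat2` no longer installs auditd or chrony and `--skip-tags cat1` now skips every package. I would correct the entries to `- V-38489 # install: aide, aide-common`, `- V-38584 # remove: xinetd`, add `- V-38676 # remove: xorg` and `- V-38501 # install: fail2ban`, and add `- cat2` and `- cat3` next to `- cat1`.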
@@ -95,16 +73,6 @@ - cat2 - V-38636 -- name: Ensure debsums package is installed (for V-38637) - apt: - name: debsums - state: "{{ security_package_state }}" - when: ansible_pkg_mgr == 'apt' - tags: - - auditd - - cat2 - - V-38637 - # The debsums command returns 0 if the files haven't been altered but it # returns 2 otherwise. We also will check to see if auditd has been installed # and fail if it's not installed. diff --git a/tasks/auth.yml b/tasks/auth.yml index d12a0575..3ea26649 100644 --- a/tasks/auth.yml +++ b/tasks/auth.yml 
@@ -182,81 +182,6 @@ - cat2 - V-38500 -# Opt-in required for fail2ban (see documentation and defaults/main.yml) -# Ubuntu doesn't offer pam_faillock, but fail2ban provides a decent alternative -# for ssh-based authentication. See the documentation for details. -- name: V-38501 - The system must disable accounts after excessive login failures (install fail2ban) - apt: - name: fail2ban - state: "{{ security_package_state }}" - when: security_install_fail2ban | bool - tags: - - auth - - cat2 - - V-38501 - -# Ban the offending IP for 15 minutes to meet the spirit of the STIG. -# Yes, the bantime we want to modify has two spaces before the equal sign. -- name: V-38501 - The system must disable accounts after excessive login failures (configure fail2ban) - template: - src: jail.local.j2 - dest: /etc/fail2ban/jail.d/jail.local - when: security_install_fail2ban | bool - notify: - - restart fail2ban - tags: - - auth - - cat2 - - V-38501 - -- name: V-38591 - Remove rshd with apt - apt: - name: rsh-server - state: absent - when: - - ansible_pkg_mgr == 'apt' - - security_remove_rsh_server | bool - tags: - - auth - - cat1 - - V-38591 - -- name: V-38591 - Remove rshd with yum - yum: - name: rsh-server - state: absent - when: - - ansible_pkg_mgr == 'yum' - - security_remove_rsh_server | bool - tags: - - auth - - cat1 - - V-38591 - -- name: V-38587 - Remove telnet-server with apt - apt: - name: "{{ telnet_server_pkg }}" - state: absent - when: - - ansible_pkg_mgr == 'apt' - - security_remove_telnet_server | bool - tags: - - auth - - cat1 - - V-38587 - -- name: V-38587 - Remove telnet-server with yum - yum: - name: "{{ telnet_server_pkg }}" - state: absent - when: - - ansible_pkg_mgr == 'yum' - - security_remove_telnet_server | bool - tags: - - auth - - cat1 - - V-38587 - - name: Search /etc/passwd for password hashes (for V-38499) shell: "awk -F: '($2 != \"x\") {print}' /etc/passwd | wc -l" register: v38499_result 
diff --git a/tasks/lsm.yml b/tasks/lsm.yml index b7034911..f3832b0d 100644 --- a/tasks/lsm.yml +++ b/tasks/lsm.yml @@ -13,21 +13,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: Install packages for AppArmor support (for V-51337) - apt: - name: "{{ item }}" - state: "{{ security_package_state }}" - with_items: - - apparmor - - apparmor-profiles - - apparmor-utils - when: - - ansible_os_family == "Debian" - - security_enable_linux_security_module | bool - tags: - - cat2 - - V-51337 - - name: Ensure AppArmor is running (for V-51337) service: name: apparmor @@ -41,22 +26,6 @@ - cat2 - V-51337 -- name: Install packages for SELinux support (for V-51337) - yum: - name: "{{ item }}" - state: "{{ security_package_state }}" - with_items: - - libselinux-python - - policycoreutils-python - - selinux-policy - - selinux-policy-targeted - when: - - ansible_os_family == "RedHat" - - security_enable_linux_security_module | bool - tags: - - cat2 - - V-51337 - - name: Ensure SELinux is in enforcing mode on the next reboot (for V-51337) selinux: state: enforcing diff --git a/tasks/mail.yml b/tasks/mail.yml index 7f7255f0..dc00bcee 100644 --- a/tasks/mail.yml +++ b/tasks/mail.yml @@ -13,26 +13,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: V-38669 - The postfix service must be enabled for mail delivery (install postfix with apt) - apt: - name: postfix - state: "{{ security_package_state }}" - when: ansible_pkg_mgr == 'apt' - tags: - - mail - - cat3 - - V-38669 - -- name: V-38669 - The postfix service must be enabled for mail delivery (install postfix with yum) - yum: - name: postfix - state: "{{ security_package_state }}" - when: ansible_pkg_mgr == 'yum' - tags: - - mail - - cat3 - - V-38669 - - name: V-38669 - The postfix service must be enabled for mail delivery (enable postfix) service: name: postfix 
diff --git a/tasks/misc.yml b/tasks/misc.yml index 62f9bda4..f610b7dc 100644 --- a/tasks/misc.yml +++ b/tasks/misc.yml @@ -40,30 +40,14 @@ - cat2 - V-38619 -- name: V-38620 - Synchronize system clock (installing chrony with apt) - apt: - name: chrony - state: "{{ security_package_state }}" - when: ansible_pkg_mgr == 'apt' - tags: - - cat2 - - V-38620 - -- name: V-38620 - Synchronize system clock (installing chrony with yum) - yum: - name: chrony - state: "{{ security_package_state }}" - when: ansible_pkg_mgr == 'yum' - tags: - - cat2 - - V-38620 - - name: V-38620 - Synchronize system clock (enable chrony) service: name: "{{ chrony_service }}" state: started enabled: yes - when: not check_mode + when: + - not check_mode + - security_enable_chrony | bool tags: - cat2 - V-38620 @@ -80,35 +64,15 @@ template: src: chrony.conf.j2 dest: /etc/chrony/chrony.conf - when: chrony_conf.stat.exists | bool + when: + - not check_mode + - security_enable_chrony | bool notify: - restart chrony tags: - cat2 - V-38620 -# The STIG only requires that logrotate is installed and configured in cron. -# The openstack-ansible project will configure logs to be rotated weekly and -# compressed with each run. We won't change the interval here, but we will -# ensure that logrotate is installed (to meet the STIG requirement). -- name: V-38624 - System logs must be rotated daily (install logrotate with apt) - apt: - name: logrotate - state: "{{ security_package_state }}" - when: ansible_pkg_mgr == 'apt' - tags: - - cat3 - - V-38624 - -- name: V-38624 - System logs must be rotated daily (install logrotate with yum) - yum: - name: logrotate - state: "{{ security_package_state }}" - when: ansible_pkg_mgr == 'yum' - tags: - - cat3 - - V-38624 - - name: Check for logrotate cron job (for V-38624) stat: path: /etc/cron.daily/logrotate diff --git a/tasks/rpm.yml b/tasks/rpm.yml index 04d74858..d04d53f9 100644 --- a/tasks/rpm.yml +++ b/tasks/rpm.yml 
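Review bot: The chrony.conf template task in the second misc.yml hunk drops its `chrony_conf.stat.exists | bool` condition while keeping `dest: /etc/chrony/chrony.conf`; the stat task that registers `chrony_conf` sits outside this hunk, but it presumably guarded hosts whose chrony configuration lives elsewhere (no `/etc/chrony/` directory), and on those hosts the template module will now either fail on the missing directory or write a file the daemon never reads. The two new conditions are fine, but the old one should stay alongside them: `- chrony_conf.stat.exists | bool`. If the intent was to always manage the file, the stat task and this condition should be replaced together rather than the guard silently removed.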
@@ -86,16 +86,6 @@ - cat1 - V-38462 -- name: V-38481 - Install yum-cron for automatic updates - yum: - name: yum-cron - state: "{{ security_package_state }}" - when: security_unattended_upgrades_enabled | bool - tags: - - package - - cat2 - - V-38481 - - name: V-38481 - System security patches and updates must be installed and up-to-date lineinfile: dest: /etc/yum/yum-cron.conf @@ -107,3 +97,34 @@ - package - cat2 - V-38481 + +- name: Add or remove packages based on STIG requirements + yum: + name: | + {%- set pkg_list = [] %} + {%- for package_dict in item[1] %} + {%- if pkg_list.extend(package_dict.packages) %}{% endif %} + {%- endfor %} + {{ pkg_list }} + state: "{{ item[0] }}" + with_items: + - "{{ stig_packages | selectattr('enabled') | groupby('state') }}" + tags: + - cat1 + - auth + - services + - V-38439 # install: aide, aide-common + - V-38481 # install: yum-cron + - V-38620 # install: chrony + - V-38624 # install: logrotate + - V-38631 # install: auditd_pkg + - V-38632 # install: auditd_pkg + - V-38669 # install: postfix + - V-51337 # install: SELinux + - V-38583 # remove: xinetd + - V-38587 # remove: telnet-server + - V-38591 # remove: rsh-server + - V-38603 # remove: ypserv + - V-38606 # remove: tftp-server + - V-38627 # remove: openldap-servers + - V-38671 # remove: sendmail diff --git a/tasks/services.yml b/tasks/services.yml index 6048c376..0d7e1863 100644 --- a/tasks/services.yml +++ b/tasks/services.yml 
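Review bot: The combined yum task in the second rpm.yml hunk is appended after the `V-38481` lineinfile task on `/etc/yum/yum-cron.conf`, whereas the yum-cron install it replaces ran before that task; on a host that does not yet have yum-cron, the lineinfile now executes before the package exists and, unless it sets `create: yes` (not visible in this hunk), fails on the missing file. Moving the package task above the yum-cron configuration restores the old ordering. The tag set here also drops `package`, which the apt counterpart keeps and the removed yum-cron task carried, so `--tags package` no longer installs yum-cron on RHEL; and `V-38439` should read `V-38489` to match the AIDE task it absorbs.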
@@ -117,55 +117,6 @@ - cat2 - V-38582 -- name: V-38584 - xinetd must be uninstalled if not in use (apt) - apt: - name: xinetd - state: absent - when: - - ansible_pkg_mgr == 'apt' - - security_remove_xinetd | bool - tags: - - services - - cat3 - - V-38584 - -- name: V-38584 - xinetd must be uninstalled if not in use (yum) - yum: - name: xinetd - state: absent - when: - - ansible_pkg_mgr == 'yum' - - security_remove_xinetd | bool - tags: - - services - - cat3 - - V-38584 - -# Ubuntu's equivalent of Red Hat's ypserv package is 'nis' -- name: V-38603 - Remove ypserv package with apt - apt: - name: "{{ ypserv_pkg }}" - state: absent - when: - - ansible_pkg_mgr == 'apt' - - security_remove_ypserv | bool - tags: - - services - - cat2 - - V-38603 - -- name: V-38603 - Remove ypserv package with yum - yum: - name: "{{ ypserv_pkg }}" - state: absent - when: - - ansible_pkg_mgr == 'yum' - - security_remove_ypserv | bool - tags: - - services - - cat2 - - V-38603 - - name: V-38605 - The cron service must be running service: name: "{{ cron_service }}" @@ -176,30 +127,6 @@ - cat2 - V-38605 -- name: V-38606 - The tftp-server package must not be installed unless required (apt) - apt: - name: "{{ tftp_pkg }}" - state: absent - when: - - ansible_pkg_mgr == 'apt' - - security_remove_tftp_server | bool - tags: - - services - - cat2 - - V-38606 - -- name: V-38606 - The tftp-server package must not be installed unless required (yum) - yum: - name: "{{ tftp_pkg }}" - state: absent - when: - - ansible_pkg_mgr == 'yum' - - security_remove_tftp_server | bool - tags: - - services - - cat2 - - V-38606 - - name: V-38618 - avahi must be disabled service: name: avahi-daemon 
@@ -213,30 +140,6 @@ - cat3 - V-38618 -- name: V-38627 - Remove LDAP servers unless required (apt) - apt: - name: "{{ ldap_server_pkg }}" - state: absent - when: - - ansible_pkg_mgr == 'apt' - - security_remove_ldap_server | bool - tags: - - services - - cat3 - - V-38627 - -- name: V-38627 - Remove LDAP servers unless required (yum) - yum: - name: "{{ ldap_server_pkg }}" - state: absent - when: - - ansible_pkg_mgr == 'yum' - - security_remove_ldap_server | bool - tags: - - services - - cat3 - - V-38627 - - name: V-38650 - rdisc must be disabled service: name: rdisc @@ -250,30 +153,6 @@ - cat3 - V-38650 -- name: V-38671 - Remove sendmail with apt - apt: - name: sendmail - state: absent - when: - - ansible_pkg_mgr == 'apt' - - security_remove_sendmail | bool - tags: - - services - - cat2 - - V-38671 - -- name: V-38671 - Remove sendmail with yum - yum: - name: sendmail - state: absent - when: - - ansible_pkg_mgr == 'yum' - - security_remove_sendmail | bool - tags: - - services - - cat2 - - V-38671 - - name: V-38672 - netconsole must be disabled service: name: netconsole @@ -286,27 +165,3 @@ - services - cat3 - V-38672 - -- name: V-38676 - The X windows package must not be installed (apt) - apt: - name: "{{ xserver_pkg }}" - state: absent - when: - - ansible_pkg_mgr == 'apt' - - security_remove_xorg | bool - tags: - - services - - cat3 - - V-38676 - -- name: V-38676 - The X windows package must not be installed (yum) - yum: - name: "{{ xserver_pkg }}" - state: absent - when: - - ansible_pkg_mgr == 'yum' - - security_remove_xorg | bool - tags: - - services - - cat3 - - V-38676 diff --git a/tox.ini b/tox.ini index 8f62abb5..5e733724 100644 --- a/tox.ini +++ b/tox.ini 
@@ -117,7 +117,7 @@ setenv = # https://review.openstack.org/354819 merges. # NOTE(mhayden): Skipping V-38620 since chrony cannot start with ntpd # running in the gate images. - ANSIBLE_PARAMETERS=--skip-tags V-38462,V-38660,V-38620 + ANSIBLE_PARAMETERS=--skip-tags V-38462,V-38660 -e security_enable_chrony=no commands = {[testenv:tests_clone]commands} bash -c "{toxinidir}/tests/common/test-ansible-functional.sh" diff --git a/vars/redhat.yml b/vars/redhat.yml index ac294625..5948c456 100644 --- a/vars/redhat.yml +++ b/vars/redhat.yml @@ -36,3 +36,58 @@ chrony_service: chronyd # Commands grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf" + +# RHEL 6 STIG: Packages to add/remove +stig_packages: + - packages: + - audit + - audispd-plugins + - aide + - chrony + - logrotate + - postfix + state: "{{ security_package_state }}" + enabled: True + - packages: + - libselinux-python + - policycoreutils-python + - selinux-policy + - selinux-policy-targeted + state: "{{ security_package_state }}" + enabled: "{{ security_enable_linux_security_module }}" + - packages: + - yum-cron + state: "{{ security_package_state }}" + enabled: "{{ security_unattended_upgrades_enabled }}" + - packages: + - xinetd + state: absent + enabled: "{{ security_remove_xinetd }}" + - packages: + - ypserv + state: absent + enabled: "{{ security_remove_ypserv }}" + - packages: + - tftp-server + state: absent + enabled: "{{ security_remove_tftp_server }}" + - packages: + - openldap-servers + state: absent + enabled: "{{ security_remove_ldap_server }}" + - packages: + - sendmail + state: absent + enabled: "{{ security_remove_sendmail }}" + - packages: + - xorg-x11-server-Xorg + state: absent + enabled: "{{ security_remove_xorg }}" + - packages: + - rsh-server + state: absent + enabled: "{{ security_remove_rsh_server }}" + - packages: + - telnet-server + state: absent + enabled: "{{ security_remove_telnet_server }}" diff --git a/vars/ubuntu.yml b/vars/ubuntu.yml index 356ebd75..1725ad59 100644 
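Review bot: In the vars/redhat.yml hunk, `chrony` sits in the first `stig_packages` group with `enabled: True`, so the new `security_enable_chrony` variable only stops the service from being started and configured but never prevents the package install, which contradicts the doc and release-note wording in this patch ("opt out of the chrony installation") and the tox.ini change that relies on `-e security_enable_chrony=no` instead of skipping V-38620. The `enabled:` values are also used raw by `selectattr('enabled')`, whereas the removed tasks applied `| bool`; a string such as `false` or `no` supplied via `-e` is truthy in Jinja, so every `enabled: "{{ security_remove_* }}"` should become `enabled: "{{ security_remove_* | bool }}"` (and likewise for `security_enable_linux_security_module` and `security_unattended_upgrades_enabled`). Giving chrony its own entry keyed on the new variable fixes the first point:

```yaml
stig_packages:
  # … unchanged: audit, audispd-plugins, aide, logrotate, postfix group (chrony removed from it) …
  - packages:
      - chrony
    state: "{{ security_package_state }}"
    enabled: "{{ security_enable_chrony | bool }}"
  # … unchanged: remaining groups, each `enabled:` wrapped in `| bool` …
```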
--- a/vars/ubuntu.yml +++ b/vars/ubuntu.yml @@ -39,3 +39,59 @@ chrony_service: chrony # Commands grub_update_cmd: "update-grub" + +# RHEL 6 STIG: Packages to add/remove +stig_packages: + - packages: + - auditd + - audispd-plugins + - aide + - aide-common + - chrony + - debsums + - logrotate + - postfix + state: "{{ security_package_state }}" + enabled: True + - packages: + - apparmor + - apparmor-profiles + - apparmor-utils + state: "{{ security_package_state }}" + enabled: "{{ security_enable_linux_security_module }}" + - packages: + - fail2ban + state: "{{ security_package_state }}" + enabled: "{{ security_install_fail2ban }}" + - packages: + - xinetd + state: absent + enabled: "{{ security_remove_xinetd }}" + - packages: + - nis + state: absent + enabled: "{{ security_remove_ypserv }}" + - packages: + - tftpd + state: absent + enabled: "{{ security_remove_tftp_server }}" + - packages: + - slapd + state: absent + enabled: "{{ security_remove_ldap_server }}" + - packages: + - sendmail + state: absent + enabled: "{{ security_remove_sendmail }}" + - packages: + - xorg-xserver + state: absent + enabled: "{{ security_remove_xorg }}" + - packages: + - rsh-server + state: absent + enabled: "{{ security_remove_rsh_server }}" + - packages: + - telnetd + state: absent + enabled: "{{ security_remove_telnet_server }}"
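Review bot: The V-38676 entry in vars/ubuntu.yml removes the literal package `xorg-xserver`, replacing the former `{{ xserver_pkg }}` variable; unless that variable also held `xorg-xserver`, the name looks transposed — the Ubuntu X server package is `xserver-xorg` as far as I know — and because the apt module treats an unknown name with `state: absent` as "not installed", the control would become a silent no-op rather than an error, so please confirm against the value this replaces. The `fail2ban` entry reinstates the install, but the tasks/auth.yml hunk in this patch deletes both the install and the `jail.local.j2` → `/etc/fail2ban/jail.d/jail.local` template task for V-38501 without re-adding the latter anywhere (auth.yml shows deletions only in the diffstat), so fail2ban will now run with distribution defaults and the template file is orphaned; the configure task should be restored, guarded by `security_install_fail2ban | bool`. As with the RHEL file, the `enabled:` values feed `selectattr('enabled')` without the `| bool` the removed tasks used, so `enabled: "{{ security_install_fail2ban }}"` should become `enabled: "{{ security_install_fail2ban | bool }}"` (and the same for the other variables) to keep string values like `no` from enabling the entry; `chrony` likewise belongs in its own entry keyed on `security_enable_chrony | bool` so the documented opt-out actually prevents the install.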