Backport of package optimization

This patch is a backport of the package installation/removal work
done in the ocata branch. It is a manual backport of:

  I1def033953b50be3911cd932fd17b10dd2c658b7

Change-Id: I6c74e45f6e8d3b344508c87d20f4cf4250f713a9
Major Hayden 2016-11-18 09:59:00 -06:00
parent 5e8714cf03
commit 4251bc5666
15 changed files with 196 additions and 380 deletions


@ -138,9 +138,11 @@ security_action_mail_acct: root # V-38680
# and should only be set to 'single' for deployers in extremely high security
# environments. Ubuntu's default is SUSPEND, which will suspend logging.
# **IMMENENT DANGER**
security_admin_space_left_action: SUSPEND # V-54381
security_admin_space_left_action: SUSPEND # V-54381
## Chrony (NTP) configuration
# Install and enable chrony to sync time with NTP servers.
security_enable_chrony: yes # V-38620
# Adjust the following NTP servers if necessary.
security_ntp_servers:
- 0.north-america.pool.ntp.org
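Review bot: `security_enable_chrony: yes # V-38620` uses the YAML 1.1 truthy spelling; the tasks in this commit read it through `| bool`, so it works, but `security_enable_chrony: true # V-38620` is the canonical boolean form and keeps yamllint's truthy rule quiet. The comment above it ("Install and enable chrony") should also be checked against what the toggle actually gates: as far as the package lists in this commit show, chrony's entry is not conditioned on this variable, so "Enable and configure chrony" may be the accurate wording unless the lists are changed.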


@ -9,6 +9,13 @@ and to serve as an NTP server for NTP clients. Chrony was chosen over ntpd
because it's actively maintained and has some enhancements for virtualized
environments.
Deployers can opt out of the ``chrony`` installation by setting the following
Ansible variable:
.. code-block:: yaml
security_enable_chrony: no
There are two configurations available for users to adjust chrony's default
configuration:


@ -0,0 +1,5 @@
---
features:
- |
The installation of ``chrony`` is still enabled by default, but it is now
controlled by the ``security_enable_chrony`` variable.


@ -13,29 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: V-38489 - Install AIDE (with apt)
apt:
name: "{{ item }}"
state: "{{ security_package_state }}"
with_items:
- aide
- aide-common
when: ansible_pkg_mgr == 'apt'
tags:
- aide
- cat2
- V-38489
- name: V-38489 - Install AIDE (with yum)
yum:
name: aide
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'yum'
tags:
- aide
- cat2
- V-38489
- name: Verify that AIDE configuration directory exists
stat:
path: /etc/aide/aide.conf.d


@ -111,3 +111,35 @@
- package
- cat2
- V-38481
- name: Add or remove packages based on STIG requirements
apt:
name: |
{%- set pkg_list = [] %}
{%- for package_dict in item[1] %}
{%- if pkg_list.extend(package_dict.packages) %}{% endif %}
{%- endfor %}
{{ pkg_list }}
state: "{{ item[0] }}"
with_items:
- "{{ stig_packages | selectattr('enabled') | groupby('state') }}"
tags:
- cat1
- auth
- package
- services
- V-38439 # install: aide, aide-common
- V-38620 # install: chrony
- V-38624 # install: logrotate
- V-38631 # install: auditd_pkg
- V-38632 # install: auditd_pkg
- V-38637 # install: debsums
- V-38669 # install: postfix
- V-51337 # install: apparmor
- V-38583 # remove: xinetd
- V-38587 # remove: telnet-server
- V-38591 # remove: rsh-server
- V-38603 # remove: ypserv
- V-38606 # remove: tftp-server
- V-38627 # remove: openldap-servers
- V-38671 # remove: sendmail
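Review bot: The tag `- V-38439 # install: aide, aide-common` does not match the STIG id the removed AIDE tasks carried, `V-38489`; this looks like a transposition, and a run limited with `--tags V-38489` would no longer reach the AIDE install. The same tag appears in the yum counterpart of this task later in the commit. Separately, `selectattr('enabled')` selects on Jinja truthiness, and the `enabled` values in the new vars files are templated strings such as `"{{ security_remove_xinetd }}"`; if such a variable arrives as the string `no` from `-e var=no` (the form tox now uses for `security_enable_chrony`), a non-empty string is truthy and the entry would be selected. Whether the templating layer coerces these to booleans first depends on the Ansible version in use, so it is worth verifying; applying `| bool` inside each `enabled` expression in the vars files removes the ambiguity either way.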


@ -13,28 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: V-38631/38632 - The operating system must produce audit records (install auditd with apt)
apt:
name: "{{ auditd_pkg }}"
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'apt'
tags:
- auditd
- cat2
- V-38632
- V-38631
- name: V-38631/38632 - The operating system must produce audit records (install auditd with yum)
yum:
name: "{{ auditd_pkg }}"
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'yum'
tags:
- auditd
- cat2
- V-38632
- V-38631
- name: V-38631/38632 - The operating system must produce audit records (start auditd)
service:
name: auditd
@ -95,16 +73,6 @@
- cat2
- V-38636
- name: Ensure debsums package is installed (for V-38637)
apt:
name: debsums
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'apt'
tags:
- auditd
- cat2
- V-38637
# The debsums command returns 0 if the files haven't been altered but it
# returns 2 otherwise. We also will check to see if auditd has been installed
# and fail if it's not installed.


@ -182,81 +182,6 @@
- cat2
- V-38500
# Opt-in required for fail2ban (see documentation and defaults/main.yml)
# Ubuntu doesn't offer pam_faillock, but fail2ban provides a decent alternative
# for ssh-based authentication. See the documentation for details.
- name: V-38501 - The system must disable accounts after excessive login failures (install fail2ban)
apt:
name: fail2ban
state: "{{ security_package_state }}"
when: security_install_fail2ban | bool
tags:
- auth
- cat2
- V-38501
# Ban the offending IP for 15 minutes to meet the spirit of the STIG.
# Yes, the bantime we want to modify has two spaces before the equal sign.
- name: V-38501 - The system must disable accounts after excessive login failures (configure fail2ban)
template:
src: jail.local.j2
dest: /etc/fail2ban/jail.d/jail.local
when: security_install_fail2ban | bool
notify:
- restart fail2ban
tags:
- auth
- cat2
- V-38501
- name: V-38591 - Remove rshd with apt
apt:
name: rsh-server
state: absent
when:
- ansible_pkg_mgr == 'apt'
- security_remove_rsh_server | bool
tags:
- auth
- cat1
- V-38591
- name: V-38591 - Remove rshd with yum
yum:
name: rsh-server
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_rsh_server | bool
tags:
- auth
- cat1
- V-38591
- name: V-38587 - Remove telnet-server with apt
apt:
name: "{{ telnet_server_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'apt'
- security_remove_telnet_server | bool
tags:
- auth
- cat1
- V-38587
- name: V-38587 - Remove telnet-server with yum
yum:
name: "{{ telnet_server_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_telnet_server | bool
tags:
- auth
- cat1
- V-38587
- name: Search /etc/passwd for password hashes (for V-38499)
shell: "awk -F: '($2 != \"x\") {print}' /etc/passwd | wc -l"
register: v38499_result


@ -13,21 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Install packages for AppArmor support (for V-51337)
apt:
name: "{{ item }}"
state: "{{ security_package_state }}"
with_items:
- apparmor
- apparmor-profiles
- apparmor-utils
when:
- ansible_os_family == "Debian"
- security_enable_linux_security_module | bool
tags:
- cat2
- V-51337
- name: Ensure AppArmor is running (for V-51337)
service:
name: apparmor
@ -41,22 +26,6 @@
- cat2
- V-51337
- name: Install packages for SELinux support (for V-51337)
yum:
name: "{{ item }}"
state: "{{ security_package_state }}"
with_items:
- libselinux-python
- policycoreutils-python
- selinux-policy
- selinux-policy-targeted
when:
- ansible_os_family == "RedHat"
- security_enable_linux_security_module | bool
tags:
- cat2
- V-51337
- name: Ensure SELinux is in enforcing mode on the next reboot (for V-51337)
selinux:
state: enforcing


@ -13,26 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: V-38669 - The postfix service must be enabled for mail delivery (install postfix with apt)
apt:
name: postfix
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'apt'
tags:
- mail
- cat3
- V-38669
- name: V-38669 - The postfix service must be enabled for mail delivery (install postfix with yum)
yum:
name: postfix
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'yum'
tags:
- mail
- cat3
- V-38669
- name: V-38669 - The postfix service must be enabled for mail delivery (enable postfix)
service:
name: postfix


@ -40,30 +40,14 @@
- cat2
- V-38619
- name: V-38620 - Synchronize system clock (installing chrony with apt)
apt:
name: chrony
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'apt'
tags:
- cat2
- V-38620
- name: V-38620 - Synchronize system clock (installing chrony with yum)
yum:
name: chrony
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'yum'
tags:
- cat2
- V-38620
- name: V-38620 - Synchronize system clock (enable chrony)
service:
name: "{{ chrony_service }}"
state: started
enabled: yes
when: not check_mode
when:
- not check_mode
- security_enable_chrony | bool
tags:
- cat2
- V-38620
@ -80,35 +64,15 @@
template:
src: chrony.conf.j2
dest: /etc/chrony/chrony.conf
when: chrony_conf.stat.exists | bool
when:
- not check_mode
- security_enable_chrony | bool
notify:
- restart chrony
tags:
- cat2
- V-38620
# The STIG only requires that logrotate is installed and configured in cron.
# The openstack-ansible project will configure logs to be rotated weekly and
# compressed with each run. We won't change the interval here, but we will
# ensure that logrotate is installed (to meet the STIG requirement).
- name: V-38624 - System logs must be rotated daily (install logrotate with apt)
apt:
name: logrotate
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'apt'
tags:
- cat3
- V-38624
- name: V-38624 - System logs must be rotated daily (install logrotate with yum)
yum:
name: logrotate
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'yum'
tags:
- cat3
- V-38624
- name: Check for logrotate cron job (for V-38624)
stat:
path: /etc/cron.daily/logrotate
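Review bot: In the second hunk the template task's condition `when: chrony_conf.stat.exists | bool` is replaced by a list containing only `not check_mode` and `security_enable_chrony | bool`, so the guard on `/etc/chrony/chrony.conf` existing is gone. If the `stat` task that registers `chrony_conf` is still present above this hunk, its result is now unused, and on hosts where `/etc/chrony/` does not exist the template task would fail instead of being skipped. Keeping the original check as a third list item, `- chrony_conf.stat.exists | bool`, preserves the previous behaviour alongside the new toggle. The task that owns this `when:` starts outside the hunk.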


@ -86,16 +86,6 @@
- cat1
- V-38462
- name: V-38481 - Install yum-cron for automatic updates
yum:
name: yum-cron
state: "{{ security_package_state }}"
when: security_unattended_upgrades_enabled | bool
tags:
- package
- cat2
- V-38481
- name: V-38481 - System security patches and updates must be installed and up-to-date
lineinfile:
dest: /etc/yum/yum-cron.conf
@ -107,3 +97,34 @@
- package
- cat2
- V-38481
- name: Add or remove packages based on STIG requirements
yum:
name: |
{%- set pkg_list = [] %}
{%- for package_dict in item[1] %}
{%- if pkg_list.extend(package_dict.packages) %}{% endif %}
{%- endfor %}
{{ pkg_list }}
state: "{{ item[0] }}"
with_items:
- "{{ stig_packages | selectattr('enabled') | groupby('state') }}"
tags:
- cat1
- auth
- services
- V-38439 # install: aide, aide-common
- V-38481 # install: yum-cron
- V-38620 # install: chrony
- V-38624 # install: logrotate
- V-38631 # install: auditd_pkg
- V-38632 # install: auditd_pkg
- V-38669 # install: postfix
- V-51337 # install: SELinux
- V-38583 # remove: xinetd
- V-38587 # remove: telnet-server
- V-38591 # remove: rsh-server
- V-38603 # remove: ypserv
- V-38606 # remove: tftp-server
- V-38627 # remove: openldap-servers
- V-38671 # remove: sendmail
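Review bot: The new task's tag list has `cat1`, `auth` and `services` but not `package`, while the yum-cron task it replaces in the first hunk was tagged `package` and the apt counterpart of this task carries `- package` as well; a run limited with `--tags package` would now install yum-cron on apt hosts but not on yum hosts. Adding `- package` after `- auth` keeps the two tasks selectable the same way. The `V-38439` tag here has the same mismatch against the removed AIDE tasks' `V-38489` noted on the apt task.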


@ -117,55 +117,6 @@
- cat2
- V-38582
- name: V-38584 - xinetd must be uninstalled if not in use (apt)
apt:
name: xinetd
state: absent
when:
- ansible_pkg_mgr == 'apt'
- security_remove_xinetd | bool
tags:
- services
- cat3
- V-38584
- name: V-38584 - xinetd must be uninstalled if not in use (yum)
yum:
name: xinetd
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_xinetd | bool
tags:
- services
- cat3
- V-38584
# Ubuntu's equivalent of Red Hat's ypserv package is 'nis'
- name: V-38603 - Remove ypserv package with apt
apt:
name: "{{ ypserv_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'apt'
- security_remove_ypserv | bool
tags:
- services
- cat2
- V-38603
- name: V-38603 - Remove ypserv package with yum
yum:
name: "{{ ypserv_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_ypserv | bool
tags:
- services
- cat2
- V-38603
- name: V-38605 - The cron service must be running
service:
name: "{{ cron_service }}"
@ -176,30 +127,6 @@
- cat2
- V-38605
- name: V-38606 - The tftp-server package must not be installed unless required (apt)
apt:
name: "{{ tftp_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'apt'
- security_remove_tftp_server | bool
tags:
- services
- cat2
- V-38606
- name: V-38606 - The tftp-server package must not be installed unless required (yum)
yum:
name: "{{ tftp_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_tftp_server | bool
tags:
- services
- cat2
- V-38606
- name: V-38618 - avahi must be disabled
service:
name: avahi-daemon
@ -213,30 +140,6 @@
- cat3
- V-38618
- name: V-38627 - Remove LDAP servers unless required (apt)
apt:
name: "{{ ldap_server_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'apt'
- security_remove_ldap_server | bool
tags:
- services
- cat3
- V-38627
- name: V-38627 - Remove LDAP servers unless required (yum)
yum:
name: "{{ ldap_server_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_ldap_server | bool
tags:
- services
- cat3
- V-38627
- name: V-38650 - rdisc must be disabled
service:
name: rdisc
@ -250,30 +153,6 @@
- cat3
- V-38650
- name: V-38671 - Remove sendmail with apt
apt:
name: sendmail
state: absent
when:
- ansible_pkg_mgr == 'apt'
- security_remove_sendmail | bool
tags:
- services
- cat2
- V-38671
- name: V-38671 - Remove sendmail with yum
yum:
name: sendmail
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_sendmail | bool
tags:
- services
- cat2
- V-38671
- name: V-38672 - netconsole must be disabled
service:
name: netconsole
@ -286,27 +165,3 @@
- services
- cat3
- V-38672
- name: V-38676 - The X windows package must not be installed (apt)
apt:
name: "{{ xserver_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'apt'
- security_remove_xorg | bool
tags:
- services
- cat3
- V-38676
- name: V-38676 - The X windows package must not be installed (yum)
yum:
name: "{{ xserver_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_xorg | bool
tags:
- services
- cat3
- V-38676


@ -117,7 +117,7 @@ setenv =
# https://review.openstack.org/354819 merges.
# NOTE(mhayden): Skipping V-38620 since chrony cannot start with ntpd
# running in the gate images.
ANSIBLE_PARAMETERS=--skip-tags V-38462,V-38660,V-38620
ANSIBLE_PARAMETERS=--skip-tags V-38462,V-38660 -e security_enable_chrony=no
commands =
{[testenv:tests_clone]commands}
bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
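Review bot: The NOTE two lines above the changed line still says "Skipping V-38620", but the new value no longer skips that tag; it passes `-e security_enable_chrony=no` instead, so the comment should read something like `# NOTE(mhayden): Disabling chrony via security_enable_chrony since it cannot start with ntpd running in the gate images.` An extra-var given as `key=value` arrives as the string `no`, which the `| bool` guards on the chrony service and template tasks handle; note that, per the vars files in this commit, the chrony package itself is still installed in the gate, only its service start and configuration are skipped.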


@ -36,3 +36,58 @@ chrony_service: chronyd
# Commands
grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf"
# RHEL 6 STIG: Packages to add/remove
stig_packages:
- packages:
- audit
- audispd-plugins
- aide
- chrony
- logrotate
- postfix
state: "{{ security_package_state }}"
enabled: True
- packages:
- libselinux-python
- policycoreutils-python
- selinux-policy
- selinux-policy-targeted
state: "{{ security_package_state }}"
enabled: "{{ security_enable_linux_security_module }}"
- packages:
- yum-cron
state: "{{ security_package_state }}"
enabled: "{{ security_unattended_upgrades_enabled }}"
- packages:
- xinetd
state: absent
enabled: "{{ security_remove_xinetd }}"
- packages:
- ypserv
state: absent
enabled: "{{ security_remove_ypserv }}"
- packages:
- tftp-server
state: absent
enabled: "{{ security_remove_tftp_server }}"
- packages:
- openldap-servers
state: absent
enabled: "{{ security_remove_ldap_server }}"
- packages:
- sendmail
state: absent
enabled: "{{ security_remove_sendmail }}"
- packages:
- xorg-x11-server-Xorg
state: absent
enabled: "{{ security_remove_xorg }}"
- packages:
- rsh-server
state: absent
enabled: "{{ security_remove_rsh_server }}"
- packages:
- telnet-server
state: absent
enabled: "{{ security_remove_telnet_server }}"
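Review bot: `chrony` sits in the first entry whose `enabled: True` is unconditional, so `security_enable_chrony` does not control its installation, contrary to the release note ("now controlled by the security_enable_chrony variable") and the docs paragraph ("Deployers can opt out of the chrony installation") added in this commit. Giving chrony its own entry gated on the variable makes the code match the documented contract; the same applies to the Ubuntu vars file later in the commit. While touching these entries, `enabled: true` is the canonical spelling (yamllint's truthy rule flags `True`), and `| bool` on each templated `enabled` value guards against string-valued extra-vars being treated as truthy by `selectattr('enabled')`.
```yaml
stig_packages:
  - packages:
      - audit
      - audispd-plugins
      - aide
      - logrotate
      - postfix
    state: "{{ security_package_state }}"
    enabled: true
  - packages:
      - chrony
    state: "{{ security_package_state }}"
    enabled: "{{ security_enable_chrony | bool }}"
  # … unchanged: remaining entries …
```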


@ -39,3 +39,59 @@ chrony_service: chrony
# Commands
grub_update_cmd: "update-grub"
# RHEL 6 STIG: Packages to add/remove
stig_packages:
- packages:
- auditd
- audispd-plugins
- aide
- aide-common
- chrony
- debsums
- logrotate
- postfix
state: "{{ security_package_state }}"
enabled: True
- packages:
- apparmor
- apparmor-profiles
- apparmor-utils
state: "{{ security_package_state }}"
enabled: "{{ security_enable_linux_security_module }}"
- packages:
- fail2ban
state: "{{ security_package_state }}"
enabled: "{{ security_install_fail2ban }}"
- packages:
- xinetd
state: absent
enabled: "{{ security_remove_xinetd }}"
- packages:
- nis
state: absent
enabled: "{{ security_remove_ypserv }}"
- packages:
- tftpd
state: absent
enabled: "{{ security_remove_tftp_server }}"
- packages:
- slapd
state: absent
enabled: "{{ security_remove_ldap_server }}"
- packages:
- sendmail
state: absent
enabled: "{{ security_remove_sendmail }}"
- packages:
- xorg-xserver
state: absent
enabled: "{{ security_remove_xorg }}"
- packages:
- rsh-server
state: absent
enabled: "{{ security_remove_rsh_server }}"
- packages:
- telnetd
state: absent
enabled: "{{ security_remove_telnet_server }}"
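Review bot: The package names for the removal entries are written as literals (`nis`, `tftpd`, `slapd`, `xorg-xserver`, `telnetd`) although the tasks this commit deletes referenced them through `{{ ypserv_pkg }}`, `{{ tftp_pkg }}`, `{{ ldap_server_pkg }}`, `{{ xserver_pkg }}` and `{{ telnet_server_pkg }}`. If those variables are still defined above this hunk they are now dead and the two sources can drift; either reference them here (`- "{{ ypserv_pkg }}"`) or remove them. `enabled: True` on the first entry should be `enabled: true`, and the chrony placement issue raised on the Red Hat vars file applies to this list as well.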