From 61dd6e6cbe4e5fb1f2d7506614a1ace28df91f84 Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Tue, 13 Dec 2016 09:08:53 -0600 Subject: [PATCH] [Docs] Update for RHEL7 STIG This patch updates the controls documentation for RHEL 7 and also adds a reference to the RHEL 7 STIG content in the main documentation page. Implements: blueprint security-rhel7-stig Change-Id: I56bd97dc793dddea7e05c0ac20a6579e7cfec533 --- doc/source/controls-rhel7.rst | 68 ++++++++++++++++++++++++++++++++++- doc/source/index.rst | 9 +++++ 2 files changed, 76 insertions(+), 1 deletion(-) diff --git a/doc/source/controls-rhel7.rst b/doc/source/controls-rhel7.rst index 8af78ce3..1f6e42da 100644 --- a/doc/source/controls-rhel7.rst +++ b/doc/source/controls-rhel7.rst 
@@ -1,7 +1,73 @@ Security hardening controls in detail (RHEL 7 STIG) =================================================== -RHEL 7 STIG controls are still in development +The openstack-ansible-security role follows the Red Hat Enteprise Linux 7 +`Security Technical Implementation Guide (STIG)`_. The guide has over 200 +controls that apply to various parts of a Linux system, and it is updated +regularly by the Defense Information Systems Agency (DISA). DISA is part of the +United States Department of Defense. The current version of the openstack- +ansible-security role is based on release 1, version 0.2 of the Red Hat +Enterprise Linux 7 STIG. + +Controls are divided into groups based on the following properties: + +* **Severity:** + + * *High severity* controls have a large impact on the security of a + system. They also have the largest operational impact to a system and + deployers should test them thoroughly in non-production environments. + + * *Low severity* controls have a smaller impact on overall security, but they + are generally easier to implement with a much lower operational impact. + +* **Implementation Status:** + + * *Implemented* controls are automatically implemented with automated tasks. + Deployers can often opt out of these controls by adjusting Ansible + variables. These variables are documented with each control below. + + * *Exceptions* denote controls that cannot be completed via automated tasks. + Some of these controls must be applied during the initial provisioning + process for new servers while others require manual inspection of the + system. + + * *Opt in* controls have automated tasks written, but these tasks are + disabled by default. These controls are often disabled because they could + cause disruptions on a production system, or they do not provide a + significant security benefit. Each control can be enabled with Ansible + variables and these variables are documented with each control below. 
+ + * *Verification only* controls have tasks that verify that a control is met. + These tasks do not take any action on the system, but they often display + debug output with additional instructions for deployers. + +* **Tag:** + + * Each control has a tag applied, and the tags allow deployers to select + specific groups of controls to apply. For example, deployers can apply the + controls for the ssh daemon by using ``--tags sshd`` on the Ansible command + line. + + * Tags also make it easier to navigate through the Ansible tasks in the code + itself. For example, all tasks tagged with ``auditd`` are found within + ``tasks/rhel7stig/auditd.yml``. + +.. _Security Technical Implementation Guide (STIG): http://iase.disa.mil/stigs/os/unix-linux/Pages/red-hat.aspx + +Although the STIG is specific to Red Hat Enterprise Linux 7, it also applies to +CentOS 7 systems. In addition, almost all of the controls are easily translated +for Ubuntu 16.04. Any deviations during translation are noted within the +documentation below. + +.. note:: + + The RHEL 7 STIG content is still under development and is disabled by + default. Deployers can test the tasks on non-production systems by setting + the ``stig_version`` variable on the Ansible command line: + + .. code-block:: console + + ansible-playbook -i hosts playbook.yml -e stig_version=rhel7 .. toctree:: :maxdepth: 2 diff --git a/doc/source/index.rst b/doc/source/index.rst index 1bd9f719..83d1dd58 100644 --- a/doc/source/index.rst +++ b/doc/source/index.rst @@ -45,6 +45,15 @@ Ocata release. controls.rst developer-guide.rst +Development is underway for adding the Red Hat Enterprise Linux 7 STIG content +to the openstack-ansible-security role. The documentation for this work is +available in this section: + +.. toctree:: + :maxdepth: 2 + + controls-rhel7.rst + Newton: Latest stable release ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
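Review bot: in the controls-rhel7.rst hunk, the first added paragraph misspells the product name as "Red Hat Enteprise Linux 7"; it should read "Red Hat Enterprise Linux 7", matching the spelling used two sentences later and in the link target. While here, the **Severity** list documents only *High* and *Low* controls, yet DISA STIGs also carry a medium category; either add a *Medium severity* bullet or state explicitly that medium controls are grouped with one of the two listed levels, so deployers reading the per-control documentation below know which bucket to expect.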
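Review bot: in the index.rst hunk, the added paragraph "Development is underway for adding the Red Hat Enterprise Linux 7 STIG content" does not mention that the content is disabled by default; the ``.. note::`` in controls-rhel7.rst makes that point, but readers who land on the index first may assume the RHEL 7 tasks run with the default ``stig_version``. Suggest adding a short sentence such as "This content is disabled by default; see the section for how to enable it for testing." before the ``.. toctree::`` directive.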