From 312048452721b7e7ad0cef5f9e5de985cc0b0670 Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Wed, 7 Oct 2015 12:43:27 -0500 Subject: [PATCH] V-3851{4,5,6,7}: Disabling certain network protocols This also includes a minor cleanup for V-38490 (disable usb-storage module). Change-Id: Ie874cbf3c8fb6a69b7d0d674d728876a5d4d1fb7 --- defaults/main.yml | 10 ++++-- doc/source/developer-notes/V-38490.rst | 6 ++-- doc/source/developer-notes/V-38514.rst | 11 ++++++ doc/source/developer-notes/V-38515.rst | 10 ++++++ doc/source/developer-notes/V-38516.rst | 13 +++++++ doc/source/developer-notes/V-38517.rst | 13 +++++++ tasks/kernel.yml | 48 ++++++++++++++++++++++++-- 7 files changed, 105 insertions(+), 6 deletions(-) create mode 100644 doc/source/developer-notes/V-38514.rst create mode 100644 doc/source/developer-notes/V-38515.rst create mode 100644 doc/source/developer-notes/V-38516.rst create mode 100644 doc/source/developer-notes/V-38517.rst
diff --git a/defaults/main.yml b/defaults/main.yml
index 4a90cd8a..2c25a312 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -165,8 +165,14 @@ num_logs: 5 # V-38636
 #password_warn_age: 7 # V-38480
 ## Kernel modules
-# V-38490 - Set the line below to yes to disable usb-storage
-disable_usb_storage: no
+# Set these booleans to 'yes' to disable the kernel module (following the
+# STIG requirements). Set the boolean to 'no' to ensure no changes are made.
+disable_module:
+ dccp: yes # V-38514
+ rds: yes # V-38516
+ sctp: yes # V-38515
+ tipc: yes # V-38517
+ usb_storage: no # V-38490
 ## sysctl tunables
 # ** DANGER **
diff --git a/doc/source/developer-notes/V-38490.rst b/doc/source/developer-notes/V-38490.rst
index 65fe8dab..3d3f97dc 100644
--- a/doc/source/developer-notes/V-38490.rst
+++ b/doc/source/developer-notes/V-38490.rst
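Review bot: The new `disable_module` mapping cannot be partially overridden the way the developer notes in this commit describe: under Ansible's default `hash_behaviour=replace`, a deployer who sets only `disable_module: {usb_storage: yes}` in their vars replaces the whole mapping, and the `when: disable_module['dccp'] | bool` conditions in tasks/kernel.yml then fail on the missing key, so the DCCP/SCTP/RDS/TIPC hardening is no longer applied on that host. The `disable_module['usb_storage']: yes` form shown in the .rst files is not a nested override either; it defines a new top-level variable with that literal name. I would extend the comment above `disable_module:` with `# NOTE: an override replaces the whole mapping (hash_behaviour=replace) - copy all five keys into your override.` and have the docs show the full mapping. Separately, `yes`/`no` are YAML 1.1 truthy spellings; `true`/`false` is the lint-clean form and behaves the same through the `| bool` filter.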
@@ -2,8 +2,10 @@ Disabling the ``usb-storage`` module can add extra security, but it's not necessary on most systems. To disable the ``usb-storage`` module on hosts,
-set ``disable_usb_storage`` to ``yes``:
+set the following variable to ``yes``:
 .. code-block:: yaml
- disable_usb_storage: yes
+ disable_module['usb_storage']: yes
+
+**NOTE:** The module will be disabled on the next reboot.
diff --git a/doc/source/developer-notes/V-38514.rst b/doc/source/developer-notes/V-38514.rst
new file mode 100644
index 00000000..f0a4a077
--- /dev/null
+++ b/doc/source/developer-notes/V-38514.rst
@@ -0,0 +1,11 @@
+The Datagram Congestion Control Protocol (DCCP) must be disabled if it's not
+needed. Neither Ubuntu 14.04 or openstack-ansible utilizes this kernel
+module and the Ansible tasks will disable it by default.
+
+To opt-out of this change, simply change the following variable to ``no``:
+
+.. code-block:: yaml
+
+ disable_module['dccp']: no
+
+**NOTE:** The module will be disabled on the next reboot.
diff --git a/doc/source/developer-notes/V-38515.rst b/doc/source/developer-notes/V-38515.rst
new file mode 100644
index 00000000..987d1f83
--- /dev/null
+++ b/doc/source/developer-notes/V-38515.rst
@@ -0,0 +1,10 @@
+The Stream Control Transmission Protocol (SCTP) must be disabled. This module
+isn't used by Ubuntu 14.04 or openstack-ansible by default.
+
+To opt-out of this change, set the following variable to ``no``:
+
+.. code-block:: yaml
+
+ disable_module['sctp']: no
+
+**NOTE:** The module will be disabled on the next reboot.
diff --git a/doc/source/developer-notes/V-38516.rst b/doc/source/developer-notes/V-38516.rst
new file mode 100644
index 00000000..83104523
--- /dev/null
+++ b/doc/source/developer-notes/V-38516.rst
@@ -0,0 +1,13 @@
+The `Reliable Datagram Sockets (RDS)`_ protocol must be disabled. Neither Ubuntu
+14.04 or openstack-ansible enables this module by default, so the Ansible
+tasks in this role will disable the module.
+
+.. _Reliable Datagram Sockets (RDS): https://en.wikipedia.org/wiki/Reliable_Datagram_Sockets
+
+To opt-out of this change, set the following variable to ``no``:
+
+.. code-block:: yaml
+
+ disable_module['rds']: no
+
+**NOTE:** The module will be disabled on the next reboot.
diff --git a/doc/source/developer-notes/V-38517.rst b/doc/source/developer-notes/V-38517.rst
new file mode 100644
index 00000000..61832680
--- /dev/null
+++ b/doc/source/developer-notes/V-38517.rst
@@ -0,0 +1,13 @@
+The `Transparent Inter-Process Communication (TIPC)`_ protocol must be
+disabled. Neither Ubuntu 14.04 or openstack-ansible enables this module by
+default, so the Ansible tasks in this role will disable the module.
+
+.. _Transparent Inter-Process Communication (TIPC): https://en.wikipedia.org/wiki/TIPC
+
+To opt-out of this change, set the following variable to ``no``:
+
+.. code-block:: yaml
+
+ disable_module['tipc']: no
+
+**NOTE:** The module will be disabled on the next reboot.
diff --git a/tasks/kernel.yml b/tasks/kernel.yml
index e8ad39a9..109ae2de 100644
--- a/tasks/kernel.yml
+++ b/tasks/kernel.yml
@@ -96,11 +96,55 @@ - name: V-38490 - Disable usb-storage module
 lineinfile:
- dest: /etc/modprobe.d/disable-usb-storage.conf
+ dest: /etc/modprobe.d/V-38490-disable-usb-storage.conf
 line: "install usb-storage /bin/true"
 create: yes
- when: disable_usb_storage is defined and disable_usb_storage | bool
+ when: disable_module['usb_storage'] | bool
 tags:
 - kernel
 - cat2
 - V-38490
+
+- name: V-38514 - Disable DCCP
+ lineinfile:
+ dest: /etc/modprobe.d/V-38514-disable-dccp.conf
+ line: "install dccp /bin/true"
+ create: yes
+ when: disable_module['dccp'] | bool
+ tags:
+ - kernel
+ - cat2
+ - V-38514
+
+- name: V-38515 - Disable SCTP
+ lineinfile:
+ dest: /etc/modprobe.d/V-38515-disable-sctp.conf
+ line: "install sctp /bin/true"
+ create: yes
+ when: disable_module['sctp'] | bool
+ tags:
+ - kernel
+ - cat2
+ - V-38515
+
+- name: V-38516 - Disable RDS
+ lineinfile:
+ dest: /etc/modprobe.d/V-38516-disable-rds.conf
+ line: "install rds /bin/true"
+ create: yes
+ when: disable_module['rds'] | bool
+ tags:
+ - kernel
+ - cat3
+ - V-38516
+
+- name: V-38517 - Disable TIPC
+ lineinfile:
+ dest: /etc/modprobe.d/V-38517-disable-tipc.conf
+ line: "install tipc /bin/true"
+ create: yes
+ when: disable_module['tipc'] | bool
+ tags:
+ - kernel
+ - cat2
+ - V-38517
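Review bot: The new `when: disable_module['usb_storage'] | bool` drops the old `disable_usb_storage` switch with no compatibility path, so a deployment that still carries `disable_usb_storage: yes` in its inventory silently stops applying V-38490 after this change, because the new `usb_storage` default is `no`. Either honour the old name as a fallback, `when: (disable_module['usb_storage'] | bool) or (disable_usb_storage | default(false) | bool)`, or fail early with an `assert` task when the deprecated variable is still defined, so the control cannot regress unnoticed. The destination also moves from `/etc/modprobe.d/disable-usb-storage.conf` to `V-38490-disable-usb-storage.conf` but nothing removes the old file, leaving hosts configured by the previous version with two copies of the same `install` line. All five tasks only block future loading; a module already resident stays loaded until reboot, as the developer notes say, and no verification step (for example an `lsmod` check) surfaces that interim state to the operator.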