From d7f838df9c923f7e5e682d1747aa5f5255b6565e Mon Sep 17 00:00:00 2001 
From: Andy McCrae Date: Wed, 13 Sep 2017 10:53:03 -0600 Subject: [PATCH] Revert "Revert "Retire openstack-ansible-security"" Now that stable/pike has been released we can re-retire the openstack-ansible-security role. NB the .gitreview file has remained in place, so that future stable releases will be successful. This reverts commit fe39a30c98f7ea706b930b18e9a37b8e4ce8d6a9. Change-Id: I1137ca951de2fba3b692c2c77b2030d9b0bd10eb --- LICENSE | 202 - README.md | 99 +- README.rst | 21 - Vagrantfile | 51 - bindep.txt | 46 - defaults/main.yml | 649 - doc/Makefile | 195 - .../U_RedHat_6_V1R12_Manual-xccdf.xml | 3168 ---- ...erprise_Linux_7_STIG_V1R1_Manual-xccdf.xml | 12082 ---------------- doc/metadata/import-existing-notes.py | 61 - doc/metadata/rhel6/V-38437.rst | 12 - doc/metadata/rhel6/V-38438.rst | 19 - doc/metadata/rhel6/V-38439.rst | 9 - doc/metadata/rhel6/V-38443.rst | 8 - doc/metadata/rhel6/V-38444.rst | 8 - doc/metadata/rhel6/V-38445.rst | 9 - doc/metadata/rhel6/V-38446.rst | 12 - doc/metadata/rhel6/V-38447.rst | 24 - doc/metadata/rhel6/V-38448.rst | 8 - doc/metadata/rhel6/V-38449.rst | 8 - doc/metadata/rhel6/V-38450.rst | 7 - doc/metadata/rhel6/V-38451.rst | 7 - doc/metadata/rhel6/V-38452.rst | 24 - doc/metadata/rhel6/V-38453.rst | 11 - doc/metadata/rhel6/V-38454.rst | 24 - doc/metadata/rhel6/V-38455.rst | 12 - doc/metadata/rhel6/V-38456.rst | 12 - doc/metadata/rhel6/V-38457.rst | 7 - doc/metadata/rhel6/V-38458.rst | 8 - doc/metadata/rhel6/V-38459.rst | 8 - doc/metadata/rhel6/V-38460.rst | 10 - doc/metadata/rhel6/V-38461.rst | 8 - doc/metadata/rhel6/V-38462.rst | 23 - doc/metadata/rhel6/V-38463.rst | 12 - doc/metadata/rhel6/V-38464.rst | 26 - doc/metadata/rhel6/V-38465.rst | 9 - doc/metadata/rhel6/V-38466.rst | 9 - doc/metadata/rhel6/V-38467.rst | 8 - doc/metadata/rhel6/V-38468.rst | 27 - doc/metadata/rhel6/V-38469.rst | 9 - doc/metadata/rhel6/V-38470.rst | 28 - doc/metadata/rhel6/V-38471.rst | 10 - doc/metadata/rhel6/V-38472.rst | 9 - 
doc/metadata/rhel6/V-38473.rst | 8 - doc/metadata/rhel6/V-38474.rst | 8 - doc/metadata/rhel6/V-38475.rst | 15 - doc/metadata/rhel6/V-38476.rst | 13 - doc/metadata/rhel6/V-38477.rst | 12 - doc/metadata/rhel6/V-38478.rst | 10 - doc/metadata/rhel6/V-38479.rst | 12 - doc/metadata/rhel6/V-38480.rst | 14 - doc/metadata/rhel6/V-38481.rst | 32 - doc/metadata/rhel6/V-38482.rst | 14 - doc/metadata/rhel6/V-38483.rst | 9 - doc/metadata/rhel6/V-38484.rst | 9 - doc/metadata/rhel6/V-38486.rst | 9 - doc/metadata/rhel6/V-38487.rst | 9 - doc/metadata/rhel6/V-38488.rst | 9 - doc/metadata/rhel6/V-38489.rst | 8 - doc/metadata/rhel6/V-38490.rst | 15 - doc/metadata/rhel6/V-38491.rst | 12 - doc/metadata/rhel6/V-38492.rst | 14 - doc/metadata/rhel6/V-38493.rst | 9 - doc/metadata/rhel6/V-38494.rst | 11 - doc/metadata/rhel6/V-38495.rst | 8 - doc/metadata/rhel6/V-38496.rst | 17 - doc/metadata/rhel6/V-38497.rst | 28 - doc/metadata/rhel6/V-38498.rst | 14 - doc/metadata/rhel6/V-38499.rst | 8 - doc/metadata/rhel6/V-38500.rst | 13 - doc/metadata/rhel6/V-38501.rst | 43 - doc/metadata/rhel6/V-38502.rst | 8 - doc/metadata/rhel6/V-38503.rst | 8 - doc/metadata/rhel6/V-38504.rst | 14 - doc/metadata/rhel6/V-38511.rst | 9 - doc/metadata/rhel6/V-38512.rst | 14 - doc/metadata/rhel6/V-38513.rst | 14 - doc/metadata/rhel6/V-38514.rst | 18 - doc/metadata/rhel6/V-38515.rst | 14 - doc/metadata/rhel6/V-38516.rst | 18 - doc/metadata/rhel6/V-38517.rst | 16 - doc/metadata/rhel6/V-38518.rst | 12 - doc/metadata/rhel6/V-38519.rst | 12 - doc/metadata/rhel6/V-38520.rst | 12 - doc/metadata/rhel6/V-38521.rst | 12 - doc/metadata/rhel6/V-38522.rst | 7 - doc/metadata/rhel6/V-38523.rst | 17 - doc/metadata/rhel6/V-38524.rst | 15 - doc/metadata/rhel6/V-38525.rst | 7 - doc/metadata/rhel6/V-38526.rst | 16 - doc/metadata/rhel6/V-38527.rst | 8 - doc/metadata/rhel6/V-38528.rst | 26 - doc/metadata/rhel6/V-38529.rst | 17 - doc/metadata/rhel6/V-38530.rst | 8 - doc/metadata/rhel6/V-38531.rst | 7 - doc/metadata/rhel6/V-38532.rst | 17 - 
doc/metadata/rhel6/V-38533.rst | 17 - doc/metadata/rhel6/V-38534.rst | 9 - doc/metadata/rhel6/V-38535.rst | 9 - doc/metadata/rhel6/V-38536.rst | 7 - doc/metadata/rhel6/V-38537.rst | 9 - doc/metadata/rhel6/V-38538.rst | 7 - doc/metadata/rhel6/V-38539.rst | 27 - doc/metadata/rhel6/V-38540.rst | 7 - doc/metadata/rhel6/V-38541.rst | 17 - doc/metadata/rhel6/V-38542.rst | 17 - doc/metadata/rhel6/V-38543.rst | 17 - doc/metadata/rhel6/V-38544.rst | 17 - doc/metadata/rhel6/V-38545.rst | 16 - doc/metadata/rhel6/V-38546.rst | 18 - doc/metadata/rhel6/V-38547.rst | 17 - doc/metadata/rhel6/V-38548.rst | 19 - doc/metadata/rhel6/V-38549.rst | 10 - doc/metadata/rhel6/V-38550.rst | 17 - doc/metadata/rhel6/V-38551.rst | 22 - doc/metadata/rhel6/V-38552.rst | 16 - doc/metadata/rhel6/V-38553.rst | 10 - doc/metadata/rhel6/V-38554.rst | 16 - doc/metadata/rhel6/V-38555.rst | 10 - doc/metadata/rhel6/V-38556.rst | 16 - doc/metadata/rhel6/V-38557.rst | 16 - doc/metadata/rhel6/V-38558.rst | 16 - doc/metadata/rhel6/V-38559.rst | 16 - doc/metadata/rhel6/V-38560.rst | 10 - doc/metadata/rhel6/V-38561.rst | 16 - doc/metadata/rhel6/V-38563.rst | 9 - doc/metadata/rhel6/V-38565.rst | 16 - doc/metadata/rhel6/V-38566.rst | 16 - doc/metadata/rhel6/V-38567.rst | 10 - doc/metadata/rhel6/V-38568.rst | 7 - doc/metadata/rhel6/V-38569.rst | 14 - doc/metadata/rhel6/V-38570.rst | 14 - doc/metadata/rhel6/V-38571.rst | 14 - doc/metadata/rhel6/V-38572.rst | 14 - doc/metadata/rhel6/V-38573.rst | 43 - doc/metadata/rhel6/V-38574.rst | 21 - doc/metadata/rhel6/V-38575.rst | 17 - doc/metadata/rhel6/V-38576.rst | 21 - doc/metadata/rhel6/V-38577.rst | 26 - doc/metadata/rhel6/V-38578.rst | 7 - doc/metadata/rhel6/V-38579.rst | 15 - doc/metadata/rhel6/V-38580.rst | 8 - doc/metadata/rhel6/V-38581.rst | 7 - doc/metadata/rhel6/V-38582.rst | 15 - doc/metadata/rhel6/V-38583.rst | 13 - doc/metadata/rhel6/V-38584.rst | 13 - doc/metadata/rhel6/V-38585.rst | 10 - doc/metadata/rhel6/V-38586.rst | 11 - doc/metadata/rhel6/V-38587.rst | 
13 - doc/metadata/rhel6/V-38588.rst | 9 - doc/metadata/rhel6/V-38589.rst | 10 - doc/metadata/rhel6/V-38590.rst | 12 - doc/metadata/rhel6/V-38591.rst | 13 - doc/metadata/rhel6/V-38592.rst | 13 - doc/metadata/rhel6/V-38593.rst | 8 - doc/metadata/rhel6/V-38594.rst | 9 - doc/metadata/rhel6/V-38595.rst | 8 - doc/metadata/rhel6/V-38596.rst | 9 - doc/metadata/rhel6/V-38597.rst | 13 - doc/metadata/rhel6/V-38598.rst | 12 - doc/metadata/rhel6/V-38599.rst | 9 - doc/metadata/rhel6/V-38600.rst | 10 - doc/metadata/rhel6/V-38601.rst | 8 - doc/metadata/rhel6/V-38602.rst | 13 - doc/metadata/rhel6/V-38603.rst | 18 - doc/metadata/rhel6/V-38604.rst | 7 - doc/metadata/rhel6/V-38605.rst | 10 - doc/metadata/rhel6/V-38606.rst | 20 - doc/metadata/rhel6/V-38607.rst | 8 - doc/metadata/rhel6/V-38608.rst | 15 - doc/metadata/rhel6/V-38609.rst | 7 - doc/metadata/rhel6/V-38610.rst | 14 - doc/metadata/rhel6/V-38611.rst | 9 - doc/metadata/rhel6/V-38612.rst | 8 - doc/metadata/rhel6/V-38613.rst | 21 - doc/metadata/rhel6/V-38614.rst | 7 - doc/metadata/rhel6/V-38615.rst | 9 - doc/metadata/rhel6/V-38616.rst | 8 - doc/metadata/rhel6/V-38617.rst | 8 - doc/metadata/rhel6/V-38618.rst | 7 - doc/metadata/rhel6/V-38619.rst | 8 - doc/metadata/rhel6/V-38620.rst | 34 - doc/metadata/rhel6/V-38621.rst | 12 - doc/metadata/rhel6/V-38622.rst | 25 - doc/metadata/rhel6/V-38623.rst | 14 - doc/metadata/rhel6/V-38624.rst | 11 - doc/metadata/rhel6/V-38625.rst | 13 - doc/metadata/rhel6/V-38626.rst | 13 - doc/metadata/rhel6/V-38627.rst | 14 - doc/metadata/rhel6/V-38628.rst | 7 - doc/metadata/rhel6/V-38629.rst | 9 - doc/metadata/rhel6/V-38630.rst | 9 - doc/metadata/rhel6/V-38631.rst | 7 - doc/metadata/rhel6/V-38632.rst | 9 - doc/metadata/rhel6/V-38633.rst | 17 - doc/metadata/rhel6/V-38634.rst | 14 - doc/metadata/rhel6/V-38635.rst | 9 - doc/metadata/rhel6/V-38636.rst | 16 - doc/metadata/rhel6/V-38637.rst | 14 - doc/metadata/rhel6/V-38638.rst | 9 - doc/metadata/rhel6/V-38639.rst | 9 - doc/metadata/rhel6/V-38640.rst | 13 - 
doc/metadata/rhel6/V-38641.rst | 13 - doc/metadata/rhel6/V-38642.rst | 11 - doc/metadata/rhel6/V-38643.rst | 23 - doc/metadata/rhel6/V-38644.rst | 8 - doc/metadata/rhel6/V-38645.rst | 13 - doc/metadata/rhel6/V-38646.rst | 9 - doc/metadata/rhel6/V-38647.rst | 13 - doc/metadata/rhel6/V-38648.rst | 17 - doc/metadata/rhel6/V-38649.rst | 13 - doc/metadata/rhel6/V-38650.rst | 14 - doc/metadata/rhel6/V-38651.rst | 9 - doc/metadata/rhel6/V-38652.rst | 11 - doc/metadata/rhel6/V-38653.rst | 9 - doc/metadata/rhel6/V-38654.rst | 11 - doc/metadata/rhel6/V-38655.rst | 13 - doc/metadata/rhel6/V-38656.rst | 9 - doc/metadata/rhel6/V-38657.rst | 8 - doc/metadata/rhel6/V-38658.rst | 10 - doc/metadata/rhel6/V-38659.rst | 15 - doc/metadata/rhel6/V-38660.rst | 21 - doc/metadata/rhel6/V-38661.rst | 15 - doc/metadata/rhel6/V-38662.rst | 15 - doc/metadata/rhel6/V-38663.rst | 11 - doc/metadata/rhel6/V-38664.rst | 9 - doc/metadata/rhel6/V-38665.rst | 9 - doc/metadata/rhel6/V-38666.rst | 18 - doc/metadata/rhel6/V-38667.rst | 10 - doc/metadata/rhel6/V-38668.rst | 13 - doc/metadata/rhel6/V-38669.rst | 10 - doc/metadata/rhel6/V-38670.rst | 12 - doc/metadata/rhel6/V-38671.rst | 12 - doc/metadata/rhel6/V-38672.rst | 16 - doc/metadata/rhel6/V-38673.rst | 8 - doc/metadata/rhel6/V-38674.rst | 32 - doc/metadata/rhel6/V-38675.rst | 15 - doc/metadata/rhel6/V-38676.rst | 13 - doc/metadata/rhel6/V-38677.rst | 9 - doc/metadata/rhel6/V-38678.rst | 14 - doc/metadata/rhel6/V-38679.rst | 9 - doc/metadata/rhel6/V-38680.rst | 12 - doc/metadata/rhel6/V-38681.rst | 17 - doc/metadata/rhel6/V-38682.rst | 15 - doc/metadata/rhel6/V-38683.rst | 18 - doc/metadata/rhel6/V-38684.rst | 15 - doc/metadata/rhel6/V-38685.rst | 10 - doc/metadata/rhel6/V-38686.rst | 14 - doc/metadata/rhel6/V-38687.rst | 8 - doc/metadata/rhel6/V-38688.rst | 9 - doc/metadata/rhel6/V-38689.rst | 9 - doc/metadata/rhel6/V-38690.rst | 10 - doc/metadata/rhel6/V-38691.rst | 14 - doc/metadata/rhel6/V-38692.rst | 16 - doc/metadata/rhel6/V-38693.rst | 14 - 
doc/metadata/rhel6/V-38694.rst | 16 - doc/metadata/rhel6/V-38695.rst | 12 - doc/metadata/rhel6/V-38696.rst | 11 - doc/metadata/rhel6/V-38697.rst | 14 - doc/metadata/rhel6/V-38698.rst | 11 - doc/metadata/rhel6/V-38699.rst | 20 - doc/metadata/rhel6/V-38700.rst | 11 - doc/metadata/rhel6/V-38701.rst | 10 - doc/metadata/rhel6/V-38702.rst | 10 - doc/metadata/rhel6/V-43150.rst | 9 - doc/metadata/rhel6/V-51337.rst | 45 - doc/metadata/rhel6/V-51363.rst | 13 - doc/metadata/rhel6/V-51369.rst | 14 - doc/metadata/rhel6/V-51379.rst | 14 - doc/metadata/rhel6/V-51391.rst | 16 - doc/metadata/rhel6/V-51875.rst | 9 - doc/metadata/rhel6/V-54381.rst | 24 - doc/metadata/rhel6/V-57569.rst | 10 - doc/metadata/rhel6/V-58901.rst | 28 - doc/metadata/rhel7/V-71849.rst | 26 - doc/metadata/rhel7/V-71855.rst | 17 - doc/metadata/rhel7/V-71859.rst | 29 - doc/metadata/rhel7/V-71861.rst | 28 - doc/metadata/rhel7/V-71863.rst | 10 - doc/metadata/rhel7/V-71891.rst | 16 - doc/metadata/rhel7/V-71893.rst | 15 - doc/metadata/rhel7/V-71895.rst | 10 - doc/metadata/rhel7/V-71897.rst | 7 - doc/metadata/rhel7/V-71899.rst | 10 - doc/metadata/rhel7/V-71901.rst | 20 - doc/metadata/rhel7/V-71903.rst | 29 - doc/metadata/rhel7/V-71905.rst | 29 - doc/metadata/rhel7/V-71907.rst | 29 - doc/metadata/rhel7/V-71909.rst | 29 - doc/metadata/rhel7/V-71911.rst | 29 - doc/metadata/rhel7/V-71913.rst | 29 - doc/metadata/rhel7/V-71915.rst | 29 - doc/metadata/rhel7/V-71917.rst | 29 - doc/metadata/rhel7/V-71919.rst | 9 - doc/metadata/rhel7/V-71921.rst | 22 - doc/metadata/rhel7/V-71923.rst | 17 - doc/metadata/rhel7/V-71925.rst | 18 - doc/metadata/rhel7/V-71927.rst | 10 - doc/metadata/rhel7/V-71929.rst | 19 - doc/metadata/rhel7/V-71931.rst | 9 - doc/metadata/rhel7/V-71933.rst | 17 - doc/metadata/rhel7/V-71935.rst | 16 - doc/metadata/rhel7/V-71937.rst | 18 - doc/metadata/rhel7/V-71939.rst | 15 - doc/metadata/rhel7/V-71941.rst | 15 - doc/metadata/rhel7/V-71943.rst | 9 - doc/metadata/rhel7/V-71945.rst | 44 - 
doc/metadata/rhel7/V-71947.rst | 12 - doc/metadata/rhel7/V-71949.rst | 12 - doc/metadata/rhel7/V-71951.rst | 13 - doc/metadata/rhel7/V-71953.rst | 16 - doc/metadata/rhel7/V-71955.rst | 15 - doc/metadata/rhel7/V-71957.rst | 14 - doc/metadata/rhel7/V-71959.rst | 14 - doc/metadata/rhel7/V-71961.rst | 28 - doc/metadata/rhel7/V-71963.rst | 10 - doc/metadata/rhel7/V-71965.rst | 9 - doc/metadata/rhel7/V-71967.rst | 13 - doc/metadata/rhel7/V-71969.rst | 17 - doc/metadata/rhel7/V-71971.rst | 15 - doc/metadata/rhel7/V-71973.rst | 16 - doc/metadata/rhel7/V-71975.rst | 8 - doc/metadata/rhel7/V-71977.rst | 17 - doc/metadata/rhel7/V-71979.rst | 17 - doc/metadata/rhel7/V-71981.rst | 21 - doc/metadata/rhel7/V-71983.rst | 14 - doc/metadata/rhel7/V-71985.rst | 12 - doc/metadata/rhel7/V-71987.rst | 17 - doc/metadata/rhel7/V-71989.rst | 29 - doc/metadata/rhel7/V-71991.rst | 12 - doc/metadata/rhel7/V-71993.rst | 14 - doc/metadata/rhel7/V-71995.rst | 38 - doc/metadata/rhel7/V-71997.rst | 16 - doc/metadata/rhel7/V-71999.rst | 20 - doc/metadata/rhel7/V-72001.rst | 10 - doc/metadata/rhel7/V-72003.rst | 9 - doc/metadata/rhel7/V-72005.rst | 12 - doc/metadata/rhel7/V-72007.rst | 18 - doc/metadata/rhel7/V-72009.rst | 18 - doc/metadata/rhel7/V-72011.rst | 9 - doc/metadata/rhel7/V-72013.rst | 21 - doc/metadata/rhel7/V-72015.rst | 10 - doc/metadata/rhel7/V-72017.rst | 25 - doc/metadata/rhel7/V-72019.rst | 10 - doc/metadata/rhel7/V-72021.rst | 10 - doc/metadata/rhel7/V-72023.rst | 10 - doc/metadata/rhel7/V-72025.rst | 10 - doc/metadata/rhel7/V-72027.rst | 10 - doc/metadata/rhel7/V-72029.rst | 13 - doc/metadata/rhel7/V-72031.rst | 13 - doc/metadata/rhel7/V-72033.rst | 13 - doc/metadata/rhel7/V-72035.rst | 10 - doc/metadata/rhel7/V-72037.rst | 15 - doc/metadata/rhel7/V-72039.rst | 19 - doc/metadata/rhel7/V-72041.rst | 8 - doc/metadata/rhel7/V-72043.rst | 8 - doc/metadata/rhel7/V-72045.rst | 8 - doc/metadata/rhel7/V-72047.rst | 13 - doc/metadata/rhel7/V-72049.rst | 13 - doc/metadata/rhel7/V-72051.rst 
| 16 - doc/metadata/rhel7/V-72053.rst | 9 - doc/metadata/rhel7/V-72055.rst | 10 - doc/metadata/rhel7/V-72057.rst | 12 - doc/metadata/rhel7/V-72059.rst | 13 - doc/metadata/rhel7/V-72061.rst | 13 - doc/metadata/rhel7/V-72063.rst | 13 - doc/metadata/rhel7/V-72065.rst | 13 - doc/metadata/rhel7/V-72067.rst | 23 - doc/metadata/rhel7/V-72069.rst | 14 - doc/metadata/rhel7/V-72071.rst | 14 - doc/metadata/rhel7/V-72073.rst | 12 - doc/metadata/rhel7/V-72075.rst | 9 - doc/metadata/rhel7/V-72077.rst | 17 - doc/metadata/rhel7/V-72079.rst | 8 - doc/metadata/rhel7/V-72081.rst | 29 - doc/metadata/rhel7/V-72083.rst | 13 - doc/metadata/rhel7/V-72085.rst | 21 - doc/metadata/rhel7/V-72087.rst | 32 - doc/metadata/rhel7/V-72089.rst | 16 - doc/metadata/rhel7/V-72091.rst | 16 - doc/metadata/rhel7/V-72093.rst | 14 - doc/metadata/rhel7/V-72095.rst | 18 - doc/metadata/rhel7/V-72097.rst | 24 - doc/metadata/rhel7/V-72099.rst | 24 - doc/metadata/rhel7/V-72101.rst | 24 - doc/metadata/rhel7/V-72103.rst | 24 - doc/metadata/rhel7/V-72105.rst | 24 - doc/metadata/rhel7/V-72107.rst | 24 - doc/metadata/rhel7/V-72109.rst | 24 - doc/metadata/rhel7/V-72111.rst | 15 - doc/metadata/rhel7/V-72113.rst | 24 - doc/metadata/rhel7/V-72115.rst | 24 - doc/metadata/rhel7/V-72117.rst | 15 - doc/metadata/rhel7/V-72119.rst | 24 - doc/metadata/rhel7/V-72121.rst | 24 - doc/metadata/rhel7/V-72123.rst | 15 - doc/metadata/rhel7/V-72125.rst | 15 - doc/metadata/rhel7/V-72127.rst | 15 - doc/metadata/rhel7/V-72129.rst | 15 - doc/metadata/rhel7/V-72131.rst | 15 - doc/metadata/rhel7/V-72133.rst | 15 - doc/metadata/rhel7/V-72135.rst | 13 - doc/metadata/rhel7/V-72137.rst | 13 - doc/metadata/rhel7/V-72139.rst | 14 - doc/metadata/rhel7/V-72141.rst | 14 - doc/metadata/rhel7/V-72143.rst | 12 - doc/metadata/rhel7/V-72145.rst | 9 - doc/metadata/rhel7/V-72147.rst | 13 - doc/metadata/rhel7/V-72149.rst | 14 - doc/metadata/rhel7/V-72151.rst | 14 - doc/metadata/rhel7/V-72153.rst | 14 - doc/metadata/rhel7/V-72155.rst | 14 - 
doc/metadata/rhel7/V-72157.rst | 14 - doc/metadata/rhel7/V-72159.rst | 13 - doc/metadata/rhel7/V-72161.rst | 14 - doc/metadata/rhel7/V-72163.rst | 14 - doc/metadata/rhel7/V-72165.rst | 14 - doc/metadata/rhel7/V-72167.rst | 14 - doc/metadata/rhel7/V-72169.rst | 14 - doc/metadata/rhel7/V-72171.rst | 14 - doc/metadata/rhel7/V-72173.rst | 14 - doc/metadata/rhel7/V-72175.rst | 14 - doc/metadata/rhel7/V-72177.rst | 14 - doc/metadata/rhel7/V-72179.rst | 14 - doc/metadata/rhel7/V-72181.rst | 18 - doc/metadata/rhel7/V-72183.rst | 14 - doc/metadata/rhel7/V-72185.rst | 14 - doc/metadata/rhel7/V-72187.rst | 15 - doc/metadata/rhel7/V-72189.rst | 15 - doc/metadata/rhel7/V-72191.rst | 14 - doc/metadata/rhel7/V-72193.rst | 14 - doc/metadata/rhel7/V-72195.rst | 14 - doc/metadata/rhel7/V-72197.rst | 20 - doc/metadata/rhel7/V-72199.rst | 15 - doc/metadata/rhel7/V-72201.rst | 15 - doc/metadata/rhel7/V-72203.rst | 15 - doc/metadata/rhel7/V-72205.rst | 16 - doc/metadata/rhel7/V-72207.rst | 16 - doc/metadata/rhel7/V-72209.rst | 10 - doc/metadata/rhel7/V-72211.rst | 14 - doc/metadata/rhel7/V-72213.rst | 20 - doc/metadata/rhel7/V-72215.rst | 11 - doc/metadata/rhel7/V-72217.rst | 16 - doc/metadata/rhel7/V-72219.rst | 8 - doc/metadata/rhel7/V-72221.rst | 15 - doc/metadata/rhel7/V-72223.rst | 14 - doc/metadata/rhel7/V-72225.rst | 28 - doc/metadata/rhel7/V-72227.rst | 13 - doc/metadata/rhel7/V-72229.rst | 23 - doc/metadata/rhel7/V-72231.rst | 23 - doc/metadata/rhel7/V-72233.rst | 11 - doc/metadata/rhel7/V-72235.rst | 23 - doc/metadata/rhel7/V-72237.rst | 30 - doc/metadata/rhel7/V-72239.rst | 7 - doc/metadata/rhel7/V-72241.rst | 30 - doc/metadata/rhel7/V-72243.rst | 14 - doc/metadata/rhel7/V-72245.rst | 14 - doc/metadata/rhel7/V-72247.rst | 21 - doc/metadata/rhel7/V-72249.rst | 14 - doc/metadata/rhel7/V-72251.rst | 19 - doc/metadata/rhel7/V-72253.rst | 15 - doc/metadata/rhel7/V-72255.rst | 9 - doc/metadata/rhel7/V-72257.rst | 9 - doc/metadata/rhel7/V-72259.rst | 14 - 
doc/metadata/rhel7/V-72261.rst | 14 - doc/metadata/rhel7/V-72263.rst | 14 - doc/metadata/rhel7/V-72265.rst | 20 - doc/metadata/rhel7/V-72267.rst | 27 - doc/metadata/rhel7/V-72269.rst | 25 - doc/metadata/rhel7/V-72271.rst | 32 - doc/metadata/rhel7/V-72273.rst | 23 - doc/metadata/rhel7/V-72275.rst | 14 - doc/metadata/rhel7/V-72277.rst | 18 - doc/metadata/rhel7/V-72279.rst | 9 - doc/metadata/rhel7/V-72281.rst | 8 - doc/metadata/rhel7/V-72283.rst | 19 - doc/metadata/rhel7/V-72285.rst | 9 - doc/metadata/rhel7/V-72287.rst | 15 - doc/metadata/rhel7/V-72289.rst | 9 - doc/metadata/rhel7/V-72291.rst | 16 - doc/metadata/rhel7/V-72293.rst | 9 - doc/metadata/rhel7/V-72295.rst | 9 - doc/metadata/rhel7/V-72297.rst | 14 - doc/metadata/rhel7/V-72299.rst | 7 - doc/metadata/rhel7/V-72301.rst | 18 - doc/metadata/rhel7/V-72303.rst | 14 - doc/metadata/rhel7/V-72305.rst | 10 - doc/metadata/rhel7/V-72307.rst | 17 - doc/metadata/rhel7/V-72309.rst | 22 - doc/metadata/rhel7/V-72311.rst | 9 - doc/metadata/rhel7/V-72313.rst | 10 - doc/metadata/rhel7/V-72315.rst | 14 - doc/metadata/rhel7/V-72317.rst | 9 - doc/metadata/rhel7/V-72319.rst | 18 - doc/metadata/rhel7/V-72417.rst | 19 - doc/metadata/rhel7/V-72427.rst | 10 - doc/metadata/rhel7/V-72433.rst | 9 - doc/metadata/rhel7/V-72435.rst | 9 - doc/metadata/rhel7/V-73155.rst | 9 - doc/metadata/rhel7/V-73157.rst | 9 - doc/metadata/rhel7/V-73159.rst | 14 - doc/metadata/rhel7/V-73161.rst | 9 - doc/metadata/rhel7/V-73163.rst | 9 - doc/metadata/rhel7/V-73165.rst | 9 - doc/metadata/rhel7/V-73167.rst | 9 - doc/metadata/rhel7/V-73171.rst | 9 - doc/metadata/rhel7/V-73173.rst | 9 - doc/metadata/rhel7/V-73175.rst | 9 - doc/metadata/rhel7/V-73177.rst | 9 - doc/metadata/stig_to_rst.py | 30 - doc/metadata/template_all.j2 | 24 - doc/metadata/template_all_rhel7.j2 | 24 - doc/metadata/template_doc.j2 | 16 - doc/metadata/template_doc_rhel7.j2 | 17 - doc/metadata/template_toc.j2 | 31 - doc/metadata/template_toc_rhel7.j2 | 31 - doc/source/_exts/metadata-docs-rhel7.py | 
274 - doc/source/_exts/metadata-docs.py | 216 - doc/source/_static/.gitkeep | 0 doc/source/_themes/openstack/layout.html | 109 - doc/source/_themes/openstack/static/basic.css | 419 - .../_themes/openstack/static/default.css | 230 - .../_themes/openstack/static/header-line.gif | Bin 48 -> 0 bytes .../_themes/openstack/static/header_bg.jpg | Bin 3738 -> 0 bytes .../_themes/openstack/static/nature.css | 245 - .../openstack/static/openstack_logo.png | Bin 3670 -> 0 bytes .../_themes/openstack/static/tweaks.css | 128 - doc/source/_themes/openstack/theme.conf | 7 - doc/source/conf.py | 323 - doc/source/controls-rhel7.rst | 68 - doc/source/controls.rst | 46 - doc/source/developer-guide.rst | 84 - doc/source/faq.rst | 65 - doc/source/getting-started.rst | 68 - doc/source/index.rst | 134 - doc/source/special-notes.rst | 154 - files/20auto-upgrades | 2 - files/V-38682-modprobe.conf | 4 - files/dconf-profile-gdm | 3 - files/dconf-user-profile | 2 - files/login_banner.txt | 6 - handlers/main.yml | 94 - library/get_users | 122 - manual-test.rc | 33 - meta/main.yml | 20 - releasenotes/notes/.placeholder | 0 .../notes/add-v38438-3f7e905892be4b4f.yaml | 21 - .../notes/adding-v38526-381a407caa566b14.yaml | 8 - .../notes/adding-v38548-9c51b30bf9780ff3.yaml | 8 - .../aide-exclude-run-4d3c97a2d08eb373.yaml | 6 - ...e-initialization-fix-16ab0223747d7719.yaml | 17 - ...g-mac-policy-changes-fb83e0260a6431ed.yaml | 15 - .../augenrules-restart-39fe3e1e2de3eaba.yaml | 5 - ...rony-config-variable-7a1a7862c05c9675.yaml | 5 - ...able-martian-logging-370ede40b036db0b.yaml | 13 - ...-login-banner-string-d8d5ae874e8e49f3.yaml | 6 - ...ry-variables-removed-957c7b7b2108ba1f.yaml | 9 - ...access-audit-logging-789dc01c8bcbef17.yaml | 6 - ...-graphical-interface-5db89cd1bef7e12d.yaml | 13 - ...e-netconsole-service-915bb33449b4012c.yaml | 7 - ...perms-fix-by-default-b164e39717f0ada7.yaml | 6 - ...sabling-rdisc-centos-75115b3509941bfa.yaml | 8 - .../notes/enable-lsm-bae903e463079a3f.yaml | 14 - 
...cp-syncookes-boolean-4a884a66a3a0e4d7.yaml | 11 - ...t-log-permission-bug-81a772e2e6d0a5b3.yaml | 10 - ...check-mode-with-tags-bf798856a27c53eb.yaml | 7 - ...g-sshd-match-stanzas-fa40b97689004e46.yaml | 7 - .../implemented-v38524-b357edec95128307.yaml | 12 - ...oved-audit-rule-keys-9fa85f758386446c.yaml | 5 - ...ocal-interfaces-only-05f03de632e81097.yaml | 5 - .../notes/package-state-6684c5634bdf127a.yaml | 13 - ...ackage-state-present-951161faa5384abd.yaml | 7 - ...educe-auditd-logging-633677a74aee5481.yaml | 25 - .../rhel-gpg-check-0b483a824314d1b3.yaml | 7 - .../rhel7-stig-default-f6c7c97498a8b2e7.yaml | 19 - ...or-unlabeled-devices-cb047c5f767e93ce.yaml | 6 - ...s-file-search-opt-in-887f600a79eef07e.yaml | 7 - ...1-renumbering-fiesta-aa047fea3ea35e74.yaml | 20 - ...rt-for-centos-xenial-2b89c318cc3df4b0.yaml | 5 - ...e-variable-migration-c0639030b495438f.yaml | 20 - releasenotes/source/_static/.placeholder | 0 releasenotes/source/_templates/.placeholder | 0 releasenotes/source/conf.py | 284 - releasenotes/source/index.rst | 12 - releasenotes/source/liberty.rst | 6 - releasenotes/source/mitaka.rst | 6 - releasenotes/source/newton.rst | 6 - releasenotes/source/ocata.rst | 6 - releasenotes/source/unreleased.rst | 5 - run_tests.sh | 65 - setup.cfg | 24 - setup.py | 29 - tasks/main.yml | 97 - tasks/rhel6stig/aide.yml | 94 - tasks/rhel6stig/apt.yml | 129 - tasks/rhel6stig/auditd.yml | 290 - tasks/rhel6stig/auth.yml | 408 - tasks/rhel6stig/boot.yml | 66 - tasks/rhel6stig/console.yml | 61 - tasks/rhel6stig/file_perms.yml | 188 - tasks/rhel6stig/kernel.yml | 222 - tasks/rhel6stig/lsm.yml | 52 - tasks/rhel6stig/mail.yml | 72 - tasks/rhel6stig/main.yml | 42 - tasks/rhel6stig/misc.yml | 339 - tasks/rhel6stig/nfsd.yml | 74 - tasks/rhel6stig/rpm.yml | 125 - tasks/rhel6stig/services.yml | 167 - tasks/rhel6stig/sshd.yml | 234 - tasks/rhel7stig/accounts.yml | 255 - tasks/rhel7stig/aide.yml | 115 - tasks/rhel7stig/apt.yml | 92 - tasks/rhel7stig/auditd.yml | 186 - 
tasks/rhel7stig/auth.yml | 228 - tasks/rhel7stig/file_perms.yml | 160 - tasks/rhel7stig/graphical.yml | 143 - tasks/rhel7stig/kernel.yml | 95 - tasks/rhel7stig/lsm.yml | 102 - tasks/rhel7stig/main.yml | 94 - tasks/rhel7stig/misc.yml | 409 - tasks/rhel7stig/packages.yml | 99 - tasks/rhel7stig/rpm.yml | 71 - tasks/rhel7stig/sshd.yml | 107 - templates/ZZ_aide_exclusions.j2 | 8 - templates/chrony.conf.j2 | 104 - templates/dconf-gdm-banner-message.j2 | 3 - templates/dconf-screensaver-lock.j2 | 24 - .../dconf-session-user-config-lockout.j2 | 8 - templates/jail.local.j2 | 7 - templates/osas-auditd-rhel7.j2 | 97 - templates/osas-auditd.j2 | 335 - templates/pam_faillock.j2 | 3 - templates/pwquality.conf.j2 | 8 - templates/sshd_config_block.j2 | 58 - test-requirements.txt | 18 - tests/inventory | 2 - tests/test.yml | 102 - tests/tests-repo-clone.sh | 99 - tests/vagrant.yml | 19 - tox.ini | 130 - vars/debian.yml | 161 - vars/main.yml | 346 - vars/redhat.yml | 177 - 643 files changed, 10 insertions(+), 34124 deletions(-) delete mode 100644 LICENSE delete mode 100644 README.rst delete mode 100644 Vagrantfile delete mode 100644 bindep.txt delete mode 100644 defaults/main.yml delete mode 100644 doc/Makefile delete mode 100644 doc/metadata/U_RedHat_6_V1R12_Manual-xccdf.xml delete mode 100644 doc/metadata/U_Red_Hat_Enterprise_Linux_7_STIG_V1R1_Manual-xccdf.xml delete mode 100644 doc/metadata/import-existing-notes.py delete mode 100644 doc/metadata/rhel6/V-38437.rst delete mode 100644 doc/metadata/rhel6/V-38438.rst delete mode 100644 doc/metadata/rhel6/V-38439.rst delete mode 100644 doc/metadata/rhel6/V-38443.rst delete mode 100644 doc/metadata/rhel6/V-38444.rst delete mode 100644 doc/metadata/rhel6/V-38445.rst delete mode 100644 doc/metadata/rhel6/V-38446.rst delete mode 100644 doc/metadata/rhel6/V-38447.rst delete mode 100644 doc/metadata/rhel6/V-38448.rst delete mode 100644 doc/metadata/rhel6/V-38449.rst delete mode 100644 doc/metadata/rhel6/V-38450.rst delete mode 100644 
doc/metadata/rhel6/V-38451.rst delete mode 100644 doc/metadata/rhel6/V-38452.rst delete mode 100644 doc/metadata/rhel6/V-38453.rst delete mode 100644 doc/metadata/rhel6/V-38454.rst delete mode 100644 doc/metadata/rhel6/V-38455.rst delete mode 100644 doc/metadata/rhel6/V-38456.rst delete mode 100644 doc/metadata/rhel6/V-38457.rst delete mode 100644 doc/metadata/rhel6/V-38458.rst delete mode 100644 doc/metadata/rhel6/V-38459.rst delete mode 100644 doc/metadata/rhel6/V-38460.rst delete mode 100644 doc/metadata/rhel6/V-38461.rst delete mode 100644 doc/metadata/rhel6/V-38462.rst delete mode 100644 doc/metadata/rhel6/V-38463.rst delete mode 100644 doc/metadata/rhel6/V-38464.rst delete mode 100644 doc/metadata/rhel6/V-38465.rst delete mode 100644 doc/metadata/rhel6/V-38466.rst delete mode 100644 doc/metadata/rhel6/V-38467.rst delete mode 100644 doc/metadata/rhel6/V-38468.rst delete mode 100644 doc/metadata/rhel6/V-38469.rst delete mode 100644 doc/metadata/rhel6/V-38470.rst delete mode 100644 doc/metadata/rhel6/V-38471.rst delete mode 100644 doc/metadata/rhel6/V-38472.rst delete mode 100644 doc/metadata/rhel6/V-38473.rst delete mode 100644 doc/metadata/rhel6/V-38474.rst delete mode 100644 doc/metadata/rhel6/V-38475.rst delete mode 100644 doc/metadata/rhel6/V-38476.rst delete mode 100644 doc/metadata/rhel6/V-38477.rst delete mode 100644 doc/metadata/rhel6/V-38478.rst delete mode 100644 doc/metadata/rhel6/V-38479.rst delete mode 100644 doc/metadata/rhel6/V-38480.rst delete mode 100644 doc/metadata/rhel6/V-38481.rst delete mode 100644 doc/metadata/rhel6/V-38482.rst delete mode 100644 doc/metadata/rhel6/V-38483.rst delete mode 100644 doc/metadata/rhel6/V-38484.rst delete mode 100644 doc/metadata/rhel6/V-38486.rst delete mode 100644 doc/metadata/rhel6/V-38487.rst delete mode 100644 doc/metadata/rhel6/V-38488.rst delete mode 100644 doc/metadata/rhel6/V-38489.rst delete mode 100644 doc/metadata/rhel6/V-38490.rst delete mode 100644 doc/metadata/rhel6/V-38491.rst delete mode 100644 
doc/metadata/rhel6/V-38492.rst delete mode 100644 doc/metadata/rhel6/V-38493.rst delete mode 100644 doc/metadata/rhel6/V-38494.rst delete mode 100644 doc/metadata/rhel6/V-38495.rst delete mode 100644 doc/metadata/rhel6/V-38496.rst delete mode 100644 doc/metadata/rhel6/V-38497.rst delete mode 100644 doc/metadata/rhel6/V-38498.rst delete mode 100644 doc/metadata/rhel6/V-38499.rst delete mode 100644 doc/metadata/rhel6/V-38500.rst delete mode 100644 doc/metadata/rhel6/V-38501.rst delete mode 100644 doc/metadata/rhel6/V-38502.rst delete mode 100644 doc/metadata/rhel6/V-38503.rst delete mode 100644 doc/metadata/rhel6/V-38504.rst delete mode 100644 doc/metadata/rhel6/V-38511.rst delete mode 100644 doc/metadata/rhel6/V-38512.rst delete mode 100644 doc/metadata/rhel6/V-38513.rst delete mode 100644 doc/metadata/rhel6/V-38514.rst delete mode 100644 doc/metadata/rhel6/V-38515.rst delete mode 100644 doc/metadata/rhel6/V-38516.rst delete mode 100644 doc/metadata/rhel6/V-38517.rst delete mode 100644 doc/metadata/rhel6/V-38518.rst delete mode 100644 doc/metadata/rhel6/V-38519.rst delete mode 100644 doc/metadata/rhel6/V-38520.rst delete mode 100644 doc/metadata/rhel6/V-38521.rst delete mode 100644 doc/metadata/rhel6/V-38522.rst delete mode 100644 doc/metadata/rhel6/V-38523.rst delete mode 100644 doc/metadata/rhel6/V-38524.rst delete mode 100644 doc/metadata/rhel6/V-38525.rst delete mode 100644 doc/metadata/rhel6/V-38526.rst delete mode 100644 doc/metadata/rhel6/V-38527.rst delete mode 100644 doc/metadata/rhel6/V-38528.rst delete mode 100644 doc/metadata/rhel6/V-38529.rst delete mode 100644 doc/metadata/rhel6/V-38530.rst delete mode 100644 doc/metadata/rhel6/V-38531.rst delete mode 100644 doc/metadata/rhel6/V-38532.rst delete mode 100644 doc/metadata/rhel6/V-38533.rst delete mode 100644 doc/metadata/rhel6/V-38534.rst delete mode 100644 doc/metadata/rhel6/V-38535.rst delete mode 100644 doc/metadata/rhel6/V-38536.rst delete mode 100644 doc/metadata/rhel6/V-38537.rst delete mode 100644 
doc/metadata/rhel6/V-38538.rst delete mode 100644 doc/metadata/rhel6/V-38539.rst delete mode 100644 doc/metadata/rhel6/V-38540.rst delete mode 100644 doc/metadata/rhel6/V-38541.rst delete mode 100644 doc/metadata/rhel6/V-38542.rst delete mode 100644 doc/metadata/rhel6/V-38543.rst delete mode 100644 doc/metadata/rhel6/V-38544.rst delete mode 100644 doc/metadata/rhel6/V-38545.rst delete mode 100644 doc/metadata/rhel6/V-38546.rst delete mode 100644 doc/metadata/rhel6/V-38547.rst delete mode 100644 doc/metadata/rhel6/V-38548.rst delete mode 100644 doc/metadata/rhel6/V-38549.rst delete mode 100644 doc/metadata/rhel6/V-38550.rst delete mode 100644 doc/metadata/rhel6/V-38551.rst delete mode 100644 doc/metadata/rhel6/V-38552.rst delete mode 100644 doc/metadata/rhel6/V-38553.rst delete mode 100644 doc/metadata/rhel6/V-38554.rst delete mode 100644 doc/metadata/rhel6/V-38555.rst delete mode 100644 doc/metadata/rhel6/V-38556.rst delete mode 100644 doc/metadata/rhel6/V-38557.rst delete mode 100644 doc/metadata/rhel6/V-38558.rst delete mode 100644 doc/metadata/rhel6/V-38559.rst delete mode 100644 doc/metadata/rhel6/V-38560.rst delete mode 100644 doc/metadata/rhel6/V-38561.rst delete mode 100644 doc/metadata/rhel6/V-38563.rst delete mode 100644 doc/metadata/rhel6/V-38565.rst delete mode 100644 doc/metadata/rhel6/V-38566.rst delete mode 100644 doc/metadata/rhel6/V-38567.rst delete mode 100644 doc/metadata/rhel6/V-38568.rst delete mode 100644 doc/metadata/rhel6/V-38569.rst delete mode 100644 doc/metadata/rhel6/V-38570.rst delete mode 100644 doc/metadata/rhel6/V-38571.rst delete mode 100644 doc/metadata/rhel6/V-38572.rst delete mode 100644 doc/metadata/rhel6/V-38573.rst delete mode 100644 doc/metadata/rhel6/V-38574.rst delete mode 100644 doc/metadata/rhel6/V-38575.rst delete mode 100644 doc/metadata/rhel6/V-38576.rst delete mode 100644 doc/metadata/rhel6/V-38577.rst delete mode 100644 doc/metadata/rhel6/V-38578.rst delete mode 100644 doc/metadata/rhel6/V-38579.rst delete mode 100644 
doc/metadata/rhel6/V-38580.rst delete mode 100644 doc/metadata/rhel6/V-38581.rst delete mode 100644 doc/metadata/rhel6/V-38582.rst delete mode 100644 doc/metadata/rhel6/V-38583.rst delete mode 100644 doc/metadata/rhel6/V-38584.rst delete mode 100644 doc/metadata/rhel6/V-38585.rst delete mode 100644 doc/metadata/rhel6/V-38586.rst delete mode 100644 doc/metadata/rhel6/V-38587.rst delete mode 100644 doc/metadata/rhel6/V-38588.rst delete mode 100644 doc/metadata/rhel6/V-38589.rst delete mode 100644 doc/metadata/rhel6/V-38590.rst delete mode 100644 doc/metadata/rhel6/V-38591.rst delete mode 100644 doc/metadata/rhel6/V-38592.rst delete mode 100644 doc/metadata/rhel6/V-38593.rst delete mode 100644 doc/metadata/rhel6/V-38594.rst delete mode 100644 doc/metadata/rhel6/V-38595.rst delete mode 100644 doc/metadata/rhel6/V-38596.rst delete mode 100644 doc/metadata/rhel6/V-38597.rst delete mode 100644 doc/metadata/rhel6/V-38598.rst delete mode 100644 doc/metadata/rhel6/V-38599.rst delete mode 100644 doc/metadata/rhel6/V-38600.rst delete mode 100644 doc/metadata/rhel6/V-38601.rst delete mode 100644 doc/metadata/rhel6/V-38602.rst delete mode 100644 doc/metadata/rhel6/V-38603.rst delete mode 100644 doc/metadata/rhel6/V-38604.rst delete mode 100644 doc/metadata/rhel6/V-38605.rst delete mode 100644 doc/metadata/rhel6/V-38606.rst delete mode 100644 doc/metadata/rhel6/V-38607.rst delete mode 100644 doc/metadata/rhel6/V-38608.rst delete mode 100644 doc/metadata/rhel6/V-38609.rst delete mode 100644 doc/metadata/rhel6/V-38610.rst delete mode 100644 doc/metadata/rhel6/V-38611.rst delete mode 100644 doc/metadata/rhel6/V-38612.rst delete mode 100644 doc/metadata/rhel6/V-38613.rst delete mode 100644 doc/metadata/rhel6/V-38614.rst delete mode 100644 doc/metadata/rhel6/V-38615.rst delete mode 100644 doc/metadata/rhel6/V-38616.rst delete mode 100644 doc/metadata/rhel6/V-38617.rst delete mode 100644 doc/metadata/rhel6/V-38618.rst delete mode 100644 doc/metadata/rhel6/V-38619.rst delete mode 100644 
doc/metadata/rhel6/V-38620.rst delete mode 100644 doc/metadata/rhel6/V-38621.rst delete mode 100644 doc/metadata/rhel6/V-38622.rst delete mode 100644 doc/metadata/rhel6/V-38623.rst delete mode 100644 doc/metadata/rhel6/V-38624.rst delete mode 100644 doc/metadata/rhel6/V-38625.rst delete mode 100644 doc/metadata/rhel6/V-38626.rst delete mode 100644 doc/metadata/rhel6/V-38627.rst delete mode 100644 doc/metadata/rhel6/V-38628.rst delete mode 100644 doc/metadata/rhel6/V-38629.rst delete mode 100644 doc/metadata/rhel6/V-38630.rst delete mode 100644 doc/metadata/rhel6/V-38631.rst delete mode 100644 doc/metadata/rhel6/V-38632.rst delete mode 100644 doc/metadata/rhel6/V-38633.rst delete mode 100644 doc/metadata/rhel6/V-38634.rst delete mode 100644 doc/metadata/rhel6/V-38635.rst delete mode 100644 doc/metadata/rhel6/V-38636.rst delete mode 100644 doc/metadata/rhel6/V-38637.rst delete mode 100644 doc/metadata/rhel6/V-38638.rst delete mode 100644 doc/metadata/rhel6/V-38639.rst delete mode 100644 doc/metadata/rhel6/V-38640.rst delete mode 100644 doc/metadata/rhel6/V-38641.rst delete mode 100644 doc/metadata/rhel6/V-38642.rst delete mode 100644 doc/metadata/rhel6/V-38643.rst delete mode 100644 doc/metadata/rhel6/V-38644.rst delete mode 100644 doc/metadata/rhel6/V-38645.rst delete mode 100644 doc/metadata/rhel6/V-38646.rst delete mode 100644 doc/metadata/rhel6/V-38647.rst delete mode 100644 doc/metadata/rhel6/V-38648.rst delete mode 100644 doc/metadata/rhel6/V-38649.rst delete mode 100644 doc/metadata/rhel6/V-38650.rst delete mode 100644 doc/metadata/rhel6/V-38651.rst delete mode 100644 doc/metadata/rhel6/V-38652.rst delete mode 100644 doc/metadata/rhel6/V-38653.rst delete mode 100644 doc/metadata/rhel6/V-38654.rst delete mode 100644 doc/metadata/rhel6/V-38655.rst delete mode 100644 doc/metadata/rhel6/V-38656.rst delete mode 100644 doc/metadata/rhel6/V-38657.rst delete mode 100644 doc/metadata/rhel6/V-38658.rst delete mode 100644 doc/metadata/rhel6/V-38659.rst delete mode 100644 
doc/metadata/rhel6/V-38660.rst delete mode 100644 doc/metadata/rhel6/V-38661.rst delete mode 100644 doc/metadata/rhel6/V-38662.rst delete mode 100644 doc/metadata/rhel6/V-38663.rst delete mode 100644 doc/metadata/rhel6/V-38664.rst delete mode 100644 doc/metadata/rhel6/V-38665.rst delete mode 100644 doc/metadata/rhel6/V-38666.rst delete mode 100644 doc/metadata/rhel6/V-38667.rst delete mode 100644 doc/metadata/rhel6/V-38668.rst delete mode 100644 doc/metadata/rhel6/V-38669.rst delete mode 100644 doc/metadata/rhel6/V-38670.rst delete mode 100644 doc/metadata/rhel6/V-38671.rst delete mode 100644 doc/metadata/rhel6/V-38672.rst delete mode 100644 doc/metadata/rhel6/V-38673.rst delete mode 100644 doc/metadata/rhel6/V-38674.rst delete mode 100644 doc/metadata/rhel6/V-38675.rst delete mode 100644 doc/metadata/rhel6/V-38676.rst delete mode 100644 doc/metadata/rhel6/V-38677.rst delete mode 100644 doc/metadata/rhel6/V-38678.rst delete mode 100644 doc/metadata/rhel6/V-38679.rst delete mode 100644 doc/metadata/rhel6/V-38680.rst delete mode 100644 doc/metadata/rhel6/V-38681.rst delete mode 100644 doc/metadata/rhel6/V-38682.rst delete mode 100644 doc/metadata/rhel6/V-38683.rst delete mode 100644 doc/metadata/rhel6/V-38684.rst delete mode 100644 doc/metadata/rhel6/V-38685.rst delete mode 100644 doc/metadata/rhel6/V-38686.rst delete mode 100644 doc/metadata/rhel6/V-38687.rst delete mode 100644 doc/metadata/rhel6/V-38688.rst delete mode 100644 doc/metadata/rhel6/V-38689.rst delete mode 100644 doc/metadata/rhel6/V-38690.rst delete mode 100644 doc/metadata/rhel6/V-38691.rst delete mode 100644 doc/metadata/rhel6/V-38692.rst delete mode 100644 doc/metadata/rhel6/V-38693.rst delete mode 100644 doc/metadata/rhel6/V-38694.rst delete mode 100644 doc/metadata/rhel6/V-38695.rst delete mode 100644 doc/metadata/rhel6/V-38696.rst delete mode 100644 doc/metadata/rhel6/V-38697.rst delete mode 100644 doc/metadata/rhel6/V-38698.rst delete mode 100644 doc/metadata/rhel6/V-38699.rst delete mode 100644 
doc/metadata/rhel6/V-38700.rst delete mode 100644 doc/metadata/rhel6/V-38701.rst delete mode 100644 doc/metadata/rhel6/V-38702.rst delete mode 100644 doc/metadata/rhel6/V-43150.rst delete mode 100644 doc/metadata/rhel6/V-51337.rst delete mode 100644 doc/metadata/rhel6/V-51363.rst delete mode 100644 doc/metadata/rhel6/V-51369.rst delete mode 100644 doc/metadata/rhel6/V-51379.rst delete mode 100644 doc/metadata/rhel6/V-51391.rst delete mode 100644 doc/metadata/rhel6/V-51875.rst delete mode 100644 doc/metadata/rhel6/V-54381.rst delete mode 100644 doc/metadata/rhel6/V-57569.rst delete mode 100644 doc/metadata/rhel6/V-58901.rst delete mode 100644 doc/metadata/rhel7/V-71849.rst delete mode 100644 doc/metadata/rhel7/V-71855.rst delete mode 100644 doc/metadata/rhel7/V-71859.rst delete mode 100644 doc/metadata/rhel7/V-71861.rst delete mode 100644 doc/metadata/rhel7/V-71863.rst delete mode 100644 doc/metadata/rhel7/V-71891.rst delete mode 100644 doc/metadata/rhel7/V-71893.rst delete mode 100644 doc/metadata/rhel7/V-71895.rst delete mode 100644 doc/metadata/rhel7/V-71897.rst delete mode 100644 doc/metadata/rhel7/V-71899.rst delete mode 100644 doc/metadata/rhel7/V-71901.rst delete mode 100644 doc/metadata/rhel7/V-71903.rst delete mode 100644 doc/metadata/rhel7/V-71905.rst delete mode 100644 doc/metadata/rhel7/V-71907.rst delete mode 100644 doc/metadata/rhel7/V-71909.rst delete mode 100644 doc/metadata/rhel7/V-71911.rst delete mode 100644 doc/metadata/rhel7/V-71913.rst delete mode 100644 doc/metadata/rhel7/V-71915.rst delete mode 100644 doc/metadata/rhel7/V-71917.rst delete mode 100644 doc/metadata/rhel7/V-71919.rst delete mode 100644 doc/metadata/rhel7/V-71921.rst delete mode 100644 doc/metadata/rhel7/V-71923.rst delete mode 100644 doc/metadata/rhel7/V-71925.rst delete mode 100644 doc/metadata/rhel7/V-71927.rst delete mode 100644 doc/metadata/rhel7/V-71929.rst delete mode 100644 doc/metadata/rhel7/V-71931.rst delete mode 100644 doc/metadata/rhel7/V-71933.rst delete mode 100644 
doc/metadata/rhel7/V-71935.rst delete mode 100644 doc/metadata/rhel7/V-71937.rst delete mode 100644 doc/metadata/rhel7/V-71939.rst delete mode 100644 doc/metadata/rhel7/V-71941.rst delete mode 100644 doc/metadata/rhel7/V-71943.rst delete mode 100644 doc/metadata/rhel7/V-71945.rst delete mode 100644 doc/metadata/rhel7/V-71947.rst delete mode 100644 doc/metadata/rhel7/V-71949.rst delete mode 100644 doc/metadata/rhel7/V-71951.rst delete mode 100644 doc/metadata/rhel7/V-71953.rst delete mode 100644 doc/metadata/rhel7/V-71955.rst delete mode 100644 doc/metadata/rhel7/V-71957.rst delete mode 100644 doc/metadata/rhel7/V-71959.rst delete mode 100644 doc/metadata/rhel7/V-71961.rst delete mode 100644 doc/metadata/rhel7/V-71963.rst delete mode 100644 doc/metadata/rhel7/V-71965.rst delete mode 100644 doc/metadata/rhel7/V-71967.rst delete mode 100644 doc/metadata/rhel7/V-71969.rst delete mode 100644 doc/metadata/rhel7/V-71971.rst delete mode 100644 doc/metadata/rhel7/V-71973.rst delete mode 100644 doc/metadata/rhel7/V-71975.rst delete mode 100644 doc/metadata/rhel7/V-71977.rst delete mode 100644 doc/metadata/rhel7/V-71979.rst delete mode 100644 doc/metadata/rhel7/V-71981.rst delete mode 100644 doc/metadata/rhel7/V-71983.rst delete mode 100644 doc/metadata/rhel7/V-71985.rst delete mode 100644 doc/metadata/rhel7/V-71987.rst delete mode 100644 doc/metadata/rhel7/V-71989.rst delete mode 100644 doc/metadata/rhel7/V-71991.rst delete mode 100644 doc/metadata/rhel7/V-71993.rst delete mode 100644 doc/metadata/rhel7/V-71995.rst delete mode 100644 doc/metadata/rhel7/V-71997.rst delete mode 100644 doc/metadata/rhel7/V-71999.rst delete mode 100644 doc/metadata/rhel7/V-72001.rst delete mode 100644 doc/metadata/rhel7/V-72003.rst delete mode 100644 doc/metadata/rhel7/V-72005.rst delete mode 100644 doc/metadata/rhel7/V-72007.rst delete mode 100644 doc/metadata/rhel7/V-72009.rst delete mode 100644 doc/metadata/rhel7/V-72011.rst delete mode 100644 doc/metadata/rhel7/V-72013.rst delete mode 100644 
doc/metadata/rhel7/V-72015.rst delete mode 100644 doc/metadata/rhel7/V-72017.rst delete mode 100644 doc/metadata/rhel7/V-72019.rst delete mode 100644 doc/metadata/rhel7/V-72021.rst delete mode 100644 doc/metadata/rhel7/V-72023.rst delete mode 100644 doc/metadata/rhel7/V-72025.rst delete mode 100644 doc/metadata/rhel7/V-72027.rst delete mode 100644 doc/metadata/rhel7/V-72029.rst delete mode 100644 doc/metadata/rhel7/V-72031.rst delete mode 100644 doc/metadata/rhel7/V-72033.rst delete mode 100644 doc/metadata/rhel7/V-72035.rst delete mode 100644 doc/metadata/rhel7/V-72037.rst delete mode 100644 doc/metadata/rhel7/V-72039.rst delete mode 100644 doc/metadata/rhel7/V-72041.rst delete mode 100644 doc/metadata/rhel7/V-72043.rst delete mode 100644 doc/metadata/rhel7/V-72045.rst delete mode 100644 doc/metadata/rhel7/V-72047.rst delete mode 100644 doc/metadata/rhel7/V-72049.rst delete mode 100644 doc/metadata/rhel7/V-72051.rst delete mode 100644 doc/metadata/rhel7/V-72053.rst delete mode 100644 doc/metadata/rhel7/V-72055.rst delete mode 100644 doc/metadata/rhel7/V-72057.rst delete mode 100644 doc/metadata/rhel7/V-72059.rst delete mode 100644 doc/metadata/rhel7/V-72061.rst delete mode 100644 doc/metadata/rhel7/V-72063.rst delete mode 100644 doc/metadata/rhel7/V-72065.rst delete mode 100644 doc/metadata/rhel7/V-72067.rst delete mode 100644 doc/metadata/rhel7/V-72069.rst delete mode 100644 doc/metadata/rhel7/V-72071.rst delete mode 100644 doc/metadata/rhel7/V-72073.rst delete mode 100644 doc/metadata/rhel7/V-72075.rst delete mode 100644 doc/metadata/rhel7/V-72077.rst delete mode 100644 doc/metadata/rhel7/V-72079.rst delete mode 100644 doc/metadata/rhel7/V-72081.rst delete mode 100644 doc/metadata/rhel7/V-72083.rst delete mode 100644 doc/metadata/rhel7/V-72085.rst delete mode 100644 doc/metadata/rhel7/V-72087.rst delete mode 100644 doc/metadata/rhel7/V-72089.rst delete mode 100644 doc/metadata/rhel7/V-72091.rst delete mode 100644 doc/metadata/rhel7/V-72093.rst delete mode 100644 
doc/metadata/rhel7/V-72095.rst delete mode 100644 doc/metadata/rhel7/V-72097.rst delete mode 100644 doc/metadata/rhel7/V-72099.rst delete mode 100644 doc/metadata/rhel7/V-72101.rst delete mode 100644 doc/metadata/rhel7/V-72103.rst delete mode 100644 doc/metadata/rhel7/V-72105.rst delete mode 100644 doc/metadata/rhel7/V-72107.rst delete mode 100644 doc/metadata/rhel7/V-72109.rst delete mode 100644 doc/metadata/rhel7/V-72111.rst delete mode 100644 doc/metadata/rhel7/V-72113.rst delete mode 100644 doc/metadata/rhel7/V-72115.rst delete mode 100644 doc/metadata/rhel7/V-72117.rst delete mode 100644 doc/metadata/rhel7/V-72119.rst delete mode 100644 doc/metadata/rhel7/V-72121.rst delete mode 100644 doc/metadata/rhel7/V-72123.rst delete mode 100644 doc/metadata/rhel7/V-72125.rst delete mode 100644 doc/metadata/rhel7/V-72127.rst delete mode 100644 doc/metadata/rhel7/V-72129.rst delete mode 100644 doc/metadata/rhel7/V-72131.rst delete mode 100644 doc/metadata/rhel7/V-72133.rst delete mode 100644 doc/metadata/rhel7/V-72135.rst delete mode 100644 doc/metadata/rhel7/V-72137.rst delete mode 100644 doc/metadata/rhel7/V-72139.rst delete mode 100644 doc/metadata/rhel7/V-72141.rst delete mode 100644 doc/metadata/rhel7/V-72143.rst delete mode 100644 doc/metadata/rhel7/V-72145.rst delete mode 100644 doc/metadata/rhel7/V-72147.rst delete mode 100644 doc/metadata/rhel7/V-72149.rst delete mode 100644 doc/metadata/rhel7/V-72151.rst delete mode 100644 doc/metadata/rhel7/V-72153.rst delete mode 100644 doc/metadata/rhel7/V-72155.rst delete mode 100644 doc/metadata/rhel7/V-72157.rst delete mode 100644 doc/metadata/rhel7/V-72159.rst delete mode 100644 doc/metadata/rhel7/V-72161.rst delete mode 100644 doc/metadata/rhel7/V-72163.rst delete mode 100644 doc/metadata/rhel7/V-72165.rst delete mode 100644 doc/metadata/rhel7/V-72167.rst delete mode 100644 doc/metadata/rhel7/V-72169.rst delete mode 100644 doc/metadata/rhel7/V-72171.rst delete mode 100644 doc/metadata/rhel7/V-72173.rst delete mode 100644 
doc/metadata/rhel7/V-72175.rst delete mode 100644 doc/metadata/rhel7/V-72177.rst delete mode 100644 doc/metadata/rhel7/V-72179.rst delete mode 100644 doc/metadata/rhel7/V-72181.rst delete mode 100644 doc/metadata/rhel7/V-72183.rst delete mode 100644 doc/metadata/rhel7/V-72185.rst delete mode 100644 doc/metadata/rhel7/V-72187.rst delete mode 100644 doc/metadata/rhel7/V-72189.rst delete mode 100644 doc/metadata/rhel7/V-72191.rst delete mode 100644 doc/metadata/rhel7/V-72193.rst delete mode 100644 doc/metadata/rhel7/V-72195.rst delete mode 100644 doc/metadata/rhel7/V-72197.rst delete mode 100644 doc/metadata/rhel7/V-72199.rst delete mode 100644 doc/metadata/rhel7/V-72201.rst delete mode 100644 doc/metadata/rhel7/V-72203.rst delete mode 100644 doc/metadata/rhel7/V-72205.rst delete mode 100644 doc/metadata/rhel7/V-72207.rst delete mode 100644 doc/metadata/rhel7/V-72209.rst delete mode 100644 doc/metadata/rhel7/V-72211.rst delete mode 100644 doc/metadata/rhel7/V-72213.rst delete mode 100644 doc/metadata/rhel7/V-72215.rst delete mode 100644 doc/metadata/rhel7/V-72217.rst delete mode 100644 doc/metadata/rhel7/V-72219.rst delete mode 100644 doc/metadata/rhel7/V-72221.rst delete mode 100644 doc/metadata/rhel7/V-72223.rst delete mode 100644 doc/metadata/rhel7/V-72225.rst delete mode 100644 doc/metadata/rhel7/V-72227.rst delete mode 100644 doc/metadata/rhel7/V-72229.rst delete mode 100644 doc/metadata/rhel7/V-72231.rst delete mode 100644 doc/metadata/rhel7/V-72233.rst delete mode 100644 doc/metadata/rhel7/V-72235.rst delete mode 100644 doc/metadata/rhel7/V-72237.rst delete mode 100644 doc/metadata/rhel7/V-72239.rst delete mode 100644 doc/metadata/rhel7/V-72241.rst delete mode 100644 doc/metadata/rhel7/V-72243.rst delete mode 100644 doc/metadata/rhel7/V-72245.rst delete mode 100644 doc/metadata/rhel7/V-72247.rst delete mode 100644 doc/metadata/rhel7/V-72249.rst delete mode 100644 doc/metadata/rhel7/V-72251.rst delete mode 100644 doc/metadata/rhel7/V-72253.rst delete mode 100644 
doc/metadata/rhel7/V-72255.rst delete mode 100644 doc/metadata/rhel7/V-72257.rst delete mode 100644 doc/metadata/rhel7/V-72259.rst delete mode 100644 doc/metadata/rhel7/V-72261.rst delete mode 100644 doc/metadata/rhel7/V-72263.rst delete mode 100644 doc/metadata/rhel7/V-72265.rst delete mode 100644 doc/metadata/rhel7/V-72267.rst delete mode 100644 doc/metadata/rhel7/V-72269.rst delete mode 100644 doc/metadata/rhel7/V-72271.rst delete mode 100644 doc/metadata/rhel7/V-72273.rst delete mode 100644 doc/metadata/rhel7/V-72275.rst delete mode 100644 doc/metadata/rhel7/V-72277.rst delete mode 100644 doc/metadata/rhel7/V-72279.rst delete mode 100644 doc/metadata/rhel7/V-72281.rst delete mode 100644 doc/metadata/rhel7/V-72283.rst delete mode 100644 doc/metadata/rhel7/V-72285.rst delete mode 100644 doc/metadata/rhel7/V-72287.rst delete mode 100644 doc/metadata/rhel7/V-72289.rst delete mode 100644 doc/metadata/rhel7/V-72291.rst delete mode 100644 doc/metadata/rhel7/V-72293.rst delete mode 100644 doc/metadata/rhel7/V-72295.rst delete mode 100644 doc/metadata/rhel7/V-72297.rst delete mode 100644 doc/metadata/rhel7/V-72299.rst delete mode 100644 doc/metadata/rhel7/V-72301.rst delete mode 100644 doc/metadata/rhel7/V-72303.rst delete mode 100644 doc/metadata/rhel7/V-72305.rst delete mode 100644 doc/metadata/rhel7/V-72307.rst delete mode 100644 doc/metadata/rhel7/V-72309.rst delete mode 100644 doc/metadata/rhel7/V-72311.rst delete mode 100644 doc/metadata/rhel7/V-72313.rst delete mode 100644 doc/metadata/rhel7/V-72315.rst delete mode 100644 doc/metadata/rhel7/V-72317.rst delete mode 100644 doc/metadata/rhel7/V-72319.rst delete mode 100644 doc/metadata/rhel7/V-72417.rst delete mode 100644 doc/metadata/rhel7/V-72427.rst delete mode 100644 doc/metadata/rhel7/V-72433.rst delete mode 100644 doc/metadata/rhel7/V-72435.rst delete mode 100644 doc/metadata/rhel7/V-73155.rst delete mode 100644 doc/metadata/rhel7/V-73157.rst delete mode 100644 doc/metadata/rhel7/V-73159.rst delete mode 100644 
doc/metadata/rhel7/V-73161.rst delete mode 100644 doc/metadata/rhel7/V-73163.rst delete mode 100644 doc/metadata/rhel7/V-73165.rst delete mode 100644 doc/metadata/rhel7/V-73167.rst delete mode 100644 doc/metadata/rhel7/V-73171.rst delete mode 100644 doc/metadata/rhel7/V-73173.rst delete mode 100644 doc/metadata/rhel7/V-73175.rst delete mode 100644 doc/metadata/rhel7/V-73177.rst delete mode 100755 doc/metadata/stig_to_rst.py delete mode 100644 doc/metadata/template_all.j2 delete mode 100644 doc/metadata/template_all_rhel7.j2 delete mode 100644 doc/metadata/template_doc.j2 delete mode 100644 doc/metadata/template_doc_rhel7.j2 delete mode 100644 doc/metadata/template_toc.j2 delete mode 100644 doc/metadata/template_toc_rhel7.j2 delete mode 100644 doc/source/_exts/metadata-docs-rhel7.py delete mode 100644 doc/source/_exts/metadata-docs.py delete mode 100644 doc/source/_static/.gitkeep delete mode 100644 doc/source/_themes/openstack/layout.html delete mode 100644 doc/source/_themes/openstack/static/basic.css delete mode 100644 doc/source/_themes/openstack/static/default.css delete mode 100644 doc/source/_themes/openstack/static/header-line.gif delete mode 100644 doc/source/_themes/openstack/static/header_bg.jpg delete mode 100644 doc/source/_themes/openstack/static/nature.css delete mode 100644 doc/source/_themes/openstack/static/openstack_logo.png delete mode 100644 doc/source/_themes/openstack/static/tweaks.css delete mode 100644 doc/source/_themes/openstack/theme.conf delete mode 100644 doc/source/conf.py delete mode 100644 doc/source/controls-rhel7.rst delete mode 100644 doc/source/controls.rst delete mode 100644 doc/source/developer-guide.rst delete mode 100644 doc/source/faq.rst delete mode 100644 doc/source/getting-started.rst delete mode 100644 doc/source/index.rst delete mode 100644 doc/source/special-notes.rst delete mode 100644 files/20auto-upgrades delete mode 100644 files/V-38682-modprobe.conf delete mode 100644 files/dconf-profile-gdm delete mode 100644 
files/dconf-user-profile delete mode 100644 files/login_banner.txt delete mode 100644 handlers/main.yml delete mode 100755 library/get_users delete mode 100644 manual-test.rc delete mode 100644 meta/main.yml delete mode 100644 releasenotes/notes/.placeholder delete mode 100644 releasenotes/notes/add-v38438-3f7e905892be4b4f.yaml delete mode 100644 releasenotes/notes/adding-v38526-381a407caa566b14.yaml delete mode 100644 releasenotes/notes/adding-v38548-9c51b30bf9780ff3.yaml delete mode 100644 releasenotes/notes/aide-exclude-run-4d3c97a2d08eb373.yaml delete mode 100644 releasenotes/notes/aide-initialization-fix-16ab0223747d7719.yaml delete mode 100644 releasenotes/notes/auditing-mac-policy-changes-fb83e0260a6431ed.yaml delete mode 100644 releasenotes/notes/augenrules-restart-39fe3e1e2de3eaba.yaml delete mode 100644 releasenotes/notes/chrony-config-variable-7a1a7862c05c9675.yaml delete mode 100644 releasenotes/notes/configurable-martian-logging-370ede40b036db0b.yaml delete mode 100644 releasenotes/notes/customizable-login-banner-string-d8d5ae874e8e49f3.yaml delete mode 100644 releasenotes/notes/dictionary-variables-removed-957c7b7b2108ba1f.yaml delete mode 100644 releasenotes/notes/disable-failed-access-audit-logging-789dc01c8bcbef17.yaml delete mode 100644 releasenotes/notes/disable-graphical-interface-5db89cd1bef7e12d.yaml delete mode 100644 releasenotes/notes/disable-netconsole-service-915bb33449b4012c.yaml delete mode 100644 releasenotes/notes/disable-rpm-perms-fix-by-default-b164e39717f0ada7.yaml delete mode 100644 releasenotes/notes/disabling-rdisc-centos-75115b3509941bfa.yaml delete mode 100644 releasenotes/notes/enable-lsm-bae903e463079a3f.yaml delete mode 100644 releasenotes/notes/enable-tcp-syncookes-boolean-4a884a66a3a0e4d7.yaml delete mode 100644 releasenotes/notes/fix-audit-log-permission-bug-81a772e2e6d0a5b3.yaml delete mode 100644 releasenotes/notes/fix-check-mode-with-tags-bf798856a27c53eb.yaml delete mode 100644 
releasenotes/notes/handling-sshd-match-stanzas-fa40b97689004e46.yaml delete mode 100644 releasenotes/notes/implemented-v38524-b357edec95128307.yaml delete mode 100644 releasenotes/notes/improved-audit-rule-keys-9fa85f758386446c.yaml delete mode 100644 releasenotes/notes/ntp-bind-local-interfaces-only-05f03de632e81097.yaml delete mode 100644 releasenotes/notes/package-state-6684c5634bdf127a.yaml delete mode 100644 releasenotes/notes/package-state-present-951161faa5384abd.yaml delete mode 100644 releasenotes/notes/reduce-auditd-logging-633677a74aee5481.yaml delete mode 100644 releasenotes/notes/rhel-gpg-check-0b483a824314d1b3.yaml delete mode 100644 releasenotes/notes/rhel7-stig-default-f6c7c97498a8b2e7.yaml delete mode 100644 releasenotes/notes/search-for-unlabeled-devices-cb047c5f767e93ce.yaml delete mode 100644 releasenotes/notes/shosts-file-search-opt-in-887f600a79eef07e.yaml delete mode 100644 releasenotes/notes/stig-rhel7-version-1-renumbering-fiesta-aa047fea3ea35e74.yaml delete mode 100644 releasenotes/notes/support-for-centos-xenial-2b89c318cc3df4b0.yaml delete mode 100644 releasenotes/notes/unique-variable-migration-c0639030b495438f.yaml delete mode 100644 releasenotes/source/_static/.placeholder delete mode 100644 releasenotes/source/_templates/.placeholder delete mode 100644 releasenotes/source/conf.py delete mode 100644 releasenotes/source/index.rst delete mode 100644 releasenotes/source/liberty.rst delete mode 100644 releasenotes/source/mitaka.rst delete mode 100644 releasenotes/source/newton.rst delete mode 100644 releasenotes/source/ocata.rst delete mode 100644 releasenotes/source/unreleased.rst delete mode 100755 run_tests.sh delete mode 100644 setup.cfg delete mode 100644 setup.py delete mode 100644 tasks/main.yml delete mode 100644 tasks/rhel6stig/aide.yml delete mode 100644 tasks/rhel6stig/apt.yml delete mode 100644 tasks/rhel6stig/auditd.yml delete mode 100644 tasks/rhel6stig/auth.yml delete mode 100644 tasks/rhel6stig/boot.yml delete mode 100644 
tasks/rhel6stig/console.yml delete mode 100644 tasks/rhel6stig/file_perms.yml delete mode 100644 tasks/rhel6stig/kernel.yml delete mode 100644 tasks/rhel6stig/lsm.yml delete mode 100644 tasks/rhel6stig/mail.yml delete mode 100644 tasks/rhel6stig/main.yml delete mode 100644 tasks/rhel6stig/misc.yml delete mode 100644 tasks/rhel6stig/nfsd.yml delete mode 100644 tasks/rhel6stig/rpm.yml delete mode 100644 tasks/rhel6stig/services.yml delete mode 100644 tasks/rhel6stig/sshd.yml delete mode 100644 tasks/rhel7stig/accounts.yml delete mode 100644 tasks/rhel7stig/aide.yml delete mode 100644 tasks/rhel7stig/apt.yml delete mode 100644 tasks/rhel7stig/auditd.yml delete mode 100644 tasks/rhel7stig/auth.yml delete mode 100644 tasks/rhel7stig/file_perms.yml delete mode 100644 tasks/rhel7stig/graphical.yml delete mode 100644 tasks/rhel7stig/kernel.yml delete mode 100644 tasks/rhel7stig/lsm.yml delete mode 100644 tasks/rhel7stig/main.yml delete mode 100644 tasks/rhel7stig/misc.yml delete mode 100644 tasks/rhel7stig/packages.yml delete mode 100644 tasks/rhel7stig/rpm.yml delete mode 100644 tasks/rhel7stig/sshd.yml delete mode 100644 templates/ZZ_aide_exclusions.j2 delete mode 100644 templates/chrony.conf.j2 delete mode 100644 templates/dconf-gdm-banner-message.j2 delete mode 100644 templates/dconf-screensaver-lock.j2 delete mode 100644 templates/dconf-session-user-config-lockout.j2 delete mode 100644 templates/jail.local.j2 delete mode 100644 templates/osas-auditd-rhel7.j2 delete mode 100644 templates/osas-auditd.j2 delete mode 100644 templates/pam_faillock.j2 delete mode 100644 templates/pwquality.conf.j2 delete mode 100644 templates/sshd_config_block.j2 delete mode 100644 test-requirements.txt delete mode 100644 tests/inventory delete mode 100644 tests/test.yml delete mode 100755 tests/tests-repo-clone.sh delete mode 100644 tests/vagrant.yml delete mode 100644 tox.ini delete mode 100644 vars/debian.yml delete mode 100644 vars/main.yml delete mode 100644 vars/redhat.yml 
diff --git a/LICENSE b/LICENSE
deleted file mode 100644
index 8f71f43f..00000000
--- a/LICENSE
+++ /dev/null
@@ -1,202 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright {yyyy} {name of copyright owner} - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - diff --git a/README.md b/README.md index 1288192e..e12198bc 100644 --- a/README.md +++ b/README.md 
@@ -1,92 +1,13 @@
-openstack-ansible-security
-==========================
+This project is no longer maintained.
-**DEPRECATION NOTICE:** The openstack-ansible-security role is deprecated and
-will be retired soon. Consumers of this role should use the
-[ansible-hardening](https://github.com/openstack/ansible-hardening) role
-instead.
+The contents of this repository are still available in the Git
+source code management system. To see the contents of this
+repository before it reached its end of life, please check out the
+previous commit with "git checkout HEAD^1".
-Overview
--------
+This project has been replaced by
+[ansible-hardening](https://docs.openstack.org/ansible-hardening/latest/).
-The openstack-ansible security role applies security hardening configurations
-from the [Security Technical Implementation Guide(STIG)](http://iase.disa.mil/stigs/Pages/index.aspx)
-to systems running Ubuntu 14.04, Ubuntu 16.04, CentOS 7, and Red Hat
-Enterprise Linux 7.
-
-The role is part of the
-[OpenStack-Ansible project](https://git.openstack.org/cgit/openstack/openstack-ansible),
-which deploys enterprise-grade OpenStack clouds using Ansible. However, the
-role can easily be used outside of an OpenStack environment to secure hosts,
-virtual machines, and containers.
-
-For more details, review the
-[openstack-ansible-security documentation](http://docs.openstack.org/developer/openstack-ansible-security/).
-
-Requirements
------------
-
-This role can be used with or without the OpenStack-Ansible role. It requires
-Ansible 2.3 or later.
-
-Role Variables
--------------
-
-All of the variables for this role are in `defaults/main.yml`.
-
-Dependencies
------------
-
-This role has no dependencies.
-
-Example Playbook
----------------
-
-Using the role is fairly straightforward:
-
- - hosts: servers
- roles:
- - openstack-ansible-security
-
-Running with Vagrant
-------------------
-
-This role can be tested easily on multiple platforms using Vagrant.
-
-The `Vagrantfile` supports testing on:
- * Ubuntu 14.04
- * Ubuntu 16.04
- * CentOS 7
-
-To test on all platforms:
-
-```shell
-vagrant destroy --force && vagrant up
-```
-
-To test on Ubuntu 14.04 only:
-
-```shell
-vagrant destroy ubuntu1404 --force && vagrant up ubuntu1404
-```
-
-To test on Ubuntu 16.04 only:
-```shell
-vagrant destroy ubuntu1604 --force && vagrant up ubuntu1604
-```
-
-To test on CentOS 7 only:
-
-```shell
-vagrant destroy centos7 --force && vagrant up centos7
-```
-
-License
-------
-
-Apache 2.0
-
-Author Information
-----------------
-
-For more information, join `#openstack-ansible` on Freenode.
+For any further questions, please email
+openstack-dev@lists.openstack.org or join #openstack-ansible on
+Freenode.
diff --git a/README.rst b/README.rst
deleted file mode 100644
index bd12adfc..00000000
--- a/README.rst
+++ /dev/null
@@ -1,21 +0,0 @@
-========================
-Team and repository tags
-========================
-
-.. image:: http://governance.openstack.org/badges/openstack-ansible-security.svg
- :target: http://governance.openstack.org/reference/tags/index.html
-
-.. Change things from this point on
-
-Security hardening for OpenStack-Ansible
---------------------------------------
-
-**DEPRECATION NOTICE:** The openstack-ansible-security role is deprecated and
-will be retired soon. Consumers of this role should use the
-`ansible-hardening `_ role
-instead.
-
-Documentation for openstack-ansible-security is available in the `official
-OpenStack documentation site`_.
-
-.. _official OpenStack documentation site: http://docs.openstack.org/developer/openstack-ansible-security/
diff --git a/Vagrantfile b/Vagrantfile
deleted file mode 100644
index 09adb7ba..00000000
--- a/Vagrantfile
+++ /dev/null
@@ -1,51 +0,0 @@
-# Runs the role against Ubuntu 14.04, 16.04 and CentOS 7
-# for local testing purposes
-
-Vagrant.configure("2") do |config|
-
- config.vm.define "ubuntu1404" do |trusty|
- trusty.vm.box = "ubuntu/trusty64"
- trusty.vm.hostname = "sec-ansible-test-ubuntu1404"
-
- trusty.vm.provision "ansible" do |ansible|
- # ansible.verbose = "vvv"
- ansible.playbook = "tests/vagrant.yml"
- # we'll skip V-38496 because Vagrant itself creates the user that causes
- # this to fail
- ansible.skip_tags = ['V-38496']
- # we need to run as sudo for a lot of the checks ansible-security runs
- ansible.raw_arguments = ['-s']
- end
- end
-
- config.vm.define "ubuntu1604" do |trusty|
- trusty.vm.box = "ubuntu/xenial64"
- trusty.vm.hostname = "sec-ansible-test-ubuntu1604"
-
- trusty.vm.provision "ansible" do |ansible|
- # ansible.verbose = "vvv"
- ansible.playbook = "tests/vagrant.yml"
- # we'll skip V-38496 because Vagrant itself creates the user that causes
- # this to fail
- ansible.skip_tags = ['V-38496']
- # we need to run as sudo for a lot of the checks ansible-security runs
- ansible.raw_arguments = ['-s']
- end
- end
-
- config.vm.define "centos7" do |centos7|
- centos7.vm.box = "centos/7"
- centos7.vm.hostname = "sec-ansible-test-centos-7"
-
- centos7.vm.provision "ansible" do |ansible|
- # ansible.verbose = "vvv"
- ansible.playbook = "tests/vagrant.yml"
- # we'll skip V-38496 because Vagrant itself creates the user that causes
- # this to fail
- ansible.skip_tags = ['V-38496']
- # we need to run as sudo for a lot of the checks ansible-security runs
- ansible.raw_arguments = ['-s']
- end
- end
-end
-
diff --git a/bindep.txt b/bindep.txt
deleted file mode 100644
index 37657bcc..00000000
--- a/bindep.txt
+++ /dev/null
@@ -1,46 +0,0 @@
-# This file facilitates OpenStack-CI package installation
-# before the execution of any tests.
-#
-# See the following for details:
-# - http://docs.openstack.org/infra/bindep/
-# - https://git.openstack.org/cgit/openstack-infra/bindep
-#
-# Even if the role does not make use of this facility, it
-# is better to have this file empty, otherwise OpenStack-CI
-# will fall back to installing its default packages which
-# will potentially be detrimental to the tests executed.
-
-# Base requirements for Ubuntu
-build-essential [platform:dpkg]
-git-core [platform:dpkg]
-libssl-dev [platform:dpkg]
-libffi-dev [platform:dpkg]
-libxslt1-dev [platform:dpkg]
-python2.7 [platform:dpkg]
-python-dev [platform:dpkg]
-python-apt [platform:dpkg]
-
-# Base requirements for CentOS
-gcc [platform:rpm]
-gcc-c++ [platform:rpm]
-git [platform:rpm]
-libxslt-devel [platform:rpm]
-python-devel [platform:rpm]
-
-# Requirements for Paramiko 2.0
-libffi-devel [platform:rpm]
-openssl-devel [platform:rpm]
-
-# For SELinux
-libselinux-python [platform:rpm]
-
-# For SSL SNI support
-python-pyasn1 [platform:dpkg]
-python-openssl [platform:dpkg]
-python-ndg-httpsclient [platform:ubuntu !platform:ubuntu-trusty]
-python2-pyasn1 [platform:rpm]
-python2-pyOpenSSL [platform:rpm]
-python-ndg_httpsclient [platform:rpm]
-
-# Required for compressing collected log files in CI
-gzip
diff --git a/defaults/main.yml b/defaults/main.yml
deleted file mode 100644
index b68a2857..00000000
--- a/defaults/main.yml
+++ /dev/null
@@ -1,649 +0,0 @@
----
-# Copyright 2015, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-## STIG version selection
-# The RHEL 7 STIG content was first added in the Ocata release.
-# The RHEL 6 STIG content is deprecated in the Ocata release.
-# Valid options: rhel7, rhel6
-stig_version: rhel7
-
-## APT Cache Options
-# This variable is used across multiple OpenStack-Ansible roles to handle the
-# apt cache updates as efficiently as possible.
-cache_timeout: 600
-
-# Set the package install state for distribution packages
-# Options are 'present' and 'latest'
-security_package_state: present
-
-###############################################################################
-# ____ _ _ _____ _ __ ____ _____ ___ ____
-# | _ \| | | | ____| | / /_ / ___|_ _|_ _/ ___|
-# | |_) | |_| | _| | | | '_ \ \___ \ | | | | | _
-# | _ <| _ | |___| |___ | (_) | ___) || | | | |_| |
-# |_| \_\_| |_|_____|_____| \___/ |____/ |_| |___\____|
-#
-# The default configurations after this marker apply to the RHEL 6 STIG
-# content in the openstack-ansible-security role. Review the comments below
-# as well as the main openstack-ansible-security documentation:
-#
-# http://docs.openstack.org/developer/openstack-ansible-security/
-#
-###############################################################################
-
-## AIDE
-# The default Ubuntu configuration for AIDE will cause it to wander into some
-# terrible places on the system, such as /var/lib/lxc and images in /opt.
-# The following three default exclusions are highly recommended for AIDE to
-# work properly, but additional exclusions can be added to this list if needed.
-security_aide_exclude_dirs:
- - /openstack
- - /opt
- - /run
- - /var
-#
-# By default, the AIDE database won't be initialized immediately since it can
-# consume plenty of CPU and I/O resources while it runs. To initialize the
-# AIDE database immediately when the playbook finishes, set the following
-# variable to 'true':
-security_initialize_aide: false
-
-## Audit daemon
-# V-38438 requires that auditd is enabled at boot time with a parameter in the
-# GRUB configuration.
-#
-# If 'security_enable_audit_during_boot' is set to 'yes', then the 'audit=1'
-# parameter will be added in /etc/default/grub.d/.
-# If 'security_enable_grub_update is set to 'yes', the grub.cfg will be
-# updated automatically.
-security_enable_audit_during_boot: yes # V-38438
-security_enable_grub_update: yes # V-38438
-
-# The following booleans control the rule sets added to auditd's default
-# set of auditing rules. To see which rules will be added for each boolean,
-# refer to the templates/osas-auditd.j2 file.
-#
-# If the template changes due to booleans being adjusted, the new template
-# will be deployed onto the host and auditd will get the new rules loaded
-# automatically with augenrules.
-#
-security_audit_account_modification: yes # V-38531, V-38534, V-38538
-security_audit_change_localtime: yes # V-38530
-security_audit_change_system_time: yes # V-38635
-security_audit_clock_settime: yes # V-38527
-security_audit_clock_settimeofday: yes # V-38522
-security_audit_clock_stime: yes # V-38525
-security_audit_DAC_chmod: no # V-38543
-security_audit_DAC_chown: no # V-38545
-security_audit_DAC_lchown: no # V-38558
-security_audit_DAC_fchmod: no # V-38547
-security_audit_DAC_fchmodat: no # V-38550
-security_audit_DAC_fchown: no # V-38552
-security_audit_DAC_fchownat: no # V-38554
-security_audit_DAC_fremovexattr: no # V-38556
-security_audit_DAC_lremovexattr: no # V-38559
-security_audit_DAC_fsetxattr: no # V-38557
-security_audit_DAC_lsetxattr: no # V-38561
-security_audit_DAC_setxattr: no # V-38565
-security_audit_deletions: no # V-38575
-security_audit_failed_access: no # V-38566
-security_audit_filesystem_mounts: yes # V-38568
-security_audit_kernel_modules: yes # V-38580
-security_audit_mac_changes: yes # V-38541
-security_audit_network_changes: yes # V-38540
-security_audit_sudoers: yes # V-38578
-#
-# **DANGER**
-# Changing the options below can cause systems to go offline unexpectedly or
-# stop serving requests as a security precaution. Read the developer notes for
-# each STIG prior to adjusting the following variables.
-# **DANGER**
-#
-# Set an action to occur when there is a disk error. Review the
-# documentation for V-38464 before changing this option.
-security_disk_error_action: SYSLOG # V-38464
-#
-# Set an action to occur when the disk is full. Review the documentation for
-# V-38468 before changing this option.
-security_disk_full_action: SYSLOG # V-38468
-#
-# V-38678 - Set the amount of megabytes left when the space_left_action
-# triggers. The STIG guideline doesn't specify a size, but Ubuntu chooses a
-# default of 75MB, which is reasonable.
-security_space_left: 75 # V-38678
-#
-# Set an action to occur when the disk is approaching its capacity.
-# Review the documentation for V-38470 before changing this option.
-security_space_left_action: SYSLOG # V-38470
-#
-# Set the maximum size of a rotated log file. Ubuntu's default
-# matches the STIG requirement of 6MB.
-security_max_log_file: 6 # V 38633
-#
-# Sets the action to take when log files reach the maximum file size.
-# Review the documentation for V-38634 before changing this option.
-security_max_log_file_action: ROTATE # V-38634
-#
-# Set the number of rotated audit logs to keep. Ubuntu has 5 as the default
-# and this matches the STIG's requirements.
-security_num_logs: 5 # V-38636
-#
-# Set the email address of someone who can receive and respond to notifications
-# about low disk space for log volumes.
-security_action_mail_acct: root # V-38680
-#
-# **IMMINENT DANGER**
-# The STIG says that the system should switch to single user mode when the
-# storage capacity gets very low. This can cause serious service disruptions
-# and should only be set to 'single' for deployers in extremely high security
-# environments. Ubuntu's default is SUSPEND, which will suspend logging.
-# **IMMENENT DANGER**
-security_admin_space_left_action: SUSPEND # V-54381
-
-## Chrony (NTP) configuration
-# Install and enable chrony to sync time with NTP servers.
-security_enable_chrony: yes # V-38620
-# Adjust the following NTP servers if necessary.
-security_ntp_servers:
- - 0.north-america.pool.ntp.org
- - 1.north-america.pool.ntp.org
- - 2.north-america.pool.ntp.org
- - 3.north-america.pool.ntp.org
-# Chrony limits access to clients that are on certain subnets. Adjust the
-# following subnets here to limit client access to chrony servers.
-security_allowed_ntp_subnets:
- - 10/8
- - 192.168/16
- - 172.16/12
-# Listen for NTP requests only on local interfaces.
-security_ntp_bind_local_interfaces_only: yes
-
-## Core dumps
-# V-38675 requires disabling core dumps for all users unless absolutely
-# necessary. Set this variable to 'no' to skip this change.
-security_disable_core_dumps: yes # V-38675
-
-## Services
-# The STIG recommends ensuring that some services are running if no services
-# utilizing it are enabled. Setting a boolean to 'yes' here will ensure that
-# a service isn't actively running and will not be started after boot-up.
-# Setting a 'no' will ensure that this Ansible role does not alter the service
-# in any way from its current configuration.
-#
-security_disable_abrtd: yes # V-38641
-security_disable_atd: yes # V-38640
-security_disable_autofs: yes # V-38437
-security_disable_avahi: yes # V-31618
-security_disable_bluetooth: yes # V-38691
-security_disable_netconsole: yes # v-38672
-security_disable_qpidd: yes # V-38648
-security_disable_rdisc: yes # V-38650
-security_disable_rsh: yes # V-38594
-security_disable_ypbind: yes # V-38604
-security_disable_xinetd: yes # V-38582
-#
-# The STIG recommends ensuring that some services aren't installed at ANY time.
-# Those services are listed here. Setting a boolean here to 'yes' wiil
-# ensure that the STIG is followed and the service is removed. Setting a
-# boolean to 'no' means that the playbook will not alter the service.
-#
-security_remove_ldap_server: yes # V-38627
-security_remove_rsh_server: yes # V-38591
-security_remove_sendmail: yes # V-38671
-security_remove_telnet_server: yes # V-38587
-security_remove_tftp_server: yes # V-38606
-security_remove_xinetd: yes # V-38584
-security_remove_xorg: yes # v-38676
-security_remove_ypserv: yes # V-38603
-#
-# The STIG does not allow the system to run a graphical interface. Set this
-# variable to 'no' if you need a graphical interface on the server.
-security_disable_x_windows: yes # V-38674
-
-## SSH configuration
-# The following configuration items will adjust how the ssh daemon is
-# configured.
The recommendations from the RHEL 6 STIG are shown below, but
-# they can be adjusted to fit a particular environment.
-#
-# Set a 15 minute time out for SSH sessions if there is no activity
-security_ssh_client_alive_interval: 900 # V-38608
-#
-# Timeout ssh sessions as soon as ClientAliveInterval is reached once
-security_ssh_client_alive_count_max: 0 # V-38610
-#
-# The ssh daemon must not permit root logins. The default value of 'yes' is a
-# deviation from the STIG requirements due to how openstack-ansible operates,
-# especially within OpenStack CI gate jobs. See documentation for V-38613 for
-# more details.
-security_ssh_permit_root_login: 'yes' # V-38613
-
-## Kernel
-# Set these booleans to 'yes' to disable the kernel module (following the
-# STIG requirements). Set the boolean to 'no' to ensure no changes are made.
-security_disable_module_bluetooth: yes # V-38682
-security_disable_module_dccp: yes # V-38514
-security_disable_module_rds: yes # V-38516
-security_disable_module_sctp: yes # V-38515
-security_disable_module_tipc: yes # V-38517
-security_disable_module_usb_storage: no # V-38490
-security_disable_icmpv4_redirects: no # V-38524
-security_disable_icmpv4_redirects_secure: no # V-38526
-security_disable_icmpv6_redirects: no # V-38548
-#
-# ** DANGER **
-# It's strongly recommended to fully understand the effects of changing the
-# following sysctl tunables. Refer to the documentation under 'Developer
-# Notes' for each of the STIGs below before making any changes.
-# ** DANGER **
-#
-security_sysctl_enable_tcp_syncookies: yes # V-38539
-security_sysctl_enable_martian_logging: no # V-38528
-#
-# Deployers who wish to disable IPv6 entirely must set this configuration
-# variable to 'yes'. See the documentation for V-38546 before making this
-# change.
-security_disable_ipv6: no # V-38546
-
-# Sets the global challenge ACK counter to a large value such
-# that a potential attacker could not reasonably come up against it.
-security_set_tcp_challenge_ack_limit: yes # CVE-2016-5696
-
-## Mail
-# The STIG requires inet_interfaces to be set to 'localhost', but Ubuntu will
-# configure it to be 'all' when dpkg-reconfigure is unavailable (as it is when
-# Ansible installs packages). The default here is 'localhost' to meet the STIG
-# requirement, but some deployers may want this set to 'all' if their hosts
-# need to receive emails over the network (which isn't common).
-#
-# See the documentation for V-38622 for more details.
-security_postfix_inet_interfaces: localhost # V-38622
-#
-# Configuring an email address here will cause hosts to forward the root user's
-# email to another address.
-#
-#security_root_forward_email: user@example.com
-
-## Linux Security Module (LSM)
-# AppArmor and SELinux provide powerful security controls on a Linux system
-# by setting policies for allowed actions. By setting the following variable
-# to true, the appropriate LSM will be enabled for the Linux distribution:
-#
-# Ubuntu: AppArmor
-# CentOS: SELinux
-#
-# See the openstack-ansible-security documentation for more details.
-security_enable_linux_security_module: yes # V-51337
-
-## PAM and authentication
-# V-38497 requires that accounts with null passwords aren't allowed to
-# authenticate via PAM. Ubuntu 14.04's default allows these logins -- see the
-# documentation for V-38497 for more details. Set the variable below to 'yes'
-# to remove 'nullok_secure' from the PAM configuration or set it to 'no' to
-# leave the PAM configuration unaltered.
-security_pam_remove_nullok: yes # V-38497
-#
-# V-38501 requires that failed login attempts must lock a user account using
-# pam_faillock, but Ubuntu doesn't package that PAM module. Instead, fail2ban
-# can be installed to lock out IP addresses with failed logins for 15 minutes.
-# Set the variable below to 'yes' to install and configure fail2ban.
-security_install_fail2ban: no # V-38501
-#
-# The STIG requires bans to last 15 minutes.
Adjust the following variable
-# to set the time an IP is banned by fail2ban (in seconds).
-security_fail2ban_bantime: 900 # V-38501
-
-## Password complexity and aging
-# V-38475 - There is no password length requirement by default in Ubuntu 14.04.
-# To set a password length requirement, uncomment
-# security_password_minimum_length below. The STIG recommendation is 14
-# characters.
-#security_password_minimum_length: 14 # V-38475
-# V-38477 - There is no password change limitation set by default in Ubuntu. To
-# set the minimum number of days between password changes, uncomment the
-# security_password_minimum_days variable below. The STIG recommendation is 1
-# day.
-#security_password_minimum_days: 1 # V-38477
-# V-38479 - There is no age limit on password by default in Ubuntu. Uncomment
-# line below to use the STIG recommendation of 60 days.
-#security_password_maximum_days: 60 # V-38479
-# V-38480 - To warn users before their password expires, uncomment the line
-# below and they will be warned 7 days prior (following the STIG).
-#security_password_warn_age: 7 # V-38480
-# V-38684 - Setting the maximum number of simultaneous logins per user. The
-# STIG sets a limit of 10.
-#security_max_simultaneous_logins: 10 # V-38684
-# V-38692 - Lock accounts that are inactive for 35 days.
-#security_inactive_account_lock_days: 35 # V-38692
-
-## sudo
-# V-58901 requires that 'NOPASSWD' and '!authenticate' do not appear in any
-# sudoers files since they could lead to a compromise. Set the following
-# variables to 'yes' to comment out any lines found with these prohibited
-# parameters or leave them set to 'no' (the default) to leave sudoers files
-# unaltered. Deployers are urged to review the documentation for this STIG
-# before making changes.
-security_sudoers_remove_nopasswd: no # V-58901
-security_sudoers_remove_authenticate: no # V-58901
-
-## umask settings
-# The STIG recommends changing various default umask settings for users and
-# daemons via different methods. However, this could cause serious issues for
-# production OpenStack environements which haven't been tested with these
-# changes.
-#
-# The variables below are set to match the STIG requirements, but they are
-# commented out to ensure they require deployers to opt-in for each change. To
-# opt in for one of the changes below, simply uncomment the line and run the
-# playbook. Deployers are strongly advised to review the documentation for
-# these changes and review their systems to ensure these changes won't cause
-# service disruptions.
-#
-# V-38642 - Set umask for daemons in init scripts to 027 or 022
-#security_umask_daemons_init: 027 # V-38642
-#
-# V-38645 - System default umask in /etc/login.defs must be 077
-#security_umask_login_defs: 077 # V-38645
-#
-# V-38649 - System default umask for csh must be 077
-#security_umask_csh: 077 # V-38649
-#
-# V-38651 - System default umask for bash must be 077
-#security_umask_bash: 077 # V-38651
-
-## Unattended upgrades (APT) configuration
-security_unattended_upgrades_enabled: false
-security_unattended_upgrades_notifications: false
-
-###############################################################################
-# ____ _ _ _____ _ _____ ____ _____ ___ ____
-# | _ \| | | | ____| | |___ | / ___|_ _|_ _/ ___|
-# | |_) | |_| | _| | | / / \___ \ | | | | | _
-# | _ <| _ | |___| |___ / / ___) || | | | |_| |
-# |_| \_\_| |_|_____|_____| /_/ |____/ |_| |___\____|
-#
-###############################################################################
-
-## AIDE (aide)
-# Initialize the AIDE database immediately (may take time).
-security_rhel7_initialize_aide: no # V-71973
-
-## Audit daemon (auditd)
-# Send audit records to a different system using audisp.
-#security_audisp_remote_server: '10.0.21.1' # V-72083
-# Encrypt audit records when they are transmitted over the network.
-#security_audisp_enable_krb5: yes # V-72085
-# Set the auditd failure flag. WARNING: READ DOCUMENTATION BEFORE CHANGING!
-security_rhel7_audit_failure_flag: 1 # V-72081
-# Set the action to take when the disk is full or network events cannot be sent.
-security_rhel7_auditd_disk_full_action: syslog # V-72087
-security_rhel7_auditd_network_failure_action: syslog # V-72087
-# Size of remaining disk space (in MB) that triggers alerts.
-security_rhel7_auditd_space_left: "{{ (ansible_mounts | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # V-72089
-# Action to take when the space_left threshold is reached.
-security_rhel7_auditd_space_left_action: email # V-72091
-# Send auditd email alerts to this user.
-security_rhel7_auditd_action_mail_acct: root # V-72093
-# Add audit rules for commands/syscalls.
-security_rhel7_audit_chsh: yes # V-72167
-security_rhel7_audit_chage: yes # V-72155
-security_rhel7_audit_chcon: yes # V-72139
-security_rhel7_audit_chmod: no # V-72105
-security_rhel7_audit_chown: no # V-72097
-security_rhel7_audit_creat: yes # V-72123
-security_rhel7_audit_crontab: yes # V-72183
-security_rhel7_audit_delete_module: yes # V-72189
-security_rhel7_audit_fchmod: no # V-72107
-security_rhel7_audit_fchmodat: no # V-72109
-security_rhel7_audit_fchown: no # V-72099
-security_rhel7_audit_fchownat: no # V-72103
-security_rhel7_audit_fremovexattr: no # V-72119
-security_rhel7_audit_fsetxattr: no # V-72113
-security_rhel7_audit_ftruncate: yes # V-72133
-security_rhel7_audit_init_module: yes # V-72187
-security_rhel7_audit_gpasswd: yes # V-72153
-security_rhel7_audit_lchown: no # V-72101
-security_rhel7_audit_lremovexattr: no # V-72121
-security_rhel7_audit_lsetxattr: no # V-72115
-security_rhel7_audit_mount: yes # V-72171
-security_rhel7_audit_newgrp: yes # V-72165
-security_rhel7_audit_open: yes # V-72125
-security_rhel7_audit_openat: yes # V-72127
-security_rhel7_audit_open_by_handle_at: yes # V-72129
-security_rhel7_audit_pam_timestamp_check: yes # V-72185
-security_rhel7_audit_passwd: yes # V-72149
-security_rhel7_audit_postdrop: yes # V-72175
-security_rhel7_audit_postqueue: yes # V-72177
-security_rhel7_audit_pt_chown: yes # V-72181
-security_rhel7_audit_removexattr: no # V-72117
-security_rhel7_audit_rename: yes # V-72199
-security_rhel7_audit_renameat: yes # V-72201
-security_rhel7_audit_restorecon: yes # V-72141
-security_rhel7_audit_rmdir: yes # V-72203
-security_rhel7_audit_semanage: yes # V-72135
-security_rhel7_audit_setsebool: yes # V-72137
-security_rhel7_audit_setxattr: no # V-72111
-security_rhel7_audit_ssh_keysign: yes # V-72179
-security_rhel7_audit_su: yes # V-72159
-security_rhel7_audit_sudo: yes # V-72161
-security_rhel7_audit_sudoedit: yes # V-72169
-security_rhel7_audit_truncate: yes # V-72131
-security_rhel7_audit_umount: yes # V-72173
-security_rhel7_audit_unix_chkpwd: yes # V-72151
-security_rhel7_audit_unlink: yes # V-72205
-security_rhel7_audit_unlinkat: yes # V-72207
-security_rhel7_audit_userhelper: yes # V-72157
-# Add audit rules for other events.
-security_rhel7_audit_account_access: yes # V-72143
-security_rhel7_audit_sudo_config_changes: yes # V-72163
-security_rhel7_audit_insmod: yes # V-72191
-security_rhel7_audit_rmmod: yes # V-72193
-security_rhel7_audit_modprobe: yes # V-72195
-security_rhel7_audit_account_actions: yes # V-72197
-
-## Authentication (auth)
-# Disallow logins from accounts with blank/null passwords via PAM.
-security_disallow_blank_password_login: yes # V-71937
-# Apply password quality rules.
-# NOTE: The security_pwquality_apply_rules variable is a "master switch".
-# Set the 'security_pwquality_apply_rules' variable to 'yes' to apply all of
-# the password quality rules. Each rule can be disabled with a value of 'no'.
-security_pwquality_apply_rules: no
-security_pwquality_require_uppercase: yes # V-71903
-security_pwquality_require_lowercase: yes # V-71905
-security_pwquality_require_numeric: yes # V-71907
-security_pwquality_require_special: yes # V-71909
-security_pwquality_require_characters_changed: yes # V-71911
-security_pwquality_require_character_classes_changed: yes # V-71913
-security_pwquality_limit_repeated_characters: yes # V-71915
-security_pwquality_limit_repeated_character_classes: yes # V-71917
-security_pwquality_require_minimum_password_length: no # V-71935
-# Use pwquality when passwords are changed or established.
-security_enable_pwquality_password_set: no # V-73159
-# Ensure passwords are stored using SHA512.
-security_password_encrypt_method: SHA512 # V-71921
-# Ensure user/group admin utilities only store encrypted passwords.
-security_libuser_crypt_style_sha512: yes # V-71923
-# Set a minimum/maximum lifetime limit for user passwords.
-#security_password_min_lifetime_days: 1 # V-71925
-#security_password_max_lifetime_days: 60 # V-71929
-# Set a delay (in seconds) between failed login attempts.
-security_shadow_utils_fail_delay: 4 # V-71951
-# Set a umask for all authenticated users.
-# security_shadow_utils_umask: '077' # V-71995
-# Create home directories for new users by default.
-security_shadow_utils_create_home: yes # V-72013
-# How many old user password to remember to prevent password re-use.
-#security_password_remember_password: 5 # V-71933
-# Disable user accounts if the password expires.
-security_disable_account_if_password_expires: no # V-71941
-# Lock user accounts with excessive login failures. See documentation.
-security_pam_faillock_enable: no # V-71945 / V-71943 / RHEL-07-010373
-security_pam_faillock_interval: 900
-security_pam_faillock_attempts: 3
-security_pam_faillock_deny_root: yes # RHEL-07-010373
-security_pam_faillock_unlock_time: 604800 # V-71943
-# Limit the number of concurrent connections per account.
-#security_rhel7_concurrent_session_limit: 10 # V-72217
-# Remove .shosts and shosts.equiv files.
-security_rhel7_remove_shosts_files: no # V-72277
-
-## File permissions (file_perms)
-# Reset file permissions and ownership for files installed via RPM packages.
-security_reset_perm_ownership: no # V-71849
-# Search for files/directories owned by invalid users or groups.
-security_search_for_invalid_owner: no # V-72007
-security_search_for_invalid_group_owner: no # V-72009
-# Set user/group owners on each home directory and set mode to 0750.
-security_set_home_directory_permissions_and_owners: no # V-72017 / V-72019 / V-72021
-
-## Graphical interfaces (graphical)
-# Disable automatic gdm logins
-security_disable_gdm_automatic_login: yes # V-71953
-# Disable timed gdm logins for guests
-security_disable_gdm_timed_login: yes # V-71955
-# Enable session locking for graphical logins.
-security_lock_session: no # V-71891
-# Set a timer (in seconds) when an inactive session is locked.
-security_lock_session_inactive_delay: 900 # V-71893
-# Prevent users from modifying session lock settings.
-security_lock_session_override_user: yes # RHEL-07-010071
-# Lock a session (start screensaver) when a session is inactive.
-security_lock_session_when_inactive: yes # V-71893
-# Time after screensaver starts when user login is required.
-security_lock_session_screensaver_lock_delay: 5 # V-71901
-# Enable a login banner and set the text for the banner.
-security_enable_graphical_login_message: yes # V-71859
-security_enable_graphical_login_message_text: >
- You are accessing a secured system and your actions will be logged along
- with identifying information. Disconnect immediately if you are not an
- authorized user of this system.
-
-## Linux Security Module (lsm)
-# Enable SELinux on Red Hat/CentOS and AppArmor on Ubuntu.
-security_rhel7_enable_linux_security_module: yes # V-71989 / V-71991
-
-## Miscellaneous (misc)
-# Disable the autofs service.
-security_rhel7_disable_autofs: yes # V-71985
-# Enable virus scanning with clamav
-security_enable_virus_scanner: no # V-72213
-# Run the virus scanner update during the deployment (if scanner is deployed)
-security_run_virus_scanner_update: yes
-# Disable ctrl-alt-delete key sequence on the console.
-security_rhel7_disable_ctrl_alt_delete: yes # V-71993
-# Install and enable firewalld for iptables management.
-security_enable_firewalld: no # V-72273
-# Rate limit TCP connections to 25/min and burstable to 100.
-security_enable_firewalld_rate_limit: no # V-72271
-security_enable_firewalld_rate_limit_per_minute: 25
-security_enable_firewalld_rate_limit_burst: 100
-# Require authentication in GRUB to boot into single-user or maintenance modes.
-security_require_grub_authentication: no # V-71961 / V-71963
-# The default password for grub authentication is 'secrete'.
-security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B
-# Set session timeout.
-security_rhel7_session_timeout: 600 # V-72223
-# Enable chrony for NTP time synchronization.
-security_rhel7_enable_chrony: yes # V-72269
-# Restrict mail relaying.
-security_rhel7_restrict_mail_relaying: yes # V-72297
-# Deploy a login banner. # V-72225 / V-71863
-security_login_banner_text: |
- ------------------------------------------------------------------------------
- * WARNING *
- * You are accessing a secured system and your actions will be logged along *
- * with identifying information. Disconnect immediately if you are not an *
- * authorized user of this system. *
- ------------------------------------------------------------------------------
-
-
-## Packages (packages)
-# Remove packages from the system as required by the STIG.
Set any of these
-# to 'no' to skip their removal.
-security_rhel7_remove_rsh_server: yes # V-71967
-security_rhel7_remove_telnet_server: yes # V-72077
-security_rhel7_remove_tftp_server: yes # V-72301
-security_rhel7_remove_xorg: yes # V-72307
-security_rhel7_remove_ypserv: yes # V-71969
-# Automatically remove dependencies when removing packages.
-security_package_clean_on_remove: no # V-71987
-# Automatically update packages.
-security_rhel7_automatic_package_updates: no # V-71999
-# Install packages for multi-factor authentication.
-security_install_multifactor_auth_packages: yes # V-72417
-
-## RPM (rpm)
-# Enable GPG checks for packages and repository data.
-security_enable_gpgcheck_packages: yes # V-71977
-security_enable_gpgcheck_packages_local: yes # V-71979
-security_enable_gpgcheck_repo: no # V-71981
-
-## ssh server (sshd)
-# Ensure sshd is running and enabled at boot time.
-security_enable_sshd: yes # V-72235
-# Disallow logins from users with empty/null passwords.
-security_sshd_disallow_empty_password: yes # V-71939 / RHEL-07-010440
-# Disallow users from overriding the ssh environment variables.
-security_sshd_disallow_environment_override: yes # V-71957
-# Disallow host based authentication.
-security_sshd_disallow_host_based_auth: yes # V-71959
-# Set a list of allowed ssh ciphers.
-security_sshd_cipher_list: 'aes128-ctr,aes192-ctr,aes256-ctr' # V-72221
-# Specify a text file to be displayed as the banner/MOTD for all sessions.
-security_sshd_banner_file: /etc/motd # V-71861 / V-72225
-# Set the interval for max session length and the number of intervals to allow.
-security_sshd_client_alive_interval: 600 # V-72237
-security_sshd_client_alive_count_max: 0 # V-72241
-# Print the last login for a user when they log in over ssh.
-security_sshd_print_last_log: yes # V-72245
-# Permit direct root logins
-security_sshd_permit_root_login: no # V-72247
-# Disallow authentication using known hosts authentication.
-security_sshd_disallow_known_hosts_auth: yes # V-72249 / V-72239
-# Disallow rhosts authentication.
-security_sshd_disallow_rhosts_auth: yes # V-72243
-# Enable X11 forwarding.
-security_sshd_enable_x11_forwarding: yes # V-72303
-# Set the allowed ssh protocols.
-security_sshd_protocol: 2 # V-72251
-# Set the list of allowed Message Authentication Codes (MACs) for ssh.
-security_sshd_allowed_macs: 'hmac-sha2-256,hmac-sha2-512' # V-72253
-# Disallow Generic Security Service Application Program Interface (GSSAPI) auth.
-security_sshd_disallow_gssapi: yes # V-72259
-# Disallow compression or delay after login.
-security_sshd_compression: 'delayed' # V-72267
-# Require privilege separation at every opportunity.
-security_sshd_enable_privilege_separation: yes # V-72265
-# Require strict mode checking of home directory configuration files.
-security_sshd_enable_strict_modes: yes # V-72263
-# Disallow Kerberos authentication.
-security_sshd_disable_kerberos_auth: yes # V-72261
-
-## Kernel settings (kernel)
-# Disallow forwarding IPv4/IPv6 source routed packets on all interfaces
-# immediately and by default on new interfaces.
-security_disallow_source_routed_packet_forward_ipv4: yes # V-72283 / V-72285
-security_disallow_source_routed_packet_forward_ipv6: yes # V-72319
-# Disallow responses to IPv4 ICMP echoes sent to broadcast address.
-security_disallow_echoes_broadcast_address: yes # V-72287
-# Disallow IPV4 ICMP redirects on all interfaces immediately and by default on
-# new interfaces.
-security_disallow_icmp_redirects: yes # V-73175 / V-72289 / V-72291 / V-72293
-# Disallow IP forwarding.
-security_disallow_ip_forwarding: no # V-72309
-# Disable USB storage support.
-security_rhel7_disable_usb_storage: yes # V-71983
-# Disable kdump.
-security_disable_kdump: yes # V-72057
diff --git a/doc/Makefile b/doc/Makefile
deleted file mode 100644
index 3029a432..00000000
--- a/doc/Makefile
+++ /dev/null
@@ -1,195 +0,0 @@ -# Makefile for Sphinx documentation -# - -# You can set these variables from the command line. -SPHINXOPTS = "-p 8001" -SPHINXBUILD = sphinx-autobuild -PAPER = -BUILDDIR = build - -# User-friendly check for sphinx-build -ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1) -$(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/) -endif - -# Internal variables. -PAPEROPT_a4 = -D latex_paper_size=a4 -PAPEROPT_letter = -D latex_paper_size=letter -ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) source -# the i18n builder cannot share the environment and doctrees with the others -I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) source - -.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest coverage gettext - -help: - @echo "Please use \`make ' where is one of" - @echo " html to make standalone HTML files" - @echo " dirhtml to make HTML files named index.html in directories" - @echo " singlehtml to make a single large HTML file" - @echo " pickle to make pickle files" - @echo " json to make JSON files" - @echo " htmlhelp to make HTML files and a HTML help project" - @echo " qthelp to make HTML files and a qthelp project" - @echo " applehelp to make an Apple Help Book" - @echo " devhelp to make HTML files and a Devhelp project" - @echo " epub to make an epub" - @echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter" - @echo " latexpdf to make LaTeX files and run them through pdflatex" - @echo " latexpdfja to make LaTeX files and run them through platex/dvipdfmx" - @echo " text to make text files" - @echo " man to make manual pages" - 
@echo " texinfo to make Texinfo files" - @echo " info to make Texinfo files and run them through makeinfo" - @echo " gettext to make PO message catalogs" - @echo " changes to make an overview of all changed/added/deprecated items" - @echo " xml to make Docutils-native XML files" - @echo " pseudoxml to make pseudoxml-XML files for display purposes" - @echo " linkcheck to check all external links for integrity" - @echo " doctest to run all doctests embedded in the documentation (if enabled)" - @echo " coverage to run coverage check of the documentation (if enabled)" - -clean: - rm -rf $(BUILDDIR)/* - -html: - $(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html - @echo - @echo "Build finished. The HTML pages are in $(BUILDDIR)/html." - -dirhtml: - $(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml - @echo - @echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml." - -singlehtml: - $(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml - @echo - @echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml." - -pickle: - $(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle - @echo - @echo "Build finished; now you can process the pickle files." - -json: - $(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json - @echo - @echo "Build finished; now you can process the JSON files." - -htmlhelp: - $(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp - @echo - @echo "Build finished; now you can run HTML Help Workshop with the" \ - ".hhp project file in $(BUILDDIR)/htmlhelp." 
- -qthelp: - $(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp - @echo - @echo "Build finished; now you can run "qcollectiongenerator" with the" \ - ".qhcp project file in $(BUILDDIR)/qthelp, like this:" - @echo "# qcollectiongenerator $(BUILDDIR)/qthelp/openstack-ansible.qhcp" - @echo "To view the help file:" - @echo "# assistant -collectionFile $(BUILDDIR)/qthelp/openstack-ansible.qhc" - -applehelp: - $(SPHINXBUILD) -b applehelp $(ALLSPHINXOPTS) $(BUILDDIR)/applehelp - @echo - @echo "Build finished. The help book is in $(BUILDDIR)/applehelp." - @echo "N.B. You won't be able to view it unless you put it in" \ - "~/Library/Documentation/Help or install it in your application" \ - "bundle." - -devhelp: - $(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp - @echo - @echo "Build finished." - @echo "To view the help file:" - @echo "# mkdir -p $$HOME/.local/share/devhelp/openstack-ansible" - @echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/openstack-ansible" - @echo "# devhelp" - -epub: - $(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub - @echo - @echo "Build finished. The epub file is in $(BUILDDIR)/epub." - -latex: - $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex - @echo - @echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex." - @echo "Run \`make' in that directory to run these through (pdf)latex" \ - "(use \`make latexpdf' here to do that automatically)." - -latexpdf: - $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex - @echo "Running LaTeX files through pdflatex..." - $(MAKE) -C $(BUILDDIR)/latex all-pdf - @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex." - -latexpdfja: - $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex - @echo "Running LaTeX files through platex and dvipdfmx..." - $(MAKE) -C $(BUILDDIR)/latex all-pdf-ja - @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex." 
- -text: - $(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text - @echo - @echo "Build finished. The text files are in $(BUILDDIR)/text." - -man: - $(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man - @echo - @echo "Build finished. The manual pages are in $(BUILDDIR)/man." - -texinfo: - $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo - @echo - @echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo." - @echo "Run \`make' in that directory to run these through makeinfo" \ - "(use \`make info' here to do that automatically)." - -info: - $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo - @echo "Running Texinfo files through makeinfo..." - make -C $(BUILDDIR)/texinfo info - @echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo." - -gettext: - $(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale - @echo - @echo "Build finished. The message catalogs are in $(BUILDDIR)/locale." - -changes: - $(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes - @echo - @echo "The overview file is in $(BUILDDIR)/changes." - -linkcheck: - $(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck - @echo - @echo "Link check complete; look for any errors in the above output " \ - "or in $(BUILDDIR)/linkcheck/output.txt." - -doctest: - $(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest - @echo "Testing of doctests in the sources finished, look at the " \ - "results in $(BUILDDIR)/doctest/output.txt." - -coverage: - $(SPHINXBUILD) -b coverage $(ALLSPHINXOPTS) $(BUILDDIR)/coverage - @echo "Testing of coverage in the sources finished, look at the " \ - "results in $(BUILDDIR)/coverage/python.txt." - -xml: - $(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml - @echo - @echo "Build finished. The XML files are in $(BUILDDIR)/xml." - -pseudoxml: - $(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml - @echo - @echo "Build finished. 
The pseudo-XML files are in $(BUILDDIR)/pseudoxml."
-
-livehtml: html
- sphinx-autobuild -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
diff --git a/doc/metadata/U_RedHat_6_V1R12_Manual-xccdf.xml b/doc/metadata/U_RedHat_6_V1R12_Manual-xccdf.xml
deleted file mode 100644
index e1ef90a5..00000000
--- a/doc/metadata/U_RedHat_6_V1R12_Manual-xccdf.xml
+++ /dev/null
@@ -1,3168 +0,0 @@ -acceptedRed Hat Enterprise Linux 6 Security Technical Implementation GuideThe Red Hat Enterprise Linux 6 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 12 Benchmark Date: 22 Jul 20161I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - I - Mission Critical Public - <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - II - Mission Support Classified - <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - II - Mission Support Sensitive - <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - III - Administrative Public - <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SRG-OS-000257-GPOS-00098 - <GroupDescription></GroupDescription> - - RHEL-07-010010 - The file permissions, ownership, and group membership of system files and commands must match the vendor values. - <VulnDiscussion>Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. 
- -Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001494 - CCI-001496 - Run the following command to determine which package owns the file: - -# rpm -qf <filename> - -Reset the permissions of files within a package with the following command: - -#rpm --setperms <packagename> - -Reset the user and group ownership of files within a package with the following command: - -#rpm --setugids <packagename> - - - - Verify the file permissions, ownership, and group membership of system files and commands match the vendor values. - -Check the file permissions, ownership, and group membership of system files and commands with the following command: - -# rpm -Va | grep '^.M' - -If there is any output from the command indicating that the ownership or group of a system file or command, or a system file, has permissions less restrictive than the default, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-010020 - The cryptographic hash of system files and commands must match vendor values. - <VulnDiscussion>Without cryptographic integrity protections, system command and files can be altered by unauthorized users without detection. 
- -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000663 - Run the following command to determine which package owns the file: - -# rpm -qf <filename> - -The package can be reinstalled from a yum repository using the command: - -# sudo yum reinstall <packagename> - -Alternatively, the package can be reinstalled from trusted media using the command: - -# sudo rpm -Uvh <packagename> - - - - Verify the cryptographic hash of system files and commands match the vendor values. - -Check the cryptographic hash of system files and commands with the following command: - -Note: System configuration files (indicated by a "c" in the second column) are expected to change over time. Unusual modifications should be investigated through the system audit log. - -# rpm -Va | grep '^..5' - -If there is any output from the command for system binaries, this is a finding. - - - - - SRG-OS-000023-GPOS-00006 - <GroupDescription></GroupDescription> - - RHEL-07-010030 - The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. 
- <VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. - -System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - -The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: - -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." 
- -Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: - -"I've read & consent to terms in IS user agreem't." - -Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000048 - Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command: - -# touch /etc/dconf/db/local.d/01-banner-message - -Add the following line to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message": - -[org/gnome/login-screen] -banner-message-enable=true - - - - Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Check to see if the operating system displays a banner at the logon screen with the following command: - -# grep banner-message-enable /etc/dconf/db/local.d/* -banner-message-enable=true - -If "banner-message-enable" is set to "false" or is missing, this is a finding. 
- - - - - SRG-OS-000023-GPOS-00006 - <GroupDescription></GroupDescription> - - RHEL-07-010040 - The operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. - <VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. - -System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - -The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: - -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
- --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - -Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: - -"I've read & consent to terms in IS user agreem't." - -Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000048 - Configure the operating system to display the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the system. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command: - -# touch /etc/dconf/db/local.d/01-banner-message - -Add the following line to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message": - -[org/gnome/login-screen] -banner-message-text=’You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
- -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.’ - - - - Verify the operating system displays the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Check that the operating system displays the exact approved Standard Mandatory DoD Notice and Consent Banner text with the command: - -# grep banner-message-text /etc/dconf/db/local.d/* -banner-message-text= -‘You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
- -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.’ - -If the banner does not match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding. - - - - - SRG-OS-000023-GPOS-00006 - <GroupDescription></GroupDescription> - - RHEL-07-010050 - The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. - <VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. 
- -System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - -The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: - -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - -Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: - -"I've read & consent to terms in IS user agreem't." 
- -Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000048 - Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the command line by editing the "/etc/issue" file. - -Replace the default text with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is: - -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. 
- --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - - - - Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a command line user logon. - -Check to see if the operating system displays a banner at the command line logon screen with the following command: - -# more /etc/issue - -The command should return the following text: -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. 
Such communications and work product are private and confidential. See User Agreement for details." - -If the operating system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding. - -If the text in the "/etc/issue" file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding. - - - - - SRG-OS-000028-GPOS-00009 - <GroupDescription></GroupDescription> - - RHEL-07-010060 - The operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures. - <VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - -The session lock is implemented at the point where session activity can be determined. - -Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. - -Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000056 - Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures. 
- -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - -# touch /etc/dconf/db/local.d/00-screensaver - -Edit “org/gnome/desktop/session” and add or update the following lines: - -# Set the lock time out to 900 seconds before the session is considered idle -idle-delay=uint32 900 - -Edit "org/gnome/desktop/screensaver" and add or update the following lines: - -# Set this to true to lock the screen when the screensaver activates -lock-enabled=true -# Set the lock timeout to 180 seconds after the screensaver has been activated -lock-delay=uint32 180 - -You must include the "uint32" along with the integer key values as shown. - -Override the user's setting and prevent the user from changing it by editing “/etc/dconf/db/local.d/locks/screensaver” and adding or updating the following lines: - -# Lock desktop screensaver settings -/org/gnome/desktop/session/idle-delay -/org/gnome/desktop/screensaver/lock-enabled -/org/gnome/desktop/screensaver/lock-delay - -Update the system databases: - -# dconf update - -Users must log out and back in again before the system-wide settings take effect. - - - - Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures. The screen program must be installed to lock sessions on the console. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Check to see if the screen lock is enabled with the following command: - -# grep -i lock-enabled /etc/dconf/db/local.d/00-screensaver -lock-enabled=true - -If the "lock-enabled" setting is missing or is not set to "true", this is a finding. - - - - - SRG-OS-000029-GPOS-00010 - <GroupDescription></GroupDescription> - - RHEL-07-010070 - The operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. 
- <VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000057 - Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. - -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - -# touch /etc/dconf/db/local.d/00-screensaver - -Edit “org/gnome/desktop/session” and add or update the following lines: - -# Set the lock time out to 900 seconds before the session is considered idle -idle-delay=uint32 900 - -Edit "org/gnome/desktop/screensaver" and add or update the following lines: - -# Set this to true to lock the screen when the screensaver activates -lock-enabled=true -# Set the lock timeout to 180 seconds after the screensaver has been activated -lock-delay=uint32 180 - -You must include the "uint32" along with the integer key values as shown. 
- -Override the user's setting and prevent the user from changing it by editing “/etc/dconf/db/local.d/locks/screensaver” and adding or updating the following lines: - -# Lock desktop screensaver settings -/org/gnome/desktop/session/idle-delay -/org/gnome/desktop/screensaver/lock-enabled -/org/gnome/desktop/screensaver/lock-delay - -Update the system databases: - -# dconf update - -Users must log out and back in again before the system-wide settings take effect. - - - - Verify the operating system initiates a screensaver after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Check to see if GNOME is configured to display a screensaver after a 15 minute delay with the following command: - -# grep -i idle-delay /etc/dconf/db/local.d/* -idle-delay=uint32 900 - -If the "idle-delay" setting is missing or is not set to "900" or less, this is a finding. - - - - - SRG-OS-000029-GPOS-00010 - <GroupDescription></GroupDescription> - - RHEL-07-010080 - The operating system must set the idle delay setting for all connection types. - <VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. 
- -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000057 - Configure the operating system to prevent a user from overriding a session lock after a 15-minute period of inactivity for graphical user interfaces. - -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - -Note: The example below is using the database "local" for the system, so if the system is using another database in /etc/dconf/profile/user, the file should be created under the appropriate subdirectory. - -# touch /etc/dconf/db/local.d/locks/session - -Add the setting to lock the screensaver idle delay: - -/org/gnome/desktop/screensaver/idle-delay - - - - Verify the operating system prevents a user from overriding session lock after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Determine which profile the system database is using with the following command: -#grep system-db /etc/dconf/profile/user - -system-db:local - -Check for the lock delay setting with the following command: - -Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. 
- -# grep -i idle-delay /etc/dconf/db/local.d/locks/* - -/org/gnome/desktop/screensaver/idle-delay - -If the command does not return a result, this is a finding. - - - - - SRG-OS-000029-GPOS-00010 - <GroupDescription></GroupDescription> - - RHEL-07-010090 - The operating system must have the screen package installed. - <VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - -The screen package allows for a session lock to be implemented and configured.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000057 - Install the screen package to allow the initiation a session lock after a 15-minute period of inactivity for graphical users interfaces. - -Install the screen program (if it is not on the system) with the following command: - -# yum install screen - -The console can now be locked with the following key combination: - -ctrl+A x - - - - Verify the operating system has the screen package installed. - -Check to see if the screen package is installed with the following command: - -# yum list installed | grep screen -screen-4.3.1-3-x86_64.rpm - -If is not installed, this is a finding. 
- - - - - SRG-OS-000029-GPOS-00010 - <GroupDescription></GroupDescription> - - RHEL-07-010100 - The operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces. - <VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000057 - Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces. - -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - -# touch /etc/dconf/db/local.d/00-screensaver - -Add the setting to enable screensaver locking after 15 minutes of inactivity: - -[org/gnome/desktop/screensaver] - -idle-activation-enabled=true - - - - Verify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console. 
- -If it is installed, GNOME must be configured to enforce a session lock after a 15-minute delay. Check for the session lock settings with the following commands: - -# grep -i idle_activation_enabled /etc/dconf/db/local.d/* -[org/gnome/desktop/screensaver] idle-activation-enabled=true - -If "idle-activation-enabled" is not set to "true", this is a finding. - - - - - SRG-OS-000029-GPOS-00010 - <GroupDescription></GroupDescription> - - RHEL-07-010110 - The operating system must initiate a session lock for graphical user interfaces when the screensaver is activated. - <VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000057 - Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated. 
- -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - -# touch /etc/dconf/db/local.d/00-screensaver - -Add the setting to enable session locking when a screensaver is activated: - -[org/gnome/desktop/screensaver] -lock-delay=uint32 5 - -After the setting has been set, run dconf update. - - - - Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated. The screen program must be installed to lock sessions on the console. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -If GNOME is installed, check to see a session lock occurs when the screensaver is activated with the following command: - -# grep -i lock-delay /etc/dconf/db/local.d/* -lock-delay=uint32 5 - -If the "lock-delay" setting is missing, or is not set, this is a finding. - - - - - SRG-OS-000069-GPOS-00037 - <GroupDescription></GroupDescription> - - RHEL-07-010120 - When passwords are changed or new passwords are established, the new password must contain at least one upper-case character. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000192 - Configure the operating system to enforce password complexity by requiring that at least one upper-case character be used by setting the "ucredit" option. - -Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - -ucredit = -1 - - - - Note: The value to require a number of upper-case characters to be set is expressed as a negative number in "/etc/security/pwquality.conf". - -Check the value for "ucredit" in "/etc/security/pwquality.conf" with the following command: - -# grep ucredit /etc/security/pwquality.conf -ucredit = -1 - -If the value of "ucredit" is not set to a negative value, this is a finding. - - - - - SRG-OS-000070-GPOS-00038 - <GroupDescription></GroupDescription> - - RHEL-07-010130 - When passwords are changed or new passwords are established, the new password must contain at least one lower-case character. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000193 - Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made. - -Modify the first three lines of the "auth" section of the "/etc/pam.d/system-auth-ac" and "/etc/pam.d/password-auth-ac" files to match the following lines: - -Note: RHEL 7.3 and later allows for a value of “never” for "unlock_time". This is an acceptable value but should be used with caution if availability is a concern. - -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=604800 -auth sufficient pam_unix.so try_first_pass -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=604800 - -and run the "authconfig" command. - - - - Note: The value to require a number of lower-case characters to be set is expressed as a negative number in "/etc/security/pwquality.conf". - -Check the value for "lcredit" in "/etc/security/pwquality.conf" with the following command: - -# grep lcredit /etc/security/pwquality.conf -lcredit = -1 - -If the value of "lcredit" is not set to a negative value, this is a finding. - - - - - SRG-OS-000071-GPOS-00039 - <GroupDescription></GroupDescription> - - RHEL-07-010140 - When passwords are changed or new passwords are assigned, the new password must contain at least one numeric character. 
- <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000194 - Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the "dcredit" option. - -Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): - -dcredit = -1 - - - - Note: The value to require a number of numeric characters to be set is expressed as a negative number in "/etc/security/pwquality.conf". - -Check the value for "dcredit" in "/etc/security/pwquality.conf" with the following command: - -# grep dcredit /etc/security/pwquality.conf -dcredit = -1 - -If the value of "dcredit" is not set to a negative value, this is a finding. - - - - - SRG-OS-000266-GPOS-00101 - <GroupDescription></GroupDescription> - - RHEL-07-010150 - When passwords are changed or new passwords are assigned, the new password must contain at least one special character. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001619 - Configure the operating system to enforce password complexity by requiring that at least one special character be used by setting the "dcredit" option. - -Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - -ocredit = -1 - - - - Verify the operating system enforces password complexity by requiring that at least one special character be used. - -Note: The value to require a number of special characters to be set is expressed as a negative number in "/etc/security/pwquality.conf". - -Check the value for "ocredit" in "/etc/security/pwquality.conf" with the following command: - -# grep ocredit /etc/security/pwquality.conf -ocredit=-1 - -If the value of "ocredit" is not set to a negative value, this is a finding. - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> - - RHEL-07-010160 - When passwords are changed a minimum of eight of the total number of characters must be changed. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000195 - Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed by setting the "difok" option. - -Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - -difok = 8 - - - - The "difok" option sets the number of characters in a password that must not be present in the old password. - -Check for the value of the "difok" option in "/etc/security/pwquality.conf" with the following command: - -# grep difok /etc/security/pwquality.conf -difok = 8 - -If the value of "difok" is set to less than "8", this is a finding. - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> - - RHEL-07-010170 - When passwords are changed a minimum of four character classes must be changed. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
- -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000195 - Configure the operating system to require the change of at least four character classes when passwords are changed by setting the "minclass" option. - -Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value): - -minclass = 4 - - - - The "minclass" option sets the minimum number of required classes of characters for the new password (digits, upper-case, lower-case, others). - -Check for the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command: - -# grep minclass /etc/security/pwquality.conf -minclass = 4 - -If the value of "minclass" is set to less than "4", this is a finding. - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> - - RHEL-07-010180 - When passwords are changed the number of repeating consecutive characters must not be more than four characters. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000195 - Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the "maxrepeat" option. - -Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value): - -maxrepeat = 2 - - - - The "maxrepeat" option sets the maximum number of allowed same consecutive characters in a new password. - -Check for the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command: - -# grep maxrepeat /etc/security/pwquality.conf -maxrepeat = 2 - -If the value of "maxrepeat" is set to more than "2", this is a finding. - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> - - RHEL-07-010190 - When passwords are changed the number of repeating characters of the same character class must not be more than four characters. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000195 - Configure the operating system to require the change of the number of repeating characters of the same character class when passwords are changed by setting the "maxclassrepeat" option. - -Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value): - -maxclassrepeat = 4 - - - - The "maxclassrepeat" option sets the maximum number of allowed same consecutive characters in the same class in the new password. - -Check for the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command: - -# grep maxclassrepeat /etc/security/pwquality.conf -maxclassrepeat = 4 - -If the value of "maxclassrepeat" is set to more than "4", this is a finding. - - - - - SRG-OS-000073-GPOS-00041 - <GroupDescription></GroupDescription> - - RHEL-07-010200 - The PAM system service must be configured to store only encrypted representations of passwords. - <VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000196 - Configure the operating system to store only SHA512 encrypted representations of passwords. - -Add the following line in "/etc/pam.d/system-auth-ac": - -password sufficient pam_unix.so sha512 - -and run the "authconfig" command. - - - - Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512. - -Check that the system is configured to create SHA512 hashed passwords with the following command: - -# grep password /etc/pam.d/system-auth-ac -password sufficient pam_unix.so sha512 - -If the "/etc/pam.d/system-auth-ac" configuration files allow for password hashes other than SHA512 to be used, this is a finding. - - - - - SRG-OS-000073-GPOS-00041 - <GroupDescription></GroupDescription> - - RHEL-07-010210 - The shadow file must be configured to store only encrypted representations of passwords. - <VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000196 - Configure the operating system to store only SHA512 encrypted representations of passwords. - -Add or update the following line in "/etc/login.defs": - -ENCRYPT_METHOD SHA512 - - - - Verify the system's shadow file is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512. - -Check that the system is configured to create SHA512 hashed passwords with the following command: - -# grep -i encrypt /etc/login.defs -ENCRYPT_METHOD SHA512 - -If the "/etc/login.defs" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding. - - - - - SRG-OS-000073-GPOS-00041 - <GroupDescription></GroupDescription> - - RHEL-07-010220 - User and group account administration utilities must be configured to store only encrypted representations of passwords. - <VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000196 - Configure the operating system to store only SHA512 encrypted representations of passwords. - -Add or update the following line in "/etc/libuser.conf" in the [defaults] section: - -crypt_style = sha512 - - - - Verify the user and group account administration utilities are configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is "SHA512". - -Check that the system is configured to create "SHA512" hashed passwords with the following command: - -# cat /etc/libuser.conf | grep -i sha512 - -crypt_style = sha512 - -If the "crypt_style" variable is not set to "sha512", is not in the defaults section, or does not exist, this is a finding. - - - - - SRG-OS-000075-GPOS-00043 - <GroupDescription></GroupDescription> - - RHEL-07-010230 - Passwords for new users must be restricted to a 24 hours/1 day minimum lifetime. - <VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. 
If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000198 - Configure the operating system to enforce 24 hours/1 day as the minimum password lifetime. - -Add the following line in "/etc/login.defs" (or modify the line to have the required value): - -PASS_MIN_DAYS 1 - - - - Verify the operating system enforces 24 hours/1 day as the minimum password lifetime for new user accounts. - -Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command: - -# grep -i pass_min_days /etc/login.defs -PASS_MIN_DAYS 1 - -If the "PASS_MIN_DAYS" parameter value is not "1" or greater, or is commented out, this is a finding. - - - - - SRG-OS-000075-GPOS-00043 - <GroupDescription></GroupDescription> - - RHEL-07-010240 - Passwords must be restricted to a 24 hours/1 day minimum lifetime. - <VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. 
If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000198 - Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime: - -# chage -m 1 [user] - - - - Check whether the minimum time period between password changes for each user account is one day or greater. - -# awk -F: '$4 < 1 {print $1}' /etc/shadow - -If any results are returned that are not associated with a system account, this is a finding. - - - - - SRG-OS-000076-GPOS-00044 - <GroupDescription></GroupDescription> - - RHEL-07-010250 - Passwords for new users must be restricted to a 60-day maximum lifetime. - <VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. 
If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000199 - Configure the operating system to enforce a 60-day maximum password lifetime restriction. - -Add the following line in "/etc/login.defs" (or modify the line to have the required value): - -PASS_MAX_DAYS 60 - - - - Verify the operating system enforces a 60-day maximum password lifetime restriction for new user accounts. - -Check for the value of "PASS_MAX_DAYS" in "/etc/login.defs" with the following command: - -# grep -i pass_max_days /etc/login.defs -PASS_MAX_DAYS 60 - -If the "PASS_MAX_DAYS" parameter value is not 60 or less, or is commented out, this is a finding. - - - - - SRG-OS-000076-GPOS-00044 - <GroupDescription></GroupDescription> - - RHEL-07-010260 - Existing passwords must be restricted to a 60-day maximum lifetime. - <VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. 
If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000199 - Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction. - -# chage -M 60 [user] - - - - Check whether the maximum time period for existing passwords is restricted to 60 days. - -# awk -F: '$5 > 60 {print $1}' /etc/shadow - -If any results are returned that are not associated with a system account, this is a finding. - - - - - SRG-OS-000077-GPOS-00045 - <GroupDescription></GroupDescription> - - RHEL-07-010270 - Passwords must be prohibited from reuse for a minimum of five generations. - <VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000200 - Configure the operating system to prohibit password reuse for a minimum of five generations. - -Add the following line in "/etc/pam.d/system-auth-ac" (or modify the line to have the required value): - -password sufficient pam_unix.so use_authtok sha512 shadow remember=5 - -and run the "authconfig" command. - - - - Verify the operating system prohibits password reuse for a minimum of five generations. - -Check for the value of the "remember" argument in "/etc/pam.d/system-auth-ac" with the following command: - -# grep -i remember /etc/pam.d/system-auth-ac -password sufficient pam_unix.so use_authtok sha512 shadow remember=5 - -If the line containing the "pam_unix.so" line does not have the "remember" module argument set, or the value of the "remember" module argument is set to less than "5", this is a finding. - - - - - SRG-OS-000078-GPOS-00046 - <GroupDescription></GroupDescription> - - RHEL-07-010280 - Passwords must be a minimum of 15 characters in length. - <VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. - -Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000205 - Configure operating system to enforce a minimum 15-character password length. - -Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - -minlen = 15 - - - - Verify the operating system enforces a minimum 15-character password length. The "minlen" option sets the minimum number of characters in a new password. - -Check for the value of the "minlen" option in "/etc/security/pwquality.conf" with the following command: - -# grep minlen /etc/security/pwquality.conf -minlen = 15 - -If the command does not return a "minlen" value of 15 or greater, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-010290 - The system must not have accounts configured with blank or null passwords. - <VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. - -Remove any instances of the "nullok" option in "/etc/pam.d/system-auth-ac" to prevent logons with empty passwords and run the "authconfig" command. - - - - To verify that null passwords cannot be used, run the following command: - -# grep nullok /etc/pam.d/system-auth-ac - -If this produces any output, it may be possible to log on with accounts with empty passwords. - -If null passwords can be used, this is a finding. - - - - - SRG-OS-000106-GPOS-00053 - <GroupDescription></GroupDescription> - - RHEL-07-010300 - The SSH daemon must not allow authentication using an empty password. 
- <VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000766 - To explicitly disallow remote logon from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config": - -PermitEmptyPasswords no - -The SSH service must be restarted for changes to take effect. Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. - - - - To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command: - -# grep -i PermitEmptyPasswords /etc/ssh/sshd_config -PermitEmptyPasswords no - -If no line, a commented line, or a line indicating the value "no" is returned, the required value is set. - -If the required value is not set, this is a finding. - - - - - SRG-OS-000118-GPOS-00060 - <GroupDescription></GroupDescription> - - RHEL-07-010310 - The operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires. - <VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. 
- -Operating systems need to track periods of inactivity and disable application identifiers after zero days of inactivity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000795 - Configure the operating system to disable account identifiers (individuals, groups, roles, and devices) after the password expires. - -Add the following line to "/etc/default/useradd" (or modify the line to have the required value): - -INACTIVE=0 - - - - Verify the operating system disables account identifiers (individuals, groups, roles, and devices) after the password expires with the following command: - -# grep -i inactive /etc/default/useradd -INACTIVE=0 - -If the value is not set to "0", is commented out, or is not defined, this is a finding. - - - - - SRG-OS-000329-GPOS-00128 - <GroupDescription></GroupDescription> - - RHEL-07-010320 - Accounts subject to three unsuccessful logon attempts within 15 minutes must be locked for the maximum configurable period. - <VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. 
- -Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-002238 - Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made. - -Modify the first three lines of the auth section of the "/etc/pam.d/system-auth-ac" and "/etc/pam.d/password-auth-ac" files to match the following lines: - -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=604800 -auth sufficient pam_unix.so try_first_pass -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=604800 - -and run the "authconfig" command. - - - - Verify the operating system automatically locks an account for the maximum period for which the system can be configured. - -Check that the system locks an account for the maximum period after three unsuccessful logon attempts within a period of 15 minutes with the following command: - -# grep pam_faillock.so /etc/pam.d/password-auth-ac -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=604800 -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=604800 - -If the "unlock_time" setting is greater than "604800" on both lines with the "pam_faillock.so" module name or is missing from a line, this is a finding. - - - - - SRG-OS-000329-GPOS-00128 - <GroupDescription></GroupDescription> - - RHEL-07-010330 - If three unsuccessful root logon attempts within 15 minutes occur the associated account must be locked. 
- <VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. - -Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-002238 - Configure the operating system to automatically lock the root account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made. - -Modify the first three lines of the auth section of the "/etc/pam.d/system-auth-ac" and "/etc/pam.d/password-auth-ac" files to match the following lines: - -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=604800 -auth sufficient pam_unix.so try_first_pass -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=604800 - -and run the "authconfig" command. - - - - Verify the operating system automatically locks the root account until it is released by an administrator when three unsuccessful logon attempts in 15 minutes are made. - -# grep pam_faillock.so /etc/pam.d/password-auth-ac -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 - -If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module name, this is a finding. 
- - - - - SRG-OS-000373-GPOS-00156 - <GroupDescription></GroupDescription> - - RHEL-07-010340 - Users must provide a password for privilege escalation. - <VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. - -When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. - -Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-002038 - Configure the operating system to require users to supply a password for privilege escalation. - -Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command: - -# grep -i nopasswd /etc/sudoers /etc/sudoers.d/* - -Remove any occurrences of "NOPASSWD" tags in the file. - - - - Verify the operating system requires users to supply a password for privilege escalation. - -Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command: - -# grep -i nopasswd /etc/sudoers /etc/sudoers.d/* - -If any uncommented line is found with a "NOPASSWD" tag, this is a finding. - - - - - SRG-OS-000373-GPOS-00156 - <GroupDescription></GroupDescription> - - RHEL-07-010350 - Users must re-authenticate for privilege escalation. - <VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
- -When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. - -Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-002038 - Configure the operating system to require users to reauthenticate for privilege escalation. - -Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command: - -Remove any occurrences of "!authenticate" tags in the file. - - - - Verify the operating system requires users to reauthenticate for privilege escalation. - -Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command: - -# grep -i authenticate /etc/sudoers /etc/sudoers.d/* - -If any line is found with a "!authenticate" tag, this is a finding. - - - - - SRG-OS-000480-GPOS-00226 - <GroupDescription></GroupDescription> - - RHEL-07-010430 - The delay between logon prompts following a failed console logon attempt must be at least four seconds. - <VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. - -Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. 
Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt. - -Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or greater: - -FAIL_DELAY 4 - - - - Verify the operating system enforces a delay of at least four seconds between console logon prompts following a failed logon attempt. - -Check the value of the "fail_delay" parameter in the "/etc/login.defs" file with the following command: - -# grep -i fail_delay /etc/login.defs -FAIL_DELAY 4 - -If the value of "FAIL_DELAY" is not set to "4" or greater, this is a finding. - - - - - SRG-OS-000480-GPOS-00229 - <GroupDescription></GroupDescription> - - RHEL-07-010440 - The operating system must not allow an unattended or automatic logon to the system via a graphical user interface. 
- <VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the operating system to not allow an unattended or automatic logon to the system via a graphical user interface. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Add or edit the line for the "AutomaticLoginEnable" parameter in the [daemon] section of the "/etc/gdm/custom.conf" file to "false": - -[daemon] -AutomaticLoginEnable=false - - - - Verify the operating system does not allow an unattended or automatic logon to the system via a graphical user interface. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Check for the value of the "AutomaticLoginEnable" in the "/etc/gdm/custom.conf" file with the following command: - -# grep -i automaticloginenable /etc/gdm/custom.conf -AutomaticLoginEnable=false - -If the value of "AutomaticLoginEnable" is not set to "false", this is a finding. - - - - - SRG-OS-000480-GPOS-00229 - <GroupDescription></GroupDescription> - - RHEL-07-010450 - The operating system must not allow an unrestricted logon to the system. 
- <VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the operating system to not allow an unrestricted account to log on to the system via a graphical user interface. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Add or edit the line for the "TimedLoginEnable" parameter in the [daemon] section of the "/etc/gdm/custom.conf" file to "false": - -[daemon] -TimedLoginEnable=false - - - - Verify the operating system does not allow an unrestricted logon to the system via a graphical user interface. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Check for the value of the "TimedLoginEnable" parameter in "/etc/gdm/custom.conf" file with the following command: - -# grep -i timedloginenable /etc/gdm/custom.conf -TimedLoginEnable=false - -If the value of "TimedLoginEnable" is not set to "false", this is a finding. - - - - - SRG-OS-000480-GPOS-00229 - <GroupDescription></GroupDescription> - - RHEL-07-010460 - The operating system must not allow users to override SSH environment variables. 
- <VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the operating system to not allow users to override environment variables to the SSH daemon. - -Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for "PermitUserEnvironment" keyword and set the value to "no": - -PermitUserEnvironment no - -The SSH service must be restarted for changes to take effect. - - - - Verify the operating system does not allow users to override environment variables to the SSH daemon. - -Check for the value of the "PermitUserEnvironment" keyword with the following command: - -# grep -i permituserenvironment /etc/ssh/sshd_config -PermitUserEnvironment no - -If the "PermitUserEnvironment" keyword is not set to "no", is missing, or is commented out, this is a finding. - - - - - SRG-OS-000480-GPOS-00229 - <GroupDescription></GroupDescription> - - RHEL-07-010470 - The operating system must not allow a non-certificate trusted host SSH logon to the system. 
- <VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the operating system to not allow a non-certificate trusted host SSH logon to the system. - -Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for "HostbasedAuthentication" keyword and set the value to "no": - -HostbasedAuthentication no - -The SSH service must be restarted for changes to take effect. - - - - Verify the operating system does not allow a non-certificate trusted host SSH logon to the system. - -Check for the value of the "HostbasedAuthentication" keyword with the following command: - -# grep -i hostbasedauthentication /etc/ssh/sshd_config -HostbasedAuthentication no - -If the "HostbasedAuthentication" keyword is not set to "no", is missing, or is commented out, this is a finding. - - - - - SRG-OS-000080-GPOS-00048 - <GroupDescription></GroupDescription> - - RHEL-07-010480 - Systems with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes. - <VulnDiscussion>If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000213 - Configure the system to encrypt the boot password for root. - -Generate an encrypted grub2 password for root with the following command: - -Note: The hash generated is an example. - -# grub-mkpasswd-pbkdf2 -Enter Password: -Reenter Password: -PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45 - -Using this hash, modify the "/etc/grub.d/10_linux" file with the following commands to add the password to the root entry: - -# cat << EOF -> set superusers="root" password_pbkdf2 smithj grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45 -> EOF - -Generate a new "grub.conf" file with the new password with the following commands: - -# grub2-mkconfig --output=/tmp/grub2.cfg -# mv /tmp/grub2.cfg /boot/grub2/grub.cfg - - - - Check to see if an encrypted root password is set. On systems that use a BIOS, use the following command: - -# grep -i password /boot/grub2/grub.cfg -password_pbkdf2 superusers-account password-hash - -If the root password entry does not begin with "password_pbkdf2", this is a finding. - - - - - SRG-OS-000080-GPOS-00048 - <GroupDescription></GroupDescription> - - RHEL-07-010490 - Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes. 
- <VulnDiscussion>If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000213 - Configure the system to encrypt the boot password for root. - -Generate an encrypted grub2 password for root with the following command: - -Note: The hash generated is an example. - -# grub-mkpasswd-pbkdf2 -Enter Password: -Reenter Password: - -PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45 - -Using this hash, modify the "/etc/grub.d/10_linux" file with the following commands to add the password to the root entry: - -# cat << EOF -> set superusers="root" password_pbkdf2 smithj grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45 -> EOF - -Generate a new "grub.conf" file with the new password with the following commands: - -# grub2-mkconfig --output=/tmp/grub2.cfg -# mv /tmp/grub2.cfg /boot/efi/EFI/redhat/grub.cfg - - - - Check to see if an encrypted root password is set. On systems that use UEFI, use the following command: - -# grep -i password /boot/efi/EFI/redhat/grub.cfg -password_pbkdf2 superusers-account password-hash - -If the root password entry does not begin with "password_pbkdf2", this is a finding. 
- - - - - SRG-OS-000104-GPOS-00051 - <GroupDescription></GroupDescription> - - RHEL-07-010500 - The operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. - <VulnDiscussion>To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. - -Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: - -1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; - -and - -2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. 
- -Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000108-GPOS-00057, SRG-OS-000108-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000766 - Configure the operating system to require individuals to be authenticated with a multifactor authenticator. - -Enable smartcard logons with the following commands: - -# authconfig --enablesmartcard --smartcardaction=1 --update -# authconfig --enablerequiresmartcard -update - -Modify the "/etc/pam_pkcs11/pkcs11_eventmgr.conf" file to uncomment the following line: - -#/usr/X11R6/bin/xscreensaver-command -lock - -Modify the "/etc/pam_pkcs11/pam_pkcs11.conf" file to use the cackey module if required. - - - - Verify the operating system requires multifactor authentication to uniquely identify organizational users using multifactor authentication. - -Check to see if smartcard authentication is enforced on the system: - -# authconfig --test | grep -i smartcard - -The entry for use only smartcard for logon may be enabled, and the smartcard module and smartcard removal actions must not be blank. - -If smartcard authentication is disabled or the smartcard and smartcard removal actions are blank, this is a finding. - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - RHEL-07-020000 - The rsh-server package must not be installed. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). - -The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. - -If a privileged user were to log on using this service, the privileged user password could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000381 - Configure the operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command: - -# yum remove rsh-server - - - - Check to see if the rsh-server package is installed with the following command: - -# yum list installed rsh-server - -If the rsh-server package is installed, this is a finding. - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - RHEL-07-020010 - The ypserv package must not be installed. 
- <VulnDiscussion>Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000381 - Configure the operating system to disable non-essential capabilities by removing the "ypserv" package from the system with the following command: - -# yum remove ypserv - - - - The NIS service provides an unencrypted authentication service that does not provide for the confidentiality and integrity of user passwords or the remote session. - -Check to see if the "ypserve" package is installed with the following command: - -# yum list installed ypserv - -If the "ypserv" package is installed, this is a finding. - - - - - SRG-OS-000324-GPOS-00125 - <GroupDescription></GroupDescription> - - RHEL-07-020020 - The operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. - <VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. - -Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-002165 - CCI-002235 - Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. - -Use the following command to map a new user to the "sysdam_u" role: - -#semanage login -a -s sysadm_u <username> - -Use the following command to map an existing user to the "sysdam_u" role: - -#semanage login -m -s sysadm_u <username> - -Use the following command to map a new user to the "staff_u" role: - -#semanage login -a -s staff_u <username> - -Use the following command to map an existing user to the "staff_u" role: - -#semanage login -m -s staff_u <username> - -Use the following command to map a new user to the "user_u" role: - -# semanage login -a -s user_u <username> - -Use the following command to map an existing user to the "user_u" role: - -# semanage login -m -s user_u <username> - - - - Verify the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. - -Get a list of authorized users (other than System Administrator and guest accounts) for the system. 
- -Check the list against the system by using the following command: - -# semanage login -l | more -Login Name SELinux User MLS/MCS Range Service -__default__ user_u s0-s0:c0.c1023 * -root unconfined_u s0-s0:c0.c1023 * -system_u system_u s0-s0:c0.c1023 * -joe staff_u s0-s0:c0.c1023 * - -All administrators must be mapped to the "sysadm_u" or "staff_u" users with the appropriate domains (sysadm_t and staff_t). - -All authorized non-administrative users must be mapped to the "user_u" role or the appropriate domain (user_t). - -If they are not mapped in this way, this is a finding. - - - - - SRG-OS-000363-GPOS-00150 - <GroupDescription></GroupDescription> - - RHEL-07-020030 - A file integrity tool must verify the baseline operating system configuration at least weekly. - <VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. - -Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001744 - Configure the file integrity tool to automatically run on the system at least weekly. The following example output is generic. It will set cron to run AIDE daily, but other file integrity tools may be used: - -# cat /etc/cron.daily/aide -0 0 * * * /usr/sbin/aide --check | /bin/mail -s "aide integrity check run for <system name>" root@sysname.mil - - - - Verify the operating system routinely checks the baseline configuration for unauthorized changes. - -Note: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed at least once per week. - -Check to see if AIDE is installed on the system with the following command: - -# yum list installed aide - -If AIDE is not installed, ask the SA how file integrity checks are performed on the system. - -Check for the presence of a cron job running daily or weekly on the system that executes AIDE daily to scan for changes to the system baseline. The command used in the example will use a daily occurrence. - -Check the "/etc/cron.daily" subdirectory for a "crontab" file controlling the execution of the file integrity application. 
For example, if AIDE is installed on the system, use the following command: - -# ls -al /etc/cron.* | grep aide --rwxr-xr-x 1 root root 29 Nov 22 2015 aide - -If the file integrity application does not exist, or a "crontab" file does not exist in the "/etc/cron.daily" or "/etc/cron.weekly" subdirectories, this is a finding. - - - - - SRG-OS-000363-GPOS-00150 - <GroupDescription></GroupDescription> - - RHEL-07-020040 - Designated personnel must be notified if baseline configurations are changed in an unauthorized manner. - <VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. - -Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001744 - Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel through the use of the cron system. - -The following example output is generic. 
It will set cron to run AIDE daily and to send email at the completion of the analysis. - -# more /etc/cron.daily/aide -0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil - - - - Verify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner. - -Note: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed and notify specified individuals via email or an alert. - -Check to see if AIDE is installed on the system with the following command: - -# yum list installed aide - -If AIDE is not installed, ask the SA how file integrity checks are performed on the system. - -Check for the presence of a cron job running routinely on the system that executes AIDE to scan for changes to the system baseline. The commands used in the example will use a daily occurrence. - -Check the "/etc/cron.daily" subdirectory for a "crontab" file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following commands: - -# ls -al /etc/cron.daily | grep aide --rwxr-xr-x 1 root root 32 Jul 1 2011 aide - -AIDE does not have a configuration that will send a notification, so the cron job uses the mail application on the system to email the results of the file integrity run as in the following example: - -# more /etc/cron.daily/aide -0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil - -If the file integrity application does not notify designated personnel of changes, this is a finding. 
- - - - - SRG-OS-000366-GPOS-00153 - <GroupDescription></GroupDescription> - - RHEL-07-020050 - The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. - <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - -Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. - -Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. 
This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001749 - Configure the operating system to verify the signature of packages from a repository prior to install by setting the following option in the "/etc/yum.conf" file: - -gpgcheck=1 - - - - Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization. - -Check that yum verifies the signature of packages from a repository prior to install with the following command: - -# grep gpgcheck /etc/yum.conf -gpgcheck=1 - -If "gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. - -If there is no process to validate certificates that is approved by the organization, this is a finding. - - - - - SRG-OS-000366-GPOS-00153 - <GroupDescription></GroupDescription> - - RHEL-07-020060 - The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. 
- <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - -Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. - -Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001749 - Configure the operating system to verify the signature of local packages prior to install by setting the following option in the "/etc/yum.conf" file: - -localpkg_gpgcheck=1 - - - - Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification that they have been digitally signed using a certificate that is recognized and approved by the organization. 
- -Check that yum verifies the signature of local packages prior to install with the following command: - -# grep localpkg_gpgcheck /etc/yum.conf -localpkg_gpgcheck=1 - -If "localpkg_gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the signatures of local packages and other operating system components are verified. - -If there is no process to validate the signatures of local packages that is approved by the organization, this is a finding. - - - - - SRG-OS-000366-GPOS-00153 - <GroupDescription></GroupDescription> - - RHEL-07-020070 - The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata. - <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - -Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. - -Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. 
This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certificate Authority.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001749 - Configure the operating system to verify the repository metadata by setting the following options in the "/etc/yum.conf" file: - -repo_gpgcheck=1 - - - - Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification of the repository metadata. - -Check that yum verifies the package metadata prior to install with the following command: - -# grep repo_gpgcheck /etc/yum.conf -repo_gpgcheck=1 - -If "repo_gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the metadata of local packages and other operating system components are verified. - -If there is no process to validate the metadata of packages that is approved by the organization, this is a finding. - - - - - SRG-OS-000114-GPOS-00059 - <GroupDescription></GroupDescription> - - RHEL-07-020100 - USB mass storage must be disabled. - <VulnDiscussion>USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. 
- -Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - CCI-000778 - CCI-001958 - Configure the operating system to disable the ability to use USB mass storage devices. - -Create a file under "/etc/modprobe.d" with the following command: - -#touch /etc/modprobe.d/nousbstorage - -Add the following line to the created file: - -install usb-storage /bin/true - - - - If there is an HBSS with a Device Control Module and a Data Loss Prevention mechanism, this requirement is not applicable. - -Verify the operating system disables the ability to use USB mass storage devices. - -Check to see if USB mass storage is disabled with the following command: - -#grep -i usb-storage /etc/modprobe.d/* - -install usb-storage /bin/true - -If the command does not return any output, and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. - - - - - SRG-OS-000114-GPOS-00059 - <GroupDescription></GroupDescription> - - RHEL-07-020110 - File system automounter must be disabled unless required. - <VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. 
- -Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - CCI-000778 - CCI-001958 - Configure the operating system to disable the ability to automount devices. - -Turn off the automount service with the following command: - -# systemctl disable autofs - -If "autofs" is required for Network File System (NFS), it must be documented with the ISSO. - - - - Verify the operating system disables the ability to automount devices. - -Check to see if automounter service is active with the following command: - -# systemctl status autofs -autofs.service - Automounts filesystems on demand - Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled) - Active: inactive (dead) - -If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. - - - - - SRG-OS-000437-GPOS-00194 - <GroupDescription></GroupDescription> - - RHEL-07-020200 - The operating system must remove all software components after updated versions have been installed. - <VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. 
Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-002617 - Configure the operating system to remove all software components after updated versions have been installed. - -Set the "clean_requirements_on_remove" option to "1" in the "/etc/yum.conf" file: - -clean_requirements_on_remove=1 - - - - Verify the operating system removes all software components after updated versions have been installed. - -Check if yum is configured to remove unneeded packages with the following command: - -# grep -i clean_requirements_on_remove /etc/yum.conf -clean_requirements_on_remove=1 - -If "clean_requirements_on_remove" is not set to "1", "True", or "yes", or is not set in "/etc/yum.conf", this is a finding. - - - - - SRG-OS-000445-GPOS-00199 - <GroupDescription></GroupDescription> - - RHEL-07-020210 - The operating system must enable SELinux. - <VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. 
- -This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-002165 - CCI-002696 - Configure the operating system to verify correct operation of all security functions. - -Set the "SELinux" status and the "Enforcing" mode by modifying the "/etc/selinux/config" file to have the following line: - -SELINUX=enforcing - -A reboot is required for the changes to take effect. - - - - Verify the operating system verifies correct operation of all security functions. - -Check if "SELinux" is active and in "Enforcing" mode with the following command: - -# getenforce -Enforcing - -If "SELinux" is not active and not in "Enforcing" mode, this is a finding. - - - - - SRG-OS-000445-GPOS-00199 - <GroupDescription></GroupDescription> - - RHEL-07-020220 - The operating system must enable the SELinux targeted policy. - <VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. 
- -This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-002165 - CCI-002696 - Configure the operating system to verify correct operation of all security functions. - -Set the "SELinuxtype" to the "targeted" policy by modifying the "/etc/selinux/config" file to have the following line: - -SELINUXTYPE=targeted - -A reboot is required for the changes to take effect. - - - - Verify the operating system verifies correct operation of all security functions. - -Check if "SELinux" is active and is enforcing the targeted policy with the following command: - -# sestatus -SELinux status: enabled -SELinuxfs mount: /selinu -XCurrent mode: enforcing -Mode from config file: enforcing -Policy version: 24 -Policy from config file: targeted - -If the "Policy from config file" is not set to "targeted", or the "Loaded policy name" is not set to "targeted", this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020230 - The x86 Ctrl-Alt-Delete key sequence must be disabled. - <VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. 
In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the system to disable the Ctrl-Alt_Delete sequence for the command line with the following command: - -# systemctl mask ctrl-alt-del.target - -If GNOME is active on the system, create a database to contain the system-wide setting (if it does not already exist) with the following command: - -# cat /etc/dconf/db/local.d/00-disable-CAD - -Add the setting to disable the Ctrl-Alt_Delete sequence for GNOME: - -[org/gnome/settings-daemon/plugins/media-keys] -logout=’’ - - - - Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed. - -Check that the ctrl-alt-del.service is not active with the following command: - -# systemctl status ctrl-alt-del.service -reboot.target - Reboot - Loaded: loaded (/usr/lib/systemd/system/reboot.target; disabled) - Active: inactive (dead) - Docs: man:systemd.special(7) - -If the ctrl-alt-del.service is active, this is a finding. - - - - - SRG-OS-000480-GPOS-00228 - <GroupDescription></GroupDescription> - - RHEL-07-020240 - The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. 
- <VulnDiscussion>Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. - -Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077": - -UMASK 077 - - - - Verify the operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files. - -Check for the value of the "UMASK" parameter in "/etc/login.defs" file with the following command: - -Note: If the value of the "UMASK" parameter is set to "000" in "/etc/login.defs" file, the Severity is raised to a CAT I. - -# grep -i umask /etc/login.defs -UMASK 077 - -If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020250 - The operating system must be a vendor supported release. - <VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. 
With an unsupported release, it will not be possible to resolve security issues discovered in the system software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Upgrade to a supported version of the operating system. - - - - Verify the version of the operating system is vendor supported. - -Check the version of the operating system with the following command: - -# cat /etc/redhat-release - -Red Hat Enterprise Linux Server release 7.2 (Maipo) - -Current End of Life for RHEL 7.2 is Q4 2020. - -Current End of Life for RHEL 7.3 is 30 June 2024. - -If the release is not supported by the vendor, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020260 - Vendor packaged system security patches and updates must be installed and up to date. - <VulnDiscussion>Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. 
The lack of prompt attention to patching could result in a system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates. - - - - Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). - -Obtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. - -Check that the available package security updates have been installed on the system with the following command: - -# yum history list | more -Loaded plugins: langpacks, product-id, subscription-manager -ID | Command line | Date and time | Action(s) | Altered -------------------------------------------------------------------------------- - 70 | install aide | 2016-05-05 10:58 | Install | 1 - 69 | update -y | 2016-05-04 14:34 | Update | 18 EE - 68 | install vlc | 2016-04-21 17:12 | Install | 21 - 67 | update -y | 2016-04-21 17:04 | Update | 7 EE - 66 | update -y | 2016-04-15 16:47 | E, I, U | 84 EE - -If package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding. 
- -Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. - -If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020270 - The system must not have unnecessary accounts. - <VulnDiscussion>Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the system so all accounts on the system are assigned to an active system, application, or user account. - -Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. - -Document all authorized accounts on the system. - - - - Verify all accounts on the system are assigned to an active system, application, or user account. - -Obtain the list of authorized system accounts from the Information System Security Officer (ISSO). 
- -Check the system accounts on the system with the following command: - -# more /etc/passwd -root:x:0:0:root:/root:/bin/bash -bin:x:1:1:bin:/bin:/sbin/nologin -daemon:x:2:2:daemon:/sbin:/sbin/nologin -sync:x:5:0:sync:/sbin:/bin/sync -shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown -halt:x:7:0:halt:/sbin:/sbin/halt -games:x:12:100:games:/usr/games:/sbin/nologin -gopher:x:13:30:gopher:/var/gopher:/sbin/nologin - -Accounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions. - -If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding. - - - - - SRG-OS-000104-GPOS-00051 - <GroupDescription></GroupDescription> - - RHEL-07-020300 - All Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file. - <VulnDiscussion>If a user is assigned the GID of a group not existing on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000764 - Configure the system to define all GIDs found in the "/etc/passwd" file by modifying the "/etc/group" file to add any non-existent group referenced in the "/etc/passwd" file, or change the GIDs referenced in the "/etc/passwd" file to a group that exists in "/etc/group". - - - - Verify all GIDs referenced in the "/etc/passwd" file are defined in the "/etc/group" file. 
- -Check that all referenced GIDs exist with the following command: - -# pwck -r - -If GIDs referenced in "/etc/passwd" file are returned as not defined in "/etc/group" file, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020310 - The root account must be the only account having unrestricted access to the system. - <VulnDiscussion>If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Change the UID of any account on the system, other than root, that has a UID of "0". - -If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned. - - - - Check the system for duplicate UID "0" assignments with the following command: - -# awk -F: '$3 == 0 {print $1}' /etc/passwd - -If any accounts other than root have a UID of "0", this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020320 - All files and directories must have a valid owner. 
- <VulnDiscussion>Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-002165 - Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the "chown" command: - -# chown <user> <file> - - - - Verify all files and directories on the system have a valid owner. - -Check the owner of all files and directories with the following command: - -Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example. - -# find / -xdev -fstype xfs -nouser - -If any files on the system do not have an assigned owner, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020330 - All files and directories must have a valid group owner. 
- <VulnDiscussion>Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-002165 - Either remove all files and directories from the system that do not have a valid group, or assign a valid group to all files and directories on the system with the "chgrp" command: - -# chgrp <group> <file> - - - - Verify all files and directories on the system have a valid group. - -Check the owner of all files and directories with the following command: - -Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example. - -# find / -xdev -fstype xfs -nogroup - -If any files on the system do not have an assigned group, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020600 - All local interactive users must have a home directory assigned in the /etc/passwd file. 
- <VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Assign home directories to all local interactive users that currently do not have a home directory assigned. - - - - Verify local interactive users on the system have a home directory assigned. - -Check for missing local interactive user home directories with the following command: - -# pwck -r -user 'lp': directory '/var/spool/lpd' does not exist -user 'news': directory '/var/spool/news' does not exist -user 'uucp': directory '/var/spool/uucp' does not exist -user 'smithj': directory '/home/smithj' does not exist - -Ask the System Administrator (SA) if any users found without home directories are local interactive users. If the SA is unable to provide a response, check for users with a User Identifier (UID) of 1000 or greater with the following command: - -# cut -d: -f 1,3 /etc/passwd | egrep ":[1-4][0-9]{2}$|:[0-9]{1,2}$" - -If any interactive users do not have a home directory assigned, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020610 - All local interactive user accounts, upon creation, must be assigned a home directory. 
- <VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows. - -CREATE_HOME yes - - - - Verify all local interactive users on the system are assigned a home directory upon creation. - -Check to see if the system is configured to create home directories for local interactive users with the following command: - -# grep -i create_home /etc/login.defs -CREATE_HOME yes - -If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020620 - All local interactive user home directories defined in the /etc/passwd file must exist. - <VulnDiscussion>If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. 
This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/ passwd": - -Note: The example will be for the user smithj, who has a home directory of "/home/smithj", a UID of "smithj", and a Group Identifier (GID) of "users assigned" in "/etc/passwd". - -# mkdir /home/smithj -# chown smithj /home/smithj -# chgrp users /home/smithj -# chmod 0750 /home/smithj - - - - Verify the assigned home directory of all local interactive users on the system exists. - -Check the home directory assignment for all local interactive non-privileged users on the system with the following command: - -# cut -d: -f 1,3 /etc/passwd | egrep ":[1-9][0-9]{2}$|:[0-9]{1,2}$" -smithj /home/smithj - -Note: This may miss interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. - -Check that all referenced home directories exist with the following command: - -# pwck -r -user 'smithj': directory '/home/smithj' does not exist - -If any home directories referenced in "/etc/passwd" are returned as not defined, this is a finding. 
- - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020630 - All local interactive user home directories must have mode 0750 or less permissive. - <VulnDiscussion>Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Change the mode of interactive user’s home directories to "0750". To change the mode of a local interactive user’s home directory, use the following command: - -Note: The example will be for the user "smithj". - -# chmod 0750 /home/smithj - - - - Verify the assigned home directory of all local interactive users has a mode of "0750" or less permissive. - -Check the home directory assignment for all non-privileged users on the system with the following command: - -Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. - -# ls -ld $ (egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6) --rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj - -If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020640 - All local interactive user home directories must be owned by their respective users. 
- <VulnDiscussion>If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Change the owner of a local interactive user’s home directories to that owner. To change the owner of a local interactive user’s home directory, use the following command: - -Note: The example will be for the user smithj, who has a home directory of "/home/smithj". - -# chown smithj /home/smithj - - - - Verify the assigned home directory of all local interactive users on the system exists. - -Check the home directory assignment for all local interactive non-privileged users on the system with the following command: - -Note: This may miss interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. - -# ls -ld $ (egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6) --rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj - -If any home directories referenced in "/etc/passwd" are returned as not defined, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020650 - All local interactive user home directories must be group-owned by the home directory owners primary group. 
- <VulnDiscussion>If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Change the group owner of a local interactive user’s home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user’s home directory, use the following command: - -Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users. - -# chgrp users /home/smithj - - - - Verify the assigned home directory of all local interactive users is group-owned by that user’s primary GID. - -Check the home directory assignment for all non-privileged users on the system with the following command: - -Note: This may miss local interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. - -# ls -ld $ (egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6) --rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj - -Check the user's primary group with the following command: - -# grep users /etc/group -users:x:250:smithj,jonesj,jacksons - -If the user home directory referenced in "/etc/passwd" is not group-owned by that user’s primary GID, this is a finding. 
- - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020660 - All files and directories contained in local interactive user home directories must be owned by the owner of the home directory. - <VulnDiscussion>If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Change the owner of a local interactive user’s files and directories to that owner. To change the owner of a local interactive user’s files and directories, use the following command: - -Note: The example will be for the user smithj, who has a home directory of "/home/smithj". - -# chown smithj /home/smithj/<file or directory> - - - - Verify all files and directories in a local interactive user’s home directory are owned by the user. - -Check the owner of all files and directories in a local interactive user’s home directory with the following command: - -Note: The example will be for the user "smithj", who has a home directory of "/home/smithj". - -# ls -lLR /home/smithj --rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1 --rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2 --rw-r--r-- 1 smithj smithj 231 Mar 5 17:06 file3 - -If any files are found with an owner different than the home directory user, this is a finding. 
- - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020670 - All files and directories contained in local interactive user home directories must be group-owned by a group of which the home directory owner is a member. - <VulnDiscussion>If a local interactive user’s files are group-owned by a group of which the user is not a member, unintended users may be able to access them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Change the group of a local interactive user’s files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive user’s files and directories, use the following command: - -Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group. - -# chgrp users /home/smithj/<file> - - - - Verify all files and directories in a local interactive user home directory are group-owned by a group the user is a member of. - -Check the group owner of all files and directories in a local interactive user’s home directory with the following command: - -Note: The example will be for the user "smithj", who has a home directory of "/home/smithj". 
- -# ls -lLR /<home directory>/<users home directory>/ --rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1 --rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2 --rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3 - -If any files are found with an owner different than the group home directory user, check to see if the user is a member of that group with the following command: - -# grep smithj /etc/group -sa:x:100:juan,shelley,bob,smithj -smithj:x:521:smithj - -If the user is not a member of a group that group owns file(s) in a local interactive user’s home directory, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020680 - All files and directories contained in local interactive user home directories must have mode 0750 or less permissive. - <VulnDiscussion>If a local interactive user files have excessive permissions, unintended users may be able to access or modify them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Set the mode on files and directories in the local interactive user home directory with the following command: - -Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group. - -# chmod 0750 /home/smithj/<file> - - - - Verify all files and directories contained in a local interactive user home directory, excluding local initialization files, have a mode of "0750". - -Check the mode of all non-initialization files in a local interactive user home directory with the following command: - -Files that begin with a "." are excluded from this requirement. 
- -Note: The example will be for the user "smithj", who has a home directory of "/home/smithj". - -# ls -lLR /home/smithj --rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1 --rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2 --rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3 - -If any files are found with a mode more permissive than "0750", this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020690 - All local initialization files for interactive users must be owned by the home directory user or root. - <VulnDiscussion>Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Set the owner of the local initialization files for interactive users to either the directory owner or root with the following command: - -Note: The example will be for the smithj user, who has a home directory of "/home/smithj". - -# chown smithj /home/smithj/.* - - - - Verify all local initialization files for interactive users are owned by the home directory user or root. - -Check the owner on all local initialization files with the following command: - -Note: The example will be for the "smithj" user, who has a home directory of "/home/smithj". 
- -# ls -al /home/smithj/.* | more --rwxr-xr-x 1 smithj users 896 Mar 10 2011 .bash_profile --rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login --rwxr-xr-x 1 smithj users 886 Jan 6 2007 .profile - -If any file that sets a local interactive user’s environment variables to override the system is not owned by the home directory owner or root, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020700 - Local initialization files for local interactive users must be group-owned by the users primary group or root. - <VulnDiscussion>Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Change the group owner of a local interactive user’s files to the group found in "/etc/passwd" for the user. To change the group owner of a local interactive user home directory, use the following command: - -Note: The example will be for the user smithj, who has a home directory of "/home/smithj", and has a primary group of users. - -# chgrp users /home/smithj/<file> - - - - Verify the local initialization files of all local interactive users are group-owned by that user’s primary Group Identifier (GID). - -Check the home directory assignment for all non-privileged users on the system with the following command: - -Note: The example will be for the smithj user, who has a home directory of "/home/smithj" and a primary group of "users". 
- -# cut -d: -f 1,4,6 /etc/passwd | egrep ":[1-4][0-9]{3}" -smithj:1000:/home/smithj - -# grep 1000 /etc/group -users:x:1000:smithj,jonesj,jacksons - -Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. - -Check the group owner of all local interactive users’ initialization files with the following command: - -# ls -al /home/smithj/.* --rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile --rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login --rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something - -If all local interactive users’ initialization files are not group-owned by that user’s primary GID, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020710 - All local initialization files must have mode 0740 or less permissive. - <VulnDiscussion>Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Set the mode of the local initialization files to "0740" with the following command: - -Note: The example will be for the smithj user, who has a home directory of "/home/smithj". - -# chmod 0740 /home/smithj/.<INIT_FILE> - - - - Verify that all local initialization files have a mode of "0740" or less permissive. 
- -Check the mode on all local initialization files with the following command: - -Note: The example will be for the smithj user, who has a home directory of "/home/smithj". - -# ls -al /home/smithj/.* | more --rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile --rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login --rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something - -If any local initialization files have a mode more permissive than "0740", this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020720 - All local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory. - <VulnDiscussion>The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user’s home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the "/etc/fstab" to use the "nosuid" option on file systems that contain user home directories for interactive users. 
- - - - Verify that all local interactive user initialization files' executable search path statements do not contain statements that will reference a working directory other than the users’ home directory. - -Check the executable search path statement for all local interactive user initialization files in the users' home directory with the following commands: - -Note: The example will be for the smithj user, which has a home directory of "/home/smithj". - -# grep -i path /home/smithj/.* -/home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin -/home/smithj/.bash_profile:export PATH - -If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020730 - Local initialization files must not execute world-writable programs. - <VulnDiscussion>If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Set the mode on files being executed by the local initialization files with the following command: - -# chmod 0755 <file> - - - - Verify that local initialization files do not execute world-writable programs. 
- -Check the system for world-writable files with the following command: - -# find / -perm -002 -type f -exec ls -ld {} \; | more - -For all files listed, check for their presence in the local initialization files with the following commands: - -Note: The example will be for a system that is configured to create users’ home directories in the "/home" directory. - -# grep <file> /home/*/.* - -If any local initialization files are found to reference world-writable files, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-020900 - All system device files must be correctly labeled to prevent unauthorized modification. - <VulnDiscussion>If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000318 - CCI-000368 - CCI-001812 - CCI-001813 - CCI-001814 - Run the following command to determine which package owns the device file: - -# rpm -qf <filename> - -The package can be reinstalled from a yum repository using the command: - -# sudo yum reinstall <packagename> - -Alternatively, the package can be reinstalled from trusted media using the command: - -# sudo rpm -Uvh <packagename> - - - - Verify that all system device files are correctly labeled to prevent unauthorized modification. 
- -List all device files on the system that are incorrectly labeled with the following commands: - -Note: Device files are normally found under "/dev", but applications may place device files in other directories and may necessitate a search of the entire system. - -#find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n" - -#find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n" - -Note: There are device files, such as "/dev/vmci", that are used when the operating system is a host virtual machine. They will not be owned by a user on the system and require the "device_t" label to operate. These device files are not a finding. - -If there is output from either of these commands, other than already noted, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021000 - File systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed. - <VulnDiscussion>The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the "/etc/fstab" to use the "nosuid" option on file systems that contain user home directories. 
- - - - Verify file systems that contain user home directories are mounted with the "nosuid" option. - -Find the file system(s) that contain the user home directories with the following command: - -Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system. - -# cut -d: -f 1,6 /etc/passwd | egrep ":[1-4][0-9]{3}" -smithj:/home/smithj -thomasr:/home/thomasr - -Check the file systems that are mounted at boot time with the following command: - -# more /etc/fstab - -UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid 0 2 - -If a file system found in "/etc/fstab" refers to the user home directory file system and it does not have the "nosuid" option set, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021010 - File systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed. - <VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the "/etc/fstab" to use the "nosuid" option on file systems that are associated with removable media. - - - - Verify file systems that are used for removable media are mounted with the "nouid" option. - -Check the file systems that are mounted at boot time with the following command: - -# more /etc/fstab - -UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0 - -If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021020 - File systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed. - <VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being exported via NFS. - - - - Verify file systems that are being NFS exported are mounted with the "nosuid" option. - -Find the file system(s) that contain the directories being exported with the following command: - -# more /etc/fstab | grep nfs - -UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0 - -If a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021030 - All world-writable directories must be group-owned by root, sys, bin, or an application group. - <VulnDiscussion>If a world-writable directory has the sticky bit set and is not group-owned by a privileged Group Identifier (GID), unauthorized users may be able to modify files created by others. - -The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. 
The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Change the group of the world-writable directories to root with the following command: - -# chgrp root <directory> - - - - Verify all world-writable directories are group-owned by root, sys, bin, or an application group. - -Check the system for world-writable directories with the following command: - -Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example. - -# find / -perm -002 -xdev -type d -fstype xfs -exec ls -lLd {} \; -drwxrwxrwt. 2 root root 40 Aug 26 13:07 /dev/mqueue -drwxrwxrwt. 2 root root 220 Aug 26 13:23 /dev/shm -drwxrwxrwt. 14 root root 4096 Aug 26 13:29 /tmp - -If any world-writable directories are not owned by root, sys, bin, or an application group associated with the directory, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021040 - The umask must be set to 077 for all local interactive user accounts. - <VulnDiscussion>The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". 
This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000318 - CCI-000368 - CCI-001812 - CCI-001813 - CCI-001814 - Remove the umask statement from all local interactive users’ initialization files. - -If the account is for an application, the requirement for a umask less restrictive than "077" can be documented with the Information System Security Officer, but the user agreement for access to the account must specify that the local interactive user must log on to their account first and then switch the user to the application account with the correct option to gain the account’s environment variables. - - - - Verify that the default umask for all local interactive users is "077". - -Identify the locations of all local interactive user home directories by looking at the "/etc/passwd" file. - -Check all local interactive user initialization files for interactive users with the following command: - -Note: The example is for a system that is configured to create users home directories in the "/home" directory. - -# grep -i umask /home/*/.* - -If any local interactive user initialization files are found to have a umask statement that has a value less restrictive than "077", this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021100 - Cron logging must be implemented. - <VulnDiscussion>Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. 
It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf": - -cron.* /var/log/cron.log - -Note: The line must be added before the following entry if it exists in "/etc/rsyslog.conf": - -*.* ~ # discards everything - - - - Verify that "rsyslog" is configured to log cron events. - -Check the configuration of "/etc/rsyslog.conf" for the cron facility with the following command: - -Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf". - -# grep cron /etc/rsyslog.conf -cron.* /var/log/cron.log - -If the command does not return a response, check for cron logging all facilities by inspecting the "/etc/rsyslog.conf" file: - -# more /etc/rsyslog.conf - -Look for the following entry: - -*.* /var/log/messages - -If "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding. - -If the entry is in the "/etc/rsyslog.conf" file but is after the entry "*.*", this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021110 - If the cron.allow file exists it must be owned by root. 
- <VulnDiscussion>If the owner of the "cron.allow" file is not set to root, the possibility exists for an unauthorized user to view or to edit sensitive information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Set the owner on the "/etc/cron.allow" file to root with the following command: - -# chown root /etc/cron.allow - - - - Verify that the "cron.allow" file is owned by root. - -Check the owner of the "cron.allow" file with the following command: - -# l s -al /etc/cron.allow --rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow - -If the "cron.allow" file exists and has an owner other than root, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021120 - If the cron.allow file exists it must be group-owned by root. - <VulnDiscussion>If the group owner of the "cron.allow" file is not set to root, sensitive information could be viewed or edited by unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Set the group owner on the "/etc/cron.allow" file to root with the following command: - -# chgrp root /etc/cron.allow - - - - Verify that the "cron.allow" file is group-owned by root. 
- -Check the group owner of the "cron.allow" file with the following command: - -# ls -al /etc/cron.allow --rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow - -If the "cron.allow" file exists and has a group owner other than root, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021300 - Kernel core dumps must be disabled unless needed. - <VulnDiscussion>Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - If kernel core dumps are not required, disable the "kdump" service with the following command: - -# systemctl disable kdump.service - -If kernel core dumps are required, document the need with the ISSO. - - - - Verify that kernel core dumps are disabled unless needed. - -Check the status of the "kdump" service with the following command: - -# systemctl status kdump.service -kdump.service - Crash recovery kernel arming - Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled) - Active: active (exited) since Wed 2015-08-26 13:08:09 EDT; 43min ago - Main PID: 1130 (code=exited, status=0/SUCCESS) -kernel arming. - -If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO). - -If the service is active and is not documented, this is a finding. 
- - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021310 - A separate file system must be used for user home directories (such as /home or an equivalent). - <VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Migrate the "/home" directory onto a separate file system/partition. - - - - Verify that a separate file system/partition has been created for non-privileged local interactive user home directories. - -Check the home directory assignment for all non-privileged users (those with a UID greater than 1000) on the system with the following command: - -#cut -d: -f 1,3,6,7 /etc/passwd | egrep ":[1-4][0-9]{3}" | tr ":" "\t" - -adamsj /home/adamsj /bin/bash -jacksonm /home/jacksonm /bin/bash -smithj /home/smithj /bin/bash - -The output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, /home) and users’ shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users. - -Check that a file system/partition has been created for the non-privileged interactive users with the following command: - -Note: The partition of /home is used in the example. 
- -# grep /home /etc/fstab -UUID=333ada18 /home ext4 noatime,nobarrier,nodev 1 2 - -If a separate entry for the file system/partition that contains the non-privileged interactive users' home directories does not exist, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021320 - The system must use a separate file system for /var. - <VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Migrate the "/var" path onto a separate file system. - - - - Verify that a separate file system/partition has been created for "/var". - -Check that a file system/partition has been created for "/var" with the following command: - -# grep /var /etc/fstab -UUID=c274f65f /var ext4 noatime,nobarrier 1 2 - -If a separate entry for "/var" is not in use, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021330 - The system must use a separate file system for the system audit data path. 
- <VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Migrate the system audit data path onto a separate file system. - - - - Verify the file integrity tool is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories. - -Note: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2 approved cryptographic algorithms and hashes. - -Check to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command: - -# yum list installed aide - -If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. - -If there is no application installed to perform file integrity checks, this is a finding. - -Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. - -Use the following command to determine if the file is in another location: - -# find / -name aide.conf - -Check the "aide.conf" file to determine if the "sha512" rule has been added to the rule list being applied to the files and directories selection lists. 
- -An example rule that includes the "sha512" rule follows: - -All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux -/bin All # apply the custom rule to the files in bin -/sbin All # apply the same custom rule to the files in sbin - -If the "sha512" rule is not being used on all selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2 approved cryptographic hashes for validating file contents and directories, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021340 - The system must use a separate file system for /tmp (or equivalent). - <VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Start the "tmp.mount" service with the following command: - -# systemctl enable tmp.mount - - - - Verify that a separate file system/partition has been created for "/tmp". - -Check that a file system/partition has been created for "/tmp" with the following command: - -# systemctl is-enabled tmp.mount -enabled - -If the "tmp.mount" service is not enabled, this is a finding. 
- - - - - SRG-OS-000033-GPOS-00014 - <GroupDescription></GroupDescription> - - RHEL-07-021350 - The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. - <VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. - -Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000068 - CCI-001199 - CCI-002450 - CCI-002476 - Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package. - -To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. 
- -Configure the operating system to implement DoD-approved encryption by following the steps below: - -The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users should also ensure that the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a non-unique key. - -For proper operation of the in-module integrity verification, the prelink has to be disabled. This can be done by configuring PRELINKING=no in the "/etc/sysconfig/prelink" configuration file. Existing prelinking, if any, should be undone on all system files using the prelink -u -a command. - -Install the dracut-fips package with the following command: - -# yum install dracut-fips - -Recreate the "initramfs" file with the following command: - -Note: This command will overwrite the existing "initramfs" file. - -# dracut -f - -Modify the kernel command line of the current kernel in the "grub.cfg" file by adding the following option to the GRUB_CMDLINE_LINUX key in the "/etc/default/grub" file and then rebuild the "grub.cfg" file: - -fips=1 - -Changes to "/etc/default/grub" require rebuilding the "grub.cfg" file as follows: - -On BIOS-based machines, use the following command: - -# grub2-mkconfig -o /boot/grub2/grub.cfg - -On UEFI-based machines, use the following command: - -# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg - -If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=<partition of /boot or /boot/efi> must be added to the kernel command line. 
You can identify a partition by running the df /boot or df /boot/efi command: - -# df /boot -Filesystem 1K-blocks Used Available Use% Mounted on -/dev/sda1 495844 53780 416464 12% /boot - -To ensure the boot= configuration option will work even if device naming changes between boots, identify the universally unique identifier (UUID) of the partition with the following command: - -# blkid /dev/sda1 -/dev/sda1: UUID="05c000f1-a213-759e-c7a2-f11b7424c797" TYPE="ext4" - -For the example above, append the following string to the kernel command line: - -boot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797 - -Reboot the system for the changes to take effect. - - - - Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions. - -Check to see if the "dracut-fips" package is installed with the following command: - -# yum list installed | grep dracut-fips - -dracut-fips-033-360.el7_2.x86_64.rpm - -If a "dracut-fips" package is installed, check to see if the kernel command line is configured to use FIPS mode with the following command: - -Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines. - -# grep fips /boot/grub2/grub.cfg -/vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet - -If the kernel command line is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command: - -# cat /proc/sys/crypto/fips_enabled -1 - -If a "dracut-fips" package is not installed, the kernel command line does not have a fips entry, or the system has a value of "0" for "fips_enabled" in "/proc/sys/crypto", this is a finding. 
- - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021600 - The file integrity tool must be configured to verify Access Control Lists (ACLs). - <VulnDiscussion>ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the file integrity tool to check file and directory ACLs. - -If AIDE is installed, ensure the "acl" rule is present on all file and directory selection lists. - - - - Verify the file integrity tool is configured to verify ACLs. - -Check to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command: - -# yum list installed aide - -If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. - -If there is no application installed to perform file integrity checks, this is a finding. - -Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. - -Use the following command to determine if the file is in another location: - -# find / -name aide.conf - -Check the "aide.conf" file to determine if the "acl" rule has been added to the rule list being applied to the files and directories selection lists. 
- -An example rule that includes the "acl" rule is below: - -All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux -/bin All # apply the custom rule to the files in bin -/sbin All # apply the same custom rule to the files in sbin - -If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, or ACLs are not being checked by another file integrity tool, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021610 - The file integrity tool must be configured to verify extended attributes. - <VulnDiscussion>Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the file integrity tool to check file and directory extended attributes. - -If AIDE is installed, ensure the "xattrs" rule is present on all file and directory selection lists. - - - - Verify the file integrity tool is configured to verify extended attributes. - -Check to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command: - -# yum list installed aide - -If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. - -If there is no application installed to perform file integrity checks, this is a finding. - -Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. 
- -Use the following command to determine if the file is in another location: - -# find / -name aide.conf - -Check the "aide.conf" file to determine if the "xattrs" rule has been added to the rule list being applied to the files and directories selection lists. - -An example rule that includes the "xattrs" rule follows: - -All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux -/bin All # apply the custom rule to the files in bin -/sbin All # apply the same custom rule to the files in sbin - -If the "xattrs" rule is not being used on all selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021620 - The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents and directories. - <VulnDiscussion>File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and directory contents. - -If AIDE is installed, ensure the "sha512" rule is present on all file and directory selection lists. - - - - Verify the file integrity tool is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories. 
- -Note: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2 approved cryptographic algorithms and hashes. - -Check to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command: - -# yum list installed aide - -If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. - -If there is no application installed to perform file integrity checks, this is a finding. - -Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. - -Use the following command to determine if the file is in another location: - -# find / -name aide.conf - -Check the "aide.conf" file to determine if the "sha512" rule has been added to the rule list being applied to the files and directories selection lists. - -An example rule that includes the "sha512" rule follows: - -All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux -/bin All # apply the custom rule to the files in bin -/sbin All # apply the same custom rule to the files in sbin - -If the "sha512" rule is not being used on all selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2 approved cryptographic hashes for validating file contents and directories, this is a finding. - - - - - SRG-OS-000364-GPOS-00151 - <GroupDescription></GroupDescription> - - RHEL-07-021700 - The system must not allow removable media to be used as the boot loader unless approved. - <VulnDiscussion>Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. 
If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000318 - CCI-000368 - CCI-001812 - CCI-001813 - CCI-001814 - Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO. - - - - Verify the system is not configured to use a boot loader on removable media. - -Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines. - -Check for the existence of alternate boot loader configuration files with the following command: - -# find / -name grub.cfg -/boot/grub2/grub.cfg - -If a "grub.cfg" is found in any subdirectories other than "/boot/grub2" and "/boot/efi/EFI/redhat", ask the System Administrator if there is documentation signed by the ISSO to approve the use of removable media as a boot loader. - -Check that the grub configuration file has the set root command in each menu entry with the following commands: - -# grep -c menuentry /boot/grub2/grub.cfg -1 -# grep ‘set root’ /boot/grub2/grub.cfg -set root=(hd0,1) - -If the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding. - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - RHEL-07-021710 - The telnet-server package must not be installed. 
- <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). - -Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000381 - Configure the operating system to disable non-essential capabilities by removing the telnet-server package from the system with the following command: - -# yum remove telnet-server - - - - Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed. - -The telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session. - -If a privileged user were to log on using this service, the privileged user password could be compromised. 
- -Check to see if the telnet-server package is installed with the following command: - -# yum list installed | grep telnet-server - -If the telnet-server package is installed, this is a finding. - - - - - SRG-OS-000038-GPOS-00016 - <GroupDescription></GroupDescription> - - RHEL-07-030000 - Auditing must be configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. - -These audit records must also identify individual identities of group account users. - <VulnDiscussion>Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - -Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - -Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. 
- -Satisfies: SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000126 - CCI-000131 - Configure the operating system to produce audit records containing information to establish when (date and time) the events occurred. - -Enable the auditd service with the following command: - -# chkconfig auditd on - - - - Verify the operating system produces audit records containing information to establish when (date and time) the events occurred. - -Check to see if auditing is active by issuing the following command: - -# systemctl is-active auditd.service -Active: active (running) since Tue 2015-01-27 19:41:23 EST; 22h ago - -If the "auditd" status is not active, this is a finding. - - - - - SRG-OS-000046-GPOS-00022 - <GroupDescription></GroupDescription> - - RHEL-07-030010 - The operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure. - <VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. 
- -Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. - -This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. - -Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000139 - Configure the operating system to shut down in the event of an audit processing failure. - -Add or correct the option to shut down the operating system with the following command: - -# auditctl -f 2 - -If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure with the following command: - -# auditctl -f 1 - -Kernel log monitoring must also be configured to properly alert designated staff. - -The audit daemon must be restarted for the changes to take effect. - - - - Confirm the audit configuration regarding how auditing processing failures are handled. - -Check to see what level "auditctl" is set to with following command: - -# auditctl -l | grep /-f - -f 2 - -If the value of "-f" is set to "2", the system is configured to panic (shut down) in the event of an auditing failure. 
- -If the value of "-f" is set to "1", the system is configured to only send information to the kernel log regarding the failure. - -If the "-f" flag is not set, this is a CAT I finding. - -If the "-f" flag is set to any value other than "1" or "2", this is a CAT II finding. - -If the "-f" flag is set to "1" but the availability concern is not documented or there is no monitoring of the kernel log, this is a CAT III finding. - - - - - SRG-OS-000342-GPOS-00133 - <GroupDescription></GroupDescription> - - RHEL-07-030300 - The operating system must off-load audit records onto a different system or media from the system being audited. - <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Off-loading is a common process in information systems with limited audit storage capacity. - -Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001851 - Configure the operating system to off-load audit records onto a different system or media from the system being audited. - -Set the remote server option in "/etc/audisp/audisp-remote.conf" with the IP address of the log aggregation server. - - - - Verify the operating system off-loads audit records onto a different system or media from the system being audited. 
- -To determine the remote server that the records are being sent to, use the following command: - -# grep -i remote_server /etc/audisp/audisp-remote.conf -remote_server = 10.0.21.1 - -If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. - -If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding. - - - - - SRG-OS-000342-GPOS-00133 - <GroupDescription></GroupDescription> - - RHEL-07-030310 - The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited. - <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Off-loading is a common process in information systems with limited audit storage capacity. - -Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001851 - Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. - -Uncomment the "enable_krb5" option in "/etc/audisp/audisp-remote.conf" and set it with the following line: - -enable_krb5 = yes - - - - Verify the operating system encrypts audit records off-loaded onto a different system or media from the system being audited. 
- -To determine if the transfer is encrypted, use the following command: - -# grep -i enable_krb5 /etc/audisp/audisp-remote.conf -enable_krb5 = yes - -If the value of the "enable_krb5" option is not set to "yes" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. - -If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding. - - - - - SRG-OS-000342-GPOS-00133 - <GroupDescription></GroupDescription> - - RHEL-07-030320 - The audit system must take appropriate action when the audit storage volume is full. - <VulnDiscussion>Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001851 - Configure the action the operating system takes if the disk the audit records are written to becomes full. - -Uncomment or edit the "disk_full_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt", such as the following line: - -disk_full_action = single - -Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt". - - - - Verify the action the operating system takes if the disk the audit records are written to becomes full. 
- -To determine the action that takes place if the disk is full on the remote server, use the following command: - -# grep -i disk_full_action /etc/audisp/audisp-remote.conf -disk_full_action = single - -To determine the action that takes place if the network connection fails, use the following command: - -# grep -i network_failure_action /etc/audisp/audisp-remote.conf -network_failure_action = stop - -If the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding. - -If the value of the "disk_full_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding. - - - - - SRG-OS-000343-GPOS-00134 - <GroupDescription></GroupDescription> - - RHEL-07-030330 - The operating system must immediately notify the System Administrator (SA) and Information System Security Officer ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. - <VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001855 - Configure the operating system to immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. 
- -Check the system configuration to determine the partition the audit records are being written to: - -# grep log_file /etc/audit/auditd.conf - -Determine the size of the partition that audit records are written to (with the example being "/var/log/audit/"): - -# df -h /var/log/audit/ - -Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 75 percent of the partition size. - - - - Verify the operating system immediately notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. - -Check the system configuration to determine the partition the audit records are being written to with the following command: - -# grep log_file /etc/audit/auditd.conf -log_file = /var/log/audit/audit.log - -Check the size of the partition that audit records are written to (with the example being "/var/log/audit/"): - -# df -h /var/log/audit/ -0.9G /var/log/audit - -If the audit records are not being written to a partition specifically created for audit records (in this example "/var/log/audit" is a separate partition), determine the amount of space other files in the partition are currently occupying with the following command: - -# du -sh <partition> -1.8G /var - -Determine what the threshold is for the system to take action when 75 percent of the repository maximum audit record storage capacity is reached: - -# grep -i space_left /etc/audit/auditd.conf -space_left = 225 - -If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding. - - - - - SRG-OS-000343-GPOS-00134 - <GroupDescription></GroupDescription> - - RHEL-07-030340 - The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. 
- <VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001855 - Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. - -Uncomment or edit the "space_left_action" keyword in "/etc/audit/auditd.conf" and set it to "email". - -space_left_action = email - - - - Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. - -Check what action the operating system takes when the threshold for the repository maximum audit record storage capacity is reached with the following command: - -# grep -i space_left_action /etc/audit/auditd.conf -space_left_action = email - -If the value of the "space_left_action" keyword is not set to "email", this is a finding. - - - - - SRG-OS-000343-GPOS-00134 - <GroupDescription></GroupDescription> - - RHEL-07-030350 - The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. 
- <VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001855 - Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. - -Uncomment or edit the "action_mail_acct" keyword in "/etc/audit/auditd.conf" and set it to root and any other accounts associated with security personnel. - -action_mail_acct = root - - - - Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. - -Check what account the operating system emails when the threshold for the repository maximum audit record storage capacity is reached with the following command: - -# grep -i action_mail_acct /etc/audit/auditd.conf -action_mail_acct = root - -If the value of the "action_mail_acct" keyword is not set to "root" and other accounts for security personnel, this is a finding. - - - - - SRG-OS-000327-GPOS-00127 - <GroupDescription></GroupDescription> - - RHEL-07-030360 - All privileged function executions must be audited. 
- <VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-002234 - Configure the operating system to audit the execution of privileged functions. - -To find the relevant "setuid"/"setgid" programs, run the following command for each local partition [PART]: - -# find [PART] -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null - -For each "setuid"/"setgid" program on the system, which is not covered by an audit rule for a (sub) directory (such as "/usr/sbin"), add a line of the following form to "/etc/audit/audit.rules", where <suid_prog_with_full_path> is the full path to each "setuid"/"setgid" program in the list: - --a always,exit -F <suid_prog_with_full_path> -F perm=x -F auid>=1000 -F auid!=4294967295 -k setuid/setgid - - - - Verify the operating system audits the execution of privileged functions. 
- -To find relevant setuid and setgid programs, use the following command once for each local partition [PART]: - -# find [PART] -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null - -Run the following command to verify entries in the audit rules for all programs found with the previous command: - -# grep <suid_prog_with_full_path> -a always,exit -F <suid_prog_with_full_path> -F perm=x -F auid>=1000 -F auid!=4294967295 -k setuid/setgid - -All "setuid" and "setgid" files on the system must have a corresponding audit rule, or must have an audit rule for the (sub) directory that contains the "setuid"/"setgid" file. - -If all "setuid"/"setgid" files on the system do not have audit rule coverage, this is a finding. - - - - - SRG-OS-000064-GPOS-00033 - <GroupDescription></GroupDescription> - - RHEL-07-030370 - All uses of the chown command must be audited. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000126 - CCI-000172 - Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chown" command occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. - -# grep -i chown /etc/audit/audit.rules - --a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000064-GPOS-00033 - <GroupDescription></GroupDescription> - - RHEL-07-030380 - All uses of the fchown command must be audited. 
- <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000126 - CCI-000172 - Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchown" command occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. 
- -# grep -i fchown /etc/audit/audit.rules - --a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000064-GPOS-00033 - <GroupDescription></GroupDescription> - - RHEL-07-030390 - All uses of the lchown command must be audited. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000126 - CCI-000172 - Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lchown" command occur. 
- -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. - -# grep -i lchown /etc/audit/audit.rules - --a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000064-GPOS-00033 - <GroupDescription></GroupDescription> - - RHEL-07-030400 - All uses of the fchownat command must be audited. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000126 - CCI-000172 - Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchownat" command occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. - -# grep -i fchownat /etc/audit/audit.rules - --a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000458-GPOS-00203 - <GroupDescription></GroupDescription> - - RHEL-07-030410 - All uses of the chmod command must be audited. 
- <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chmod" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chmod" command occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following command: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. 
- -# grep -i chmod /etc/audit/audit.rules - --a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000458-GPOS-00203 - <GroupDescription></GroupDescription> - - RHEL-07-030420 - All uses of the fchmod command must be audited. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fchmod" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchmod" command occur. 
- -Check the file system rules in "/etc/audit/audit.rules" with the following command: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. - -# grep -i fchmod /etc/audit/audit.rules - --a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000458-GPOS-00203 - <GroupDescription></GroupDescription> - - RHEL-07-030430 - All uses of the fchmodat command must be audited. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fchmodat" command occur. 
- -Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchmodat" command occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following command: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. - -# grep -i fchmodat /etc/audit/audit.rules - --a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000458-GPOS-00203 - <GroupDescription></GroupDescription> - - RHEL-07-030440 - All uses of the setxattr command must be audited. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- -Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setxattr" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setxattr" command occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. - -# grep -i setxattr /etc/audit/audit.rules - --a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000458-GPOS-00203 - <GroupDescription></GroupDescription> - - RHEL-07-030450 - All uses of the fsetxattr command must be audited. 
- <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fsetxattr" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fsetxattr" command occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. 
- -# grep -i fsetxattr /etc/audit/audit.rules - --a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000458-GPOS-00203 - <GroupDescription></GroupDescription> - - RHEL-07-030460 - All uses of the lsetxattr command must be audited. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "lsetxattr" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - -The audit daemon must be restarted for the changes to take effect. 
- - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lsetxattr" command occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. - -# grep -i lsetxattr /etc/audit/audit.rules - --a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000458-GPOS-00203 - <GroupDescription></GroupDescription> - - RHEL-07-030470 - All uses of the removexattr command must be audited. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "removexattr" command occur. 
- -Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "removexattr" command occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. - -# grep -i removexattr /etc/audit/audit.rules - --a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000458-GPOS-00203 - <GroupDescription></GroupDescription> - - RHEL-07-030480 - All uses of the fremovexattr command must be audited. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- -Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fremovexattr" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fremovexattr" command occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. - -# grep -i fremovexattr /etc/audit/audit.rules - --a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000458-GPOS-00203 - <GroupDescription></GroupDescription> - - RHEL-07-030490 - All uses of the lremovexattr command must be audited. 
- <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "lremovexattr" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lremovexattr" command occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. 
- -# grep -i lremovexattr /etc/audit/audit.rules - --a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - --a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000064-GPOS-00033 - <GroupDescription></GroupDescription> - - RHEL-07-030500 - All uses of the creat command must be audited. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "creat" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access - --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access - -The audit daemon must be restarted for the changes to take effect. 
- - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "creat" command occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. - -# grep -i creat /etc/audit/audit.rules - --a always,exit -F arch=b32 -S creat -Fexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access - --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000064-GPOS-00033 - <GroupDescription></GroupDescription> - - RHEL-07-030510 - All uses of the open command must be audited. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "open" command occur. 
- -Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access - --a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "open" command occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. - -# grep -i open /etc/audit/audit.rules - --a always,exit -F arch=b32 -S open -Fexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access - --a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000064-GPOS-00033 - <GroupDescription></GroupDescription> - - RHEL-07-030520 - All uses of the openat command must be audited. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "openat" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access - --a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "openat" command occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. - -# grep -i openat /etc/audit/audit.rules - --a always,exit -F arch=b32 -S openat -Fexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access - --a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000064-GPOS-00033 - <GroupDescription></GroupDescription> - - RHEL-07-030530 - All uses of the open_by_handle_at command must be audited. 
- <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "open_by_handle_at" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access - --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "open_by_handle_at" command occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. 
- -# grep -i open_by_handle_at /etc/audit/audit.rules - --a always,exit -F arch=b32 -S open_by_handle_at -Fexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access - --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000064-GPOS-00033 - <GroupDescription></GroupDescription> - - RHEL-07-030540 - All uses of the truncate command must be audited. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "truncate" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access - --a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access - -The audit daemon must be restarted for the changes to take effect. 
- - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "truncate" command occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. - -# grep -i truncate /etc/audit/audit.rules - --a always,exit -F arch=b32 -S truncate -Fexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access - --a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000064-GPOS-00033 - <GroupDescription></GroupDescription> - - RHEL-07-030550 - All uses of the ftruncate command must be audited. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ftruncate" command occur. 
- -Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access - --a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ftruncate" command occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. - -# grep -i ftruncate /etc/audit/audit.rules - --a always,exit -F arch=b32 -S ftruncate -Fexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access - --a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000392-GPOS-00172 - <GroupDescription></GroupDescription> - - RHEL-07-030560 - All uses of the semanage command must be audited. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- -Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "semanage" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "semanage" command occur. - -Check the file system rule in "/etc/audit/audit.rules" with the following command: - -# grep -i /usr/sbin/semanage /etc/audit/audit.rules - --a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000392-GPOS-00172 - <GroupDescription></GroupDescription> - - RHEL-07-030570 - All uses of the setsebool command must be audited. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- -Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setsebool" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setsebool" command occur. - -Check the file system rule in "/etc/audit/audit.rules" with the following command: - -# grep -i /usr/sbin/setsebool /etc/audit/audit.rules - --a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000392-GPOS-00172 - <GroupDescription></GroupDescription> - - RHEL-07-030580 - All uses of the chcon command must be audited. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- -Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chcon" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chcon" command occur. - -Check the file system rule in "/etc/audit/audit.rules" with the following command: - -# grep -i /usr/bin/chcon /etc/audit/audit.rules - --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000392-GPOS-00172 - <GroupDescription></GroupDescription> - - RHEL-07-030590 - All uses of the restorecon command must be audited. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- -Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "restorecon" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -k -F privileged-priv_change - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "restorecon" command occur. - -Check the file system rule in "/etc/audit/audit.rules" with the following command: - -# grep -i /usr/sbin/restorecon /etc/audit/audit.rules - --a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000392-GPOS-00172 - <GroupDescription></GroupDescription> - - RHEL-07-030600 - The operating system must generate audit records for all successful/unsuccessful account access count events. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- -Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000126 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful account access count events occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --w /var/log/tallylog -p wa -k logins - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful account access count events occur. - -Check the file system rule in "/etc/audit/audit.rules" with the following commands: - -# grep -i /var/log/tallylog /etc/audit/audit.rules - --w /var/log/tallylog -p wa -k logins - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000392-GPOS-00172 - <GroupDescription></GroupDescription> - - RHEL-07-030610 - The operating system must generate audit records for all unsuccessful account access events. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- -Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000126 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when unsuccessful account access events occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --w /var/run/faillock/ -p wa -k logins - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when unsuccessful account access events occur. - -Check the file system rule in "/etc/audit/audit.rules" with the following commands: - -# grep -i /var/run/faillock /etc/audit/audit.rules - --w /var/run/faillock -p wa -k logins - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000392-GPOS-00172 - <GroupDescription></GroupDescription> - - RHEL-07-030620 - The operating system must generate audit records for all successful account access events. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- -Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000126 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful account access events occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --w /var/log/lastlog -p wa -k logins - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful account access events occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -i /var/log/lastlog /etc/audit/audit.rules - --w /var/log/lastlog -p wa -k logins - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030630 - All uses of the passwd command must be audited. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
- -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "passwd" command occur. - -Check the file system rule in "/etc/audit/audit.rules" with the following command: - -# grep -i /usr/bin/passwd /etc/audit/audit.rules - --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030640 - All uses of the unix_chkpwd command must be audited. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
- -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur. - -Check the file system rule in "/etc/audit/audit.rules" with the following command: - -# grep -i /sbin/unix_chkpwd /etc/audit/audit.rules - --a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030650 - All uses of the gpasswd command must be audited. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
- -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "gpasswd" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "gpasswd" command occur. - -Check the file system rule in "/etc/audit/audit.rules" with the following command: - -# grep -i /usr/bin/gpasswd /etc/audit/audit.rules - --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030660 - All uses of the chage command must be audited. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
- -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chage" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chage" command occur. - -Check the file system rule in "/etc/audit/audit.rules" with the following command: - -# grep -i /usr/bin/chage /etc/audit/audit.rules - --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030670 - All uses of the userhelper command must be audited. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
- -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "userhelper" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "userhelper" command occur. - -Check the file system rule in "/etc/audit/audit.rules" with the following command: - -# grep -i /usr/sbin/userhelper /etc/audit/audit.rules - --a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - RHEL-07-030680 - All uses of the su command must be audited. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
- -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000130 - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "su" command occur. - -Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -# grep -i /bin/su /etc/audit/audit.rules - --a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - RHEL-07-030690 - All uses of the sudo command must be audited. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged access commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000130 - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudo" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "sudo" command occur. - -Check for the following system calls being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -# grep -i /usr/bin/sudo /etc/audit/audit.rules - --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - RHEL-07-030700 - All uses of the sudoers command must be audited. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
- -At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000130 - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudoer" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --w /etc/sudoers -p wa -k privileged-actions - --w /etc/sudoers.d -p wa -k privileged-actions - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "sudoer" command occur. - -Check for modification of the following files being audited by performing the following commands to check the file system rules in "/etc/audit/audit.rules": - -# grep /etc/sudoers /etc/audit/audit.rules - --w /etc/sudoers -p wa -k privileged-actions - -# grep /etc/sudoers.d /etc/audit/audit.rules - --w /etc/sudoers.d -p wa -k privileged-actions - -If the commands do not return output that does not match the examples, this is a finding. - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - RHEL-07-030710 - All uses of the newgrp command must be audited. 
- <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000130 - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "newgrp" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "newgrp" command occur. - -Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -# grep -i /usr/bin/newgrp /etc/audit/audit.rules - --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change - -If the command does not return any output, this is a finding. 
- - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - RHEL-07-030720 - All uses of the chsh command must be audited. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000130 - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chsh" command occur. 
- -Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -# grep -i /usr/bin/chsh /etc/audit/audit.rules - --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> - - RHEL-07-030730 - All uses of the sudoedit command must be audited. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000130 - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudoedit" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change - -The audit daemon must be restarted for the changes to take effect. 
- - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "sudoedit" command occur. - -Check for the following system calls being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -# grep -i /usr/bin/sudoedit /etc/audit/audit.rules - --a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030740 - All uses of the mount command must be audited. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000135 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "mount" command occur. 
- -Add or update the following rules in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount - --a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "mount" command occur. - -Check for the following system calls being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": - -# grep -i /bin/mount /etc/audit/audit.rules - --a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount - --a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030750 - All uses of the umount command must be audited. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
- -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000135 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "umount" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "umount" command occur. - -Check for the following system calls being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": - -# grep -i /bin/umount /etc/audit/audit.rules - --a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030760 - All uses of the postdrop command must be audited. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
- -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000135 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postdrop" command occur. - -Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -# grep -i /usr/sbin/postdrop /etc/audit/audit.rules - --a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030770 - All uses of the postqueue command must be audited. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
- -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000135 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postqueue" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postqueue" command occur. - -Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -# grep -i /usr/sbin/postqueue /etc/audit/audit.rules - --a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030780 - All uses of the ssh-keysign command must be audited. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
- -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. - -Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -# grep -i /usr/libexec/openssh/ssh-keysign /etc/audit/audit.rules - --a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030790 - All uses of the pt_chown command must be audited. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pt_chown" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_terminal - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pt_chown" command occur. - -Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -# grep -i /usr/libexec/pt_chown /etc/audit/audit.rules - --a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_terminal - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - RHEL-07-030800 - All uses of the crontab command must be audited. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000135 - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "crontab" command occur. - -Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -# grep -i /usr/bin/crontab /etc/audit/audit.rules - --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000471-GPOS-00215 - <GroupDescription></GroupDescription> - - RHEL-07-030810 - All uses of the pam_timestamp_check command must be audited. 
- <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. - -Check the auditing rules in "/etc/audit/audit.rules" with the following command: - -# grep -i /sbin/pam_timestamp_check /etc/audit/audit.rules - --a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000471-GPOS-00216 - <GroupDescription></GroupDescription> - - RHEL-07-030820 - All uses of the init_module command must be audited. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - Configure the operating system generates audit records when successful/unsuccessful attempts to use the "init_module" command occur. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S init_module -k module-change - --a always,exit -F arch=b64 -S init_module -k module-change - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "init_module" command occur. - -Check the auditing rules in "/etc/audit/audit.rules" with the following command: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the line appropriate for the system architecture must be present. - -# grep -i init_module /etc/audit/audit.rules - -If the command does not return the following output (appropriate to the architecture), this is a finding. - --a always,exit -F arch=b32 -S init_module -k module-change - --a always,exit -F arch=b64 -S init_module -k module-change - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000471-GPOS-00216 - <GroupDescription></GroupDescription> - - RHEL-07-030830 - All uses of the delete_module command must be audited. 
- <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "delete_module" command occur. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S delete_module -k module-change - --a always,exit -F arch=b64 -S delete_module -k module-change - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "delete_module" command occur. - -Check the auditing rules in "/etc/audit/audit.rules" with the following command: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the line appropriate for the system architecture must be present. - -# grep -i delete_module /etc/audit/audit.rules - -If the command does not return the following output (appropriate to the architecture), this is a finding. 
- --a always,exit -F arch=b32 -S delete_module -k module-change - --a always,exit -F arch=b64 -S delete_module -k module-change - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000471-GPOS-00216 - <GroupDescription></GroupDescription> - - RHEL-07-030840 - All uses of the insmod command must be audited. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "insmod" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --w /sbin/insmod -p x -F auid!=4294967295 -k module-change - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "insmod" command occur. - -Check the auditing rules in "/etc/audit/audit.rules" with the following command: - -# grep -i insmod /etc/audit/audit.rules - -If the command does not return the following output (appropriate to the architecture), this is a finding. 
- --w /sbin/insmod -p x -F auid!=4294967295 -k module-change - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000471-GPOS-00216 - <GroupDescription></GroupDescription> - - RHEL-07-030850 - All uses of the rmmod command must be audited. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rmmod" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --w /sbin/rmmod-p x -F auid!=4294967295 -k module-change - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "rmmod" command occur. - -Check the auditing rules in "/etc/audit/audit.rules" with the following command: - -# grep -i rmmod /etc/audit/audit.rules - -If the command does not return the following output (appropriate to the architecture), this is a finding. 
- --w /sbin/rmmod -p x -F auid!=4294967295 -k module-change - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000471-GPOS-00216 - <GroupDescription></GroupDescription> - - RHEL-07-030860 - All uses of the modprobe command must be audited. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "modprobe" command occur. - -Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --w /sbin/modprobe -p x -F auid!=4294967295 -k module-change - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "modprobe" command occur. - -Check the auditing rules in "/etc/audit/audit.rules" with the following command: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the line appropriate for the system architecture must be present. 
- -# grep -i modprobe /etc/audit/audit.rules - -If the command does not return the following output (appropriate to the architecture), this is a finding. - --w /sbin/modprobe -p x -F auid!=4294967295 -k module-change - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000004-GPOS-00004 - <GroupDescription></GroupDescription> - - RHEL-07-030870 - The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000018 - CCI-000172 - CCI-001403 - CCI-002130 - Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". - -Add or update the following rule "/etc/audit/rules.d/audit.rules": - --w /etc/passwd -p wa -k identity - -The audit daemon must be restarted for the changes to take effect. 
- - - - Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". - -Check the auditing rules in "/etc/audit/audit.rules" with the following command: - -# grep /etc/passwd /etc/audit/audit.rules - --w /etc/passwd -p wa -k audit_rules_usergroup_modification - -If the command does not return a line, or the line is commented out, this is a finding. - - - - - SRG-OS-000466-GPOS-00210 - <GroupDescription></GroupDescription> - - RHEL-07-030880 - All uses of the rename command must be audited. - <VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. - -Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rename" command occur. - -Add the following rules in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S rename -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete --a always,exit -F arch=b64 -S rename -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete - -The audit daemon must be restarted for the changes to take effect. 
- - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "rename" command occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. - -# grep -i rename /etc/audit/audit.rules --a always,exit -F arch=b32 -S rename -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete --a always,exit -F arch=b64 -S rename -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000466-GPOS-00210 - <GroupDescription></GroupDescription> - - RHEL-07-030890 - All uses of the renameat command must be audited. - <VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. - -Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "renameat" command occur. 
- -Add the following rules in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S renameat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete --a always,exit -F arch=b64 -S renameat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "renameat" command occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. - -# grep -i renameat /etc/audit/audit.rules --a always,exit -F arch=b32 -S renameat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete --a always,exit -F arch=b64 -S renameat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000466-GPOS-00210 - <GroupDescription></GroupDescription> - - RHEL-07-030900 - All uses of the rmdir command must be audited. - <VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. 
- -Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rmdir" command occur. - -Add the following rules in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S rmdir -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete --a always,exit -F arch=b64 -S rmdir -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "rmdir" command occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. - -# grep -i rmdir /etc/audit/audit.rules --a always,exit -F arch=b32 -S rmdir -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete --a always,exit -F arch=b64 -S rmdir -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000466-GPOS-00210 - <GroupDescription></GroupDescription> - - RHEL-07-030910 - All uses of the unlink command must be audited. 
- <VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. - -Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlink" command occur. - -Add the following rules in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S unlink -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete --a always,exit -F arch=b64 -S unlink -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unlink" command occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. - -# grep -i unlink/etc/audit/audit.rules --a always,exit -F arch=b32 -S unlink -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete --a always,exit -F arch=b64 -S unlink -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete - -If the command does not return any output, this is a finding. 
- - - - - SRG-OS-000466-GPOS-00210 - <GroupDescription></GroupDescription> - - RHEL-07-030920 - All uses of the unlinkat command must be audited. - <VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. - -Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000172 - CCI-002884 - Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlinkat" command occur. - -Add the following rules in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture): - --a always,exit -F arch=b32 -S unlinkat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete --a always,exit -F arch=b64 -S unlinkat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unlinkat" command occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present. 
- -# grep -i unlinkat/etc/audit/audit.rules --a always,exit -F arch=b32 -S unlinkat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete --a always,exit -F arch=b64 -S unlinkat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete - -If the command does not return any output, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-031000 - The system must send rsyslog output to a log aggregation server. - <VulnDiscussion>Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event that the system is compromised or has a hardware failure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Modify the "/etc/rsyslog.conf" file to contain a configuration line to send all "rsyslog" output to a log aggregation system: - -*.* @@<log aggregation system name> - - - - Verify "rsyslog" is configured to send all messages to a log aggregation server. - -Check the configuration of "rsyslog" with the following command: - -Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf". - -# grep @ /etc/rsyslog.conf -*.* @@logagg.site.mil - -If there are no lines in the "/etc/rsyslog.conf" file that contain the "@" or "@@" symbol(s), and the lines with the correct symbol(s) to send output to another system do not cover all "rsyslog" output, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. - -If there is no evidence that the audit logs are being sent to another system, this is a finding. 
- - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-031010 - The rsyslog daemon must not accept log messages from other servers unless the server is being used for log aggregation. - <VulnDiscussion>Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information in to the system's logs, or could fill the system's storage leading to a Denial of Service. -If the system is intended to be a log aggregation server its use must be documented with the ISSO.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000318 - CCI-000368 - CCI-001812 - CCI-001813 - CCI-001814 - Modify the "/etc/rsyslog.conf" file to remove the "ModLoad imtcp" configuration line, or document the system as being used for log aggregation. - - - - Verify that the system is not accepting "rsyslog" messages from other systems unless it is documented as a log aggregation server. - -Check the configuration of "rsyslog" with the following command: - -# grep imtcp /etc/rsyslog.conf -ModLoad imtcp - -If the "imtcp" module is being loaded in the "/etc/rsyslog.conf" file, ask to see the documentation for the system being used for log aggregation. - -If the documentation does not exist, or does not specify the server as a log aggregation system, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-032000 - The system must use a DoD-approved virus scan program. 
- <VulnDiscussion>Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. - -The virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis. - -If the system processes inbound SMTP mail, the virus scanner must be configured to scan all received mail.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001668 - Install an approved DoD antivirus solution on the system. - - - - Verify the system is using a DoD-approved virus scan program. 
- -Check for the presence of "McAfee VirusScan Enterprise for Linux" with the following command: - -# systemctl status nails -nails - service for McAfee VirusScan Enterprise for Linux -> Loaded: loaded /opt/NAI/package/McAfeeVSEForLinux/McAfeeVSEForLinux-2.0.2.<build_number>; enabled) -> Active: active (running) since Mon 2015-09-27 04:11:22 UTC;21 min ago - -If the "nails" service is not active, check for the presence of "clamav" on the system with the following command: - -# systemctl status clamav-daemon.socket - systemctl status clamav-daemon.socket - clamav-daemon.socket - Socket for Clam AntiVirus userspace daemon - Loaded: loaded (/lib/systemd/system/clamav-daemon.socket; enabled) - Active: active (running) since Mon 2015-01-12 09:32:59 UTC; 7min ago - -If neither of these applications are loaded and active, ask the System Administrator if there is an antivirus package installed and active on the system. - -If no antivirus scan program is active on the system, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-032010 - The system must update the DoD-approved virus scan program every seven days or more frequently. - <VulnDiscussion>Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. - -The virus scanning software should be configured to check for software and virus definition updates with a frequency no longer than seven days. 
If a manual process is required to update the virus scan software or definitions, it must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001668 - Update the approved DoD virus scan software and virus definition files. - - - - Verify the system is using a DoD-approved virus scan program and the virus definition file is less than seven days old. - -Check for the presence of "McAfee VirusScan Enterprise for Linux" with the following command: - -# systemctl status nails -nails - service for McAfee VirusScan Enterprise for Linux -> Loaded: loaded /opt/NAI/package/McAfeeVSEForLinux/McAfeeVSEForLinux-2.0.2.<build_number>; enabled) -> Active: active (running) since Mon 2015-09-27 04:11:22 UTC;21 min ago - -If the "nails" service is not active, check for the presence of "clamav" on the system with the following command: - -# systemctl status clamav-daemon.socket -systemctl status clamav-daemon.socket - clamav-daemon.socket - Socket for Clam AntiVirus userspace daemon - Loaded: loaded (/lib/systemd/system/clamav-daemon.socket; enabled) - Active: active (running) since Mon 2015-01-12 09:32:59 UTC; 7min ago - -If "McAfee VirusScan Enterprise for Linux" is active on the system, check the dates of the virus definition files with the following command: - -# ls -al /opt/NAI/LinuxShield/engine/dat/*.dat -<need output> - -If the virus definition files have dates older than seven days from the current date, this is a finding. 
- -If "clamav" is active on the system, check the dates of the virus database with the following commands: - -# grep -I databasedirectory /etc/clamav.conf -DatabaseDirectory /var/lib/clamav - -# ls -al /var/lib/clamav/*.cvd --rwxr-xr-x 1 root root 149156 Mar 5 2011 daily.cvd - -If the database file has a date older than seven days from the current date, this is a finding. - - - - - SRG-OS-000027-GPOS-00008 - <GroupDescription></GroupDescription> - - RHEL-07-040000 - The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types. - <VulnDiscussion>Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. - -This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000054 - Configure the operating system to limit the number of concurrent sessions to "10" for all accounts and/or account types. 
- -Add the following line to the top of the /etc/security/limits.conf: - -* hard maxlogins 10 - - - - Verify the operating system limits the number of concurrent sessions to "10" for all accounts and/or account types by issuing the following command: - -# grep "maxlogins" /etc/security/limits.conf -* hard maxlogins 10 - -This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. - -If the "maxlogins" item is missing or the value is not set to "10" or less for all domains that have the "maxlogins" item assigned, this is a finding. - - - - - SRG-OS-000096-GPOS-00050 - <GroupDescription></GroupDescription> - - RHEL-07-040100 - The host must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments. - <VulnDiscussion>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. - -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. 
- -To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. - -Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000382 - CCI-002314 - Update the host's firewall settings and/or running services to comply with the PPSM CLSA for the site or program and the PPSM CAL. - - - - Inspect the firewall configuration and running services to verify that it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited. - -Check which services are currently active with the following command: - -# firewall-cmd --list-all -public (default, active) - interfaces: enp0s3 - sources: - services: dhcpv6-client dns http https ldaps rpc-bind ssh - ports: - masquerade: no - forward-ports: - icmp-blocks: - rich rules: - -Ask the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA. - -If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding. 
- - - - - SRG-OS-000033-GPOS-00014 - <GroupDescription></GroupDescription> - - RHEL-07-040110 - A FIPS 140-2 approved cryptographic algorithm must be used for SSH communications. - <VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. - -Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. - -FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. - -Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000068 - CCI-000366 - CCI-000803 - Configure SSH to use FIPS 140-2 approved cryptographic algorithms. - -Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). - -Ciphers aes128-ctr,aes192-ctr,aes256-ctr - -The SSH service must be restarted for changes to take effect. 
- - - - Verify the operating system uses mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. - -Note: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes. - -The location of the "sshd_config" file may vary if a different daemon is in use. - -Inspect the "Ciphers" configuration with the following command: - -# grep -i ciphers /etc/ssh/sshd_config -Ciphers aes128-ctr,aes192-ctr,aes256-ctr - -If any ciphers other than "aes128-ctr", "aes192-ctr", or "aes256-ctr" are listed, the "Ciphers" keyword is missing, or the retuned line is commented out, this is a finding. - - - - - SRG-OS-000163-GPOS-00072 - <GroupDescription></GroupDescription> - - RHEL-07-040160 - All network connections associated with a communication session must be terminated at the end of the session or after 10 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements. - <VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. - -Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. 
This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001133 - CCI-002361 - Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity. - -Add the following line to "/etc/profile" (or modify the line to have the required value): - -TMOUT=600 - -The SSH service must be restarted for changes to take effect. - - - - Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity. - -Check the value of the system inactivity timeout with the following command: - -# grep -i tmout /etc/bashrc -TMOUT=600 - -If "TMOUT" is not set to "600" or less in "/etc/bashrc", this is a finding. - - - - - SRG-OS-000023-GPOS-00006 - <GroupDescription></GroupDescription> - - RHEL-07-040170 - The Standard Mandatory DoD Notice and Consent Banner must be displayed immediately prior to, or as part of, remote access logon prompts. - <VulnDiscussion>Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. 
- -System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - -The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: - -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." 
- -Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007 , SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000048 - CCI-000050 - CCI-001384 - CCI-001385 - CCI-001386 - CCI-001387 - CCI-001388 - Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh. - -Edit the "/etc/ssh/sshd_config" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). An example configuration line is: - -banner=/etc/issue - -Either create the file containing the banner or replace the text in the file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is: - -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. 
- --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - -The SSH service must be restarted for changes to take effect. - - - - Verify any publicly accessible connection to the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. - -Check for the location of the banner file being used with the following command: - -# grep -i banner /etc/ssh/sshd_config - -banner=/etc/issue - -This command will return the banner keyword and the name of the file that contains the ssh banner (in this case "/etc/issue"). - -If the line is commented out, this is a finding. - -View the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DoD Notice and Consent Banner: - -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. 
- --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - -If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding. - -If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding. - - - - - SRG-OS-000250-GPOS-00093 - <GroupDescription></GroupDescription> - - RHEL-07-040180 - The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications. - <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. 
- -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001453 - Configure the operating system to implement cryptography to protect the integrity of LDAP authentication sessions. - -Set the USELDAPAUTH=yes in "/etc/sysconfig/authconfig". - -Set "ssl start_tls" in "/etc/pam_ldap.conf". - - - - Verify the operating system implements cryptography to protect the integrity of remote LDAP authentication sessions. - -To determine if LDAP is being used for authentication, use the following command: - -# grep -i useldapauth /etc/sysconfig/authconfig -USELDAPAUTH=yes - -If USELDAPAUTH=yes, then LDAP is being used. To see if LDAP is configured to use TLS, use the following command: - -# grep -i ssl /etc/pam_ldap.conf -ssl start_tls - -If the "ssl" option is not "start_tls", this is a finding. - - - - - SRG-OS-000250-GPOS-00093 - <GroupDescription></GroupDescription> - - RHEL-07-040190 - The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications. - <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. 
- -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001453 - Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions. - -Set the "tls_cacertdir" option in "/etc/pam_ldap.conf" to point to the directory that will contain the X.509 certificates for peer authentication. - -Set the "tls_cacertfile" option in "/etc/pam_ldap.conf" to point to the path for the X.509 certificates used for peer authentication. - - - - Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions. - -To determine if LDAP is being used for authentication, use the following command: - -# grep -i useldapauth /etc/sysconfig/authconfig -USELDAPAUTH=yes - -If USELDAPAUTH=yes, then LDAP is being used. - -Check for the directory containing X.509 certificates for peer authentication with the following command: - -# grep -i cacertdir /etc/pam_ldap.conf -tls_cacertdir /etc/openldap/certs - -Verify the directory set with the "tls_cacertdir" option exists. - -If the directory does not exist or the option is commented out, this is a finding. 
- - - - - SRG-OS-000250-GPOS-00093 - <GroupDescription></GroupDescription> - - RHEL-07-040200 - The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications. - <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001453 - Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions. - -Set the "tls_cacertfile" option in "/etc/pam_ldap.conf" to point to the path for the X.509 certificates used for peer authentication. - - - - Verify the operating system implements cryptography to protect the integrity of remote ldap access sessions. - -To determine if LDAP is being used for authentication, use the following command: - -# grep -i useldapauth /etc/sysconfig/authconfig -USELDAPAUTH=yes - -If USELDAPAUTH=yes, then LDAP is being used. - -Check that the path to the X.509 certificate for peer authentication with the following command: - -# grep -i cacertfile /etc/pam_ldap.conf -tls_cacertfile /etc/openldap/ldap-cacert.pem - -Verify the "tls_cacertfile" option points to a file that contains the trusted CA certificate. 
- -If this file does not exist, or the option is commented out or missing, this is a finding. - - - - - SRG-OS-000423-GPOS-00187 - <GroupDescription></GroupDescription> - - RHEL-07-040300 - All networked systems must have SSH installed. - <VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. - -Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa. - -Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-002418 - CCI-002420 - CCI-002421 - CCI-002422 - Install SSH packages onto the host with the following commands: - -# yum install openssh-clients.x86_64 -# yum install openssh-server.x86_64 - -Note: 32-bit versions will require different packages. 
- - - - Check to see if sshd is installed with the following command: - -# yum list installed ssh -libssh2.x86_64 1.4.3-8.el7 @anaconda/7.1 -openssh.x86_64 6.6.1p1-11.el7 @anaconda/7.1 -openssh-clients.x86_64 6.6.1p1-11.el7 @anaconda/7.1 -openssh-server.x86_64 6.6.1p1-11.el7 @anaconda/7.1 - -If the "SSH server" package is not installed, this is a finding. - -If the "SSH client" package is not installed, this is a finding. - - - - - SRG-OS-000423-GPOS-00187 - <GroupDescription></GroupDescription> - - RHEL-07-040310 - All networked systems must use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission. - <VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. - -Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. 
- -Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000423-GPOS-00188, SRG-OS-000423-GPOS-00189, SRG-OS-000423-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-002418 - CCI-002420 - CCI-002421 - CCI-002422 - Configure the SSH service to automatically start after reboot with the following command: - -# systemctl enable sshd ln -s '/usr/lib/systemd/system/sshd.service' '/etc/systemd/system/multi-user.target.wants/sshd.service' - - - - Verify SSH is loaded and active with the following command: - -# systemctl status sshd - sshd.service - OpenSSH server daemon - Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled) - Active: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago - Main PID: 1348 (sshd) - CGroup: /system.slice/sshd.service - ??1348 /usr/sbin/sshd -D - -If "sshd" does not show a status of "active" and "running", this is a finding. - - - - - SRG-OS-000163-GPOS-00072 - <GroupDescription></GroupDescription> - - RHEL-07-040320 - All network connections associated with SSH traffic must terminate at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. - <VulnDiscussion>Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. 
- -Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. - -Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001133 - CCI-002361 - Configure the operating system to automatically terminate a user session after inactivity time-outs have expired or at shutdown. - -Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): - -ClientAliveInterval 600 - -The SSH service must be restarted for changes to take effect. - - - - Verify the operating system automatically terminates a user session after inactivity time-outs have expired. - -Check for the value of the "ClientAlive" keyword with the following command: - -# grep -i clientalive /etc/ssh/sshd_config - -ClientAliveInterval 600 - -If "ClientAliveInterval" is not set to "600" in "/etc/ ssh/sshd_config", and a lower value is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. 
- - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040330 - The SSH daemon must not allow authentication using RSA rhosts authentication. - <VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the SSH daemon to not allow authentication using RSA rhosts authentication. - -Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes": - -RhostsRSAAuthentication yes - -The SSH service must be restarted for changes to take effect. - - - - Verify the SSH daemon does not allow authentication using RSA rhosts authentication. - -To determine how the SSH daemon's "RhostsRSAAuthentication" option is set, run the following command: - -# grep RhostsRSAAuthentication /etc/ssh/sshd_config - -RhostsRSAAuthentication yes - -If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding. - - - - - SRG-OS-000163-GPOS-00072 - <GroupDescription></GroupDescription> - - RHEL-07-040340 - All network connections associated with SSH traffic must terminate after a period of inactivity. - <VulnDiscussion>Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. 
In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. - -Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. - -Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001133 - CCI-002361 - Configure the operating system to automatically terminate a user session after inactivity time-outs have expired or at shutdown. - -Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): - -ClientAliveCountMax 0 - -The SSH service must be restarted for changes to take effect. - - - - Verify the operating system automatically terminates a user session after inactivity time-outs have expired. 
- -Check for the value of the "ClientAliveCountMax" keyword with the following command: - -# grep -i clientalivecount /etc/ssh/sshd_config -ClientAliveCountMax 0 - -If "ClientAliveCountMax" is not set to "0" in "/etc/ ssh/sshd_config", this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040350 - The SSH daemon must not allow authentication using rhosts authentication. - <VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the SSH daemon to not allow authentication using known hosts authentication. - -Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes": - -IgnoreRhosts yes - - - - Verify the SSH daemon does not allow authentication using known hosts authentication. - -To determine how the SSH daemon's "IgnoreRhosts" option is set, run the following command: - -# grep -i IgnoreRhosts /etc/ssh/sshd_config - -IgnoreRhosts yes - -If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040360 - The system must display the date and time of the last successful account logon upon an SSH logon. 
- <VulnDiscussion>Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/sshd" or in the "sshd_config" file used by the system ("/etc/ssh/sshd_config" will be used in the example) (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). - -Add the following line to the top of "/etc/pam.d/sshd": - -session required pam_lastlog.so showfailed - -Or modify the "PrintLastLog" line in "/etc/ssh/sshd_config" to match the following: - -PrintLastLog yes - -The SSH service must be restarted for changes to "sshd_config" to take effect. - - - - Verify SSH provides users with feedback on when account accesses last occurred. - -Check that "PrintLastLog" keyword in the sshd daemon configuration file is used and set to "yes" with the following command: - -# grep -i printlastlog /etc/ssh/sshd_config -PrintLastLog yes - -If the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040370 - The system must not permit direct logons to the root account using remote access via SSH. 
- <VulnDiscussion>Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure SSH to stop users from logging on remotely as the root user. - -Edit the appropriate "/etc/ssh/sshd_config" file to uncomment or add the line for the "PermitRootLogin" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): - -PermitRootLogin no - -The SSH service must be restarted for changes to take effect. - - - - Verify remote access using SSH prevents users from logging on directly as root. - -Check that SSH prevents users from logging on directly as root with the following command: - -# grep -i permitrootlogin /etc/ssh/sshd_config -PermitRootLogin no - -If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040380 - The SSH daemon must not allow authentication using known hosts authentication. 
- <VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the SSH daemon to not allow authentication using known hosts authentication. - -Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes": - -IgnoreUserKnownHosts yes - -The SSH service must be restarted for changes to take effect. - - - - Verify the SSH daemon does not allow authentication using known hosts authentication. - -To determine how the SSH daemon's "IgnoreUserKnownHosts" option is set, run the following command: - -# grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config - -IgnoreUserKnownHosts yes - -If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding. - - - - - SRG-OS-000074-GPOS-00042 - <GroupDescription></GroupDescription> - - RHEL-07-040390 - The SSH daemon must be configured to only use the SSHv2 protocol. - <VulnDiscussion>SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. 
- -Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000197 - CCI-000366 - Remove all Protocol lines that reference version "1" in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The "Protocol" line must be as follows: - -Protocol 2 - -The SSH service must be restarted for changes to take effect. - - - - Verify the SSH daemon is configured to only use the SSHv2 protocol. - -Check that the SSH daemon is configured to only use the SSHv2 protocol with the following command: - -# grep -i protocol /etc/ssh/sshd_config -Protocol 2 -#Protocol 1,2 - -If any protocol line other than "Protocol 2" is uncommented, this is a finding. - - - - - SRG-OS-000250-GPOS-00093 - <GroupDescription></GroupDescription> - - RHEL-07-040400 - The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. - <VulnDiscussion>DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. 
The only SSHv2 hash algorithm meeting this requirement is SHA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001453 - Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-256" and/or "hmac-sha2-512" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): - -MACs hmac-sha2-256,hmac-sha2-512 - -The SSH service must be restarted for changes to take effect. - - - - Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers. - -Note: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes. - -Check that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers with the following command: - -# grep -i macs /etc/ssh/sshd_config -MACs hmac-sha2-256,hmac-sha2-512 - -If any ciphers other than "hmac-sha2-256" or "hmac-sha2-512" are listed or the retuned line is commented out, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040410 - The SSH public host key files must have mode 0644 or less permissive. 
- <VulnDiscussion>If a public host key file is modified by an unauthorized user, the SSH service may be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Note: SSH public key files may be found in other directories on the system depending on the installation. - -Change the mode of public host key files under "/etc/ssh" to "0644" with the following command: - -# chmod 0644 /etc/ssh/*.key.pub - - - - Verify the SSH public host key files have mode "0644" or less permissive. - -Note: SSH public key files may be found in other directories on the system depending on the installation. - -The following command will find all SSH public key files on the system: - -# find /etc/ssh -name '*.pub' -exec ls -lL {} \; - --rw-r--r-- 1 root wheel 618 Nov 28 06:43 ssh_host_dsa_key.pub --rw-r--r-- 1 root wheel 347 Nov 28 06:43 ssh_host_key.pub --rw-r--r-- 1 root wheel 238 Nov 28 06:43 ssh_host_rsa_key.pub - -If any file has a mode more permissive than "0644", this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040420 - The SSH private host key files must have mode 0600 or less permissive. 
- <VulnDiscussion>If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the mode of SSH private host key files under "/etc/ssh" to "0600" with the following command: - -# chmod 0600 /etc/ssh/ssh_host*key - - - - Verify the SSH private host key files have mode "0600" or less permissive. - -The following command will find all SSH private key files on the system: - -# find / -name '*ssh_host*key' - -Check the mode of the private host key files under "/etc/ssh" file with the following command: - -# ls -lL /etc/ssh/*key --rw------- 1 root wheel 668 Nov 28 06:43 ssh_host_dsa_key --rw------- 1 root wheel 582 Nov 28 06:43 ssh_host_key --rw------- 1 root wheel 887 Nov 28 06:43 ssh_host_rsa_key - -If any file has a mode more permissive than "0600", this is a finding. - - - - - SRG-OS-000364-GPOS-00151 - <GroupDescription></GroupDescription> - - RHEL-07-040430 - The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed. - <VulnDiscussion>GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing the attack surface of the system. 
GSSAPI authentication must be disabled unless needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000318 - CCI-000368 - CCI-001812 - CCI-001813 - CCI-001814 - Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": - -GSSAPIAuthentication no - -The SSH service must be restarted for changes to take effect. - -If GSSAPI authentication is required, it must be documented, to include the location of the configuration file, with the ISSO. - - - - Verify the SSH daemon does not permit GSSAPI authentication unless approved. - -Check that the SSH daemon does not permit GSSAPI authentication with the following command: - -# grep -i gssapiauth /etc/ssh/sshd_config -GSSAPIAuthentication no - -If the "GSSAPIAuthentication" keyword is missing, is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding. - - - - - SRG-OS-000364-GPOS-00151 - <GroupDescription></GroupDescription> - - RHEL-07-040440 - The SSH daemon must not permit Kerberos authentication unless needed. - <VulnDiscussion>Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. 
To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000318 - CCI-000368 - CCI-001812 - CCI-001813 - CCI-001814 - Uncomment the "KerberosAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": - -KerberosAuthentication no - -The SSH service must be restarted for changes to take effect. - -If Kerberos authentication is required, it must be documented, to include the location of the configuration file, with the ISSO. - - - - Verify the SSH daemon does not permit Kerberos to authenticate passwords unless approved. - -Check that the SSH daemon does not permit Kerberos to authenticate passwords with the following command: - -# grep -i kerberosauth /etc/ssh/sshd_config -KerberosAuthentication no - -If the "KerberosAuthentication" keyword is missing, or is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040450 - The SSH daemon must perform strict mode checking of home directory configuration files. 
- <VulnDiscussion>If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "yes": - -StrictModes yes - -The SSH service must be restarted for changes to take effect. - - - - Verify the SSH daemon performs strict mode checking of home directory configuration files. - -The location of the "sshd_config" file may vary if a different daemon is in use. - -Inspect the "sshd_config" file with the following command: - -# grep -i strictmodes /etc/ssh/sshd_config - -StrictModes yes - -If "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040460 - The SSH daemon must use privilege separation. 
- <VulnDiscussion>SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "sandbox" or "yes": - -UsePrivilegeSeparation sandbox - -The SSH service must be restarted for changes to take effect. - - - - Verify the SSH daemon performs privilege separation. - -Check that the SSH daemon performs privilege separation with the following command: - -# grep -i usepriv /etc/ssh/sshd_config - -UsePrivilegeSeparation sandbox - -If the "UsePrivilegeSeparation" keyword is set to "no", is missing, or the retuned line is commented out, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040470 - The SSH daemon must not allow compression or must only allow compression after successful authentication. 
- <VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "delayed" or "no": - -Compression no - -The SSH service must be restarted for changes to take effect. - - - - Verify the SSH daemon performs compression after a user successfully authenticates. - -Check that the SSH daemon performs compression after a user successfully authenticates with the following command: - -# grep -i compression /etc/ssh/sshd_config -Compression delayed - -If the "Compression" keyword is set to "yes", is missing, or the retuned line is commented out, this is a finding. - - - - - SRG-OS-000355-GPOS-00143 - <GroupDescription></GroupDescription> - - RHEL-07-040500 - The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). - <VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. 
Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. - -Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. - -Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). - -Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001891 - CCI-002046 - Edit the "/etc/ntp.conf" file and add or update an entry to define "maxpoll" to "10" as follows: - -maxpoll 10 - -If NTP was running and "maxpoll" was updated, the NTP service must be restarted: - -# systemctl restart ntpd - -If NTP was not running, it must be started: - -# systemctl start ntpd - - - - Check to see if NTP is running in continuous mode. - -# ps -ef | grep ntp - -If NTP is not running, this is a finding. - -If the process is found, then check the "ntp.conf" file for the "maxpoll" option setting: - -# grep maxpoll /etc/ntp.conf - -maxpoll 17 - -If the option is set to "17" or is not set, this is a finding. - -If the file does not exist, check the "/etc/cron.daily" subdirectory for a crontab file controlling the execution of the "ntpdate" command. 
- -# grep –l ntpdate /etc/cron.daily - -# ls -al /etc/cron.* | grep aide -ntp - -If a crontab file does not exist in the "/etc/cron.daily" that executes the "ntpdate" file, this is a finding. - - - - - SRG-OS-000420-GPOS-00186 - <GroupDescription></GroupDescription> - - RHEL-07-040510 - The operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces. - <VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. - -This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-002385 - Create a direct firewall rule to protect against DoS attacks with the following command: - -Note: The command is to add a rule to the public zone. 
- -# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT - - - - Verify the operating system protects against or limits the effects of DoS attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces. - -Check the firewall configuration with the following command: - -Note: The command is to query rules for the public zone. - -# firewall-cmd --direct --get-rule ipv4 filter IN_public_allow -rule ipv4 filter IN_public_allow 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT - -If a rule with both the limit and limit-burst arguments parameters does not exist, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040520 - The operating system must enable an application firewall, if available. - <VulnDiscussion>Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network. - -Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Ensure the operating system's application firewall is enabled. - -Install the "firewalld" package, if it is not on the system, with the following command: - -# yum install firewalld - -Start the firewall via "systemctl" with the following command: - -# systemctl start firewalld - - - - Verify the operating system enabled an application firewall. 
- -Check to see if "firewalld" is installed with the following command: - -# yum list installed firewalld -firewalld-0.3.9-11.el7.noarch.rpm - -If the "firewalld" package is not installed, ask the System Administrator if another firewall application (such as iptables) is installed. - -If an application firewall is not installed, this is a finding. - -Check to see if the firewall is loaded and active with the following command: - -# systemctl status firewalld -firewalld.service - firewalld - dynamic firewall daemon - - Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled) - Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago - -If "firewalld" does not show a status of "loaded" and "active", this is a finding. - -Check the state of the firewall: - -# firewall-cmd --state -running - -If "firewalld" does not show a state of "running", this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040530 - The system must display the date and time of the last successful account logon upon logon. - <VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin-ac". 
- -Add the following line to the top of "/etc/pam.d/postlogin-ac": - -session required pam_lastlog.so showfailed - - - - Verify users are provided with feedback on when account accesses last occurred. - -Check that "pam_lastlog" is used and not silent with the following command: - -# grep pam_lastlog /etc/pam.d/postlogin-ac - -session required pam_lastlog.so showfailed silent - -If "pam_lastlog" is missing from "/etc/pam.d/postlogin-ac" file, or the silent option is present on the line check for the "PrintLastLog" keyword in the sshd daemon configuration file, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040540 - There must be no .shosts files on the system. - <VulnDiscussion>The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Remove any found ".shosts" files from the system. - -# rm /[path]/[to]/[file]/.shosts - - - - Verify there are no ".shosts" files on the system. - -Check the system for the existence of these files with the following command: - -# find / -name '*.shosts' - -If any ".shosts" files are found on the system, this is a finding. 
- - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040550 - There must be no shosts.equiv files on the system. - <VulnDiscussion>The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Remove any found "shosts.equiv" files from the system. - -# rm /[path]/[to]/[file]/shosts.equiv - - - - Verify there are no "shosts.equiv" files on the system. - -Check the system for the existence of these files with the following command: - -# find / -name shosts.equiv - -If any "shosts.equiv" files are found on the system, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040600 - For systems using DNS resolution, at least two name servers must be configured. - <VulnDiscussion>To provide availability for name resolution services, multiple redundant name servers are mandated. 
A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the operating system to use two or more name servers for DNS resolution. - -Edit the "/etc/resolv.conf" file to uncomment or add the two or more "nameserver" option lines with the IP address of local authoritative name servers. If local host resolution is being performed, the "/etc/resolv.conf" file must be empty. An empty "/etc/resolv.conf" file can be created as follows: - -# echo -n > /etc/resolv.conf - -And then make the file immutable with the following command: - -# chattr +i /etc/resolv.conf - -If the "/etc/resolv.conf" file must be mutable, the required configuration must be documented with the Information System Security Officer (ISSO) and the file must be verified by the system file integrity tool. - - - - Determine whether the system is using local or DNS name resolution with the following command: - -# grep hosts /etc/nsswitch.conf -hosts: files dns - -If the DNS entry is missing from the host’s line in the "/etc/nsswitch.conf" file, the "/etc/resolv.conf" file must be empty. - -Verify the "/etc/resolv.conf" file is empty with the following command: - -# ls -al /etc/resolv.conf --rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf - -If local host authentication is being used and the "/etc/resolv.conf" file is not empty, this is a finding. 
- -If the DNS entry is found on the host’s line of the "/etc/nsswitch.conf" file, verify the operating system is configured to use two or more name servers for DNS resolution. - -Determine the name servers used by the system with the following command: - -# grep nameserver /etc/resolv.conf -nameserver 192.168.1.2 -nameserver 192.168.1.3 - -If less than two lines are returned that are not commented out, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040610 - The system must not forward Internet Protocol version 4 (IPv4) source-routed packets. - <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): - -net.ipv4.conf.all.accept_source_route = 0 - - - - Verify the system does not accept IPv4 source-routed packets. 
- -Check the value of the accept source route variable with the following command: - -# /sbin/sysctl -a | grep net.ipv4.conf.all.accept_source_route -net.ipv4.conf.all.accept_source_route=0 - -If the returned line does not have a value of "0", a line is not returned, or the returned line is commented out, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040620 - The system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. - <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): - -net.ipv4.conf.default.accept_source_route = 0 - - - - Verify the system does not accept IPv4 source-routed packets by default. - -Check the value of the accept source route variable with the following command: - -# /sbin/sysctl -a | grep net.ipv4.conf.default.accept_source_route -net.ipv4.conf.default.accept_source_route=0 - -If the returned line does not have a value of "0", a line is not returned, or the returned line is commented out, this is a finding. 
- - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040630 - The system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. - <VulnDiscussion>Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): - -net.ipv4.icmp_echo_ignore_broadcasts=1 - - - - Verify the system does not respond to IPv4 ICMP echoes sent to a broadcast address. - -Check the value of the "icmp_echo_ignore_broadcasts" variable with the following command: - -# /sbin/sysctl -a | grep net.ipv4.icmp_echo_ignore_broadcasts -net.ipv4.icmp_echo_ignore_broadcasts=1 - -If the returned line does not have a value of "1", a line is not returned, or the retuned line is commented out, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040640 - The system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Set the system to not accept IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): - -net.ipv4.conf.default.accept_redirects = 0 - - - - Verify the system will not accept IPv4 ICMP redirect messages. - -Check the value of the default "accept_redirects" variables with the following command: - -# /sbin/sysctl -a | grep 'net.ipv4.conf.default.accept_redirects' -net.ipv4.conf.default.accept_redirects=0 - -If the returned line does not have a value of "0", or a line is not returned, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040650 - The system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default. - -Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): - -net.ipv4.conf.default.send_redirects=0 - - - - Verify the system does not allow interfaces to perform IPv4 ICMP redirects by default. - -Check the value of the "default send_redirects" variables with the following command: - -# grep 'net.ipv4.conf.default.send_redirects' /etc/sysctl.conf -net.ipv4.conf.default.send_redirects=0 - -If the returned line does not have a value of "0", or a line is not returned, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040660 - The system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the system to not allow interfaces to perform IPv4 ICMP redirects. - -Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): - -net.ipv4.conf.all.send_redirects=0 - - - - Verify the system does not send IPv4 ICMP redirect messages. - -Check the value of the "all send_redirects" variables with the following command: - -# grep 'net.ipv4.conf.all.send_redirects' /etc/sysctl.conf - -net.ipv4.conf.all.send_redirects=0 - -If the returned line does not have a value of "0", or a line is not returned, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040670 - Network interfaces must not be in promiscuous mode. - <VulnDiscussion>Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow then to collect information such as logon IDs, passwords, and key exchanges between systems. 
- -If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented. - -Set the promiscuous mode of an interface to off with the following command: - -#ip link set dev <devicename> multicast off promisc off - - - - Verify network interfaces are not in promiscuous mode unless approved by the ISSO and documented. - -Check for the status with the following command: - -# ip link | grep -i promisc - -If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040680 - The system must be configured to prevent unrestricted mail relaying. 
- <VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command: - -# postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject' - - - - Verify the system is configured to prevent unrestricted mail relaying. - -Determine if "postfix" is installed with the following commands: - -# yum list installed postfix -postfix-2.6.6-6.el7.x86_64.rpm - -If postfix is not installed, this is Not Applicable. - -If postfix is installed, determine if it is configured to reject connections from unknown or untrusted networks with the following command: - -# postconf -n smtpd_client_restrictions -smtpd_client_restrictions = permit_mynetworks, reject - -If the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject", this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040690 - A File Transfer Protocol (FTP) server package must not be installed unless needed. - <VulnDiscussion>The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. 
SSH or other encrypted file transfer methods must be used in place of this service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Document the "lftpd" package with the ISSO as an operational requirement or remove it from the system with the following command: - -# yum remove lftpd - - - - Verify a lightweight FTP server has not been installed on the system. - -Check to see if a lightweight FTP server has been installed with the following commands: - -# yum list installed lftpd - lftp-4.4.8-7.el7.x86_64.rpm - -If "lftpd" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040700 - The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for operational support. 
- <VulnDiscussion>If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000318 - CCI-000368 - CCI-001812 - CCI-001813 - CCI-001814 - Remove the TFTP package from the system with the following command: - -# yum remove tftp - - - - Verify a TFTP server has not been installed on the system. - -Check to see if a TFTP server has been installed with the following command: - -# yum list installed tftp-server -tftp-server-0.49-9.el7.x86_64.rpm - -If TFTP is installed and the requirement for TFTP is not documented with the ISSO, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040710 - Remote X connections for interactive users must be encrypted. - <VulnDiscussion>Open X displays allow an attacker to capture keystrokes and execute commands remotely.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure SSH to encrypt connections for interactive users. 
- -Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Forwarding" keyword and set its value to "yes" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): - -X11Fowarding yes - -The SSH service must be restarted for changes to take effect. - - - - Verify remote X connections for interactive users are encrypted. - -Check that remote X connections are encrypted with the following command: - -# grep -i x11forwarding /etc/ssh/sshd_config -X11Fowarding yes - -If the "X11Forwarding" keyword is set to "no", is missing, or is commented out, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040720 - If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode. - <VulnDiscussion>Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the TFTP daemon to operate in secure mode by adding the following line to "/etc/xinetd.d/tftp" (or modify the line to have the required value): - -server_args = -s /var/lib/tftpboot - - - - Verify the TFTP daemon is configured to operate in secure mode. - -Check to see if a TFTP server has been installed with the following commands: - -# yum list installed | grep tftp -tftp-0.49-9.el7.x86_64.rpm - -If a TFTP server is not installed, this is Not Applicable. 
- -If a TFTP server is installed, check for the server arguments with the following command: - -# grep server_arge /etc/xinetd.d/tftp -server_args = -s /var/lib/tftpboot - -If the "server_args" line does not have a "-s" option and a subdirectory is not assigned, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040730 - An X Windows display manager must not be installed unless approved. - <VulnDiscussion>Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. X Windows has a long history of security vulnerabilities and will not be used unless approved and documented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Document the requirement for an X Windows server with the ISSO or remove the related packages with the following commands: - -#yum groupremove "X Window System" - -#yum remove xorg-x11-server-common - - - - Verify that if the system has X Windows System installed, it is authorized. - -Check for the X11 package with the following command: - -# yum group list installed "X Window System" - -Ask the System Administrator if use of the X Windows System is an operational requirement. - -If the use of X Windows on the system is not documented with the Information System Security Officer (ISSO), this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040740 - The system must not be performing packet forwarding unless the system is a router. 
- <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): - -net.ipv4.ip_forward = 0 - - - - Verify the system is not performing packet forwarding, unless the system is a router. - -Check to see if IP forwarding is enabled using the following command: - -# /sbin/sysctl -a | grep net.ipv4.ip_forward -net.ipv4.ip_forward=0 - -If IP forwarding value is "1" and the system is hosting any application, database, or web servers, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040750 - The Network File System (NFS) must be configured to use RPCSEC_GSS. - <VulnDiscussion>When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. 
The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Update the "/etc/fstab" file so the option "sec" is defined for each NFS mounted file system and the "sec" option does not have the "sys" setting. - -Ensure the "sec" option is defined as "krb5:krb5i:krb5p". - - - - Verify "AUTH_GSS" is being used to authenticate NFS mounts. - -To check if the system is importing an NFS file system, look for any entries in the "/etc/fstab" file that have a file system type of "nfs" with the following command: - -# cat /etc/fstab | grep nfs -192.168.21.5:/mnt/export /data1 nfs4 rw,sync ,soft,sec=krb5:krb5i:krb5p - -If the system is mounting file systems via NFS and has the sec option without the "krb5:krb5i:krb5p" settings, the "sec" option has the "sys" setting, or the "sec" option is missing, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040800 - SNMP community strings must be changed from the default. - <VulnDiscussion>Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s). 
It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the version 2 community strings.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - If the "/etc/snmp/snmpd.conf" file exists, modify any lines that contain a community string value of "public" or "private" to another string value. - - - - Verify that a system using SNMP is not using default community strings. - -Check to see if the "/etc/snmp/snmpd.conf" file exists with the following command: - -# ls -al /etc/snmp/snmpd.conf - -rw------- 1 root root 52640 Mar 12 11:08 snmpd.conf - -If the file does not exist, this is Not Applicable. - -If the file does exist, check for the default community strings with the following commands: - -# grep public /etc/snmp/snmpd.conf -# grep private /etc/snmp/snmpd.conf - -If either of these commands returns any output, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040810 - The system access control program must be configured to grant or deny system access to specific hosts and services. 
- <VulnDiscussion>If the systems access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - If "firewalld" is installed and active on the system, configure rules for allowing specific services and hosts. - -If "tcpwrappers" is installed, configure the "/etc/hosts.allow" and "/etc/hosts.deny" to allow or deny access to specific hosts. - - - - If the "firewalld" package is not installed, ask the System Administrator (SA) if another firewall application (such as iptables) is installed. If an application firewall is not installed, this is a finding. - -Verify the system's access control program is configured to grant or deny system access to specific hosts. 
- -Check to see if "firewalld" is active with the following command: - -# systemctl status firewalld -firewalld.service - firewalld - dynamic firewall daemon - Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled) - Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago - -If "firewalld" is active, check to see if it is configured to grant or deny access to specific hosts or services with the following commands: - -# firewall-cmd --get-default-zone -public - -# firewall-cmd --list-all --zone=public -public (default, active) - interfaces: eth0 - sources: - services: mdns ssh - ports: - masquerade: no - forward-ports: - icmp-blocks: - rich rules: - rule family="ipv4" source address="92.188.21.1/24" accept - rule family="ipv4" source address="211.17.142.46/32" accept - -If "firewalld" is not active, determine whether "tcpwrappers" is being used by checking whether the "hosts.allow" and "hosts.deny" files are empty with the following commands: - -# ls -al /etc/hosts.allow -rw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow - -# ls -al /etc/hosts.deny --rw-r----- 1 root root 9 Apr 9 2007 /etc/hosts.deny - -If "firewalld" and "tcpwrappers" are not installed, configured, and active, ask the SA if another access control program (such as iptables) is installed and active. Ask the SA to show that the running configuration grants or denies access to specific hosts or services. - -If "firewalld" is active and is not configured to grant access to specific hosts and "tcpwrappers" is not configured to grant or deny access to specific hosts, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040820 - The system must not have unauthorized IP tunnels configured. - <VulnDiscussion>IP tunneling mechanisms can be used to bypass network filtering. 
If tunneling is required, it must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Remove all unapproved tunnels from the system, or document them with the ISSO. - - - - Verify the system does not have unauthorized IP tunnels configured. - -Check to see if "libreswan" is installed with the following command: - -# yum list installed libreswan -openswan-2.6.32-27.el6.x86_64 - -If "libreswan" is installed, check to see if the "IPsec" service is active with the following command: - -# systemctl status ipsec -ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec - Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled) - Active: inactive (dead) - -If the "IPsec" service is active, check to see if any tunnels are configured in "/etc/ipsec.conf" and "/etc/ipsec.d/" with the following commands: - -# grep -i conn /etc/ipsec.conf -conn mytunnel - -# grep -i conn /etc/ipsec.d/*.conf -conn mytunnel - -If there are indications that a "conn" parameter is configured for a tunnel, ask the System Administrator if the tunnel is documented with the ISSO. If "libreswan" is installed, "IPsec" is active, and an undocumented tunnel is active, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040830 - The system must not forward IPv6 source-routed packets. 
- <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): - -net.ipv6.conf.all.accept_source_route = 0 - - - - Verify the system does not accept IPv6 source-routed packets. - -Note: If IPv6 is not enabled, the key will not exist, and this is not a finding. - -Check the value of the accept source route variable with the following command: - -# /sbin/sysctl -a | grep net.ipv6.conf.all.accept_source_route -net.ipv6.conf.all.accept_source_route=0 - -If the returned lines do not have a value of "0", or a line is not returned, this is a finding. - - - - - SRG-OS-000375-GPOS-00160 - <GroupDescription></GroupDescription> - - RHEL-07-041001 - The operating system must have the required packages for multifactor authentication installed. - <VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. 
- -Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. - -A privileged account is defined as an information system account with authorizations of a privileged user. - -Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). - -Requires further clarification from NIST. - -Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001948 - CCI-001953 - CCI-001954 - Configure the operating system to implement multifactor authentication by installing the required packages. - -Install the "esc", "pam_pkcs11", "authconfig", and "authconfig-gtk" packages on the system with the following command: - -# yum install esc pam_pkcs11 authconfig-gtk - - - - Verify the operating system has the packages required for multifactor authentication installed. 
- -Check for the presence of the packages required to support multifactor authentication with the following commands: - -# yum list installed esc -esc-1.1.0-26.el7.noarch.rpm - -# yum list installed pam_pkcs11 -pam_pkcs11-0.6.2-14.el7.noarch.rpm - -# yum list installed authconfig-gtk -authconfig-gtk-6.1.12-19.el7.noarch.rpm - -If the "esc", "pam_pkcs11", and "authconfig-gtk" packages are not installed, this is a finding. - - - - - SRG-OS-000375-GPOS-00160 - <GroupDescription></GroupDescription> - - RHEL-07-041002 - The operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). - <VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. - -Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. - -A privileged account is defined as an information system account with authorizations of a privileged user. - -Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). - -Requires further clarification from NIST. 
- -Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001948 - CCI-001953 - CCI-001954 - Configure the operating system to implement multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM). - -Modify all of the services lines in /etc/sssd/sssd.conf to include pam. - - - - Verify the operating system implements multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM). - -Check the "/etc/sssd/sssd.conf" file for the authentication services that are being used with the following command: - -# grep services /etc/sssd/sssd.conf - -services = nss, pam - -If the "pam" service is not present, this is a finding. - - - - - SRG-OS-000375-GPOS-00160 - <GroupDescription></GroupDescription> - - RHEL-07-041003 - The operating system must implement certificate status checking for PKI authentication. - <VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. - -Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. 
- -A privileged account is defined as an information system account with authorizations of a privileged user. - -Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). - -Requires further clarification from NIST. - -Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001948 - CCI-001953 - CCI-001954 - Configure the operating system to do certificate status checking for PKI authentication. - -Modify all of the "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on". - - - - Verify the operating system implements certificate status checking for PKI authentication. - -Check to see if Online Certificate Status Protocol (OCSP) is enabled on the system with the following command: - -# grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf - -cert_policy =ca, ocsp_on, signature; -cert_policy =ca, ocsp_on, signature; -cert_policy =ca, ocsp_on, signature; - -There should be at least three lines returned. All lines must match the example output; specifically that "oscp_on" must be included in the "cert_policy" line. 
- -If "oscp_on" is present in all "cert_policy" lines, this is not a finding. - - - - - SRG-OS-000375-GPOS-00160 - <GroupDescription></GroupDescription> - - RHEL-07-041004 - The operating system must implement smart card logons for multifactor authentication for access to privileged accounts. - <VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. - -Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. - -A privileged account is defined as an information system account with authorizations of a privileged user. - -Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). - -Requires further clarification from NIST. 
- -Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001948 - CCI-001953 - CCI-001954 - Configure the operating system to implement smart card logon for multifactor authentication to uniquely identify privileged users. - -Enable smart card logons with the following commands: - -#authconfig --enablesmartcard --smartcardaction=1 --update -# authconfig --enablerequiresmartcard --update - - - - Verify the operating system requires smart card logons for multifactor authentication to uniquely identify privileged users. - -Check to see if smartcard authentication is enforced on the system with the following command: - -# authconfig --test | grep -i smartcard - -The entry for use only smartcard for logon may be enabled, and the smartcard module and smartcard removal actions must not be blank. - -If smartcard authentication is disabled or the smartcard and smartcard removal actions are blank, this is a finding. - - - - - SRG-OS-000029-GPOS-00010 - <GroupDescription></GroupDescription> - - RHEL-07-010081 - The operating system must set the lock delay setting for all connection types. - <VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000057 - Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. - -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - -Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. - -# touch /etc/dconf/db/local.d/locks/session - -Add the setting to lock the screensaver lock delay: - -/org/gnome/desktop/screensaver/lock-delay - - - - Verify the operating system prevents a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console. 
- -Determine which profile the system database is using with the following command: -# grep system-db /etc/dconf/profile/user - -system-db:local - -Check for the lock delay setting with the following command: - -Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. - -# grep -i lock-delay /etc/dconf/db/local.d/locks/* - -/org/gnome/desktop/screensaver/lock-delay - -If the command does not return a result, this is a finding. - - - - - SRG-OS-000029-GPOS-00010 - <GroupDescription></GroupDescription> - - RHEL-07-010082 - The operating system must set the session idle delay setting for all connection types. - <VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000057 - Configure the operating system to prevent a user from overriding a session lock after a 15-minute period of inactivity for graphical user interfaces. 
- -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - -Note: The example below is using the database "local" for the system, so if the system is using another database in /etc/dconf/profile/user, the file should be created under the appropriate subdirectory. - -# touch /etc/dconf/db/local.d/locks/session - -Add the setting to lock the session idle delay: - -/org/gnome/desktop/session/idle-delay - - - - Verify the operating system prevents a user from overriding session idle delay after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console. - -Note: If the system does not have GNOME installed, this requirement is Not Applicable. - -Determine which profile the system database is using with the following command: -# grep system-db /etc/dconf/profile/user - -system-db:local - -Check for the session idle delay setting with the following command: - -Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. - -# grep -i idle-delay /etc/dconf/db/local.d/locks/* - -/org/gnome/desktop/session/idle-delay - -If the command does not return a result, this is a finding. - - - - - SRG-OS-000069-GPOS-00037 - <GroupDescription></GroupDescription> - - RHEL-07-010119 - When passwords are changed or new passwords are established, pwquality must be used. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
"Pwquality" enforces complex password construction configuration on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000192 - Configure the operating system to use "pwquality" to enforce password complexity rules. - -Add the following line to "/etc/pam.d/passwd" (or modify the line to have the required value): - -password required pam_pwquality.so retry=3 - - - - Verify the operating system uses "pwquality" to enforce the password complexity rules. - -Check for the use of "pwquality" with the following command: - -# grep pwquality /etc/pam.d/passwd - -password required pam_pwquality.so retry=3 - -If the command does not return a line containing the value "pam_pwquality.so", this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-021021 - File systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed. - <VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Configure the "/etc/fstab" to use the "noexec" option on file systems that are being exported via NFS. - - - - Verify file systems that are being NFS exported are mounted with the "noexec" option. - -Find the file system(s) that contain the directories being exported with the following command: - -# more /etc/fstab | grep nfs - -UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0 - -If a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, and use of NFS exported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. - - - - - SRG-OS-000342-GPOS-00133 - <GroupDescription></GroupDescription> - - RHEL-07-030321 - The audit system must take appropriate action when there is an error sending audit records to a remote system. 
- <VulnDiscussion>Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001851 - Configure the action the operating system takes if there is an error sending audit records to a remote system. - -Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt". - -network_failure_action = single - - - - Verify the action the operating system takes if there is an error sending audit records to a remote system. - -Check the action that takes place if there is an error sending audit records to a remote system with the following command: - -# grep -i network_failure_action /etc/audisp/audisp-remote.conf -network_failure_action = stop - -If the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding. - - - - - SRG-OS-000004-GPOS-00004 - <GroupDescription></GroupDescription> - - RHEL-07-030871 - The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000018 - CCI-000172 - CCI-001403 - CCI-002130 - Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --w /etc/group -p wa -k identity - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". - -Check the auditing rules in "/etc/audit/audit.rules" with the following command: - -# grep /etc/group /etc/audit/audit.rules - --w /etc/group -p wa -k audit_rules_usergroup_modification - -If the command does not return a line, or the line is commented out, this is a finding. - - - - - SRG-OS-000004-GPOS-00004 - <GroupDescription></GroupDescription> - - RHEL-07-030872 - The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000018 - CCI-000172 - CCI-001403 - CCI-002130 - Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". - -Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --w /etc/gshadow -p wa -k identity - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". - -Check the auditing rules in "/etc/audit/audit.rules" with the following command: - -# grep /etc/gshadow /etc/audit/audit.rules - --w /etc/gshadow -p wa -k audit_rules_usergroup_modification - -If the command does not return a line, or the line is commented out, this is a finding. - - - - - SRG-OS-000004-GPOS-00004 - <GroupDescription></GroupDescription> - - RHEL-07-030873 - The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000018 - CCI-000172 - CCI-001403 - CCI-002130 - Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. - -Add or update the following file system rule in "/etc/audit/rules.d/audit.rules": - --w /etc/shadow -p wa -k identity - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. - -Check the auditing rules in "/etc/audit/audit.rules" with the following command: - -# grep /etc/shadow /etc/audit/audit.rules - --w /etc/shadow -p wa -k audit_rules_usergroup_modification - -If the command does not return a line, or the line is commented out, this is a finding. - - - - - SRG-OS-000004-GPOS-00004 - <GroupDescription></GroupDescription> - - RHEL-07-030874 - The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000018 - CCI-000172 - CCI-001403 - CCI-002130 - Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. - -Add or update the following file system rule in "/etc/audit/rules.d/audit.rules": - --w /etc/opasswd -p wa -k identity - -The audit daemon must be restarted for the changes to take effect. - - - - Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. - -Check the auditing rules in "/etc/audit/rules.d/audit.rules" with the following command: - -# grep /etc/opasswd /etc/audit/rules.d/audit.rules - --w /etc/opasswd -p wa -k audit_rules_usergroup_modification - -If the command does not return a line, or the line is commented out, this is a finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-07-040641 - The system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-000366 - Set the system to ignore IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): - -net.ipv4.conf.all.accept_redirects = 0 - - - - Verify the system ignores IPv4 ICMP redirect messages. - -Check the value of the "accept_redirects" variables with the following command: - -# /sbin/sysctl -a | grep 'net.ipv4.conf.all.accept_redirects' - -net.ipv4.conf.all.accept_redirects=0 - -If both of the returned lines do not have a value of "0", or a line is not returned, this is a finding. - - - - - SRG-OS-000424-GPOS-00188 - <GroupDescription></GroupDescription> - - RHEL-07-041010 - Wireless network adapters must be disabled. - <VulnDiscussion>The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. 
These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat 7 - DISA - DPMS Target - Red Hat 7 - 2777 - - CCI-001443 - CCI-001444 - CCI-002418 - Configure the system to disable all wireless network interfaces with the following command: - -#nmcli radio wifi off - - - - Verify that there are no wireless interfaces configured on the system. - -This is N/A for systems that do not have wireless network adapters. - -Check for the presence of active wireless interfaces with the following command: - -# nmcli device -DEVICE TYPE STATE -eth0 ethernet connected -wlp3s0 wifi disconnected -lo loopback unmanaged - -If a wireless interface is configured and its use on the system is not documented with the Information System Security Officer (ISSO), this is a finding. - - - - diff --git a/doc/metadata/import-existing-notes.py b/doc/metadata/import-existing-notes.py deleted file mode 100644 index 51b36276..00000000 --- a/doc/metadata/import-existing-notes.py +++ /dev/null 
@@ -1,61 +0,0 @@
-#!/usr/bin/env python
-# Copyright 2016, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Import existing developer notes into base YAML format."""
-import os
-
-
-import jinja2
-
-
-SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
-METADATA_DIR = "{0}/rhel6".format(SCRIPT_DIR)
-NOTES_DIR = "{0}/../source/stig-notes".format(SCRIPT_DIR)
-
-yaml_tmp = """---
-id: {{ note_data['id'] }}
-status: {{ note_data['status'] }}
-tag: {{ note_data['tag'] }}
----
-
-{{ note_data['deployer_notes'] }}
-"""
-
-
-note_files = [x for x in os.listdir(NOTES_DIR) if 'developer' in x]
-for note_file in note_files:
- stig_id = note_file[0:7]
-
- with open("{0}/{1}".format(NOTES_DIR, note_file), 'r') as f:
- content = f.read()
-
- first_line = content.splitlines()[0]
- print(first_line)
- if 'exception' in first_line.lower():
- status = 'exception'
- elif 'opt-in' in first_line.lower():
- status = 'opt-in'
- else:
- status = 'implemented'
-
- note_data = {
- 'id': stig_id,
- 'status': status,
- 'tag': 'misc',
- 'deployer_notes': content
- }
-
- with open("{0}/{1}.rst".format(METADATA_DIR, stig_id), 'w') as f:
- template = jinja2.Template(yaml_tmp)
- f.write(template.render(note_data=note_data))
diff --git a/doc/metadata/rhel6/V-38437.rst b/doc/metadata/rhel6/V-38437.rst
deleted file mode 100644
index d050d210..00000000
--- a/doc/metadata/rhel6/V-38437.rst
+++ /dev/null
@@ -1,12 +0,0 @@
----
-id: V-38437
-status: implemented
-tag: services
----
-
-If ``autofs`` is installed, it will be disabled by Ansible tasks. To opt-out
-of this change, adjust the following variable:
-
-.. code-block:: yaml
-
- security_disable_autofs: no
diff --git a/doc/metadata/rhel6/V-38438.rst b/doc/metadata/rhel6/V-38438.rst
deleted file mode 100644
index 17bfefc3..00000000
--- a/doc/metadata/rhel6/V-38438.rst
+++ /dev/null
@@ -1,19 +0,0 @@
----
-id: V-38438
-status: implemented
-tag: boot
----
-
-To opt-out of the change, set the following variable:
-
-.. code-block:: yaml
-
- security_enable_audit_during_boot: no
-
-Deployers may opt-in for the change without automatically updating the active
-``grub.cfg`` file by setting the following Ansible variables:
-
-.. code-block:: yaml
-
- security_enable_audit_during_boot: yes
- security_enable_grub_update: no
diff --git a/doc/metadata/rhel6/V-38439.rst b/doc/metadata/rhel6/V-38439.rst
deleted file mode 100644
index 05dedcf5..00000000
--- a/doc/metadata/rhel6/V-38439.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-38439
-status: exception - manual intervention
-tag: auth
----
-
-Although adding centralized authentication and carefully managing user
-accounts is critical for securing any system, that's left up to deployers
-to handle via their internal business processes.
diff --git a/doc/metadata/rhel6/V-38443.rst b/doc/metadata/rhel6/V-38443.rst
deleted file mode 100644
index de21a6f0..00000000
--- a/doc/metadata/rhel6/V-38443.rst
+++ /dev/null
@@ -1,8 +0,0 @@
----
-id: V-38443
-status: implemented
-tag: auth
----
-
-The ``/etc/gshadow`` file is owned by root by default on Ubuntu 14.04, Ubuntu
-16.04 and CentOS 7. The security role ensures that the file is owned by root.
diff --git a/doc/metadata/rhel6/V-38444.rst b/doc/metadata/rhel6/V-38444.rst
deleted file mode 100644
index 03c9ad8d..00000000
--- a/doc/metadata/rhel6/V-38444.rst
+++ /dev/null
@@ -1,8 +0,0 @@ ---- -id: V-38444 -status: exception - manual intervention -tag: network ---- - -See V-38551 for additional details. IPv6 configuration and filtering is left -up to the deployer. diff --git a/doc/metadata/rhel6/V-38445.rst b/doc/metadata/rhel6/V-38445.rst deleted file mode 100644 index b29a4a55..00000000 --- a/doc/metadata/rhel6/V-38445.rst +++ /dev/null @@ -1,9 +0,0 @@ ---- -id: V-38445 -status: implemented -tag: auditd ---- - -The logs generated by the audit daemon are owned by root in Ubuntu 14.04, -Ubuntu 16.04 and CentOS 7. The Ansible task for V-38445 ensures that the files -are owned by the root user. diff --git a/doc/metadata/rhel6/V-38446.rst b/doc/metadata/rhel6/V-38446.rst deleted file mode 100644 index 8946e490..00000000 --- a/doc/metadata/rhel6/V-38446.rst +++ /dev/null @@ -1,12 +0,0 @@ ---- -id: V-38446 -status: configuration required -tag: mail ---- - -Forwarding root's email to another user is highly recommended so that someone -can receive emails about errors or security events. - -Deployers should set ``security_root_forward_email`` to a valid email address -of a user or mailing list that should receive critical automated emails from -the server. diff --git a/doc/metadata/rhel6/V-38447.rst b/doc/metadata/rhel6/V-38447.rst deleted file mode 100644 index 1387b811..00000000 --- a/doc/metadata/rhel6/V-38447.rst +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -id: V-38447 -status: exception -tag: package ---- - -Although Ubuntu provides the ``debsums`` command for checking the contents of -files installed from packages, it cannot perform a detailed level of checking -sufficient to meet the STIG requirement. Some packages are not shipped with MD5 -checksums for all files. Deployers are encouraged to use ``debsums -c`` -regularly to check for alterations in as many packages as possible. - -Ubuntu does not currently have a capability to check file permissions, -ownership, or group ownership against the permissions that were originally set -when the package was installed. - -In CentOS, the ``rpm`` command can verify package contents, ownership, group -ownership, and permissions after the package has been installed. However, many -configuration files are changed by the security role and this will cause the -verification to fail. - -Deployers should utilize the monitoring capabilities of the ``aide`` package -(which is installed by other Ansible tasks in this role) to determine which -configuration files, libraries or binaries may have been changed. diff --git a/doc/metadata/rhel6/V-38448.rst b/doc/metadata/rhel6/V-38448.rst deleted file mode 100644 index 1bee5107..00000000 --- a/doc/metadata/rhel6/V-38448.rst +++ /dev/null @@ -1,8 +0,0 @@ ---- -id: V-38448 -status: implemented -tag: auth ---- - -Although the ``/etc/gshadow`` file is group-owned by root by default, the -Ansible tasks will ensure that it is configured that way. diff --git a/doc/metadata/rhel6/V-38449.rst b/doc/metadata/rhel6/V-38449.rst deleted file mode 100644 index b8ba84ae..00000000 --- a/doc/metadata/rhel6/V-38449.rst +++ /dev/null @@ -1,8 +0,0 @@ ---- -id: V-38449 -status: implemented -tag: auth ---- - -The ``/etc/gshadow`` file's permissions will be changed to ``0000`` to meet -the requirements of the STIG. diff --git a/doc/metadata/rhel6/V-38450.rst b/doc/metadata/rhel6/V-38450.rst deleted file mode 100644 index 375ada87..00000000 
--- a/doc/metadata/rhel6/V-38450.rst +++ /dev/null @@ -1,7 +0,0 @@ ---- -id: V-38450 -status: implemented -tag: auth ---- - -The ownership of ``/etc/passwd`` will be changed to root. diff --git a/doc/metadata/rhel6/V-38451.rst b/doc/metadata/rhel6/V-38451.rst deleted file mode 100644 index 361c674c..00000000 --- a/doc/metadata/rhel6/V-38451.rst +++ /dev/null @@ -1,7 +0,0 @@ ---- -id: V-38451 -status: implemented -tag: auth ---- - -The group ownership for ``/etc/passwd`` will be set to root. diff --git a/doc/metadata/rhel6/V-38452.rst b/doc/metadata/rhel6/V-38452.rst deleted file mode 100644 index eb82a66e..00000000 --- a/doc/metadata/rhel6/V-38452.rst +++ /dev/null @@ -1,24 +0,0 @@ ---- -id: V-38452 -status: exception -tag: package ---- - -Although Ubuntu provides the ``debsums`` command for checking the contents of -files installed from packages, it cannot perform a detailed level of checking -sufficient to meet the STIG requirement. Some packages are not shipped with MD5 -checksums for all files. Deployers are encouraged to use ``debsums -c`` -regularly to check for alterations in as many packages as possible. - -Ubuntu does not currently have a capability to check file permissions, -ownership, or group ownership against the permissions that were originally set -when the package was installed. - -In CentOS, the ``rpm`` command can verify package contents, ownership, group -ownership, and permissions after the package has been installed. However, many -configuration files are changed by the security role and this will cause the -verification to fail. - -Deployers should utilize the monitoring capabilities of the ``aide`` package -(which is installed by other Ansible tasks in this role) to determine which -configuration files, libraries or binaries may have been changed. diff --git a/doc/metadata/rhel6/V-38453.rst b/doc/metadata/rhel6/V-38453.rst deleted file mode 100644 index 9bb227be..00000000 --- a/doc/metadata/rhel6/V-38453.rst +++ /dev/null 
@@ -1,11 +0,0 @@ ---- -id: V-38453 -status: exception - ubuntu -tag: package ---- - -Verifying ownership and permissions of installed packages isn't possible in the -current version of ``dpkg`` as it is with ``rpm``. This security configuration -is skipped for Ubuntu. - -For CentOS, this check is done as part of V-38637. diff --git a/doc/metadata/rhel6/V-38454.rst b/doc/metadata/rhel6/V-38454.rst deleted file mode 100644 index 2a97162a..00000000 --- a/doc/metadata/rhel6/V-38454.rst +++ /dev/null @@ -1,24 +0,0 @@ ---- -id: V-38454 -status: exception -tag: package ---- - -Although Ubuntu provides the ``debsums`` command for checking the contents of -files installed from packages, it cannot perform a detailed level of checking -sufficient to meet the STIG requirement. Some packages are not shipped with MD5 -checksums for all files. Deployers are encouraged to use ``debsums -c`` -regularly to check for alterations in as many packages as possible. - -Ubuntu does not currently have a capability to check file permissions, -ownership, or group ownership against the permissions that were originally set -when the package was installed. - -In CentOS, the ``rpm`` command can verify package contents, ownership, group -ownership, and permissions after the package has been installed. However, many -configuration files are changed by the security role and this will cause the -verification to fail. - -Deployers should utilize the monitoring capabilities of the ``aide`` package -(which is installed by other Ansible tasks in this role) to determine which -configuration files, libraries or binaries may have been changed. diff --git a/doc/metadata/rhel6/V-38455.rst b/doc/metadata/rhel6/V-38455.rst deleted file mode 100644 index f690d0f9..00000000 --- a/doc/metadata/rhel6/V-38455.rst +++ /dev/null 
@@ -1,12 +0,0 @@ ---- -id: V-38455 -status: exception - initial provisioning -tag: boot ---- - -Configuring another mount for ``/tmp`` can disrupt a running system and this -configuration is skipped. - -However, deployers are strongly urged to consider creating a separate -partition and/or LVM logical volume for ``/tmp`` during installation of the OS -if possible. diff --git a/doc/metadata/rhel6/V-38456.rst b/doc/metadata/rhel6/V-38456.rst deleted file mode 100644 index faed78ab..00000000 --- a/doc/metadata/rhel6/V-38456.rst +++ /dev/null @@ -1,12 +0,0 @@ ---- -id: V-38456 -status: exception - initial provisioning -tag: boot ---- - -Configuring another mount for ``/var`` can disrupt a running system and this -configuration is skipped. - -However, deployers are strongly urged to consider creating a separate -partition and/or LVM logical volume for ``/var`` during installation of the OS -if possible. diff --git a/doc/metadata/rhel6/V-38457.rst b/doc/metadata/rhel6/V-38457.rst deleted file mode 100644 index 074ccc7e..00000000 --- a/doc/metadata/rhel6/V-38457.rst +++ /dev/null @@ -1,7 +0,0 @@ ---- -id: V-38457 -status: implemented -tag: auth ---- - -The permissions for ``/etc/passwd`` will be set to ``0644``. diff --git a/doc/metadata/rhel6/V-38458.rst b/doc/metadata/rhel6/V-38458.rst deleted file mode 100644 index 3d3f7332..00000000 --- a/doc/metadata/rhel6/V-38458.rst +++ /dev/null @@ -1,8 +0,0 @@ ---- -id: V-38458 -status: implemented -tag: auth ---- - -The Ansible task will ensure that the ``/etc/group`` file is owned by the root -user. diff --git a/doc/metadata/rhel6/V-38459.rst b/doc/metadata/rhel6/V-38459.rst deleted file mode 100644 index a61ba6ad..00000000 --- a/doc/metadata/rhel6/V-38459.rst +++ /dev/null @@ -1,8 +0,0 @@ ---- -id: V-38459 -status: implemented -tag: auth ---- - -The Ansible tasks will ensure that ``/etc/group`` is owned by the ``root`` -user. 
diff --git a/doc/metadata/rhel6/V-38460.rst b/doc/metadata/rhel6/V-38460.rst deleted file mode 100644 index 81eb0313..00000000 --- a/doc/metadata/rhel6/V-38460.rst +++ /dev/null @@ -1,10 +0,0 @@ ---- -id: V-38460 -status: implemented -tag: nfsd ---- - -The Ansible tasks will check for ``all_squash`` in ``/etc/exports`` (if it is -present). If found, a warning message will be printed. No configuration -changes will be made since neither Ubuntu or openstack-ansible configures -the NFS server by default. diff --git a/doc/metadata/rhel6/V-38461.rst b/doc/metadata/rhel6/V-38461.rst deleted file mode 100644 index b68ef5aa..00000000 --- a/doc/metadata/rhel6/V-38461.rst +++ /dev/null @@ -1,8 +0,0 @@ ---- -id: V-38461 -status: implemented -tag: auth ---- - -The Ansible tasks will ensure that the mode of ``/etc/group//` is set to -``0644``. diff --git a/doc/metadata/rhel6/V-38462.rst b/doc/metadata/rhel6/V-38462.rst deleted file mode 100644 index 49b30466..00000000 --- a/doc/metadata/rhel6/V-38462.rst +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -id: V-38462 -status: implemented -tag: package ---- - -All versions of Ubuntu and CentOS supported by the role verify packages against -GPG signatures by default. - -Deployers can disable GPG verification for all packages in Ubuntu by setting -the ``AllowUnauthenticated`` configuration option in a file within -``/etc/apt/apt.conf.d/``. The Ansible tasks will search for this configuration -option and will stop the playbook execution if the option is set. Note -that users can pass an argument on the apt command line to bypass the checks as -well, but that's outside the scope of this check and remediation. - -In CentOS, deployers can set ``gpgcheck=0`` within individual yum repository -files in ``/etc/yum.repos.d/`` to disable GPG signature checking. The Ansible -tasks will check for this configuration option in those files and stop the -playbook execution. - -Deployers can use ``--skip-tags V-38462`` to omit these tasks when applying the -security role on systems where GPG verification must be disabled. diff --git a/doc/metadata/rhel6/V-38463.rst b/doc/metadata/rhel6/V-38463.rst deleted file mode 100644 index 5dd410a8..00000000 --- a/doc/metadata/rhel6/V-38463.rst +++ /dev/null @@ -1,12 +0,0 @@ ---- -id: V-38463 -status: exception - initial provisioning -tag: misc ---- - -Configuring a separate partition for ``/var/log`` is currently left up to the -deployer. There are security and operational benefits that come from the -change, but it must be done when the system is initially installed. - -Deployers are urged to consider making a separate partition for ``/var/log`` -during OS installation. diff --git a/doc/metadata/rhel6/V-38464.rst b/doc/metadata/rhel6/V-38464.rst deleted file mode 100644 index d827640f..00000000 --- a/doc/metadata/rhel6/V-38464.rst +++ /dev/null 
@@ -1,26 +0,0 @@ ---- -id: V-38464 -status: implemented -tag: auditd ---- - -The default configuration for ``disk_error_action`` is ``SUSPEND``, which -only suspends audit logging when there is a disk error on the system. -Suspending audit logging can lead to security problems because the system is no -longer keeping track of which syscalls were made. - -The security role sets the configuration to ``SYSLOG`` so that messages are -sent to syslog when disk errors occur. There are additional options available, -like ``EXEC``, ``SINGLE`` or ``HALT``. - -To configure a different ``disk_error_action``, set the following Ansible -variable: - -.. code-block:: yaml - - security_disk_error_action: SYSLOG - -For details on available settings and what they do, run ``man auditd.conf``. -Some options can cause the host to go offline until the issue is fixed. -Deployers are urged to **carefully read the auditd documentation** prior to -changing the ``security_disk_error_action`` setting from the default. diff --git a/doc/metadata/rhel6/V-38465.rst b/doc/metadata/rhel6/V-38465.rst deleted file mode 100644 index c1031383..00000000 --- a/doc/metadata/rhel6/V-38465.rst +++ /dev/null @@ -1,9 +0,0 @@ ---- -id: V-38465 -status: exception -tag: file_perms ---- - -Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set library files to have ``0755`` (or -more restrictive) permissions by default. Deployers are urged to review the -permissions of libraries regularly to ensure the system has not been altered. diff --git a/doc/metadata/rhel6/V-38466.rst b/doc/metadata/rhel6/V-38466.rst deleted file mode 100644 index 87eb69db..00000000 --- a/doc/metadata/rhel6/V-38466.rst +++ /dev/null @@ -1,9 +0,0 @@ ---- -id: V-38466 -status: exception -tag: file_perms ---- - -As with V-38465, Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the ownership of -library files to root by default. Deployers are urged to configure monitoring -for changes to these files. 
diff --git a/doc/metadata/rhel6/V-38467.rst b/doc/metadata/rhel6/V-38467.rst deleted file mode 100644 index 52de7efe..00000000 --- a/doc/metadata/rhel6/V-38467.rst +++ /dev/null @@ -1,8 +0,0 @@ ---- -id: V-38467 -status: exception - initial provisioning -tag: auditd ---- - -Storing audit logs on a separate partition is recommended, but this change -is left up to deployers to configure during the installation of the OS. diff --git a/doc/metadata/rhel6/V-38468.rst b/doc/metadata/rhel6/V-38468.rst deleted file mode 100644 index 5f06f25f..00000000 --- a/doc/metadata/rhel6/V-38468.rst +++ /dev/null @@ -1,27 +0,0 @@ ---- -id: V-38468 -status: implemented -tag: auditd ---- - -The default configuration for ``disk_full_action`` is ``SUSPEND``, which only -suspends audit logging. Suspending audit logging can lead to security problems -because the system is no longer keeping track of which syscalls were made. - -The security role sets the configuration to ``SYSLOG`` so that messages are -sent to syslog when the disk is full. If syslog messages are being sent to -remote servers, these log messages should alert an administrator about the disk -being full. There are additional options available, like ``EXEC``, ``SINGLE`` -or ``HALT``. - -To configure a different ``disk_full_action``, set the following -Ansible variable: - -.. code-block:: yaml - - security_disk_full_action: SYSLOG - -For details on available settings and what they do, run ``man auditd.conf``. -Some options can cause the host to go offline until the issue is fixed. -Deployers are urged to **carefully read the auditd documentation** prior to -changing the ``disk_full_action`` setting from the default. diff --git a/doc/metadata/rhel6/V-38469.rst b/doc/metadata/rhel6/V-38469.rst deleted file mode 100644 index 46d3d69b..00000000 --- a/doc/metadata/rhel6/V-38469.rst +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -id: V-38469 -status: exception -tag: file_perms ---- - -Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the permissions for system -commands to ``0755`` or less already. Deployers are urged to review these -permissions for changes over time as they can be a sign of a compromise. diff --git a/doc/metadata/rhel6/V-38470.rst b/doc/metadata/rhel6/V-38470.rst deleted file mode 100644 index 29a9732e..00000000 --- a/doc/metadata/rhel6/V-38470.rst +++ /dev/null @@ -1,28 +0,0 @@ ---- -id: V-38470 -status: implemented -tag: auditd ---- - -The default configuration for ``security_space_left_action`` is ``SUSPEND``, -which actually only suspends audit logging. Suspending audit logging can lead -to security problems because the system is no longer keeping track of which -syscalls were made. - -The security role sets the configuration to ``SYSLOG`` so that messages are -sent to syslog when the available disk space reaches a low level. If syslog -messages are being sent to remote servers, these log messages should alert an -administrator about the disk being almost full. There are additional options -available, like ``EXEC``, ``SINGLE`` or ``HALT``. - -To configure a different ``space_left_action``, set the following -Ansible variable: - -.. code-block:: yaml - - security_space_left_action: SYSLOG - -For details on available settings and what they do, run ``man auditd.conf``. -Some options can cause the host to go offline until the issue is fixed. -Deployers are urged to **carefully read the auditd documentation** prior to -changing the ``space_left_action`` setting from the default. diff --git a/doc/metadata/rhel6/V-38471.rst b/doc/metadata/rhel6/V-38471.rst deleted file mode 100644 index 152da008..00000000 --- a/doc/metadata/rhel6/V-38471.rst +++ /dev/null 
@@ -1,10 +0,0 @@ ---- -id: V-38471 -status: implemented -tag: auditd ---- - -An Ansible task will adjust ``active`` from ``no`` to ``yes`` in -``/etc/audisp/plugins.d/syslog.conf`` so that auditd records are forwarded to -syslog automatically. The auditd daemon will be restarted if the configuration -file is changed. diff --git a/doc/metadata/rhel6/V-38472.rst b/doc/metadata/rhel6/V-38472.rst deleted file mode 100644 index d3d4d515..00000000 --- a/doc/metadata/rhel6/V-38472.rst +++ /dev/null @@ -1,9 +0,0 @@ ---- -id: V-38472 -status: exception -tag: file_perms ---- - -Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set system commands to be owned by -root by default. Deployers are urged to review ownership changes via auditd -rules to ensure system commands haven't changed ownership over time. diff --git a/doc/metadata/rhel6/V-38473.rst b/doc/metadata/rhel6/V-38473.rst deleted file mode 100644 index d9173ae5..00000000 --- a/doc/metadata/rhel6/V-38473.rst +++ /dev/null @@ -1,8 +0,0 @@ ---- -id: V-38473 -status: exception - initial provisioning -tag: misc ---- - -Creating ``/home`` on a different partition is highly recommended but it is -left to deployers to configure during the installation of the OS. diff --git a/doc/metadata/rhel6/V-38474.rst b/doc/metadata/rhel6/V-38474.rst deleted file mode 100644 index 104a021d..00000000 --- a/doc/metadata/rhel6/V-38474.rst +++ /dev/null @@ -1,8 +0,0 @@ ---- -id: V-38474 -status: exception -tag: x11 ---- - -The openstack-ansible roles don't install X by default, so there is no -graphical desktop to configure. diff --git a/doc/metadata/rhel6/V-38475.rst b/doc/metadata/rhel6/V-38475.rst deleted file mode 100644 index 67eff981..00000000 --- a/doc/metadata/rhel6/V-38475.rst +++ /dev/null 
@@ -1,15 +0,0 @@ ---- -id: V-38475 -status: configuration required -tag: auth ---- - -The STIG recommends passwords to be a minimum of 14 characters in length. To -apply this setting, set the following Ansible variable: - -.. code-block:: yaml - - security_password_minimum_length: 14 - -Deployers are urged to avoid the use of passwords and rely upon SSH keys if -possible. diff --git a/doc/metadata/rhel6/V-38476.rst b/doc/metadata/rhel6/V-38476.rst deleted file mode 100644 index 4f6c701e..00000000 --- a/doc/metadata/rhel6/V-38476.rst +++ /dev/null @@ -1,13 +0,0 @@ ---- -id: V-38476 -status: implemented -tag: package ---- - -The security role verifies that the GPG keys that correspond to each supported -Linux distribution are installed on each host. If the GPG keys are not found, -or if they differ from the list of trusted GPG keys, the playbook execution -will stop. - -Deployers can skip this task (and avoid this failure) by using ``--skip-tags -V-38476`` when they are applying the security role. diff --git a/doc/metadata/rhel6/V-38477.rst b/doc/metadata/rhel6/V-38477.rst deleted file mode 100644 index 3e3266d4..00000000 --- a/doc/metadata/rhel6/V-38477.rst +++ /dev/null @@ -1,12 +0,0 @@ ---- -id: V-38477 -status: configuration required -tag: auth ---- - -The STIG recommends setting a limit of one password change per day. To enable -this configuration, use this Ansible variable: - -.. code-block:: yaml - - security_password_minimum_days: 14 diff --git a/doc/metadata/rhel6/V-38478.rst b/doc/metadata/rhel6/V-38478.rst deleted file mode 100644 index 78aba6a0..00000000 --- a/doc/metadata/rhel6/V-38478.rst +++ /dev/null @@ -1,10 +0,0 @@ ---- -id: V-38478 -status: exception -tag: package ---- - -Ubuntu and CentOS do not use the Red Hat Network Service. However, there are -tasks in the security role which ensure that all packages have GPG checks -enabled (see V-38462) and provide the option for deployers to apply updates -automatically. 
diff --git a/doc/metadata/rhel6/V-38479.rst b/doc/metadata/rhel6/V-38479.rst deleted file mode 100644 index 52223d82..00000000 --- a/doc/metadata/rhel6/V-38479.rst +++ /dev/null @@ -1,12 +0,0 @@ ---- -id: V-38479 -status: configuration required -tag: auth ---- - -The STIG recommends setting a limit of 60 days before a password must -be changed. To enable this configuration, use this Ansible variable: - -.. code-block:: yaml - - security_password_maximum_days: 60 diff --git a/doc/metadata/rhel6/V-38480.rst b/doc/metadata/rhel6/V-38480.rst deleted file mode 100644 index d062505a..00000000 --- a/doc/metadata/rhel6/V-38480.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-38480 -status: configuration required -tag: auth ---- - -After enabling password age limits in V-38479, be sure to configure -warnings for users so they know when their password is approaching expiration. -STIG's recommendation is seven days prior to the expiration. Use an Ansible -variable to configure the warning: - -.. code-block:: yaml - - security_password_warn_age: 7 diff --git a/doc/metadata/rhel6/V-38481.rst b/doc/metadata/rhel6/V-38481.rst deleted file mode 100644 index a1eb9233..00000000 --- a/doc/metadata/rhel6/V-38481.rst +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -id: V-38481 -status: opt-in -tag: package ---- - -Operating system patching policies vary from organization to organization and -are typically established based on business requirements and risk tolerance. - -.. note:: - - Automatically upgrading packages can provide significant security benefits, - but they can reduce availability and reliability. Updating packages can - cause daemons to restart on some systems and they can cause local - customizations of configuration files to be lost. - - Deployers are **strongly urged** to understand the nature of this change - and the associated risks prior to enabling automatic upgrades. - -Deployers can enable automatic updates by setting -``security_unattended_upgrades`` to ``True``: - -.. code-block:: yaml - - security_unattended_upgrades: true - -In Ubuntu, the ``unattended-upgrades`` package is installed and enabled. This -will apply updates that are made available to the trusty-security (Ubuntu -14.04) or xenial-security (Ubuntu 16.04) repositories. - -In CentOS, the ``yum-cron`` package is installed and configured to -automatically apply updates. diff --git a/doc/metadata/rhel6/V-38482.rst b/doc/metadata/rhel6/V-38482.rst deleted file mode 100644 index ad8db957..00000000 --- a/doc/metadata/rhel6/V-38482.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-38482 -status: exception -tag: auth ---- - -Password complexity requirements are left up to the deployer. Deployers are -urged to rely on SSH keys as often as possible to avoid problems with -passwords. - -Review the pam_cracklib documentation by running ``man pam_cracklib`` or -read the `detailed documentation from Hal Pomeranz`_. - -.. _detailed documentation from Hal Pomeranz: http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html diff --git a/doc/metadata/rhel6/V-38483.rst b/doc/metadata/rhel6/V-38483.rst deleted file mode 100644 index 87edb3a5..00000000 --- a/doc/metadata/rhel6/V-38483.rst +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -id: V-38483 -status: implemented -tag: package ---- - -The Ansible task for V-38462 already checks for configurations that would -disable any GPG checks when installing packages. However, it is possible for -the root user to override these configurations via command line parameters. diff --git a/doc/metadata/rhel6/V-38484.rst b/doc/metadata/rhel6/V-38484.rst deleted file mode 100644 index 125db0dc..00000000 --- a/doc/metadata/rhel6/V-38484.rst +++ /dev/null @@ -1,9 +0,0 @@ ---- -id: V-38484 -status: implemented -tag: package ---- - -Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 already enable the display of the last -successful login for a user immediately after login. An Ansible task ensures -this setting is applied and restarts the ssh daemon if necessary. diff --git a/doc/metadata/rhel6/V-38486.rst b/doc/metadata/rhel6/V-38486.rst deleted file mode 100644 index 8b7a0008..00000000 --- a/doc/metadata/rhel6/V-38486.rst +++ /dev/null @@ -1,9 +0,0 @@ ---- -id: V-38486 -status: exception -tag: misc ---- - -System backups are left to the deployer to configure. Deployers are stringly -urged to maintain backups of each system, including log files and critical -configuration information. diff --git a/doc/metadata/rhel6/V-38487.rst b/doc/metadata/rhel6/V-38487.rst deleted file mode 100644 index b34de394..00000000 --- a/doc/metadata/rhel6/V-38487.rst +++ /dev/null @@ -1,9 +0,0 @@ ---- -id: V-38487 -status: implemented -tag: package ---- - -The Ansible task for V-38462 already checks for apt configurations that would -disable any GPG checks when installing packages. However, it's possible for -the root user to override these configurations via command line parameters. diff --git a/doc/metadata/rhel6/V-38488.rst b/doc/metadata/rhel6/V-38488.rst deleted file mode 100644 index 1eb8b731..00000000 --- a/doc/metadata/rhel6/V-38488.rst +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -id: V-38488 -status: exception -tag: misc ---- - -System backups are left to the deployer to configure. Deployers are stringly -urged to maintain backups of each system, including log files and critical -configuration information. diff --git a/doc/metadata/rhel6/V-38489.rst b/doc/metadata/rhel6/V-38489.rst deleted file mode 100644 index 68a3e6fa..00000000 --- a/doc/metadata/rhel6/V-38489.rst +++ /dev/null @@ -1,8 +0,0 @@ ---- -id: V-38489 -status: implemented -tag: aide ---- - -The security role installs and configures the ``aide`` package to provide file -integrity monitoring on the host. diff --git a/doc/metadata/rhel6/V-38490.rst b/doc/metadata/rhel6/V-38490.rst deleted file mode 100644 index 631d97f1..00000000 --- a/doc/metadata/rhel6/V-38490.rst +++ /dev/null @@ -1,15 +0,0 @@ ---- -id: V-38490 -status: opt-in -tag: kernel ---- - -Disabling the ``usb-storage`` module can add extra security, but it's not -necessary on most systems. To disable the ``usb-storage`` module on hosts, -set the following variable to ``yes``: - -.. code-block:: yaml - - security_disable_module_usb_storage: yes - -**NOTE:** The module will be disabled on the next reboot. diff --git a/doc/metadata/rhel6/V-38491.rst b/doc/metadata/rhel6/V-38491.rst deleted file mode 100644 index 1285518d..00000000 --- a/doc/metadata/rhel6/V-38491.rst +++ /dev/null @@ -1,12 +0,0 @@ ---- -id: V-38491 -status: implemented -tag: auth ---- - -The Ansible task will check for the presence of ``/etc/hosts.equiv`` and -``/root/.rhosts``. Both of those files could potentially be used with ``rsh`` -for host access. - -The ``rshd`` daemon is not installed by default with Ubuntu 14.04, Ubuntu -16.04, CentOS 7, or OpenStack-Ansible. diff --git a/doc/metadata/rhel6/V-38492.rst b/doc/metadata/rhel6/V-38492.rst deleted file mode 100644 index 40b6031f..00000000 --- a/doc/metadata/rhel6/V-38492.rst +++ /dev/null 
@@ -1,14 +0,0 @@
----
-id: V-38492
-status: exception
-tag: auth
----
-
-Virtual consoles are helpful during an emergency and they can only be reached
-by physical or other out-of-band access (such as DRAC, iLO, or iKVM). This
-change can be confusing for system administrators and it is left up to the
-deployer to complete.
-
-As an alternative, deployers could take action to restrict physical access to
-server terminals. Out-of-band access mechanisms should be segmented onto their
-own restricted network and should use centralized authentication.
diff --git a/doc/metadata/rhel6/V-38493.rst b/doc/metadata/rhel6/V-38493.rst
deleted file mode 100644
index f2c87f75..00000000
--- a/doc/metadata/rhel6/V-38493.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-38493
-status: implemented
-tag: auditd
----
-
-Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the mode of ``/var/log/audit/`` to
-``0750`` by default. The Ansible task for this requirement ensures that the
-mode is ``0750`` (which is more strict than the STIG requirement).
diff --git a/doc/metadata/rhel6/V-38494.rst b/doc/metadata/rhel6/V-38494.rst
deleted file mode 100644
index 9bfd9973..00000000
--- a/doc/metadata/rhel6/V-38494.rst
+++ /dev/null
@@ -1,11 +0,0 @@
----
-id: V-38494
-status: exception
-tag: auth
----
-
-Removing serial consoles from ``/etc/securetty`` can make troubleshooting
-a server extremely difficult. Deployers are urged to use strong physical
-security practices to prevent unauthorized users from gaining physical access
-to critical hosts. In addition, out-of-band systems that allow for serial
-over LAN access should also be heavily secured.
diff --git a/doc/metadata/rhel6/V-38495.rst b/doc/metadata/rhel6/V-38495.rst
deleted file mode 100644
index 827df0c9..00000000
--- a/doc/metadata/rhel6/V-38495.rst
+++ /dev/null
@@ -1,8 +0,0 @@
----
-id: V-38495
-status: implemented
-tag: auditd
----
-
-The Ansible tasks will ensure that files in ``/var/log/audit`` are owned
-by the root user.
diff --git a/doc/metadata/rhel6/V-38496.rst b/doc/metadata/rhel6/V-38496.rst
deleted file mode 100644
index 4dafc238..00000000
--- a/doc/metadata/rhel6/V-38496.rst
+++ /dev/null
@@ -1,17 +0,0 @@
----
-id: V-38496
-status: exception - manual intervention
-tag: auth
----
-
-The Ansible tasks will check for default system accounts (other than root)
-that are not locked. The tasks won't take any action, however, because
-any action could cause authorized users to be unable to access the system.
-However, if any unlocked default system accounts are found, the playbook will
-fail with an error message until the user accounts are locked.
-
-Deployers who intentionally want to skip this step should use
-``--skip-tags V-38496`` to avoid a playbook failure on this check.
-
-Deployers are urged to audit the accounts on their systems and lock any users
-that don't need to log in via consoles or via ssh.
diff --git a/doc/metadata/rhel6/V-38497.rst b/doc/metadata/rhel6/V-38497.rst
deleted file mode 100644
index 701563ab..00000000
--- a/doc/metadata/rhel6/V-38497.rst
+++ /dev/null
@@ -1,28 +0,0 @@
----
-id: V-38497
-status: implemented
-tag: auth
----
-
-Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 allow accounts with null passwords to
-authenticate via PAM by default. This STIG requires that those login attempts
-are blocked.
-
-For Ubuntu, the ``nullok_secure`` option will be removed from ``/etc/pam.d
-/common-auth``.
-
-For CentOS, the ``nullok`` option will be removed from ``/etc/pam.d/system-
-auth``.
-
-The effects of the change are **immediate** and no service restarts are
-required.
-
-Deployers can opt-out of this change by adjusting an Ansible variable:
-
-.. code-block:: yaml
-
- security_pam_remove_nullok: no
-
-Setting the variable to ``yes`` (the default) will cause the Ansible tasks to
-remove the ``nullok_secure`` parameter while setting the variable to ``no``
-will leave the PAM configuration unchanged.
diff --git a/doc/metadata/rhel6/V-38498.rst b/doc/metadata/rhel6/V-38498.rst
deleted file mode 100644
index c11b635c..00000000
--- a/doc/metadata/rhel6/V-38498.rst
+++ /dev/null
@@ -1,14 +0,0 @@
----
-id: V-38498
-status: implemented
-tag: auditd
----
-
-Ubuntu and CentOS set the current audit log (the one that is actively being
-written to) to ``0600`` so that only the root user can read and write to it.
-The older, rotated logs are set to ``0400`` since they should not receive
-any more writes.
-
-The STIG requirement states that log files must have mode ``0640`` or less. The
-security role will remove any permissions that are not allowed by the STIG
-(``u-x,g-wx,o-rwx``).
diff --git a/doc/metadata/rhel6/V-38499.rst b/doc/metadata/rhel6/V-38499.rst
deleted file mode 100644
index 6acc252a..00000000
--- a/doc/metadata/rhel6/V-38499.rst
+++ /dev/null
@@ -1,8 +0,0 @@
----
-id: V-38499
-status: implemented
-tag: auth
----
-
-The Ansible task will search for password hashes in ``/etc/passwd`` using
-awk and report a failure if any are found.
diff --git a/doc/metadata/rhel6/V-38500.rst b/doc/metadata/rhel6/V-38500.rst
deleted file mode 100644
index 03529480..00000000
--- a/doc/metadata/rhel6/V-38500.rst
+++ /dev/null
@@ -1,13 +0,0 @@
----
-id: V-38500
-status: implemented
-tag: auth
----
-
-The Ansible tasks will search for accounts in ``/etc/passwd`` that have UID 0
-that aren't the normal root account. If any matching accounts are found, a
-warning is printed to stdout and the Ansible play will fail.
-
-No action is taken on those accounts as that action may disrupt a production
-environment. Deployers are strongly urged to use ``sudo`` for these types of
-actions.
diff --git a/doc/metadata/rhel6/V-38501.rst b/doc/metadata/rhel6/V-38501.rst
deleted file mode 100644
index a58fb5d7..00000000
--- a/doc/metadata/rhel6/V-38501.rst
+++ /dev/null
@@ -1,43 +0,0 @@
----
-id: V-38501
-status: opt-in
-tag: auth
----
-
-Adjusting PAM configurations is very risky since it affects how all users
-authenticate. In addition, ``pam_faillock.so`` isn't available in Ubuntu.
-
-Another option is to utilize ``pam_tally`` to deny logins after failed
-attempts. Adjusting PAM configurations automatically can disrupt the operation
-of production systems, so this is left up to the deployer to configure.
-For more details on how to configure ``pam_tally``, refer to `this AskUbuntu
-article about pam_tally`_.
-
-Another alternative is `fail2ban`_. Read the notes below for more tails on
-this option.
-
-The Ansible tasks will install `fail2ban`_ and configure it to ban IP
-addresses using the following logic
-
-* The IP has attempted three logins in the last 10 minutes and all have failed
-* That IP will be banned for 15 minutes (via iptables rules)
-
-Deployers must opt-in for fail2ban to be installed and configured. To opt-in,
-set the ``security_install_fail2ban`` Ansible variable to ``yes``. The time
-period for bans can also be configured (in seconds) via tha
-``security_fail2ban_bantime`` variable:
-
-.. code-block:: yaml
-
- security_install_fail2ban: yes
- security_fail2ban_bantime: 900
-
-**NOTE:** Fail2ban can only review authentication attempts for services that
-listen on the network, such as ssh. It has no control over physical consoles.
-Deployers are strongly urged to use stong physical security policies to
-prevent unauthorized users from accessing server consoles. In addition,
-deployers must secure out-of-band access methods, like IPMI, as they can be
-vectors for physical console access as well.
-
-.. _this AskUbuntu article about pam_tally: http://askubuntu.com/questions/59459/how-do-i-enable-account-lockout-using-pam-tally
-.. _fail2ban: https://en.wikipedia.org/wiki/Fail2ban
diff --git a/doc/metadata/rhel6/V-38502.rst b/doc/metadata/rhel6/V-38502.rst
deleted file mode 100644
index f02ed570..00000000
--- a/doc/metadata/rhel6/V-38502.rst +++ /dev/null @@ -1,8 +0,0 @@ ---- -id: V-38502 -status: implemented -tag: auth ---- - -The user and group ownership of ``/etc/passwd`` is root by default. The Ansible -task will ensure that the default is maintained. diff --git a/doc/metadata/rhel6/V-38503.rst b/doc/metadata/rhel6/V-38503.rst deleted file mode 100644 index 84787e95..00000000 --- a/doc/metadata/rhel6/V-38503.rst +++ /dev/null @@ -1,8 +0,0 @@ ---- -id: V-38503 -status: implemented -tag: auth ---- - -The user and group ownership of ``/etc/passwd`` is root by default. The Ansible -task will ensure that the default is maintained. diff --git a/doc/metadata/rhel6/V-38504.rst b/doc/metadata/rhel6/V-38504.rst deleted file mode 100644 index b01a883e..00000000 --- a/doc/metadata/rhel6/V-38504.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-38504 -status: implemented -tag: auth ---- - -Ubuntu 14.04 and Ubuntu 16.04 set the mode of ``/etc/shadow`` to ``0640``, but -CentOS 7 sets it to ``000``. The STIG requires the mode to be ``000`` and the -Ansible tasks in the security role ensure that the mode meets the requirement. - -**Special note for Ubuntu:** This change doesn't affect how the system operates -since root is the only user that should be able to read from and write to -``/etc/shadow``. Allowing users to read the file could open up the system to -attacks since the password hashes can be dumped and brute forced. diff --git a/doc/metadata/rhel6/V-38511.rst b/doc/metadata/rhel6/V-38511.rst deleted file mode 100644 index 7d3d0b7c..00000000 --- a/doc/metadata/rhel6/V-38511.rst +++ /dev/null @@ -1,9 +0,0 @@ ---- -id: V-38511 -status: implemented -tag: misc ---- - -Running virtual infrastructure requires IP forwarding to be enabled on various -interfaces. The STIG allows for this, so long as the system is being operated -as a router (as is the case for an OpenStack host). 
diff --git a/doc/metadata/rhel6/V-38512.rst b/doc/metadata/rhel6/V-38512.rst deleted file mode 100644 index 8a380292..00000000 --- a/doc/metadata/rhel6/V-38512.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-38512 -status: exception -tag: network ---- - -Although a minimal set of iptables rules are configured on openstack-ansible -hosts, the "deny all" requirement of the STIG is not met. This is largely left -up to the deployer to do, based on their assessment of their own network -segmentation. - -Deployers are urged to review the network access controls that are applied -on the network devices between their OpenStack environment and the rest of -their network. diff --git a/doc/metadata/rhel6/V-38513.rst b/doc/metadata/rhel6/V-38513.rst deleted file mode 100644 index 4b4ec54d..00000000 --- a/doc/metadata/rhel6/V-38513.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-38513 -status: exception - manual intervention -tag: network ---- - -Although a minimal set of iptables rules are configured on openstack-ansible -hosts, the "deny all" requirement of the STIG is not met. This is largely left -up to the deployer to do, based on their assessment of their own network -segmentation. - -Deployers are urged to review the network access controls that are applied -on the network devices between their OpenStack environment and the rest of -their network. diff --git a/doc/metadata/rhel6/V-38514.rst b/doc/metadata/rhel6/V-38514.rst deleted file mode 100644 index c834849f..00000000 --- a/doc/metadata/rhel6/V-38514.rst +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -id: V-38514 -status: implemented -tag: kernel ---- - -The Datagram Congestion Control Protocol (DCCP) must be disabled if it's not -needed. Although this protocol is occasionally used in some OpenStack -environments for quality of service functions, it is not in the default -implementation. - -To opt-out of this change, simply change the following variable to ``no``: - -.. code-block:: yaml - - security_disable_module_dccp: no - -**NOTE:** The module will be disabled on the next reboot. diff --git a/doc/metadata/rhel6/V-38515.rst b/doc/metadata/rhel6/V-38515.rst deleted file mode 100644 index af224af7..00000000 --- a/doc/metadata/rhel6/V-38515.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-38515 -status: implemented -tag: kernel ---- - -The Stream Control Transmission Protocol (SCTP) must be disabled. To opt-out of -this change, set the following variable to ``no``: - -.. code-block:: yaml - - security_disable_module_sctp: no - -**NOTE:** The module will be disabled on the next reboot. diff --git a/doc/metadata/rhel6/V-38516.rst b/doc/metadata/rhel6/V-38516.rst deleted file mode 100644 index 78e84122..00000000 --- a/doc/metadata/rhel6/V-38516.rst +++ /dev/null @@ -1,18 +0,0 @@ ---- -id: V-38516 -status: implemented -tag: kernel ---- - -The `Reliable Datagram Sockets (RDS)`_ protocol must be disabled. The Ansible -tasks in this role will disable the module. - -.. _Reliable Datagram Sockets (RDS): https://en.wikipedia.org/wiki/Reliable_Datagram_Sockets - -To opt-out of this change, set the following variable to ``no``: - -.. code-block:: yaml - - security_disable_module_rds: no - -**NOTE:** The module will be disabled on the next reboot. diff --git a/doc/metadata/rhel6/V-38517.rst b/doc/metadata/rhel6/V-38517.rst deleted file mode 100644 index fc5d5ed5..00000000 --- a/doc/metadata/rhel6/V-38517.rst +++ /dev/null 
@@ -1,16 +0,0 @@ ---- -id: V-38517 -status: implemented -tag: kernel ---- - -The `Transparent Inter-Process Communication (TIPC)`_ protocol must be -disabled. To opt-out of this change, set the following variable to ``no``: - -.. _Transparent Inter-Process Communication (TIPC): https://en.wikipedia.org/wiki/TIPC - -.. code-block:: yaml - - security_disable_module_tipc: no - -**NOTE:** The module will be disabled on the next reboot. diff --git a/doc/metadata/rhel6/V-38518.rst b/doc/metadata/rhel6/V-38518.rst deleted file mode 100644 index 0ca417b3..00000000 --- a/doc/metadata/rhel6/V-38518.rst +++ /dev/null @@ -1,12 +0,0 @@ ---- -id: V-38518 -status: exception -tag: file_perms ---- - -Different systems may have different log files populated depending on the type -of data that ``rsyslogd`` receives. By default, log files are created with the -user and group ownership set to root. - -Deployers should review the files generated by the ``rsyslogd`` daemon to -verify that they have the most restrictive ownership and permissions. diff --git a/doc/metadata/rhel6/V-38519.rst b/doc/metadata/rhel6/V-38519.rst deleted file mode 100644 index c3bd6a67..00000000 --- a/doc/metadata/rhel6/V-38519.rst +++ /dev/null @@ -1,12 +0,0 @@ ---- -id: V-38519 -status: exception -tag: file_perms ---- - -Different systems may have different log files populated depending on the type -of data that ``rsyslogd`` receives. By default, log files are created with the -user and group ownership set to root. - -Deployers should review the files generated by the ``rsyslogd`` daemon to -verify that they have the most restrictive ownership and permissions. diff --git a/doc/metadata/rhel6/V-38520.rst b/doc/metadata/rhel6/V-38520.rst deleted file mode 100644 index baaa7a1d..00000000 --- a/doc/metadata/rhel6/V-38520.rst +++ /dev/null 
@@ -1,12 +0,0 @@ ---- -id: V-38520 -status: exception - manual intervention -tag: log ---- - -At the moment, openstack-ansible already sends logs to the rsyslog container -from various containers and hosts. However, deployers are strongly urged -to forward these logs to a system outside their openstack-ansible environment -to ensure that they cannot be altered. - -Some compliance programs require centralized logging, including PCI-DSS. diff --git a/doc/metadata/rhel6/V-38521.rst b/doc/metadata/rhel6/V-38521.rst deleted file mode 100644 index 6751a53b..00000000 --- a/doc/metadata/rhel6/V-38521.rst +++ /dev/null @@ -1,12 +0,0 @@ ---- -id: V-38521 -status: exception - manual intervention -tag: log ---- - -At the moment, openstack-ansible already sends logs to the rsyslog container -from various containers and hosts. However, deployers are strongly urged -to forward these logs to a system outside their openstack-ansible environment -to ensure that they cannot be altered. - -Some compliance programs require centralized logging, including PCI-DSS. diff --git a/doc/metadata/rhel6/V-38522.rst b/doc/metadata/rhel6/V-38522.rst deleted file mode 100644 index c785ed94..00000000 --- a/doc/metadata/rhel6/V-38522.rst +++ /dev/null @@ -1,7 +0,0 @@ ---- -id: V-38522 -status: implemented -tag: misc ---- - -Rules are added for auditing changes to system time made via ``settimeofday``. diff --git a/doc/metadata/rhel6/V-38523.rst b/doc/metadata/rhel6/V-38523.rst deleted file mode 100644 index 2ea5258e..00000000 --- a/doc/metadata/rhel6/V-38523.rst +++ /dev/null 
@@ -1,17 +0,0 @@ ---- -id: V-38523 -status: exception -tag: kernel ---- - -The STIG makes several requirements for IPv4 network restrictions, but these -restrictions can impact certain network interfaces and cause service -disruptions. Some security configurations make sense for certain types of -network interfaces, like bridges, but other restrictions cause the network -interface to stop passing valid traffic between hosts, containers, or virtual -machines. - -The default network scripts and LXC userspace tools already configure various -network devices to their most secure setting. Since some hosts will act as -routers, enabling security configurations that restrict network traffic can -cause service disruptions for OpenStack environments. diff --git a/doc/metadata/rhel6/V-38524.rst b/doc/metadata/rhel6/V-38524.rst deleted file mode 100644 index b32c35c7..00000000 --- a/doc/metadata/rhel6/V-38524.rst +++ /dev/null @@ -1,15 +0,0 @@ ---- -id: V-38524 -status: opt-in -tag: kernel ---- - -The STIG requires that ICMPv4 redirects are disabled on the host. However, this -can cause problems with LXC-based deployments, such as environments deployed -with OpenStack-Ansible. - -Deployers can opt-in for this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_disable_icmpv4_redirects: yes diff --git a/doc/metadata/rhel6/V-38525.rst b/doc/metadata/rhel6/V-38525.rst deleted file mode 100644 index 5778d348..00000000 --- a/doc/metadata/rhel6/V-38525.rst +++ /dev/null @@ -1,7 +0,0 @@ ---- -id: V-38525 -status: implemented -tag: auditd ---- - -Rules are added for auditing changes to system time done via ``stime``. diff --git a/doc/metadata/rhel6/V-38526.rst b/doc/metadata/rhel6/V-38526.rst deleted file mode 100644 index 27efc170..00000000 --- a/doc/metadata/rhel6/V-38526.rst +++ /dev/null 
@@ -1,16 +0,0 @@ ---- -id: V-38526 -status: opt-in -tag: kernel ---- - -The STIG requires that secure ICMP redirects are disabled, but this can cause -issues in some virtualized or containerized environments. The Ansible tasks -in the security role will not disable these redirects by default. - -Deployers who want to enable the task (and disable ICMP redirects), should set -the following Ansible variable: - -.. code-block:: yaml - - security_disable_icmpv4_redirects_secure: yes diff --git a/doc/metadata/rhel6/V-38527.rst b/doc/metadata/rhel6/V-38527.rst deleted file mode 100644 index 88bf3242..00000000 --- a/doc/metadata/rhel6/V-38527.rst +++ /dev/null @@ -1,8 +0,0 @@ ---- -id: V-38527 -status: implemented -tag: auditd ---- - -Rules are added for auditing changes to system time done via -``clock_settime``. diff --git a/doc/metadata/rhel6/V-38528.rst b/doc/metadata/rhel6/V-38528.rst deleted file mode 100644 index 16f486b0..00000000 --- a/doc/metadata/rhel6/V-38528.rst +++ /dev/null @@ -1,26 +0,0 @@ ---- -id: V-38528 -status: opt-in -tag: kernel ---- - -The STIG requires that all martian packets are logged by setting the sysctl -parameter ``net.ipv4.conf.all.log_martians`` to ``1``. - -Although the logs can be valuable in some situations, the setting can generate -a *significant* amount of logging in OpenStack environments, especially those -that use neutron's Linux bridge networking. In some situations, the logging can -flood the physical terminal and make troubleshooting at the console or via out -of band (like iKVM, DRAC and iLO) **extremely difficult**. - -The role will ensure that martian packet logging is disabled by default. -Deployers that need this logging enabled will need to set the following -Ansible variable: - -.. code-block:: yaml - - security_sysctl_enable_martian_logging: yes - -Wikpedia's article on `martian packets`_ provides additional information. - -.. _martian packets: https://en.wikipedia.org/wiki/Martian_packet 
diff --git a/doc/metadata/rhel6/V-38529.rst b/doc/metadata/rhel6/V-38529.rst deleted file mode 100644 index 78ed16e9..00000000 --- a/doc/metadata/rhel6/V-38529.rst +++ /dev/null @@ -1,17 +0,0 @@ ---- -id: V-38529 -status: exception -tag: kernel ---- - -The STIG makes several requirements for IPv4 network restrictions, but these -restrictions can impact certain network interfaces and cause service -disruptions. Some security configurations make sense for certain types of -network interfaces, like bridges, but other restrictions cause the network -interface to stop passing valid traffic between hosts, containers, or virtual -machines. - -The default network scripts and LXC userspace tools already configure various -network devices to their most secure setting. Since some hosts will act as -routers, enabling security configurations that restrict network traffic can -cause service disruptions for OpenStack environments. diff --git a/doc/metadata/rhel6/V-38530.rst b/doc/metadata/rhel6/V-38530.rst deleted file mode 100644 index 552fe6cb..00000000 --- a/doc/metadata/rhel6/V-38530.rst +++ /dev/null @@ -1,8 +0,0 @@ ---- -id: V-38530 -status: implemented -tag: auditd ---- - -Rules are added to auditd to log all attempts to change the system time using -``/etc/localtime``. diff --git a/doc/metadata/rhel6/V-38531.rst b/doc/metadata/rhel6/V-38531.rst deleted file mode 100644 index 7bccd652..00000000 --- a/doc/metadata/rhel6/V-38531.rst +++ /dev/null @@ -1,7 +0,0 @@ ---- -id: V-38531 -status: implemented -tag: auditd ---- - -The audit rules from V-38534 already cover all account modifications. diff --git a/doc/metadata/rhel6/V-38532.rst b/doc/metadata/rhel6/V-38532.rst deleted file mode 100644 index e6d33f48..00000000 --- a/doc/metadata/rhel6/V-38532.rst +++ /dev/null 
@@ -1,17 +0,0 @@ ---- -id: V-38532 -status: exception -tag: kernel ---- - -The STIG makes several requirements for IPv4 network restrictions, but these -restrictions can impact certain network interfaces and cause service -disruptions. Some security configurations make sense for certain types of -network interfaces, like bridges, but other restrictions cause the network -interface to stop passing valid traffic between hosts, containers, or virtual -machines. - -The default network scripts and LXC userspace tools already configure various -network devices to their most secure setting. Since some hosts will act as -routers, enabling security configurations that restrict network traffic can -cause service disruptions for OpenStack environments. diff --git a/doc/metadata/rhel6/V-38533.rst b/doc/metadata/rhel6/V-38533.rst deleted file mode 100644 index 9478de85..00000000 --- a/doc/metadata/rhel6/V-38533.rst +++ /dev/null @@ -1,17 +0,0 @@ ---- -id: V-38533 -status: exception -tag: kernel ---- - -The STIG makes several requirements for IPv4 network restrictions, but these -restrictions can impact certain network interfaces and cause service -disruptions. Some security configurations make sense for certain types of -network interfaces, like bridges, but other restrictions cause the network -interface to stop passing valid traffic between hosts, containers, or virtual -machines. - -The default network scripts and LXC userspace tools already configure various -network devices to their most secure setting. Since some hosts will act as -routers, enabling security configurations that restrict network traffic can -cause service disruptions for OpenStack environments. diff --git a/doc/metadata/rhel6/V-38534.rst b/doc/metadata/rhel6/V-38534.rst deleted file mode 100644 index 6b00d0e0..00000000 --- a/doc/metadata/rhel6/V-38534.rst +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -id: V-38534 -status: implemented -tag: auditd ---- - -Audit rules are added in a task so that any events associated with -account modifications are logged. The new audit rule will be loaded immediately -with ``augenrules --load``. diff --git a/doc/metadata/rhel6/V-38535.rst b/doc/metadata/rhel6/V-38535.rst deleted file mode 100644 index 956bd4ce..00000000 --- a/doc/metadata/rhel6/V-38535.rst +++ /dev/null @@ -1,9 +0,0 @@ ---- -id: V-38535 -status: implemented -tag: kernel ---- - -The Ansible tasks will ensure that ``net.ipv4.icmp_echo_ignore_broadcasts`` is -set to ``1``, which will cause the system to stop responding to ICMPv4 packets -sent to the broadcast address. diff --git a/doc/metadata/rhel6/V-38536.rst b/doc/metadata/rhel6/V-38536.rst deleted file mode 100644 index e7b35ed7..00000000 --- a/doc/metadata/rhel6/V-38536.rst +++ /dev/null @@ -1,7 +0,0 @@ ---- -id: V-38536 -status: implemented -tag: auditd ---- - -The audit rules from V-38534 already cover all account modifications. diff --git a/doc/metadata/rhel6/V-38537.rst b/doc/metadata/rhel6/V-38537.rst deleted file mode 100644 index 31e9c245..00000000 --- a/doc/metadata/rhel6/V-38537.rst +++ /dev/null @@ -1,9 +0,0 @@ ---- -id: V-38537 -status: implemented -tag: kernel ---- - -The Ansible tasks will ensure that -``net.ipv4.icmp_ignore_bogus_error_responses`` is set to ``1``. This prevents -a host from responding to bogus ICMPv4 error messages. diff --git a/doc/metadata/rhel6/V-38538.rst b/doc/metadata/rhel6/V-38538.rst deleted file mode 100644 index 2dadb702..00000000 --- a/doc/metadata/rhel6/V-38538.rst +++ /dev/null @@ -1,7 +0,0 @@ ---- -id: V-38538 -status: implemented -tag: auditd ---- - -The audit rules from V-38534 already cover all account modifications. diff --git a/doc/metadata/rhel6/V-38539.rst b/doc/metadata/rhel6/V-38539.rst deleted file mode 100644 index 3e5ac159..00000000 --- a/doc/metadata/rhel6/V-38539.rst +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -id: V-38539 -status: implemented -tag: kernel ---- - -The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods. - -Note that high-traffic environments may require TCP SYN cookies to be disabled. -Certain load balancers may forward requests in such a way that web servers may -think they're being SYN flooded during peak traffic events. Putting well- -configured hardware network devices in front of OpenStack environments is -always recommended and this may allow some deployers to turn off SYN cookies -within their environment. - -Deployers can disable TCP SYN cookies by setting an Ansible variable: - -.. code-block:: yaml - - security_sysctl_enable_tcp_syncookies: no - -Most operating systems, such as Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 have -TCP syncookies enabled by default upon installation. For more information on -TCP SYN cookies and TCP SYN floods, refer to these links: - -* `Wikipedia: SYN flood `_ -* `Wikipedia: SYN cookies `_ diff --git a/doc/metadata/rhel6/V-38540.rst b/doc/metadata/rhel6/V-38540.rst deleted file mode 100644 index 0c7b64a9..00000000 --- a/doc/metadata/rhel6/V-38540.rst +++ /dev/null @@ -1,7 +0,0 @@ ---- -id: V-38540 -status: implemented -tag: auditd ---- - -Rules are added that allows auditd to track network configuration changes. diff --git a/doc/metadata/rhel6/V-38541.rst b/doc/metadata/rhel6/V-38541.rst deleted file mode 100644 index b511fd0d..00000000 --- a/doc/metadata/rhel6/V-38541.rst +++ /dev/null @@ -1,17 +0,0 @@ ---- -id: V-38541 -status: implemented -tag: auditd ---- - -For Ubuntu, rules are added to auditd that will log any changes made in the -``/etc/apparmor`` directory. - -For CentOS, rules are added to auditd that will log any changes made in the -``/etc/selinux`` directory. - -To opt-out of this change, set the following Ansible variable: - -.. code-block:: yaml - - security_audit_mac_changes: no 
diff --git a/doc/metadata/rhel6/V-38542.rst b/doc/metadata/rhel6/V-38542.rst deleted file mode 100644 index c9ec5fd2..00000000 --- a/doc/metadata/rhel6/V-38542.rst +++ /dev/null @@ -1,17 +0,0 @@ ---- -id: V-38542 -status: exception -tag: kernel ---- - -The STIG makes several requirements for IPv4 network restrictions, but these -restrictions can impact certain network interfaces and cause service -disruptions. Some security configurations make sense for certain types of -network interfaces, like bridges, but other restrictions cause the network -interface to stop passing valid traffic between hosts, containers, or virtual -machines. - -The default network scripts and LXC userspace tools already configure various -network devices to their most secure setting. Since some hosts will act as -routers, enabling security configurations that restrict network traffic can -cause service disruptions for OpenStack environments. diff --git a/doc/metadata/rhel6/V-38543.rst b/doc/metadata/rhel6/V-38543.rst deleted file mode 100644 index 3abd610e..00000000 --- a/doc/metadata/rhel6/V-38543.rst +++ /dev/null @@ -1,17 +0,0 @@ ---- -id: V-38543 -status: opt-in -tag: auditd ---- - -The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat`` -syscalls can cause high CPU and I/O load during OpenStack-Ansible deployments -and while updating packages with apt. By default, these rules are disabled. - -These audit rules can be enabled by setting any of the following variables: - -.. code-block:: yaml - - security_audit_DAC_chmod: yes - security_audit_DAC_fchmod: yes - security_audit_DAC_fchmodat: yes diff --git a/doc/metadata/rhel6/V-38544.rst b/doc/metadata/rhel6/V-38544.rst deleted file mode 100644 index aaad20b4..00000000 --- a/doc/metadata/rhel6/V-38544.rst +++ /dev/null 
@@ -1,17 +0,0 @@ ---- -id: V-38544 -status: exception -tag: kernel ---- - -The STIG makes several requirements for IPv4 network restrictions, but these -restrictions can impact certain network interfaces and cause service -disruptions. Some security configurations make sense for certain types of -network interfaces, like bridges, but other restrictions cause the network -interface to stop passing valid traffic between hosts, containers, or virtual -machines. - -The default network scripts and LXC userspace tools already configure various -network devices to their most secure setting. Since some hosts will act as -routers, enabling security configurations that restrict network traffic can -cause service disruptions for OpenStack environments. diff --git a/doc/metadata/rhel6/V-38545.rst b/doc/metadata/rhel6/V-38545.rst deleted file mode 100644 index d2135219..00000000 --- a/doc/metadata/rhel6/V-38545.rst +++ /dev/null @@ -1,16 +0,0 @@ ---- -id: V-38545 -status: opt-in -tag: auditd ---- - -The audit rules for permission changes made with ``chown`` are disabled by -default as they can generate an excessive amount of logs in a short period of -time, especially during a deployment. - -Deployers can enable auditing for ``chown`` usage by setting the following -Ansible variable: - -.. code-block:: yaml - - security_audit_DAC_chown: yes diff --git a/doc/metadata/rhel6/V-38546.rst b/doc/metadata/rhel6/V-38546.rst deleted file mode 100644 index 16114862..00000000 --- a/doc/metadata/rhel6/V-38546.rst +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -id: V-38546 -status: opt-in -tag: kernel ---- - -The STIG requires IPv6 to be disabled system-wide unless it is needed for the -system to operate. Deployers must consider how their network is configured -before disabling IPv6 entirely. - -To opt-in for this change, set the following Ansible variable to ``yes``: - -.. code-block:: yaml - - security_disable_ipv6: yes - -**NOTE:** This change will go into effect **immediately** on the system and -persist through reboots. diff --git a/doc/metadata/rhel6/V-38547.rst b/doc/metadata/rhel6/V-38547.rst deleted file mode 100644 index cbc9e923..00000000 --- a/doc/metadata/rhel6/V-38547.rst +++ /dev/null @@ -1,17 +0,0 @@ ---- -id: V-38547 -status: opt-in -tag: auditd ---- - -The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat`` -syscalls can cause high CPU and I/O load during OpenStack-Ansible deployments -and while updating packages with apt. By default, these rules are disabled. - -These audit rules can be enabled by setting any of the following variables: - -.. code-block:: yaml - - security_audit_DAC_chmod: yes - security_audit_DAC_fchmod: yes - security_audit_DAC_fchmodat: yes diff --git a/doc/metadata/rhel6/V-38548.rst b/doc/metadata/rhel6/V-38548.rst deleted file mode 100644 index 10df5483..00000000 --- a/doc/metadata/rhel6/V-38548.rst +++ /dev/null @@ -1,19 +0,0 @@ ---- -id: V-38548 -status: opt-in -tag: kernel ---- - -Accepting ICMP redirects has few legitimate uses. It should be disabled unless -it is absolutely required. - -It is configurable by ``security_disable_icmpv6_redirects`` variable. This -feature is disabled by default. Disabling IPv6 redirects can cause issues with -OpenStack environments which have IPv6 enabled and are routing IPv6 traffic. - -Deployers can opt-in to this change and disable ICMPv6 redirects by setting -the following Ansible variable: - -.. code-block:: yaml - - security_disable_icmpv6_redirects: yes 
diff --git a/doc/metadata/rhel6/V-38549.rst b/doc/metadata/rhel6/V-38549.rst deleted file mode 100644 index 5ab1a3f3..00000000 --- a/doc/metadata/rhel6/V-38549.rst +++ /dev/null @@ -1,10 +0,0 @@ ---- -id: V-38549 -status: exception - manual intervention -tag: network ---- - -Adding IPv6 firewalling on OpenStack hosts is left up to the deployer to -configure. Deployers are urged to use proper network segmentation between -their OpenStack infrastructure and virtual machines, which will mitigate -many of the most critical threats. diff --git a/doc/metadata/rhel6/V-38550.rst b/doc/metadata/rhel6/V-38550.rst deleted file mode 100644 index 1dedbedb..00000000 --- a/doc/metadata/rhel6/V-38550.rst +++ /dev/null @@ -1,17 +0,0 @@ ---- -id: V-38550 -status: opt-in -tag: auditd ---- - -The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat`` -syscalls can cause high CPU and I/O load during OpenStack-Ansible deployments -and while updating packages with apt. By default, these rules are disabled. - -These audit rules can be enabled by setting any of the following variables: - -.. code-block:: yaml - - security_audit_DAC_chmod: yes - security_audit_DAC_fchmod: yes - security_audit_DAC_fchmodat: yes diff --git a/doc/metadata/rhel6/V-38551.rst b/doc/metadata/rhel6/V-38551.rst deleted file mode 100644 index 5f879a9c..00000000 --- a/doc/metadata/rhel6/V-38551.rst +++ /dev/null 
@@ -1,22 +0,0 @@ ---- -id: V-38551 -status: exception - manual intervention -tag: network ---- - -Filtering IPv6 traffic is left up to the deployer to implement. The -openstack-ansible roles don't configure IPv6 (at this time) and adding -persistent ip6tables rules could harm a running system. - -However, deployers are strongly recommended to implement IPv6 filtering at the -edges of the network via network devices. In addition, deployers should be -aware that link-local IPv6 addresses are configured automatcally by the system -and those addresses could open up new network paths for future attacks. - -For example, if IPv4 access was tightly controlled and segmented, hosts and/or -containers could possibly communicate across these boundaries using IPv6 -link-local addresses. For more detailed information on this security topic, -review Cisco's documentation titled `IPv6 Security Brief`_ that is available -on their website. - -.. _IPv6 Security Brief: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-678658.html diff --git a/doc/metadata/rhel6/V-38552.rst b/doc/metadata/rhel6/V-38552.rst deleted file mode 100644 index 7da11a1b..00000000 --- a/doc/metadata/rhel6/V-38552.rst +++ /dev/null @@ -1,16 +0,0 @@ ---- -id: V-38552 -status: opt-in -tag: auditd ---- - -The audit rules for permission changes made with ``fchown`` are disabled by -default as they can generate an excessive amount of logs in a short period of -time, especially during a deployment. - -Deployers can enable auditing for ``fchown`` usage by setting the following -Ansible variable: - -.. code-block:: yaml - - security_audit_DAC_fchown: yes diff --git a/doc/metadata/rhel6/V-38553.rst b/doc/metadata/rhel6/V-38553.rst deleted file mode 100644 index c6d222ad..00000000 --- a/doc/metadata/rhel6/V-38553.rst +++ /dev/null 
@@ -1,10 +0,0 @@ ---- -id: V-38553 -status: exception - manual intervention -tag: network ---- - -Adding IPv6 firewalling on OpenStack hosts is left up to the deployer to -configure. Deployers are urged to use proper network segmentation between -their OpenStack infrastructure and virtual machines, which will mitigate -many of the most critical threats. diff --git a/doc/metadata/rhel6/V-38554.rst b/doc/metadata/rhel6/V-38554.rst deleted file mode 100644 index f70173dc..00000000 --- a/doc/metadata/rhel6/V-38554.rst +++ /dev/null @@ -1,16 +0,0 @@ ---- -id: V-38554 -status: opt-in -tag: auditd ---- - -The audit rules for permission changes made with ``fchownat`` are disabled by -default as they can generate an excessive amount of logs in a short period of -time, especially during a deployment. - -Deployers can enable auditing for ``fchownat`` usage by setting the following -Ansible variable: - -.. code-block:: yaml - - security_audit_DAC_fchownat: yes diff --git a/doc/metadata/rhel6/V-38555.rst b/doc/metadata/rhel6/V-38555.rst deleted file mode 100644 index 23a9fe92..00000000 --- a/doc/metadata/rhel6/V-38555.rst +++ /dev/null @@ -1,10 +0,0 @@ ---- -id: V-38555 -status: exception - manual intervention -tag: network ---- - -Adding IPv4 firewalling on OpenStack hosts is left up to the deployer to -configure. Deployers are urged to use proper network segmentation between -their OpenStack infrastructure and virtual machines, which will mitigate -many of the most critical threats. diff --git a/doc/metadata/rhel6/V-38556.rst b/doc/metadata/rhel6/V-38556.rst deleted file mode 100644 index e245864f..00000000 --- a/doc/metadata/rhel6/V-38556.rst +++ /dev/null 
@@ -1,16 +0,0 @@ ---- -id: V-38556 -status: opt-in -tag: auditd ---- - -The audit rules for permission changes made with ``fremovexattr`` are disabled -by default as they can generate an excessive amount of logs in a short period -of time, especially during a deployment. - -Deployers can enable auditing for ``fremovexattr`` usage by setting the -following Ansible variable: - -.. code-block:: yaml - - security_audit_DAC_fremovexattr: yes diff --git a/doc/metadata/rhel6/V-38557.rst b/doc/metadata/rhel6/V-38557.rst deleted file mode 100644 index a770df81..00000000 --- a/doc/metadata/rhel6/V-38557.rst +++ /dev/null @@ -1,16 +0,0 @@ ---- -id: V-38557 -status: opt-in -tag: auditd ---- - -The audit rules for permission changes made with ``fsetxattr`` are disabled by -default as they can generate an excessive amount of logs in a short period of -time, especially during a deployment. - -Deployers can enable auditing for ``fsetxattr`` usage by setting the following -Ansible variable: - -.. code-block:: yaml - - security_audit_DAC_fsetxattr: yes diff --git a/doc/metadata/rhel6/V-38558.rst b/doc/metadata/rhel6/V-38558.rst deleted file mode 100644 index bc42996d..00000000 --- a/doc/metadata/rhel6/V-38558.rst +++ /dev/null @@ -1,16 +0,0 @@ ---- -id: V-38558 -status: opt-in -tag: auditd ---- - -The audit rules for permission changes made with ``lchown`` are disabled by -default as they can generate an excessive amount of logs in a short period of -time, especially during a deployment. - -Deployers can enable auditing for ``lchown`` usage by setting the following -Ansible variable: - -.. code-block:: yaml - - security_audit_DAC_lchown: yes diff --git a/doc/metadata/rhel6/V-38559.rst b/doc/metadata/rhel6/V-38559.rst deleted file mode 100644 index 77006cc8..00000000 --- a/doc/metadata/rhel6/V-38559.rst +++ /dev/null 
@@ -1,16 +0,0 @@ ---- -id: V-38559 -status: opt-in -tag: auditd ---- - -The audit rules for permission changes made with ``lremovexattr`` are disabled -by default as they can generate an excessive amount of logs in a short period -of time, especially during a deployment. - -Deployers can enable auditing for ``lremovexattr`` usage by setting the -following Ansible variable: - -.. code-block:: yaml - - security_audit_DAC_lremovexattr: yes diff --git a/doc/metadata/rhel6/V-38560.rst b/doc/metadata/rhel6/V-38560.rst deleted file mode 100644 index f30d30ac..00000000 --- a/doc/metadata/rhel6/V-38560.rst +++ /dev/null @@ -1,10 +0,0 @@ ---- -id: V-38560 -status: exception - manual intervention -tag: network ---- - -Adding IPv4 firewalling on OpenStack hosts is left up to the deployer to -configure. Deployers are urged to use proper network segmentation between -their OpenStack infrastructure and virtual machines, which will mitigate -many of the most critical threats. diff --git a/doc/metadata/rhel6/V-38561.rst b/doc/metadata/rhel6/V-38561.rst deleted file mode 100644 index 83dc479a..00000000 --- a/doc/metadata/rhel6/V-38561.rst +++ /dev/null @@ -1,16 +0,0 @@ ---- -id: V-38561 -status: opt-in -tag: auditd ---- - -The audit rules for permission changes made with ``lxsetxattr`` are disabled by -default as they can generate an excessive amount of logs in a short period of -time, especially during a deployment. - -Deployers can enable auditing for ``lsetxattr`` usage by setting the following -Ansible variable: - -.. code-block:: yaml - - security_audit_DAC_lsetxattr: yes diff --git a/doc/metadata/rhel6/V-38563.rst b/doc/metadata/rhel6/V-38563.rst deleted file mode 100644 index 16443b4f..00000000 --- a/doc/metadata/rhel6/V-38563.rst +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -id: V-38563 -status: implemented -tag: auditd ---- - -Audit rules are added in a task so that any events associated with the -discretionary access controls (DAC) permission modifications are logged. -The new audit rule will be loaded immediately with ``augenrules --load``. diff --git a/doc/metadata/rhel6/V-38565.rst b/doc/metadata/rhel6/V-38565.rst deleted file mode 100644 index cec0d930..00000000 --- a/doc/metadata/rhel6/V-38565.rst +++ /dev/null @@ -1,16 +0,0 @@ ---- -id: V-38565 -status: opt-in -tag: auditd ---- - -The audit rules for permission changes made with ``setxattr`` are disabled by -default as they can generate an excessive amount of logs in a short period of -time, especially during a deployment. - -Deployers can enable auditing for ``lsetxattr`` usage by setting the following -Ansible variable: - -.. code-block:: yaml - - security_audit_DAC_lsetxattr: yes diff --git a/doc/metadata/rhel6/V-38566.rst b/doc/metadata/rhel6/V-38566.rst deleted file mode 100644 index f6eafdc7..00000000 --- a/doc/metadata/rhel6/V-38566.rst +++ /dev/null @@ -1,16 +0,0 @@ ---- -id: V-38566 -status: opt-in -tag: auditd ---- - -The audit rules for logging failed access attempts can generate significant -amounts of log traffic in some environments. These rules are disabled by -default. - -To opt-in for this change and enable audit logging for these events, adjust -the following Ansible variable: - -.. code-block:: yaml - - security_auditd_failed_access: yes diff --git a/doc/metadata/rhel6/V-38567.rst b/doc/metadata/rhel6/V-38567.rst deleted file mode 100644 index a46e73e3..00000000 --- a/doc/metadata/rhel6/V-38567.rst +++ /dev/null 
@@ -1,10 +0,0 @@ ---- -id: V-38567 -status: exception -tag: file_perms ---- - -Keeping the list of setuid/setgid applications up to date and adding the paths -to those files within the ``audit.rules`` file is challenging. Deployers are -urged to use setuid/setgid sparingly and carefully monitor all applications -with those permissions set. diff --git a/doc/metadata/rhel6/V-38568.rst b/doc/metadata/rhel6/V-38568.rst deleted file mode 100644 index 20c4035c..00000000 --- a/doc/metadata/rhel6/V-38568.rst +++ /dev/null @@ -1,7 +0,0 @@ ---- -id: V-38568 -status: implemented -tag: auditd ---- - -Rules are added for auditd to log successful filesystem mounts. diff --git a/doc/metadata/rhel6/V-38569.rst b/doc/metadata/rhel6/V-38569.rst deleted file mode 100644 index 47163ed1..00000000 --- a/doc/metadata/rhel6/V-38569.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-38569 -status: exception -tag: auth ---- - -Password complexity requirements are left up to the deployer. Deployers are -urged to rely on SSH keys as often as possible to avoid problems with -passwords. - -Review the pam_cracklib documentation by running ``man pam_cracklib`` or -read the `detailed documentation from Hal Pomeranz`_. - -.. _detailed documentation from Hal Pomeranz: http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html diff --git a/doc/metadata/rhel6/V-38570.rst b/doc/metadata/rhel6/V-38570.rst deleted file mode 100644 index b25f7202..00000000 --- a/doc/metadata/rhel6/V-38570.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-38570 -status: exception -tag: auth ---- - -Password complexity requirements are left up to the deployer. Deployers are -urged to rely on SSH keys as often as possible to avoid problems with -passwords. - -Review the pam_cracklib documentation by running ``man pam_cracklib`` or -read the `detailed documentation from Hal Pomeranz`_. - -.. _detailed documentation from Hal Pomeranz: http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html 
diff --git a/doc/metadata/rhel6/V-38571.rst b/doc/metadata/rhel6/V-38571.rst deleted file mode 100644 index 26729681..00000000 --- a/doc/metadata/rhel6/V-38571.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-38571 -status: exception -tag: auth ---- - -Password complexity requirements are left up to the deployer. Deployers are -urged to rely on SSH keys as often as possible to avoid problems with -passwords. - -Review the pam_cracklib documentation by running ``man pam_cracklib`` or -read the `detailed documentation from Hal Pomeranz`_. - -.. _detailed documentation from Hal Pomeranz: http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html diff --git a/doc/metadata/rhel6/V-38572.rst b/doc/metadata/rhel6/V-38572.rst deleted file mode 100644 index 0d2c9777..00000000 --- a/doc/metadata/rhel6/V-38572.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-38572 -status: exception -tag: auth ---- - -Password complexity requirements are left up to the deployer. Deployers are -urged to rely on SSH keys as often as possible to avoid problems with -passwords. - -Review the pam_cracklib documentation by running ``man pam_cracklib`` or -read the `detailed documentation from Hal Pomeranz`_. - -.. _detailed documentation from Hal Pomeranz: http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html diff --git a/doc/metadata/rhel6/V-38573.rst b/doc/metadata/rhel6/V-38573.rst deleted file mode 100644 index 82c80797..00000000 --- a/doc/metadata/rhel6/V-38573.rst +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -id: V-38573 -status: opt-in -tag: auth ---- - -Adjusting PAM configurations is very risky since it affects how all users -authenticate. In addition, ``pam_faillock.so`` isn't available in Ubuntu. - -Another option is to utilize ``pam_tally`` to deny logins after failed -attempts. Adjusting PAM configurations automatically can disrupt the operation -of production systems, so this is left up to the deployer to configure. -For more details on how to configure ``pam_tally``, refer to `this AskUbuntu -article about pam_tally`_. - -Another alternative is `fail2ban`_. Read the notes below for more tails on -this option. - -The Ansible tasks will install `fail2ban`_ and configure it to ban IP -addresses using the following logic - -* The IP has attempted three logins in the last 10 minutes and all have failed -* That IP will be banned for 15 minutes (via iptables rules) - -Deployers must opt-in for fail2ban to be installed and configured. To opt-in, -set the ``security_install_fail2ban`` Ansible variable to ``yes``. The time -period for bans can also be configured (in seconds) via tha -``security_fail2ban_bantime`` variable: - -.. code-block:: yaml - - security_install_fail2ban: yes - security_fail2ban_bantime: 900 - -**NOTE:** Fail2ban can only review authentication attempts for services that -listen on the network, such as ssh. It has no control over physical consoles. -Deployers are strongly urged to use stong physical security policies to -prevent unauthorized users from accessing server consoles. In addition, -deployers must secure out-of-band access methods, like IPMI, as they can be -vectors for physical console access as well. - -.. _this AskUbuntu article about pam_tally: http://askubuntu.com/questions/59459/how-do-i-enable-account-lockout-using-pam-tally -.. _fail2ban: https://en.wikipedia.org/wiki/Fail2ban diff --git a/doc/metadata/rhel6/V-38574.rst b/doc/metadata/rhel6/V-38574.rst deleted file mode 100644 index 9db6745d..00000000 
--- a/doc/metadata/rhel6/V-38574.rst +++ /dev/null @@ -1,21 +0,0 @@ ---- -id: V-38574 -status: implemented -tag: auth ---- - -The STIG requires SHA512 to be used for hashing password since it is -in the list of FIPS 140-2 approved hashing algorithms. This is also the -default in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7. - -The Ansible tasks will verify that the secure default is still set in the -system's PAM configuration. If it has been altered, the playbook will fail -and display an error. - -Further reading: - -* `FIPS 140-2 on Wikipedia`_ -* `FIPS 140-2 from NIST`_ - -.. _FIPS 140-2 on Wikipedia: https://en.wikipedia.org/wiki/FIPS_140-2 -.. _FIPS 140-2 from NIST: http://csrc.nist.gov/groups/STM/cmvp/standards.html diff --git a/doc/metadata/rhel6/V-38575.rst b/doc/metadata/rhel6/V-38575.rst deleted file mode 100644 index 5248c8c5..00000000 --- a/doc/metadata/rhel6/V-38575.rst +++ /dev/null @@ -1,17 +0,0 @@ ---- -id: V-38575 -status: opt-in -tag: auditd ---- - -The audit rules for monitoring deleted files can cause very high system load -during OpenStack-Ansible deployments and during package updates using apt. -It's recommended that deployers keep these rules disabled unless they're -explicitly required. - -These rules are disabled by default, but they can be enabled by setting the -following Ansible variable: - -.. code-block:: yaml - - security_audit_deletions: yes diff --git a/doc/metadata/rhel6/V-38576.rst b/doc/metadata/rhel6/V-38576.rst deleted file mode 100644 index a9f49bd9..00000000 --- a/doc/metadata/rhel6/V-38576.rst +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -id: V-38576 -status: implemented -tag: auth ---- - -The STIG requires SHA512 to be used for hashing password since it is -in the list of FIPS 140-2 approved hashing algorithms. This is also the -default in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7. - -The Ansible tasks will verify that the secure default is still set in -``/etc/login.defs``. If it has been altered, the playbook will fail -and display an error. - -Further reading: - -* `FIPS 140-2 on Wikipedia`_ -* `FIPS 140-2 from NIST`_ - -.. _FIPS 140-2 on Wikipedia: https://en.wikipedia.org/wiki/FIPS_140-2 -.. _FIPS 140-2 from NIST: http://csrc.nist.gov/groups/STM/cmvp/standards.html diff --git a/doc/metadata/rhel6/V-38577.rst b/doc/metadata/rhel6/V-38577.rst deleted file mode 100644 index 4d3f4b1b..00000000 --- a/doc/metadata/rhel6/V-38577.rst +++ /dev/null @@ -1,26 +0,0 @@ ---- -id: V-38577 -status: implemented -tag: auth ---- - -The STIG requires SHA512 to be used for hashing password since it is -in the list of FIPS 140-2 approved hashing algorithms. This is also the -default in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7. - -The ``libuser`` package isn't installed by default in Ubuntu or via -openstack-ansible. The Ansible tasks will do the following: - -* Check to see if libuser is installed -* If it's installed, it will check for the password hashing algorithm in - ``/etc/libuser.conf`` -* If libuser is installed **and** the password hashing algorithm isn't SHA512, - an error will be printed and the playbook will fail - -Further reading: - -* `FIPS 140-2 on Wikipedia`_ -* `FIPS 140-2 from NIST`_ - -.. _FIPS 140-2 on Wikipedia: https://en.wikipedia.org/wiki/FIPS_140-2 -.. _FIPS 140-2 from NIST: http://csrc.nist.gov/groups/STM/cmvp/standards.html diff --git a/doc/metadata/rhel6/V-38578.rst b/doc/metadata/rhel6/V-38578.rst deleted file mode 100644 index 217e5f42..00000000 --- a/doc/metadata/rhel6/V-38578.rst +++ /dev/null 
@@ -1,7 +0,0 @@ ---- -id: V-38578 -status: implemented -tag: auditd ---- - -Rules are added to audit changes to ``/etc/sudoers``. diff --git a/doc/metadata/rhel6/V-38579.rst b/doc/metadata/rhel6/V-38579.rst deleted file mode 100644 index 216eab49..00000000 --- a/doc/metadata/rhel6/V-38579.rst +++ /dev/null @@ -1,15 +0,0 @@ ---- -id: V-38579 -status: implemented -tag: boot ---- - -Ubuntu 14.04 sets the ownership on ``/boot/grub/grub.cfg`` to root by default. -The Ansible task will ensure that the secure default is maintained. - -In Ubuntu 16.04 and CentOS 7, the bootloader configuration files in -``/boot/grub2`` are owned by the root user by default. - -Deployers should monitor these files for changes in ownership, permissions and -contents. The ``aide`` daemon is installed by the security role to monitor -these files. diff --git a/doc/metadata/rhel6/V-38580.rst b/doc/metadata/rhel6/V-38580.rst deleted file mode 100644 index 787d52ba..00000000 --- a/doc/metadata/rhel6/V-38580.rst +++ /dev/null @@ -1,8 +0,0 @@ ---- -id: V-38580 -status: implemented -tag: auditd ---- - -Rules will be added to auditd so that any kernel module loading or unloading -events will be logged. diff --git a/doc/metadata/rhel6/V-38581.rst b/doc/metadata/rhel6/V-38581.rst deleted file mode 100644 index a6504651..00000000 --- a/doc/metadata/rhel6/V-38581.rst +++ /dev/null @@ -1,7 +0,0 @@ ---- -id: V-38581 -status: implemented -tag: file_perms ---- - -The group ownership for ``/boot/grub/grub.cfg`` will be set to `root`. diff --git a/doc/metadata/rhel6/V-38582.rst b/doc/metadata/rhel6/V-38582.rst deleted file mode 100644 index 71d8abdd..00000000 --- a/doc/metadata/rhel6/V-38582.rst +++ /dev/null 
@@ -1,15 +0,0 @@ ---- -id: V-38582 -status: implemented -tag: services ---- - -If the ``xinetd`` package is installed, it will be stopped immediately and -will not start on the next boot. No action is taken if xinetd isn't installed. - -To opt-out of this change, simply adjust the following configuration item to -``no``: - -.. code-block:: yaml - - security_disable_xinetd: no diff --git a/doc/metadata/rhel6/V-38583.rst b/doc/metadata/rhel6/V-38583.rst deleted file mode 100644 index f91bf30b..00000000 --- a/doc/metadata/rhel6/V-38583.rst +++ /dev/null @@ -1,13 +0,0 @@ ---- -id: V-38583 -status: exception -tag: boot ---- - -For Ubuntu 14.04, the permissions on ``/boot/grub/grub.cfg`` will be set to -``0644``. - -Ubuntu 16.04 and CentOS 7 use grub2. The configuration files in ``/boot/grub2`` -are regenerated when new kernels are installed or when the root user -regenerates the configuration file. File ownership and permissions are set -appropriately after each of these events. diff --git a/doc/metadata/rhel6/V-38584.rst b/doc/metadata/rhel6/V-38584.rst deleted file mode 100644 index c968faa9..00000000 --- a/doc/metadata/rhel6/V-38584.rst +++ /dev/null @@ -1,13 +0,0 @@ ---- -id: V-38584 -status: implemented -tag: services ---- - -The ``xinetd`` service will be removed by the Ansible tasks, if it is -installed. To opt-out of this change, adjust the following variable -to ``no``: - -.. code-block:: yaml - - security_remove_xinetd: no diff --git a/doc/metadata/rhel6/V-38585.rst b/doc/metadata/rhel6/V-38585.rst deleted file mode 100644 index 0d0dc020..00000000 --- a/doc/metadata/rhel6/V-38585.rst +++ /dev/null 
@@ -1,10 +0,0 @@ ---- -id: V-38585 -status: exception - manual intervention -tag: boot ---- - -Configuring a password for the bootloader is left up to the deployer to -configure. Each deployer should consider the potential damage to their -system should someone gain unauthorized physical access at the server -itself or via an out-of-band management solution (like IPMI, DRAC, or iLO). diff --git a/doc/metadata/rhel6/V-38586.rst b/doc/metadata/rhel6/V-38586.rst deleted file mode 100644 index 2a10ea60..00000000 --- a/doc/metadata/rhel6/V-38586.rst +++ /dev/null @@ -1,11 +0,0 @@ ---- -id: V-38586 -status: exception -tag: boot ---- - -As with V-38585, this is left to the deployer to configure based on their -exposure to physical threats. If there is a concern around a user gaining -unauthorized physical access and/or gaining access through an out-of-band -access mechanism, deployers are strongly urged to consider applying this -security configuration. diff --git a/doc/metadata/rhel6/V-38587.rst b/doc/metadata/rhel6/V-38587.rst deleted file mode 100644 index a7885c4c..00000000 --- a/doc/metadata/rhel6/V-38587.rst +++ /dev/null @@ -1,13 +0,0 @@ ---- -id: V-38587 -status: implemented -tag: services ---- - -The ``telnetd`` service will be removed by the Ansible tasks, if it is -installed. To opt-out of this change, adjust the following variable -to ``no``: - -.. code-block:: yaml - - security_remove_telnet_server: no diff --git a/doc/metadata/rhel6/V-38588.rst b/doc/metadata/rhel6/V-38588.rst deleted file mode 100644 index 9c448178..00000000 --- a/doc/metadata/rhel6/V-38588.rst +++ /dev/null @@ -1,9 +0,0 @@ ---- -id: V-38588 -status: exception -tag: boot ---- - -As with V-38585, this configuration is left up to the deployer to determine -their risk of attacks via physical access or out-of-band access to a server -console. diff --git a/doc/metadata/rhel6/V-38589.rst b/doc/metadata/rhel6/V-38589.rst deleted file mode 100644 index 07246fef..00000000 
--- a/doc/metadata/rhel6/V-38589.rst +++ /dev/null @@ -1,10 +0,0 @@ ---- -id: V-38589 -status: implemented -tag: services ---- - -Running a telnet daemon isn't recommended under most situations, so the telnet -server package will be removed from the system if it is installed. The telnet -server is removed by the Ansible tasks for V-38587, so no action is required -here. diff --git a/doc/metadata/rhel6/V-38590.rst b/doc/metadata/rhel6/V-38590.rst deleted file mode 100644 index 7ddbf1fa..00000000 --- a/doc/metadata/rhel6/V-38590.rst +++ /dev/null @@ -1,12 +0,0 @@ ---- -id: V-38590 -status: exception -tag: console ---- - -While providing text screen locking does add additional security, deployers -are strongly urged to limit physical access and out-of-band access to -servers where someone else might be able to join a user's session when -they step away. In addition, if a user is logging in remotely via ssh, -they should lock their entire workstation to prevent unauthorized access -to their system as well as the systems they are actively accessing. diff --git a/doc/metadata/rhel6/V-38591.rst b/doc/metadata/rhel6/V-38591.rst deleted file mode 100644 index 6449580b..00000000 --- a/doc/metadata/rhel6/V-38591.rst +++ /dev/null @@ -1,13 +0,0 @@ ---- -id: V-38591 -status: implemented -tag: services ---- - -The ``rshd`` service will be removed by the Ansible tasks, if it is -installed. To opt-out of this change, adjust the following variable -to ``no``: - -.. code-block:: yaml - - security_remove_rsh_server: no diff --git a/doc/metadata/rhel6/V-38592.rst b/doc/metadata/rhel6/V-38592.rst deleted file mode 100644 index 1c607280..00000000 --- a/doc/metadata/rhel6/V-38592.rst +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -id: V-38592 -status: exception - manual intervention -tag: auth ---- - -Adjusting PAM configurations on a running system carries a fair amount of risk, -and deployers are urged to rely upon ssh keys or centralized authentication -for user authentication. - -Centralized authentication systems provide a benefit of locking a user's -account in all systems they have access to, rather than locking access to only -one system. diff --git a/doc/metadata/rhel6/V-38593.rst b/doc/metadata/rhel6/V-38593.rst deleted file mode 100644 index 76d9f30c..00000000 --- a/doc/metadata/rhel6/V-38593.rst +++ /dev/null @@ -1,8 +0,0 @@ ---- -id: V-38593 -status: implemented -tag: console ---- - -A default warning banner will replace the contents of ``/etc/issue.net``. To -configure the banner, simply edit ``files/login_banner.txt``. diff --git a/doc/metadata/rhel6/V-38594.rst b/doc/metadata/rhel6/V-38594.rst deleted file mode 100644 index 3bf7d906..00000000 --- a/doc/metadata/rhel6/V-38594.rst +++ /dev/null @@ -1,9 +0,0 @@ ---- -id: V-38594 -status: implemented -tag: services ---- - -Running a rsh daemon isn't recommended under most situations, so the rsh server -package will be removed from the system if it is installed. The rsh server is -removed by the Ansible tasks for V-38591, so no action is required here. diff --git a/doc/metadata/rhel6/V-38595.rst b/doc/metadata/rhel6/V-38595.rst deleted file mode 100644 index cd2c18f1..00000000 --- a/doc/metadata/rhel6/V-38595.rst +++ /dev/null @@ -1,8 +0,0 @@ ---- -id: V-38595 -status: exception - manual intervention -tag: auth ---- - -Use of additional factors for authentication is left up to the deployer, but -it is strongly recommended. diff --git a/doc/metadata/rhel6/V-38596.rst b/doc/metadata/rhel6/V-38596.rst deleted file mode 100644 index 527e6476..00000000 --- a/doc/metadata/rhel6/V-38596.rst +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -id: V-38596 -status: implemented -tag: kernel ---- - -The Ansible tasks will set ``kernel.randomize_va_space`` to ``2`` immediately -and will also ensure that the setting is applied on the next boot. This setting -is currently the default in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7. diff --git a/doc/metadata/rhel6/V-38597.rst b/doc/metadata/rhel6/V-38597.rst deleted file mode 100644 index 896c0ffd..00000000 --- a/doc/metadata/rhel6/V-38597.rst +++ /dev/null @@ -1,13 +0,0 @@ ---- -id: V-38597 -status: implemented -tag: kernel ---- - -Non-Executable Memory (NX) is the successor to ExecShield, and it is enabled by -default on Ubuntu 14.04, Ubuntu 16.04, and CentOS 7. - -For more information, refer to `Ubuntu's security feature documentation on -NX`_. - -.. _Ubuntu's security feature documentation on NX: https://wiki.ubuntu.com/Security/Features#nx diff --git a/doc/metadata/rhel6/V-38598.rst b/doc/metadata/rhel6/V-38598.rst deleted file mode 100644 index 7db843c9..00000000 --- a/doc/metadata/rhel6/V-38598.rst +++ /dev/null @@ -1,12 +0,0 @@ ---- -id: V-38598 -status: implemented -tag: services ---- - -On Ubuntu, the ``rexecd`` daemon is part of the package that contains the -``rsh`` daemon. CentOS 7 doesn't provide the ``rexecd`` daemon in any packages. - -Running a rsh daemon isn't recommended under most situations, so the rsh server -package will be removed from the system if it is installed. The rsh server is -removed by the Ansible tasks for V-38591, so no action is required here. diff --git a/doc/metadata/rhel6/V-38599.rst b/doc/metadata/rhel6/V-38599.rst deleted file mode 100644 index d7fb24ae..00000000 --- a/doc/metadata/rhel6/V-38599.rst +++ /dev/null 
@@ -1,9 +0,0 @@
----
-id: V-38599
-status: implemented
-tag: services
----
-
-If the ``vsftpd`` package is installed, a login banner will be applied so that
-users will see if after logging in. This package isn't installed by default
-in Ubuntu 14.04 and it isn't installed by openstack-ansible either.
diff --git a/doc/metadata/rhel6/V-38600.rst b/doc/metadata/rhel6/V-38600.rst
deleted file mode 100644
index 0c625931..00000000
--- a/doc/metadata/rhel6/V-38600.rst
+++ /dev/null
@@ -1,10 +0,0 @@
----
-id: V-38600
-status: implemented
-tag: kernel
----
-
-The Ansible tasks will disable the sending of ICMPv4 redirects by setting
-the sysctl variable ``net.ipv4.conf.default.send_redirects`` to ``0``. However,
-bridging still requires redirects to be enabled, so those interfaces won't
-be affected by this change.
diff --git a/doc/metadata/rhel6/V-38601.rst b/doc/metadata/rhel6/V-38601.rst
deleted file mode 100644
index 3634d662..00000000
--- a/doc/metadata/rhel6/V-38601.rst
+++ /dev/null
@@ -1,8 +0,0 @@
----
-id: V-38601
-status: implemented
-tag: kernel
----
-
-The Ansible tasks will set ``net.ipv4.conf.all.send_redirects`` to ``0`` so
-that hosts will stop sending ICMPv4 redirects on all interfaces.
diff --git a/doc/metadata/rhel6/V-38602.rst b/doc/metadata/rhel6/V-38602.rst
deleted file mode 100644
index c284b23d..00000000
--- a/doc/metadata/rhel6/V-38602.rst
+++ /dev/null
@@ -1,13 +0,0 @@
----
-id: V-38602
-status: implemented
-tag: services
----
-
-In Ubuntu, the ``rlogind`` daemon is part of the package that contains the
-``rsh`` daemon. CentOS 7 does not provide the ``rlogind`` daemon in any
-packages.
-
-Running a rsh daemon isn't recommended under most situations, so the rsh server
-package will be removed from the system if it is installed. The rsh server is
-removed by the Ansible tasks for V-38591, so no action is required here.
diff --git a/doc/metadata/rhel6/V-38603.rst b/doc/metadata/rhel6/V-38603.rst
deleted file mode 100644
index c1ae31b9..00000000
--- a/doc/metadata/rhel6/V-38603.rst
+++ /dev/null
@@ -1,18 +0,0 @@
----
-id: V-38603
-status: implemented
-tag: services
----
-
-This packages is named differently depending on the Linux distribution:
-
-* Ubuntu 14.04: ``nis``
-* Ubuntu 16.04: ``nis``
-* CentOS 7: ``ypserv``
-
-The Ansible tasks will remove the appropriate package if it is installed. To
-opt-out of this change, adjust the following configuration variable to ``no``:
-
-.. code-block:: yaml
-
- security_remove_ypserv: no
diff --git a/doc/metadata/rhel6/V-38604.rst b/doc/metadata/rhel6/V-38604.rst
deleted file mode 100644
index fcb4aa24..00000000
--- a/doc/metadata/rhel6/V-38604.rst
+++ /dev/null
@@ -1,7 +0,0 @@
----
-id: V-38604
-status: implemented
-tag: services
----
-
-The ``ypbind`` service is removed entirely as part of V-38603.
diff --git a/doc/metadata/rhel6/V-38605.rst b/doc/metadata/rhel6/V-38605.rst
deleted file mode 100644
index 78ad7de2..00000000
--- a/doc/metadata/rhel6/V-38605.rst
+++ /dev/null
@@ -1,10 +0,0 @@
----
-id: V-38605
-status: implemented
-tag: services
----
-
-The ``cron`` service is running by default in Ubuntu 14.04, Ubuntu 16.04, and
-CentOS 7. It is required for various OpenStack services to function properly.
-The Ansible tasks in this role will ensure that ``cron`` is running and is
-configured to start at boot time.
diff --git a/doc/metadata/rhel6/V-38606.rst b/doc/metadata/rhel6/V-38606.rst
deleted file mode 100644
index 42e7a455..00000000
--- a/doc/metadata/rhel6/V-38606.rst
+++ /dev/null
@@ -1,20 +0,0 @@
----
-id: V-38606
-status: implemented
-tag: services
----
-
-The package containing the tftp daemon has different names depending on the
-Linux distribution:
-
-* Ubuntu 14.04: ``tftpd``
-* Ubuntu 16.04: ``tftpd``
-* CentOS 7: ``tftp-server``
-
-The Ansible tasks will select the appropriate package for the Linux
-distribution and remove the package. To opt-out, adjust the following
-configuration variable to ``no``:
-
-.. code-block:: yaml
-
- security_remove_tftp_server: no
diff --git a/doc/metadata/rhel6/V-38607.rst b/doc/metadata/rhel6/V-38607.rst
deleted file mode 100644
index 4486f709..00000000
--- a/doc/metadata/rhel6/V-38607.rst
+++ /dev/null
@@ -1,8 +0,0 @@
----
-id: V-38607
-status: implemented
-tag: sshd
----
-
-The tasks in ``sshd.yml`` will ensure that SSH requires all connections to use
-protocol version 2.
diff --git a/doc/metadata/rhel6/V-38608.rst b/doc/metadata/rhel6/V-38608.rst
deleted file mode 100644
index 7dc2b033..00000000
--- a/doc/metadata/rhel6/V-38608.rst
+++ /dev/null
@@ -1,15 +0,0 @@
----
-id: V-38608
-status: implemented
-tag: sshd
----
-
-The ``ClientAliveInterval`` in the ssh configuration will be set to 15 minutes
-as recommended by the STIG. However, this time is configurable by setting
-``security_ssh_client_alive_interval`` to another value, in seconds.
-
-To change to 10 minutes, adjust the configuration item to 600 seconds:
-
-.. code-block:: yaml
-
- security_ssh_client_alive_interval: 600
diff --git a/doc/metadata/rhel6/V-38609.rst b/doc/metadata/rhel6/V-38609.rst
deleted file mode 100644
index 7baf02dc..00000000
--- a/doc/metadata/rhel6/V-38609.rst
+++ /dev/null
@@ -1,7 +0,0 @@
----
-id: V-38609
-status: implemented
-tag: services
----
-
-The package containing the ``tftpd`` service is removed by V-38606.
diff --git a/doc/metadata/rhel6/V-38610.rst b/doc/metadata/rhel6/V-38610.rst
deleted file mode 100644
index 56b9dc50..00000000
--- a/doc/metadata/rhel6/V-38610.rst
+++ /dev/null
@@ -1,14 +0,0 @@
----
-id: V-38610
-status: implemented
-tag: sshd
----
-
-The STIG recommends setting ``ClientAliveCountMax`` to ensure that ssh
-connections will close after reaching the ``ClientAliveInterval`` one
-time. To change this setting, simply change this configuration option
-to something other than ``0``:
-
-.. code-block:: yaml
-
- security_ssh_client_alive_count_max: 0
diff --git a/doc/metadata/rhel6/V-38611.rst b/doc/metadata/rhel6/V-38611.rst
deleted file mode 100644
index 4a7e3ad4..00000000
--- a/doc/metadata/rhel6/V-38611.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-38611
-status: implemented
-tag: sshd
----
-
-Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 configure the ssh daemon so that rsh's
-``.rhosts`` files are ignored by default. The Ansible tasks will ensure that
-this setting has not changed from the default.
diff --git a/doc/metadata/rhel6/V-38612.rst b/doc/metadata/rhel6/V-38612.rst
deleted file mode 100644
index 397dddf0..00000000
--- a/doc/metadata/rhel6/V-38612.rst
+++ /dev/null
@@ -1,8 +0,0 @@
----
-id: V-38612
-status: implemented
-tag: sshd
----
-
-The Ansible tasks in the security role ensure that the ssh daemon does not
-allow host based authentication.
diff --git a/doc/metadata/rhel6/V-38613.rst b/doc/metadata/rhel6/V-38613.rst
deleted file mode 100644
index bd1c5284..00000000
--- a/doc/metadata/rhel6/V-38613.rst
+++ /dev/null
@@ -1,21 +0,0 @@
----
-id: V-38613
-status: opt-in
-tag: sshd
----
-
-Although the STIG recommends disabling root logins via ssh, the default in
-this role is to allow it. The openstack-ansible deployment uses the root
-user by default at this time, but that may change later and allow for this
-configuration to be set.
-
-To disallow root logins via ssh, simply adjust this configuration variable:
-
-.. code-block:: yaml
-
- security_ssh_permit_root_login: 'no'
-
-**NOTE:** The quotes around ``'no'`` or ``'yes'`` are very important. Ansible
-will treat ``no`` and ``yes`` as booleans by default and that will cause a
-``True`` to land in your sshd configuration file. This will causes errors
-during sshd's startup.
diff --git a/doc/metadata/rhel6/V-38614.rst b/doc/metadata/rhel6/V-38614.rst
deleted file mode 100644
index 8245b005..00000000
--- a/doc/metadata/rhel6/V-38614.rst
+++ /dev/null
@@ -1,7 +0,0 @@
----
-id: V-38614
-status: implemented
-tag: sshd
----
-
-The tasks in ``sshd.yml`` will ensure that SSH does not allow empty passwords.
diff --git a/doc/metadata/rhel6/V-38615.rst b/doc/metadata/rhel6/V-38615.rst
deleted file mode 100644
index 1900cac6..00000000
--- a/doc/metadata/rhel6/V-38615.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-38615
-status: implemented
-tag: sshd
----
-
-The ssh daemon will be configured so that a warning banner will be displayed
-after login. To configure the banner, edit the ``files/login_banner.txt``
-file.
diff --git a/doc/metadata/rhel6/V-38616.rst b/doc/metadata/rhel6/V-38616.rst
deleted file mode 100644
index 4ae1ae14..00000000
--- a/doc/metadata/rhel6/V-38616.rst
+++ /dev/null
@@ -1,8 +0,0 @@
----
-id: V-38616
-status: implemented
-tag: sshd
----
-
-The ssh daemon will be configured to disallow user environment settings that
-may allow users to bypass access restrictions in some cases.
diff --git a/doc/metadata/rhel6/V-38617.rst b/doc/metadata/rhel6/V-38617.rst
deleted file mode 100644
index 7a87b7e8..00000000
--- a/doc/metadata/rhel6/V-38617.rst
+++ /dev/null
@@ -1,8 +0,0 @@
----
-id: V-38617
-status: implemented
-tag: sshd
----
-
-The ssh daemon will be configured to use the approved list of ciphers as
-recommended by the STIG.
diff --git a/doc/metadata/rhel6/V-38618.rst b/doc/metadata/rhel6/V-38618.rst
deleted file mode 100644
index ff079f13..00000000
--- a/doc/metadata/rhel6/V-38618.rst
+++ /dev/null
@@ -1,7 +0,0 @@
----
-id: V-38618
-status: implemented
-tag: services
----
-
-The avahi daemon will be disabled if the package is installed.
diff --git a/doc/metadata/rhel6/V-38619.rst b/doc/metadata/rhel6/V-38619.rst
deleted file mode 100644
index 4b27f4a9..00000000
--- a/doc/metadata/rhel6/V-38619.rst
+++ /dev/null
@@ -1,8 +0,0 @@
----
-id: V-38619
-status: implemented
-tag: misc
----
-
-The Ansible tasks will check for ``.netrc`` files in ``/root`` and
-``/home`` on the system and print a failure warning if any are found.
diff --git a/doc/metadata/rhel6/V-38620.rst b/doc/metadata/rhel6/V-38620.rst
deleted file mode 100644
index 0014c766..00000000
--- a/doc/metadata/rhel6/V-38620.rst
+++ /dev/null
@@ -1,34 +0,0 @@
----
-id: V-38620
-status: implemented
-tag: misc
----
-
-The ``chrony`` service is installed to manage clock synchronization for hosts
-and to serve as an NTP server for NTP clients. Chrony was chosen over ntpd
-because it's actively maintained and has some enhancements for virtualized
-environments.
-
-Deployers can opt out of the ``chrony`` installation by setting the following
-Ansible variable:
-
-.. code-block:: yaml
-
- security_enable_chrony: no
-
-There are two configurations available for users to adjust chrony's default
-configuration:
-
-The ``security_ntp_servers`` variable is a list of NTP servers that
-chrony should use to synchronize time. They are set to North American NTP
-servers by default.
-
-The ``security_allowed_ntp_subnets`` variable is a list of subnets (in CIDR
-notation) that are allowed to reach your servers running chrony. A sane
-default is chosen (all RFC1918 networks are allowed), but this can be easily
-adjusted.
-
-For more information on chrony, review the `chrony documentation`_ at the
-upstream site, or run `man chrony` on a host with chrony installed.
-
-.. _chrony documentation: http://chrony.tuxfamily.org/faq.html
diff --git a/doc/metadata/rhel6/V-38621.rst b/doc/metadata/rhel6/V-38621.rst
deleted file mode 100644
index 0dd69d4e..00000000
--- a/doc/metadata/rhel6/V-38621.rst
+++ /dev/null
@@ -1,12 +0,0 @@
----
-id: V-38621
-status: implemented
-tag: misc
----
-
-**Fixed by another STIG**
-
-The Ansible tasks for V-38620 will configure the ``chrony`` daemon and allow
-deployers to specify their NTP servers. Deployers that are subject to US DoD
-requirements will need to use DoD-approved time servers. Refer to the STIG in
-the STIG viewer using the link above this "Developer Notes" section.
diff --git a/doc/metadata/rhel6/V-38622.rst b/doc/metadata/rhel6/V-38622.rst
deleted file mode 100644
index b10105c2..00000000
--- a/doc/metadata/rhel6/V-38622.rst
+++ /dev/null
@@ -1,25 +0,0 @@
----
-id: V-38622
-status: implemented
-tag: mail
----
-
-The STIG requires that postfix only listens on the localhost so that it isn't
-abused as a mail relay. The Ansible task will adjust the ``inet_interfaces``
-line in the Postfix configuration and restart postfix if the line is changed.
-
-Although it's not common, some deployers may need to configure hosts so they
-can receive email over the network. In that case, deployers would need to set
-the following Ansible variable:
-
-.. code-block:: yaml
-
- security_postfix_inet_interfaces: all
-
-Note that postfix can have ``inet_interfaces`` set to ``localhost`` and it can
-still send email on the network. The ``inet_interfaces`` directive only
-controls where postfix **listens** for incoming email.
-
-For more information, review the postfix documentation for `inet_interfaces`_.
-
-.. _inet_interfaces: http://www.postfix.org/postconf.5.html#inet_interfaces
diff --git a/doc/metadata/rhel6/V-38623.rst b/doc/metadata/rhel6/V-38623.rst
deleted file mode 100644
index 0cac5a10..00000000
--- a/doc/metadata/rhel6/V-38623.rst
+++ /dev/null
@@ -1,14 +0,0 @@
----
-id: V-38623
-status: implemented
-tag: file_perms
----
-
-The mode on rsyslog files is set to ``0640`` by default in Ubuntu 14.04 and
-Ubuntu 16.04 by default. CentOS 7 sets the mode to ``0600`` by default. The
-Ansible tasks will adjust the rsyslog configuration so that any new log files
-will have the mode set to ``0600``.
-
-This will take effect the next time that log files are rotated with
-``logrotate`` (configured in V-38624). Deployers can also make this change
-manually with ``chmod``.
diff --git a/doc/metadata/rhel6/V-38624.rst b/doc/metadata/rhel6/V-38624.rst
deleted file mode 100644
index d03289e5..00000000
--- a/doc/metadata/rhel6/V-38624.rst
+++ /dev/null
@@ -1,11 +0,0 @@
----
-id: V-38624
-status: implemented
-tag: misc
----
-
-The STIG requires that system logs are rotated daily, but the check only
-involves verifying that logrotate is installed and activated by cron. The
-openstack-ansible project already configures weekly log rotation with
-compression. For high-traffic logging environments, changing the frequency
-to weekly in ``/etc/logrotate.conf`` may help.
diff --git a/doc/metadata/rhel6/V-38625.rst b/doc/metadata/rhel6/V-38625.rst
deleted file mode 100644
index ed304a9c..00000000
--- a/doc/metadata/rhel6/V-38625.rst
+++ /dev/null
@@ -1,13 +0,0 @@
----
-id: V-38625
-status: exception - manual intervention
-tag: auth
----
-
-Deployers that use LDAP authentication for systems are strongly urged to use
-TLS connectivity between client hosts and LDAP servers to prevent eavesdroppers
-on the network from reading the authentication attempts as they are made. The
-certificates on the LDAP server must be trusted by each client.
-
-The tasks in the security role do not adjust the LDAP configuration since this
-could disrupt future authentication attempts.
diff --git a/doc/metadata/rhel6/V-38626.rst b/doc/metadata/rhel6/V-38626.rst
deleted file mode 100644
index d1dda851..00000000
--- a/doc/metadata/rhel6/V-38626.rst
+++ /dev/null
@@ -1,13 +0,0 @@
----
-id: V-38626
-status: exception - manual intervention
-tag: auth
----
-
-Deployers that use LDAP authentication for systems are strongly urged to use
-TLS connectivity between client hosts and LDAP servers to prevent eavesdroppers
-on the network from reading the authentication attempts as they are made. The
-certificates on the LDAP server must be trusted by each client.
-
-The tasks in the security role do not adjust the LDAP configuration since this
-could disrupt future authentication attempts.
diff --git a/doc/metadata/rhel6/V-38627.rst b/doc/metadata/rhel6/V-38627.rst
deleted file mode 100644
index d433da61..00000000
--- a/doc/metadata/rhel6/V-38627.rst
+++ /dev/null
@@ -1,14 +0,0 @@
----
-id: V-38627
-status: implemented
-tag: services
----
-
-The STIG requires that any LDAP server packages on the system are removed.
-The Ansible role will remove ``slapd`` from the server if it is present.
-
-To opt-out of this change, set the following Ansible variable to ``no``:
-
-.. code-block:: yaml
-
- security_remove_ldap_server: no
diff --git a/doc/metadata/rhel6/V-38628.rst b/doc/metadata/rhel6/V-38628.rst
deleted file mode 100644
index bd14c863..00000000
--- a/doc/metadata/rhel6/V-38628.rst
+++ /dev/null
@@ -1,7 +0,0 @@
----
-id: V-38628
-status: implemented
-tag: auditd
----
-
-This STIG requirement overlaps with V-38632.
diff --git a/doc/metadata/rhel6/V-38629.rst b/doc/metadata/rhel6/V-38629.rst
deleted file mode 100644
index 07898e8d..00000000
--- a/doc/metadata/rhel6/V-38629.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-38629
-status: exception
-tag: x11
----
-
-Deployers are urged to use graphical desktops only on client machines that
-connect to the OpenStack environment, rather than configuring graphical
-desktops within the OpenStack infrastructure itself.
diff --git a/doc/metadata/rhel6/V-38630.rst b/doc/metadata/rhel6/V-38630.rst
deleted file mode 100644
index d9e79c71..00000000
--- a/doc/metadata/rhel6/V-38630.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-38630
-status: exception
-tag: x11
----
-
-Deployers are urged to use graphical desktops only on client machines that
-connect to the OpenStack environment, rather than configuring graphical
-desktops within the OpenStack infrastructure itself.
diff --git a/doc/metadata/rhel6/V-38631.rst b/doc/metadata/rhel6/V-38631.rst
deleted file mode 100644
index e54ad5e9..00000000
--- a/doc/metadata/rhel6/V-38631.rst
+++ /dev/null
@@ -1,7 +0,0 @@
----
-id: V-38631
-status: implemented
-tag: auditd
----
-
-This STIG requirement overlaps with V-38632.
diff --git a/doc/metadata/rhel6/V-38632.rst b/doc/metadata/rhel6/V-38632.rst
deleted file mode 100644
index 21d09ee1..00000000
--- a/doc/metadata/rhel6/V-38632.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-38632
-status: implemented
-tag: auditd
----
-
-The tasks in auth.yml will install `auditd`_ and ensure it is running.
-
-.. _auditd: http://people.redhat.com/sgrubb/audit/
diff --git a/doc/metadata/rhel6/V-38633.rst b/doc/metadata/rhel6/V-38633.rst
deleted file mode 100644
index 721e6211..00000000
--- a/doc/metadata/rhel6/V-38633.rst
+++ /dev/null
@@ -1,17 +0,0 @@
----
-id: V-38633
-status: implemented
-tag: auditd
----
-
-The default setting for ``security_max_log_file`` in Ubuntu 14.04, Ubuntu
-16.04, and CentOS 7 matches the STIG requirement of rotating logs when they
-reach 6MB. The Ansible task for this STIG requirement ensures that the secure
-default is maintained.
-
-Deployers who want to exceed the STIG guideline can increase the size of logs
-by adjusting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_max_log_file: 6
diff --git a/doc/metadata/rhel6/V-38634.rst b/doc/metadata/rhel6/V-38634.rst
deleted file mode 100644
index c42a7235..00000000
--- a/doc/metadata/rhel6/V-38634.rst
+++ /dev/null
@@ -1,14 +0,0 @@
----
-id: V-38634
-status: implemented
-tag: auditd
----
-
-The default action for ``security_max_log_file_action`` on Ubuntu 14.04, Ubuntu
-16.04, and CentOS 7 is to rotate the logs. This meets the STIG requirements and
-the Ansible task will ensure that the secure default is maintained.
-
-Use caution when changing this option. Certain values, like ``SUSPEND`` will
-cause the audit daemon to lock the machine when the maximum size for a log
-file is reached. Review the audit documentation carefully before making
-adjustments.
diff --git a/doc/metadata/rhel6/V-38635.rst b/doc/metadata/rhel6/V-38635.rst
deleted file mode 100644
index b2fae013..00000000
--- a/doc/metadata/rhel6/V-38635.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-38635
-status: implemented
-tag: auditd
----
-
-Audit rules are added in a task so that any events associated with altering
-system time are logged. The new audit rule will be loaded immediately with
-``augenrules --load``.
diff --git a/doc/metadata/rhel6/V-38636.rst b/doc/metadata/rhel6/V-38636.rst
deleted file mode 100644
index d09cb184..00000000
--- a/doc/metadata/rhel6/V-38636.rst
+++ /dev/null
@@ -1,16 +0,0 @@
----
-id: V-38636
-status: implemented
-tag: auditd
----
-
-Ubuntu keeps 5 rotated logs with the ``security_num_logs`` option and this
-meets the STIG requirement. The Ansible task will ensure that the secure
-default is maintained.
-
-Deployers who want to allow logs to grow to larger sizes prior to rotation can
-adjust the following Ansible variable:
-
-.. code-block:: yaml
-
- security_num_logs: 5
diff --git a/doc/metadata/rhel6/V-38637.rst b/doc/metadata/rhel6/V-38637.rst
deleted file mode 100644
index 1fbd0b39..00000000
--- a/doc/metadata/rhel6/V-38637.rst
+++ /dev/null
@@ -1,14 +0,0 @@
----
-id: V-38637
-status: implemented
-tag: auditd
----
-
-The auditd package is verified with ``debsums`` in Ubuntu and with ``rpm`` in
-CentOS. The playbook will fail immediately if any of the files from the auditd
-package have been altered. This could be the sign of a system compromise.
-
-.. note::
-
- If the ``debsums`` package isn't installed on Ubuntu, the Ansible task will
- install it during the playbook run.
diff --git a/doc/metadata/rhel6/V-38638.rst b/doc/metadata/rhel6/V-38638.rst
deleted file mode 100644
index c3ad3ffd..00000000
--- a/doc/metadata/rhel6/V-38638.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-38638
-status: exception
-tag: x11
----
-
-Deployers are urged to use graphical desktops only on client machines that
-connect to the OpenStack environment, rather than configuring graphical
-desktops within the OpenStack infrastructure itself.
diff --git a/doc/metadata/rhel6/V-38639.rst b/doc/metadata/rhel6/V-38639.rst
deleted file mode 100644
index 52da4564..00000000
--- a/doc/metadata/rhel6/V-38639.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-38639
-status: exception
-tag: x11
----
-
-Deployers are urged to use graphical desktops only on client machines that
-connect to the OpenStack environment, rather than configuring graphical
-desktops within the OpenStack infrastructure itself.
diff --git a/doc/metadata/rhel6/V-38640.rst b/doc/metadata/rhel6/V-38640.rst
deleted file mode 100644
index 164be01b..00000000
--- a/doc/metadata/rhel6/V-38640.rst
+++ /dev/null
@@ -1,13 +0,0 @@
----
-id: V-38640
-status: implemented
-tag: services
----
-
-The Ansible tasks in the security role will disable the abrtd service and stop
-the service immediately. To opt-out of this change, set the following Ansible
-variable:
-
-.. code-block:: yaml
-
- security_disable_abrtd: no
diff --git a/doc/metadata/rhel6/V-38641.rst b/doc/metadata/rhel6/V-38641.rst
deleted file mode 100644
index 691e7dec..00000000
--- a/doc/metadata/rhel6/V-38641.rst
+++ /dev/null
@@ -1,13 +0,0 @@
----
-id: V-38641
-status: implemented
-tag: services
----
-
-The Ansible tasks in the security role will disable the atd service and stop
-the service immediately. To opt-out of this change, set the following Ansible
-variable:
-
-.. code-block:: yaml
-
- security_disable_atd: no
diff --git a/doc/metadata/rhel6/V-38642.rst b/doc/metadata/rhel6/V-38642.rst
deleted file mode 100644
index 5e42e5a0..00000000
--- a/doc/metadata/rhel6/V-38642.rst
+++ /dev/null
@@ -1,11 +0,0 @@
----
-id: V-38642
-status: opt-in
-tag: file_perms
----
-
-The STIG requires that daemons have their umask set to ``027`` or ``022``.
-Since changing umasks can disrupt some systems, this is an opt-in change.
-
-Deployers that want this change applied to their systems must set the Ansible
-variable ``security_umask_daemons_init`` to ``027``.
diff --git a/doc/metadata/rhel6/V-38643.rst b/doc/metadata/rhel6/V-38643.rst
deleted file mode 100644
index ec879c98..00000000
--- a/doc/metadata/rhel6/V-38643.rst
+++ /dev/null
@@ -1,23 +0,0 @@
----
-id: V-38643
-status: exception
-tag: file_perms
----
-
-Searching for world-writable files on a host deployed with openstack-ansible
-can be very time consuming and it can create unnecessary I/O load on hosts.
-Deployers are urged to check for world-writable files on a regular basis in
-directories where those files might be a concern (especially web accessible
-directories).
-
-The command provided with the STIG is helpful for finding these types of files:
-
-.. code-block:: bash
-
- find ${MOUNT_POINT} -xdev -type f -perm -002
-
-Running ``find /`` isn't recommended on systems without LVM storage for
-containers since it will eventually search through the filesystems of the LXC
-containers that are deployed by openstack-ansible. The ``-xdev`` option
-prevents ``find`` from wandering into other mounted filesystems and will
-prevent it from searching through containers in logical volumes.
diff --git a/doc/metadata/rhel6/V-38644.rst b/doc/metadata/rhel6/V-38644.rst
deleted file mode 100644
index d33604d3..00000000
--- a/doc/metadata/rhel6/V-38644.rst
+++ /dev/null
@@ -1,8 +0,0 @@
----
-id: V-38644
-status: implemented
-tag: misc
----
-
-Time synchronization is added within the fixes for V-38620 (where ``chrony`` is
-installed and configured). The ``ntpdate`` service is not used.
diff --git a/doc/metadata/rhel6/V-38645.rst b/doc/metadata/rhel6/V-38645.rst
deleted file mode 100644
index 151df41f..00000000
--- a/doc/metadata/rhel6/V-38645.rst
+++ /dev/null
@@ -1,13 +0,0 @@
----
-id: V-38645
-status: opt-in
-tag: file_perms
----
-
-Changing umask settings can disrupt some systems and this change requires a
-deployer to opt-in. To opt-in for this change and adjust the umask, set the
-following Ansible variable:
-
-.. code-block:: yaml
-
- security_umask_login_defs: 077
diff --git a/doc/metadata/rhel6/V-38646.rst b/doc/metadata/rhel6/V-38646.rst
deleted file mode 100644
index 3c009db7..00000000
--- a/doc/metadata/rhel6/V-38646.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-38646
-status: exception - manual intervention
-tag: services
----
-
-Very few environments run the ``oddjobd`` service, and those that do run it are
-usually associated with highly-available, clustered systems. Deployers will
-need to disable this service manually if it is running on the system.
diff --git a/doc/metadata/rhel6/V-38647.rst b/doc/metadata/rhel6/V-38647.rst
deleted file mode 100644
index a552f6ae..00000000
--- a/doc/metadata/rhel6/V-38647.rst
+++ /dev/null
@@ -1,13 +0,0 @@
----
-id: V-38647
-status: implemented
-tag: file_perms
----
-
-Ubuntu 14.04 doesn't use umask settings in ``/etc/profile``. Those settings
-are expected to be in ``/etc/login.defs`` instead.
-
-For CentOS 7, umask settings are present in ``/etc/profile`` but they are
-overidden by settings in ``/etc/login.defs``.
-
-See V-38645 for more details.
diff --git a/doc/metadata/rhel6/V-38648.rst b/doc/metadata/rhel6/V-38648.rst
deleted file mode 100644
index ce08b3da..00000000
--- a/doc/metadata/rhel6/V-38648.rst
+++ /dev/null
@@ -1,17 +0,0 @@
----
-id: V-38648
-status: implemented
-tag: services
----
-
-Although some OpenStack implementations use ``qpidd`` for their messaging hub,
-neither Ubuntu or openstack-ansible configures the service on the hosts by
-default. The Ansible task for this STIG will check to see if the init script
-exists for ``qpidd``. If it does, the daemon will be stopped and disable on
-the next boot.
-
-To opt-out of this change, adjust the following Ansible variable to ``no``:
-
-.. code-block:: yaml
-
- security_disable_qpidd: no
diff --git a/doc/metadata/rhel6/V-38649.rst b/doc/metadata/rhel6/V-38649.rst
deleted file mode 100644
index 8880fca2..00000000
--- a/doc/metadata/rhel6/V-38649.rst
+++ /dev/null
@@ -1,13 +0,0 @@
----
-id: V-38649
-status: opt-in
-tag: file_perms
----
-
-Since umask changes can be disruptive on some systems, the deployer must opt-in
-for this change to happen. If the ``security_umask_csh`` Ansible variable is
-set **and** the csh package is installed, the Ansible tasks will ensure the
-appropriate umask is set in the csh configuration file.
-
-If users have an active csh shell session, they will need to logout and create
-a new session to pick up the new umask change.
diff --git a/doc/metadata/rhel6/V-38650.rst b/doc/metadata/rhel6/V-38650.rst
deleted file mode 100644
index cbbcfdce..00000000
--- a/doc/metadata/rhel6/V-38650.rst
+++ /dev/null
@@ -1,14 +0,0 @@
----
-id: V-38650
-status: implemented
-tag: services
----
-
-Ubuntu doesn't provide packages containing the ``rdisc`` service at this time.
-
-In CentOS, the ``rdisc`` service will be stopped and disabled if it is present
-on the system. To opt-out of this change, set the following Ansible variable:
-
-.. code-block:: yaml
-
- security_disable_rdisc: no
diff --git a/doc/metadata/rhel6/V-38651.rst b/doc/metadata/rhel6/V-38651.rst
deleted file mode 100644
index 21887fc0..00000000
--- a/doc/metadata/rhel6/V-38651.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-38651
-status: opt-in
-tag: file_perms
----
-
-Changing the umask for the bash shell is an opt-in setting. Deployers that
-want to set the umask for bash sessions to match the STIG requirement must
-set the Ansible variable ``security_umask_bash`` to ``077``.
diff --git a/doc/metadata/rhel6/V-38652.rst b/doc/metadata/rhel6/V-38652.rst
deleted file mode 100644
index d9be6ec1..00000000
--- a/doc/metadata/rhel6/V-38652.rst
+++ /dev/null
@@ -1,11 +0,0 @@
----
-id: V-38652
-status: exception - manual intervention
-tag: misc
----
-
-Deployers are urged to use the ``nodev`` option on any remotely mounted
-filesystems whenever possible.
-
-The security role does not take action on filesystem mounts since this could
-affect the stability or availability of the host.
diff --git a/doc/metadata/rhel6/V-38653.rst b/doc/metadata/rhel6/V-38653.rst
deleted file mode 100644
index 8b6af349..00000000
--- a/doc/metadata/rhel6/V-38653.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-38653
-status: exception
-tag: misc
----
-
-The OpenStack-Ansible project doesn't install snmpd by default. Deployers are
-strongly recommended to use SNMPv3 with strong passwords for all connectivity
-if they choose to install snmpd.
diff --git a/doc/metadata/rhel6/V-38654.rst b/doc/metadata/rhel6/V-38654.rst
deleted file mode 100644
index 9fe0fe21..00000000
--- a/doc/metadata/rhel6/V-38654.rst
+++ /dev/null
@@ -1,11 +0,0 @@
----
-id: V-38654
-status: exception - manual intervention
-tag: misc
----
-
-Deployers are urged to use the ``nosuid`` option on any remotely mounted
-filesystems whenever possible.
-
-The security role does not take action on filesystem mounts since this could
-affect the stability or availability of the host.
diff --git a/doc/metadata/rhel6/V-38655.rst b/doc/metadata/rhel6/V-38655.rst
deleted file mode 100644
index a0342799..00000000
--- a/doc/metadata/rhel6/V-38655.rst
+++ /dev/null
@@ -1,13 +0,0 @@
----
-id: V-38655
-status: exception - manual intervention
-tag: misc
----
-
-Deployers are strongly urged to mount any additional disks with the ``noexec``
-mount option set whenever possible.
-
-For more information about the ``noexec`` mount option, review this `good
-answer from a ServerFault user about noexec`_.
-
-.. _good answer from a ServerFault user about noexec: http://serverfault.com/questions/72356/how-useful-is-mounting-tmp-noexec
diff --git a/doc/metadata/rhel6/V-38656.rst b/doc/metadata/rhel6/V-38656.rst
deleted file mode 100644
index 477a72b9..00000000
--- a/doc/metadata/rhel6/V-38656.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-38656
-status: implemented
-tag: services
----
-
-The Ansible tasks will check to see if the samba package is installed and the
-configuration file will be adjusted. If adjustments are made, the service will
-be restarted.
diff --git a/doc/metadata/rhel6/V-38657.rst b/doc/metadata/rhel6/V-38657.rst
deleted file mode 100644
index fb4eeea5..00000000
--- a/doc/metadata/rhel6/V-38657.rst
+++ /dev/null
@@ -1,8 +0,0 @@
----
-id: V-38657
-status: exception - manual intervention
-tag: services
----
-
-Deployers are urged to require SMB client signing if they ever mount samba
-shares within their infrastructure.
diff --git a/doc/metadata/rhel6/V-38658.rst b/doc/metadata/rhel6/V-38658.rst
deleted file mode 100644
index 66cd565f..00000000
--- a/doc/metadata/rhel6/V-38658.rst
+++ /dev/null
@@ -1,10 +0,0 @@
----
-id: V-38658
-status: exception - manual intervention
-tag: auth
----
-
-Making adjustments to PAM configurations via automated methods is risky since
-it can disrupt user authentication on various hosts. Deployers are strongly
-urged to rely on ssh keys as opposed to enforcing password complexity and
-rotation requirements.
diff --git a/doc/metadata/rhel6/V-38659.rst b/doc/metadata/rhel6/V-38659.rst
deleted file mode 100644
index 33e6ff2c..00000000
--- a/doc/metadata/rhel6/V-38659.rst
+++ /dev/null
@@ -1,15 +0,0 @@
----
-id: V-38659
-status: exception - initial provisioning
-tag: misc
----
-
-Creating encrypted storage is left up to the deployer to consider and
-implement. Although encrypting data at rest on storage volumes does reduce
-the chances of data theft if the server is physically compromised, it doesn't
-provide protection from a user who is logged in while the server is running.
-
-Linux systems provide various options for storage encryption. The `Linux
-Unified Key Setup`_ is a good implementation to review.
-
-.. _Linux Unified Key Setup: https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup
diff --git a/doc/metadata/rhel6/V-38660.rst b/doc/metadata/rhel6/V-38660.rst
deleted file mode 100644
index 46db6ed8..00000000
--- a/doc/metadata/rhel6/V-38660.rst
+++ /dev/null
@@ -1,21 +0,0 @@
----
-id: V-38660
-status: implemented
-tag: misc
----
-
-The Ansible tasks will check to see if the SNMP configuration file is present.
-If the file is present, and the file contains configurations for insecure SNMP
-protocols, an error will be printed and the playbook will fail.
-
-The task specifically looks for uncommented configuration lines containing:
-
-* ``v1``
-* ``v2c``
-* ``com2sec``
-* ``community``
-
-`Red Hat's guide to SNMP`_ has some example configurations that deployers
-can use to enable SNMPv3.
-
-.. _Red Hat's guide to SNMP: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sect-System_Monitoring_Tools-Net-SNMP-Configuring.html
diff --git a/doc/metadata/rhel6/V-38661.rst b/doc/metadata/rhel6/V-38661.rst
deleted file mode 100644
index 15c68c74..00000000
--- a/doc/metadata/rhel6/V-38661.rst
+++ /dev/null
@@ -1,15 +0,0 @@
----
-id: V-38661
-status: exception - initial provisioning
-tag: misc
----
-
-Creating encrypted storage is left up to the deployer to consider and
-implement. Although encrypting data at rest on storage volumes does reduce
-the chances of data theft if the server is physically compromised, it doesn't
-provide protection from a user who is logged in while the server is running.
-
-Linux systems provide various options for storage encryption. The `Linux
-Unified Key Setup`_ is a good implementation to review.
-
-.. _Linux Unified Key Setup: https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup
diff --git a/doc/metadata/rhel6/V-38662.rst b/doc/metadata/rhel6/V-38662.rst
deleted file mode 100644
index 87183c91..00000000
--- a/doc/metadata/rhel6/V-38662.rst
+++ /dev/null
@@ -1,15 +0,0 @@
----
-id: V-38662
-status: exception - initial provisioning
-tag: misc
----
-
-Creating encrypted storage is left up to the deployer to consider and
-implement. Although encrypting data at rest on storage volumes does reduce
-the chances of data theft if the server is physically compromised, it doesn't
-provide protection from a user who is logged in while the server is running.
-
-Linux systems provide various options for storage encryption. The `Linux
-Unified Key Setup`_ is a good implementation to review.
-
-.. _Linux Unified Key Setup: https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup
diff --git a/doc/metadata/rhel6/V-38663.rst b/doc/metadata/rhel6/V-38663.rst
deleted file mode 100644
index 49b9a102..00000000
--- a/doc/metadata/rhel6/V-38663.rst
+++ /dev/null
@@ -1,11 +0,0 @@
----
-id: V-38663
-status: exception - ubuntu
-tag: package
----
-
-Verifying ownership and permissions of installed packages isn't possible in the
-current version of ``dpkg`` as it is with ``rpm``. This security configuration
-is skipped for Ubuntu.
-
-For CentOS, this check is done as part of V-38637.
diff --git a/doc/metadata/rhel6/V-38664.rst b/doc/metadata/rhel6/V-38664.rst
deleted file mode 100644
index 2dc84507..00000000
--- a/doc/metadata/rhel6/V-38664.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-38664
-status: exception - ubuntu
-tag: package
----
-
-Verifying ownership and permissions of installed packages isn't possible in the
-current version of ``dpkg`` as it is with ``rpm``. This security configuration
-is skipped for Ubuntu. For CentOS, this check is done as part of V-38637.
diff --git a/doc/metadata/rhel6/V-38665.rst b/doc/metadata/rhel6/V-38665.rst
deleted file mode 100644
index 40877998..00000000
--- a/doc/metadata/rhel6/V-38665.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-38665
-status: exception - ubuntu
-tag: package
----
-
-Verifying ownership and permissions of installed packages isn't possible in the
-current version of ``dpkg`` as it is with ``rpm``. This security configuration
-is skipped for Ubuntu. For CentOS, this check is done as part of V-38637.
diff --git a/doc/metadata/rhel6/V-38666.rst b/doc/metadata/rhel6/V-38666.rst
deleted file mode 100644
index 95f36511..00000000
--- a/doc/metadata/rhel6/V-38666.rst
+++ /dev/null
@@ -1,18 +0,0 @@
----
-id: V-38666
-status: exception - manual intervention
-tag: misc
----
-
-The installation of an antivirus program is left up to the deployer. There are
-strong arguments against virus scanners due to detection failures and
-performance impacts.
-
-The following links provide more information about installing antivirus
-software on Ubuntu and CentOS:
-
-* `Ubuntu documentation - Antivirus`_
-* `CentOS Blog - How to Install ClamAV and Configure Daily Scanning on CentOS`_
-
-.. _Ubuntu documentation - Antivirus: https://help.ubuntu.com/community/Antivirus
-.. _CentOS Blog - How to Install ClamAV and Configure Daily Scanning on CentOS: https://www.centosblog.com/how-to-install-clamav-and-configure-daily-scanning-on-centos/
diff --git a/doc/metadata/rhel6/V-38667.rst b/doc/metadata/rhel6/V-38667.rst
deleted file mode 100644
index 23984c46..00000000
--- a/doc/metadata/rhel6/V-38667.rst
+++ /dev/null
@@ -1,10 +0,0 @@
----
-id: V-38667
-status: implemented
-tag: lsm
----
-
-The openstack-ansible project already installs and configures AppArmor, which
-is a Linux Security Module providing similar functionality to SELinux. In
-addition, AIDE is installed to monitor system files in the Ansible tasks for
-V-38429.
diff --git a/doc/metadata/rhel6/V-38668.rst b/doc/metadata/rhel6/V-38668.rst
deleted file mode 100644
index 2bc38544..00000000
--- a/doc/metadata/rhel6/V-38668.rst
+++ /dev/null
@@ -1,13 +0,0 @@
----
-id: V-38668
-status: implemented
-tag: console
----
-
-In Ubuntu 14.04, the Ansible tasks disable the control-alt-delete keyboard
-sequence via a configuration in ``/etc/init/control-alt-delete.conf``. A
-reboot is recommended to apply the change.
-
-Linux distributions that use systemd, such as Ubuntu 16.04 and CentOS 7,
-disable the key sequence by masking the ``ctrl-alt-del.target`` with
-``systemctl``.
diff --git a/doc/metadata/rhel6/V-38669.rst b/doc/metadata/rhel6/V-38669.rst
deleted file mode 100644
index 01f59cc9..00000000
--- a/doc/metadata/rhel6/V-38669.rst
+++ /dev/null
@@ -1,10 +0,0 @@
----
-id: V-38669
-status: implemented
-tag: mail
----
-
-The ``postfix`` package will be installed and configured to run at boot time.
-Review the documentation for V-38446 to ensure that root's email is
-forwarded to an email account that can monitor for critical alerts and other
-notifications.
diff --git a/doc/metadata/rhel6/V-38670.rst b/doc/metadata/rhel6/V-38670.rst
deleted file mode 100644
index 15848b6e..00000000
--- a/doc/metadata/rhel6/V-38670.rst
+++ /dev/null
@@ -1,12 +0,0 @@
----
-id: V-38670
-status: implemented
-tag: aide
----
-
-The ``aide`` package is already installed as part of the Ansible tasks to fix
-V-38429, but these Ansible tasks will verify that the cron job file is actually
-in place.
-
-The cron job is installed as part of the ``aide`` package installation. If the
-cron job is missing, an error will be printed and the playbook will fail.
diff --git a/doc/metadata/rhel6/V-38671.rst b/doc/metadata/rhel6/V-38671.rst
deleted file mode 100644
index 7f8d55bd..00000000
--- a/doc/metadata/rhel6/V-38671.rst
+++ /dev/null
@@ -1,12 +0,0 @@
----
-id: V-38671
-status: implemented
-tag: services
----
-
-The security role will remove the sendmail package if it exists on the system.
-To opt-out of this change, adjust the following Ansible variable to ``no``:
-
-.. code-block:: yaml
-
- security_remove_sendmail: no
diff --git a/doc/metadata/rhel6/V-38672.rst b/doc/metadata/rhel6/V-38672.rst
deleted file mode 100644
index 330a22dc..00000000
--- a/doc/metadata/rhel6/V-38672.rst
+++ /dev/null
@@ -1,16 +0,0 @@
----
-id: V-38672
-status: implemented
-tag: services
----
-
-Ubuntu doesn't provide the ``netconsole`` package and the daemon isn't included
-in any other Ubuntu packages.
-
-In CentOS, the ``netconsole`` daemon will be stopped and disabled if it is
-found to be installed. Deployers can opt-out of this change by setting the
-following Ansible variable:
-
-.. code-block:: yaml
-
- security_disable_netconsole: no
diff --git a/doc/metadata/rhel6/V-38673.rst b/doc/metadata/rhel6/V-38673.rst
deleted file mode 100644
index fb70c016..00000000
--- a/doc/metadata/rhel6/V-38673.rst
+++ /dev/null
@@ -1,8 +0,0 @@
----
-id: V-38673
-status: implemented
-tag: aide
----
-
-AIDE is configured to exclude certain directories, and that list of directories
-is controlled by the ``security_aide_exclude_dirs`` Ansible variable.
diff --git a/doc/metadata/rhel6/V-38674.rst b/doc/metadata/rhel6/V-38674.rst
deleted file mode 100644
index efa6995f..00000000
--- a/doc/metadata/rhel6/V-38674.rst
+++ /dev/null
@@ -1,32 +0,0 @@
----
-id: V-38674
-status: implemented
-tag: x11
----
-
-In Ubuntu 14.04, the upstart init system looks for the default runlevel in the
-``/etc/init/rc-sysinit.conf`` file. The tasks in the security role will ensure
-that the ``DEFAULT_RUNLEVEL`` environment variable is set to ``2``, which is a
-non-graphical runlevel.
-
-In Ubuntu 16.04 and CentOS 7, systemd handles various targets, which are
-similar to runlevels from earlier init systems. There are two targets that are
-important for this STIG:
-
-* ``graphical.target``: similar to runlevel 5 from earlier init systems
-* ``multi-user.target``: similar to runlevel 2 or 3 from earlier init systems
-
-The tasks in the security role will ensure that the default target is the
-``multi-user.target``, which provides a text-based system.
-
-Deployers can opt out of this change by setting an Ansible variable:
-
-.. code-block:: yaml
-
- security_disable_x_windows: no
-
-.. note::
-
- This change will not take effect until the server is rebooted. Changing a
- runlevel on an actively running system can cause certain services to stop,
- start, or restart.
diff --git a/doc/metadata/rhel6/V-38675.rst b/doc/metadata/rhel6/V-38675.rst
deleted file mode 100644
index 9be319e1..00000000
--- a/doc/metadata/rhel6/V-38675.rst
+++ /dev/null
@@ -1,15 +0,0 @@
----
-id: V-38675
-status: implemented
-tag: misc
----
-
-The security role will add a file in ``/etc/security/limits.d/`` that disables
-core dumps for all users. Although this setting is more secure, it can prevent
-users from debugging kernel errors.
-
-To opt-out of this change, set the following Ansible variable to ``no``:
-
-.. code-block:: yaml
-
- security_disable_core_dumps: no
diff --git a/doc/metadata/rhel6/V-38676.rst b/doc/metadata/rhel6/V-38676.rst
deleted file mode 100644
index 5e041aeb..00000000
--- a/doc/metadata/rhel6/V-38676.rst
+++ /dev/null
@@ -1,13 +0,0 @@
----
-id: V-38676
-status: implemented
-tag: services
----
-
-The Ansible tasks will remove the ``xserver-xorg`` package if it is present.
-
-To opt-out of the change, set the following Ansible variable to ``no``:
-
-.. code-block:: yaml
-
- security_remove_xorg: no
diff --git a/doc/metadata/rhel6/V-38677.rst b/doc/metadata/rhel6/V-38677.rst
deleted file mode 100644
index 35416b05..00000000
--- a/doc/metadata/rhel6/V-38677.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-38677
-status: implemented
-tag: nfsd
----
-
-If the system has NFS exports configured, the Ansible tasks will search for
-``insecure_locks`` in the options column for any of the available exports. If
-the option is found, the playbook will fail with an error.
diff --git a/doc/metadata/rhel6/V-38678.rst b/doc/metadata/rhel6/V-38678.rst
deleted file mode 100644
index fe184142..00000000
--- a/doc/metadata/rhel6/V-38678.rst
+++ /dev/null
@@ -1,14 +0,0 @@
----
-id: V-38678
-status: implemented
-tag: auditd
----
-
-When auditd notices that free disk space on its logging partition is low, it
-will trigger the ``security_space_left_action``. The threshold of remaining
-disk space is configured by ``security_space_left`` in
-``/etc/audit/auditd.conf``.
-
-By default, Ubuntu 14.04, Ubuntu 16.04 and CentOS 7 set this value to 75
-megabytes. The STIG doesn't set a specific requirement for the exact size, so
-the Ansible task will ensure that the default of 75 megabytes is set.
diff --git a/doc/metadata/rhel6/V-38679.rst b/doc/metadata/rhel6/V-38679.rst
deleted file mode 100644
index 5a29a05e..00000000
--- a/doc/metadata/rhel6/V-38679.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-38679
-status: exception
-tag: services
----
-
-The DHCP client is needed for containers to function properly and may be
-needed for some hosts as well. Deployers should examine their networking
-configuration to verify if DHCP clients can be disabled.
diff --git a/doc/metadata/rhel6/V-38680.rst b/doc/metadata/rhel6/V-38680.rst
deleted file mode 100644
index 38ef2d6f..00000000
--- a/doc/metadata/rhel6/V-38680.rst
+++ /dev/null
@@ -1,12 +0,0 @@
----
-id: V-38680
-status: implemented
-tag: mail
----
-
-The Ansible tasks will ensure that mail for the ``auditd`` user is forwarded
-to the ``root`` user for review.
-
-Deployers are strongly urged to review V-38446 to ensure they have set the
-``security_root_forward_email`` variable so that the email system can route
-these critical notifications to a monitored mailbox.
diff --git a/doc/metadata/rhel6/V-38681.rst b/doc/metadata/rhel6/V-38681.rst
deleted file mode 100644
index 837330ef..00000000
--- a/doc/metadata/rhel6/V-38681.rst
+++ /dev/null
@@ -1,17 +0,0 @@
----
-id: V-38681
-status: implemented
-tag: auth
----
-
-The Ansible tasks will run ``pwck`` to find any groups that are defined in
-``/etc/passwd`` but not in ``/etc/group``. This could be a sign of an
-accidental misconfiguration or a more serious security problem. If the command
-returns output about missing groups, the playbook will fail.
-
-To see the exact problems on the system when the playbook fails, run this
-command as root:
-
-.. code-block:: bash
-
- pwck -r | grep 'no group'
diff --git a/doc/metadata/rhel6/V-38682.rst b/doc/metadata/rhel6/V-38682.rst
deleted file mode 100644
index d7017dcf..00000000
--- a/doc/metadata/rhel6/V-38682.rst
+++ /dev/null
@@ -1,15 +0,0 @@
----
-id: V-38682
-status: implemented
-tag: kernel
----
-
-The Ansible task will disable the bluetooth kernel modules to meet the STIG
-requirements. To opt-out of this change, adjust the following Ansible variable
-to ``no``:
-
-.. code-block:: yaml
-
- disable_bluetooth_module: no
-
-**NOTE:** The module will be disabled on the next system reboot.
diff --git a/doc/metadata/rhel6/V-38683.rst b/doc/metadata/rhel6/V-38683.rst
deleted file mode 100644
index efa6945d..00000000
--- a/doc/metadata/rhel6/V-38683.rst
+++ /dev/null
@@ -1,18 +0,0 @@
----
-id: V-38683
-status: implemented
-tag: auth
----
-
-The Ansible task will use the ``pwck`` command to search for non-unique
-usernames on the system. If any matching usernames are found, an error
-will be printed and the playbook will fail.
-
-**NOTE:** The ``pwck`` command will find other abnormalities on the system,
-including users that exist in ``/etc/passwd`` but not in ``/etc/shadow``, and
-vice versa. If the playbook fails on this task, try to run this command
-on the system as root to find out what caused the failure:
-
-.. code-block:: bash
-
- pwck -rq
diff --git a/doc/metadata/rhel6/V-38684.rst b/doc/metadata/rhel6/V-38684.rst
deleted file mode 100644
index 92fb86b8..00000000
--- a/doc/metadata/rhel6/V-38684.rst
+++ /dev/null
@@ -1,15 +0,0 @@
----
-id: V-38684
-status: opt-in
-tag: misc
----
-
-Ubuntu does not set a limit on the maximum number of active sessions that
-a single user can have at one time. The STIG requires setting a limit of
-``10``.
-
-To opt-in for this change, set the following Ansible variable:
-
-.. code-block:: yaml
-
- security_max_simultaneous_logins: 10
diff --git a/doc/metadata/rhel6/V-38685.rst b/doc/metadata/rhel6/V-38685.rst
deleted file mode 100644
index e9203879..00000000
--- a/doc/metadata/rhel6/V-38685.rst
+++ /dev/null
@@ -1,10 +0,0 @@
----
-id: V-38685
-status: exception - manual intervention
-tag: misc
----
-
-It's not possible to determine which accounts may be temporary or permanent
-via automated methods, so this configuration change is left to deployers to
-configure and manage. Refer to the documentation in the STIG Viewer (link
-above) about configuring temporary accounts with an expiration date.
diff --git a/doc/metadata/rhel6/V-38686.rst b/doc/metadata/rhel6/V-38686.rst
deleted file mode 100644
index f2ec11d4..00000000
--- a/doc/metadata/rhel6/V-38686.rst
+++ /dev/null
@@ -1,14 +0,0 @@
----
-id: V-38686
-status: exception - manual intervention
-tag: network
----
-
-Although a minimal set of iptables rules are configured on OpenStack-Ansible
-hosts, the "deny all" requirement of the STIG is not met. This is largely left
-up to the deployer to do, based on their assessment of their own network
-segmentation.
-
-Deployers are urged to review the network access controls that are applied
-on the network devices between their OpenStack environment and the rest of
-their network.
diff --git a/doc/metadata/rhel6/V-38687.rst b/doc/metadata/rhel6/V-38687.rst
deleted file mode 100644
index d610c25a..00000000
--- a/doc/metadata/rhel6/V-38687.rst
+++ /dev/null
@@ -1,8 +0,0 @@
----
-id: V-38687
-status: exception - manual intervention
-tag: network
----
-
-The configuration of encrypted tunnels between deployers and their OpenStack
-environment is left up to the deployers to configure.
diff --git a/doc/metadata/rhel6/V-38688.rst b/doc/metadata/rhel6/V-38688.rst
deleted file mode 100644
index 9fbc1e6e..00000000
--- a/doc/metadata/rhel6/V-38688.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-38688
-status: exception
-tag: x11
----
-
-Deployers are urged to use graphical desktops only on client machines that
-connect to the OpenStack environment, rather than configuring graphical
-desktops within the OpenStack infrastructure itself.
diff --git a/doc/metadata/rhel6/V-38689.rst b/doc/metadata/rhel6/V-38689.rst
deleted file mode 100644
index 2cfa9624..00000000
--- a/doc/metadata/rhel6/V-38689.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-38689
-status: exception
-tag: x11
----
-
-Deployers are urged to use graphical desktops only on client machines that
-connect to the OpenStack environment, rather than configuring graphical
-desktops within the OpenStack infrastructure itself.
diff --git a/doc/metadata/rhel6/V-38690.rst b/doc/metadata/rhel6/V-38690.rst
deleted file mode 100644
index 180f8ab1..00000000
--- a/doc/metadata/rhel6/V-38690.rst
+++ /dev/null
@@ -1,10 +0,0 @@
----
-id: V-38690
-status: exception - manual intervention
-tag: auth
----
-
-It's not possible to determine which accounts may be temporary or permanent
-via automated methods, so this configuration change is left to deployers to
-configure and manage. Refer to the documentation in the STIG Viewer (link
-above) about configuring temporary accounts with an expiration date.
diff --git a/doc/metadata/rhel6/V-38691.rst b/doc/metadata/rhel6/V-38691.rst
deleted file mode 100644
index 3b57d311..00000000
--- a/doc/metadata/rhel6/V-38691.rst
+++ /dev/null
@@ -1,14 +0,0 @@
----
-id: V-38691
-status: implemented
-tag: services
----
-
-The Ansible tasks will disable the ``bluetooth`` service and stop it if it is
-running on the system.
-
-To opt-out of this change, adjust the following Ansible variable to ``no``:
-
-.. code-block:: yaml
-
- security_disable_bluetooth: no
diff --git a/doc/metadata/rhel6/V-38692.rst b/doc/metadata/rhel6/V-38692.rst
deleted file mode 100644
index e3af1906..00000000
--- a/doc/metadata/rhel6/V-38692.rst
+++ /dev/null
@@ -1,16 +0,0 @@
----
-id: V-38692
-status: opt-in
-tag: auth
----
-
-Deployers must opt-in for this change by setting the following Ansible
-variable:
-
-.. code-block:: yaml
-
- security_inactive_account_lock_days: 35
-
-The STIG requires this to be set to 35 days at a maximum. The Ansible tasks
-will not make any changes to ``/etc/default/useradd`` unless
-``security_inactive_account_lock_days`` is set.
diff --git a/doc/metadata/rhel6/V-38693.rst b/doc/metadata/rhel6/V-38693.rst
deleted file mode 100644
index deeb2fcf..00000000
--- a/doc/metadata/rhel6/V-38693.rst
+++ /dev/null
@@ -1,14 +0,0 @@
----
-id: V-38693
-status: exception - manual intervention
-tag: auth
----
-
-Password complexity requirements are left up to the deployer. Deployers are
-urged to rely on SSH keys as often as possible to avoid problems with
-passwords.
-
-Review the pam_cracklib documentation by running ``man pam_cracklib`` or
-read the `detailed documentation from Hal Pomeranz`_.
-
-.. _detailed documentation from Hal Pomeranz: http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html
diff --git a/doc/metadata/rhel6/V-38694.rst b/doc/metadata/rhel6/V-38694.rst
deleted file mode 100644
index a2e9fb6c..00000000
--- a/doc/metadata/rhel6/V-38694.rst
+++ /dev/null
@@ -1,16 +0,0 @@
----
-id: V-38694
-status: opt-in
-tag: auth
----
-
-Deployers must opt-in for this change by setting the following Ansible
-variable:
-
-.. code-block:: yaml
-
- security_inactive_account_lock_days: 35
-
-The STIG requires this to be set to 35 days at a maximum. The Ansible tasks
-will not make any changes to ``/etc/default/useradd`` unless
-``security_inactive_account_lock_days`` is set.
diff --git a/doc/metadata/rhel6/V-38695.rst b/doc/metadata/rhel6/V-38695.rst
deleted file mode 100644
index ab5c4da4..00000000
--- a/doc/metadata/rhel6/V-38695.rst
+++ /dev/null
@@ -1,12 +0,0 @@
----
-id: V-38695
-status: implemented
-tag: aide
----
-
-The AIDE package is already installed as part of the Ansible tasks to fix
-V-38429, but these Ansible tasks will verify that the cron job file is actually
-in place. The cron job is installed as part of the aide package installation.
-
-If the cron job is missing, an error will be printed and the playbook will
-fail.
diff --git a/doc/metadata/rhel6/V-38696.rst b/doc/metadata/rhel6/V-38696.rst
deleted file mode 100644
index 566e14ce..00000000
--- a/doc/metadata/rhel6/V-38696.rst
+++ /dev/null
@@ -1,11 +0,0 @@
----
-id: V-38696
-status: implemented
-tag: aide
----
-
-The AIDE package is already installed as part of the Ansible tasks to fix
-V-38429, but these Ansible tasks will verify that the cron job file is actually
-in place. The cron job is installed as part of the aide package installation.
-If the cron job is missing, an error will be printed and the playbook will
-fail.
diff --git a/doc/metadata/rhel6/V-38697.rst b/doc/metadata/rhel6/V-38697.rst
deleted file mode 100644
index 91d2d6b2..00000000
--- a/doc/metadata/rhel6/V-38697.rst
+++ /dev/null
@@ -1,14 +0,0 @@
----
-id: V-38697
-status: exception
-tag: misc
----
-
-Running a ``find`` command on the system during the playbook run is
-time-consuming and will also slow down disk I/O while it runs. Deployers
-are urged to review public directories to ensure the sticky bit is
-configured.
-
-Further reading: `sticky bit on Wikipedia`_
-
-.. _sticky bit on Wikipedia: https://en.wikipedia.org/wiki/Sticky_bit
diff --git a/doc/metadata/rhel6/V-38698.rst b/doc/metadata/rhel6/V-38698.rst
deleted file mode 100644
index 8a27ddcb..00000000
--- a/doc/metadata/rhel6/V-38698.rst
+++ /dev/null
@@ -1,11 +0,0 @@
----
-id: V-38698
-status: implemented
-tag: aide
----
-
-The AIDE package is already installed as part of the Ansible tasks to fix
-V-38429, but these Ansible tasks will verify that the cron job file is actually
-in place. The cron job is installed as part of the aide package installation.
-If the cron job is missing, an error will be printed and the playbook will
-fail.
diff --git a/doc/metadata/rhel6/V-38699.rst b/doc/metadata/rhel6/V-38699.rst
deleted file mode 100644
index 9a39a0b0..00000000
--- a/doc/metadata/rhel6/V-38699.rst
+++ /dev/null
@@ -1,20 +0,0 @@
----
-id: V-38699
-status: exception - manual intervention
-tag: file_perms
----
-
-The STIG requires administrators to search for directories meeting all of the
-following criteria:
-
-* World writable
-* Owned by a normal user (UID > 499)
-
-It requires that those directories are owned by root to prevent users from
-removing and replacing files. This ``find`` command isn't run within the
-Ansible tasks in openstack-ansible-security because it can be a very
-time-consuming task and it can slow down disk I/O while it runs.
-
-Deployers are strongly urged to review the permissions and ownerships of
-critical directories on their systems regularly to verify that they meet
-the requirements of this STIG.
diff --git a/doc/metadata/rhel6/V-38700.rst b/doc/metadata/rhel6/V-38700.rst
deleted file mode 100644
index f2c89609..00000000
--- a/doc/metadata/rhel6/V-38700.rst
+++ /dev/null
@@ -1,11 +0,0 @@
----
-id: V-38700
-status: implemented
-tag: aide
----
-
-The AIDE package is already installed as part of the Ansible tasks to fix
-V-38429, but these Ansible tasks will verify that the cron job file is actually
-in place. The cron job is installed as part of the aide package installation.
-If the cron job is missing, an error will be printed and the playbook will
-fail.
diff --git a/doc/metadata/rhel6/V-38701.rst b/doc/metadata/rhel6/V-38701.rst
deleted file mode 100644
index ddce1996..00000000
--- a/doc/metadata/rhel6/V-38701.rst
+++ /dev/null
@@ -1,10 +0,0 @@
----
-id: V-38701
-status: exception
-tag: services
----
-
-Neither OpenStack-Ansible or any of the operating systems supported by the
-security role will install the ``tftp`` daemon by default. Deployers with a
-``tftp`` server deployed should review the risks associated with running the
-service and configure it to meet the STIG's requirements.
diff --git a/doc/metadata/rhel6/V-38702.rst b/doc/metadata/rhel6/V-38702.rst
deleted file mode 100644
index 72bb0433..00000000
--- a/doc/metadata/rhel6/V-38702.rst
+++ /dev/null
@@ -1,10 +0,0 @@
----
-id: V-38702
-status: implemented
-tag: misc
----
-
-The security role will ensure that the appropriate log configuration lines are
-applied to ``/etc/vsftpd.conf`` to meet the STIG requirements. If the
-``vsftpd`` package isn't installed, the Ansible tasks won't make any changes to
-the system.
diff --git a/doc/metadata/rhel6/V-43150.rst b/doc/metadata/rhel6/V-43150.rst
deleted file mode 100644
index 8ab1b018..00000000
--- a/doc/metadata/rhel6/V-43150.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-43150
-status: exception
-tag: x11
----
-
-Deployers are urged to use graphical desktops only on client machines that
-connect to the OpenStack environment, rather than configuring graphical
-desktops within the OpenStack infrastructure itself.
diff --git a/doc/metadata/rhel6/V-51337.rst b/doc/metadata/rhel6/V-51337.rst
deleted file mode 100644
index 760195c6..00000000
--- a/doc/metadata/rhel6/V-51337.rst
+++ /dev/null
@@ -1,45 +0,0 @@
----
-id: V-51337
-status: implemented
-tag: lsm
----
-
-The tasks in the security role will enable the Linux Security
-Module (LSM) that is appropriate for the Linux distribution in use.
-
-For Ubuntu, the default LSM is AppArmor. Refer to Ubuntu's `AppArmor
-documentation`_ for more details on how AppArmor works. The tasks will enable
-AppArmor and start it immediately on the system.
-
-For CentOS, the default LSM is SELinux. Refer to Red Hat's `Security-Enhanced
-Linux`_ documentation for more details on SELinux. The tasks will enable
-SELinux on the next boot.
-
-.. note::
-
- **If SELinux was disabled before the security role was applied, the
- filesystem will be automatically relabeled on the next boot.** For most
- systems, this process only takes a few minutes. However, it can take
- additional time to finish on systems with slow disks or a large number of
- files.
-
- Deployers are strongly urged to relabel the filesystem if the system has
- never had SELinux in enforcing mode previously. Rebooting into enforcing
- mode with a partially-labeled filesystem can lead to unnecessary SELinux
- policy denials.
-
-Deployers can opt-out of this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_enable_linux_security_module: False
-
-Setting the variable to ``False`` will prevent the tasks from making any
-adjustments to the LSM status.
-
-On CentOS 7, the security role will verify that SELinux is in *Enforcing* mode.
-If SELinux is in *Disabled* or *Permissive* mode, the playbook will fail with
-an error message.
-
-.. _AppArmor documentation: https://help.ubuntu.com/community/AppArmor
-.. _Security-Enhanced Linux: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/
diff --git a/doc/metadata/rhel6/V-51363.rst b/doc/metadata/rhel6/V-51363.rst
deleted file mode 100644
index 34ed4413..00000000
--- a/doc/metadata/rhel6/V-51363.rst
+++ /dev/null
@@ -1,13 +0,0 @@
----
-id: V-51363
-status: implemented
-tag: lsm
----
-
-For Ubuntu, the standard AppArmor policies provided by the AppArmor package are
-loaded. The OpenStack-Ansible project also configures AppArmor to limit the
-actions of containers and reduce the changes (and potential damages) of a
-container breakout.
-
-On CentOS 7, the ``selinux-policy-targeted`` package provides SELinux policies
-that enforce limits on system services and users.
diff --git a/doc/metadata/rhel6/V-51369.rst b/doc/metadata/rhel6/V-51369.rst
deleted file mode 100644
index 2e573212..00000000
--- a/doc/metadata/rhel6/V-51369.rst
+++ /dev/null
@@ -1,14 +0,0 @@
----
-id: V-51369
-status: implemented
-tag: misc
----
-
-For Ubuntu, the standard AppArmor policies provided by the AppArmor package are
-loaded. The OpenStack-Ansible project also configures AppArmor to limit the
-actions of containers and reduce the changes (and potential damages) of a
-container breakout.
-
-On CentOS 7, the ``selinux-policy-targeted`` package provides SELinux policies
-that enforce limits on system services and users. SELinux is configured to use
-the ``targeted`` policy by default.
diff --git a/doc/metadata/rhel6/V-51379.rst b/doc/metadata/rhel6/V-51379.rst
deleted file mode 100644
index 44b241d1..00000000
--- a/doc/metadata/rhel6/V-51379.rst
+++ /dev/null
@@ -1,14 +0,0 @@
----
-id: V-51379
-status: exception - ubuntu
-tag: lsm
----
-
-The security role will search for unlabeled devices on CentOS and the playbook
-will fail with an error message if any unlabeled devices are found.
-
-Although SELinux works through a labeling system where every file (including
-devices) receives a label, AppArmor on Ubuntu works purely through policies
-without labels. However, OpenStack-Ansible does configure several AppArmor
-policies to reduce the chances and impact of LXC container breakouts on
-OpenStack hosts.
diff --git a/doc/metadata/rhel6/V-51391.rst b/doc/metadata/rhel6/V-51391.rst
deleted file mode 100644
index d7c4f20e..00000000
--- a/doc/metadata/rhel6/V-51391.rst
+++ /dev/null
@@ -1,16 +0,0 @@
----
-id: V-51391
-status: implemented
-tag: aide
----
-
-When AIDE is first installed for V-38429, a new database will be created.
-The creation process takes some time because AIDE needs to review each file
-in its list of monitored files to get timestamps and hashes. The
-initialization will be forked into the background so that it doesn't slow
-down the playbook run.
-
-Some directories are excluded from AIDE runs to prevent AIDE from wandering
-into directories where it shouldn't be hashing/monitoring files. The
-``defaults/main.yml`` file has some recommended directories as part of the
-``security_aide_exclude_dirs`` variable.
diff --git a/doc/metadata/rhel6/V-51875.rst b/doc/metadata/rhel6/V-51875.rst
deleted file mode 100644
index ce226132..00000000
--- a/doc/metadata/rhel6/V-51875.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-51875
-status: implemented
-tag: auth
----
-
-Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 already enable the display of the last
-successful login for a user immediately after login. An Ansible task ensures
-this setting is applied and restarts the ssh daemon if necessary.
diff --git a/doc/metadata/rhel6/V-54381.rst b/doc/metadata/rhel6/V-54381.rst
deleted file mode 100644
index c0a50132..00000000
--- a/doc/metadata/rhel6/V-54381.rst
+++ /dev/null
@@ -1,24 +0,0 @@
----
-id: V-54381
-status: opt-in
-tag: auditd
----
-
-The STIG requires that the audit system must switch the entire system into
-single-user mode when the space for logging becomes dangerously low.
-
-.. note::
-
- **This will cause serious service disruptions for any environment and
- should only be enabled for extremely high security environments.**
-
-The ``security_admin_space_left_action`` configuration is set to ``SUSPEND`` by
-default, and this will cause logging to be temporarily suspended until disk
-space is freed.
-
-For extremely high security environments, this Ansible variable can be
-provided to meet the requirements of the STIG:
-
-.. code-block:: yaml
-
- security_admin_space_left_action: SINGLE
diff --git a/doc/metadata/rhel6/V-57569.rst b/doc/metadata/rhel6/V-57569.rst
deleted file mode 100644
index 109dd868..00000000
--- a/doc/metadata/rhel6/V-57569.rst
+++ /dev/null
@@ -1,10 +0,0 @@
----
-id: V-57569
-status: exception - initial provisioning
-tag: boot
----
-
-Altering partitions and how they are mounted is left up to the deployer
-to configure during the OS installation process. Mounting ``/tmp/``
-with the ``noexec`` option is highly recommended to prevent scripts
-or binaries from being executed from ``/tmp``.
diff --git a/doc/metadata/rhel6/V-58901.rst b/doc/metadata/rhel6/V-58901.rst
deleted file mode 100644
index 11f7f809..00000000
--- a/doc/metadata/rhel6/V-58901.rst
+++ /dev/null
@@ -1,28 +0,0 @@
----
-id: V-58901
-status: implemented
-tag: auth
----
-
-This STIG requires that ``NOPASSWD`` and ``!authenticate`` are not used within
-the sudoers configuration files. Using these directives reduces the security
-of the system.
-
-``NOPASSWD`` allows users to run commands as root without providing a password
-first. Using ``!authenticate`` with the ``Defaults`` directive will disable
-password usage for any users which use ``sudo``.
-
-There are two configuration options for handling these changes. By default,
-both of these options are set to ``no``, which means that the sudoers
-configuration files will not be altered:
-
-.. code-block:: yaml
-
- security_sudoers_remove_nopasswd: no
- security_sudoers_remove_authenticate: no
-
-Setting ``security_sudoers_remove_nopasswd`` to ``yes`` will cause the Ansible
-tasks to search for any lines containing ``NOPASSWD`` and comment them out of
-the configuration. Setting ``security_sudoers_remove_authenticate`` will do the
-same actions on lines containing ``!authenticate``. Lines that are already
-commented will be left unaltered.
diff --git a/doc/metadata/rhel7/V-71849.rst b/doc/metadata/rhel7/V-71849.rst
deleted file mode 100644
index 4ebc58f5..00000000
--- a/doc/metadata/rhel7/V-71849.rst
+++ /dev/null
@@ -1,26 +0,0 @@
----
-id: V-71849
-status: opt-in
-tag: file_perms
----
-
-.. note::
-
- Ubuntu's ``debsums`` command does not support verification of permissions
- and ownership for files that were installed by packages. This STIG
- requirement will be skipped on Ubuntu.
-
-The STIG requires that all files owned by an installed package must have their
-permissions, user ownership, and group ownership set back to the vendor
-defaults.
-
-Although this is a good practice, it can cause issues if permissions or
-ownership were intentionally set after the packages were installed. It also
-causes significant delays in deployments. Therefore, this STIG is not applied
-by default.
-
-Deployers may opt in for the change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_reset_perm_ownership: yes
diff --git a/doc/metadata/rhel7/V-71855.rst b/doc/metadata/rhel7/V-71855.rst
deleted file mode 100644
index 0fc331cc..00000000
--- a/doc/metadata/rhel7/V-71855.rst
+++ /dev/null
@@ -1,17 +0,0 @@
----
-id: V-71855
-status: implemented
-tag: packages
----
-
-Ansible tasks will check the ``rpm -Va`` output (on CentOS and RHEL) or the
-output of ``debsums`` (on Ubuntu) to see if any files installed from packages
-have been altered. The tasks will print a list of files that have changed
-since their package was installed.
-
-Deployers should be most concerned with any checksum failures for binaries and
-their libraries. These are most often a sign of system compromise or poor
-system administration practices.
-
-Configuration files may appear in the list as well, but these are often less
-concerning since some of these files are adjusted by the security role itself.
diff --git a/doc/metadata/rhel7/V-71859.rst b/doc/metadata/rhel7/V-71859.rst
deleted file mode 100644
index d1d6fc7b..00000000
--- a/doc/metadata/rhel7/V-71859.rst
+++ /dev/null
@@ -1,29 +0,0 @@
----
-id: V-71859
-status: implemented
-tag: graphical
----
-
-The tasks in the security role configure ``dconf`` to display a login banner
-each time a graphical session starts on the system. The default banner message
-set by the role is:
-
- You are accessing a secured system and your actions will be logged along
- with identifying information. Disconnect immediately if you are not an
- authorized user of this system.
-
-Deployers can customize this message by setting an Ansible variable:
-
-.. code-block:: yaml
-
- security_enable_graphical_login_message_text: >
- This is a customized banner message.
-
-.. warning::
-
- The dconf configuration does not support multi-line strings. Ensure that
- ``security_enable_graphical_login_message_text`` contains a single line
- of text.
-
-In addition, deployers can opt out of displaying a login banner message by
-changing ``security_enable_graphical_login_message`` to ``no``.
diff --git a/doc/metadata/rhel7/V-71861.rst b/doc/metadata/rhel7/V-71861.rst
deleted file mode 100644
index e196b71c..00000000
--- a/doc/metadata/rhel7/V-71861.rst
+++ /dev/null
@@ -1,28 +0,0 @@
----
-id: V-71861
-status: implemented
-tag: graphical
----
-
-The security role configures a login banner for graphical logins using
-``dconf``. Deployers can opt out of this change by setting the following
-Ansible variable:
-
-.. code-block:: yaml
-
- security_enable_graphical_login_message: no
-
-The message is customized by setting another Ansible variable:
-
-.. code-block:: yaml
-
- security_enable_graphical_login_message_text: >
- You are accessing a secured system and your actions will be logged along
- with identifying information. Disconnect immediately if you are not an
- authorized user of this system.
-
-.. note::
-
- The space available for the graphical banner is relatively short. Deployers
- should limit the length of their graphical login banners to the shortest
- length possible.
diff --git a/doc/metadata/rhel7/V-71863.rst b/doc/metadata/rhel7/V-71863.rst
deleted file mode 100644
index 6f0c8de0..00000000
--- a/doc/metadata/rhel7/V-71863.rst
+++ /dev/null
@@ -1,10 +0,0 @@
----
-id: V-71863
-status: implemented
-tag: misc
----
-
-The security role already deploys a login banner for console logins with tasks
-from another STIG:
-
-* :ref:`stig-V-V-7225`
diff --git a/doc/metadata/rhel7/V-71891.rst b/doc/metadata/rhel7/V-71891.rst
deleted file mode 100644
index d8dc9d25..00000000
--- a/doc/metadata/rhel7/V-71891.rst
+++ /dev/null
@@ -1,16 +0,0 @@
----
-id: V-71891
-status: implemented
-tag: graphical
----
-
-The STIG requires that graphical sessions are locked when the screensaver
-starts and that users must re-enter credentials to restore access to the
-system. The screensaver lock is enabled by default if ``dconf`` is present on
-the system.
-
-Deployers can opt out of this change by setting an Ansible variable:
-
-.. code-block:: yaml
-
- security_lock_session: no
diff --git a/doc/metadata/rhel7/V-71893.rst b/doc/metadata/rhel7/V-71893.rst
deleted file mode 100644
index 7a854aec..00000000
--- a/doc/metadata/rhel7/V-71893.rst
+++ /dev/null
@@ -1,15 +0,0 @@
----
-id: V-71893
-status: implemented
-tag: graphical
----
-
-The STIG requires that the screensaver appears when a session reaches a certain
-period of inactivity. The tasks will enable the screensaver for inactive
-sessions by default.
-
-Deployers can opt out of this change by setting an Ansible variable:
-
-.. code-block:: yaml
-
- security_lock_session_when_inactive: no
diff --git a/doc/metadata/rhel7/V-71895.rst b/doc/metadata/rhel7/V-71895.rst
deleted file mode 100644
index 95d4acda..00000000
--- a/doc/metadata/rhel7/V-71895.rst
+++ /dev/null
@@ -1,10 +0,0 @@
----
-id: V-71895
-status: implemented
-tag: graphical
----
-
-This control is implemented by the tasks for another control. Refer to the
-documentation for more details on the change and how to opt out:
-
-* :ref:`stig-V-71893`
diff --git a/doc/metadata/rhel7/V-71897.rst b/doc/metadata/rhel7/V-71897.rst
deleted file mode 100644
index e302ee99..00000000
--- a/doc/metadata/rhel7/V-71897.rst
+++ /dev/null
@@ -1,7 +0,0 @@
----
-id: V-71897
-status: implemented
-tag: packages
----
-
-The role will ensure that the ``screen`` package is installed.
diff --git a/doc/metadata/rhel7/V-71899.rst b/doc/metadata/rhel7/V-71899.rst
deleted file mode 100644
index ae883ee1..00000000
--- a/doc/metadata/rhel7/V-71899.rst
+++ /dev/null
@@ -1,10 +0,0 @@
----
-id: V-71899
-status: implemented
-tag: graphical
----
-
-This control is implemented by the tasks for another control. Refer to the
-documentation for more details on the change and how to opt out:
-
-* :ref:`stig-V-71893`
diff --git a/doc/metadata/rhel7/V-71901.rst b/doc/metadata/rhel7/V-71901.rst
deleted file mode 100644
index 39cb3c56..00000000
--- a/doc/metadata/rhel7/V-71901.rst
+++ /dev/null
@@ -1,20 +0,0 @@
----
-id: V-71901
-status: implemented
-tag: graphical
----
-
-The STIG requires that a graphical session is locked when the screensaver
-starts. This requires a user to re-enter their credentials to regain access to
-the system.
-
-The tasks will set a timeout of 5 seconds after the screensaver has started
-before the session is locked. This gives a user a few seconds to press a key or
-wiggle their mouse after the screensaver appears without needing to re-enter
-their credentials.
-
-Deployers can adjust this timeout by setting an Ansible variable:
-
-.. code-block:: yaml
-
- security_lock_session_screensaver_lock_delay: 5
diff --git a/doc/metadata/rhel7/V-71903.rst b/doc/metadata/rhel7/V-71903.rst
deleted file mode 100644
index a482ef4c..00000000
--- a/doc/metadata/rhel7/V-71903.rst
+++ /dev/null
@@ -1,29 +0,0 @@
----
-id: V-71903
-status: opt-in
-tag: accounts
----
-
-The password quality requirements from the STIG are examples of good security
-practice, but deployers are strongly encouraged to use centralized
-authentication for administrative server access whenever possible.
-
-Password quality requirements are controlled by two Ansible variables: one for
-each individual password requirement and one "master switch" variable. The
-master switch variable controls all password requirements and it is **disabled
-by default**.
-
-Deployers can enable all password quality requirements by setting the master
-switch variable to ``yes``:
-
-.. code-block:: yaml
-
- security_pwquality_apply_rules: yes
-
-When the master switch variable is enabled, each individual password quality
-requirement can be disabled by a variable. To disable the fix for this STIG
-control, set the following Ansible variable:
-
-.. code-block:: yaml
-
- security_pwquality_require_uppercase: no
diff --git a/doc/metadata/rhel7/V-71905.rst b/doc/metadata/rhel7/V-71905.rst
deleted file mode 100644
index d81063a4..00000000
--- a/doc/metadata/rhel7/V-71905.rst
+++ /dev/null
@@ -1,29 +0,0 @@
----
-id: V-71905
-status: opt-in
-tag: accounts
----
-
-The password quality requirements from the STIG are examples of good security
-practice, but deployers are strongly encouraged to use centralized
-authentication for administrative server access whenever possible.
-
-Password quality requirements are controlled by two Ansible variables: one for
-each individual password requirement and one "master switch" variable. The
-master switch variable controls all password requirements and it is **disabled
-by default**.
-
-Deployers can enable all password quality requirements by setting the master
-switch variable to ``yes``:
-
-.. code-block:: yaml
-
- security_pwquality_apply_rules: yes
-
-When the master switch variable is enabled, each individual password quality
-requirement can be disabled by a variable. To disable the fix for this STIG
-control, set the following Ansible variable:
-
-.. code-block:: yaml
-
- security_pwquality_require_lowercase: no
diff --git a/doc/metadata/rhel7/V-71907.rst b/doc/metadata/rhel7/V-71907.rst
deleted file mode 100644
index faff2586..00000000
--- a/doc/metadata/rhel7/V-71907.rst
+++ /dev/null
@@ -1,29 +0,0 @@
----
-id: V-71907
-status: opt-in
-tag: accounts
----
-
-The password quality requirements from the STIG are examples of good security
-practice, but deployers are strongly encouraged to use centralized
-authentication for administrative server access whenever possible.
-
-Password quality requirements are controlled by two Ansible variables: one for
-each individual password requirement and one "master switch" variable. The
-master switch variable controls all password requirements and it is **disabled
-by default**.
-
-Deployers can enable all password quality requirements by setting the master
-switch variable to ``yes``:
-
-.. code-block:: yaml
-
- security_pwquality_apply_rules: yes
-
-When the master switch variable is enabled, each individual password quality
-requirement can be disabled by a variable. To disable the fix for this STIG
-control, set the following Ansible variable:
-
-.. code-block:: yaml
-
- security_pwquality_require_numeric: no
diff --git a/doc/metadata/rhel7/V-71909.rst b/doc/metadata/rhel7/V-71909.rst
deleted file mode 100644
index 0edacfd1..00000000
--- a/doc/metadata/rhel7/V-71909.rst
+++ /dev/null
@@ -1,29 +0,0 @@
----
-id: V-71909
-status: opt-in
-tag: accounts
----
-
-The password quality requirements from the STIG are examples of good security
-practice, but deployers are strongly encouraged to use centralized
-authentication for administrative server access whenever possible.
-
-Password quality requirements are controlled by two Ansible variables: one for
-each individual password requirement and one "master switch" variable. The
-master switch variable controls all password requirements and it is **disabled
-by default**.
-
-Deployers can enable all password quality requirements by setting the master
-switch variable to ``yes``:
-
-.. code-block:: yaml
-
- security_pwquality_apply_rules: yes
-
-When the master switch variable is enabled, each individual password quality
-requirement can be disabled by a variable. To disable the fix for this STIG
-control, set the following Ansible variable:
-
-.. code-block:: yaml
-
- security_pwquality_require_special: no
diff --git a/doc/metadata/rhel7/V-71911.rst b/doc/metadata/rhel7/V-71911.rst
deleted file mode 100644
index c74eb450..00000000
--- a/doc/metadata/rhel7/V-71911.rst
+++ /dev/null
@@ -1,29 +0,0 @@
----
-id: V-71911
-status: opt-in
-tag: accounts
----
-
-The password quality requirements from the STIG are examples of good security
-practice, but deployers are strongly encouraged to use centralized
-authentication for administrative server access whenever possible.
-
-Password quality requirements are controlled by two Ansible variables: one for
-each individual password requirement and one "master switch" variable. The
-master switch variable controls all password requirements and it is **disabled
-by default**.
-
-Deployers can enable all password quality requirements by setting the master
-switch variable to ``yes``:
-
-.. code-block:: yaml
-
- security_pwquality_apply_rules: yes
-
-When the master switch variable is enabled, each individual password quality
-requirement can be disabled by a variable. To disable the fix for this STIG
-control, set the following Ansible variable:
-
-.. code-block:: yaml
-
- security_pwquality_require_characters_changed: no
diff --git a/doc/metadata/rhel7/V-71913.rst b/doc/metadata/rhel7/V-71913.rst
deleted file mode 100644
index 15374818..00000000
--- a/doc/metadata/rhel7/V-71913.rst
+++ /dev/null
@@ -1,29 +0,0 @@
----
-id: V-71913
-status: opt-in
-tag: accounts
----
-
-The password quality requirements from the STIG are examples of good security
-practice, but deployers are strongly encouraged to use centralized
-authentication for administrative server access whenever possible.
-
-Password quality requirements are controlled by two Ansible variables: one for
-each individual password requirement and one "master switch" variable. The
-master switch variable controls all password requirements and it is **disabled
-by default**.
-
-Deployers can enable all password quality requirements by setting the master
-switch variable to ``yes``:
-
-.. code-block:: yaml
-
- security_pwquality_apply_rules: yes
-
-When the master switch variable is enabled, each individual password quality
-requirement can be disabled by a variable. To disable the fix for this STIG
-control, set the following Ansible variable:
-
-.. code-block:: yaml
-
- security_pwquality_require_character_classes_changed: no
diff --git a/doc/metadata/rhel7/V-71915.rst b/doc/metadata/rhel7/V-71915.rst
deleted file mode 100644
index b021e4d2..00000000
--- a/doc/metadata/rhel7/V-71915.rst
+++ /dev/null
@@ -1,29 +0,0 @@
----
-id: V-71915
-status: opt-in
-tag: accounts
----
-
-The password quality requirements from the STIG are examples of good security
-practice, but deployers are strongly encouraged to use centralized
-authentication for administrative server access whenever possible.
-
-Password quality requirements are controlled by two Ansible variables: one for
-each individual password requirement and one "master switch" variable. The
-master switch variable controls all password requirements and it is **disabled
-by default**.
-
-Deployers can enable all password quality requirements by setting the master
-switch variable to ``yes``:
-
-.. code-block:: yaml
-
- security_pwquality_apply_rules: yes
-
-When the master switch variable is enabled, each individual password quality
-requirement can be disabled by a variable. To disable the fix for this STIG
-control, set the following Ansible variable:
-
-.. code-block:: yaml
-
- security_pwquality_limit_repeated_characters: no
diff --git a/doc/metadata/rhel7/V-71917.rst b/doc/metadata/rhel7/V-71917.rst
deleted file mode 100644
index da792c87..00000000
--- a/doc/metadata/rhel7/V-71917.rst
+++ /dev/null
@@ -1,29 +0,0 @@
----
-id: V-71917
-status: opt-in
-tag: accounts
----
-
-The password quality requirements from the STIG are examples of good security
-practice, but deployers are strongly encouraged to use centralized
-authentication for administrative server access whenever possible.
-
-Password quality requirements are controlled by two Ansible variables: one for
-each individual password requirement and one "master switch" variable. The
-master switch variable controls all password requirements and it is **disabled
-by default**.
-
-Deployers can enable all password quality requirements by setting the master
-switch variable to ``yes``:
-
-.. code-block:: yaml
-
- security_pwquality_apply_rules: yes
-
-When the master switch variable is enabled, each individual password quality
-requirement can be disabled by a variable. To disable the fix for this STIG
-control, set the following Ansible variable:
-
-.. code-block:: yaml
-
- security_pwquality_limit_repeated_character_classes: no
diff --git a/doc/metadata/rhel7/V-71919.rst b/doc/metadata/rhel7/V-71919.rst
deleted file mode 100644
index 87c21146..00000000
--- a/doc/metadata/rhel7/V-71919.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-71919
-status: implemented
-tag: accounts
----
-
-The PAM configuration file for password storage is checked to ensure that
-``sha512`` is found on the ``pam_unix.so`` line. If ``sha512`` is not found,
-a debug message is printed in the Ansible output.
diff --git a/doc/metadata/rhel7/V-71921.rst b/doc/metadata/rhel7/V-71921.rst
deleted file mode 100644
index b3a5be3f..00000000
--- a/doc/metadata/rhel7/V-71921.rst
+++ /dev/null
@@ -1,22 +0,0 @@
----
-id: V-71921
-status: implemented
-tag: accounts
----
-
-The default password storage mechanism for Ubuntu 16.04, CentOS 7, and Red Hat
-Enterprise Linux 7 is ``SHA512`` and the tasks in the security role ensure that
-the default is maintained.
-
-Deployers can configure a different password storage mechanism by setting the
-following Ansible variable:
-
-.. code-block:: yaml
-
- security_password_encrypt_method: SHA512
-
-.. warning::
-
- SHA512 is the default on most modern Linux distributions and it meets the
- requirement of the STIG. Do not change the value unless a system has
- a specific need for a different password mechanism.
diff --git a/doc/metadata/rhel7/V-71923.rst b/doc/metadata/rhel7/V-71923.rst
deleted file mode 100644
index 50ac2f7a..00000000
--- a/doc/metadata/rhel7/V-71923.rst
+++ /dev/null
@@ -1,17 +0,0 @@
----
-id: V-71923
-status: implemented - red hat only
-tag: accounts
----
-
-The role ensures that ``crypt_style`` is set to ``sha512`` in
-``/etc/libuser.conf``, which is the default for CentOS 7 and Red Hat Enterprise
-Linux 7.
-
-Ubuntu does not use ``libuser``, so this change is not applicable.
-
-Deployers can opt out of this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_libuser_crypt_style_sha512: no
diff --git a/doc/metadata/rhel7/V-71925.rst b/doc/metadata/rhel7/V-71925.rst
deleted file mode 100644
index 04961530..00000000
--- a/doc/metadata/rhel7/V-71925.rst
+++ /dev/null
@@ -1,18 +0,0 @@
----
-id: V-71925
-status: opt-in
-tag: accounts
----
-
-Although the STIG requires that all passwords have a minimum lifetime set, this
-can cause issue in some production environments. Therefore, deployers must opt
-in for this change.
-
-Set the following Ansible variable to an integer (in days) to enable this
-setting:
-
-.. code-block:: yaml
-
- security_password_min_lifetime_days: 1
-
-The STIG requires the minimum lifetime for password to be one day.
diff --git a/doc/metadata/rhel7/V-71927.rst b/doc/metadata/rhel7/V-71927.rst
deleted file mode 100644
index 87bf56a9..00000000
--- a/doc/metadata/rhel7/V-71927.rst
+++ /dev/null
@@ -1,10 +0,0 @@
----
-id: V-71927
-status: implemented
-tag: accounts
----
-
-The tasks in the security role search for accounts with a minimum lifetime
-under 24 hours and display the usernames associated with those accounts.
-Ubuntu, CentOS, and Red Hat Enterprise Linux set the minimum life time to
-unlimited by default.
diff --git a/doc/metadata/rhel7/V-71929.rst b/doc/metadata/rhel7/V-71929.rst
deleted file mode 100644
index 67854df5..00000000
--- a/doc/metadata/rhel7/V-71929.rst
+++ /dev/null
@@ -1,19 +0,0 @@
----
-id: V-71929
-status: opt-in
-tag: accounts
----
-
-Although the STIG requires that all passwords have a maximum lifetime set, this
-can cause authentication disruptions in production environments if users are
-not aware that their password will expire. Therefore, this change is not
-applied by default.
-
-Deployers can opt in for this change and provide a maximum lifetime for user
-passwords (in days) by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_password_max_lifetime_days: 60
-
-The STIG requires that all passwords expire after 60 days.
diff --git a/doc/metadata/rhel7/V-71931.rst b/doc/metadata/rhel7/V-71931.rst
deleted file mode 100644
index 10e6a434..00000000
--- a/doc/metadata/rhel7/V-71931.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-71931
-status: implemented
-tag: accounts
----
-
-If any users have a maximum password age on their current password set to a
-length of over 60 days, a list of those users is provided in the Ansible
-output.
diff --git a/doc/metadata/rhel7/V-71933.rst b/doc/metadata/rhel7/V-71933.rst
deleted file mode 100644
index 3c41b3b2..00000000
--- a/doc/metadata/rhel7/V-71933.rst
+++ /dev/null
@@ -1,17 +0,0 @@
----
-id: V-71933
-status: opt-in
-tag: accounts
----
-
-Although the STIG requires that five passwords are remembered to prevent re-
-use, this can cause issues in production environment if the change is not
-communicated well to users. Therefore, the tasks in the security role do not
-apply this change by default.
-
-Deployers can opt in for the change and specify a number of passwords to
-remember by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_password_remember_password: 5
diff --git a/doc/metadata/rhel7/V-71935.rst b/doc/metadata/rhel7/V-71935.rst
deleted file mode 100644
index b894a25a..00000000
--- a/doc/metadata/rhel7/V-71935.rst
+++ /dev/null
@@ -1,16 +0,0 @@
----
-id: V-71935
-status: opt-in
-tag: accounts
----
-
-Although the STIG requires that passwords have a minimum length of 15
-characters, this change might be disruptive to users on a production system
-without communicating the change first. Therefore, this change is not applied
-by default.
-
-Deployers can opt in for the change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_pwquality_require_minimum_password_length: yes
diff --git a/doc/metadata/rhel7/V-71937.rst b/doc/metadata/rhel7/V-71937.rst
deleted file mode 100644
index 54ddead3..00000000
--- a/doc/metadata/rhel7/V-71937.rst
+++ /dev/null
@@ -1,18 +0,0 @@
----
-id: V-71937
-status: implemented
-tag: auth
----
-
-The Ansible tasks will ensure that PAM is configured to disallow logins from
-accounts with null or blank passwords. This involves removing a single option
-from one of the PAM configuration files:
-
-* CentOS or RHEL: removes ``nullok`` from ``/etc/pam.d/system-auth``
-* Ubuntu: removes ``nullok_secure`` from ``/etc/pam.d/common-auth``
-
-Deployers can opt-out of this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_disallow_blank_password_login: no
diff --git a/doc/metadata/rhel7/V-71939.rst b/doc/metadata/rhel7/V-71939.rst
deleted file mode 100644
index b10b1255..00000000
--- a/doc/metadata/rhel7/V-71939.rst
+++ /dev/null
@@ -1,15 +0,0 @@
----
-id: V-71939
-status: implemented
-tag: sshd
----
-
-The ``PermitEmptyPasswords`` configuration will be set to ``no`` in
-``/etc/ssh/sshd_config`` and sshd will be restarted. This disallows logins over
-ssh for users with a empty or null password set.
-
-Deployers can opt-out of this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_sshd_disallow_empty_password: no
diff --git a/doc/metadata/rhel7/V-71941.rst b/doc/metadata/rhel7/V-71941.rst
deleted file mode 100644
index 258154cb..00000000
--- a/doc/metadata/rhel7/V-71941.rst
+++ /dev/null
@@ -1,15 +0,0 @@
----
-id: V-71941
-status: opt-in
-tag: accounts
----
-
-The STIG requires that user accounts are disabled when their password expires.
-This might be disruptive for some users or for automated processes. Therefore,
-the tasks in the security role do not apply this change by default.
-
-Deployers can opt in for this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_disable_account_if_password_expires: yes
diff --git a/doc/metadata/rhel7/V-71943.rst b/doc/metadata/rhel7/V-71943.rst
deleted file mode 100644
index b4faff8a..00000000
--- a/doc/metadata/rhel7/V-71943.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-71943
-status: opt-in - Red Hat Only
-tag: auth
----
-
-This STIG control is implemented by:
-
-* :ref:`stig-V-71945`
diff --git a/doc/metadata/rhel7/V-71945.rst b/doc/metadata/rhel7/V-71945.rst
deleted file mode 100644
index e053a7f9..00000000
--- a/doc/metadata/rhel7/V-71945.rst
+++ /dev/null
@@ -1,44 +0,0 @@
----
-id: V-71945
-status: opt-in - Red Hat Only
-tag: auth
----
-
-The STIG requires that accounts with excessive failed login attempts are
-locked. It sets a limit of three failed attempts in a 15 minute interval and
-these restrictions are applied to all users (including root). Accounts cannot
-be automatically unlocked for seven days.
-
-This change might cause disruptions in production environments without proper
-communication to users. Therefore, this change is not applied by default.
-
-Deployers can opt in for the change by setting the following variable:
-
-.. code-block:: yaml
-
- security_pam_faillock_enable: yes
-
-There are also three configuration options that can be adjusted by setting
-Ansible variables:
-
-* ``security_pam_faillock_attempts``: This many failed login attempts within
- the specified time interval with trigger the account to lock.
- (STIG requirement: ``3`` attempts)
-
-* ``security_pam_faillock_interval``: This is the time interval (in seconds)
- to use when measuring excessive failed login attempts.
- (STIG requirement: ``900`` seconds)
-
-* ``security_pam_faillock_deny_root``: Set to ``yes`` to apply the restriction
- to the root user or set to ``no`` to exempt the root user from the account
- locking restrictions.
- (STIG requirement: ``yes``)
-
-* ``security_pam_faillock_unlock_time``: This sets the time delay (in seconds)
- before a locked account is automatically unlocked.
- (STIG requirement: ``604800`` seconds)
-
-.. note::
-
- Ubuntu does not provide ``pam_faillock``. This change is only applied to
- CentOS 7 or Red Hat Enterprise Linux 7 systems.
diff --git a/doc/metadata/rhel7/V-71947.rst b/doc/metadata/rhel7/V-71947.rst
deleted file mode 100644
index bda50cf5..00000000
--- a/doc/metadata/rhel7/V-71947.rst
+++ /dev/null
@@ -1,12 +0,0 @@
----
-id: V-71947
-status: exception - manual intervention
-tag: auth
----
-
-The STIG requires all users to authenticate when using ``sudo``, but this
-change can be highly disruptive for automated scripts or applications that
-cannot perform interactive authentication. Automated edits from Ansible tasks
-might cause authentication disruptions on some hosts, and deployers are urged
-to carefully review each use of the ``NOPASSWD`` directive in their ``sudo``
-configuration files.
diff --git a/doc/metadata/rhel7/V-71949.rst b/doc/metadata/rhel7/V-71949.rst
deleted file mode 100644
index ea4d82a6..00000000
--- a/doc/metadata/rhel7/V-71949.rst
+++ /dev/null
@@ -1,12 +0,0 @@
----
-id: V-71949
-status: exception - manual intervention
-tag: auth
----
-
-The STIG requires all users to re-authenticate when using ``sudo``, but this
-change can be highly disruptive for automated scripts or applications that
-cannot perform interactive authentication. Automated edits from Ansible tasks
-might cause authentication disruptions on some hosts, and deployers are urged
-to carefully review each use of the ``!authenticate`` directive in their
-``sudo`` configuration files.
diff --git a/doc/metadata/rhel7/V-71951.rst b/doc/metadata/rhel7/V-71951.rst
deleted file mode 100644
index 6cc48939..00000000
--- a/doc/metadata/rhel7/V-71951.rst
+++ /dev/null
@@ -1,13 +0,0 @@
----
-id: V-71951
-status: implemented
-tag: accounts
----
-
-The tasks in the Ansible role set a four second delay between failed login
-attempts. Deployers can configure a different delay (in seconds) by setting the
-following Ansible variable:
-
-.. code-block:: yaml
-
- security_shadow_utils_fail_delay: 4
diff --git a/doc/metadata/rhel7/V-71953.rst b/doc/metadata/rhel7/V-71953.rst
deleted file mode 100644
index 62e6df7e..00000000
--- a/doc/metadata/rhel7/V-71953.rst
+++ /dev/null
@@ -1,16 +0,0 @@
----
-id: V-71953
-status: implemented
-tag: graphical
----
-
-If ``AutomaticLoginEnable=true`` exists in the gdm configuration file,
-``/etc/gdm/custom.conf``, the configuration will removed. This disallows
-automatic logins for gdm and requires a user to complete the username and
-password prompts.
-
-Deployers can opt-out of this change by setting an Ansible variable:
-
-.. code-block:: yaml
-
- security_disable_gdm_automatic_login: no
diff --git a/doc/metadata/rhel7/V-71955.rst b/doc/metadata/rhel7/V-71955.rst
deleted file mode 100644
index e6a694c8..00000000
--- a/doc/metadata/rhel7/V-71955.rst
+++ /dev/null
@@ -1,15 +0,0 @@
----
-id: V-71955
-status: implemented
-tag: graphical
----
-
-If ``TimedLoginEnable=true`` exists in the gdm configuration file,
-``/etc/gdm/custom.conf``, the configuration will removed. This disallows timed
-logins for guest users in gdm.
-
-Deployers can opt-out of this change by setting an Ansible variable:
-
-.. code-block:: yaml
-
- security_disable_gdm_timed_login: no
diff --git a/doc/metadata/rhel7/V-71957.rst b/doc/metadata/rhel7/V-71957.rst
deleted file mode 100644
index be95d9a6..00000000
--- a/doc/metadata/rhel7/V-71957.rst
+++ /dev/null
@@ -1,14 +0,0 @@
----
-id: V-71957
-status: implemented
-tag: sshd
----
-
-The ``PermitUserEnvironment`` configuration is set to ``no`` in
-``/etc/ssh/sshd_config`` and sshd is restarted.
-
-Deployers can opt out of this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_sshd_disallow_environment_override: no
diff --git a/doc/metadata/rhel7/V-71959.rst b/doc/metadata/rhel7/V-71959.rst
deleted file mode 100644
index 65e58ad6..00000000
--- a/doc/metadata/rhel7/V-71959.rst
+++ /dev/null
@@ -1,14 +0,0 @@ ---- -id: V-71959 -status: implemented -tag: sshd ---- - -The ``HostbasedAuthentication`` configuration is set to ``no`` in -``/etc/ssh/sshd_config`` and sshd is restarted. - -Deployers can opt out of this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_sshd_disallow_host_based_auth: no diff --git a/doc/metadata/rhel7/V-71961.rst b/doc/metadata/rhel7/V-71961.rst deleted file mode 100644 index a49522e0..00000000 --- a/doc/metadata/rhel7/V-71961.rst +++ /dev/null @@ -1,28 +0,0 @@ ---- -id: V-71961 -status: opt-in -tag: misc ---- - -Although the STIG requires that GRUB 2 asks for a password whenever a user -attempts to enter single-user or maintenance mode, this change might be -disruptive in an emergency situation. Therefore, this change is not applied by -default. - -Deployers that wish to opt in for this change should set two Ansible variables: - -.. code-block:: yaml - - security_require_grub_authentication: yes - security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC... - -The default password set in the security role is 'secrete', but deployers -should set a much more secure password for production environments. Use the -``grub2-mkpasswd-pbkdf2`` command to create a password hash string and use it -as the value for the Ansible variable ``security_grub_password_hash``. - -.. warning:: - - This change must be tested in a non-production environment first. Requiring - authentication in GRUB 2 without proper communication to users could cause - extensive delays in emergency situations. diff --git a/doc/metadata/rhel7/V-71963.rst b/doc/metadata/rhel7/V-71963.rst deleted file mode 100644 index 06061782..00000000 --- a/doc/metadata/rhel7/V-71963.rst +++ /dev/null 
@@ -1,10 +0,0 @@ ---- -id: V-71963 -status: opt-in -tag: misc ---- - -The tasks in the security role for V-71961 will also apply changes to -systems that use UEFI. For more details, refer to the following documentation: - -* :ref:`stig-V-71961` diff --git a/doc/metadata/rhel7/V-71965.rst b/doc/metadata/rhel7/V-71965.rst deleted file mode 100644 index 7943e079..00000000 --- a/doc/metadata/rhel7/V-71965.rst +++ /dev/null @@ -1,9 +0,0 @@ ---- -id: V-71965 -status: exception - manual intervention -tag: auth ---- - -Deploying multi-factor authentication methods, including smart cards, is a -complicated process that requires preparation and communication. This work is -left to deployers to complete manually. diff --git a/doc/metadata/rhel7/V-71967.rst b/doc/metadata/rhel7/V-71967.rst deleted file mode 100644 index ec5410c3..00000000 --- a/doc/metadata/rhel7/V-71967.rst +++ /dev/null @@ -1,13 +0,0 @@ ---- -id: V-71967 -status: implemented -tag: packages ---- - -The role will remove the ``rsh-server`` package from the system if it is -installed. Deployers can opt-out of this change by setting the following -Ansible variable: - -.. code-block:: yaml - - security_rhel7_remove_rsh_server: no diff --git a/doc/metadata/rhel7/V-71969.rst b/doc/metadata/rhel7/V-71969.rst deleted file mode 100644 index 46c54643..00000000 --- a/doc/metadata/rhel7/V-71969.rst +++ /dev/null @@ -1,17 +0,0 @@ ---- -id: V-71969 -status: implemented -tag: packages ---- - -The role will remove the NIS server package from the system if it is -installed. The package name differs between Linux distributions: - -* CentOS: ``ypserv`` -* Ubuntu: ``nis`` - -Deployers can opt-out of this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_rhel7_remove_ypserv: no diff --git a/doc/metadata/rhel7/V-71971.rst b/doc/metadata/rhel7/V-71971.rst deleted file mode 100644 index 6cd03017..00000000 --- a/doc/metadata/rhel7/V-71971.rst +++ /dev/null 
@@ -1,15 +0,0 @@ ---- -id: V-71971 -status: exception - manual intervention -tag: auth ---- - -The tasks in the security role cannot determine the access levels of individual -users. - -Deployers are strongly encouraged to configure SELinux user confinement on -compatible systems using ``semanage login``. Refer to the -`Confining Existing Linux Users`_ documentation from Red Hat for detailed -information and command line examples. - -.. _Confining Existing Linux Users: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html diff --git a/doc/metadata/rhel7/V-71973.rst b/doc/metadata/rhel7/V-71973.rst deleted file mode 100644 index 78ae265e..00000000 --- a/doc/metadata/rhel7/V-71973.rst +++ /dev/null @@ -1,16 +0,0 @@ ---- -id: V-71973 -status: opt-in -tag: aide ---- - -Initializing the AIDE database and completing the first AIDE run causes -increased disk I/O and CPU usage for extended periods. Therefore, the AIDE -database is not automatically initialized by the tasks in the security role. - -Deployers can enable the AIDE database initialization within the security role -by setting the following Ansible variable: - -.. code-block:: yaml - - security_rhel7_initialize_aide: yes diff --git a/doc/metadata/rhel7/V-71975.rst b/doc/metadata/rhel7/V-71975.rst deleted file mode 100644 index 997d5e36..00000000 --- a/doc/metadata/rhel7/V-71975.rst +++ /dev/null @@ -1,8 +0,0 @@ ---- -id: V-71975 -status: implemented -tag: aide ---- - -The cron job for AIDE is configured to send emails to the root user after each -AIDE run. diff --git a/doc/metadata/rhel7/V-71977.rst b/doc/metadata/rhel7/V-71977.rst deleted file mode 100644 index 9d272408..00000000 --- a/doc/metadata/rhel7/V-71977.rst +++ /dev/null 
@@ -1,17 +0,0 @@ ---- -id: V-71977 -status: implemented -tag: packages ---- - -On Ubuntu systems, the tasks check for the ``AllowUnauthenticated`` string -anywhere in the apt configuration files found within ``/etc/apt/apt.conf.d/``. -If the string is found, a warning is printed on the console. - -On CentOS 7 systems, the tasks set the ``gpgcheck`` option to ``1`` in the -``/etc/yum.conf`` file. This enables GPG checks for all packages installed -with ``yum``. - -Setting ``security_enable_gpgcheck_packages`` to ``no`` will skip the -``AllowUnauthenticated`` string check on Ubuntu and it will set ``gpgcheck=0`` -in ``/etc/yum.conf`` on CentOS systems. diff --git a/doc/metadata/rhel7/V-71979.rst b/doc/metadata/rhel7/V-71979.rst deleted file mode 100644 index 0f6145d2..00000000 --- a/doc/metadata/rhel7/V-71979.rst +++ /dev/null @@ -1,17 +0,0 @@ ---- -id: V-71979 -status: implemented -tag: packages ---- - -On Ubuntu systems, the tasks comment out the ``no-debsig`` configuration line -in ``/etc/dpkg/dpkg.cfg``. This causes ``dpkg`` to verify GPG signatures for -all packages that are installed locally. - -On CentOS 7 systems, the tasks set the ``localpkg_gpgcheck`` option to ``1`` in -the ``/etc/yum.conf`` file. This enables GPG checks for all packages installed -locally with ``yum``. - -Setting ``security_enable_gpgcheck_packages_local`` to ``no`` will skip the -``no-debsig`` adjustment on Ubuntu and it will set ``local_gpgcheck=0`` in -``/etc/yum.conf`` on CentOS systems. diff --git a/doc/metadata/rhel7/V-71981.rst b/doc/metadata/rhel7/V-71981.rst deleted file mode 100644 index b1018c24..00000000 --- a/doc/metadata/rhel7/V-71981.rst +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -id: V-71981 -status: opt-in -tag: packages ---- - -The STIG requires that repository XML files are verified during ``yum`` runs. - -.. warning:: - - This setting is disabled by default because it can cause issues with CentOS - systems and prevent them from retrieving repository information. Deployers - who choose to enable this setting should test it thoroughly on - non-production environments before applying it to production systems. - -Deployers can override this default and opt in for the change by setting the -following Ansible variable: - -.. code-block:: yaml - - security_enable_gpgcheck_repo: yes diff --git a/doc/metadata/rhel7/V-71983.rst b/doc/metadata/rhel7/V-71983.rst deleted file mode 100644 index 72a7b676..00000000 --- a/doc/metadata/rhel7/V-71983.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-71983 -status: opt-in -tag: kernel ---- - -The tasks in the security role disable the ``usb-storage`` module and the -change is applied the next time the server is rebooted. - -Deployers can opt out of this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_rhel7_disable_usb_storage: no diff --git a/doc/metadata/rhel7/V-71985.rst b/doc/metadata/rhel7/V-71985.rst deleted file mode 100644 index 71b10dcf..00000000 --- a/doc/metadata/rhel7/V-71985.rst +++ /dev/null @@ -1,12 +0,0 @@ ---- -id: V-71985 -status: implemented -tag: misc ---- - -The ``autofs`` service is stopped and disabled if it is found on the system. -Deployers can opt out of this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_rhel7_disable_autofs: no diff --git a/doc/metadata/rhel7/V-71987.rst b/doc/metadata/rhel7/V-71987.rst deleted file mode 100644 index 4a9f78db..00000000 --- a/doc/metadata/rhel7/V-71987.rst +++ /dev/null 
@@ -1,17 +0,0 @@ ---- -id: V-71987 -status: opt-in -tag: packages ---- - -Although the STIG requires that dependent packages are removed automatically -when a package is removed, this can cause problems with certain packages, -especially kernels. Deployers must opt in to meet the requirements of this STIG -control. - -Deployers should set the following variable to enable automatic dependent -package removal: - -.. code-block:: yaml - - security_package_clean_on_remove: yes diff --git a/doc/metadata/rhel7/V-71989.rst b/doc/metadata/rhel7/V-71989.rst deleted file mode 100644 index 80206488..00000000 --- a/doc/metadata/rhel7/V-71989.rst +++ /dev/null @@ -1,29 +0,0 @@ ---- -id: V-71989 -status: implemented -tag: lsm ---- - -The tasks in the security role enable the appropriate Linux Security Module -(LSM) for the operating system. - -For Ubuntu systems, AppArmor is installed and enabled. This change takes -effect immediately. - -For CentOS or Red Hat Enterprise Linux systems, SELinux is enabled (in -enforcing mode) and its user tools are automatically installed. If SELinux is -not in enforcing mode already, a reboot is required to enable SELinux and -relabel the filesystem. - -.. warning:: - - Relabeling a filesystem takes time and the server must be offline for the - relabeling to complete. Filesystems with large amounts of files and - filesystems on slow disks will cause the relabeling process to take more - time. - -Deployers can opt out of this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_rhel7_enable_linux_security_module: no diff --git a/doc/metadata/rhel7/V-71991.rst b/doc/metadata/rhel7/V-71991.rst deleted file mode 100644 index 04b9fdd0..00000000 --- a/doc/metadata/rhel7/V-71991.rst +++ /dev/null 
@@ -1,12 +0,0 @@ ---- -id: V-71991 -status: implemented -tag: misc ---- - -The SELinux targeted policy is enabled on CentOS 7 and Red Hat systems. -AppArmor only has one set of policies, so this change has no effect on Ubuntu -systems running AppArmor. - -For more information on this change and how to opt out, refer to -:ref:`stig-V-71989`. diff --git a/doc/metadata/rhel7/V-71993.rst b/doc/metadata/rhel7/V-71993.rst deleted file mode 100644 index 72cdbf78..00000000 --- a/doc/metadata/rhel7/V-71993.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-71993 -status: implemented -tag: misc ---- - -The tasks in the security role disable the control-alt-delete key sequence by -masking its systemd service unit. - -Deployers can opt out of this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_rhel7_disable_ctrl_alt_delete: no diff --git a/doc/metadata/rhel7/V-71995.rst b/doc/metadata/rhel7/V-71995.rst deleted file mode 100644 index 4b733065..00000000 --- a/doc/metadata/rhel7/V-71995.rst +++ /dev/null 
@@ -1,38 +0,0 @@ ---- -id: V-71995 -status: opt-in - Ubuntu only -tag: accounts ---- - -The STIG requires that the umask for all authenticated users is ``077``. This -ensures that all new files and directories created by a user are accessible -only by that user. - -Although this change has a significant security benefit, it can cause problems -for users who are not expecting the change. The security role will not adjust -the umask by default. - -Deployers can opt-in for the change by setting the default umask with an -Ansible variable: - -.. code-block:: yaml - - security_shadow_utils_umask: 077 - -.. note:: - - Ubuntu uses ``pam_umask`` and it uses the default umask provided by the - ``UMASK`` line in ``/etc/login.defs``. The default setting on Ubuntu - systems is ``022``. This allows the user's group and other users on the - system to read and execute files, but they cannot write to them. - - CentOS and Red Hat Enterprise Linux do not use ``pam_umask`` and instead - set a default umask of ``0002`` for regular users and ``0022`` for root. - This gives the regular user's group full access to newly created files, but - other users cannot write to those files. - - The tasks for this STIG requirement are not currently applied to CentOS and - Red Hat Enterprise Linux systems. See `Launchpad Bug #1656003`_ for more - details. - -.. _Launchpad Bug #1656003: https://bugs.launchpad.net/openstack-ansible/+bug/1656003 diff --git a/doc/metadata/rhel7/V-71997.rst b/doc/metadata/rhel7/V-71997.rst deleted file mode 100644 index 67ac822f..00000000 --- a/doc/metadata/rhel7/V-71997.rst +++ /dev/null 
@@ -1,16 +0,0 @@ ---- -id: V-71997 -status: exception - manual intervention -tag: packages ---- - -The STIG requires that the current release of the operating system is still -supported and is actively receiving security updates. Deployers are urged to -stay current with the latest releases from Ubuntu, CentOS and Red Hat. - -The following links provide more details on end of life (EOL) dates for the -distributions supported by this role: - -* `Ubuntu releases `_ -* `CentOS EOL dates `_ -* `Red Hat Enterprise Linux Life Cycle `_ diff --git a/doc/metadata/rhel7/V-71999.rst b/doc/metadata/rhel7/V-71999.rst deleted file mode 100644 index 7c6c6a1e..00000000 --- a/doc/metadata/rhel7/V-71999.rst +++ /dev/null @@ -1,20 +0,0 @@ ---- -id: V-71999 -status: opt-in -tag: packages ---- - -Although the STIG requires that security patches and updates are applied when -they are made available, this might be disruptive to some systems. Therefore, -the tasks in the security role will not configure automatic updates by default. - -Deployers can opt in for automatic package updates by setting the following -Ansible variable: - -.. code-block:: yaml - - security_rhel7_automatic_package_updates: yes - -When enabled, the tasks install and configure ``yum-cron`` on CentOS and Red -Hat Enterprise Linux. On Ubuntu systems, the ``unattended-upgrades`` package -is installed and configured. diff --git a/doc/metadata/rhel7/V-72001.rst b/doc/metadata/rhel7/V-72001.rst deleted file mode 100644 index 34d8d449..00000000 --- a/doc/metadata/rhel7/V-72001.rst +++ /dev/null @@ -1,10 +0,0 @@ ---- -id: V-72001 -status: exception - manual intervention -tag: auth ---- - -Deployers are strongly urged to review the list of user accounts on each server -regularly. Evaluation of user accounts must be done on a case-by-case basis and -the tasks in the security role are unable to determine which user accounts are -valid. Deployers must complete this work manually. 
diff --git a/doc/metadata/rhel7/V-72003.rst b/doc/metadata/rhel7/V-72003.rst deleted file mode 100644 index 9c9e7add..00000000 --- a/doc/metadata/rhel7/V-72003.rst +++ /dev/null @@ -1,9 +0,0 @@ ---- -id: V-72003 -status: implemented -tag: accounts ---- - -If any users are found with invalid GIDs, those users are printed in the -Ansible output. Deployers should review the list and ensure all users are -assigned to a valid group that is defined in ``/etc/group``. diff --git a/doc/metadata/rhel7/V-72005.rst b/doc/metadata/rhel7/V-72005.rst deleted file mode 100644 index 089041ae..00000000 --- a/doc/metadata/rhel7/V-72005.rst +++ /dev/null @@ -1,12 +0,0 @@ ---- -id: V-72005 -status: implemented -tag: accounts ---- - -If an account with UID 0 other than ``root`` exists on the system, the playbook -will fail with an error message that includes the other accounts which have a -UID of 0. - -Deployers are strongly urged to keep only one account with UID 0, ``root``, and -to use ``sudo`` any situations where root access is required. diff --git a/doc/metadata/rhel7/V-72007.rst b/doc/metadata/rhel7/V-72007.rst deleted file mode 100644 index f1b2e848..00000000 --- a/doc/metadata/rhel7/V-72007.rst +++ /dev/null @@ -1,18 +0,0 @@ ---- -id: V-72007 -status: opt-in -tag: file_perms ---- - -Searching an entire filesystem with ``find`` reduces system performance and -might impact certain applications negatively. Therefore, the search for files -and directories with an invalid owner is **disabled by default**. - -Deployers can opt in for this search by setting the following Ansible variable: - -.. code-block:: yaml - - security_search_for_invalid_owner: yes - -Any files or directories without a valid user owner are displayed in the -Ansible output. diff --git a/doc/metadata/rhel7/V-72009.rst b/doc/metadata/rhel7/V-72009.rst deleted file mode 100644 index 15b2e699..00000000 --- a/doc/metadata/rhel7/V-72009.rst +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -id: V-72009 -status: opt-in -tag: file_perms ---- - -Searching an entire filesystem with ``find`` reduces system performance and -might impact certain applications negatively. Therefore, the search for files -and directories with an invalid group owner is **disabled by default**. - -Deployers can opt in for this search by setting the following Ansible variable: - -.. code-block:: yaml - - security_search_for_invalid_group_owner: yes - -Any files or directories without a valid group owner are displayed in the -Ansible output. diff --git a/doc/metadata/rhel7/V-72011.rst b/doc/metadata/rhel7/V-72011.rst deleted file mode 100644 index 4b2d75db..00000000 --- a/doc/metadata/rhel7/V-72011.rst +++ /dev/null @@ -1,9 +0,0 @@ ---- -id: V-72011 -status: implemented -tag: accounts ---- - -The usernames of all users without home directories assigned are provided in -the Ansible console output. Deployers should use this list of usernames to -audit each system to ensure every user has a valid home directory. diff --git a/doc/metadata/rhel7/V-72013.rst b/doc/metadata/rhel7/V-72013.rst deleted file mode 100644 index e570351f..00000000 --- a/doc/metadata/rhel7/V-72013.rst +++ /dev/null @@ -1,21 +0,0 @@ ---- -id: V-72013 -status: implemented -tag: accounts ---- - -The ``CREATE_HOME`` variable is set to ``yes`` by the tasks in the security -role. This ensures that home directories are created each time a new user -account is created. - -Deployers can opt out of this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_shadow_utils_create_home: no - -.. note:: - - On CentOS 7 and Red Hat Enterprise Linux 7 systems, home directories are - always created with new users by default. Home directories are not created - by default on Ubuntu systems. diff --git a/doc/metadata/rhel7/V-72015.rst b/doc/metadata/rhel7/V-72015.rst deleted file mode 100644 index 5b51048a..00000000 --- a/doc/metadata/rhel7/V-72015.rst +++ /dev/null 
@@ -1,10 +0,0 @@ ---- -id: V-72015 -status: implemented -tag: accounts ---- - -Each interactive user on the system is checked to verify that their assigned -home directory exists on the filesystem. If a home directory is missing, the -name of the user and their assigned home directory is printed in the Ansible -console output. diff --git a/doc/metadata/rhel7/V-72017.rst b/doc/metadata/rhel7/V-72017.rst deleted file mode 100644 index a2b808de..00000000 --- a/doc/metadata/rhel7/V-72017.rst +++ /dev/null @@ -1,25 +0,0 @@ ---- -id: V-72017 -status: opt-in -tag: file_perms ---- - -Although the STIG requires that all home directories have the proper owner, -group owner, and permissions, these changes might be disruptive in some -environments. These tasks are not executed by default. - -Deployers can opt in for the following changes to each home directory: - -* Permissions are set to ``0750`` at a maximum. If permissions are already - more restrictive than ``0750``, the permissions are left unchanged. - -* User ownership is set to the ``UID`` of the user. - -* Group ownership is set to the ``GID`` of the user. - -Deployers can opt in for these changes by setting the following Ansible -variable: - -.. code-block:: yaml - - security_set_home_directory_permissions_and_owners: yes diff --git a/doc/metadata/rhel7/V-72019.rst b/doc/metadata/rhel7/V-72019.rst deleted file mode 100644 index ed5f260e..00000000 --- a/doc/metadata/rhel7/V-72019.rst +++ /dev/null @@ -1,10 +0,0 @@ ---- -id: V-72019 -status: opt-in -tag: file_perms ---- - -This control is implemented by the tasks for another control. Refer to the -documentation for more details on the change and how to opt out: - -* :ref:`stig-V-72017` diff --git a/doc/metadata/rhel7/V-72021.rst b/doc/metadata/rhel7/V-72021.rst deleted file mode 100644 index a81deb94..00000000 --- a/doc/metadata/rhel7/V-72021.rst +++ /dev/null 
@@ -1,10 +0,0 @@ ---- -id: V-72021 -status: opt-in -tag: file_perms ---- - -This control is implemented by the tasks for another control. Refer to the -documentation for more details on the change and how to opt out: - -* :ref:`stig-V-72017` diff --git a/doc/metadata/rhel7/V-72023.rst b/doc/metadata/rhel7/V-72023.rst deleted file mode 100644 index 6f20fe95..00000000 --- a/doc/metadata/rhel7/V-72023.rst +++ /dev/null @@ -1,10 +0,0 @@ ---- -id: V-72023 -status: exception - manual intervention -tag: file_perms ---- - -Although the STIG has requirements for ownership and permissions of files and -directories in each user's home directory, broad changes to these settings -might cause disruptions to users on a system. Therefore, these changes are left -to deployers to examine and adjust manually. diff --git a/doc/metadata/rhel7/V-72025.rst b/doc/metadata/rhel7/V-72025.rst deleted file mode 100644 index 732dd8f0..00000000 --- a/doc/metadata/rhel7/V-72025.rst +++ /dev/null @@ -1,10 +0,0 @@ ---- -id: V-72025 -status: exception - manual intervention -tag: file_perms ---- - -Although the STIG has requirements for ownership and permissions of files and -directories in each user's home directory, broad changes to these settings -might cause disruptions to users on a system. Therefore, these changes are left -to deployers to examine and adjust manually. diff --git a/doc/metadata/rhel7/V-72027.rst b/doc/metadata/rhel7/V-72027.rst deleted file mode 100644 index c9d596e8..00000000 --- a/doc/metadata/rhel7/V-72027.rst +++ /dev/null @@ -1,10 +0,0 @@ ---- -id: V-72027 -status: exception - manual intervention -tag: file_perms ---- - -Although the STIG has requirements for ownership and permissions of files and -directories in each user's home directory, broad changes to these settings -might cause disruptions to users on a system. Therefore, these changes are left -to deployers to examine and adjust manually. 
diff --git a/doc/metadata/rhel7/V-72029.rst b/doc/metadata/rhel7/V-72029.rst deleted file mode 100644 index 0e0b4821..00000000 --- a/doc/metadata/rhel7/V-72029.rst +++ /dev/null @@ -1,13 +0,0 @@ ---- -id: V-72029 -status: exception - manual intervention -tag: file_perms ---- - -Although the STIG requires that all initialization files for interactive users -have proper owners, group owners, and permissions, these changes are often -disruptive for users. The tasks in the security role do not make any changes -to user initialization files. - -Deployers should review the content and discretionary access controls applied -to each user's initialization files in their home directory. diff --git a/doc/metadata/rhel7/V-72031.rst b/doc/metadata/rhel7/V-72031.rst deleted file mode 100644 index 70aa5629..00000000 --- a/doc/metadata/rhel7/V-72031.rst +++ /dev/null @@ -1,13 +0,0 @@ ---- -id: V-72031 -status: exception - manual intervention -tag: file_perms ---- - -Although the STIG requires that all initialization files for interactive users -have proper owners, group owners, and permissions, these changes are often -disruptive for users. The tasks in the security role do not make any changes -to user initialization files. - -Deployers should review the content and discretionary access controls applied -to each user's initialization files in their home directory. diff --git a/doc/metadata/rhel7/V-72033.rst b/doc/metadata/rhel7/V-72033.rst deleted file mode 100644 index 21fe68ed..00000000 --- a/doc/metadata/rhel7/V-72033.rst +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -id: V-72033 -status: exception - manual intervention -tag: file_perms ---- - -Although the STIG requires that all initialization files for interactive users -have proper owners, group owners, and permissions, these changes are often -disruptive for users. The tasks in the security role do not make any changes -to user initialization files. - -Deployers should review the content and discretionary access controls applied -to each user's initialization files in their home directory. diff --git a/doc/metadata/rhel7/V-72035.rst b/doc/metadata/rhel7/V-72035.rst deleted file mode 100644 index 88dd3287..00000000 --- a/doc/metadata/rhel7/V-72035.rst +++ /dev/null @@ -1,10 +0,0 @@ ---- -id: V-72035 -status: exception - manual intervention -tag: misc ---- - -Although the STIG requires that all initialization files must contain -executable search paths that resolve to the user's home directory, this change -be disruptive for most users. The tasks in the security role do not make any -changes to user initialization files. diff --git a/doc/metadata/rhel7/V-72037.rst b/doc/metadata/rhel7/V-72037.rst deleted file mode 100644 index f5e43670..00000000 --- a/doc/metadata/rhel7/V-72037.rst +++ /dev/null @@ -1,15 +0,0 @@ ---- -id: V-72037 -status: exception - manual intervention -tag: file_perms ---- - -Deployers should manually search their system for world-writable programs and -change the permissions on those programs. They are easily found with this -command: - -.. code-block:: console - - find / -perm -002 -type f - -World-writable executables should not be needed under almost all circumstances. diff --git a/doc/metadata/rhel7/V-72039.rst b/doc/metadata/rhel7/V-72039.rst deleted file mode 100644 index fe78bdf8..00000000 --- a/doc/metadata/rhel7/V-72039.rst +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -id: V-72039 -status: implemented - red hat only -tag: lsm ---- - -The tasks in the security role examine the SELinux contexts on each device file -found on the system. Any devices without appropriate labels are printed in -the Ansible output. - -Deployers should investigate the unlabeled devices and ensure that the correct -labels are applied for the class of device. - -.. note:: - - This change applies only to CentOS or Red Hat Enterprise Linux systems - since they rely on SELinux as their default Linux Security Module (LSM). - Ubuntu systems use AppArmor, which uses policy files rather than labels - applied to individual files. diff --git a/doc/metadata/rhel7/V-72041.rst b/doc/metadata/rhel7/V-72041.rst deleted file mode 100644 index d67059df..00000000 --- a/doc/metadata/rhel7/V-72041.rst +++ /dev/null @@ -1,8 +0,0 @@ ---- -id: V-72041 -status: exception - manual intervention -tag: misc ---- - -Deployers should examine any filesystem mounts that contain home directories to -ensure that the ``nosetuid`` option is set. diff --git a/doc/metadata/rhel7/V-72043.rst b/doc/metadata/rhel7/V-72043.rst deleted file mode 100644 index bd957fff..00000000 --- a/doc/metadata/rhel7/V-72043.rst +++ /dev/null @@ -1,8 +0,0 @@ ---- -id: V-72043 -status: exception - manual intervention -tag: misc ---- - -Deployers should examine any filesystem mounts of removable media to ensure -that the ``nosetuid`` option is set. diff --git a/doc/metadata/rhel7/V-72045.rst b/doc/metadata/rhel7/V-72045.rst deleted file mode 100644 index 09c8f705..00000000 --- a/doc/metadata/rhel7/V-72045.rst +++ /dev/null @@ -1,8 +0,0 @@ ---- -id: V-72045 -status: exception - manual intervention -tag: misc ---- - -Deployers should examine any filesystem mounts of NFS imports to ensure that -the ``nosetuid`` option is set. diff --git a/doc/metadata/rhel7/V-72047.rst b/doc/metadata/rhel7/V-72047.rst deleted file mode 100644 index 18b4ace4..00000000 
--- a/doc/metadata/rhel7/V-72047.rst +++ /dev/null @@ -1,13 +0,0 @@ ---- -id: V-72047 -status: implemented -tag: file_perms ---- - -The tasks in the security role examine the world-writable directories on the -system and report any directories that are not group-owned by the ``root`` -user. Those directories appear in the Ansible output. - -Deployers should review the list of directories and group owners to ensure -that they are appropriate for the directory. Unauthorized group ownership -could allow certain users to modify files from other users. diff --git a/doc/metadata/rhel7/V-72049.rst b/doc/metadata/rhel7/V-72049.rst deleted file mode 100644 index 746152ff..00000000 --- a/doc/metadata/rhel7/V-72049.rst +++ /dev/null @@ -1,13 +0,0 @@ ---- -id: V-72049 -status: exception - manual intervention -tag: file_perms ---- - -Although the STIG requires that all local interactive user accounts have a -umask of ``077``, this change can be disruptive for users and the applications -they run. This change cannot be applied in an automated way. - -Deployers should review user initialization files regularly to ensure that the -umask is not specified. This allows the system-wide setting of ``077`` to be -applied to all user sessions. diff --git a/doc/metadata/rhel7/V-72051.rst b/doc/metadata/rhel7/V-72051.rst deleted file mode 100644 index f9c65e10..00000000 --- a/doc/metadata/rhel7/V-72051.rst +++ /dev/null 
@@ -1,16 +0,0 @@ ---- -id: V-72051 -status: exception - manual intervention -tag: misc ---- - -Ubuntu, CentOS and Red Hat Enterprise Linux already capture the logs from cron. - -Ubuntu systems collect cron job logs into the main syslog file -(``/var/log/syslog``) rather than separate them into their own log file. -CentOS and Red Hat Enterprise Linux systems collect cron logs in -``/var/log/cron``. - -Deployers should not need to adjust these configurations unless a specific -environment requires it. The tasks in the security role do not make changes to -the ``rsyslog`` configuration. diff --git a/doc/metadata/rhel7/V-72053.rst b/doc/metadata/rhel7/V-72053.rst deleted file mode 100644 index d57a9ce5..00000000 --- a/doc/metadata/rhel7/V-72053.rst +++ /dev/null @@ -1,9 +0,0 @@ ---- -id: V-72053 -status: implemented -tag: file_perms ---- - -The tasks in the security role check for the existence of ``/etc/cron.allow`` -and set both the user and group ownership to ``root``. This is the default on -Ubuntu, CentOS, and Red Hat Enterprise Linux systems already. diff --git a/doc/metadata/rhel7/V-72055.rst b/doc/metadata/rhel7/V-72055.rst deleted file mode 100644 index 0d2f6267..00000000 --- a/doc/metadata/rhel7/V-72055.rst +++ /dev/null @@ -1,10 +0,0 @@ ---- -id: V-72055 -status: implemented -tag: misc ---- - -The group ownership for ``/etc/cron.allow`` is already set by the task for the -following STIG control: - -:ref:`stig-V-72053` diff --git a/doc/metadata/rhel7/V-72057.rst b/doc/metadata/rhel7/V-72057.rst deleted file mode 100644 index 911fa838..00000000 --- a/doc/metadata/rhel7/V-72057.rst +++ /dev/null @@ -1,12 +0,0 @@ ---- -id: V-72057 -status: implemented -tag: kernel ---- - -The ``kdump`` service is disabled if it exists on the system. Deployers can opt -out of this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_disable_kdump: no 
diff --git a/doc/metadata/rhel7/V-72059.rst b/doc/metadata/rhel7/V-72059.rst deleted file mode 100644 index 2ca45c16..00000000 --- a/doc/metadata/rhel7/V-72059.rst +++ /dev/null @@ -1,13 +0,0 @@ ---- -id: V-72059 -status: exception - initial provisioning -tag: misc ---- - -Deployers should consider using filesystem mounts for home directories during -the initial server provisioning process. Adding filesystem mounts after a -system is provisioned might lead to downtime. - -The tasks in the security role do not take action on filesystem mounts. If the -server does not mount ``/home`` as a separate filesystem, a warning is printed -in the Ansible output. diff --git a/doc/metadata/rhel7/V-72061.rst b/doc/metadata/rhel7/V-72061.rst deleted file mode 100644 index 667a5bfa..00000000 --- a/doc/metadata/rhel7/V-72061.rst +++ /dev/null @@ -1,13 +0,0 @@ ---- -id: V-72061 -status: exception - initial provisioning -tag: misc ---- - -Deployers should consider using filesystem mounts for ``/var`` during -the initial server provisioning process. Adding filesystem mounts after a -system is provisioned might lead to downtime. - -The tasks in the security role do not take action on filesystem mounts. If the -server does not mount ``/var`` as a separate filesystem, a warning is printed -in the Ansible output. diff --git a/doc/metadata/rhel7/V-72063.rst b/doc/metadata/rhel7/V-72063.rst deleted file mode 100644 index 92888168..00000000 --- a/doc/metadata/rhel7/V-72063.rst +++ /dev/null @@ -1,13 +0,0 @@ ---- -id: V-72063 -status: exception - initial provisioning -tag: misc ---- - -Deployers should consider using filesystem mounts for ``/var/log/audit`` during -the initial server provisioning process. Adding filesystem mounts after a -system is provisioned might lead to downtime. - -The tasks in the security role do not take action on filesystem mounts. If the -server does not mount ``/var/log/audit`` as a separate filesystem, a warning is -printed in the Ansible output. 
diff --git a/doc/metadata/rhel7/V-72065.rst b/doc/metadata/rhel7/V-72065.rst deleted file mode 100644 index 5cc437d4..00000000 --- a/doc/metadata/rhel7/V-72065.rst +++ /dev/null @@ -1,13 +0,0 @@ ---- -id: V-72065 -status: exception - initial provisioning -tag: misc ---- - -Deployers should consider using filesystem mounts for ``/tmp`` during -the initial server provisioning process. Adding filesystem mounts after a -system is provisioned might lead to downtime. - -The tasks in the security role do not take action on filesystem mounts. If the -server does not mount ``/tmp`` as a separate filesystem, a warning is -printed in the Ansible output. diff --git a/doc/metadata/rhel7/V-72067.rst b/doc/metadata/rhel7/V-72067.rst deleted file mode 100644 index 03d5dc7e..00000000 --- a/doc/metadata/rhel7/V-72067.rst +++ /dev/null @@ -1,23 +0,0 @@ ---- -id: V-72067 -status: implemented - red hat only -tag: misc ---- - -The tasks in the Ansible role install the ``dracut-fips`` and -``dracut-fips-aesni`` packages and check to see if FIPS is enabled on the -system. If it is not enabled, a warning message is printed in the Ansible -output. - -Enabling FIPS at boot time requires additional manual configuration. Refer to -`Chapter 7. Federal Standards and Regulations`_ in the Red Hat documentation -for more details. Section 7.1.1 contains the steps required for updating -the bootloader configuration and regenerating the initramfs. - -.. _Chapter 7. Federal Standards and Regulations : https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Federal_Standards_and_Regulations.html - -.. note:: - - This change only applies to CentOS and Red Hat Enterprise Linux. Ubuntu - does not use dracut by default and the process for enabling the FIPS - functionality at boot time is more complex. diff --git a/doc/metadata/rhel7/V-72069.rst b/doc/metadata/rhel7/V-72069.rst deleted file mode 100644 index b72fb762..00000000 
--- a/doc/metadata/rhel7/V-72069.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72069 -status: implemented -tag: aide ---- - -CentOS 7 and Red Hat Enterprise Linux 7 already deploy a very secure AIDE -configuration that checks access control lists (ACLs) and extended attributes -by default. No configuration changes are applied on these systems. - -However, Ubuntu lacks the rules that include ACL and extended attribute checks. -The tasks in the security role will add a small configuration block at the end -of the AIDE configuration file to meet the requirements of this STIG, as well -as V-72071. diff --git a/doc/metadata/rhel7/V-72071.rst b/doc/metadata/rhel7/V-72071.rst deleted file mode 100644 index 38c26425..00000000 --- a/doc/metadata/rhel7/V-72071.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72071 -status: implemented -tag: aide ---- - -CentOS 7 and Red Hat Enterprise Linux 7 already deploy a very secure AIDE -configuration that checks access control lists (ACLs) and extended attributes -by default. No configuration changes are applied on these systems. - -However, Ubuntu lacks the rules that include ACL and extended attribute checks. -The tasks in the security role will add a small configuration block at the end -of the AIDE configuration file to meet the requirements of this STIG, as well -as V-72069. diff --git a/doc/metadata/rhel7/V-72073.rst b/doc/metadata/rhel7/V-72073.rst deleted file mode 100644 index ff99eac1..00000000 --- a/doc/metadata/rhel7/V-72073.rst +++ /dev/null @@ -1,12 +0,0 @@ ---- -id: V-72073 -status: implemented -tag: aide ---- - -The default AIDE configuration in CentOS 7 and Red Hat Enterprise Linux 7 -already uses SHA512 to validate file contents and directories. No changes are -required on these systems. - -The tasks in the security role add a rule to end of the AIDE configuration on -Ubuntu systems that uses SHA512 for validation. 
diff --git a/doc/metadata/rhel7/V-72075.rst b/doc/metadata/rhel7/V-72075.rst deleted file mode 100644 index 0c994301..00000000 --- a/doc/metadata/rhel7/V-72075.rst +++ /dev/null @@ -1,9 +0,0 @@ ---- -id: V-72075 -status: exception - initial provisioning -tag: misc ---- - -When a server is initially provisioned, deployers should avoid storing -the boot loader on removable media. It is not possible to change this via -automated tasks. diff --git a/doc/metadata/rhel7/V-72077.rst b/doc/metadata/rhel7/V-72077.rst deleted file mode 100644 index 839669a5..00000000 --- a/doc/metadata/rhel7/V-72077.rst +++ /dev/null @@ -1,17 +0,0 @@ ---- -id: V-72077 -status: implemented -tag: packages ---- - -The role will remove the telnet server package from the system if it is -installed. The package name differs between Linux distributions: - -* CentOS: ``telnet-server`` -* Ubuntu: ``telnetd`` - -Deployers can opt-out of this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_rhel7_remove_telnet_server: no diff --git a/doc/metadata/rhel7/V-72079.rst b/doc/metadata/rhel7/V-72079.rst deleted file mode 100644 index 9964f7ed..00000000 --- a/doc/metadata/rhel7/V-72079.rst +++ /dev/null @@ -1,8 +0,0 @@ ---- -id: V-72079 -status: implemented -tag: auditd ---- - -The tasks in the security role start the audit daemon immediately and ensure -that it starts at boot time. diff --git a/doc/metadata/rhel7/V-72081.rst b/doc/metadata/rhel7/V-72081.rst deleted file mode 100644 index c4bb041a..00000000 --- a/doc/metadata/rhel7/V-72081.rst +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -id: V-72081 -status: implemented -tag: auditd ---- - -The audit daemon takes various actions when there is an auditing failure. There -are three options for the ``-f`` flag for ``auditctl``: - -* ``0``: In the event of an auditing failure, do nothing. -* ``1``: In the event of an auditing failure, write messages to the kernel log. -* ``2``: In the event of an auditing failure, cause a kernel panic. - -Most operating systems set the failure flag to ``1`` by default, which -maximizes system availability while still causing an alert. The tasks in the -security role set the flag to ``1`` by default. - -Deployers can adjust the following Ansible variable to customize the failure -flag: - -.. code-block:: yaml - - security_rhel7_audit_failure_flag: 1 - -.. warning:: - - Setting the failure flag to ``2`` is **strongly** discouraged unless the - security of the system takes priority over its availability. Any failure in - auditing causes a kernel panic and the system requires a hard reboot. diff --git a/doc/metadata/rhel7/V-72083.rst b/doc/metadata/rhel7/V-72083.rst deleted file mode 100644 index cbb1309a..00000000 --- a/doc/metadata/rhel7/V-72083.rst +++ /dev/null @@ -1,13 +0,0 @@ ---- -id: V-72083 -status: opt-in -tag: auditd ---- - -The ``audispd`` service transmits audit logs to other servers. Deployers -should specify the address of another server that can receive audit logs by -setting the following Ansible variable: - -.. code-block:: yaml - - security_audisp_remote_server: '10.0.21.1' diff --git a/doc/metadata/rhel7/V-72085.rst b/doc/metadata/rhel7/V-72085.rst deleted file mode 100644 index 38a1f8cc..00000000 --- a/doc/metadata/rhel7/V-72085.rst +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -id: V-72085 -status: opt-in -tag: auditd ---- - -The ``audispd`` daemon transmits audit logs without encryption by default. The -STIG requires that these logs are encrypted while they are transferred across -the network. The encryption is controlled by the ``enable_krb5`` option in -``/etc/audisp/audisp-remote.conf``. - -Deployers can opt-in for encrypted audit log transmission by setting the -following Ansible variable: - -.. code-block:: yaml - - security_audisp_enable_krb5: yes - -.. warning:: - - Only enable this setting if kerberos is already configured. diff --git a/doc/metadata/rhel7/V-72087.rst b/doc/metadata/rhel7/V-72087.rst deleted file mode 100644 index 14c4628b..00000000 --- a/doc/metadata/rhel7/V-72087.rst +++ /dev/null @@ -1,32 +0,0 @@ ---- -id: V-72087 -status: implemented -tag: auditd ---- - -The tasks in the security role set the ``disk_full_action`` and -``network_failure_action`` to ``syslog`` in the audispd remote configuration. -In the event of a full disk on the remote log server or a network interruption, -the local system sends warnings to syslog. This is the safest option since it -maximizes the availability of the local system. - -Deployers have two other options available: - -* ``single``: Switch the local server into single-user mode in the event of a - logging failure. - -* ``halt``: Shut off the local server gracefully in the event of a logging - failure. - -.. warning:: - - Choosing ``single`` or ``halt`` causes a server to go into a degraded or - offline state immediately after a logging failure. - -Deployers can adjust these configurations by setting the following Ansible -variables (the safe defaults are shown here): - -.. code-block:: yaml - - security_rhel7_auditd_disk_full_action: syslog - security_rhel7_auditd_network_failure_action: syslog diff --git a/doc/metadata/rhel7/V-72089.rst b/doc/metadata/rhel7/V-72089.rst deleted file mode 100644 index 0d7a8c1b..00000000 
--- a/doc/metadata/rhel7/V-72089.rst +++ /dev/null @@ -1,16 +0,0 @@ ---- -id: V-72089 -status: implemented -tag: auditd ---- - -The ``space_left`` configuration is set to 25% of the size of the disk mounted -on ``/``. This calculation is done automatically. - -Deployers can set a custom threshold for the ``space_left`` configuration (in -megabytes) by setting the following Ansible variable: - -.. code-block:: yaml - - # Example: A setting of 1GB (1024MB) - security_rhel7_auditd_space_left: 1024 diff --git a/doc/metadata/rhel7/V-72091.rst b/doc/metadata/rhel7/V-72091.rst deleted file mode 100644 index 66d2312f..00000000 --- a/doc/metadata/rhel7/V-72091.rst +++ /dev/null @@ -1,16 +0,0 @@ ---- -id: V-72091 -status: implemented -tag: auditd ---- - -The ``space_left_action`` in the audit daemon configuration is set to -``email``. This configuration causes the root user to receive an email when the -``space_left`` threshold is reached. - -Deployers can customize this configuration by setting the following Ansible -variable: - -.. code-block:: yaml - - security_rhel7_auditd_space_left_action: email diff --git a/doc/metadata/rhel7/V-72093.rst b/doc/metadata/rhel7/V-72093.rst deleted file mode 100644 index 33c1f00f..00000000 --- a/doc/metadata/rhel7/V-72093.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72093 -status: implemented -tag: auditd ---- - -The ``action_mail_acct`` configuration in the audit daemon configuration file -is set to ``root`` to meet the requirements of the STIG. Deployers can -customize the recipient of the emails that come from auditd by setting the -following Ansible variable: - -.. code-block:: yaml - - security_rhel7_auditd_action_mail_acct: root diff --git a/doc/metadata/rhel7/V-72095.rst b/doc/metadata/rhel7/V-72095.rst deleted file mode 100644 index 6e2a71d0..00000000 --- a/doc/metadata/rhel7/V-72095.rst +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -id: V-72095 -status: exception - manual intervention -tag: auditd ---- - -This STIG is difficult to implement in an automated way because the number of -applications on a system with setuid/setgid permissions changes over time. -In addition, adding audit rules for some of these automatically could cause a -significant increase in logging traffic when these applications are used -regularly. - -Deployers are urged to do the following instead: - -* Minimize the amount of applications with setuid/setgid privileges -* Monitor any new applications that gain setuid/setgid privileges -* Add risky applications with setuid/setgid privileges to auditd for detailed - syscall monitoring diff --git a/doc/metadata/rhel7/V-72097.rst b/doc/metadata/rhel7/V-72097.rst deleted file mode 100644 index 61f4454a..00000000 --- a/doc/metadata/rhel7/V-72097.rst +++ /dev/null @@ -1,24 +0,0 @@ ---- -id: V-72097 -status: opt-in -tag: auditd ---- - -The STIG requires that all ``chown`` syscalls are audited, but this -change creates a significant increase in logging on most systems. This increase -can cause some systems to run out of disk space for logs. - -.. warning:: - - This rule is disabled by default to avoid high CPU usage and disk space - exhaustion. Deployers should only enable this rule if they have tested it - thoroughly in a non-production environment with system health monitoring - enabled. - -Deployers can opt in for this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_chown: yes - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72099.rst b/doc/metadata/rhel7/V-72099.rst deleted file mode 100644 index d2df6598..00000000 --- a/doc/metadata/rhel7/V-72099.rst +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -id: V-72099 -status: opt-in -tag: auditd ---- - -The STIG requires that all ``fchown`` syscalls are audited, but this -change creates a significant increase in logging on most systems. This increase -can cause some systems to run out of disk space for logs. - -.. warning:: - - This rule is disabled by default to avoid high CPU usage and disk space - exhaustion. Deployers should only enable this rule if they have tested it - thoroughly in a non-production environment with system health monitoring - enabled. - -Deployers can opt in for this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_fchown: yes - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72101.rst b/doc/metadata/rhel7/V-72101.rst deleted file mode 100644 index a1b3b75a..00000000 --- a/doc/metadata/rhel7/V-72101.rst +++ /dev/null @@ -1,24 +0,0 @@ ---- -id: V-72101 -status: opt-in -tag: auditd ---- - -The STIG requires that all ``lchown`` syscalls are audited, but this change -creates a significant increase in logging on most systems. This increase can -cause some systems to run out of disk space for logs. - -.. warning:: - - This rule is disabled by default to avoid high CPU usage and disk space - exhaustion. Deployers should only enable this rule if they have tested it - thoroughly in a non-production environment with system health monitoring - enabled. - -Deployers can opt in for this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_lchown: yes - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72103.rst b/doc/metadata/rhel7/V-72103.rst deleted file mode 100644 index a279c60c..00000000 --- a/doc/metadata/rhel7/V-72103.rst +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -id: V-72103 -status: opt-in -tag: auditd ---- - -The STIG requires that all ``fchownat`` syscalls are audited, but this -change creates a significant increase in logging on most systems. This increase -can cause some systems to run out of disk space for logs. - -.. warning:: - - This rule is disabled by default to avoid high CPU usage and disk space - exhaustion. Deployers should only enable this rule if they have tested it - thoroughly in a non-production environment with system health monitoring - enabled. - -Deployers can opt in for this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_fchownat: yes - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72105.rst b/doc/metadata/rhel7/V-72105.rst deleted file mode 100644 index a7c946ac..00000000 --- a/doc/metadata/rhel7/V-72105.rst +++ /dev/null @@ -1,24 +0,0 @@ ---- -id: V-72105 -status: opt-in -tag: auditd ---- - -The STIG requires that all ``chmod`` syscalls are audited, but this -change creates a significant increase in logging on most systems. This increase -can cause some systems to run out of disk space for logs. - -.. warning:: - - This rule is disabled by default to avoid high CPU usage and disk space - exhaustion. Deployers should only enable this rule if they have tested it - thoroughly in a non-production environment with system health monitoring - enabled. - -Deployers can opt in for this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_chmod: yes - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72107.rst b/doc/metadata/rhel7/V-72107.rst deleted file mode 100644 index 8cc03dc4..00000000 --- a/doc/metadata/rhel7/V-72107.rst +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -id: V-72107 -status: opt-in -tag: auditd ---- - -The STIG requires that all ``fchmod`` syscalls are audited, but this -change creates a significant increase in logging on most systems. This increase -can cause some systems to run out of disk space for logs. - -.. warning:: - - This rule is disabled by default to avoid high CPU usage and disk space - exhaustion. Deployers should only enable this rule if they have tested it - thoroughly in a non-production environment with system health monitoring - enabled. - -Deployers can opt in for this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_fchmod: yes - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72109.rst b/doc/metadata/rhel7/V-72109.rst deleted file mode 100644 index 638d0189..00000000 --- a/doc/metadata/rhel7/V-72109.rst +++ /dev/null @@ -1,24 +0,0 @@ ---- -id: V-72109 -status: opt-in -tag: auditd ---- - -The STIG requires that all ``fchmodat`` syscalls are audited, but this -change creates a significant increase in logging on most systems. This increase -can cause some systems to run out of disk space for logs. - -.. warning:: - - This rule is disabled by default to avoid high CPU usage and disk space - exhaustion. Deployers should only enable this rule if they have tested it - thoroughly in a non-production environment with system health monitoring - enabled. - -Deployers can opt in for this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_fchmodat: yes - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72111.rst b/doc/metadata/rhel7/V-72111.rst deleted file mode 100644 index c172d147..00000000 --- a/doc/metadata/rhel7/V-72111.rst +++ /dev/null 
@@ -1,15 +0,0 @@ ---- -id: V-72111 -status: implemented -tag: auditd ---- - -Rules are added to audit all ``setxattr`` syscalls on the system. - -Deployers can opt out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_setxattr: no - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72113.rst b/doc/metadata/rhel7/V-72113.rst deleted file mode 100644 index 4457fbb5..00000000 --- a/doc/metadata/rhel7/V-72113.rst +++ /dev/null @@ -1,24 +0,0 @@ ---- -id: V-72113 -status: opt-in -tag: auditd ---- - -The STIG requires that all ``fsetxattr`` syscalls are audited, but this -change creates a significant increase in logging on most systems. This increase -can cause some systems to run out of disk space for logs. - -.. warning:: - - This rule is disabled by default to avoid high CPU usage and disk space - exhaustion. Deployers should only enable this rule if they have tested it - thoroughly in a non-production environment with system health monitoring - enabled. - -Deployers can opt in for this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_fsetxattr: yes - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72115.rst b/doc/metadata/rhel7/V-72115.rst deleted file mode 100644 index 85fa4c11..00000000 --- a/doc/metadata/rhel7/V-72115.rst +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -id: V-72115 -status: opt-in -tag: auditd ---- - -The STIG requires that all ``lsetxattr`` syscalls are audited, but this change -creates a significant increase in logging on most systems. This increase can -cause some systems to run out of disk space for logs. - -.. warning:: - - This rule is disabled by default to avoid high CPU usage and disk space - exhaustion. Deployers should only enable this rule if they have tested it - thoroughly in a non-production environment with system health monitoring - enabled. - -Deployers can opt in for this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_lsetxattr: no - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72117.rst b/doc/metadata/rhel7/V-72117.rst deleted file mode 100644 index 6daddbc1..00000000 --- a/doc/metadata/rhel7/V-72117.rst +++ /dev/null @@ -1,15 +0,0 @@ ---- -id: V-72117 -status: implemented -tag: auditd ---- - -Rules are added to audit all ``removexattr`` syscalls on the system. - -Deployers can opt out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_removexattr: no - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72119.rst b/doc/metadata/rhel7/V-72119.rst deleted file mode 100644 index db24e39c..00000000 --- a/doc/metadata/rhel7/V-72119.rst +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -id: V-72119 -status: opt-in -tag: auditd ---- - -The STIG requires that all ``fremovexattr`` syscalls are audited, but this -change creates a significant increase in logging on most systems. This increase -can cause some systems to run out of disk space for logs. - -.. warning:: - - This rule is disabled by default to avoid high CPU usage and disk space - exhaustion. Deployers should only enable this rule if they have tested it - thoroughly in a non-production environment with system health monitoring - enabled. - -Deployers can opt in for this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_fremovexattr: yes - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72121.rst b/doc/metadata/rhel7/V-72121.rst deleted file mode 100644 index 3165a414..00000000 --- a/doc/metadata/rhel7/V-72121.rst +++ /dev/null @@ -1,24 +0,0 @@ ---- -id: V-72121 -status: opt-in -tag: auditd ---- - -The STIG requires that all ``lremovexattr`` syscalls are audited, but this -change creates a significant increase in logging on most systems. This increase -can cause some systems to run out of disk space for logs. - -.. warning:: - - This rule is disabled by default to avoid high CPU usage and disk space - exhaustion. Deployers should only enable this rule if they have tested it - thoroughly in a non-production environment with system health monitoring - enabled. - -Deployers can opt in for this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_lremovexattr: yes - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72123.rst b/doc/metadata/rhel7/V-72123.rst deleted file mode 100644 index 2e18006c..00000000 --- a/doc/metadata/rhel7/V-72123.rst +++ /dev/null 
@@ -1,15 +0,0 @@ ---- -id: V-72123 -status: implemented -tag: auditd ---- - -Rules are added to audit all ``creat`` syscalls on the system. - -Deployers can opt out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_creat: no - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72125.rst b/doc/metadata/rhel7/V-72125.rst deleted file mode 100644 index 390083ea..00000000 --- a/doc/metadata/rhel7/V-72125.rst +++ /dev/null @@ -1,15 +0,0 @@ ---- -id: V-72125 -status: implemented -tag: auditd ---- - -Rules are added to audit all ``open`` syscalls on the system. - -Deployers can opt out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_open: no - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72127.rst b/doc/metadata/rhel7/V-72127.rst deleted file mode 100644 index 43e72687..00000000 --- a/doc/metadata/rhel7/V-72127.rst +++ /dev/null @@ -1,15 +0,0 @@ ---- -id: V-72127 -status: implemented -tag: auditd ---- - -Rules are added to audit all ``openat`` syscalls on the system. - -Deployers can opt out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_openat: no - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72129.rst b/doc/metadata/rhel7/V-72129.rst deleted file mode 100644 index a26af223..00000000 --- a/doc/metadata/rhel7/V-72129.rst +++ /dev/null @@ -1,15 +0,0 @@ ---- -id: V-72129 -status: implemented -tag: auditd ---- - -Rules are added to audit all ``open_by_handle_at`` syscalls on the system. - -Deployers can opt out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_open_by_handle_at: no - -This rule is compatible with x86, x86_64, and ppc64 architectures. 
diff --git a/doc/metadata/rhel7/V-72131.rst b/doc/metadata/rhel7/V-72131.rst deleted file mode 100644 index 0967d0b2..00000000 --- a/doc/metadata/rhel7/V-72131.rst +++ /dev/null @@ -1,15 +0,0 @@ ---- -id: V-72131 -status: implemented -tag: auditd ---- - -Rules are added to audit all ``truncate`` syscalls on the system. - -Deployers can opt out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_truncate: no - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72133.rst b/doc/metadata/rhel7/V-72133.rst deleted file mode 100644 index 993fe55f..00000000 --- a/doc/metadata/rhel7/V-72133.rst +++ /dev/null @@ -1,15 +0,0 @@ ---- -id: V-72133 -status: implemented -tag: auditd ---- - -Rules are added to audit all ``ftruncate`` syscalls on the system. - -Deployers can opt out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_ftruncate: no - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72135.rst b/doc/metadata/rhel7/V-72135.rst deleted file mode 100644 index db460c2a..00000000 --- a/doc/metadata/rhel7/V-72135.rst +++ /dev/null @@ -1,13 +0,0 @@ ---- -id: V-72135 -status: implemented -tag: auditd ---- - -Rules are added to audit any time the ``semanage`` command is used. - -Deployers can opt out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_semanage: no diff --git a/doc/metadata/rhel7/V-72137.rst b/doc/metadata/rhel7/V-72137.rst deleted file mode 100644 index e9babbdd..00000000 --- a/doc/metadata/rhel7/V-72137.rst +++ /dev/null @@ -1,13 +0,0 @@ ---- -id: V-72137 -status: implemented -tag: auditd ---- - -Rules are added to audit any time the ``setsebool`` command is used. - -Deployers can opt out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_setsebool: no 
diff --git a/doc/metadata/rhel7/V-72139.rst b/doc/metadata/rhel7/V-72139.rst deleted file mode 100644 index e0218da6..00000000 --- a/doc/metadata/rhel7/V-72139.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72139 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``chcon`` command -is used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_chcon: no diff --git a/doc/metadata/rhel7/V-72141.rst b/doc/metadata/rhel7/V-72141.rst deleted file mode 100644 index 6bd294bd..00000000 --- a/doc/metadata/rhel7/V-72141.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72141 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``restorecon`` command -is used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_restorecon: no diff --git a/doc/metadata/rhel7/V-72143.rst b/doc/metadata/rhel7/V-72143.rst deleted file mode 100644 index 320ffa7a..00000000 --- a/doc/metadata/rhel7/V-72143.rst +++ /dev/null @@ -1,12 +0,0 @@ ---- -id: V-72143 -status: implemented -tag: auditd ---- - -Rules are added to audit all successful and unsuccessful account access events. -Deployers can opt out of this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_account_access: no diff --git a/doc/metadata/rhel7/V-72145.rst b/doc/metadata/rhel7/V-72145.rst deleted file mode 100644 index a8926586..00000000 --- a/doc/metadata/rhel7/V-72145.rst +++ /dev/null @@ -1,9 +0,0 @@ ---- -id: V-72145 -status: implemented -tag: auditd ---- - -This control is implemented by the tasks for another control: - -* :ref:`stig-V-72143` diff --git a/doc/metadata/rhel7/V-72147.rst b/doc/metadata/rhel7/V-72147.rst deleted file mode 100644 index ae3e1ed6..00000000 --- a/doc/metadata/rhel7/V-72147.rst +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -id: V-72147 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time an account is accessed. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_account_access: no diff --git a/doc/metadata/rhel7/V-72149.rst b/doc/metadata/rhel7/V-72149.rst deleted file mode 100644 index d77161d5..00000000 --- a/doc/metadata/rhel7/V-72149.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72149 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``passwd`` command is -used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_passwd_command: no diff --git a/doc/metadata/rhel7/V-72151.rst b/doc/metadata/rhel7/V-72151.rst deleted file mode 100644 index a8af9fd6..00000000 --- a/doc/metadata/rhel7/V-72151.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72151 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``unix_chkpwd`` command -is used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_unix_chkpwd: no diff --git a/doc/metadata/rhel7/V-72153.rst b/doc/metadata/rhel7/V-72153.rst deleted file mode 100644 index b4b5eb65..00000000 --- a/doc/metadata/rhel7/V-72153.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72153 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``gpasswd`` command -is used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_gpasswd: no diff --git a/doc/metadata/rhel7/V-72155.rst b/doc/metadata/rhel7/V-72155.rst deleted file mode 100644 index 66ad3c58..00000000 --- a/doc/metadata/rhel7/V-72155.rst +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -id: V-72155 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``chage`` command -is used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_chage: no diff --git a/doc/metadata/rhel7/V-72157.rst b/doc/metadata/rhel7/V-72157.rst deleted file mode 100644 index e39493a5..00000000 --- a/doc/metadata/rhel7/V-72157.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72157 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``userhelper`` command -is used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_userhelper: no diff --git a/doc/metadata/rhel7/V-72159.rst b/doc/metadata/rhel7/V-72159.rst deleted file mode 100644 index 0b1d0347..00000000 --- a/doc/metadata/rhel7/V-72159.rst +++ /dev/null @@ -1,13 +0,0 @@ ---- -id: V-72159 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``su`` command is used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_su: no diff --git a/doc/metadata/rhel7/V-72161.rst b/doc/metadata/rhel7/V-72161.rst deleted file mode 100644 index e45c9f36..00000000 --- a/doc/metadata/rhel7/V-72161.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72161 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``sudo`` command is -used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_sudo: no diff --git a/doc/metadata/rhel7/V-72163.rst b/doc/metadata/rhel7/V-72163.rst deleted file mode 100644 index 7f79c8b1..00000000 --- a/doc/metadata/rhel7/V-72163.rst +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -id: V-72163 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time a user manages the -configuration files for ``sudo``. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_sudo_config_changes: no diff --git a/doc/metadata/rhel7/V-72165.rst b/doc/metadata/rhel7/V-72165.rst deleted file mode 100644 index d67f1bb6..00000000 --- a/doc/metadata/rhel7/V-72165.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72165 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``newgrp`` command is -used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_newgrp: no diff --git a/doc/metadata/rhel7/V-72167.rst b/doc/metadata/rhel7/V-72167.rst deleted file mode 100644 index bee88198..00000000 --- a/doc/metadata/rhel7/V-72167.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72167 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``chsh`` command is -used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_chsh: no diff --git a/doc/metadata/rhel7/V-72169.rst b/doc/metadata/rhel7/V-72169.rst deleted file mode 100644 index 3d2bc233..00000000 --- a/doc/metadata/rhel7/V-72169.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72169 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``sudoedit`` command is -used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_sudoedit: no diff --git a/doc/metadata/rhel7/V-72171.rst b/doc/metadata/rhel7/V-72171.rst deleted file mode 100644 index e151cc0d..00000000 --- a/doc/metadata/rhel7/V-72171.rst +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -id: V-72171 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``mount`` command is -used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_mount: no diff --git a/doc/metadata/rhel7/V-72173.rst b/doc/metadata/rhel7/V-72173.rst deleted file mode 100644 index c400734e..00000000 --- a/doc/metadata/rhel7/V-72173.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72173 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``umount`` command is -used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_umount: no diff --git a/doc/metadata/rhel7/V-72175.rst b/doc/metadata/rhel7/V-72175.rst deleted file mode 100644 index 0c81c5fb..00000000 --- a/doc/metadata/rhel7/V-72175.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72175 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``postdrop`` command is -used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_postdrop: no diff --git a/doc/metadata/rhel7/V-72177.rst b/doc/metadata/rhel7/V-72177.rst deleted file mode 100644 index eed070f2..00000000 --- a/doc/metadata/rhel7/V-72177.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72177 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``postqueue`` command is -used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_postqueue: no diff --git a/doc/metadata/rhel7/V-72179.rst b/doc/metadata/rhel7/V-72179.rst deleted file mode 100644 index 3fdeb118..00000000 --- a/doc/metadata/rhel7/V-72179.rst +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -id: V-72179 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``ssh-keysign`` command -is used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_ssh_keysign: no diff --git a/doc/metadata/rhel7/V-72181.rst b/doc/metadata/rhel7/V-72181.rst deleted file mode 100644 index 00d69673..00000000 --- a/doc/metadata/rhel7/V-72181.rst +++ /dev/null @@ -1,18 +0,0 @@ ---- -id: V-72181 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``pt_chown`` command -is used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_pt_chown: no - -.. note:: - - No action is taken on Ubuntu 16.04 because ``pt_chown`` is not available. diff --git a/doc/metadata/rhel7/V-72183.rst b/doc/metadata/rhel7/V-72183.rst deleted file mode 100644 index 440d8413..00000000 --- a/doc/metadata/rhel7/V-72183.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72183 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``crontab`` command -is used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_crontab: no diff --git a/doc/metadata/rhel7/V-72185.rst b/doc/metadata/rhel7/V-72185.rst deleted file mode 100644 index d2af1fda..00000000 --- a/doc/metadata/rhel7/V-72185.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72185 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``pam_timestamp_check`` -command is used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_pam_timestamp_check: no diff --git a/doc/metadata/rhel7/V-72187.rst b/doc/metadata/rhel7/V-72187.rst deleted file mode 100644 index d4f528d7..00000000 
--- a/doc/metadata/rhel7/V-72187.rst +++ /dev/null @@ -1,15 +0,0 @@ ---- -id: V-72187 -status: implemented -tag: auditd ---- - -Rules are added to audit all ``init_module`` syscalls on the system. - -Deployers can opt out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_init_module: no - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72189.rst b/doc/metadata/rhel7/V-72189.rst deleted file mode 100644 index 4db0d893..00000000 --- a/doc/metadata/rhel7/V-72189.rst +++ /dev/null @@ -1,15 +0,0 @@ ---- -id: V-72189 -status: implemented -tag: auditd ---- - -Rules are added to audit all ``delete_module`` syscalls on the system. - -Deployers can opt out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_delete_module: no - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72191.rst b/doc/metadata/rhel7/V-72191.rst deleted file mode 100644 index 4d59ffa1..00000000 --- a/doc/metadata/rhel7/V-72191.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72191 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``insmod`` command is -used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_insmod: no diff --git a/doc/metadata/rhel7/V-72193.rst b/doc/metadata/rhel7/V-72193.rst deleted file mode 100644 index 60e9b4ce..00000000 --- a/doc/metadata/rhel7/V-72193.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72193 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``rmmod`` command is -used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_rmmod: no 
diff --git a/doc/metadata/rhel7/V-72195.rst b/doc/metadata/rhel7/V-72195.rst deleted file mode 100644 index 4ecfdda9..00000000 --- a/doc/metadata/rhel7/V-72195.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72195 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``modprobe`` command is -used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_modprobe: no diff --git a/doc/metadata/rhel7/V-72197.rst b/doc/metadata/rhel7/V-72197.rst deleted file mode 100644 index 67e0120b..00000000 --- a/doc/metadata/rhel7/V-72197.rst +++ /dev/null @@ -1,20 +0,0 @@ ---- -id: V-72197 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time that an account is modified. -This includes changes to the following files: - -* ``/etc/group`` -* ``/etc/passwd`` -* ``/etc/gshadow`` -* ``/etc/shadow`` -* ``/etc/security/opasswd`` - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_account_actions: no diff --git a/doc/metadata/rhel7/V-72199.rst b/doc/metadata/rhel7/V-72199.rst deleted file mode 100644 index d23e7106..00000000 --- a/doc/metadata/rhel7/V-72199.rst +++ /dev/null @@ -1,15 +0,0 @@ ---- -id: V-72199 -status: implemented -tag: auditd ---- - -Rules are added to audit all ``rename`` syscalls on the system. - -Deployers can opt out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_rename: no - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72201.rst b/doc/metadata/rhel7/V-72201.rst deleted file mode 100644 index 4dd9420c..00000000 --- a/doc/metadata/rhel7/V-72201.rst +++ /dev/null 
@@ -1,15 +0,0 @@ ---- -id: V-72201 -status: implemented -tag: auditd ---- - -Rules are added to audit all ``renameat`` syscalls on the system. - -Deployers can opt out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_renameat: no - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72203.rst b/doc/metadata/rhel7/V-72203.rst deleted file mode 100644 index b6c14441..00000000 --- a/doc/metadata/rhel7/V-72203.rst +++ /dev/null @@ -1,15 +0,0 @@ ---- -id: V-72203 -status: implemented -tag: auditd ---- - -Rules are added to audit all ``rmdir`` syscalls on the system. - -Deployers can opt out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_rmdir: no - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72205.rst b/doc/metadata/rhel7/V-72205.rst deleted file mode 100644 index 453cc97e..00000000 --- a/doc/metadata/rhel7/V-72205.rst +++ /dev/null @@ -1,16 +0,0 @@ ---- -id: V-72205 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``unlink`` command is -used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_unlink: no - -This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/V-72207.rst b/doc/metadata/rhel7/V-72207.rst deleted file mode 100644 index a2f609c5..00000000 --- a/doc/metadata/rhel7/V-72207.rst +++ /dev/null @@ -1,16 +0,0 @@ ---- -id: V-72207 -status: implemented -tag: auditd ---- - -The tasks add a rule to auditd that logs each time the ``unlinkat`` command is -used. - -Deployers can opt-out of this change by setting an Ansible variable: - -.. code-block:: yaml - - security_rhel7_audit_unlinkat: no - -This rule is compatible with x86, x86_64, and ppc64 architectures. 
diff --git a/doc/metadata/rhel7/V-72209.rst b/doc/metadata/rhel7/V-72209.rst deleted file mode 100644 index 2becaccd..00000000 --- a/doc/metadata/rhel7/V-72209.rst +++ /dev/null @@ -1,10 +0,0 @@ ---- -id: V-72209 -status: verification only -tag: misc ---- - -The tasks in the security role check for uncommented lines in the rsyslog -configuration that contain ``@`` or ``@@``, which signifies that a remote -logging configuration is in place. If these lines are not found, a warning -message is printed in the Ansible output. diff --git a/doc/metadata/rhel7/V-72211.rst b/doc/metadata/rhel7/V-72211.rst deleted file mode 100644 index c17df709..00000000 --- a/doc/metadata/rhel7/V-72211.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72211 -status: exception - manual intervention -tag: misc ---- - -Deployers must take manual steps to add or remove syslog reception -configuration lines depending on a server's role: - -* If the server is a log aggregation server, deployers must configure the - server to receive syslog output from the other servers via TCP connections. - -* If the server is not a log aggregation server, deployers must configure the - server so that it does not accept syslog output from other servers. diff --git a/doc/metadata/rhel7/V-72213.rst b/doc/metadata/rhel7/V-72213.rst deleted file mode 100644 index 15fc5de4..00000000 --- a/doc/metadata/rhel7/V-72213.rst +++ /dev/null 
@@ -1,20 +0,0 @@ ---- -id: V-72213 -status: opt-in -tag: misc ---- - -The STIG requires that a virus scanner is installed and running, but the value -of a virus scanner within an OpenStack control plane or on a hypervisor is -negligible in many cases. In addition, the disk I/O impact of a virus scanner -can impact a production environment negatively. - -The security role has tasks to deploy ClamAV with automatic updates, but the -tasks are disabled by default. - -Deployers can enable the ClamAV virus scanner by setting the following Ansible -variable: - -.. code-block:: yaml - - security_enable_virus_scanner: yes diff --git a/doc/metadata/rhel7/V-72215.rst b/doc/metadata/rhel7/V-72215.rst deleted file mode 100644 index 60a698c4..00000000 --- a/doc/metadata/rhel7/V-72215.rst +++ /dev/null @@ -1,11 +0,0 @@ ---- -id: V-72215 -status: implemented -tag: misc ---- - -By default, CentOS 7 and Red Hat Enterprise Linux 7 check for virus database -updates 12 times a day. Ubuntu servers have a default of 24 checks per day. - -The tasks in the security role do not adjust these defaults as they are more -secure than the STIG's requirement. diff --git a/doc/metadata/rhel7/V-72217.rst b/doc/metadata/rhel7/V-72217.rst deleted file mode 100644 index 0bce83fe..00000000 --- a/doc/metadata/rhel7/V-72217.rst +++ /dev/null @@ -1,16 +0,0 @@ ---- -id: V-72217 -status: opt-in -tag: auth ---- - -Although the STIG requires that each account is limited to 10 concurrent -connections, this change might be disruptive in some environments. Therefore, -this change is not applied by default. - -Deployers can opt in for this change by setting a concurrent connection limit -with this Ansible variable: - -.. code-block:: yaml - - security_rhel7_concurrent_session_limit: 10 diff --git a/doc/metadata/rhel7/V-72219.rst b/doc/metadata/rhel7/V-72219.rst deleted file mode 100644 index 559cc74b..00000000 --- a/doc/metadata/rhel7/V-72219.rst +++ /dev/null 
@@ -1,8 +0,0 @@ ---- -id: V-72219 -status: exception - manual intervention -tag: misc ---- - -Deployers should review each firewall rule on a regular basis to ensure that -each port is open for a valid reason. diff --git a/doc/metadata/rhel7/V-72221.rst b/doc/metadata/rhel7/V-72221.rst deleted file mode 100644 index 69e38a60..00000000 --- a/doc/metadata/rhel7/V-72221.rst +++ /dev/null @@ -1,15 +0,0 @@ ---- -id: V-72221 -status: implemented -tag: sshd ---- - -The ``Ciphers`` configuration is set to ``aes128-ctr,aes192-ctr,aes256-ctr`` in -``/etc/ssh/sshd_config`` and sshd is restarted. - -Deployers can change the list of ciphers by setting the following Ansible -variable: - -.. code-block:: yaml - - security_sshd_cipher_list: 'cipher1,cipher2,cipher3' diff --git a/doc/metadata/rhel7/V-72223.rst b/doc/metadata/rhel7/V-72223.rst deleted file mode 100644 index 14836821..00000000 --- a/doc/metadata/rhel7/V-72223.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72223 -status: implemented -tag: misc ---- - -The tasks in the security role set a 600 second (10 minute) timeout for network -connections associated with a communication session. Deployers can change the -timeout value by setting the following Ansible variable: - -.. code-block:: yaml - - # Example: shorten the timeout to 5 minutes (300 seconds) - security_rhel7_session_timeout: 300 diff --git a/doc/metadata/rhel7/V-72225.rst b/doc/metadata/rhel7/V-72225.rst deleted file mode 100644 index ff131710..00000000 --- a/doc/metadata/rhel7/V-72225.rst +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -id: V-72225 -status: implemented -tag: sshd ---- - -The tasks in the security role deploy a standard notice and consent banner into -``/etc/motd`` on each server. Ubuntu, CentOS and Red Hat Enterprise Linux -display this banner after each successful login via ssh or the console. - -Deployers can choose a different destination for the banner by setting the -following Ansible variable: - -.. code-block:: yaml - - security_sshd_banner_file: /etc/motd - -The message is customized with the following Ansible variable: - -.. code-block:: yaml - - security_login_banner_text: | - ------------------------------------------------------------------------------ - * WARNING * - * You are accessing a secured system and your actions will be logged along * - * with identifying information. Disconnect immediately if you are not an * - * authorized user of this system. * - ------------------------------------------------------------------------------ diff --git a/doc/metadata/rhel7/V-72227.rst b/doc/metadata/rhel7/V-72227.rst deleted file mode 100644 index 8f267fbd..00000000 --- a/doc/metadata/rhel7/V-72227.rst +++ /dev/null @@ -1,13 +0,0 @@ ---- -id: V-72227 -status: exception - manual intervention -tag: auth ---- - -Deployers are strongly urged to utilize ``sssd`` for systems that authenticate -against LDAP or Active Directory (AD) servers. - -The ldap connector for ``sssd`` connects only to LDAP servers over -encrypted connections. Review the man page for -`sssd-ldap `_ for more details on this -requirement. diff --git a/doc/metadata/rhel7/V-72229.rst b/doc/metadata/rhel7/V-72229.rst deleted file mode 100644 index b480fafa..00000000 --- a/doc/metadata/rhel7/V-72229.rst +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -id: V-72229 -status: exception - manual intervention -tag: auth ---- - -Deployers are strongly urged to utilize ``sssd`` for systems that authenticate -against LDAP or Active Directory (AD) servers. - -To meet this control, deployers must ensure that ``ldap_tls_cacert`` or -``ldap_tls_cacertdir`` are set in the ``/etc/sssd/sssd.conf`` file. The -``ldap_tls_cacert`` directive specifies a single certificate while -``ldap_tls_cacertdir`` specifies a directory where ``sssd`` can find CA -certificates. - -.. warning:: - - Use caution when adjusting these settings. If the correct CA certificates - are not already deployed to the servers that perform LDAP authentication, - their attempts to authenticate users might fail. - - Consult with administrators of the LDAP system and test all changes on - a non-production system first. diff --git a/doc/metadata/rhel7/V-72231.rst b/doc/metadata/rhel7/V-72231.rst deleted file mode 100644 index a9f28385..00000000 --- a/doc/metadata/rhel7/V-72231.rst +++ /dev/null @@ -1,23 +0,0 @@ ---- -id: V-72231 -status: exception - manual intervention -tag: auth ---- - -Deployers are strongly urged to utilize ``sssd`` for systems that authenticate -against LDAP or Active Directory (AD) servers. - -To meet this control, deployers must ensure that ``ldap_tls_cacert`` or -``ldap_tls_cacertdir`` are set in the ``/etc/sssd/sssd.conf`` file. The -``ldap_tls_cacert`` directive specifies a single certificate while -``ldap_tls_cacertdir`` specifies a directory where ``sssd`` can find CA -certificates. - -.. warning:: - - Use caution when adjusting these settings. If the correct CA certificates - are not already deployed to the servers that perform LDAP authentication, - their attempts to authenticate users might fail. - - Consult with administrators of the LDAP system and test all changes on - a non-production system first. 
diff --git a/doc/metadata/rhel7/V-72233.rst b/doc/metadata/rhel7/V-72233.rst deleted file mode 100644 index 758300fa..00000000 --- a/doc/metadata/rhel7/V-72233.rst +++ /dev/null @@ -1,11 +0,0 @@ ---- -id: V-72233 -status: implemented -tag: packages ---- - -The STIG requires that every system has an ssh client and server installed. The -role installs the following packages: - -* CentOS: ``openssh-clients``, ``openssh-server`` -* Ubuntu: ``openssh-client``, ``openssh-server`` diff --git a/doc/metadata/rhel7/V-72235.rst b/doc/metadata/rhel7/V-72235.rst deleted file mode 100644 index aec22aa8..00000000 --- a/doc/metadata/rhel7/V-72235.rst +++ /dev/null @@ -1,23 +0,0 @@ ---- -id: V-72235 -status: implemented -tag: sshd ---- - -The STIG has a requirement that the ``sshd`` daemon is running and enabled at -boot time. The tasks in the security role ensure that these requirements are -met. - -Some deployers may not have ``sshd`` enabled on highly specialized systems and -those deployers should opt out of this change by setting the following Ansible -variable: - -.. code-block:: yaml - - security_enable_sshd: no - -.. note:: - - Setting ``security_enable_sshd`` to ``no`` causes the tasks to ignore the - state of the service entirely. A setting of ``no`` does not stop or alter - the ``sshd`` service. diff --git a/doc/metadata/rhel7/V-72237.rst b/doc/metadata/rhel7/V-72237.rst deleted file mode 100644 index 41d3f18f..00000000 --- a/doc/metadata/rhel7/V-72237.rst +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -id: V-72237 -status: implemented -tag: sshd ---- - -The ``ClientAliveInterval`` configuration is set to ``600`` in -``/etc/ssh/sshd_config`` and sshd is restarted. - -Deployers can adjust the length of the interval by changing the following -Ansible variable: - -.. code-block:: yaml - - security_sshd_client_alive_interval: 600 - -.. note:: - - The STIG requires that ``ClientAliveInterval`` is set to 600 and - ``ClientAliveCountMax`` is set to zero, which sets a 10 minute session - timeout. If no data is transferred in a 10 minute period, the session is - disconnected. - - The ``ClientAliveInterval`` specifies how long the ssh daemon waits - before it sends a message to the client to see if it is still alive. The - ``ClientAliveCountMax`` specifies how many of these messages are sent - without receiving a response. - - Deployers should refer to :ref:`stig-V-72241` to customize the - ``ClientAliveCountMax`` setting. diff --git a/doc/metadata/rhel7/V-72239.rst b/doc/metadata/rhel7/V-72239.rst deleted file mode 100644 index 8461af0f..00000000 --- a/doc/metadata/rhel7/V-72239.rst +++ /dev/null @@ -1,7 +0,0 @@ ---- -id: V-72239 -status: implemented -tag: sshd ---- - -This STIG is already applied by the changes for :ref:`stig-V-72249`. diff --git a/doc/metadata/rhel7/V-72241.rst b/doc/metadata/rhel7/V-72241.rst deleted file mode 100644 index ea6263a0..00000000 --- a/doc/metadata/rhel7/V-72241.rst +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -id: V-72241 -status: implemented -tag: sshd ---- - -The ``ClientAliveCountMax`` configuration is set to ``0`` in -``/etc/ssh/sshd_config`` and sshd is restarted. - -Deployers can adjust the maximum amount of client alive intervals by changing -the following Ansible variable. - -.. code-block:: yaml - - security_sshd_client_alive_count_max: 0 - -.. note:: - - The STIG requires that ``ClientAliveInterval`` is set to 600 and - ``ClientAliveCountMax`` is set to zero, which sets a 10 minute session - timeout. If no data is transferred in a 10 minute period, the session is - disconnected. - - The ``ClientAliveInterval`` specifies how long the ssh daemon waits - before it sends a message to the client to see if it is still alive. The - ``ClientAliveCountMax`` specifies how many of these messages are sent - without receiving a response. - - Deployers should refer to :ref:`stig-V-72237` to customize the - ``ClientAliveInterval`` setting. diff --git a/doc/metadata/rhel7/V-72243.rst b/doc/metadata/rhel7/V-72243.rst deleted file mode 100644 index 03c547c4..00000000 --- a/doc/metadata/rhel7/V-72243.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72243 -status: implemented -tag: sshd ---- - -The ``IgnoreRhosts`` configuration is set to ``yes`` in -``/etc/ssh/sshd_config`` and sshd is restarted. - -Deployers can opt out of this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_sshd_disallow_rhosts_auth: no diff --git a/doc/metadata/rhel7/V-72245.rst b/doc/metadata/rhel7/V-72245.rst deleted file mode 100644 index b79a7af0..00000000 --- a/doc/metadata/rhel7/V-72245.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72245 -status: implemented -tag: sshd ---- - -The ``PrintLastLog`` configuration is set to ``yes`` in -``/etc/ssh/sshd_config`` and sshd is restarted. - -Deployers can opt out of this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_sshd_print_last_log: no 
diff --git a/doc/metadata/rhel7/V-72247.rst b/doc/metadata/rhel7/V-72247.rst deleted file mode 100644 index 07b29567..00000000 --- a/doc/metadata/rhel7/V-72247.rst +++ /dev/null @@ -1,21 +0,0 @@ ---- -id: V-72247 -status: implemented -tag: sshd ---- - -The ``PermitRootLogin`` configuration is set to ``no`` in -``/etc/ssh/sshd_config`` and sshd is restarted. - -Deployers can opt out of this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_sshd_permit_root_login: no - -.. warning:: - - Ensure that a regular user account exists with a pathway to root access - (preferably via ``sudo``) before applying the security role. This - configuration change disallows any direct logins with the ``root`` - user. diff --git a/doc/metadata/rhel7/V-72249.rst b/doc/metadata/rhel7/V-72249.rst deleted file mode 100644 index b9e6e39c..00000000 --- a/doc/metadata/rhel7/V-72249.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72249 -status: implemented -tag: sshd ---- - -The ``IgnoreUserKnownHosts`` configuration is set to ``yes`` in -``/etc/ssh/sshd_config`` and sshd is restarted. - -Deployers can opt out of this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_sshd_disallow_known_hosts_auth: no diff --git a/doc/metadata/rhel7/V-72251.rst b/doc/metadata/rhel7/V-72251.rst deleted file mode 100644 index 6d8d99de..00000000 --- a/doc/metadata/rhel7/V-72251.rst +++ /dev/null @@ -1,19 +0,0 @@ ---- -id: V-72251 -status: implemented -tag: sshd ---- - -The ``Protocol`` configuration is set to ``2`` in -``/etc/ssh/sshd_config`` and sshd is restarted. - -Deployers can opt out of this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_sshd_protocol: 2 - -.. warning:: - - There is no reason to enable any other protocol than SSHv2. SSHv1 has - multiple vulnerabilities, and it is no longer widely used. 
diff --git a/doc/metadata/rhel7/V-72253.rst b/doc/metadata/rhel7/V-72253.rst deleted file mode 100644 index 5fc05918..00000000 --- a/doc/metadata/rhel7/V-72253.rst +++ /dev/null @@ -1,15 +0,0 @@ ---- -id: V-72253 -status: implemented -tag: sshd ---- - -The ``MACs`` configuration is set to ``hmac-sha2-256,hmac-sha2-512`` in -``/etc/ssh/sshd_config`` and sshd is restarted. - -Deployers can adjust the allowed Message Authentication Codes (MACs) by setting -the following Ansible variable: - -.. code-block:: yaml - - security_sshd_allowed_macs: 'hmac-sha2-256,hmac-sha2-512' diff --git a/doc/metadata/rhel7/V-72255.rst b/doc/metadata/rhel7/V-72255.rst deleted file mode 100644 index 1c713e40..00000000 --- a/doc/metadata/rhel7/V-72255.rst +++ /dev/null @@ -1,9 +0,0 @@ ---- -id: V-72255 -status: implemented -tag: sshd ---- - -The permissions on ssh public host keys is set to ``0644``. If the existing -permissions are more restrictive than ``0644``, the tasks do not make changes -to the files. diff --git a/doc/metadata/rhel7/V-72257.rst b/doc/metadata/rhel7/V-72257.rst deleted file mode 100644 index 10a1bccd..00000000 --- a/doc/metadata/rhel7/V-72257.rst +++ /dev/null @@ -1,9 +0,0 @@ ---- -id: V-72257 -status: implemented -tag: sshd ---- - -The permissions on ssh private host keys is set to ``0600``. If the existing -permissions are more restrictive than ``0600``, the tasks do not make changes -to the files. diff --git a/doc/metadata/rhel7/V-72259.rst b/doc/metadata/rhel7/V-72259.rst deleted file mode 100644 index d4dd7aaf..00000000 --- a/doc/metadata/rhel7/V-72259.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72259 -status: implemented -tag: sshd ---- - -The ``GSSAPIAuthentication`` setting is set to ``no`` to meet the requirements -of the STIG. - -Deployers can opt out of this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_sshd_disallow_gssapi: no 
diff --git a/doc/metadata/rhel7/V-72261.rst b/doc/metadata/rhel7/V-72261.rst deleted file mode 100644 index 899b9004..00000000 --- a/doc/metadata/rhel7/V-72261.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72261 -status: implemented -tag: sshd ---- - -The ``KerberosAuthentication`` configuration is set to ``no`` in -``/etc/ssh/sshd_config`` and sshd is restarted. - -Deployers can opt out of this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_sshd_disable_kerberos_auth: no diff --git a/doc/metadata/rhel7/V-72263.rst b/doc/metadata/rhel7/V-72263.rst deleted file mode 100644 index 1a32d288..00000000 --- a/doc/metadata/rhel7/V-72263.rst +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: V-72263 -status: implemented -tag: sshd ---- - -The ``StrictModes`` configuration is set to ``yes`` in ``/etc/ssh/sshd_config`` -and sshd is restarted. - -Deployers can opt out of this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_sshd_enable_strict_modes: no diff --git a/doc/metadata/rhel7/V-72265.rst b/doc/metadata/rhel7/V-72265.rst deleted file mode 100644 index 23f75f60..00000000 --- a/doc/metadata/rhel7/V-72265.rst +++ /dev/null @@ -1,20 +0,0 @@ ---- -id: V-72265 -status: implemented -tag: sshd ---- - -The ``UsePrivilegeSeparation`` configuration is set to ``sandbox`` in -``/etc/ssh/sshd_config`` and sshd is restarted. - -Deployers can opt out of this change by setting the following Ansible variable: - -.. code-block:: yaml - - security_sshd_enable_privilege_separation: no - -.. note:: - - Although the STIG requires this setting to be ``yes``, the ``sandbox`` - setting actually provides more security because it enables privilege - separation during the early authentication process. diff --git a/doc/metadata/rhel7/V-72267.rst b/doc/metadata/rhel7/V-72267.rst deleted file mode 100644 index 603507f9..00000000 --- a/doc/metadata/rhel7/V-72267.rst +++ /dev/null 
@@ -1,27 +0,0 @@
----
-id: V-72267
-status: implemented
-tag: sshd
----
-
-The ``Compression`` configuration is set to ``delayed`` in
-``/etc/ssh/sshd_config`` and sshd is restarted.
-
-Deployers can choose another option by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_sshd_compression: 'no'
-
-.. note::
-
- The following are the available settings for ``Compression`` in the ssh
- configuration file:
-
- * ``delayed``: Compression is enabled after authentication.
- * ``no``: Compression is disabled.
- * ``yes``: Compression is enabled during authentication and during the
- session (not allowed by the STIG).
-
- The ``delayed`` option balances security with performance and is an
- approved option in the STIG.
diff --git a/doc/metadata/rhel7/V-72269.rst b/doc/metadata/rhel7/V-72269.rst
deleted file mode 100644
index 874b32d2..00000000
--- a/doc/metadata/rhel7/V-72269.rst
+++ /dev/null
@@ -1,25 +0,0 @@
----
-id: V-72269
-status: implemented
-tag: misc
----
-
-The tasks in the security role make the following changes on each host:
-
-* The ``chrony`` package is installed.
-* The service (``chronyd`` on Red Hat and CentOS, ``chrony`` on Ubuntu) is
- started and enabled at boot time.
-* A configuration file template is deployed that includes ``maxpoll 10`` on
- each server line.
-
-Deployers can opt out of these changes by setting the following Ansible
-variable:
-
-.. code-block:: yaml
-
- security_rhel7_enable_chrony: no
-
-.. note::
-
- Although the STIG mentions the traditional ``ntpd`` service, this role uses
- ``chrony``, which is a more modern implementation.
diff --git a/doc/metadata/rhel7/V-72271.rst b/doc/metadata/rhel7/V-72271.rst
deleted file mode 100644
index ce0e5d69..00000000
--- a/doc/metadata/rhel7/V-72271.rst
+++ /dev/null
@@ -1,32 +0,0 @@
----
-id: V-72271
-status: opt-in
-tag: misc
----
-
-Although the STIG requires that incoming TCP connections are rate limited with
-``firewalld``, this setting can cause problems with certain applications which
-handle large amounts of TCP connections. Therefore, the tasks in the security
-role do not apply the rate limit by default.
-
-Deployers can opt in for this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_enable_firewalld_rate_limit: yes
-
-The STIG recommends a limit of 25 connection per minute and allowing bursts up
-to 100 connections. Both of these options are adjustable with the following
-Ansible variables:
-
-.. code-block:: yaml
-
- security_enable_firewalld_rate_limit_per_minute: 25
- security_enable_firewalld_rate_limit_burst: 100
-
-.. warning::
-
- Deployers should test rate limiting in a non-production environment first
- before applying it to production systems. Ensure that the application
- running on the system is receiving a large volume of requests so that the
- rule can be thoroughly tested.
diff --git a/doc/metadata/rhel7/V-72273.rst b/doc/metadata/rhel7/V-72273.rst
deleted file mode 100644
index 89f99140..00000000
--- a/doc/metadata/rhel7/V-72273.rst
+++ /dev/null
@@ -1,23 +0,0 @@
----
-id: V-72273
-status: opt-in
-tag: misc
----
-
-The STIG requires that a firewall is configured on each server. This might be
-disruptive to some environments since the default firewall policy for
-``firewalld`` is very restrictive. Therefore, the tasks in the security role
-do not install or enable the ``firewalld`` daemon by default.
-
-Deployers can opt in for this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_enable_firewalld: yes
-
-.. warning::
-
- Deployers must pre-configure ``firewalld`` or copy over a working XML file
- in ``/etc/firewalld/zones/`` from another server. The default firewalld
- restrictions on Ubuntu, CentOS and Red Hat Enterprise Linux are highly
- restrictive.
diff --git a/doc/metadata/rhel7/V-72275.rst b/doc/metadata/rhel7/V-72275.rst
deleted file mode 100644
index 4cfb5c3e..00000000
--- a/doc/metadata/rhel7/V-72275.rst
+++ /dev/null
@@ -1,14 +0,0 @@
----
-id: V-72275
-status: verification only
-tag: auth
----
-
-The PAM configuration is checked for the presence of ``pam_lastlogin`` and a
-warning message is printed if the directive is not found. The tasks in the
-security role do not adjust PAM configurations since these changes might be
-disruptive in some environments.
-
-Deployers should review their PAM configurations and add ``pam_lastlogin`` to
-``/etc/pam.d/postlogin`` on CentOS and Red Hat Enterprise Linux or to
-``/etc/pam.d/login`` on Ubuntu.
diff --git a/doc/metadata/rhel7/V-72277.rst b/doc/metadata/rhel7/V-72277.rst
deleted file mode 100644
index b80032b5..00000000
--- a/doc/metadata/rhel7/V-72277.rst
+++ /dev/null
@@ -1,18 +0,0 @@
----
-id: V-72277
-status: opt-in
-tag: auth
----
-
-The tasks in the security role examine the filesystem for any ``.shosts`` or
-``shosts.equiv`` files. If they are found, they are deleted.
-
-The search for these files will take a very long time on systems with slow
-disks or systems with a large amount of files. Therefore, this task is skipped
-by default.
-
-Deployers can opt in for this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_rhel7_remove_shosts_files: yes
diff --git a/doc/metadata/rhel7/V-72279.rst b/doc/metadata/rhel7/V-72279.rst
deleted file mode 100644
index 80b7d7a4..00000000
--- a/doc/metadata/rhel7/V-72279.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-72279
-status: implemented
-tag: auth
----
-
-This control is implemented by the tasks for another control:
-
-* :ref:`stig-V-72277`
diff --git a/doc/metadata/rhel7/V-72281.rst b/doc/metadata/rhel7/V-72281.rst
deleted file mode 100644
index f9513a68..00000000
--- a/doc/metadata/rhel7/V-72281.rst
+++ /dev/null
@@ -1,8 +0,0 @@
----
-id: V-72281
-status: implemented
-tag: misc
----
-
-If a server has fewer than two nameservers configured in ``/etc/resolv.conf``,
-a warning is printed in the Ansible output.
diff --git a/doc/metadata/rhel7/V-72283.rst b/doc/metadata/rhel7/V-72283.rst
deleted file mode 100644
index 21113080..00000000
--- a/doc/metadata/rhel7/V-72283.rst
+++ /dev/null
@@ -1,19 +0,0 @@
----
-id: V-72283
-status: implemented
-tag: kernel
----
-
-The tasks in this role set ``net.ipv4.conf.all.accept_source_route`` and
-``net.ipv4.conf.default.accept_source_route`` to ``0`` by default. This
-prevents the system from forwarding source-routed IPv4 packets on all
-new and existing interfaces.
-
-Deployers can opt out of this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_disallow_source_routed_packet_forward_ipv4: no
-
-For more details on source routed packets, refer to the
-`Red Hat documentation `_.
diff --git a/doc/metadata/rhel7/V-72285.rst b/doc/metadata/rhel7/V-72285.rst
deleted file mode 100644
index a1328366..00000000
--- a/doc/metadata/rhel7/V-72285.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-72285
-status: implemented
-tag: kernel
----
-
-This control is implemented by the tasks for another control:
-
-* :ref:`stig-V-72283`
diff --git a/doc/metadata/rhel7/V-72287.rst b/doc/metadata/rhel7/V-72287.rst
deleted file mode 100644
index 86f9f0f8..00000000
--- a/doc/metadata/rhel7/V-72287.rst
+++ /dev/null
@@ -1,15 +0,0 @@
----
-id: V-72287
-status: implemented
-tag: kernel
----
-
-The tasks in this role set ``net.ipv4.icmp_echo_ignore_broadcasts`` to ``1``
-by default. This prevents the system from responding to IPv4 ICMP echoes sent
-to the broadcast address.
-
-Deployers can opt out of this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_disallow_echoes_broadcast_address: no
diff --git a/doc/metadata/rhel7/V-72289.rst b/doc/metadata/rhel7/V-72289.rst
deleted file mode 100644
index 97469a52..00000000
--- a/doc/metadata/rhel7/V-72289.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-72289
-status: implemented
-tag: sshd
----
-
-This control is implemented by the tasks for another control:
-
-* :ref:`stig-V-73175`
diff --git a/doc/metadata/rhel7/V-72291.rst b/doc/metadata/rhel7/V-72291.rst
deleted file mode 100644
index 1d170624..00000000
--- a/doc/metadata/rhel7/V-72291.rst
+++ /dev/null
@@ -1,16 +0,0 @@
----
-id: V-72291
-status: implemented
-tag: kernel
----
-
-The tasks in this role set ``net.ipv4.conf.default.send_redirects`` and
-``net.ipv4.conf.all.send_redirects`` to ``0`` by default. This prevents a
-system from sending IPv4 ICMP redirect packets on all new and existing
-interfaces.
-
-Deployers can opt out of this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_disallow_icmp_redirects: no
diff --git a/doc/metadata/rhel7/V-72293.rst b/doc/metadata/rhel7/V-72293.rst
deleted file mode 100644
index 8d774403..00000000
--- a/doc/metadata/rhel7/V-72293.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-72293
-status: implemented
-tag: kernel
----
-
-This control is implemented by the tasks for another control:
-
-* :ref:`stig-V-72291`
diff --git a/doc/metadata/rhel7/V-72295.rst b/doc/metadata/rhel7/V-72295.rst
deleted file mode 100644
index b4a171e8..00000000
--- a/doc/metadata/rhel7/V-72295.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-72295
-status: verification only
-tag: misc
----
-
-All interfaces are examined to ensure they are not in promiscuous mode. A
-warning message is printed in the Ansible output if any promiscuous interfaces
-are found.
diff --git a/doc/metadata/rhel7/V-72297.rst b/doc/metadata/rhel7/V-72297.rst
deleted file mode 100644
index 2cb6f490..00000000
--- a/doc/metadata/rhel7/V-72297.rst
+++ /dev/null
@@ -1,14 +0,0 @@
----
-id: V-72297
-status: implemented
-tag: misc
----
-
-The ``smtpd_client_restrictions`` configuration in postfix is set to
-``permit_mynetworks, reject`` to meet the STIG's requirements.
-
-Deployers can opt out of this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_rhel7_restrict_mail_relaying: no
diff --git a/doc/metadata/rhel7/V-72299.rst b/doc/metadata/rhel7/V-72299.rst
deleted file mode 100644
index 392d262e..00000000
--- a/doc/metadata/rhel7/V-72299.rst
+++ /dev/null
@@ -1,7 +0,0 @@
----
-id: V-72299
-status: not implemented
-tag: packages
----
-
-This STIG is not yet implemented.
diff --git a/doc/metadata/rhel7/V-72301.rst b/doc/metadata/rhel7/V-72301.rst
deleted file mode 100644
index 917bb725..00000000
--- a/doc/metadata/rhel7/V-72301.rst
+++ /dev/null
@@ -1,18 +0,0 @@
----
-id: V-72301
-status: implemented
-tag: packages
----
-
-The role will remove the TFTP server package from the system if it is
-installed. The package name differs between Linux distributions:
-
-* CentOS: ``tftp-server``
-* Ubuntu: ``tftpd``
-
-Deployers can opt-out of this change by setting the following Ansible variable:
-
-
-.. code-block:: yaml
-
- security_rhel7_remove_tftp_server: no
diff --git a/doc/metadata/rhel7/V-72303.rst b/doc/metadata/rhel7/V-72303.rst
deleted file mode 100644
index 81f1006a..00000000
--- a/doc/metadata/rhel7/V-72303.rst
+++ /dev/null
@@ -1,14 +0,0 @@
----
-id: V-72303
-status: implemented
-tag: sshd
----
-
-The ``X11Forwarding`` configuration is set to ``yes`` in
-``/etc/ssh/sshd_config`` and sshd is restarted.
-
-Deployers can opt out of this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_sshd_enable_x11_forwarding: no
diff --git a/doc/metadata/rhel7/V-72305.rst b/doc/metadata/rhel7/V-72305.rst
deleted file mode 100644
index e28869ff..00000000
--- a/doc/metadata/rhel7/V-72305.rst
+++ /dev/null
@@ -1,10 +0,0 @@
----
-id: V-72305
-status: verification only
-tag: misc
----
-
-The tasks in the security role examine the TFTP server configuration file (if
-it exists) to verify that the secure operation flag (``-s``) is listed on the
-``server_args`` line. If it is missing, a warning message is printed in the
-Ansible output.
diff --git a/doc/metadata/rhel7/V-72307.rst b/doc/metadata/rhel7/V-72307.rst
deleted file mode 100644
index b8a814b2..00000000
--- a/doc/metadata/rhel7/V-72307.rst
+++ /dev/null
@@ -1,17 +0,0 @@
----
-id: V-72307
-status: implemented
-tag: packages
----
-
-The role will remove the xorg server package from the system if it is
-installed. The package name differs between Linux distributions:
-
-* CentOS: ``xorg-x11-server-Xorg``
-* Ubuntu: ``xorg-xserver``
-
-Deployers can opt-out of this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_rhel7_remove_xorg: no
diff --git a/doc/metadata/rhel7/V-72309.rst b/doc/metadata/rhel7/V-72309.rst
deleted file mode 100644
index 4812e4ee..00000000
--- a/doc/metadata/rhel7/V-72309.rst
+++ /dev/null
@@ -1,22 +0,0 @@
----
-id: V-72309
-status: opt-in
-tag: kernel
----
-
-Disabling IP forwarding on a system that routes packets or host virtual
-machines might cause network interruptions. The tasks in this role do not
-adjust the ``net.ipv4.ip_forward`` configuration by default.
-
-Deployers can opt in for this change and disable IP forwarding by setting the
-following Ansible variable:
-
-.. code-block:: yaml
-
- security_disallow_ip_forwarding: yes
-
-.. warning::
-
- IP forwarding is required in some environments. Always test in a
- non-production environment before changing this setting on a production
- system.
diff --git a/doc/metadata/rhel7/V-72311.rst b/doc/metadata/rhel7/V-72311.rst
deleted file mode 100644
index dfc95b0a..00000000
--- a/doc/metadata/rhel7/V-72311.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-72311
-status: exception - manual intervention
-tag: misc
----
-
-Deployers using NFS should examine their mounts to ensure ``krb5:krb5i:krb5p``
-is provided with the ``sec`` option. Kerberos must be installed and configured
-before making the change.
diff --git a/doc/metadata/rhel7/V-72313.rst b/doc/metadata/rhel7/V-72313.rst
deleted file mode 100644
index 2daf3f7e..00000000
--- a/doc/metadata/rhel7/V-72313.rst
+++ /dev/null
@@ -1,10 +0,0 @@
----
-id: V-72313
-status: verification only
-tag: misc
----
-
-The tasks in the security role examine the contents of the
-``/etc/snmp/snmpd.conf`` file (if it exists) and search for the default
-community strings: ``public`` and ``private``. If either default string is
-found, a message is printed in the Ansible output.
diff --git a/doc/metadata/rhel7/V-72315.rst b/doc/metadata/rhel7/V-72315.rst
deleted file mode 100644
index e2cd4f5c..00000000
--- a/doc/metadata/rhel7/V-72315.rst
+++ /dev/null
@@ -1,14 +0,0 @@
----
-id: V-72315
-status: exception - manual intervention
-tag: misc
----
-
-The ``firewalld`` service is optionally enabled and configured in the tasks for
-another STIG control:
-
-* :ref:`stig-V-72273`
-
-Deployers should review their ``firewalld`` ruleset regularly to ensure that
-each firewall rule is specific as possible. Each rule should allow the smallest
-number of hosts to access the smallest number of services.
diff --git a/doc/metadata/rhel7/V-72317.rst b/doc/metadata/rhel7/V-72317.rst
deleted file mode 100644
index 63a94dd6..00000000
--- a/doc/metadata/rhel7/V-72317.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-72317
-status: exception - manual intervention
-tag: misc
----
-
-Deployers should review all tunneled connections on a regular basis to ensure
-each is valid and properly secured. This requires careful verification that
-cannot be done with automated Ansible tasks.
diff --git a/doc/metadata/rhel7/V-72319.rst b/doc/metadata/rhel7/V-72319.rst
deleted file mode 100644
index c6182fc2..00000000
--- a/doc/metadata/rhel7/V-72319.rst
+++ /dev/null
@@ -1,18 +0,0 @@
----
-id: V-72319
-status: implemented
-tag: kernel
----
-
-The tasks in this role set ``net.ipv6.conf.all.accept_source_route`` to ``0``
-by default. This prevents the system from forwarding source-routed IPv6
-packets.
-
-Deployers can opt out of this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_disallow_source_routed_packet_forward_ipv6: no
-
-Refer to `"IPv6 source routing: history repeats itself" `_
-for more details on IPv6 source routed packets.
diff --git a/doc/metadata/rhel7/V-72417.rst b/doc/metadata/rhel7/V-72417.rst
deleted file mode 100644
index f3333da4..00000000
--- a/doc/metadata/rhel7/V-72417.rst
+++ /dev/null
@@ -1,19 +0,0 @@
----
-id: V-72417
-status: implemented
-tag: packages
----
-
-The STIG requires that the following multifactor authentication packages are
-installed:
-
-* authconfig
-* authconfig-gtk
-* esc
-* pam_pkcs11
-
-These packages are benign if they are not needed on a system, but
-``authconfig-gtk`` may cause some graphical dependencies to be installed
-which may not be needed on some systems. The security role installs these
-packages, but it skips the installation of ``authconfig-gtk``. Deployers can
-install the graphical package manually if needed.
diff --git a/doc/metadata/rhel7/V-72427.rst b/doc/metadata/rhel7/V-72427.rst
deleted file mode 100644
index 6b8fc907..00000000
--- a/doc/metadata/rhel7/V-72427.rst
+++ /dev/null
@@ -1,10 +0,0 @@
----
-id: V-72427
-status: exception - manual intervention
-tag: auth
----
-
-Although the STIG requires that the ``sssd.conf`` contains both ``nss`` and
-``pam`` authentication modules, this change can be disruptive in environments
-that are already using LDAP or Active Directory for authentication. Deployers
-should make these changes only if their environment is compatible.
diff --git a/doc/metadata/rhel7/V-72433.rst b/doc/metadata/rhel7/V-72433.rst
deleted file mode 100644
index 31008bda..00000000
--- a/doc/metadata/rhel7/V-72433.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-72433
-status: exception - manual intervention
-tag: auth
----
-
-Any adjustment to PKI authentication can cause disruptions for users. Deployers
-should verify that enabling OCSP validation is compatible with their existing
-configuration.
diff --git a/doc/metadata/rhel7/V-72435.rst b/doc/metadata/rhel7/V-72435.rst
deleted file mode 100644
index 8a92b91c..00000000
--- a/doc/metadata/rhel7/V-72435.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-72435
-status: exception - manual intervention
-tag: auth
----
-
-Any adjustment to PKI authentication can cause disruptions for users. Deployers
-should verify that their environment is compatible with smart cards before
-requiring them for authentication.
diff --git a/doc/metadata/rhel7/V-73155.rst b/doc/metadata/rhel7/V-73155.rst
deleted file mode 100644
index 882640c0..00000000
--- a/doc/metadata/rhel7/V-73155.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-73155
-status: implemented
-tag: graphical
----
-
-This control is implemented by the tasks for another control:
-
-* :ref:`stig-V-71891`
diff --git a/doc/metadata/rhel7/V-73157.rst b/doc/metadata/rhel7/V-73157.rst
deleted file mode 100644
index a4493b77..00000000
--- a/doc/metadata/rhel7/V-73157.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-73157
-status: implemented
-tag: graphical
----
-
-This control is implemented by the tasks for another control:
-
-* :ref:`stig-V-71891`
diff --git a/doc/metadata/rhel7/V-73159.rst b/doc/metadata/rhel7/V-73159.rst
deleted file mode 100644
index 8749554c..00000000
--- a/doc/metadata/rhel7/V-73159.rst
+++ /dev/null
@@ -1,14 +0,0 @@
----
-id: V-73159
-status: opt-in
-tag: accounts
----
-
-The security role can require new or changed passwords to follow the pwquality
-rules, but this change can be disruptive for users without proper
-communication. Deployers must opt in for this change by setting the following
-variable:
-
-.. code-block:: yaml
-
- security_enable_pwquality_password_set: yes
diff --git a/doc/metadata/rhel7/V-73161.rst b/doc/metadata/rhel7/V-73161.rst
deleted file mode 100644
index 76b85f25..00000000
--- a/doc/metadata/rhel7/V-73161.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-73161
-status: exception - manual intervention
-tag: misc
----
-
-Deployers should review their NFS mounts to ensure they are mounted with the
-``noexec`` option. Deployers should skip this change if they execute
-applications from NFS mounts.
diff --git a/doc/metadata/rhel7/V-73163.rst b/doc/metadata/rhel7/V-73163.rst
deleted file mode 100644
index 7f80be97..00000000
--- a/doc/metadata/rhel7/V-73163.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-73163
-status: implemented
-tag: auditd
----
-
-This control is implemented by the tasks for another control:
-
-* :ref:`stig-V-72087`
diff --git a/doc/metadata/rhel7/V-73165.rst b/doc/metadata/rhel7/V-73165.rst
deleted file mode 100644
index 36b3f6d0..00000000
--- a/doc/metadata/rhel7/V-73165.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-73165
-status: implemented
-tag: auditd
----
-
-This control is implemented by the tasks for another control:
-
-* :ref:`stig-V-72197`
diff --git a/doc/metadata/rhel7/V-73167.rst b/doc/metadata/rhel7/V-73167.rst
deleted file mode 100644
index 2e7db141..00000000
--- a/doc/metadata/rhel7/V-73167.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-73167
-status: implemented
-tag: auditd
----
-
-This control is implemented by the tasks for another control:
-
-* :ref:`stig-V-72197`
diff --git a/doc/metadata/rhel7/V-73171.rst b/doc/metadata/rhel7/V-73171.rst
deleted file mode 100644
index e71c1bfa..00000000
--- a/doc/metadata/rhel7/V-73171.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-73171
-status: implemented
-tag: auditd
----
-
-This control is implemented by the tasks for another control:
-
-* :ref:`stig-V-72197`
diff --git a/doc/metadata/rhel7/V-73173.rst b/doc/metadata/rhel7/V-73173.rst
deleted file mode 100644
index 3da26310..00000000
--- a/doc/metadata/rhel7/V-73173.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-73173
-status: implemented
-tag: auditd
----
-
-This control is implemented by the tasks for another control:
-
-* :ref:`stig-V-72197`
diff --git a/doc/metadata/rhel7/V-73175.rst b/doc/metadata/rhel7/V-73175.rst
deleted file mode 100644
index d965b2bc..00000000
--- a/doc/metadata/rhel7/V-73175.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-73175
-status: implemented
-tag: kernel
----
-
-This control is implemented by the tasks for another control:
-
-* :ref:`stig-V-72293`
diff --git a/doc/metadata/rhel7/V-73177.rst b/doc/metadata/rhel7/V-73177.rst
deleted file mode 100644
index de7ee5bd..00000000
--- a/doc/metadata/rhel7/V-73177.rst
+++ /dev/null
@@ -1,9 +0,0 @@
----
-id: V-73177
-status: exception - manual intervention
-tag: misc
----
-
-Deployers should review the configuration of any wireless networking device
-connected to the system to ensure it must be enabled. The STIG requires that
-all wireless network devices are enabled unless required.
diff --git a/doc/metadata/stig_to_rst.py b/doc/metadata/stig_to_rst.py
deleted file mode 100755
index 87493a5e..00000000
--- a/doc/metadata/stig_to_rst.py
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/usr/bin/env python
-# Copyright 2016, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Convert STIG XML to RST for easier reading."""
-import os
-import xmltodict
-
-SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
-xml_file = 'U_Red_Hat_Enterprise_Linux_7_STIG_V1R1_Manual-xccdf.xml'
-with open('{}/{}'.format(SCRIPT_DIR, xml_file), 'r') as f:
- xmldict = xmltodict.parse(f.read())
-
-for group in xmldict['Benchmark']['Group']:
- rule = group['Rule']
-
- print("\n{}\n{}\n".format(group['@id'], "=" * len(group['@id'])))
- print("{}\n".format(rule['title']))
- print("{}\n".format(rule['version']))
- print("{}\n".format(rule['description'].encode('utf-8')))
diff --git a/doc/metadata/template_all.j2 b/doc/metadata/template_all.j2
deleted file mode 100644
index acff15d9..00000000
--- a/doc/metadata/template_all.j2
+++ /dev/null
@@ -1,24 +0,0 @@
-{% set page_title = "Review All STIG Controls" %}
-{{ "=" * page_title | length }}
-{{ page_title }}
-{{ "=" * page_title | length }}
-
-Navigating the list
-===================
-
-Use your browser's search function (usually CTRL-f or ⌘-f) to find the
-security configuration in the full list shown here. You can search for STIG
-ID numbers, such as ``V-38463``, or for particular topics, like ``audit``.
-
-----
-
-{% for stig_id in stig_ids | sort %}
-.. _stig-{{ stig_id }}:
-
-{% include "template_doc.j2" %}
-
-{% if not loop.last %}
-----
-{% endif %}
-
-{% endfor %}
diff --git a/doc/metadata/template_all_rhel7.j2 b/doc/metadata/template_all_rhel7.j2
deleted file mode 100644
index d0baec3d..00000000
--- a/doc/metadata/template_all_rhel7.j2
+++ /dev/null
@@ -1,24 +0,0 @@
-{% set page_title = "Review All STIG Controls" %}
-{{ "=" * page_title | length }}
-{{ page_title }}
-{{ "=" * page_title | length }}
-
-Navigating the list
-===================
-
-Use your browser's search function (usually CTRL-f or ⌘-f) to find the
-security configuration in the full list shown here. You can search for STIG
-ID numbers, such as ``V-38463``, or for particular topics, like ``audit``.
-
-----
-
-{% for stig_id in stig_ids | sort %}
-.. _stig-{{ stig_id }}:
-
-{% include "template_doc_rhel7.j2" %}
-
-{% if not loop.last %}
-----
-{% endif %}
-
-{% endfor %}
diff --git a/doc/metadata/template_doc.j2 b/doc/metadata/template_doc.j2
deleted file mode 100644
index ac98c285..00000000
--- a/doc/metadata/template_doc.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-{% set rule = all_deployer_notes[stig_id] %}
-{% set page_title = rule['title'] | trim + ' (' + rule['id'] + ')'%}
-{{ page_title }}
-{{ "-" * page_title | length }}
-
-{{ rule['description']}}
-
-Details: `{{ rule['id'] }} in STIG Viewer`_
-
-.. _{{ rule['id'] }} in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/{{ rule['id'] }}
-
-Notes for deployers and auditors
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-**Implementation Status:** {{ rule['deployer_notes']['status'] | title }}
-{{ rule['deployer_notes']['content'] }}
diff --git a/doc/metadata/template_doc_rhel7.j2 b/doc/metadata/template_doc_rhel7.j2
deleted file mode 100644
index a8feacf7..00000000
--- a/doc/metadata/template_doc_rhel7.j2
+++ /dev/null
@@ -1,17 +0,0 @@
-{% set rule = all_deployer_notes[stig_id] %}
-{% set page_title = rule['title'] | trim + ' (' + rule['id'] + ')'%}
-{{ page_title }}
-{{ "-" * page_title | length }}
-
-STIG Description
-~~~~~~~~~~~~~~~~
-
-**Severity:** {{ rule['severity'] | title }}
-
-{{ rule['description']['VulnDiscussion'] | addmonospace }}
-
-Deployer/Auditor notes
-~~~~~~~~~~~~~~~~~~~~~~
-
-**Implementation Status:** {{ rule['deployer_notes']['status'] | title }}
-{{ rule['deployer_notes']['content'] }}
diff --git a/doc/metadata/template_toc.j2 b/doc/metadata/template_toc.j2
deleted file mode 100644
index 3dac60fb..00000000
--- a/doc/metadata/template_toc.j2
+++ /dev/null
@@ -1,31 +0,0 @@
-{% set page_title = "STIG Controls by " + toc_type | title %}
-{{ "=" * page_title | length }}
-{{ page_title }}
-{{ "=" * page_title | length }}
-
-.. contents::
- :depth: 2
- :backlinks: none
-
-{% for section_header, stig_id_list in stig_dict.items() %}
-
-{% if toc_type == 'tag' %}
-{% set section_title = section_header + " (" + stig_id_list | length | string + " controls)" %}
-{% else %}
-{% set section_title = section_header | title + " (" + stig_id_list | length | string + " controls)" %}
-{% endif %}
-.. _{{ toc_type | replace(' ', '-') }}-{{ section_header | replace(' ', '-') }}:
-
-{{ section_title }}
-{{ "=" * section_title | length }}
-
-{% for stig_id in stig_id_list | sort %}
-
-{% include "template_doc.j2" %}
-
-{% if not loop.last %}
-----
-{% endif %}
-
-{% endfor %}
-{% endfor %}
diff --git a/doc/metadata/template_toc_rhel7.j2 b/doc/metadata/template_toc_rhel7.j2
deleted file mode 100644
index 893ed763..00000000
--- a/doc/metadata/template_toc_rhel7.j2
+++ /dev/null
@@ -1,31 +0,0 @@
-{% set page_title = "STIG Controls by " + toc_type | title %}
-{{ "=" * page_title | length }}
-{{ page_title }}
-{{ "=" * page_title | length }}
-
-.. contents::
- :depth: 2
- :backlinks: none
-
-{% for section_header, stig_id_list in stig_dict.items() %}
-
-{% if toc_type == 'tag' %}
-{% set section_title = section_header + " (" + stig_id_list | length | string + " controls)" %}
-{% else %}
-{% set section_title = section_header | title + " (" + stig_id_list | length | string + " controls)" %}
-{% endif %}
-.. _{{ toc_type | replace(' ', '-') }}-{{ section_header | replace(' ', '-') }}:
-
-{{ section_title }}
-{{ "=" * section_title | length }}
-
-{% for stig_id in stig_id_list | sort %}
-
-{% include "template_doc_rhel7.j2" %}
-
-{% if not loop.last %}
-----
-{% endif %}
-
-{% endfor %}
-{% endfor %}
diff --git a/doc/source/_exts/metadata-docs-rhel7.py b/doc/source/_exts/metadata-docs-rhel7.py
deleted file mode 100644
index c806357f..00000000
--- a/doc/source/_exts/metadata-docs-rhel7.py
+++ /dev/null
@@ -1,274 +0,0 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-# Copyright 2016, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Build documentation from STIG and deployer notes."""
-from __future__ import print_function, unicode_literals
-import os
-import re
-
-from collections import OrderedDict, defaultdict
-
-import jinja2
-from lxml import etree
-import yaml
-
-
-SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
-METADATA_DIR = "{0}/../../metadata".format(SCRIPT_DIR)
-DOC_SOURCE_DIR = "{0}/..".format(SCRIPT_DIR)
-XCCDF_FILE = 'U_Red_Hat_Enterprise_Linux_7_STIG_V1R1_Manual-xccdf.xml'
-XCCDF_NAMESPACE = {'x': 'http://checklists.nist.gov/xccdf/1.1'}
-
-
-def add_monospace(text):
- """Add monospace formatting to RST."""
- paragraphs = text.split('\n\n')
- for key, value in enumerate(paragraphs):
-
- # Replace all quotes "" with backticks `` for monospacing
- paragraphs[key] = re.sub(u'\u201c(.*?)\u201d',
- r'``\1``',
- value)
-
- # If our paragraph ends with a colon and the next line isn't a special
- # note, let's make sure the next paragraph is monospaced.
- if value.endswith(":"):
-
- if paragraphs[key + 1].startswith('Note:'):
-
- # Indent the paragraph AFTER the note.
- paragraphs[key + 2] = '::\n\n ' + '\n '.join(
- paragraphs[key + 2].split('\n')
- )
-
- else:
- # Ensure the paragraph ends with double colon (::).
- paragraphs[key] = re.sub(r':$', '::', value)
-
- # Indent the next paragraph.
- paragraphs[key + 1] = ' ' + '\n '.join(
- paragraphs[key + 1].split('\n')
- )
-
- # If we found a note in the description, let's format it like a note.
- if value.startswith('Note:'):
- paragraphs[key] = ".. note::\n\n {0}".format(value[6:])
-
- # If we have a line that starts with a pound sign, this probably needs
- # to be pre-formatted as well.
- if value.startswith('#'):
- paragraphs[key] = '::\n\n ' + '\n '.join(value.split('\n'))
-
- # If there's a command on a line by itself, we probably need to merge
- # it with the next line. The STIG has terrible formatting in some
- # places.
- monospace_strings = ['grep', 'more']
- if (
- key + 1 < len(paragraphs) and
- any(x in value for x in monospace_strings) and
- '\n' not in value and
- not paragraphs[key + 1].startswith('Password')
- ):
- value = "{0}\n{1}".format(
- value,
- '\n '.join(paragraphs[key + 1].split('\n'))
- )
- del(paragraphs[key + 1])
-
- return '\n\n'.join(paragraphs)
-
-JINJA_ENV = jinja2.Environment(
- loader=jinja2.FileSystemLoader(METADATA_DIR),
- trim_blocks=True,
- keep_trailing_newline=False,
-)
-JINJA_ENV.filters['addmonospace'] = add_monospace
-
-
-def element_flatten(element):
- """Flatten the element into a single item if it's a single item list."""
- # If there's only one result in the list, then return that single result.
- if isinstance(element, list) and len(element) == 1:
- return element[0]
- else:
- return element
-
-
-def filter_xpath(tree, xpath_string):
- """Apply an xpath filter to the XML and return data."""
- element = tree.xpath(xpath_string, namespaces=XCCDF_NAMESPACE)
- return element_flatten(element)
-
-
-def filter_find(tree, xpath_string):
- """Do a find on the tree to get specific data."""
- element = tree.find(xpath_string, namespaces=XCCDF_NAMESPACE)
- return element_flatten(element)
-
-
-def filter_findall(tree, xpath_string):
- """Do a find on the tree to get specific data."""
- element = tree.findall(xpath_string, namespaces=XCCDF_NAMESPACE)
- return element_flatten(element)
-
-
-def get_deployer_notes(stig_id):
- """Read deployer notes based on the STIG ID."""
- filename = "{0}/rhel7/{1}.rst".format(METADATA_DIR, stig_id)
-
- # Does this deployer note exist?
- if not os.path.isfile(filename):
- return False
-
- # Read the note and parse it with YAML
- with open(filename, 'r') as f:
- rst_file = f.read()
-
- # Split the RST into frontmatter and text
- # NOTE(mhayden): Can't use the standard yaml.load_all() here at it will
- # have scanner errors in documents that have colons (:).
- yaml_boundary = re.compile(r'^-{3,}$', re.MULTILINE)
- _, metadata, text = yaml_boundary.split(rst_file, 2)
-
- # Assemble the metadata and the text from the deployer note.
- post = yaml.safe_load(metadata)
- post['content'] = text
-
- return post
-
-
-def read_xml():
- """Read XCCDF XML file and parse it into an etree."""
- with open("{0}/{1}".format(METADATA_DIR, XCCDF_FILE), 'r') as f:
- tree = etree.parse(f)
- return tree
-
-
-def render_all(stig_ids, all_deployer_notes):
- """Generate documentation RST for each STIG configuration."""
- template = JINJA_ENV.get_template('template_all_rhel7.j2')
- return template.render(
- stig_ids=stig_ids,
- all_deployer_notes=all_deployer_notes,
- )
-
-
-def render_doc(stig_rule, deployer_notes):
- """Generate documentation RST for each STIG configuration."""
- template = JINJA_ENV.get_template('template_doc_rhel7.j2')
- return template.render(
- rule=stig_rule,
- notes=deployer_notes
- )
-
-
-def render_toc(toc_type, stig_dict, all_deployer_notes):
- """Generate documentation RST for each STIG configuration."""
- template = JINJA_ENV.get_template('template_toc_rhel7.j2')
- return template.render(
- toc_type=toc_type,
- stig_dict=stig_dict,
- all_deployer_notes=all_deployer_notes,
- )
-
-
-def write_file(filename, content):
- """Write contents to files."""
- file_path = "{0}/{1}".format(DOC_SOURCE_DIR, filename)
-
- if not os.path.isdir(os.path.dirname(file_path)):
- os.makedirs(os.path.dirname(file_path))
-
- with open(file_path, 'w') as f:
- f.write(content.encode('utf-8'))
-
- return True
-
-
-def generate_docs():
- """The main function."""
- tree = read_xml()
-
- # Create a simple list to capture all of the STIGs
- stig_ids = []
-
- # Create defaultdicts to hold information to build our table of
- # contents files for sphinx.
- all_deployer_notes = defaultdict(list)
- severity = defaultdict(list)
- tag = defaultdict(list)
- status = defaultdict(list)
-
- # Loop through the groups and extract rules
- group_elements = filter_xpath(tree, "/x:Benchmark/x:Group")
- for group_element in group_elements:
- rule_element = filter_find(group_element, 'x:Rule')
-
- # Build a dictionary with all of our rule data.
- rule = {
- 'id': group_element.attrib['id'],
- 'title': filter_find(rule_element, 'x:title').text,
- 'severity': rule_element.attrib['severity'],
- 'fix': filter_find(rule_element, 'x:fixtext').text,
- 'check': filter_find(rule_element,
- 'x:check/x:check-content').text,
- 'ident': [x.text for x in filter_find(rule_element, 'x:ident')],
- }
-
- # The description has badly formed XML in it, so we need to hack it up
- # and turn those tags into a dictionary.
- description = filter_find(rule_element, 'x:description').text
- parser = etree.XMLParser(recover=True)
- temp = etree.fromstring("{0}".format(description), parser)
- rule['description'] = {x.tag: x.text for x in temp.iter()}
-
- # Get the deployer notes from YAML
- print(rule['id'])
- deployer_notes = get_deployer_notes(rule['id'])
- rule['deployer_notes'] = deployer_notes
-
- all_deployer_notes[rule['id']] = rule
- stig_ids.append(rule['id'])
- severity[rule['severity']].append(rule['id'])
- status[deployer_notes['status']].append(rule['id'])
- tag[deployer_notes['tag']].append(rule['id'])
-
- keyorder = ['high', 'medium', 'low']
- severity = OrderedDict(sorted(severity.items(),
- key=lambda x: keyorder.index(x[0])))
- status = OrderedDict(sorted(status.items(), key=lambda x: x[0]))
- tag = OrderedDict(sorted(tag.items(), key=lambda x: x[0]))
-
- all_toc = render_all(stig_ids, all_deployer_notes)
- severity_toc = render_toc('severity',
- severity,
- all_deployer_notes)
- status_toc = render_toc('implementation status',
- status,
- all_deployer_notes)
- tag_toc = render_toc('tag',
- tag,
- all_deployer_notes)
-
- write_file("rhel7/auto_controls-all.rst", all_toc)
- write_file("rhel7/auto_controls-by-severity.rst", severity_toc)
- write_file("rhel7/auto_controls-by-status.rst", status_toc)
- write_file("rhel7/auto_controls-by-tag.rst", tag_toc)
-
-
-def setup(app):
- """Set up the Sphinx extension."""
- print("Generating RHEL7 STIG documentation...")
- generate_docs()
diff --git a/doc/source/_exts/metadata-docs.py b/doc/source/_exts/metadata-docs.py
deleted file mode 100644
index c0cc6743..00000000
--- a/doc/source/_exts/metadata-docs.py
+++ /dev/null
@@ -1,216 +0,0 @@
-#!/usr/bin/env python
-# Copyright 2016, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Build documentation from STIG and deployer notes."""
-from __future__ import print_function, unicode_literals
-from collections import defaultdict, OrderedDict
-import os
-import re
-from textwrap import fill
-import yaml
-
-
-import jinja2
-from lxml import etree
-
-
-SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
-METADATA_DIR = "{0}/../../metadata".format(SCRIPT_DIR)
-DOC_SOURCE_DIR = "{0}/..".format(SCRIPT_DIR)
-JINJA_ENV = jinja2.Environment(
- loader=jinja2.FileSystemLoader(METADATA_DIR),
- trim_blocks=True,
- keep_trailing_newline=False,
-)
-
-XCCDF_FILE = 'U_RedHat_6_V1R12_Manual-xccdf.xml'
-XCCDF_NAMESPACE = {'x': 'http://checklists.nist.gov/xccdf/1.1'}
-
-
-def read_xml():
- """Read XCCDF XML file and parse it into an etree."""
- with open("{0}/{1}".format(METADATA_DIR, XCCDF_FILE), 'r') as f:
- tree = etree.parse(f)
- return tree
-
-
-def element_flatten(element):
- """Flatten the element into a single item if it's a single item list."""
- # If there's only one result in the list, then return that single result.
- if isinstance(element, list) and len(element) == 1:
- return element[0]
- else:
- return element
-
-
-def extract_description(description_text):
- """Take the description text and extract the VulnDiscussion tag."""
- parser = etree.XMLParser(recover=True)
- temp_string = "{0}".format(description_text)
- temp = etree.fromstring(temp_string, parser)
- return next(x.text for x in temp.iter() if x.tag == 'VulnDiscussion')
-
-
-def filter_xpath(tree, xpath_string):
- """Apply an xpath filter to the XML and return data."""
- element = tree.xpath(xpath_string, namespaces=XCCDF_NAMESPACE)
- return element_flatten(element)
-
-
-def filter_find(tree, xpath_string):
- """Do a find on the tree to get specific data."""
- element = tree.find(xpath_string, namespaces=XCCDF_NAMESPACE)
- return element_flatten(element)
-
-
-def filter_findall(tree, xpath_string):
- """Do a find on the tree to get specific data."""
- element = tree.findall(xpath_string, namespaces=XCCDF_NAMESPACE)
- return element_flatten(element)
-
-
-def get_deployer_notes(stig_id):
- """Read deployer notes based on the STIG ID."""
- filename = "{0}/rhel6/{1}.rst".format(METADATA_DIR, stig_id)
-
- # Does this deployer note exist?
- if not os.path.isfile(filename):
- return False
-
- # Read the note and parse it with YAML
- with open(filename, 'r') as f:
- rst_file = f.read()
-
- # Split the RST into frontmatter and text
- # NOTE(mhayden): Can't use the standard yaml.load_all() here at it will
- # have scanner errors in documents that have colons (:).
- yaml_boundary = re.compile(r'^-{3,}$', re.MULTILINE)
- _, metadata, text = yaml_boundary.split(rst_file, 2)
-
- # Assemble the metadata and the text from the deployer note.
- post = yaml.safe_load(metadata)
- post['content'] = text
-
- return post
-
-
-def render_all(stig_ids, all_deployer_notes):
- """Generate documentation RST for each STIG configuration."""
- template = JINJA_ENV.get_template('template_all.j2')
- return template.render(
- stig_ids=stig_ids,
- all_deployer_notes=all_deployer_notes,
- )
-
-
-def render_doc(stig_rule, deployer_notes):
- """Generate documentation RST for each STIG configuration."""
- template = JINJA_ENV.get_template('template_doc.j2')
- return template.render(
- rule=stig_rule,
- notes=deployer_notes
- )
-
-
-def render_toc(toc_type, stig_dict, all_deployer_notes):
- """Generate documentation RST for each STIG configuration."""
- template = JINJA_ENV.get_template('template_toc.j2')
- return template.render(
- toc_type=toc_type,
- stig_dict=stig_dict,
- all_deployer_notes=all_deployer_notes,
- )
-
-
-def write_file(filename, content):
- """Write contents to files."""
- file_path = "{0}/{1}".format(DOC_SOURCE_DIR, filename)
- with open(file_path, 'w') as f:
- f.write(content.encode('utf-8'))
-
- return True
-
-
-def generate_docs():
- """The main function."""
- tree = read_xml()
-
- # Create a simple list to capture all of the STIGs
- stig_ids = []
-
- # Create defaultdicts to hold information to build our table of
- # contents files for sphinx.
- all_deployer_notes = defaultdict(list)
- severity = defaultdict(list)
- tag = defaultdict(list)
- status = defaultdict(list)
-
- # Loop through the groups and extract rules
- group_elements = filter_xpath(tree, "/x:Benchmark/x:Group")
- for group_element in group_elements:
- rule_element = filter_find(group_element, 'x:Rule')
-
- # We have to extract a piece of the description since it contains
- # multiple sections. We only want the VulnDiscussion section.
- raw_description = filter_find(rule_element,
- 'x:description').text
- description = fill(extract_description(raw_description), width=78)
-
- # Build a dictionary with all of our rule data.
- rule = {
- 'id': group_element.attrib['id'],
- 'title': filter_find(rule_element, 'x:title').text,
- 'severity': rule_element.attrib['severity'],
- 'description': description,
- 'fix': filter_find(rule_element, 'x:fixtext').text,
- 'check': filter_find(rule_element,
- 'x:check/x:check-content').text,
- }
-
- # Get the deployer notes from YAML
- deployer_notes = get_deployer_notes(rule['id'])
- rule['deployer_notes'] = deployer_notes
-
- all_deployer_notes[rule['id']] = rule
- stig_ids.append(rule['id'])
- severity[rule['severity']].append(rule['id'])
- status[deployer_notes['status']].append(rule['id'])
- tag[deployer_notes['tag']].append(rule['id'])
-
- keyorder = ['high', 'medium', 'low']
- severity = OrderedDict(sorted(severity.items(),
- key=lambda x: keyorder.index(x[0])))
- status = OrderedDict(sorted(status.items(), key=lambda x: x[0]))
- tag = OrderedDict(sorted(tag.items(), key=lambda x: x[0]))
-
- all_toc = render_all(stig_ids, all_deployer_notes)
- severity_toc = render_toc('severity',
- severity,
- all_deployer_notes)
- status_toc = render_toc('implementation status',
- status,
- all_deployer_notes)
- tag_toc = render_toc('tag',
- tag,
- all_deployer_notes)
-
- write_file("auto_controls-all.rst", all_toc)
- write_file("auto_controls-by-severity.rst", severity_toc)
- write_file("auto_controls-by-status.rst", status_toc)
- write_file("auto_controls-by-tag.rst", tag_toc)
-
-
-def setup(app):
- """Set up the Sphinx extension."""
- generate_docs()
diff --git a/doc/source/_static/.gitkeep b/doc/source/_static/.gitkeep
deleted file mode 100644
index e69de29b..00000000
diff --git a/doc/source/_themes/openstack/layout.html b/doc/source/_themes/openstack/layout.html
deleted file mode 100644
index 512ab3fa..00000000
--- a/doc/source/_themes/openstack/layout.html
+++ /dev/null
@@ -1,109 +0,0 @@
-{% extends "basic/layout.html" %}
-{% set css_files = css_files + ['_static/tweaks.css'] %}
-
-{% block sidebar2 %}
-
-
- {%- if not embedded %}{% if not theme_nosidebar|tobool %} - {%- block sidebarlogo %} - {%- if logo %} - - {%- endif %} - {%- endblock %} - {%- block sidebartoc %} - {%- if display_toc %} -

{{ _('Table Of Contents') }}

- {{ toc }} - {%- endif %} - {%- endblock %} - {%- block sidebarrel %} - {%- if prev %} -

{{ _('Previous topic') }}

-

{{ prev.title }}

- {%- endif %} - {%- if next %} -

{{ _('Next topic') }}

-

{{ next.title }}

- {%- endif %} - {%- endblock %} - {%- block projectsource %} - {%- if cgit_link %} -

{{ _('Project Source') }}

- - {%- endif %} - {%- endblock %} - {%- block sidebarsourcelink %} - {%- if show_source and has_source and sourcename %} -

{{ _('This Page') }}

- - {%- endif %} - {%- endblock %} - {%- if customsidebar %} - {% include customsidebar %} - {%- endif %} - {%- block sidebarsearch %} - {%- if pagename != "search" %} - - - {%- endif %} - {%- endblock %} - {%- endif %}{% endif %} -
-
-{% endblock %} - -{% block relbar1 %}{% endblock relbar1 %} - -{% block header %} - -{% endblock %} - -{% block footer %} -{{ super() }} - - -{% endblock %} diff --git a/doc/source/_themes/openstack/static/basic.css b/doc/source/_themes/openstack/static/basic.css deleted file mode 100644 index 5542eea1..00000000 --- a/doc/source/_themes/openstack/static/basic.css +++ /dev/null 
@@ -1,419 +0,0 @@
-/**
- * Sphinx stylesheet -- basic theme
- * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- */
-
-/* -- main layout ----------------------------------------------------------- */
-
-div.clearer {
- clear: both;
-}
-
-/* -- relbar ---------------------------------------------------------------- */
-
-div.related {
- font-size: 90%;
-}
-
-div.related h3 {
- display: none;
-}
-
-div.related ul {
- margin: 0;
- padding: 0 0 0 10px;
- list-style: none;
-}
-
-div.related li {
- display: inline;
-}
-
-div.related li.right {
- float: right;
- margin-right: 5px;
-}
-
-/* -- sidebar --------------------------------------------------------------- */
-
-div.sphinxsidebarwrapper {
- padding: 10px 5px 0 10px;
-}
-
-div.sphinxsidebar {
- float: left;
- width: 260px;
- margin-left: -100%;
- font-size: 90%;
-}
-
-div.sphinxsidebar ul {
- list-style: none;
-}
-
-div.sphinxsidebar ul ul,
-div.sphinxsidebar ul.want-points {
- margin-left: 20px;
- list-style: square;
-}
-
-div.sphinxsidebar ul ul {
- margin-top: 0;
- margin-bottom: 0;
-}
-
-div.sphinxsidebar form {
- margin-top: 10px;
-}
-
-div.sphinxsidebar input {
- border: 1px solid #98dbcc;
- font-family: sans-serif;
- font-size: 1em;
-}
-
-div.sphinxsidebar span.pre {
- word-wrap: break-word;
-}
-
-img {
- border: 0;
-}
-
-/* -- search page ----------------------------------------------------------- */
-
-ul.search {
- margin: 10px 0 0 20px;
- padding: 0;
-}
-
-ul.search li {
- padding: 5px 0 5px 20px;
- background-image: url(file.png);
- background-repeat: no-repeat;
- background-position: 0 7px;
-}
-
-ul.search li a {
- font-weight: bold;
-}
-
-ul.search li div.context {
- color: #888;
- margin: 2px 0 0 30px;
- text-align: left;
-}
-
-ul.keywordmatches li.goodmatch a {
- font-weight: bold;
-}
-
-/* -- index page ------------------------------------------------------------ */
-
-table.contentstable {
- width: 90%;
-}
-
-table.contentstable p.biglink {
- line-height: 150%;
-}
-
-a.biglink {
- font-size: 1.3em;
-}
-
-span.linkdescr {
- font-style: italic;
- padding-top: 5px;
- font-size: 90%;
-}
-
-/* -- general index --------------------------------------------------------- */
-
-table.indextable td {
- text-align: left;
- vertical-align: top;
-}
-
-table.indextable dl, table.indextable dd {
- margin-top: 0;
- margin-bottom: 0;
-}
-
-table.indextable tr.pcap {
- height: 10px;
-}
-
-table.indextable tr.cap {
- margin-top: 10px;
- background-color: #f2f2f2;
-}
-
-img.toggler {
- margin-right: 3px;
- margin-top: 3px;
- cursor: pointer;
-}
-
-/* -- general body styles --------------------------------------------------- */
-
-a.headerlink {
- visibility: hidden;
-}
-
-h1:hover > a.headerlink,
-h2:hover > a.headerlink,
-h3:hover > a.headerlink,
-h4:hover > a.headerlink,
-h5:hover > a.headerlink,
-h6:hover > a.headerlink,
-dt:hover > a.headerlink {
- visibility: visible;
-}
-
-div.body p.caption {
- text-align: inherit;
-}
-
-div.body td {
- text-align: left;
-}
-
-.field-list ul {
- padding-left: 1em;
-}
-
-.first {
-}
-
-p.rubric {
- margin-top: 30px;
- font-weight: bold;
-}
-
-/* -- sidebars -------------------------------------------------------------- */
-
-div.sidebar {
- margin: 0 0 0.5em 1em;
- border: 1px solid #ddb;
- padding: 7px 7px 0 7px;
- background-color: #ffe;
- width: 40%;
- float: right;
-}
-
-p.sidebar-title {
- font-weight: bold;
-}
-
-/* -- topics ---------------------------------------------------------------- */
-
-div.topic {
- border: 1px solid #ccc;
- padding: 7px 7px 0 7px;
- margin: 10px 0 10px 0;
-}
-
-p.topic-title {
- font-size: 1.1em;
- font-weight: bold;
- margin-top: 10px;
-}
-
-/* -- admonitions ----------------------------------------------------------- */
-
-div.admonition {
- margin-top: 10px;
- margin-bottom: 10px;
- padding: 7px;
-}
-
-div.admonition dt {
- font-weight: bold;
-}
-
-div.admonition dl {
- margin-bottom: 0;
-}
-
-p.admonition-title {
- margin: 0px 10px 5px 0px;
- font-weight: bold;
-}
-
-div.body p.centered {
- text-align: center;
- margin-top: 25px;
-}
-
-/* -- tables ---------------------------------------------------------------- */
-
-table.docutils {
- border: 0;
- border-collapse: collapse;
-}
-
-table.docutils td, table.docutils th {
- padding: 1px 8px 1px 0;
- border-top: 0;
- border-left: 0;
- border-right: 0;
- border-bottom: 1px solid #aaa;
-}
-
-table.field-list td, table.field-list th {
- border: 0 !important;
-}
-
-table.footnote td, table.footnote th {
- border: 0 !important;
-}
-
-th {
- text-align: left;
- padding-right: 5px;
-}
-
-/* -- other body styles ----------------------------------------------------- */
-
-dl {
- margin-bottom: 15px;
-}
-
-dd p {
- margin-top: 0px;
-}
-
-dd ul, dd table {
- margin-bottom: 10px;
-}
-
-dd {
- margin-top: 3px;
- margin-bottom: 10px;
- margin-left: 30px;
-}
-
-dt:target, .highlight {
- background-color: #fbe54e;
-}
-
-dl.glossary dt {
- font-weight: bold;
- font-size: 1.1em;
-}
-
-.field-list ul {
- margin: 0;
- padding-left: 1em;
-}
-
-.field-list p {
- margin: 0;
-}
-
-.refcount {
- color: #060;
-}
-
-.optional {
- font-size: 1.3em;
-}
-
-.versionmodified {
- font-style: italic;
-}
-
-.system-message {
- background-color: #fda;
- padding: 5px;
- border: 3px solid red;
-}
-
-.footnote:target {
- background-color: #ffa
-}
-
-.line-block {
- display: block;
- margin-top: 1em;
- margin-bottom: 1em;
-}
-
-.line-block .line-block {
- margin-top: 0;
- margin-bottom: 0;
- margin-left: 1.5em;
-}
-
-/* -- code displays --------------------------------------------------------- */
-
-pre {
- overflow: auto;
-}
-
-td.linenos pre {
- padding: 5px 0px;
- border: 0;
- background-color: transparent;
- color: #aaa;
-}
-
-table.highlighttable {
- margin-left: 0.5em;
-}
-
-table.highlighttable td {
- padding: 0 0.5em 0 0.5em;
-}
-
-tt.descname {
- background-color: transparent;
- font-weight: bold;
- font-size: 1.2em;
-}
-
-tt.descclassname {
- background-color: transparent;
-}
-
-tt.xref, a tt {
- background-color: transparent;
- font-weight: bold;
-}
-
-h1 tt, h2 tt, h3 tt, h4 tt, h5 tt, h6 tt {
- background-color: transparent;
-}
-
-/* -- math display ---------------------------------------------------------- */
-
-img.math {
- vertical-align: middle;
-}
-
-div.body div.math p {
- text-align: center;
-}
-
-span.eqno {
- float: right;
-}
-
-/* -- printout stylesheet --------------------------------------------------- */
-
-@media print {
- div.document,
- div.documentwrapper,
- div.bodywrapper {
- margin: 0 !important;
- width: 100%;
- }
-
- div.sphinxsidebar,
- div.related,
- div.footer,
- #top-link {
- display: none;
- }
-}
diff --git a/doc/source/_themes/openstack/static/default.css b/doc/source/_themes/openstack/static/default.css
deleted file mode 100644
index c8091ecb..00000000
--- a/doc/source/_themes/openstack/static/default.css
+++ /dev/null
@@ -1,230 +0,0 @@
-/**
- * Sphinx stylesheet -- default theme
- * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- */
-
-@import url("basic.css");
-
-/* -- page layout ----------------------------------------------------------- */
-
-body {
- font-family: sans-serif;
- font-size: 100%;
- background-color: #11303d;
- color: #000;
- margin: 0;
- padding: 0;
-}
-
-div.document {
- background-color: #1c4e63;
-}
-
-div.documentwrapper {
- float: left;
- width: 100%;
-}
-
-div.bodywrapper {
- margin: 0 0 0 230px;
-}
-
-div.body {
- background-color: #ffffff;
- color: #000000;
- padding: 0 20px 30px 20px;
-}
-
-div.footer {
- color: #ffffff;
- width: 100%;
- padding: 9px 0 9px 0;
- text-align: center;
- font-size: 75%;
-}
-
-div.footer a {
- color: #ffffff;
- text-decoration: underline;
-}
-
-div.related {
- background-color: #133f52;
- line-height: 30px;
- color: #ffffff;
-}
-
-div.related a {
- color: #ffffff;
-}
-
-div.sphinxsidebar {
-}
-
-div.sphinxsidebar h3 {
- font-family: 'Trebuchet MS', sans-serif;
- color: #ffffff;
- font-size: 1.4em;
- font-weight: normal;
- margin: 0;
- padding: 0;
-}
-
-div.sphinxsidebar h3 a {
- color: #ffffff;
-}
-
-div.sphinxsidebar h4 {
- font-family: 'Trebuchet MS', sans-serif;
- color: #ffffff;
- font-size: 1.3em;
- font-weight: normal;
- margin: 5px 0 0 0;
- padding: 0;
-}
-
-div.sphinxsidebar p {
- color: #ffffff;
-}
-
-div.sphinxsidebar p.topless {
- margin: 5px 10px 10px 10px;
-}
-
-div.sphinxsidebar ul {
- margin: 10px;
- padding: 0;
- color: #ffffff;
-}
-
-div.sphinxsidebar a {
- color: #98dbcc;
-}
-
-div.sphinxsidebar input {
- border: 1px solid #98dbcc;
- font-family: sans-serif;
- font-size: 1em;
-}
-
-/* -- body styles ----------------------------------------------------------- */
-
-a {
- color: #355f7c;
- text-decoration: none;
-}
-
-a:hover {
- text-decoration: underline;
-}
-
-div.body p, div.body dd, div.body li {
- text-align: left;
- line-height: 130%;
-}
-
-div.body h1,
-div.body h2,
-div.body h3,
-div.body h4,
-div.body h5,
-div.body h6 {
- font-family: 'Trebuchet MS', sans-serif;
- background-color: #f2f2f2;
- font-weight: normal;
- color: #20435c;
- border-bottom: 1px solid #ccc;
- margin: 20px -20px 10px -20px;
- padding: 3px 0 3px 10px;
-}
-
-div.body h1 { margin-top: 0; font-size: 200%; }
-div.body h2 { font-size: 160%; }
-div.body h3 { font-size: 140%; }
-div.body h4 { font-size: 120%; }
-div.body h5 { font-size: 110%; }
-div.body h6 { font-size: 100%; }
-
-a.headerlink {
- color: #c60f0f;
- font-size: 0.8em;
- padding: 0 4px 0 4px;
- text-decoration: none;
-}
-
-a.headerlink:hover {
- background-color: #c60f0f;
- color: white;
-}
-
-div.body p, div.body dd, div.body li {
- text-align: left;
- line-height: 130%;
-}
-
-div.admonition p.admonition-title + p {
- display: inline;
-}
-
-div.admonition p {
- margin-bottom: 5px;
-}
-
-div.admonition pre {
- margin-bottom: 5px;
-}
-
-div.admonition ul, div.admonition ol {
- margin-bottom: 5px;
-}
-
-div.note {
- background-color: #eee;
- border: 1px solid #ccc;
-}
-
-div.seealso {
- background-color: #ffc;
- border: 1px solid #ff6;
-}
-
-div.topic {
- background-color: #eee;
-}
-
-div.warning {
- background-color: #ffe4e4;
- border: 1px solid #f66;
-}
-
-p.admonition-title {
- display: inline;
-}
-
-p.admonition-title:after {
- content: ":";
-}
-
-pre {
- padding: 5px;
- background-color: #eeffcc;
- color: #333333;
- line-height: 120%;
- border: 1px solid #ac9;
- border-left: none;
- border-right: none;
-}
-
-tt {
- background-color: #ecf0f3;
- padding: 0 1px 0 1px;
- font-size: 0.95em;
-}
-
-.warning tt {
- background: #efc2c2;
-}
-
-.note tt {
- background: #d6d6d6;
-}
diff --git a/doc/source/_themes/openstack/static/header-line.gif b/doc/source/_themes/openstack/static/header-line.gif
deleted file mode 100644
index 3601730e03488b7b5f92dc992d23ad753357c167..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 48
zcmZ?wbhEHbWMg1uXkcVG`smgF|Nj+#vM@3*Ff!;c00Bsbfr-7RpY8O^Kn4bD08FwB
Aga7~l

diff --git a/doc/source/_themes/openstack/static/header_bg.jpg b/doc/source/_themes/openstack/static/header_bg.jpg deleted file mode 100644 index f788c41c26481728fa4329c17c87bde36001adc1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3738 zcmd5-YdDna8vedHnM0NtYi6>>At7O=uyTsZup5R_40A9)aXQa}U(l^=gSg=J*&3mKp$aM0r>UIFDe9Zy(vs} zWf)kqO2Y_n0$>ZQ0D&hY4tWjpY?Ii5?V)h*kc0fz?%ZIj3|{;F8E5l%d0)&*Hx~ulvc_*73u8%R zsVMV~ne!JY);&pWott~QIZYJFTXliYc2};JEU{X7W6;ZPfz;)U;U4#mEuK@K*=SC3BR-m&x9(Nna@>b@%FS34|P^jtsXRb5>z9gtPp;_MI2F3o*k z>csA-?CX4b;~4P-*L$+Mmb|51F)eD*wCc`Jt(9}C${Zo=!Uin=u_yMC^;`X!x$##4 z+~}dkT`NF@Uhw0r+6g_)?e!h8IX+OE^C96>UOsv0GPMD6(kr#ljhXRnA=O>Qj@%iT zqBF7aQ*}BG)h@6r0%#azk!r9yrN6>9dq~>KadV$~cGG?Hjk>~it^5rd#zS4KE*p+4 z;;B)%oBK8PNTs=A)a-z`n?3zJ%+h{`=>ijk4sYKr*>`eN1H`~Lo|Tm!o6qN{S* zeNl=NcpGzD55)XnLC|>g)~w={=c#4*x^;mk4Zo_FOFlffP@!?1`c+TogTVR4kp9-q z`d5cMBzNxk6qjPRK9*WY3uHS=bnm_QJvSMBBS_A#3i=ywsg6^|9rfruW0MhdGwHDO z?1gJRMQVecKE^gV{%uo(b)zl^Hd&vmnwFh88h*-?FJ;y=Hdqvt!K|s<$>xlzR=G4{ zZgGOCF43IXS?62B)w*N&dXt%U8X^Bjx}^%Yf>VFpFoKSGP%k?ems;&&J)|Dx(qtQD zu2tS)<_Qz4#LhBKYkl@Og}G)^5+F4P($Fk>)}{uMVv|;Sz2i4$XJ_WTw*;n>3N805rnXhbC52SC={E3rXRlrs|I6f;o|Cn%eje59{axu9sivy4oYmg=j|fLt3<3 zFce84aNb8GbK;y>RbBu71YBcYKL3@M3N25yoE%BtG z^K!`WTQ|fb-Ysa7T)mEw&4_b)PWYgc!)3W)H+neR9o^f|AXdgY1`gN+pvgzbbk`M z*Ts6${7M`2)9XIPy^MoXTiiP2GTp_OtgWMshnH)M&ZSO0)cet!oWo_0_&hV(0?Qdb zdo(sw{I#{hI`SWPM`N=U^#+MgN-*rZ#J7Cm7Jj89`5ehd_{z&9->Jc7$F(X4)&|`K z5rEgd;@dhi-IzJnSVpMd!Gf_G-QW+ zjVMrIas1)g%)GJ;(=oaK};O^)NYdS1`XR?K_;I7qj zhii5}x^he{U3M+GF+WpYws#=Pt#S9xB_X5QE7W+_rQdwMhukJnQj}5cnCz_sIJ#r0 zJa5drkRPI$X(4YdpCswJe#5aN4Jjw3V3Nzt&`lcKBI~#;!>jq7j8y# zvHrFg_#P376A45^hp-KU*P=R;DVdPK*w7D@Gw+`XsSpm^L-VkCooZF61sPAnnjsT# zND4C{>G#P10F_&txEoE!rX%Iy*L}Kna=Q%fDLJ_rF*LujRITZ)$g!?UYLkCXOoz-S z_p`Hny*Rh--l)aYQC&-2dd%;%VKGC1<1DJm_n~`nk4^yS`}&P zM}5bOypW0hwtvrwnE>}g1Mq+B>09qPp1b$hn6kC_iqF`tX#G-t7D$n}Ky9t}sUqiI zOe@odQ?JueZ+sg`-zoQ}J4if6vv1c9x{BDme+F6z{8esU^Kio zK_oPy9}@nlGywSOZy9`^- 
zzBg>C9|rgWF{pcCogEV@;d}VHrgeBl=5Dr*th4V!1`Z9Zrz9le1zHC#sM3{j#G2R?WMhl6b_yyoEAxX>Zixl$16`+^d$ihNtuIBUafyiCEv#oksNL<4= z*oDXsc7-(ww^9-b-6_|bITySG1N2C-7p0L4+V@R%j=4@ygc=89bmSNy38$S=ZiDyP z0SrqrVA;zi8kYBZ2@Mx(2Lx~-*bc@d1#4R($RJv$9ZTfx_t7Kc|HIHnd&@I386P?& z?d6Vd(48n${cTNFFCoSIUj#O{mmt%M&xCIFmR9Y3f{2UnF4e9@uFZOaYiY|CLdbDa z%xS9x4SHi7Fr-1?CnDqRK?)n&$TTBW5J?O&o{TnNCnLw*{QmT7{c}flSbp9&xi*zF z1TdUn&_!$_WxQbMKGkgsl}B%+N5ZV%Hy6_zJ>dejD89yCBMw9(d}z2fWjYH_nV6!F zqe_rI2H5Pi0^~S6)jjnu%lqZN*eQq6!||a24+edpSH_{C8Ew^g8dw2qdrH!@*E7K* z)00Bb8uUsai%v6Oa^L@3E02r|EG%EdV>q;=#2Q9Wjv3l?dAur$4bzyOl3M6 z1hf%&o*#2R&xnS1z4&R`Uq%`Ut0_P{BOwt;FuDbCW75Qp#l)U;+N6jaIz6Nf$t6dNV>^>ETzcpQ=%tMaf0k|rg72+IW`z$FyfE+D{1@tt$t5DmX)*;QV?c;%+5Z&egAgfXTQJq-mZkC z>pFAHu}U=Axde_?s!99ZfDg_+9TYzDa6N1R3adhx&2Mb7>9w`KpMNz!>U5t2XQ8lZ zu+!+H7(PRwF@jAkwvI;|8|=Z_dfzV`Kpi;I!e=|Ql+HAdEag?VZ^Ilw9XJj9N1#1a z?UFC!)X62`CRIe^9YCLKbJ` z&O@f0zt{Z1YDF1utg2$F+rzvrncys+g37Xsd8)idSW(=}t#~qF#qBo29*@^ZCs<$W zpa144=o4g0z63h_ttPfIpH-FyG^MAH+6B~r$(4qw+Uv{2d#h`$lq+i+#Tf%CAzDFUh!pzX(6nW{EASJAQkhm!+}aGpHc z;(+N`S*@tYmump1T37E}J;!$0#F>^M*mT_X1x~bvnp&qP9IHI#bj-0z8FR+=p+e#*w3ugV#wX``sR-CI1!YiQsfc@Om<;1MBw zlfqH9z4Q|m*C?URU1OG(`UYn>Q8<|I!mby#FlN5MMFE8;Pyh$skbR?ngFLt?%nWSkS-#W5umy>@^DyAERP~{E&`M%0(qi&((^ahqL}u^jT<2dcf)p< z%Fxc9J$nh_`>_oNYC?oy`rIDY46Yrw4si3Qn~oXV%dJ}IlUD-40>QipyGa_dV0Z%J ztcEXm5yxR0gySJ04{nnbm#vP=Hq&GI<8VxcZ34pRjt6m%pE2H|!+HBJQrdBdyKHJR z2O_}hp!5bXuwniQYTF>yI|=cjT+2l`9T3|H+l4%ryPxWQm(ODW#8Ctj_CplcO=)qj zD#d~V6BahR9NY1kE5rF)_j<|!Cqnpq0uOKhL%w z>y8OyeTM1?REXc{0|3b=#WPZneh80PxL=Ljau1~+CgtMgg-vccMDX-L z9^7An_;!lFAi`#G_1F*OdM|Z$EVQs0m0$?mY}(baOZ%Zpd62#Pyg!3Jd4d zD^8+lSir&T6Y9-p9L#Wz6$5nXLjdOl?7Lv!TeMr}F14ranauW9=L>ubu*x>Bcrgwp zjrT@{rL*2Fc}Ilwn07QvdJfMOO2=(1Px)6&ih7lg839!Bx&}lQER~T`^7_x@fXo({ zCZMeZYt*!VgMTg>PR)PBaIwubzRY%jjE`-s zG;B}>2!lD=QLOTfQOEZKIEz*;yTJ9(Af0zNv;IDq7#Fr#W{Ap+7Sq1N3TL21X|h2t z=Dk>^bGSsRX-u+cZ23mMB_Ioc0yNIfcfLWB>$hVU3W3>d&a?IM+bGRGt+t}aiv(eh z(D6Z9N>U2|Qxle(!UVTeEKE6W))3WI5z48Rs8d5v0GwmyC8iQiUJO8KS?QwHl2abL 
zNW+hadDdPc8z%MSOG$l&WR@!!&M{WLmrnS=-0G#&`a)chX>mN9W1>|yqve@lL8a`f zXRmn$B8P=dLxE!2rIi}a*gh%FI4j?C;b@L=WgypiTRf==n6DKr9mUExo6a@{wLM-I z9%V9{!;5G!<8fMYikfEbrGXRQN-9*24}kIIpP&dEg@fiLqAY5|jjv}$P3x0avZODU zdX`c|G>h`1f=3uEu)L9C)H5%frni#HZXcX`TD{iQ-e2qXxj_f%|WW;byDMc%7+uBy}Y?KLC?jp%yyyeBNkqQ-*osw2ex&97Q{#C7%CdSDMNIV zTdC(LEm?&qPcNOjM)h9Grs|M(gsuhV8@96?m4WkQ>j{bJIs)m^neL%ua!i+N8>Lh+ zKu#7rF~VOH@hb{zGXYwys!Um4Vkf+H8Hj6?^eI%kT%j+HA0K=6qdQ@nfR57Q`Jm9T zc)Yg9-`e~BRE!xoKZ z=mP|0Kihr}V1$5sHw$QekmoL)lQ;~@H$S)}s3xuwypiubB?1%OyBpwC08TH!=?BrQ zhOp`PTu;%u0}Q=XKGb7d$g8*;de8c1UI|Re2R;;Radh_D!FIZg+JP`oJg>5 z;&B7eVAomZe>j~hOOIVRO_Q7eSGz37hxmnsG!n%HX`C6gSqFcg(RLmikn%EPR*wel zrsc;>!vQ<>2ZW`lk`MbNLopFd#_9mh8iKPH;KbjC@xJU${pdxuTF{uO(eG#9t*>XP z_4Seh`r_#q$^xeiuy(=eSouv66cpS!t3n`|j`6xnmSs1q@;0!I)m<6eYHHGMRdB87 ziruozT=gn@yp`B9oGxD-b7PqhZum|oJCfLB38&8v51ijj-Pb`qvCr3FtJ0aFms2h3(n0-}3jJ~J$ zCzep7-MIZFbo$(m8zWm?SoRl__blLE+!fFBVVk1&XLg+vmVNcTk9O2+q?x#F0LZUN zu6oM~C)(7^0|az4nM}@aZf<@RkH0CR8<-Yn-fZe+Dbr#iJWSt#tnR4^h<@ePXWmeHIO4q^X zCbiy(=k3R1o1}0E+7x*OOe-qnIXG{#N_rqK*1NH}Qz6aumTR`YTgo5K=q=61;5@b- zrgUA_Qz=)(TPN!tCZE|{?B0*r9ov5Fcip6xQ2;Yqs*2_o7TFKGp0|~bcP@6+a(rz^ zXXmmyBfT}ucw_t(6s+f^t_)nc>RKW<-q_&J35vN+RPLsR?VAsQeHLyCR7AWvxFOVc zAg-xl=j*RipzaKWx3lAf?ei`PoM;bbAL>svH?JqQwjSulb9bghytRt%*5x-no>xlf zh7qj0LYRXVDU})?Btsy7^71*ujsEP_ACyd)P)*ULWBCXox@PUfwmQ#)Vl&oeIqpQY zHMgU+xe0EhQ)RmjdB3JHGdrsvJ9?A=WwOrn)J?BH{+D&O_@SKdrj2|8Z{hS1T(k>&Zlt;p=tqw*mVY1aLt=u^eAHkW>8cb#@q& z4-SLa@ii zCt7NGrLv)1Scy9ew-sOwwLYn2a6T#KzJgnbacm7Z20q6tcs~C!0DI+r(=$l+x{=W0A}~0&W)ll4*&oF07*qoM6N<$f~n6U7ytkO diff --git a/doc/source/_themes/openstack/static/tweaks.css b/doc/source/_themes/openstack/static/tweaks.css deleted file mode 100644 index 5bd5ff2a..00000000 --- a/doc/source/_themes/openstack/static/tweaks.css +++ /dev/null 
@@ -1,128 +0,0 @@
-body {
- background: #fff url(../_static/header_bg.jpg) top left no-repeat;
-}
-
-#header {
- width: 950px;
- margin: 0 auto;
- height: 102px;
-}
-
-#header h1#logo {
- background: url(../_static/openstack_logo.png) top left no-repeat;
- display: block;
- float: left;
- text-indent: -9999px;
- width: 175px;
- height: 55px;
-}
-
-#navigation {
- background: url(../_static/header-line.gif) repeat-x 0 bottom;
- display: block;
- float: left;
- margin: 27px 0 0 25px;
- padding: 0;
-}
-
-#navigation li{
- float: left;
- display: block;
- margin-right: 25px;
-}
-
-#navigation li a {
- display: block;
- font-weight: normal;
- text-decoration: none;
- background-position: 50% 0;
- padding: 20px 0 5px;
- color: #353535;
- font-size: 14px;
-}
-
-#navigation li a.current, #navigation li a.section {
- border-bottom: 3px solid #cf2f19;
- color: #cf2f19;
-}
-
-div.related {
- background-color: #cde2f8;
- border: 1px solid #b0d3f8;
-}
-
-div.related a {
- color: #4078ba;
- text-shadow: none;
-}
-
-div.sphinxsidebarwrapper {
- padding-top: 0;
-}
-
-pre {
- color: #555;
-}
-
-div.documentwrapper h1, div.documentwrapper h2, div.documentwrapper h3, div.documentwrapper h4, div.documentwrapper h5, div.documentwrapper h6 {
- font-family: 'PT Sans', sans-serif !important;
- color: #264D69;
- border-bottom: 1px dotted #C5E2EA;
- padding: 0;
- background: none;
- padding-bottom: 5px;
-}
-
-div.documentwrapper h3 {
- color: #CF2F19;
-}
-
-a.headerlink {
- color: #fff !important;
- margin-left: 5px;
- background: #CF2F19 !important;
-}
-
-div.body {
- margin-top: -25px;
- margin-left: 260px;
-}
-
-div.document {
- width: 960px;
- margin: 0 auto;
-}
-
-div.sphinxsidebar h3.highlighted {
- background-color: #cf2f19;
- color: #EEE;
- text-shadow: 1px 1px 0 #740101;
-}
-
-div.sphinxsidebar h3.highlighted a {
- color: #EEE;
-}
-
-/** provide visual separation for sidebar for increased readability. */
-div.sphinxsidebar ul li {
- margin-top: 1em;
- font-weight: bold;
-}
-
-div.sphinxsidebar ul li ul li {
- margin-top: 0;
- font-weight: normal;
-}
-
-/** Provide the sidebar to allow long words to go to the next line
- making them easier to read.*/
-div.sphinxsidebar a {
- display: block;
- text-indent: -1em;
- margin-left: 1em;
- word-wrap: break-word;
-}
-
-div.sphinxsidebar ul {
- margin: 10px 10px;
-}
\ No newline at end of file
diff --git a/doc/source/_themes/openstack/theme.conf b/doc/source/_themes/openstack/theme.conf
deleted file mode 100644
index e2b8bfe6..00000000
--- a/doc/source/_themes/openstack/theme.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-[theme]
-inherit = basic
-stylesheet = nature.css
-pygments_style = tango
-
-[options]
-incubating = false
diff --git a/doc/source/conf.py b/doc/source/conf.py
deleted file mode 100644
index 381eb9a2..00000000
--- a/doc/source/conf.py
+++ /dev/null
@@ -1,323 +0,0 @@
-#!/usr/bin/env python3
-"""Documentation configuration for the openstack-ansible-security role."""
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-# implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# This file is execfile()d with the current directory set to its
-# containing dir.
-#
-# Note that not all possible configuration values are present in this
-# autogenerated file.
-#
-# All configuration values have a default; values that are commented out
-# serve to show the default.
-import os
-import sys
-
-
-import openstackdocstheme
-import pbr.version
-
-# If extensions (or modules to document with autodoc) are in another directory,
-# add these directories to sys.path here. If the directory is relative to the
-# documentation root, use os.path.abspath to make it absolute, like shown here.
-sys.path.insert(0, os.path.join(os.path.abspath('.'), '_exts'))
-
-# NOTE(mhayden): Since the security role docs are fairly lengthy and deeply
-# nested in places, sphinx occasionally throws a pickling error as shown in
-# Launchpad bug 1627732. Sphinx 1.4 now prints a recommendation in these
-# situations to increase Python's recursion limit a bit higher to avoid the
-# pickling error.
-sys.setrecursionlimit(4000)
-
-# -- General configuration ------------------------------------------------
-
-# If your documentation needs a minimal Sphinx version, state it here.
-# needs_sphinx = '1.0'
-
-# Add any Sphinx extension module names here, as strings. They can be
-# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
-# ones.
-extensions = [
- 'metadata-docs',
- 'metadata-docs-rhel7',
-]
-
-# Add any paths that contain templates here, relative to this directory.
-# templates_path = ['_templates']
-
-# The suffix(es) of source filenames.
-source_suffix = '.rst'
-
-# The encoding of source files.
-# source_encoding = 'utf-8-sig'
-
-# The master toctree document.
-master_doc = 'index'
-
-# General information about the project.
-author = 'OpenStack-Ansible Contributors'
-category = 'Miscellaneous'
-copyright = '2014-2016, OpenStack-Ansible Contributors'
-description = 'OpenStack-Ansible deploys OpenStack environments using Ansible.'
-project = 'OpenStack-Ansible'
-role_name = 'security'
-target_name = 'openstack-ansible-' + role_name
-title = 'OpenStack-Ansible Documentation: ' + role_name + 'role'
-
-# The version info for the project you're documenting, acts as replacement for
-# |version| and |release|, also used in various other places throughout the
-# built documents.
-#
-# The short X.Y version.
-version_info = pbr.version.VersionInfo(target_name)
-# The full version, including alpha/beta/rc tags.
-release = version_info.version_string_with_vcs()
-# The short X.Y version.
-version = version_info.canonical_version_string()
-
-# A few variables have to be set for the log-a-bug feature.
-# giturl: The location of conf.py on Git. Must be set manually.
-# gitsha: The SHA checksum of the bug description. Automatically extracted
-# from git log.
-# bug_tag: Tag for categorizing the bug. Must be set manually.
-# These variables are passed to the logabug code via html_context.
-giturl = ("https://git.openstack.org/cgit/openstack/{0}"
- "/tree/doc/source").format(target_name)
-git_cmd = "/usr/bin/git log | head -n1 | cut -f2 -d' '"
-gitsha = os.popen(git_cmd).read().strip('\n')
-bug_title = "Documentation bug"
-bug_project = project.lower()
-html_context = {"gitsha": gitsha, "giturl": giturl,
- "bug_tag": "docs", "bug_title": bug_title,
- "bug_project": bug_project}
-
-
-# The language for content autogenerated by Sphinx. Refer to documentation
-# for a list of supported languages.
-#
-# This is also used if you do content translation via gettext catalogs.
-# Usually you set "language" from the command line for these cases.
-language = None
-
-# There are two options for replacing |today|: either, you set today to some
-# non-false value, then it is used:
-# today = ''
-# Else, today_fmt is used as the format for a strftime call.
-# today_fmt = '%B %d, %Y'
-
-# List of patterns, relative to source directory, that match files and
-# directories to ignore when looking for source files.
-exclude_patterns = [
- 'developer-notes/*.rst',
- 'stig-notes/*.rst',
- 'auto_V-*.rst'
-]
-
-# The reST default role (used for this markup: `text`) to use for all
-# documents.
-# default_role = None
-
-# If true, '()' will be appended to :func: etc. cross-reference text.
-# add_function_parentheses = True
-
-# If true, the current module name will be prepended to all description
-# unit titles (such as .. function::).
-# add_module_names = True
-
-# If true, sectionauthor and moduleauthor directives will be shown in the
-# output. They are ignored by default.
-# show_authors = False
-
-# The name of the Pygments (syntax highlighting) style to use.
-pygments_style = 'sphinx'
-
-# A list of ignored prefixes for module index sorting.
-# modindex_common_prefix = []
-
-# If true, keep warnings as "system message" paragraphs in the built documents.
-# keep_warnings = False
-
-# -- Options for HTML output ----------------------------------------------
-
-# The theme to use for HTML and HTML Help pages. See the documentation for
-# a list of builtin themes.
-html_theme = 'openstackdocs'
-
-# Theme options are theme-specific and customize the look and feel of a theme
-# further. For a list of options available for each theme, see the
-# documentation.
-html_theme_options = {
- "display_toc": False
-}
-
-# Add any paths that contain custom themes here, relative to this directory.
-html_theme_path = [openstackdocstheme.get_html_theme_path()]
-
-# The name for this set of Sphinx documents. If None, it defaults to
-# " v documentation".
-# html_title = None
-
-# A shorter title for the navigation bar. Default is the same as html_title.
-# html_short_title = None
-
-# The name of an image file (relative to this directory) to place at the top
-# of the sidebar.
-# html_logo = None
-
-# The name of an image file (within the static path) to use as favicon of the
-# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
-# pixels large.
-# html_favicon = None
-
-# Add any paths that contain custom static files (such as style sheets) here,
-# relative to this directory. They are copied after the builtin static files,
-# so a file named "default.css" will overwrite the builtin "default.css".
-# html_static_path = []
-
-# Add any extra paths that contain custom files (such as robots.txt or
-# .htaccess) here, relative to this directory. These files are copied
-# directly to the root of the documentation.
-# html_extra_path = []
-
-# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
-# using the given strftime format.
-html_last_updated_fmt = '%Y-%m-%d %H:%M'
-
-# If true, SmartyPants will be used to convert quotes and dashes to
-# typographically correct entities.
-# html_use_smartypants = True
-
-# Custom sidebar templates, maps document names to template names.
-# html_sidebars = {}
-
-# Additional templates that should be rendered to pages, maps page names to
-# template names.
-# html_additional_pages = {}
-
-# If false, no module index is generated.
-# html_domain_indices = True
-
-# If false, no index is generated.
-html_use_index = False
-
-# If true, the index is split into individual pages for each letter.
-# html_split_index = False
-
-# If true, links to the reST sources are added to the pages.
-html_show_sourcelink = False
-
-# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
-# html_show_sphinx = True
-
-# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
-# html_show_copyright = True
-
-# If true, an OpenSearch description file will be output, and all pages will
-# contain a tag referring to it. The value of this option must be the
-# base URL from which the finished HTML is served.
-# html_use_opensearch = ''
-
-# This is the file name suffix for HTML files (e.g. ".xhtml").
-# html_file_suffix = None
-
-# Output file base name for HTML help builder.
-htmlhelp_basename = target_name + '-docs'
-
-# If true, publish source files
-html_copy_source = False
-
-# -- Options for LaTeX output ---------------------------------------------
-
-latex_elements = {
- # The paper size ('letterpaper' or 'a4paper').
- # 'papersize': 'letterpaper',
-
- # The font size ('10pt', '11pt' or '12pt').
- # 'pointsize': '10pt',
-
- # Additional stuff for the LaTeX preamble.
- # 'preamble': '',
-}
-
-# Grouping the document tree into LaTeX files. List of tuples
-# (source start file, target name, title,
-# author, documentclass [howto, manual, or own class]).
-latex_documents = [
- (master_doc, target_name + '.tex',
- title, author, 'manual'),
-]
-
-# The name of an image file (relative to this directory) to place at the top of
-# the title page.
-# latex_logo = None
-
-# For "manual" documents, if this is true, then toplevel headings are parts,
-# not chapters.
-# latex_use_parts = False
-
-# If true, show page references after internal links.
-# latex_show_pagerefs = False
-
-# If true, show URL addresses after external links.
-# latex_show_urls = False
-
-# Documents to append as an appendix to all manuals.
-# latex_appendices = []
-
-# If false, no module index is generated.
-# latex_domain_indices = True
-
-
-# -- Options for manual page output ---------------------------------------
-
-# One entry per manual page. List of tuples
-# (source start file, name, description, authors, manual section).
-man_pages = [
- (master_doc, target_name,
- title, [author], 1)
-]
-
-# If true, show URL addresses after external links.
-# man_show_urls = False
-
-
-# -- Options for Texinfo output -------------------------------------------
-
-# Grouping the document tree into Texinfo files. List of tuples
-# (source start file, target name, title, author,
-# dir menu entry, description, category)
-texinfo_documents = [
- (master_doc, target_name,
- title, author, project,
- description, category),
-]
-
-# Documents to append as an appendix to all manuals.
-# texinfo_appendices = []
-
-# If false, no module index is generated.
-# texinfo_domain_indices = True
-
-# How to display URL addresses: 'footnote', 'no', or 'inline'.
-# texinfo_show_urls = 'footnote'
-
-# If true, do not generate a @detailmenu in the "Top" node's menu.
-# texinfo_no_detailmenu = False
-
-# -- Options for PDF output --------------------------------------------------
-
-pdf_documents = [
- (master_doc, target_name,
- title, author)
-]
diff --git a/doc/source/controls-rhel7.rst b/doc/source/controls-rhel7.rst
deleted file mode 100644
index 90d27178..00000000
--- a/doc/source/controls-rhel7.rst
+++ /dev/null
@@ -1,68 +0,0 @@ -Security hardening controls in detail (RHEL 7 STIG) -=================================================== - -The openstack-ansible-security role follows the Red Hat Enteprise Linux 7 -`Security Technical Implementation Guide (STIG)`_. The guide has over 200 -controls that apply to various parts of a Linux system, and it is updated -regularly by the Defense Information Systems Agency (DISA). DISA is part of the -United States Department of Defense. The current version of the openstack- -ansible-security role is based on release 1, version 0.2 of the Red Hat -Enterprise Linux 7 STIG. - -Controls are divided into groups based on the following properties: - -* **Severity:** - - * *High severity* controls have a large impact on the security of a - system. They also have the largest operational impact to a system and - deployers should test them thoroughly in non-production environments. - - * *Low severity* controls have a smaller impact on overall security, but they - are generally easier to implement with a much lower operational impact. - -* **Implementation Status:** - - * *Implemented* controls are automatically implemented with automated tasks. - Deployers can often opt out of these controls by adjusting Ansible - variables. These variables are documented with each control below. - - * *Exceptions* denote controls that cannot be completed via automated tasks. - Some of these controls must be applied during the initial provisioning - process for new servers while others require manual inspection of the - system. - - * *Opt in* controls have automated tasks written, but these tasks are - disabled by default. These controls are often disabled because they could - cause disruptions on a production system, or they do not provide a - significant security benefit. Each control can be enabled with Ansible - variables and these variables are documented with each control below. - - * *Verification only* controls have tasks that verify that a control is met. 
- These tasks do not take any action on the system, but they often display - debug output with additional instructions for deployers. - -* **Tag:** - - * Each control has a tag applied, and the tags allow deployers to select - specific groups of controls to apply. For example, deployers can apply the - controls for the ssh daemon by using ``--tags sshd`` on the Ansible command - line. - - * Tags also make it easier to navigate through the Ansible tasks in the code - itself. For example, all tasks tagged with ``auditd`` are found within - ``tasks/rhel7stig/auditd.yml``. - -.. _Security Technical Implementation Guide (STIG): http://iase.disa.mil/stigs/os/unix-linux/Pages/red-hat.aspx - -Although the STIG is specific to Red Hat Enterprise Linux 7, it also applies to -CentOS 7 systems. In addition, almost all of the controls are easily translated -for Ubuntu 16.04. Any deviations during translation are noted within the -documentation below. - -.. toctree:: - :maxdepth: 2 - - rhel7/auto_controls-by-severity.rst - rhel7/auto_controls-by-status.rst - rhel7/auto_controls-by-tag.rst - rhel7/auto_controls-all.rst diff --git a/doc/source/controls.rst b/doc/source/controls.rst deleted file mode 100644 index ee114f6d..00000000 --- a/doc/source/controls.rst +++ /dev/null 
@@ -1,46 +0,0 @@ -Security hardening controls in detail (RHEL 6 STIG) -=================================================== - -The Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux -6 contains over 200 security controls. The links below will allow you to review -each control based on a certain set of criteria. - -Controls are divided into groups based on certain properties: - -* **Severity:** Normally high, medium and low. High severity items are the ones - which should be completed first, since they pose the greatest threat to the - security of a system. - *(These severity levels are set within the STIG.)* - -* **Implementation status:** Each control is assessed thoroughly before Ansible - tasks are written. Some controls may be listed as *exceptions* since they - can't be implemented with automation, or they could cause damage to an - existing system. Other controls are listed as *opt-in* when they are - implemented, but they require a deployer to enable them. - *(This categorization comes from openstack-ansible-security, not the STIG.)* - -* **Tag:** The controls are also separated based on which parts of the system - they act upon. Something that secures ``grub`` would be tagged with *boot* - while controls for ``sshd`` would be tagged with *auth*. - *(This categorization comes from openstack-ansible-security, not the STIG.)* - -You can also review the STIG controls in one very large page. This can be -helpful when you need to search using your web browser. - -.. note:: - - The RHEL 6 STIG content is deprecated in the Ocata release and will be - removed in a future release. Deployers can choose to deploy the RHEL 6 - STIG content by setting the ``stig_version`` Ansible variable: - - .. code-block:: console - - ansible-playbook -i hosts playbook.yml -e stig_version=rhel7 - -.. toctree:: - :maxdepth: 2 - - auto_controls-by-severity.rst - auto_controls-by-status.rst - auto_controls-by-tag.rst - auto_controls-all.rst 
diff --git a/doc/source/developer-guide.rst b/doc/source/developer-guide.rst deleted file mode 100644 index 0349fac0..00000000 --- a/doc/source/developer-guide.rst +++ /dev/null 
@@ -1,84 +0,0 @@ -.. contents:: - :local: - :backlinks: none - -Developer Guide -=============== - -Building a development environment ----------------------------------- - -The OpenStack gate runs the tox tests found within ``tox.ini``. Developers -should use these tox tests to verify that their changes will work when the gate -jobs run. Some systems may need additional packages for these tests to run -properly. - -To install all of the prerequisites and run the functional tests, use the -``run_tests.sh`` script: - -.. code-block:: console - - ./run_tests.sh - -.. note:: - - This script will apply the default security hardening configurations to the - local host. Avoid running this script on production servers which have not - been properly tested with the security role. - -Writing documentation ---------------------- - -Documentation consists of two parts: metadata and deployer notes. The metadata -exists as `YAML frontmatter `_ for each -STIG configuration. The frontmatter is followed by the text of the deployer -note itself. - -All of the notes are found within ``doc/metadata/rhel7``. Here is an example -of V-71989: - -.. literalinclude:: ../metadata/rhel7/V-71989.rst - :language: yaml - -The block after the first three dashes (``---``) is the metadata. The metadata -must include: - -* ``id``: The ID of the STIG configuration item. -* ``status``: The implementation status of the STIG configuration, such as - ``implemented``, ``exception``, or ``opt-in``. -* ``tag``: The Ansible tag associated with the task(s) that make changes based - on the STIG requirement, such as ``auditd``, ``kernel``, or ``lsm``. - -The next block is the deployer note. The note should be brief, but it must -answer a few critical questions: - -* What does the change do to a system? -* What is the value of making this change? -* How can a deployer opt out or opt in for a particular change? 
-* Is there additional documentation available online that may help a deployer - decide whether or not this change is valuable to them? - -Run ``tox -e docs`` to rebuild the documentation from the metadata and review -your changes. - -Release notes -------------- - -Adding release notes helps deployers and other developers discover the new -additions to the role in a concise format. Release notes should be added to -incoming patches if they would change something noticeable in the role, such as -bug fixes, new functionality, or variable name changes. - -To add a release note, use ``reno``: - -.. code-block:: console - - reno new i-made-a-new-feature-that-does-something-awesome - -Once you run the ``reno new`` command with a release note slug, a new file -appears in ``releasenotes/notes``. Edit that file and adjust the relevant -section to explain the changes found within your patch. Delete any unused -sections and submit the release note with your patch. - -For more details, refer to the documentation on release notes found in the -`OpenStack-Ansible developer documentation `_ diff --git a/doc/source/faq.rst b/doc/source/faq.rst deleted file mode 100644 index c6dbaa4f..00000000 --- a/doc/source/faq.rst +++ /dev/null 
@@ -1,65 +0,0 @@ -Frequently Asked Questions -========================== - -Does this role work only with OpenStack environments? ------------------------------------------------------ - -No -- it works on almost any Linux host! - -The openstack-ansible-security role first began as a component of the -OpenStack-Ansible project and it was designed to deploy into an existing -OpenStack environment without causing disruptions. However, the role now works -well in OpenStack and non-OpenStack environments. - -See *Which systems are covered?* below for more details. - -Why should this role be applied to a system? --------------------------------------------- - -There are three main reasons to apply this role to production Linux systems: - -Improve security posture - The configurations from the STIG add security and rigor around multiple - components of a Linux system, including user authentication, service - configurations, and package management. All of these configurations add up - to an environment that is more difficult for an attacker to penetrate and use - for lateral movement. - -Meet compliance requirements - Some deployers may be subject to industry compliance programs, such as - PCI-DSS, ISO 27001/27002, or NIST 800-53. Many of these programs require - hardening standards to be applied to critical systems, such as OpenStack - infrastructure components. - -Deployment without disruption - Security is often at odds with usability. The role provides the greatest - security benefit without disrupting production systems. Deployers have the - option to opt out or opt in for most configurations depending on how their - environments are configured. - -Which systems are covered? 
--------------------------------------------------------- - -The openstack-ansible-security role provides security hardening for physical -servers running the following Linux distributions: - -* Ubuntu 14.04 -* Ubuntu 16.04 -* CentOS 7 -* Red Hat Enterprise Linux 7 - -The OpenStack gating system tests the role against each of these distributions -regularly except for Red Hat Enterprise Linux 7, since it is a non-free -Linux distribution. CentOS 7 is very similar to Red Hat Enterprise Linux 7 and -the existing test coverage for CentOS is very thorough. - -Which systems are not covered? ------------------------------- - -The containers that run various OpenStack services on physical servers in -OpenStack-Ansible deployments are currently out of scope and are not changed -by the role. - -Virtual machines that are created within the OpenStack environment are also -not affected by this role, although this role could be applied within those -VM's if a deployer chooses to do so. diff --git a/doc/source/getting-started.rst b/doc/source/getting-started.rst deleted file mode 100644 index d888595a..00000000 --- a/doc/source/getting-started.rst +++ /dev/null 
@@ -1,68 +0,0 @@ -Getting started -=============== - -The openstack-ansible-security role can be used along with the -`OpenStack-Ansible`_ project or as a standalone role that can be used along -with other Ansible playbooks. - -.. _OpenStack-Ansible: https://git.openstack.org/cgit/openstack/openstack-ansible/ - -.. contents:: - :local: - :backlinks: none - -Prepare your system -------------------- - -Start by installing ansible and then install the role itself using -``ansible-galaxy``: - -.. code-block:: console - - pip install ansible - ansible-galaxy install git+https://git.openstack.org/openstack/openstack-ansible-security - -The role will be installed into -``/etc/ansible/roles/openstack-ansible-security``. - -Initial configuration ---------------------- - -The role's default configuration is suitable for most Linux hosts. Deployers -should review the :ref:`special_notes` section to learn more about how to -provide custom configuration for the Ansible tasks in the role. - -Using as a standalone role --------------------------- - -Adding the openstack-ansible-security role to existing playbooks is -straightforward. Here is an example of an existing role for deploying web -servers with the security hardening role added: - -.. code-block:: yaml - - --- - - - name: Deploy web servers - hosts: webservers - become: yes - roles: - - common - - webserver - - openstack-ansible-security - -Using with OpenStack-Ansible ----------------------------- - -The openstack-ansible-security role is automatically enabled and applied in the -Newton release of OpenStack-Ansible. Set the following Ansible variable to -enable the role in the Mitaka release of OpenStack-Ansible: - -.. code-block:: yaml - - apply_security_hardening: true - -For more information, refer to the OpenStack-Ansible documentation on -`configuring security hardening`_. - -.. 
_configuring security hardening: http://docs.openstack.org/project-deploy-guide/openstack-ansible/draft/app-advanced-config-security.html#security-hardening diff --git a/doc/source/index.rst b/doc/source/index.rst deleted file mode 100644 index e7b69f05..00000000 --- a/doc/source/index.rst +++ /dev/null 
@@ -1,134 +0,0 @@ -============================================ -Automated security hardening for Linux hosts -============================================ - -.. warning:: - - The openstack-ansible-security role is deprecated and will be retired soon. - Consumers of this role must consume the - `ansible-hardening `_ - role to receive the latest updates. - -The openstack-ansible-security Ansible role uses industry-standard security -hardening guides to secure Linux hosts. Although the role is designed to work -well in OpenStack environments that are deployed with OpenStack-Ansible, it can -be used with almost any Linux system. - -What does the role do? ----------------------- - -It all starts with the `Security Technical Implementation Guide (STIG)`_ from -the `Defense Information Systems Agency (DISA)`_, part of the United States -Department of Defense. The guide is released with a public domain license and -it is commonly used to secure systems at public and private organizations -around the world. - -Each configuration from the STIG is analyzed to determine what impact it could -have on a live production environment and how to implement it in Ansible. Tasks -are added to the role that configure a host to meet the configuration -requirement. Each task is documented to explain what was changed, why it was -changed, and what deployers need to understand about the change. - -Deployers have the option to pick and choose which configurations are applied -using Ansible variables and tags. Some tasks allow deployers to provide custom -configurations to tighten down or relax certain requirements. - -For more details, review the *Documentation* section below. - -.. _Security Technical Implementation Guide (STIG): http://iase.disa.mil/stigs/Pages/index.aspx -.. _Defense Information Systems Agency (DISA): http://www.disa.mil/ - -Documentation -------------- - -The following documentation applies to the Pike release. 
Documentation from -previous releases are available in the *Releases* section below. - -.. toctree:: - :maxdepth: 2 - - getting-started.rst - faq.rst - special-notes.rst - controls-rhel7.rst - developer-guide.rst - -Special Notes: STIG Content ---------------------------- - -The RHEL 7 STIG content was first added in the Ocata release using the -pre-release STIG content (version 0.2). The Pike release contains the final -STIG release content which also included a numbering change from the -``RHEL-xx-xxxxxx`` style to the traditional ``V-xxxxx`` style. - -The original RHEL 6 STIG content was deprecated in the Ocata release and will -be removed in the Queens release (early 2018). The documentation for the -RHEL 6 STIG content is still available: - -.. toctree:: - :maxdepth: 2 - - controls.rst - -Releases --------- - -Deployers should use the latest stable release for all production deployments. - -Pike -~~~~ - -* **Status:** Active development *(anticipated release: September 2017)* - -* **Supported Operating Systems:** - - * Ubuntu 14.04 Trusty *(Deprecated)* - * Ubuntu 16.04 Xenial - * CentOS 7 - * Red Hat Enterprise Linux 7 *(partial automated test coverage)* - -* **Documentation:** - - * `openstack-ansible-security Pike Release Notes`_ - -.. _openstack-ansible-security Pike Release Notes: http://docs.openstack.org/releasenotes/openstack-ansible-security/unreleased.html - -Ocata -~~~~~ - -* **Status:** Latest stable release *(released February 2017)* - -* **Supported Operating Systems:** - - * Ubuntu 14.04 Trusty *(Deprecated)* - * Ubuntu 16.04 Xenial - * CentOS 7 - * Red Hat Enterprise Linux 7 *(partial automated test coverage)* - -* **Documentation:** - - * `openstack-ansible-security Ocata Documentation`_ - * `openstack-ansible-security Ocata Release Notes`_ - -.. _openstack-ansible-security Ocata Documentation: http://docs.openstack.org/developer/openstack-ansible-security/ocata/ -.. 
_openstack-ansible-security Ocata Release Notes: http://docs.openstack.org/releasenotes/openstack-ansible-security/ocata.html - -Newton -~~~~~~ - -* **Status:** Previous stable release *(released October 2016)* - -* **Supported Operating Systems:** - - * Ubuntu 14.04 Trusty - * Ubuntu 16.04 Xenial - * CentOS 7 - * Red Hat Enterprise Linux 7 *(partial automated test coverage)* - -* **Documentation:** - - * `openstack-ansible-security Newton Documentation`_ - * `openstack-ansible-security Newton Release Notes`_ - -.. _openstack-ansible-security Newton Documentation: http://docs.openstack.org/developer/openstack-ansible-security/newton/ -.. _openstack-ansible-security Newton Release Notes: http://docs.openstack.org/releasenotes/openstack-ansible-security/newton.html diff --git a/doc/source/special-notes.rst b/doc/source/special-notes.rst deleted file mode 100644 index f3959895..00000000 --- a/doc/source/special-notes.rst +++ /dev/null 
@@ -1,154 +0,0 @@
-.. _special_notes:
-
-Deviations & Special Notes
-==========================
-
-The Security Technical Implementation Guide (STIG) provides over 200 controls
-to secure a Linux system, but some of these configurations can cause problems
-with production environments.
-
-.. contents::
- :local:
- :backlinks: none
- :depth: 2
-
-Reviewing deviations
--------------------
-
-The openstack-ansible-security role deviates from some of the STIG's
-requirements when a security control could cause significant issues with
-production systems. The role classifies each control into an implementation
-status and provides notes on why a certain control is skipped or altered.
-
-The following provides a brief overview of each implementation status:
-
-Exception
- If a control requires manual intervention outside the host, or if it could
- cause significant harm to a host, it will be skipped and listed as an
- exception. All controls in this category are not implemented in Ansible.
-
-Configuration Required
- These controls require some type of initial configuration before they can
- be applied. Review the notes for each control to determine how to configure
- each of them.
-
-Implemented
- These controls are fully implemented and they may have configurations which
- can be adjusted. The notes for each control will identify which configuration
- options are available.
-
-Opt-In
- The controls in the opt-in list are implemented in Ansible, but are disabled
- by default. They are often disabled because they could cause harm to a subset
- of systems. Each control has notes that explains the caveats of the control
- and how to enable it if needed.
-
-Deployers should review the full list of controls
-`sorted by implementation status `_.
-
-.. note::
-
- All of the default configurations are found within ``defaults/main.yml``.
-
-AIDE initialization
--------------------
-
-The STIG sets requirements for integrity monitoring of the system and the role
-will install AIDE to meet these requirements.
-
-By default AIDE will examine and monitor all of the files on a host unless
-directories are added to its exclusion list. The security role sets directories
-to exclude from AIDE monitoring via the ``aide_exclude_dirs`` variable. this
-list excludes the most common directories that change very often via automated
-methods.
-
-Even with the excluded directories, the first AIDE initialization can take a
-long time on some systems. During this time, the CPU and disks are **very
-busy**.
-
-The security role will skip the AIDE initialization step by default. Deployers
-must set the following Ansible variable to initialize the database:
-
-.. code-block:: yaml
-
- security_rhel7_initialize_aide: true
-
-auditd
------
-
-The audit daemon (``auditd``) is required by the STIG and it provides useful
-logging of critical events on a Linux server. The audit daemon monitors
-syscalls on a Linux system and logs alerts based on sets of auditing rules.
-
-Rules for auditd
- Each set of rules is controlled by Ansible variables that begin with
- ``security_audit__rhel7``. To omit a set of rules on a host, set the variable
- to ``no``. To include a set of rules on a host, set the variable to ``yes``.
-
- For example, setting ``security_rhel7_audit_mount`` to ``yes`` will
- ensure that the rules for auditing filesystem mounts are included on each
- host. Setting ``security_rhel7_audit_mount`` to ``no`` will omit that
- group of rules on each host.
-
- To review the full list of rules and variables, refer to
- ``templates/osas-auditd-rhel7.j2``.
-
-Handling audit emergencies
- There are several configurations for auditd which are critical for deployers
- to review in detail. The options beneath the ``## Audit daemon (auditd)``
- comment will change how auditd handles log files and what it should do in
- case of emergencies.
-
- .. note::
-
- Some of these configuration options can cause serious issues on
- production systems, ranging from a reduction in security to servers going
- offline unexpectedly. There is extensive documentation in the developer
- notes for each STIG requirement.
-
-Linux Security Modules (LSM)
----------------------------
-
-The STIG requires that SELinux is in enforcing mode to provide additional
-security against attacks. The security role will enable SELinux on CentOS
-systems and enable AppArmor on Ubuntu systems.
-
-For more information on how these changes are applied, refer to the
-documentation for :ref:`V-71989 `.
-
-SSH server
----------
-
-The STIG has some requirements for ssh server configuration and these
-requirements are applied by default by the role. To opt-out or change these
-requirements, see the section under the ``## ssh server (sshd)`` comment in
-``defaults/main.yml``.
-
-Deviation for PermitRootLogin
- There is one deviation from the STIG for the ``PermitRootLogin``
- configuration option. The STIG requires that direct root logins are
- disabled, and this is the recommended setting for secure production
- environments.
-
- However, this can cause problems in some existing environments and the
- default for the role is to set it to ``yes`` (direct root logins allowed).
-
-Time synchronization
--------------------
-
-Reliable time synchronization is a requirement in the STIG and the ``chrony``
-package will be installed to handle NTP for systems secured with the
-openstack-ansible-security role.
-
-The default settings will work for most environments, but some deployers may
-prefer to use NTP servers which are geographically closer to their servers.
-
-The role configures the chrony daemon to listen only on ``localhost``. To allow
-chrony to listen on all addresses (the upstream default for chrony),
-set the ``security_ntp_bind_local_interfaces_only`` variable to ``False``.
-
-The default configuration allows `RFC1918`_ addresses to reach the NTP server
-running on each host. That could be changed by using the
-``security_allowed_ntp_subnets`` parameter.
-
-.. _RFC1918: https://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
diff --git a/files/20auto-upgrades b/files/20auto-upgrades
deleted file mode 100644
index 8d6d7c82..00000000
--- a/files/20auto-upgrades
+++ /dev/null
@@ -1,2 +0,0 @@
-APT::Periodic::Update-Package-Lists "1";
-APT::Periodic::Unattended-Upgrade "1";
diff --git a/files/V-38682-modprobe.conf b/files/V-38682-modprobe.conf
deleted file mode 100644
index 5e2ffbc3..00000000
--- a/files/V-38682-modprobe.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-# File managed by openstack-ansible-security
-# Fixes RHEL 6 STIG V-38682
-install net-pf-31 /bin/true
-install bluetooth /bin/true
diff --git a/files/dconf-profile-gdm b/files/dconf-profile-gdm
deleted file mode 100644
index 817afc52..00000000
--- a/files/dconf-profile-gdm
+++ /dev/null
@@ -1,3 +0,0 @@
-user-db:user
-system-db:gdm
-file-db:/usr/share/gdm/greeter-dconf-defaults
diff --git a/files/dconf-user-profile b/files/dconf-user-profile
deleted file mode 100644
index aca0641f..00000000
--- a/files/dconf-user-profile
+++ /dev/null
@@ -1,2 +0,0 @@
-user-db:user
-system-db:local
diff --git a/files/login_banner.txt b/files/login_banner.txt
deleted file mode 100644
index 057856ee..00000000
--- a/files/login_banner.txt
+++ /dev/null
@@ -1,6 +0,0 @@
------------------------------------------------------------------------------
-* WARNING *
-* You are accessing a secured system and your actions will be logged along *
-* with identifying information. Disconnect immediately if you are not an *
-* authorized user of this system. *
------------------------------------------------------------------------------
diff --git a/handlers/main.yml b/handlers/main.yml
deleted file mode 100644
index 41e7a222..00000000
--- a/handlers/main.yml
+++ /dev/null
@@ -1,94 +0,0 @@
----
-# Copyright 2015, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Restarting services ########################################################
-#
-# NOTE(mhayden): It's not possible to use systemd to restart auditd on CentOS
-# since it's a special service. Using the old service scripts is required.
-- name: restart auditd
- command: service auditd restart
- args:
- warn: no
-
-- name: restart chrony
- service:
- name: "{{ chrony_service }}"
- state: restarted
-
-- name: restart fail2ban
- service:
- name: fail2ban
- state: restarted
-
-- name: restart postfix
- service:
- name: postfix
- state: restarted
-
-- name: restart rsyslog
- service:
- name: rsyslog
- state: restarted
-
-- name: restart samba
- service:
- name: smbd
- state: restarted
-
-- name: restart ssh
- service:
- name: "{{ ssh_service }}"
- state: restarted
-
-- name: restart vsftpd
- service:
- name: vsftpd
- state: restarted
-
-- name: restart clamav
- service:
- name: "{{ clamav_service }}"
- state: restarted
-
-# Miscellaneous ##############################################################
-- name: generate auditd rules
- command: augenrules --load
- notify: restart auditd
-
-- name: rehash aliases
- command: newaliases
-
-- name: update grub config
- command: "{{ grub_update_cmd }}"
- when:
- - security_enable_grub_update | bool
- - grub_update_binary.stat.exists | bool
- - grub_update_binary.stat.executable | bool
- notify:
- - set bootloader file permissions after updating grub config
-
-# NOTE(mhayden): Running `update-grub` causes the bootloader permissions to
-change, which breaks V-38583.
-- name: set bootloader file permissions after updating grub config
- file:
- path: "{{ grub_config_file_boot }}"
- mode: 0644
-
-- name: dconf update
- command: dconf update
-
-- name: reload systemd
- systemd:
- daemon-reload: yes
diff --git a/library/get_users b/library/get_users
deleted file mode 100755
index 72675898..00000000
--- a/library/get_users
+++ /dev/null
@@ -1,122 +0,0 @@
-#!/usr/bin/env python
-# Copyright 2016, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Get user facts."""
-
-import grp
-import pwd
-import spwd
-from ansible.module_utils.basic import AnsibleModule
-
-
-DOCUMENTATION = """
----
-module: get_users
-short_description:
- - A module for gathering facts about Linux users.
-description:
- - This module gathers facts about the Linux users and groups that exist
- on the system.
-author: major@mhtx.net
-"""
-
-EXAMPLES = '''
-- get_users:
- min_uid: 1000
- max_uid: 2000
-'''
-
-RETURN = '''
-users:
- description: users matching arguments provided
- returned: success
- type: list
-'''
-
-
-def make_user_dict(user_record):
- """Create a dictionary of user attributes."""
- user_dict = {
- 'name': user_record.pw_name,
- 'uid': user_record.pw_uid,
- 'gid': user_record.pw_gid,
- 'gecos': user_record.pw_gecos,
- 'dir': user_record.pw_dir,
- 'shell': user_record.pw_shell,
- 'group': make_group_dict(user_record.pw_gid),
- 'shadow': make_shadow_dict(user_record.pw_name)
- }
- return user_dict
-
-
-def make_group_dict(gid):
- """Create dictionary from group record."""
- try:
- group_record = grp.getgrgid(gid)
- except KeyError:
- return False
-
- group_dict = {
- 'name': group_record.gr_name,
- 'passwd': group_record.gr_passwd,
- 'gid': group_record.gr_gid,
- }
- return group_dict
-
-
-def make_shadow_dict(username):
- """Create a dictionary of user shadow password database attributes."""
- try:
- shadow_record = spwd.getspnam(username)
- except KeyError:
- return False
-
- shadow_dict = {
- 'last_changed': shadow_record.sp_lstchg,
- 'min_days': shadow_record.sp_min,
- 'max_days': shadow_record.sp_max,
- 'warn_days': shadow_record.sp_warn,
- 'inact_days': shadow_record.sp_inact,
- 'expire_days': shadow_record.sp_expire,
- }
- return shadow_dict
-
-
-def main():
- """Ansible calls this function."""
- module = AnsibleModule(
- argument_spec=dict(
- min_uid=dict(default=0, type='int'),
- max_uid=dict(default=65535, type='int'),
- ),
- supports_check_mode=True,
- )
-
- # Get all of the users on the system into a list of dicts. The 'pwd' module
- # returns them in a struct.
- all_users = [make_user_dict(x) for x in pwd.getpwall()]
-
- # Get the users that match our criteria.
- user_list = [x for x in all_users
- if (x['uid'] >= module.params['min_uid'] and
- x['uid'] <= module.params['max_uid'])]
-
- # Return the user data to the Ansible task.
- module.exit_json(
- changed=False,
- users=user_list
- )
-
-if __name__ == '__main__':
- main()
diff --git a/manual-test.rc b/manual-test.rc
deleted file mode 100644
index 7016c453..00000000
--- a/manual-test.rc
+++ /dev/null
@@ -1,33 +0,0 @@
-export VIRTUAL_ENV=$(pwd)
-export ANSIBLE_HOST_KEY_CHECKING=False
-export ANSIBLE_SSH_CONTROL_PATH=/tmp/%%h-%%r
-
-# TODO (odyssey4me) These are only here as they are non-standard folder
-# names for Ansible 1.9.x. We are using the standard folder names for
-# Ansible v2.x. We can remove this when we move to Ansible 2.x.
-export ANSIBLE_ACTION_PLUGINS=${HOME}/.ansible/plugins/action
-export ANSIBLE_CALLBACK_PLUGINS=${HOME}/.ansible/plugins/callback
-export ANSIBLE_FILTER_PLUGINS=${HOME}/.ansible/plugins/filter
-export ANSIBLE_LOOKUP_PLUGINS=${HOME}/.ansible/plugins/lookup
-
-# This is required as the default is the current path or a path specified
-# in ansible.cfg
-export ANSIBLE_LIBRARY=${HOME}/.ansible/plugins/library
-
-# This is required as the default is '/etc/ansible/roles' or a path
-# specified in ansible.cfg
-export ANSIBLE_ROLES_PATH=${HOME}/.ansible/roles:$(pwd)/..
-
-export ANSIBLE_SSH_ARGS="-o ControlMaster=no \
- -o UserKnownHostsFile=/dev/null \
- -o StrictHostKeyChecking=no \
- -o ServerAliveInterval=64 \
- -o ServerAliveCountMax=1024 \
- -o Compression=no \
- -o TCPKeepAlive=yes \
- -o VerifyHostKeyDNS=no \
- -o ForwardX11=no \
- -o ForwardAgent=yes"
-
-echo "Run manual functional tests by executing the following:"
-echo "# ./.tox/functional/bin/ansible-playbook -i tests/inventory tests/test.yml"
diff --git a/meta/main.yml b/meta/main.yml
deleted file mode 100644
index da1c750f..00000000
--- a/meta/main.yml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-galaxy_info:
- author: OpenStack
- description: Security hardening role for OpenStack-Ansible
- company: OpenStack
- license: Apache
- min_ansible_version: 2.3
- platforms:
- - name: EL
- versions:
- - 7
- - name: Ubuntu
- versions:
- - trusty
- - xenial
- categories:
- - cloud
- - security
- - system
-dependencies: []
diff --git a/releasenotes/notes/.placeholder b/releasenotes/notes/.placeholder
deleted file mode 100644
index e69de29b..00000000
diff --git a/releasenotes/notes/add-v38438-3f7e905892be4b4f.yaml b/releasenotes/notes/add-v38438-3f7e905892be4b4f.yaml
deleted file mode 100644
index 9793bf13..00000000
--- a/releasenotes/notes/add-v38438-3f7e905892be4b4f.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-features:
- - |
- The role now enables auditing during early boot to comply with the
- requirements in V-38438. By default, the GRUB configuration variables in
- ``/etc/default/grub.d/`` will be updated and the active ``grub.cfg`` will
- be updated.
-
- Deployers can opt-out of the change entirely by setting a variable:
-
- .. code-block:: yaml
-
- security_enable_audit_during_boot: no
-
- Deployers may opt-in for the change without automatically updating the
- active ``grub.cfg`` file by setting the following Ansible variables:
-
- .. code-block:: yaml
-
- security_enable_audit_during_boot: yes
- security_enable_grub_update: no
diff --git a/releasenotes/notes/adding-v38526-381a407caa566b14.yaml b/releasenotes/notes/adding-v38526-381a407caa566b14.yaml
deleted file mode 100644
index e495fac7..00000000
--- a/releasenotes/notes/adding-v38526-381a407caa566b14.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-features:
- - |
- A task was added to disable secure ICMP redirects per the requirements in
- V-38526. This change can cause problems in some environments, so it is
- disabled by default. Deployers can enable the task (which disables secure
- ICMP redirects) by setting ``security_disable_icmpv4_redirects_secure`` to
- ``yes``.
diff --git a/releasenotes/notes/adding-v38548-9c51b30bf9780ff3.yaml b/releasenotes/notes/adding-v38548-9c51b30bf9780ff3.yaml
deleted file mode 100644
index 297ab134..00000000
--- a/releasenotes/notes/adding-v38548-9c51b30bf9780ff3.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-features:
- - |
- A new task was added to disable ICMPv6 redirects per the requirements in
- V-38548. However, since this change can cause problems in running OpenStack
- environments, it is disabled by default. Deployers who wish to enable this
- task (and disable ICMPv6 redirects) should set
- ``security_disable_icmpv6_redirects`` to ``yes``.
diff --git a/releasenotes/notes/aide-exclude-run-4d3c97a2d08eb373.yaml b/releasenotes/notes/aide-exclude-run-4d3c97a2d08eb373.yaml
deleted file mode 100644
index 0674f351..00000000
--- a/releasenotes/notes/aide-exclude-run-4d3c97a2d08eb373.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-fixes:
- - |
- The ``/run`` directory is excluded from AIDE checks since the files and
- directories there are only temporary and often change when services
- start and stop.
diff --git a/releasenotes/notes/aide-initialization-fix-16ab0223747d7719.yaml b/releasenotes/notes/aide-initialization-fix-16ab0223747d7719.yaml
deleted file mode 100644
index cb5eb950..00000000
--- a/releasenotes/notes/aide-initialization-fix-16ab0223747d7719.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-features:
- - |
- AIDE is configured to skip the entire ``/var`` directory when it does the
- database initialization and when it performs checks. This reduces disk
- I/O and allows these jobs to complete faster.
-
- This also allows the initialization to become a blocking process and
- Ansible will wait for the initialization to complete prior to running the
- next task.
-fixes:
- - |
- AIDE initialization is now always run on subsequent playbook runs when
- ``security_initialize_aide`` is set to ``yes``. The initialization will
- be skipped if AIDE isn't installed or if the AIDE database already exists.
-
- See `bug 1616281 `_ for more details.
diff --git a/releasenotes/notes/auditing-mac-policy-changes-fb83e0260a6431ed.yaml b/releasenotes/notes/auditing-mac-policy-changes-fb83e0260a6431ed.yaml
deleted file mode 100644
index 0c20701f..00000000
--- a/releasenotes/notes/auditing-mac-policy-changes-fb83e0260a6431ed.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-
-upgrade:
- - |
- The variable ``security_audit_apparmor_changes`` is now renamed to
- ``security_audit_mac_changes`` and is enabled by default. Setting
- ``security_audit_mac_changes`` to ``no`` will disable syscall auditing for
- any changes to AppArmor policies (in Ubuntu) or SELinux policies (in
- CentOS).
-features:
- - |
- The auditd rules template included a rule that audited changes to the
- AppArmor policies, but the SELinux policy changes were not being audited.
- Any changes to SELinux policies in ``/etc/selinux`` are now being logged
- by auditd.
diff --git a/releasenotes/notes/augenrules-restart-39fe3e1e2de3eaba.yaml b/releasenotes/notes/augenrules-restart-39fe3e1e2de3eaba.yaml
deleted file mode 100644
index 45311efd..00000000
--- a/releasenotes/notes/augenrules-restart-39fe3e1e2de3eaba.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-fixes:
- - The role previously did not restart the audit daemon after generating a
- new rules file. The `bug `_ has been
- fixed and the audit daemon will be restarted after any audit rule changes.
diff --git a/releasenotes/notes/chrony-config-variable-7a1a7862c05c9675.yaml b/releasenotes/notes/chrony-config-variable-7a1a7862c05c9675.yaml
deleted file mode 100644
index 9677b7e0..00000000
--- a/releasenotes/notes/chrony-config-variable-7a1a7862c05c9675.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-features:
- - |
- The installation of ``chrony`` is still enabled by default, but it is now
- controlled by the ``security_enable_chrony`` variable.
diff --git a/releasenotes/notes/configurable-martian-logging-370ede40b036db0b.yaml b/releasenotes/notes/configurable-martian-logging-370ede40b036db0b.yaml
deleted file mode 100644
index e55b8e82..00000000
--- a/releasenotes/notes/configurable-martian-logging-370ede40b036db0b.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-features:
- - |
- Although the STIG requires martian packets to be logged, the logging is
- now disabled by default. The logs can quickly fill up a syslog server or
- make a physical console unusable.
-
- Deployers that need this logging enabled will need to set the following
- Ansible variable:
-
- .. code-block:: yaml
-
- security_sysctl_enable_martian_logging: yes
diff --git a/releasenotes/notes/customizable-login-banner-string-d8d5ae874e8e49f3.yaml b/releasenotes/notes/customizable-login-banner-string-d8d5ae874e8e49f3.yaml
deleted file mode 100644
index 08fefdd0..00000000
--- a/releasenotes/notes/customizable-login-banner-string-d8d5ae874e8e49f3.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-features:
- - |
- Deployers can provide a customized login banner via a new Ansible variable:
- ``security_login_banner_text``. This banner text is used for non-graphical
- logins, which includes console and ssh logins.
diff --git a/releasenotes/notes/dictionary-variables-removed-957c7b7b2108ba1f.yaml b/releasenotes/notes/dictionary-variables-removed-957c7b7b2108ba1f.yaml
deleted file mode 100644
index 6386acaa..00000000
--- a/releasenotes/notes/dictionary-variables-removed-957c7b7b2108ba1f.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-fixes:
- - The dictionary-based variables in ``defaults/main.yml`` are now individual
- variables. The dictionary-based variables could not be changed as the
- documentation instructed. Instead it was required to override the entire
- dictionary. Deployers must use the new variable names to enable or disable
- the security configuration changes applied by the security role. For more
- information, see
- `Launchpad Bug 1577944 `_.
diff --git a/releasenotes/notes/disable-failed-access-audit-logging-789dc01c8bcbef17.yaml b/releasenotes/notes/disable-failed-access-audit-logging-789dc01c8bcbef17.yaml
deleted file mode 100644
index e6038500..00000000
--- a/releasenotes/notes/disable-failed-access-audit-logging-789dc01c8bcbef17.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-fixes:
- - Failed access logging is now disabled by default and can be enabled by
- changing ``security_audit_failed_access`` to ``yes``. The rsyslog daemon
- checks for the existence of log files regularly and this audit rule was
- triggered very frequently, which led to very large audit logs.
diff --git a/releasenotes/notes/disable-graphical-interface-5db89cd1bef7e12d.yaml b/releasenotes/notes/disable-graphical-interface-5db89cd1bef7e12d.yaml
deleted file mode 100644
index 879fc9c8..00000000
--- a/releasenotes/notes/disable-graphical-interface-5db89cd1bef7e12d.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-features:
- - |
- The security role now has tasks that will disable the graphical interface
- on a server using upstart (Ubuntu 14.04) or systemd (Ubuntu 16.04 and
- CentOS 7). These changes take effect after a reboot.
-
- Deployers that need a graphical interface will need to set the following
- Ansible variable:
-
- .. code-block:: yaml
-
- security_disable_x_windows: no
diff --git a/releasenotes/notes/disable-netconsole-service-915bb33449b4012c.yaml b/releasenotes/notes/disable-netconsole-service-915bb33449b4012c.yaml
deleted file mode 100644
index 406ca5aa..00000000
--- a/releasenotes/notes/disable-netconsole-service-915bb33449b4012c.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-fixes:
- - |
- An Ansible task was added to disable the ``netconsole`` service on CentOS
- systems if the service is installed on the system.
-
- Deployers can opt-out of this change by setting
- ``security_disable_netconsole`` to ``no``.
diff --git a/releasenotes/notes/disable-rpm-perms-fix-by-default-b164e39717f0ada7.yaml b/releasenotes/notes/disable-rpm-perms-fix-by-default-b164e39717f0ada7.yaml
deleted file mode 100644
index 2d0a96e6..00000000
--- a/releasenotes/notes/disable-rpm-perms-fix-by-default-b164e39717f0ada7.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-security:
- - |
- The security role will no longer fix file permissions and ownership based
- on the contents of the RPM database by default. Deployers can opt in for
- these changes by setting ``security_reset_perm_ownership`` to ``yes``.
diff --git a/releasenotes/notes/disabling-rdisc-centos-75115b3509941bfa.yaml b/releasenotes/notes/disabling-rdisc-centos-75115b3509941bfa.yaml
deleted file mode 100644
index 0c579b57..00000000
--- a/releasenotes/notes/disabling-rdisc-centos-75115b3509941bfa.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-features:
- - |
- An Ansible was added to disable the ``rdisc`` service on CentOS systems if
- the service is installed on the system.
-
- Deployers can opt-out of this change by setting ``security_disable_rdisc``
- to ``no``.
diff --git a/releasenotes/notes/enable-lsm-bae903e463079a3f.yaml b/releasenotes/notes/enable-lsm-bae903e463079a3f.yaml
deleted file mode 100644
index 64b945dd..00000000
--- a/releasenotes/notes/enable-lsm-bae903e463079a3f.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-features:
- - |
- The Linux Security Module (LSM) that is appropriate for the Linux
- distribution in use will be automatically enabled by the security role by
- default. Deployers can opt out of this change by setting the following
- Ansible variable:
-
- .. code-block:: yaml
-
- security_enable_linux_security_module: False
-
- The documentation for STIG V-51337 has more information about how each
- LSM is enabled along with special notes for SELinux.
diff --git a/releasenotes/notes/enable-tcp-syncookes-boolean-4a884a66a3a0e4d7.yaml b/releasenotes/notes/enable-tcp-syncookes-boolean-4a884a66a3a0e4d7.yaml
deleted file mode 100644
index 768ce47e..00000000
--- a/releasenotes/notes/enable-tcp-syncookes-boolean-4a884a66a3a0e4d7.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-upgrade:
- - |
- The variable ``security_sysctl_enable_tcp_syncookies`` has replaced
- ``security_sysctl_tcp_syncookies`` and it is now a boolean instead of an
- integer. It is still enabled by default, but deployers can disable TCP
- syncookies by setting the following Ansible variable:
-
- .. code-block:: yaml
-
- security_sysctl_enable_tcp_syncookies: no
diff --git a/releasenotes/notes/fix-audit-log-permission-bug-81a772e2e6d0a5b3.yaml b/releasenotes/notes/fix-audit-log-permission-bug-81a772e2e6d0a5b3.yaml
deleted file mode 100644
index 61b05693..00000000
--- a/releasenotes/notes/fix-audit-log-permission-bug-81a772e2e6d0a5b3.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-fixes:
- - |
- The security role previously set the permissions on all audit log files in
- ``/var/log/audit`` to ``0400``, but this prevents the audit daemon from
- writing to the active log file. This will prevent ``auditd`` from
- starting or restarting cleanly.
-
- The task now removes any permissions that are not allowed by the STIG. Any
- log files that meet or exceed the STIG requirements will not be modified.
diff --git a/releasenotes/notes/fix-check-mode-with-tags-bf798856a27c53eb.yaml b/releasenotes/notes/fix-check-mode-with-tags-bf798856a27c53eb.yaml
deleted file mode 100644
index ee8e78d2..00000000
--- a/releasenotes/notes/fix-check-mode-with-tags-bf798856a27c53eb.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-fixes:
- - |
- When the security role was run in Ansible's check mode and a tag was
- provided, the ``check_mode`` variable was not being set. Any tasks which
- depend on that variable would fail. This `bug is fixed `_
- and the ``check_mode`` variable is now set properly on every playbook run.
diff --git a/releasenotes/notes/handling-sshd-match-stanzas-fa40b97689004e46.yaml b/releasenotes/notes/handling-sshd-match-stanzas-fa40b97689004e46.yaml
deleted file mode 100644
index d562381b..00000000
--- a/releasenotes/notes/handling-sshd-match-stanzas-fa40b97689004e46.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-fixes:
- - The security role now handles ``ssh_config`` files that contain
- ``Match`` stanzas. A marker is added to the configuration file and any new
- configuration items will be added below that marker. In addition, the
- configuration file is validated for each change to the ssh configuration
- file.
diff --git a/releasenotes/notes/implemented-v38524-b357edec95128307.yaml b/releasenotes/notes/implemented-v38524-b357edec95128307.yaml
deleted file mode 100644
index 24ebec9f..00000000
--- a/releasenotes/notes/implemented-v38524-b357edec95128307.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-features:
- - |
- A task was added that restricts ICMPv4 redirects to meet the requirements
- of V-38524 in the STIG. This configuration is disabled by default since
- it could cause issues with LXC in some environments.
-
- Deployers can enable this configuration by setting an Ansible variable:
-
- .. code-block:: yaml
-
- security_disable_icmpv4_redirects: yes
diff --git a/releasenotes/notes/improved-audit-rule-keys-9fa85f758386446c.yaml b/releasenotes/notes/improved-audit-rule-keys-9fa85f758386446c.yaml
deleted file mode 100644
index 497de35a..00000000
--- a/releasenotes/notes/improved-audit-rule-keys-9fa85f758386446c.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-features:
- - The audit rules added by the security role now have key fields that make
- it easier to link the audit log entry to the audit rule that caused it to
- appear.
diff --git a/releasenotes/notes/ntp-bind-local-interfaces-only-05f03de632e81097.yaml b/releasenotes/notes/ntp-bind-local-interfaces-only-05f03de632e81097.yaml
deleted file mode 100644
index 464d5f76..00000000
--- a/releasenotes/notes/ntp-bind-local-interfaces-only-05f03de632e81097.yaml
+++ /dev/null
@@ -1,5 +0,0 @@ ---- -features: - - A new configuration parameter ``security_ntp_bind_local_interfaces`` was - added to the security role to restrict the network interface to which - chronyd will listen for NTP requests. \ No newline at end of file diff --git a/releasenotes/notes/package-state-6684c5634bdf127a.yaml b/releasenotes/notes/package-state-6684c5634bdf127a.yaml deleted file mode 100644 index dbc9aefc..00000000 --- a/releasenotes/notes/package-state-6684c5634bdf127a.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -features: - - The security role now supports the ability to configure whether - apt/yum tasks install the latest available package, or just ensure - that the package is present. The default action is to ensure that - the latest package is present. The action taken may be changed to - only ensure that the package is present by setting - ``security_package_state`` to ``present``. -upgrade: - - The security role always checks whether the latest package is - installed when executed. If a deployer wishes to change the check to - only validate the presence of the package, the option - ``security_package_state`` should be set to ``present``. diff --git a/releasenotes/notes/package-state-present-951161faa5384abd.yaml b/releasenotes/notes/package-state-present-951161faa5384abd.yaml deleted file mode 100644 index 70c6eaed..00000000 --- a/releasenotes/notes/package-state-present-951161faa5384abd.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -upgrade: - - The security role will accept the currently installed version of a package - rather than attempting to update it. This reduces unexpected changes on - the system from subsequent runs of the security role. Deployers can still - set ``security_package_state`` to ``latest`` to ensure that all packages - installed by the security role are up to date. 
diff --git a/releasenotes/notes/reduce-auditd-logging-633677a74aee5481.yaml b/releasenotes/notes/reduce-auditd-logging-633677a74aee5481.yaml deleted file mode 100644 index eac68638..00000000 --- a/releasenotes/notes/reduce-auditd-logging-633677a74aee5481.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- -upgrade: - - | - All of the discretionary access control (DAC) auditing is now disabled by - default. This reduces the amount of logs generated during deployments and - minor upgrades. The following variables are now set to ``no``: - - .. code-block:: yaml - - security_audit_DAC_chmod: no - security_audit_DAC_chown: no - security_audit_DAC_lchown: no - security_audit_DAC_fchmod: no - security_audit_DAC_fchmodat: no - security_audit_DAC_fchown: no - security_audit_DAC_fchownat: no - security_audit_DAC_fremovexattr: no - security_audit_DAC_lremovexattr: no - security_audit_DAC_fsetxattr: no - security_audit_DAC_lsetxattr: no - security_audit_DAC_setxattr: no -fixes: - - The auditd rules for auditing V-38568 (filesystem mounts) were incorrectly - labeled in the auditd logs with the key of ``export-V-38568``. They are - now correctly logged with the key ``filesystem_mount-V-38568``. diff --git a/releasenotes/notes/rhel-gpg-check-0b483a824314d1b3.yaml b/releasenotes/notes/rhel-gpg-check-0b483a824314d1b3.yaml deleted file mode 100644 index 3ad7f458..00000000 --- a/releasenotes/notes/rhel-gpg-check-0b483a824314d1b3.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -features: - - | - The GPG key checks for package verification in V-38476 are now working for - Red Hat Enterprise Linux 7 in addition to CentOS 7. The checks only look - for GPG keys from Red Hat and any other GPG keys, such as ones imported - from the EPEL repository, are skipped. diff --git a/releasenotes/notes/rhel7-stig-default-f6c7c97498a8b2e7.yaml b/releasenotes/notes/rhel7-stig-default-f6c7c97498a8b2e7.yaml deleted file mode 100644 index e9f06c16..00000000 
--- a/releasenotes/notes/rhel7-stig-default-f6c7c97498a8b2e7.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- -features: - - | - The Red Hat Enterprise Linux (RHEL) 7 STIG content is now deployed by - default. Deployers can continue using the RHEL 7 STIG content by setting - the following Ansible variable: - - .. code-block:: yaml - - stig_version: rhel6 -upgrade: - - | - Deployers should review the new RHEL 7 STIG variables in - ``defaults/main.yml`` to provide custom configuration for the Ansible - tasks. -deprecations: - - | - The Red Hat Enteprise Linux 6 STIG content has been deprecated. The tasks - and variables for the RHEL 6 STIG will be removed in a future release. diff --git a/releasenotes/notes/search-for-unlabeled-devices-cb047c5f767e93ce.yaml b/releasenotes/notes/search-for-unlabeled-devices-cb047c5f767e93ce.yaml deleted file mode 100644 index 15742b3f..00000000 --- a/releasenotes/notes/search-for-unlabeled-devices-cb047c5f767e93ce.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -features: - - | - Tasks were added to search for any device files without a proper SELinux - label on CentOS systems. If any of these device labels are found, the - playbook execution will stop with an error message. diff --git a/releasenotes/notes/shosts-file-search-opt-in-887f600a79eef07e.yaml b/releasenotes/notes/shosts-file-search-opt-in-887f600a79eef07e.yaml deleted file mode 100644 index bee7e0a2..00000000 --- a/releasenotes/notes/shosts-file-search-opt-in-887f600a79eef07e.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -security: - - | - The tasks that search for ``.shosts`` and ``shosts.equiv`` files - (STIG ID: RHEL-07-040330) are now skipped by default. The search takes a - long time to complete on systems with lots of files and it also causes a - significant amount of disk I/O while it runs. 
diff --git a/releasenotes/notes/stig-rhel7-version-1-renumbering-fiesta-aa047fea3ea35e74.yaml b/releasenotes/notes/stig-rhel7-version-1-renumbering-fiesta-aa047fea3ea35e74.yaml deleted file mode 100644 index b725d543..00000000 --- a/releasenotes/notes/stig-rhel7-version-1-renumbering-fiesta-aa047fea3ea35e74.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -prelude: > - The first release of the Red Hat Enterprise Linux 7 STIG was entirely - renumbered from the pre-release versions. Many of the STIG configurations - simply changed numbers, but some were removed or changed. A few new - configurations were added as well. -security: - - | - The latest version of the RHEL 7 STIG requires that a standard login banner - is presented to users when they log into the system (V-71863). The - security role now deploys a login banner that is used for console and ssh - sessions. - - | - The ``cn_map`` permissions and ownership adjustments included as part of - RHEL-07-040070 and RHEL-07-040080 has been removed. This STIG - configuration was removed in the most recent release of the RHEL 7 STIG. - - | - The PKI-based authentication checks for RHEL-07-040030, RHEL-07-040040, - and RHEL-07-040050 are no longer included in the RHEL 7 STIG. The tasks - and documentation for these outdated configurations are removed. diff --git a/releasenotes/notes/support-for-centos-xenial-2b89c318cc3df4b0.yaml b/releasenotes/notes/support-for-centos-xenial-2b89c318cc3df4b0.yaml deleted file mode 100644 index 41d4c710..00000000 --- a/releasenotes/notes/support-for-centos-xenial-2b89c318cc3df4b0.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -features: - - The openstack-ansible-security role supports the application of the Red - Hat Enterprise Linux 6 STIG configurations to systems running CentOS 7 and - Ubuntu 16.04 LTS. diff --git a/releasenotes/notes/unique-variable-migration-c0639030b495438f.yaml b/releasenotes/notes/unique-variable-migration-c0639030b495438f.yaml deleted file mode 100644 index 0fa7d814..00000000 
--- a/releasenotes/notes/unique-variable-migration-c0639030b495438f.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -upgrade: - - | - All variables in the security role are now prepended with ``security_`` to - avoid collisions with variables in other roles. All deployers who have - used the security role in previous releases will need to prepend all - security role variables with ``security_``. - - For example, a deployer could have disabled direct root ssh logins with the - following variable: - - .. code-block:: yaml - - ssh_permit_root_login: yes - - That variable would become: - - .. code-block:: yaml - - security_ssh_permit_root_login: yes diff --git a/releasenotes/source/_static/.placeholder b/releasenotes/source/_static/.placeholder deleted file mode 100644 index e69de29b..00000000 diff --git a/releasenotes/source/_templates/.placeholder b/releasenotes/source/_templates/.placeholder deleted file mode 100644 index e69de29b..00000000 diff --git a/releasenotes/source/conf.py b/releasenotes/source/conf.py deleted file mode 100644 index a5e0b836..00000000 --- a/releasenotes/source/conf.py +++ /dev/null 
@@ -1,284 +0,0 @@ -#!/usr/bin/env python3 - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or -# implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This file is execfile()d with the current directory set to its -# containing dir. -# -# Note that not all possible configuration values are present in this -# autogenerated file. -# -# All configuration values have a default; values that are commented out -# serve to show the default. - -import pbr.version - -# If extensions (or modules to document with autodoc) are in another directory, -# add these directories to sys.path here. If the directory is relative to the -# documentation root, use os.path.abspath to make it absolute, like shown here. -# sys.path.insert(0, os.path.abspath('.')) - -# -- General configuration ------------------------------------------------ - -# If your documentation needs a minimal Sphinx version, state it here. -# needs_sphinx = '1.0' - -# Add any Sphinx extension module names here, as strings. They can be -# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom -# ones. -extensions = [ - 'oslosphinx', - 'reno.sphinxext', -] - -# Add any paths that contain templates here, relative to this directory. -templates_path = ['_templates'] - -# The suffix of source filenames. -source_suffix = '.rst' - -# The encoding of source files. -# source_encoding = 'utf-8-sig' - -# The master toctree document. -master_doc = 'index' - -# General information about the project. 
-author = 'OpenStack-Ansible Contributors' -category = 'Miscellaneous' -copyright = '2014-2016, OpenStack-Ansible Contributors' -description = 'OpenStack-Ansible deploys OpenStack environments using Ansible.' -project = 'OpenStack-Ansible' -role_name = 'security' -target_name = 'openstack-ansible-' + role_name -title = 'OpenStack-Ansible Release Notes: ' + role_name + 'role' - -# The link to the browsable source code (for the left hand menu) -oslosphinx_cgit_link = 'https://git.openstack.org/cgit/openstack/' + target_name - -# The version info for the project you're documenting, acts as replacement for -# |version| and |release|, also used in various other places throughout the -# built documents. -# -# The short X.Y version. -version_info = pbr.version.VersionInfo(target_name) -# The full version, including alpha/beta/rc tags. -release = version_info.version_string_with_vcs() -# The short X.Y version. -version = version_info.canonical_version_string() - -# The language for content autogenerated by Sphinx. Refer to documentation -# for a list of supported languages. -# language = None - -# There are two options for replacing |today|: either, you set today to some -# non-false value, then it is used: -# today = '' -# Else, today_fmt is used as the format for a strftime call. -# today_fmt = '%B %d, %Y' - -# List of patterns, relative to source directory, that match files and -# directories to ignore when looking for source files. -exclude_patterns = [] - -# The reST default role (used for this markup: `text`) to use for all -# documents. -# default_role = None - -# If true, '()' will be appended to :func: etc. cross-reference text. -# add_function_parentheses = True - -# If true, the current module name will be prepended to all description -# unit titles (such as .. function::). -# add_module_names = True - -# If true, sectionauthor and moduleauthor directives will be shown in the -# output. They are ignored by default. 
-# show_authors = False - -# The name of the Pygments (syntax highlighting) style to use. -pygments_style = 'sphinx' - -# A list of ignored prefixes for module index sorting. -# modindex_common_prefix = [] - -# If true, keep warnings as "system message" paragraphs in the built documents. -# keep_warnings = False - - -# -- Options for HTML output ---------------------------------------------- - -# The theme to use for HTML and HTML Help pages. See the documentation for -# a list of builtin themes. -html_theme = 'default' - -# Theme options are theme-specific and customize the look and feel of a theme -# further. For a list of options available for each theme, see the -# documentation. -# html_theme_options = {} - -# Add any paths that contain custom themes here, relative to this directory. -# html_theme_path = [] - -# The name for this set of Sphinx documents. If None, it defaults to -# " v documentation". -# html_title = None - -# A shorter title for the navigation bar. Default is the same as html_title. -# html_short_title = None - -# The name of an image file (relative to this directory) to place at the top -# of the sidebar. -# html_logo = None - -# The name of an image file (within the static path) to use as favicon of the -# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32 -# pixels large. -# html_favicon = None - -# Add any paths that contain custom static files (such as style sheets) here, -# relative to this directory. They are copied after the builtin static files, -# so a file named "default.css" will overwrite the builtin "default.css". -html_static_path = ['_static'] - -# Add any extra paths that contain custom files (such as robots.txt or -# .htaccess) here, relative to this directory. These files are copied -# directly to the root of the documentation. -# html_extra_path = [] - -# If not '', a 'Last updated on:' timestamp is inserted at every page bottom, -# using the given strftime format. 
-html_last_updated_fmt = '%Y-%m-%d %H:%M' - -# If true, SmartyPants will be used to convert quotes and dashes to -# typographically correct entities. -# html_use_smartypants = True - -# Custom sidebar templates, maps document names to template names. -# html_sidebars = {} - -# Additional templates that should be rendered to pages, maps page names to -# template names. -# html_additional_pages = {} - -# If false, no module index is generated. -# html_domain_indices = True - -# If false, no index is generated. -# html_use_index = True - -# If true, the index is split into individual pages for each letter. -# html_split_index = False - -# If true, links to the reST sources are added to the pages. -# html_show_sourcelink = True - -# If true, "Created using Sphinx" is shown in the HTML footer. Default is True. -# html_show_sphinx = True - -# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True. -# html_show_copyright = True - -# If true, an OpenSearch description file will be output, and all pages will -# contain a tag referring to it. The value of this option must be the -# base URL from which the finished HTML is served. -# html_use_opensearch = '' - -# This is the file name suffix for HTML files (e.g. ".xhtml"). -# html_file_suffix = None - -# Output file base name for HTML help builder. -htmlhelp_basename = target_name + '-docs' - - -# -- Options for LaTeX output --------------------------------------------- - -latex_elements = { - # The paper size ('letterpaper' or 'a4paper'). - # 'papersize': 'letterpaper', - - # The font size ('10pt', '11pt' or '12pt'). - # 'pointsize': '10pt', - - # Additional stuff for the LaTeX preamble. - # 'preamble': '', -} - -# Grouping the document tree into LaTeX files. List of tuples -# (source start file, target name, title, -# author, documentclass [howto, manual, or own class]). 
-latex_documents = [ - (master_doc, target_name + '.tex', - title, author, 'manual'), -] - -# The name of an image file (relative to this directory) to place at the top of -# the title page. -# latex_logo = None - -# For "manual" documents, if this is true, then toplevel headings are parts, -# not chapters. -# latex_use_parts = False - -# If true, show page references after internal links. -# latex_show_pagerefs = False - -# If true, show URL addresses after external links. -# latex_show_urls = False - -# Documents to append as an appendix to all manuals. -# latex_appendices = [] - -# If false, no module index is generated. -# latex_domain_indices = True - - -# -- Options for manual page output --------------------------------------- - -# One entry per manual page. List of tuples -# (source start file, name, description, authors, manual section). -man_pages = [ - (master_doc, target_name, - title, [author], 1) -] - -# If true, show URL addresses after external links. -# man_show_urls = False - - -# -- Options for Texinfo output ------------------------------------------- - -# Grouping the document tree into Texinfo files. List of tuples -# (source start file, target name, title, author, -# dir menu entry, description, category) -texinfo_documents = [ - (master_doc, target_name, - title, author, project, - description, category), -] - -# Documents to append as an appendix to all manuals. -# texinfo_appendices = [] - -# If false, no module index is generated. -# texinfo_domain_indices = True - -# How to display URL addresses: 'footnote', 'no', or 'inline'. -# texinfo_show_urls = 'footnote' - -# If true, do not generate a @detailmenu in the "Top" node's menu. -# texinfo_no_detailmenu = False - -# -- Options for Internationalization output ------------------------------ -locale_dirs = ['locale/'] diff --git a/releasenotes/source/index.rst b/releasenotes/source/index.rst deleted file mode 100644 index f5871933..00000000 --- a/releasenotes/source/index.rst +++ /dev/null 
@@ -1,12 +0,0 @@ -================================ - OpenStack-Ansible Release Notes -================================ - -.. toctree:: - :maxdepth: 1 - - liberty - mitaka - newton - unreleased - ocata diff --git a/releasenotes/source/liberty.rst b/releasenotes/source/liberty.rst deleted file mode 100644 index 2c5d8327..00000000 --- a/releasenotes/source/liberty.rst +++ /dev/null @@ -1,6 +0,0 @@ -============================== - Liberty Series Release Notes -============================== - -.. release-notes:: - :branch: origin/liberty diff --git a/releasenotes/source/mitaka.rst b/releasenotes/source/mitaka.rst deleted file mode 100644 index 0dc585c8..00000000 --- a/releasenotes/source/mitaka.rst +++ /dev/null @@ -1,6 +0,0 @@ -============================= - Mitaka Series Release Notes -============================= - -.. release-notes:: - :branch: origin/stable/mitaka diff --git a/releasenotes/source/newton.rst b/releasenotes/source/newton.rst deleted file mode 100644 index 97036ed2..00000000 --- a/releasenotes/source/newton.rst +++ /dev/null @@ -1,6 +0,0 @@ -=================================== - Newton Series Release Notes -=================================== - -.. release-notes:: - :branch: origin/stable/newton diff --git a/releasenotes/source/ocata.rst b/releasenotes/source/ocata.rst deleted file mode 100644 index ebe62f42..00000000 --- a/releasenotes/source/ocata.rst +++ /dev/null @@ -1,6 +0,0 @@ -=================================== - Ocata Series Release Notes -=================================== - -.. release-notes:: - :branch: origin/stable/ocata diff --git a/releasenotes/source/unreleased.rst b/releasenotes/source/unreleased.rst deleted file mode 100644 index cd22aabc..00000000 --- a/releasenotes/source/unreleased.rst +++ /dev/null @@ -1,5 +0,0 @@ -============================== - Current Series Release Notes -============================== - -.. release-notes:: diff --git a/run_tests.sh b/run_tests.sh deleted file mode 100755 index 44b0404d..00000000 
--- a/run_tests.sh +++ /dev/null 
@@ -1,65 +0,0 @@ -#!/usr/bin/env bash -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -xeuo pipefail - -FUNCTIONAL_TEST=${FUNCTIONAL_TEST:-true} - -# Install pip. -if ! which pip; then - curl --silent --show-error --retry 5 \ - https://bootstrap.pypa.io/get-pip.py | sudo python2.7 -fi - -# Install bindep and tox with pip. -sudo pip install bindep tox - -# CentOS 7 requires two additional packages: -# redhat-lsb-core - for bindep profile support -# epel-release - required to install python-ndg_httpsclient/python2-pyasn1 -if which yum; then - sudo yum -y install redhat-lsb-core epel-release -fi - -# Get a list of packages to install with bindep. If packages need to be -# installed, bindep exits with an exit code of 1. -BINDEP_PKGS=$(bindep -b -f bindep.txt test || true) -echo "Packages to install: ${BINDEP_PKGS}" - -# Install a list of OS packages provided by bindep. -if which apt-get; then - sudo apt-get update - DEBIAN_FRONTEND=noninteractive \ - sudo apt-get -q --option "Dpkg::Options::=--force-confold" \ - --assume-yes install $BINDEP_PKGS -elif which yum; then - # Don't run yum with an empty list of packages. - # It will fail and cause the script to exit with an error. - if [[ ${#BINDEP_PKGS} > 0 ]]; then - sudo yum install -y $BINDEP_PKGS - fi -fi - -# Loop through each tox environment and run tests. 
-for tox_env in $(awk -F= '/envlist/ { gsub(",", " "); print $2 }' tox.ini); do - echo "Executing tox environment: ${tox_env}" - if [[ ${tox_env} == ansible-functional ]]; then - if ${FUNCTIONAL_TEST}; then - tox -e ${tox_env} - fi - else - tox -e ${tox_env} - fi -done diff --git a/setup.cfg b/setup.cfg deleted file mode 100644 index 75bbe25c..00000000 --- a/setup.cfg +++ /dev/null @@ -1,24 +0,0 @@ -[metadata] -name = openstack-ansible-security -summary = OpenStack-Ansible: Host security hardening -description-file = - README.rst -author = OpenStack -author-email = openstack-dev@lists.openstack.org -home-page = http://www.openstack.org/ -classifier = - Intended Audience :: Developers - Intended Audience :: System Administrators - License :: OSI Approved :: Apache Software License - Operating System :: POSIX :: Linux - -[build_sphinx] -all_files = 1 -build-dir = doc/build -source-dir = doc/source - -[pbr] -warnerrors = True - -[wheel] -universal = 1 diff --git a/setup.py b/setup.py deleted file mode 100644 index 566d8443..00000000 --- a/setup.py +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright (c) 2013 Hewlett-Packard Development Company, L.P. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or -# implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# THIS FILE IS MANAGED BY THE GLOBAL REQUIREMENTS REPO - DO NOT EDIT -import setuptools - -# In python < 2.7.4, a lazy loading of package `pbr` will break -# setuptools if some other modules registered functions in `atexit`. -# solution from: http://bugs.python.org/issue15881#msg170215 -try: - import multiprocessing # noqa -except ImportError: - pass - -setuptools.setup( - setup_requires=['pbr>=2.0.0'], - pbr=True) diff --git a/tasks/main.yml b/tasks/main.yml deleted file mode 100644 index 83e812f0..00000000 --- a/tasks/main.yml +++ /dev/null 
@@ -1,97 +0,0 @@ ---- -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - - name: Print warning about role deprecation - debug: - msg: | - ********************************************************************* - ____ _ _ - | _ \ ___ _ __ _ __ ___ ___ __ _| |_ ___ __| | - | | | |/ _ \ '_ \| '__/ _ \/ __/ _` | __/ _ \/ _` | - | |_| | __/ |_) | | | __/ (_| (_| | || __/ (_| | - |____/ \___| .__/|_| \___|\___\__,_|\__\___|\__,_| - |_| - ********************************************************************* - - The openstack-ansible-security role is deprecated and will be retired - soon. 
Please consume the ansible-hardening role to receive the latest - updates: - - https://github.com/openstack/ansible-hardening - - ********************************************************************* - ____ _ _ - | _ \ ___ _ __ _ __ ___ ___ __ _| |_ ___ __| | - | | | |/ _ \ '_ \| '__/ _ \/ __/ _` | __/ _ \/ _` | - | |_| | __/ |_) | | | __/ (_| (_| | || __/ (_| | - |____/ \___| .__/|_| \___|\___\__,_|\__\___|\__,_| - |_| - ********************************************************************* - tags: - - always - - - name: Pause the playbook run to highlight the deprecation warning - pause: - seconds: 30 - tags: - - always - - - name: Gather variables for each operating system - include_vars: "{{ item }}" - with_first_found: - - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml" - - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml" - - "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml" - - "{{ ansible_distribution | lower }}.yml" - - "{{ ansible_os_family | lower }}.yml" - tags: - - always - - - name: Check for check/audit mode - command: /bin/true - register: noop_result - changed_when: False - tags: - - always - - - name: Check to see if we are booting with EFI or UEFI - set_fact: - booted_with_efi: "{{ ansible_mounts | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}" - tags: - - always - - - name: Set facts - set_fact: - check_mode: "{{ noop_result | skipped }}" - linux_security_module: "{{ (ansible_os_family == 'Debian') | ternary('apparmor','selinux') }}" - grub_config_file_boot: "{{ booted_with_efi | ternary(grub_conf_file_efi, grub_conf_file) }}" - tags: - - always - - - name: Check if grub is present on the remote node - stat: - path: "{{ grub_update_cmd.split(' ')[0] }}" - register: grub_update_binary - tags: - - always - - - name: Install EPEL repository - yum: - name: epel-release - state: "{{ security_package_state }}" - when: - 
- ansible_pkg_mgr == 'yum' - - - include: "{{ stig_version }}stig/main.yml" diff --git a/tasks/rhel6stig/aide.yml b/tasks/rhel6stig/aide.yml deleted file mode 100644 index f5da669f..00000000 --- a/tasks/rhel6stig/aide.yml +++ /dev/null 
@@ -1,94 +0,0 @@ ---- -# Copyright 2016, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Verify that AIDE configuration directory exists - stat: - path: /etc/aide/aide.conf.d - register: aide_conf - check_mode: no - tags: - - always - -- name: V-38489 - Exclude certain directories from AIDE - template: - src: ZZ_aide_exclusions.j2 - dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions - when: aide_conf.stat.exists | bool - tags: - - aide - - cat2 - - V-38489 - -- name: Check to see if AIDE database is already in place - stat: - path: "{{ aide_database_file }}" - register: aide_database - check_mode: no - tags: - - always - -- name: V-38489 - Initialize AIDE (this will take a few minutes) - command: "aideinit" - changed_when: false - register: aide_init - when: - - aide_conf.stat.exists | bool - - not aide_database.stat.exists | bool - - security_initialize_aide | bool - tags: - - aide - - cat2 - - V-38489 - -# NOTE(mhayden): This is only needed for CentOS 7 and RHEL 7 since Ubuntu -# copies the new AIDE database into place automatically with its AIDE wrapper -# script. -- name: V-38489 - Move AIDE database into place - command: "mv /var/lib/aide/aide.db.new.gz {{ aide_database_file }}" - changed_when: false - when: - - aide_init | changed - - ansible_os_family | lower == 'redhat' - tags: - - aide - - cat2 - - V-38489 - -# NOTE(mhayden): This is only needed for CentOS 7 and RHEL 7 since the AIDE -# package doesn't come with a cron job file. 
Ubuntu packages a cron job for -# AIDE checks already. -- name: Create AIDE cron job (for V-38670) - cron: - name: aide - cron_file: aide - user: root - special_time: daily - job: "aide --check" - when: - - ansible_os_family | lower == 'redhat' - tags: - - aide - - cat2 - - V-38670 - -- name: Check for AIDE cron job (for V-38670) - stat: - path: "{{ aide_cron_job_path }}" - register: v38670_result - changed_when: False - tags: - - aide - - cat2 - - V-38670 diff --git a/tasks/rhel6stig/apt.yml b/tasks/rhel6stig/apt.yml deleted file mode 100644 index 77b46039..00000000 --- a/tasks/rhel6stig/apt.yml +++ /dev/null 
@@ -1,129 +0,0 @@ ---- -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Update apt if needed - apt: - update_cache: yes - cache_valid_time: "{{ cache_timeout }}" - tags: - - auditd-apt-packages - -# Notes for V-38476 ########################################################### -# -# These GPG keys are valid as of Ubuntu 14.04 in late 2015, but they could -# change or additional keys may be added in the future. -# -- name: Gather current GPG keys for apt (for V-38476) - command: apt-key list - register: v38476_result - changed_when: "v38476_result.rc != 0" - check_mode: no - -- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. - fail: - msg: "Missing Ubuntu Archive signing keys" - when: "'437D05B5' not in v38476_result.stdout or 'C0B21F32' not in v38476_result.stdout" - tags: - - package - - cat1 - - V-38476 - -# Notes for V-38462 ########################################################### -# -# Ubuntu checks packages against GPG signatures by default. It can be turned -# off for all package installations by a setting in /etc/apt/apt.conf.d and we -# search for that here. Users can pass an argument on the apt command line -# to bypass the checks as well, but that's outside the scope of this check -# and remediation. 
-# -- name: Search for AllowUnauthenticated in /etc/apt/apt.conf.d/ (for V-38462) - command: grep -r '^[^#].*AllowUnauthenticated \"true\"' /etc/apt/apt.conf.d/ - register: v38462_result - changed_when: False - failed_when: False - check_mode: no - tags: - - package - - cat1 - - V-38462 - -- name: V-38462 - Package management tool must verify authenticity of packages - fail: - msg: "Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified." - when: "v38462_result.rc == 0" - tags: - - package - - cat1 - - V-38462 - -- name: Install unattended-upgrades package (for V-38481) - apt: - name: unattended-upgrades - state: "{{ security_package_state }}" - when: security_unattended_upgrades_enabled | bool - tags: - - package - - cat2 - - V-38481 - -- name: V-38481 - System security patches and updates must be installed and up-to-date - copy: - src: 20auto-upgrades - dest: /etc/apt/apt.conf.d/20auto-upgrades - when: security_unattended_upgrades_enabled | bool - tags: - - package - - cat2 - - V-38481 - -- name: Enable unattended upgrades notifications (for V-38481) - lineinfile: - dest: /etc/apt/apt.conf.d/50unattended-upgrades - regexp: '^(\/\/)?Unattended-Upgrade::Mail "root";' - line: 'Unattended-Upgrade::Mail "root";' - create: yes - when: - - security_unattended_upgrades_enabled | bool - - security_unattended_upgrades_notifications | bool - tags: - - package - - cat2 - - V-38481 - -- name: Add or remove packages based on STIG requirements - apt: - name: "{{ stig_packages | selectattr('enabled') | selectattr('state', 'equalto', item) | sum(attribute='packages', start=[]) }}" - state: "{{ item }}" - with_items: - - "{{ stig_packages | selectattr('enabled') | map(attribute='state') | unique | list }}" - tags: - - cat1 - - auth - - services - - V-38439 # install: aide, aide-common - - V-38620 # install: chrony - - V-38624 # install: logrotate - - V-38631 # install: auditd_pkg - - V-38632 # install: auditd_pkg - - V-38637 # install: 
debsums - - V-38669 # install: postfix - - V-51337 # install: apparmor - - V-38583 # remove: xinetd - - V-38587 # remove: telnet-server - - V-38591 # remove: rsh-server - - V-38603 # remove: ypserv - - V-38606 # remove: tftp-server - - V-38627 # remove: openldap-servers - - V-38671 # remove: sendmail diff --git a/tasks/rhel6stig/auditd.yml b/tasks/rhel6stig/auditd.yml deleted file mode 100644 index 7eed5769..00000000 --- a/tasks/rhel6stig/auditd.yml +++ /dev/null 
@@ -1,290 +0,0 @@ ---- -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: V-38631/38632 - The operating system must produce audit records (start auditd) - service: - name: auditd - state: started - enabled: true - when: not check_mode - tags: - - auditd - - cat2 - - V-38632 - - V-38631 - -- name: Verify that auditd.conf exists - stat: - path: /etc/audit/auditd.conf - register: auditd_conf - check_mode: no - tags: - - auditd - - always - -- name: V-38633 - The system must set a maximum audit log file size - lineinfile: - dest: /etc/audit/auditd.conf - regexp: "^(#)?max_log_file(?!_action)" - line: "max_log_file = {{ security_max_log_file }}" - when: auditd_conf.stat.exists | bool - notify: - - restart auditd - tags: - - auditd - - cat2 - - V-38633 - -- name: V-38634 - The system must rotate audit log files that reach the max file size - lineinfile: - dest: /etc/audit/auditd.conf - regexp: "^(#)?max_log_file_action =" - line: "max_log_file_action = {{ security_max_log_file_action }}" - when: auditd_conf.stat.exists | bool - notify: - - restart auditd - tags: - - auditd - - cat2 - - V-38634 - -- name: V-38636 - The system must retain enough rotated audit logs to cover the required log retention period. 
- lineinfile: - dest: /etc/audit/auditd.conf - regexp: "^(#)?num_logs =" - line: "num_logs = {{ security_num_logs }}" - when: auditd_conf.stat.exists | bool - notify: - - restart auditd - tags: - - auditd - - cat2 - - V-38636 - -# The debsums command returns 0 if the files haven't been altered but it -# returns 2 otherwise. We also will check to see if auditd has been installed -# and fail if it's not installed. -- name: Checking auditd package contents for alterations with debsums (for V-38637) - command: debsums auditd -c - register: v38637_result - changed_when: False - failed_when: "'not installed' in v38637_result.stdout" - when: ansible_pkg_mgr == 'apt' - tags: - - auditd - - cat2 - - V-38637 - -- name: V-38637 - Contents of auditd package must be verified - fail: - msg: "Could not verify that files from auditd package are unaltered" - when: - - not check_mode - - ansible_pkg_mgr == 'apt' - - v38637_result.rc == 2 - tags: - - auditd - - cat2 - - V-38637 - -- name: Check audit package contents for alterations with rpm (for V-38637) - shell: "rpmverify audit audit-libs | grep -v '\\.conf$' | wc -l" - register: v38637_result - changed_when: False - when: ansible_pkg_mgr == 'yum' - tags: - - auditd - - cat2 - - V-38637 - -- name: V-38637 - Contents of auditd package must be verified - fail: - msg: "Could not verify that files from auditd package are unaltered" - when: - - not check_mode - - ansible_pkg_mgr == 'yum' - - v38637_result.stdout != "0" - tags: - - auditd - - cat2 - - V-38637 - -- name: Verify that auditd log directory exists (for V-38445) - stat: - path: /var/log/audit/ - register: auditd_log_dir - check_mode: no - tags: - - auditd - - always - -- name: V-38445 - Audit log files must be group-owned by root - file: - dest: /var/log/audit/ - group: root - recurse: true - when: auditd_log_dir.stat.exists | bool - tags: - - auditd - - cat2 - - V-38445 - -- name: V-38464 - The audit system must take action for disk errors - lineinfile: - dest: 
/etc/audit/auditd.conf - regexp: "^(#)?disk_error_action" - line: "disk_error_action = {{ security_disk_error_action }}" - when: auditd_conf.stat.exists | bool - notify: - - restart auditd - tags: - - auditd - - cat2 - - V-38464 - -- name: V-38468 - The audit system must take action when the disk is full - lineinfile: - dest: /etc/audit/auditd.conf - regexp: "^(#)?disk_full_action" - line: "disk_full_action = {{ security_disk_full_action }}" - when: auditd_conf.stat.exists | bool - notify: - - restart auditd - tags: - - auditd - - cat2 - - V-38468 - -- name: V-38678 - Lower limit of available disk space when auditd triggers space_left_action - lineinfile: - dest: /etc/audit/auditd.conf - regexp: "^(#)?space_left(?!_action)" - line: "space_left = {{ security_space_left }}" - when: auditd_conf.stat.exists | bool - notify: - - restart auditd - tags: - - auditd - - cat2 - - V-38678 - -- name: V-38470 - The audit system must take action when the disk is almost full - lineinfile: - dest: /etc/audit/auditd.conf - regexp: "^(#)?space_left_action" - line: "space_left_action = {{ security_space_left_action }}" - when: auditd_conf.stat.exists | bool - notify: - - restart auditd - tags: - - auditd - - cat2 - - V-38470 - -- name: V-38680 - Audit system must send email notifications when storage capacity is low - lineinfile: - dest: /etc/audit/auditd.conf - regexp: "^(#)?action_mail_acct" - line: "action_mail_acct = {{ security_action_mail_acct }}" - when: auditd_conf.stat.exists | bool - notify: - - restart auditd - tags: - - auditd - - cat2 - - V-38680 - -- name: V-38495 - Audit log files must be owned by root - file: - dest: /var/log/audit/ - owner: root - recurse: true - when: auditd_log_dir.stat.exists | bool - tags: - - auditd - - cat2 - - V-38495 - -# TODO: Ansible 2.0 offers the find module and that will allow this task to -# avoid using the shell module to get a list of logs. This task should be -# adjusted to use the find module when Ansible 2.0 is fully released. 
-- name: Get a list of audit logs in the auditd directory (for V-38498) - command: ls /var/log/audit/ - register: v38498_result - changed_when: false - when: auditd_log_dir.stat.exists | bool - tags: - - auditd - - cat2 - - V-38498 - -# On most systems, the active log file is 0600 and the older logs are 0400. -# This task ensures that all logs meet or exceed the STIG requirement. -- name: V-38498 - Audit log files must have mode 0640 or less - file: - dest: "/var/log/audit/{{ item }}" - mode: "u-x,g-wx,o-rwx" - with_items: "{{ v38498_result.stdout_lines | default([]) }}" - when: auditd_log_dir.stat.exists | bool - tags: - - auditd - - cat2 - - V-38498 - -- name: Remove system default audit.rules file - file: - path: /etc/audit/rules.d/audit.rules - state: absent - notify: - - generate auditd rules - tags: - - always - -- name: Auditd rules (includes several STIGs) - template: - src: osas-auditd.j2 - dest: /etc/audit/rules.d/osas-auditd.rules - notify: - - generate auditd rules - tags: - - auditd - - cat3 - -- name: V-38471 - Forward auditd records to syslog - lineinfile: - dest: /etc/audisp/plugins.d/syslog.conf - regexp: "^(#)?active" - line: "active = yes" - state: present - when: auditd_conf.stat.exists | bool - notify: - - restart auditd - tags: - - auditd - - cat3 - - V-38471 - -- name: V-54381 - The audit system must switch to single user mode when disk space is low - lineinfile: - dest: /etc/audit/auditd.conf - regexp: "^(#)?admin_space_left_action" - line: "admin_space_left_action = {{ security_admin_space_left_action }}" - when: auditd_conf.stat.exists | bool - notify: - - restart auditd - tags: - - auditd - - cat2 - - V-54381 diff --git a/tasks/rhel6stig/auth.yml b/tasks/rhel6stig/auth.yml deleted file mode 100644 index 9511029d..00000000 --- a/tasks/rhel6stig/auth.yml +++ /dev/null 
@@ -1,408 +0,0 @@ ---- -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: V-38475 - Set minimum length for passwords - lineinfile: - dest: /etc/login.defs - regexp: "^(#)?PASS_MIN_LEN" - line: "PASS_MIN_LEN {{ security_password_minimum_length }}" - when: security_password_minimum_length is defined - tags: - - auth - - cat2 - - V-38475 - -- name: V-38477 - Set minimum time for password changes - lineinfile: - dest: /etc/login.defs - regexp: "^(#)?PASS_MIN_DAYS" - line: "PASS_MIN_DAYS {{ security_password_minimum_days }}" - when: security_password_minimum_days is defined - tags: - - auth - - cat2 - - V-38477 - -- name: V-38479 - Set maximum age for passwords - lineinfile: - dest: /etc/login.defs - regexp: "^(#)?PASS_MAX_DAYS" - line: "PASS_MAX_DAYS {{ security_password_maximum_days }}" - when: security_password_maximum_days is defined - tags: - - auth - - cat2 - - V-38479 - -- name: V-38480 - Warn users prior to password expiration - lineinfile: - dest: /etc/login.defs - regexp: "^(#)?PASS_WARN_AGE" - line: "PASS_WARN_AGE {{ security_password_warn_age }}" - when: security_password_warn_age is defined - tags: - - auth - - cat3 - - V-38480 - -- name: V-38496 - Get all system accounts - shell: "awk -F: '$1 !~ /^root$/ && $3 < 500 {print $1}' /etc/passwd" - register: v38496_system_users - changed_when: False - check_mode: no - tags: - - auth - - cat2 - - V-38496 - -- name: V-38496 - Loop through system accounts to find unlocked 
accounts - shell: "awk -F: '$1 ~ /^{{ item }}$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow" - register: v38496_unlocked_system_users - changed_when: False - check_mode: no - with_items: "{{ v38496_system_users.stdout_lines | default([]) }}" - tags: - - auth - - cat2 - - V-38496 - -# We need to loop through our list of accounts and get the ones that were -# returned by the awk command in the previous task. -- name: V-38496 - Gather problematic system accounts - set_fact: - v38496_violations: "{{ v38496_unlocked_system_users.results | map(attribute='stdout') | reject('equalto', '') | join(', ') }}" - tags: - - auth - - cat2 - - V-38496 - -# The playbook will fail here if any default system accounts besides root are -# not locked. -- name: V-38496 - Default operating system accounts (other than root) must be locked - fail: - msg: "System accounts are unlocked: {{ v38496_violations }}" - when: v38496_violations | length > 0 - tags: - - auth - - cat2 - - V-38496 - -- name: V-38497 - The system must not have accounts configured with blank or null passwords. (Ubuntu) - lineinfile: - dest: "{{ pam_auth_file }}" - state: present - regexp: "^(.*)nullok_secure(.*)$" - line: '\1\2' - backup: yes - backrefs: yes - when: - - ansible_os_family == 'Debian' - - security_pam_remove_nullok | bool - tags: - - auth - - cat1 - - V-38497 - -- name: V-38497 - The system must not have accounts configured with blank or null passwords. 
(CentOS) - lineinfile: - dest: "{{ pam_auth_file }}" - state: present - regexp: "^({{ item }}.*sufficient.*)nullok(.*)$" - line: '\1\2' - backup: yes - backrefs: yes - with_items: - - auth - - password - when: - - ansible_os_family == 'RedHat' - - security_pam_remove_nullok | bool - tags: - - auth - - cat1 - - V-38497 - -- name: Check if /etc/hosts.equiv exists (for V-38491) - stat: - path: /etc/hosts.equiv - register: v38491_equiv_check - changed_when: v38491_equiv_check.stat.exists == True - tags: - - auth - - cat1 - - V-38491 - -- name: Check if root has a .rhosts file (for V-38491) - stat: - path: /root/.rhosts - register: v38491_rhosts_check - changed_when: v38491_rhosts_check.stat.exists == True - tags: - - auth - - cat1 - - V-38491 - -- name: V-38491 - No .rhosts or hosts.equiv present on system - fail: - msg: "Remove all .rhosts and hosts.equiv files" - when: v38491_equiv_check.stat.exists == True or v38491_rhosts_check.stat.exists == True - tags: - - auth - - cat1 - - V-38491 - -- name: Check for accounts with UID 0 other than root (for V-38500) - shell: "awk -F: '($1 != \"root\") && ($3 == 0) {print}' /etc/passwd | wc -l" - register: v38500_result - changed_when: v38500_result.stdout != '0' - check_mode: no - tags: - - auth - - cat2 - - V-38500 - -- name: V-38500 - The root account must be the only account with UID 0 - fail: - msg: "Another account besides root has UID 0" - when: v38500_result.stdout != '0' - tags: - - auth - - cat2 - - V-38500 - -# Ban the offending IP for 15 minutes to meet the spirit of the STIG. -# Yes, the bantime we want to modify has two spaces before the equal sign. 
-- name: V-38501 - The system must disable accounts after excessive login failures (configure fail2ban) - template: - src: jail.local.j2 - dest: /etc/fail2ban/jail.d/jail.local - when: security_install_fail2ban | bool - notify: - - restart fail2ban - tags: - - auth - - cat2 - - V-38501 - -- name: Search /etc/passwd for password hashes (for V-38499) - shell: "awk -F: '($2 != \"x\") {print}' /etc/passwd | wc -l" - register: v38499_result - changed_when: False - check_mode: no - tags: - - auth - - cat2 - - V-38499 - -- name: V-38499 - The /etc/passwd file must not contain password hashes - fail: - msg: "Remove password hashes from /etc/password to remediate" - when: "v38499_result.stdout != '0'" - tags: - - auth - - cat2 - - V-38499 - -- name: V-38450 - The /etc/passwd file must be owned by root - file: - path: /etc/passwd - owner: root - tags: - - auth - - cat2 - - V-38450 - -- name: V-38451 - The /etc/passwd file must be group-owned by root - file: - path: /etc/passwd - group: root - tags: - - auth - - cat2 - - V-38451 - -# Ubuntu's default is 0644 already -- name: V-38457 - The /etc/passwd file must have mode 0644 or less permissive - file: - path: /etc/passwd - mode: 0644 - tags: - - auth - - cat2 - - V-38457 - -# SHA512 is the minimum requirement and it happens to be Ubuntu 14.04's default -# hashing algorithm as well. -- name: Check password hashing algorithm used by PAM (for V-38574) - command: "grep '^\\s*password.*pam_unix.*sha512' {{ pam_password_file }}" - register: v38574_result - changed_when: False - failed_when: False - check_mode: no - tags: - - auth - - cat2 - - V-38574 - -# If SHA512 isn't in use for some reason, we should fail and display an error. 
-- name: V-38574 - System must use FIPS 140-2 approved hashing algorithm for passwords (PAM) - fail: - msg: "Must use SHA512 for password hashing (via PAM)" - when: v38574_result.rc != 0 - tags: - - auth - - cat2 - - V-38574 - -- name: Check password hashing algorithm used in login.defs (for V-38576) - command: "grep '^ENCRYPT_METHOD.*SHA512' /etc/login.defs" - register: v38576_result - changed_when: v38576_result.rc != 0 - check_mode: no - tags: - - auth - - cat2 - - V-38576 - -# If SHA512 isn't in use for some reason, we should fail and display an error. -- name: V-38576 - System must use FIPS 140-2 approved hashing algorithm for passwords (login.defs) - fail: - msg: "Must use SHA512 for password hashing (in /etc/login.defs)" - when: v38576_result.rc != 0 - tags: - - auth - - cat2 - - V-38576 - -# Neither Ubuntu or openstack-ansible installs libuser by default, so there's -# no need to install it here unless the deployer has it installed for some -# reason. -- name: Check if libuser is installed (for V-38577) - shell: "dpkg --status libuser | grep '^Status.*ok installed'" - register: v38577_libuser_check - changed_when: False - failed_when: False - check_mode: no - tags: - - auth - - cat2 - - V-38577 - -# Only look at libuser.conf when we are sure that libuser is installed -- name: If libuser is installed, verify hashing algorithm in use (for V-38577) - command: "grep '^crypt_style = sha512' /etc/libuser.conf" - register: v38577_result - when: v38577_libuser_check.rc == 0 - changed_when: v38577_result.rc != 0 - tags: - - auth - - cat2 - - V-38577 - -# If libuser is installed *AND* it's using unacceptable password hashing -# algorithms, throw an error and a failure. 
-- name: V-38577 - System must use FIPS 140-2 approved hashing algorithm for passwords (libuser) - fail: - msg: "libuser isn't configured to use SHA512 hashing for passwords" - when: v38577_libuser_check.rc == 0 and v38577_result.rc != 0 - tags: - - auth - - cat2 - - V-38577 - -- name: V-38681 - Check for missing GID's in /etc/group - shell: "pwck -r | grep 'no group'" - register: v38681_result - changed_when: False - failed_when: v38681_result.rc > 1 - check_mode: no - tags: - - auth - - cat3 - - V-38681 - -- name: V-38681 - All GID's in /etc/passwd must be defined in /etc/group - fail: - msg: "GID's in /etc/passwd aren't in /etc/group" - when: v38681_result.rc != 1 - tags: - - auth - - cat3 - - V-38681 - -- name: V-38692 - Lock inactive accounts - lineinfile: - dest: /etc/default_useradd - regexp: "^(#)?INACTIVE" - line: "INACTIVE {{ security_inactive_account_lock_days }}" - when: security_inactive_account_lock_days is defined - tags: - - auth - - cat3 - - V-38692 - -- name: Checking for accounts with non-unique usernames (for V-38683) - shell: pwck -rq | wc -l - register: v38683_result - changed_when: False - check_mode: no - tags: - - auth - - cat3 - - V-38683 - -- name: V-38683 - All accounts on the system must have unique user/account names - fail: - msg: "Found accounts without unique usernames" - when: v38683_result.stdout != '0' - tags: - - auth - - cat3 - - V-38683 - -- name: Search for sudoers files (for V-58901) - find: - paths: "/etc/sudoers*" - file_type: file - register: v58901_result - check_mode: no - tags: - - auth - - cat2 - - V-58901 - -# The lineinfile module can't be used here since we may need to comment out -# multiple lines. 
-- name: Comment out sudoers lines with NOPASSWD present (for V-58901) - command: "sed -e '/NOPASSWD/ s/^#*/#/' -i {{ item.path }}" - changed_when: false - with_items: "{{ v58901_result.files | default([]) }}" - when: security_sudoers_remove_nopasswd | bool - tags: - - auth - - cat2 - - V-58901 - -# The lineinfile module can't be used here since we may need to comment out -# multiple lines. -- name: Comment out sudoers lines with !authenticate present (for V-58901) - command: "sed -e '/!authenticate/ s/^#*/#/' -i {{ item.path }}" - changed_when: false - with_items: "{{ v58901_result.files | default([]) }}" - when: security_sudoers_remove_authenticate | bool - tags: - - auth - - cat2 - - V-58901 diff --git a/tasks/rhel6stig/boot.yml b/tasks/rhel6stig/boot.yml deleted file mode 100644 index c74e05be..00000000 --- a/tasks/rhel6stig/boot.yml +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Check to see if grub.cfg exists - stat: - path: "{{ grub_conf_file }}" - register: grub_cfg - check_mode: no - -- name: V-38438 - Auditing must be enabled at boot by setting a kernel parameter - lineinfile: - dest: /etc/default/grub.d/99-enable-auditd.cfg - line: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT audit=1"' - create: yes - notify: - - update grub config - tags: - - boot - - cat1 - - V-38438 - when: - - security_enable_audit_during_boot | bool - -- name: V-38579 - Bootloader configuration files must be owned by root - file: - path: "{{ grub_conf_file }}" - owner: root - tags: - - boot - - cat2 - - V-38579 - when: - - grub_cfg.stat.exists - -- name: V-38581 - Bootloader configuration files must be group-owned by root - file: - path: "{{ grub_conf_file }}" - group: root - tags: - - boot - - cat2 - - V-38581 - when: - - grub_cfg.stat.exists - -- name: V-38583 - Bootloader configuration files must have mode 0644 or less - file: - path: "{{ grub_conf_file }}" - mode: 0644 - tags: - - boot - - cat2 - - V-38583 - when: grub_cfg.stat.exists diff --git a/tasks/rhel6stig/console.yml b/tasks/rhel6stig/console.yml deleted file mode 100644 index 3754a6c8..00000000 --- a/tasks/rhel6stig/console.yml +++ /dev/null 
@@ -1,61 +0,0 @@ ---- -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: V-38668 - The x86 Ctrl-Alt-Delete key sequence must be disabled (init) - lineinfile: - dest: /etc/init/control-alt-delete.conf - regexp: '^(#)?exec shutdown -r now "Control-Alt-Delete pressed"' - line: '#exec shutdown -r now "Control-Alt-Delete pressed"' - state: present - when: - - ansible_service_mgr != 'systemd' - tags: - - console - - cat1 - - V-38668 - -# This returns an exit code of 0 if it's running, 3 if it's masked. -- name: Check if ctrl-alt-del.target is already masked (systemd) - command: systemctl status ctrl-alt-del.target - register: cad_mask_check - changed_when: False - check_mode: no - failed_when: False - when: - - ansible_service_mgr == 'systemd' - tags: - - always - - console - - cat1 - - V-38668 - -- name: V-38668 - The x86 Ctrl-Alt-Delete key sequence must be disabled (systemd) - command: systemctl mask ctrl-alt-del.target - when: - - ansible_service_mgr == 'systemd' - - "'masked' in cad_mask_check.stdout" - tags: - - console - - cat1 - - V-38668 - -- name: V-38593 - Display a login banner for console prompts - copy: - src: login_banner.txt - dest: /etc/issue.net - tags: - - console - - cat2 - - V-38593 diff --git a/tasks/rhel6stig/file_perms.yml b/tasks/rhel6stig/file_perms.yml deleted file mode 100644 index 23b634a0..00000000 --- a/tasks/rhel6stig/file_perms.yml +++ /dev/null 
@@ -1,188 +0,0 @@ ---- -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: V-38443 - The /etc/gshadow file must be owned by root - file: - dest: /etc/gshadow - owner: root - tags: - - file_perms - - cat2 - - V-38443 - -- name: V-38448 - The /etc/gshadow file must be group-owned by root - file: - dest: /etc/gshadow - group: root - tags: - - file_perms - - cat2 - - V-38448 - -- name: V-38449 - The /etc/gshadow file must have mode 0000 - file: - dest: /etc/gshadow - mode: 0000 - tags: - - file_perms - - cat2 - - V-38449 - -- name: V-38458 - The /etc/group file must be owned by root - file: - dest: /etc/group - owner: root - tags: - - file_perms - - cat2 - - V-38458 - -- name: V-38459 - The /etc/group file must be group-owned by root - file: - dest: /etc/group - group: root - tags: - - file_perms - - cat2 - - V-38459 - -- name: V-38461 - The /etc/group file must have mode 0644 or less - file: - dest: /etc/group - mode: 0644 - tags: - - file_perms - - cat2 - - V-38461 - -# NOTE(mhayden): The log directory permissions change each time auditd is -# restarted. This causes the idempotent checks to fail and that's why there is -# a 'changed_when: False' on this task. 
-- name: V-38493 - Audit log directories must have mode 0755 or less - file: - dest: /var/log/audit/ - state: directory - mode: 0750 - changed_when: False - tags: - - file_perms - - cat2 - - V-38493 - -- name: V-38502 - The /etc/shadow file must be owned by root - file: - dest: /etc/shadow - owner: root - tags: - - file_perms - - cat2 - - V-38502 - -- name: V-38503 - The /etc/shadow file must be group-owned by root - file: - dest: /etc/shadow - group: root - tags: - - file_perms - - cat2 - - V-38503 - -- name: V-38504 - The /etc/shadow file must have mode 0000 - file: - dest: /etc/shadow - mode: 0000 - tags: - - file_perms - - cat2 - - V-38504 - -# This change will go into effect on the next log rotation. -- name: V-38623 - All rsyslog-generated files must have mode 0600 or less - lineinfile: - dest: /etc/rsyslog.conf - regexp: "^(#)?\\$FileCreateMode" - line: "$FileCreateMode 0600" - notify: - - restart rsyslog - tags: - - file_perms - - cat2 - - V-38623 - -# BEGIN: UMASK ADJUSTMENTS #################################################### -# Please read the documentation and the comments in defaults/main.yml prior -# to making any umask-related changes. - -# Ubuntu 14.04 and CentOS 7 both have a default umask set to 022 already. -- name: V-38642 - System default umask for daemons must be 027 or 022 - lineinfile: - dest: "{{ daemon_init_params_file }}" - regexp: "^umask " - line: "umask {{ security_umask_daemons_init }}" - when: security_umask_daemons_init is defined - tags: - - file_perms - - cat3 - - V-38642 - -# Ubuntu 14.04's default umask in /etc/login.defs is 022 -- name: V-38645 - System default umask in /etc/login.defs must be 077 - lineinfile: - dest: /etc/login.defs - regexp: "^UMASK" - line: "UMASK {{ security_umask_login_defs }}" - when: security_umask_login_defs is defined - tags: - - file_perms - - cat3 - - V-38645 - -# Ubuntu 14.04 and openstack-ansible don't install csh by default. 
We will -# check if csh is installed and then apply the umask setting if needed. -- name: Check if csh is installed (for V-38649) - shell: dpkg --status csh | grep ^Status | grep "ok installed" - register: v38649_result - changed_when: False - failed_when: False - when: security_umask_csh is defined - tags: - - file_perms - - cat3 - - V-38649 - -- name: V-38649 - System default umask for csh must be 077 - lineinfile: - dest: /etc/csh.cshrc - regexp: "^(#)?umask" - line: "umask {{ security_umask_csh }}" - create: yes - when: security_umask_csh is defined and v38649_result.rc == 0 - tags: - - file_perms - - cat3 - - V-38649 - -- name: V-38651 - System default umask for bash must be 077 - lineinfile: - dest: /etc/bash.bashrc - regexp: "^(#)?umask" - line: "umask {{ security_umask_bash }}" - when: security_umask_bash is defined - tags: - - file_perms - - cat3 - - V-38651 - -# END: UMASK ADJUSTMENTS ###################################################### diff --git a/tasks/rhel6stig/kernel.yml b/tasks/rhel6stig/kernel.yml deleted file mode 100644 index dc7c23d0..00000000 --- a/tasks/rhel6stig/kernel.yml +++ /dev/null 
@@ -1,222 +0,0 @@ ---- -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: V-38528 - The system must log martian packets - sysctl: - name: net.ipv4.conf.all.log_martians - value: "{{ (security_sysctl_enable_martian_logging | bool) | ternary('1', '0') }}" - state: present - sysctl_set: yes - tags: - - kernel - - cat3 - - V-38528 - -# This is the default in Ubuntu 14.04 -- name: V-38537 - The system must ignore ICMPv4 bogus error responses - sysctl: - name: net.ipv4.icmp_ignore_bogus_error_responses - value: 1 - state: present - sysctl_set: yes - tags: - - kernel - - cat3 - - V-38537 - -# This is the default in Ubuntu 14.04 -- name: V-38535 - The system must not respond to ICMPv4 sent to the broadcast address - sysctl: - name: net.ipv4.icmp_echo_ignore_broadcasts - value: 1 - state: present - sysctl_set: yes - tags: - - kernel - - cat3 - - V-38535 - -- name: V-38539 - Enable TCP syncookies - sysctl: - name: net.ipv4.tcp_syncookies - value: "{{ (security_sysctl_enable_tcp_syncookies | bool) | ternary('1', '0') }}" - state: present - sysctl_set: yes - tags: - - kernel - - cat2 - - V-38539 - -# This is the default in Ubuntu 14.04 -- name: V-38596 - Enable virtual address space randomization - sysctl: - name: kernel.randomize_va_space - value: 2 - state: present - sysctl_set: yes - tags: - - kernel - - cat2 - - V-38596 - -- name: V-38600 - Disable sending ICMPv4 redirects - sysctl: - name: net.ipv4.conf.default.send_redirects - 
value: 0 - state: present - sysctl_set: yes - tags: - - kernel - - cat2 - - V-38600 - -- name: V-38601 - Disable sending ICMPv4 redirects on all interfaces - sysctl: - name: net.ipv4.conf.all.send_redirects - value: 0 - state: present - sysctl_set: yes - tags: - - kernel - - cat2 - - V-38601 - -- name: V-38490 - Disable usb-storage module - lineinfile: - dest: /etc/modprobe.d/V-38490-disable-usb-storage.conf - line: "install usb-storage /bin/true" - create: yes - when: security_disable_module_usb_storage | bool - tags: - - kernel - - cat2 - - V-38490 - -- name: V-38514 - Disable DCCP - lineinfile: - dest: /etc/modprobe.d/V-38514-disable-dccp.conf - line: "install dccp /bin/true" - create: yes - when: security_disable_module_dccp | bool - tags: - - kernel - - cat2 - - V-38514 - -- name: V-38515 - Disable SCTP - lineinfile: - dest: /etc/modprobe.d/V-38515-disable-sctp.conf - line: "install sctp /bin/true" - create: yes - when: security_disable_module_sctp | bool - tags: - - kernel - - cat2 - - V-38515 - -- name: V-38516 - Disable RDS - lineinfile: - dest: /etc/modprobe.d/V-38516-disable-rds.conf - line: "install rds /bin/true" - create: yes - when: security_disable_module_rds | bool - tags: - - kernel - - cat3 - - V-38516 - -- name: V-38517 - Disable TIPC - lineinfile: - dest: /etc/modprobe.d/V-38517-disable-tipc.conf - line: "install tipc /bin/true" - create: yes - when: security_disable_module_tipc | bool - tags: - - kernel - - cat2 - - V-38517 - -- name: Disable IPv6 - sysctl: - name: "{{ item }}" - value: 1 - state: present - sysctl_set: yes - with_items: - - net.ipv6.conf.all.disable_ipv6 - - net.ipv6.conf.default.disable_ipv6 - when: security_disable_ipv6 | bool - tags: - - kernel - - cat2 - - V-38546 - -- name: V-38682 - Disable bluetooth module - copy: - src: V-38682-modprobe.conf - dest: /etc/modprobe.d/disable-bluetooth.conf - when: security_disable_module_bluetooth | bool - tags: - - kernel - - cat2 - - V-38682 - -- name: V-38524 - The system must not 
accept ICMPv4 redirect packets on any interface - sysctl: - name: net.ipv4.conf.all.accept_redirects - value: 0 - state: present - sysctl_set: yes - when: security_disable_icmpv4_redirects | bool - tags: - - kernel - - cat2 - - V-38524 - -- name: CVE-2016-5696 - Sets the global challenge ACK counter to a large value - sysctl: - name: net.ipv4.tcp_challenge_ack_limit - value: 1073741823 - state: present - sysctl_set: yes - when: security_set_tcp_challenge_ack_limit | bool - tags: - - kernel - - cat3 - - CVE-2016-5696 - -- name: V-38526 - The system must not accept ICMPv4 secure redirect packets on any interface - sysctl: - name: net.ipv4.conf.all.secure_redirects - value: 0 - state: present - sysctl_set: yes - when: security_disable_icmpv4_redirects_secure | bool - tags: - - kernel - - cat2 - - V-38526 - -- name: V-38548 - The system must ignore ICMPv6 redirects by default - sysctl: - name: net.ipv6.conf.all.accept_redirects - value: 0 - state: present - sysctl_set: yes - when: security_disable_icmpv6_redirects | bool - tags: - - kernel - - cat2 - - V-38548 diff --git a/tasks/rhel6stig/lsm.yml b/tasks/rhel6stig/lsm.yml deleted file mode 100644 index f3832b0d..00000000 --- a/tasks/rhel6stig/lsm.yml +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -# Copyright 2016, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Ensure AppArmor is running (for V-51337) - service: - name: apparmor - state: started - enabled: yes - when: - - ansible_os_family == "Debian" - - security_enable_linux_security_module | bool - - not check_mode - tags: - - cat2 - - V-51337 - -- name: Ensure SELinux is in enforcing mode on the next reboot (for V-51337) - selinux: - state: enforcing - policy: targeted - register: selinux_status_change - when: - - ansible_os_family == "RedHat" - - security_enable_linux_security_module | bool - - not check_mode - tags: - - cat2 - - V-51337 - -- name: Relabel files on next boot if SELinux mode changed (for V-51337) - file: - path: /.autorelabel - state: touch - when: - - ansible_os_family == "RedHat" - - security_enable_linux_security_module | bool - - selinux_status_change | changed - tags: - - cat2 - - V-51337 diff --git a/tasks/rhel6stig/mail.yml b/tasks/rhel6stig/mail.yml deleted file mode 100644 index a5f58f59..00000000 --- a/tasks/rhel6stig/mail.yml +++ /dev/null 
@@ -1,72 +0,0 @@ ---- -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: V-38669 - The postfix service must be enabled for mail delivery (enable postfix) - service: - name: postfix - state: started - enabled: yes - when: not check_mode - tags: - - mail - - cat3 - - V-38669 - -- name: V-38669 - Use only IPv4 addresses in mynetworks if IPv6 is disabled - lineinfile: - dest: /etc/postfix/main.cf - regexp: "^(#)?mynetworks" - line: "mynetworks = 127.0.0.0/8" - when: security_disable_ipv6 | bool - tags: - - mail - - cat3 - - V-38669 - -# Be sure to set security_root_forward_email so that this task is executed. See -# the documentation for more details. -- name: V-38446 - Mail system must forward root's email - lineinfile: - dest: /etc/aliases - regexp: "^root" - line: "root: {{ security_root_forward_email }}" - when: security_root_forward_email is defined - notify: - - rehash aliases - tags: - - mail - - cat2 - - V-38446 - -- name: Verify that Postfix's main.cf exists - stat: - path: /etc/postfix/main.cf - register: postfix_main_cf - check_mode: no - tags: - - always - -- name: V-38622 - Mail relaying must be restricted - lineinfile: - dest: /etc/postfix/main.cf - regexp: "^(#)?inet_interfaces" - line: "inet_interfaces = {{ security_postfix_inet_interfaces }}" - when: postfix_main_cf.stat.exists | bool - notify: - - restart postfix - tags: - - mail - - cat2 - - V-38622 
diff --git a/tasks/rhel6stig/main.yml b/tasks/rhel6stig/main.yml deleted file mode 100644 index 1144473c..00000000 --- a/tasks/rhel6stig/main.yml +++ /dev/null @@ -1,42 +0,0 @@ ---- -# Copyright 2016, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - - include: apt.yml - static: no - when: ansible_pkg_mgr == 'apt' - tags: - - apt - - package - - - include: rpm.yml - static: no - when: ansible_pkg_mgr == 'yum' or ansible_pkg_mgr == 'dnf' - tags: - - package - - rpm - - - include: aide.yml - - include: auditd.yml - - include: auth.yml - - include: boot.yml - - include: console.yml - - include: file_perms.yml - - include: kernel.yml - - include: lsm.yml - - include: mail.yml - - include: misc.yml - - include: nfsd.yml - - include: services.yml - - include: sshd.yml diff --git a/tasks/rhel6stig/misc.yml b/tasks/rhel6stig/misc.yml deleted file mode 100644 index 1d178542..00000000 --- a/tasks/rhel6stig/misc.yml +++ /dev/null 
@@ -1,339 +0,0 @@ ---- -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: V-38670 - System must detect unauthorized changes to software and information - fail: - msg: "AIDE cron job is missing" - when: - - not check_mode - - v38670_result.stat.exists == False - tags: - - cat2 - - V-38670 - -- name: Search for .netrc files (for V-38619) - shell: find /root /home -xdev -name .netrc | wc -l - register: v38619_result - changed_when: False - check_mode: no - tags: - - cat2 - - V-38619 - -- name: V-38619 - There must be no .netrc files on the system - fail: - msg: ".netrc files found -- they must be removed" - when: v38619_result.stdout != '0' - tags: - - cat2 - - V-38619 - -- name: V-38620 - Synchronize system clock (enable chrony) - service: - name: "{{ chrony_service }}" - state: started - enabled: yes - when: - - not check_mode - - security_enable_chrony | bool - tags: - - cat2 - - V-38620 - -- name: V-38620 - Synchronize system clock (configuration file) - template: - src: chrony.conf.j2 - dest: "{{ chrony_conf_file }}" - when: - - not check_mode - - security_enable_chrony | bool - notify: - - restart chrony - tags: - - cat2 - - V-38620 - -- name: Check for logrotate cron job (for V-38624) - stat: - path: /etc/cron.daily/logrotate - register: v38624_result - tags: - - cat3 - - V-38624 - -- name: V-38624 - System logs must be rotated daily (verify cron job) - fail: - msg: "Cron job for logrotate is missing" - when: - - not 
check_mode - - not v38624_result.stat.exists | bool - tags: - - cat3 - - V-38624 - -- name: Check if samba is installed (for V-38656) - stat: - path: /etc/samba/smb.conf - register: v38656_result - changed_when: false - tags: - - cat3 - - V-38656 - -- name: V-38656 - System must use SMB client signing - lineinfile: - dest: /etc/samba/smb.conf - regexp: "^(;)?client signing" - line: "client signing = mandatory" - insertafter: "############ Misc ############" - when: v38656_result.stat.exists | bool - notify: - - restart samba - tags: - - cat3 - - V-38656 - -- name: Check if SNMP daemon is installed using dpkg (for V-38660) - shell: "dpkg --status snmpd | grep \"^Status:.*ok installed\"" - register: v38660_snmpd_apt - changed_when: False - failed_when: False - check_mode: no - when: ansible_pkg_mgr == 'apt' - tags: - - cat2 - - V-38660 - -- name: Check if SNMP daemon is installed using rpm (for V-38660) - shell: "rpm -qi net-snmp" - register: v38660_snmpd_rpm - changed_when: False - failed_when: False - check_mode: no - when: ansible_pkg_mgr == 'yum' - tags: - - cat2 - - V-38660 - - skip_ansible_lint - -- name: Set fact for SNMP being installed - set_fact: - snmpd_installed: True - when: | - (v38660_snmpd_apt.rc is defined and v38660_snmpd_apt.rc == 0) or - (v38660_snmpd_rpm.rc is defined and v38660_snmpd_rpm.rc == 0) - tags: - - cat2 - - V-38660 - -# We shouldn't get any output from this grep since it looks for configuration -# lines for the SNMP v1 and v2c protocols. 
-- name: Check for insecure SNMP protocols (for V-38660) - shell: "egrep 'v1|v2c|com2sec|community' /etc/snmp/snmpd.conf | grep -v '^\\s*#'" - register: v38660_result - changed_when: False - failed_when: False - check_mode: no - when: - - snmpd_installed is defined - - snmpd_installed | bool - tags: - - cat2 - - V-38660 - -- name: V-38660 - The snmpd service must only use SNMPv3 or newer - fail: - msg: "Insecure SNMP configuration found -- use SNMPv3 only" - when: - - not check_mode - - snmpd_installed is defined - - snmpd_installed | bool - - v38660_result.rc == 0 - tags: - - cat2 - - V-38660 - -- name: V-38675 - Process core dump must be disabled - lineinfile: - dest: /etc/security/limits.d/V-38675-coredump.conf - line: "* hard core 0" - create: yes - when: security_disable_core_dumps is defined - tags: - - cat3 - - V-38675 - -- name: V-38684 - Maximum simultaneous logins per user - lineinfile: - dest: /etc/security/limits.d/V-38684-maxlogins.conf - line: "* hard maxlogins {{ security_max_simultaneous_logins }}" - create: yes - when: security_max_simultaneous_logins is defined - tags: - - cat3 - - V-38684 - -- name: Check if vsftpd installed using dpkg (for V-38599 and V-38702) - shell: "dpkg --status vsftpd | grep \"^Status:.*ok installed\"" - register: v38599_vsftpd_apt - changed_when: False - failed_when: False - check_mode: no - when: ansible_pkg_mgr == 'apt' - tags: - - cat2 - - cat3 - - V-38599 - - V-38702 - -- name: Check if vsftpd installed using rpm (for V-38599 and V-38702) - shell: "rpm -qi vsftpd" - register: v38599_vsftpd_rpm - changed_when: False - failed_when: False - check_mode: no - when: ansible_pkg_mgr == 'yum' - tags: - - cat2 - - cat3 - - V-38599 - - V-38702 - - skip_ansible_lint - -- name: Set fact for vsftpd being installed - set_fact: - vsftpd_installed: True - when: | - (v38599_vsftpd_apt.rc is defined and v38599_vsftpd_apt.rc == 0) or - (v38599_vsftpd_rpm.rc is defined and v38599_vsftpd_rpm.rc == 0) - tags: - - cat2 - - cat3 - - V-38599 
- - V-38702 - -- name: Copy login banner (for V-38599) - copy: - src: login_banner.txt - dest: /etc/issue.net - when: - - vsftpd_installed is defined - - vsftpd_installed | bool - notify: - - restart vsftpd - tags: - - cat2 - - V-38599 - -- name: V-38599 - Set warning banner for FTPS/FTP logins - lineinfile: - dest: "{{ vsftpd_conf_file }}" - regexp: "^(#)?banner_file" - line: "banner_file=/etc/issue.net" - when: - - vsftpd_installed is defined - - vsftpd_installed | bool - notify: - - restart vsftpd - tags: - - cat2 - - V-38599 - -- name: V-38702 - Enable xferlog - lineinfile: - dest: "{{ vsftpd_conf_file }}" - regexp: "^(#)?xferlog_enable" - line: "xferlog_enable=YES" - when: - - vsftpd_installed is defined - - vsftpd_installed | bool - notify: - - restart vsftpd - tags: - - cat3 - - V-38702 - -- name: V-38702 - Disable xferlog_std_format - lineinfile: - dest: "{{ vsftpd_conf_file }}" - regexp: "^(#)?xferlog_std_format" - line: "xferlog_std_format=NO" - when: - - vsftpd_installed is defined - - vsftpd_installed | bool - notify: - - restart vsftpd - tags: - - cat3 - - V-38702 - -- name: V-38702 - Enable log_ftp_protocol - lineinfile: - dest: "{{ vsftpd_conf_file }}" - regexp: "^(#)?log_ftp_protocol" - line: "log_ftp_protocol=YES" - when: - - vsftpd_installed is defined - - vsftpd_installed | bool - notify: - - restart vsftpd - tags: - - cat3 - - V-38702 - -- name: V-38674 - X Windows must not be enabled (upstart) - lineinfile: - dest: /etc/init/rc-sysinit.conf - regexp: "^env DEFAULT_RUNLEVEL" - line: "env DEFAULT_RUNLEVEL=2" - when: - - security_disable_x_windows | bool - - ansible_service_mgr != 'systemd' - tags: - - cat2 - - V-38674 - -- name: V-38674 - X Windows must not be enabled (systemd) - command: "systemctl set-default multi-user.target" - register: systemctl_default_target - changed_when: "'Created symlink' in systemctl_default_target.stdout" - when: - - security_disable_x_windows | bool - - ansible_service_mgr == 'systemd' - tags: - - cat2 - - V-38674 
- -- name: Check for unlabeled device files (for V-51379) - command: "find /dev -context '*unlabeled_t*'" - register: v51379_unlabeled_devices - changed_when: False - check_mode: no - when: - - ansible_os_family == 'RedHat' - tags: - - cat1 - - V-51379 - -- name: V-51379 - All device files must be monitored by the Linux Security Module - fail: - msg: "Devices were found without SELinux labels: {{ v51379_unlabeled_devices.stdout_lines | join(', ') }}" - when: - - ansible_os_family == 'RedHat' - - v51379_unlabeled_devices.stdout is defined - - v51379_unlabeled_devices.stdout | length > 0 - tags: - - cat1 - - V-51379 diff --git a/tasks/rhel6stig/nfsd.yml b/tasks/rhel6stig/nfsd.yml deleted file mode 100644 index d6c816b6..00000000 --- a/tasks/rhel6stig/nfsd.yml +++ /dev/null 
@@ -1,74 +0,0 @@ ---- -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Generate a list of services -- name: Check if /etc/exports exists - stat: - path: /etc/exports - register: exports - check_mode: no - tags: - - nfs - - cat1 - - cat2 - - cat3 - -- name: Check if 'all_squash' appears in /etc/exports (for V-38460) - command: grep all_squash /etc/exports - register: v38460_result - changed_when: v38460_result | success - failed_when: False - when: exports.stat.exists - tags: - - nfs - - cat3 - - V-38460 - -- name: V-38460 - The NFS server must not have the all_squash option enabled - fail: - msg: "Remove all_squash from /etc/exports" - changed_when: v38460_result | success - when: - - exports.stat.exists - - v38460_result | success - - not check_mode - tags: - - nfs - - cat3 - - V-38460 - -- name: Check if 'insecure_locks' appears in /etc/exports (for V-38677) - command: grep insecure_locks /etc/exports - register: v38677_result - changed_when: v38677_result | success - failed_when: False - when: exports.stat.exists - tags: - - nfs - - cat3 - - V-38677 - -- name: V-38677 - The NFS server must not have the insecure_locks option enabled - fail: - msg: "Remove insecure_locks from /etc/exports" - changed_when: v38677_result | success - when: - - exports.stat.exists - - v38677_result | success - - not check_mode - tags: - - nfs - - cat3 - - V-38677 
diff --git a/tasks/rhel6stig/rpm.yml b/tasks/rhel6stig/rpm.yml deleted file mode 100644 index 03b6d8fa..00000000 --- a/tasks/rhel6stig/rpm.yml +++ /dev/null 
@@ -1,125 +0,0 @@ ---- -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Check if CentOS 7 GPG keys are installed (for V-38476) - command: rpm -qi gpg-pubkey-f4a80eb5-53a7ff4b - register: v38476_result - changed_when: v38476_result | failed - failed_when: False - check_mode: no - when: - - ansible_distribution == 'CentOS' - tags: - - package - - cat1 - - V-38476 - - skip_ansible_lint - -- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. (CentOS) - fail: - msg: "Missing CentOS 7 GPG keys" - when: - - ansible_distribution == 'CentOS' - - v38476_result | failed - tags: - - package - - cat1 - - V-38476 - -- name: Check if Red Hat Enterprise Linux 7 GPG keys are installed (for V-38476) - command: "rpm -qi {{ item }}" - register: v38476_result - changed_when: v38476_result | failed - failed_when: False - check_mode: no - with_items: - - gpg-pubkey-fd431d51-4ae0493b - - gpg-pubkey-2fa658e0-45700c69 - when: - - ansible_distribution == 'RedHat' - tags: - - package - - cat1 - - V-38476 - - skip_ansible_lint - -- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. 
(Red Hat Enterprise Linux) - fail: - msg: "Missing Red Hat Enterprise Linux 7 GPG keys" - when: - - ansible_distribution == 'RedHat' - - v38476_result | failed - tags: - - package - - cat1 - - V-38476 - -- name: Search for yum repositories with GPG checks disabled - command: grep -r "gpgcheck=0" /etc/yum.repos.d/ - register: v38462_result - changed_when: False - failed_when: False - check_mode: no - tags: - - package - - cat1 - - V-38462 - -- name: V-38462 - Package management tool must verify authenticity of packages - fail: - msg: "Ensure all repo files in /etc/yum.repos.d/ have 'gpgcheck=1' set." - when: "v38462_result.rc == 0" - tags: - - package - - cat1 - - V-38462 - -- name: V-38481 - System security patches and updates must be installed and up-to-date - lineinfile: - dest: /etc/yum/yum-cron.conf - regexp: "^apply_updates" - line: "apply_updates = yes" - state: present - when: security_unattended_upgrades_enabled | bool - tags: - - package - - cat2 - - V-38481 - -- name: Add or remove packages based on STIG requirements - yum: - name: "{{ stig_packages | selectattr('enabled') | selectattr('state', 'equalto', item) | sum(attribute='packages', start=[]) }}" - state: "{{ item }}" - with_items: - - "{{ stig_packages | selectattr('enabled') | map(attribute='state') | unique | list }}" - tags: - - cat1 - - auth - - services - - V-38439 # install: aide, aide-common - - V-38481 # install: yum-cron - - V-38620 # install: chrony - - V-38624 # install: logrotate - - V-38631 # install: auditd_pkg - - V-38632 # install: auditd_pkg - - V-38669 # install: postfix - - V-51337 # install: SELinux - - V-38583 # remove: xinetd - - V-38587 # remove: telnet-server - - V-38591 # remove: rsh-server - - V-38603 # remove: ypserv - - V-38606 # remove: tftp-server - - V-38627 # remove: openldap-servers - - V-38671 # remove: sendmail diff --git a/tasks/rhel6stig/services.yml b/tasks/rhel6stig/services.yml deleted file mode 100644 index 55ca6f35..00000000 
--- a/tasks/rhel6stig/services.yml +++ /dev/null 
@@ -1,167 +0,0 @@ ---- -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Generate list of services_installed - command: "find /etc/init.d/ -printf '%f\n'" - register: sysv_services_installed - changed_when: false - check_mode: no - tags: - - services - - cat1 - - cat2 - - cat3 - -- name: Generate a list of systemd service unit files - shell: "systemctl list-units --type=service --no-legend | awk '{print $1}'" - register: systemd_services_installed - changed_when: false - check_mode: no - tags: - - services - - cat1 - - cat2 - - cat3 - -- name: Register which services are installed depending on platform - set_fact: - services_installed: "{{ (ansible_service_mgr == 'systemd') | ternary (systemd_services_installed, sysv_services_installed)}}" - -- name: V-38437 - Automated file system mounting tools must be disabled - service: - name: autofs - state: stopped - enabled: no - when: - - security_disable_autofs | bool - - "'autofs' in services_installed.stdout" - tags: - - services - - cat3 - - V-38437 - -- name: V-38640 - The abrt service must be disabled - service: - name: abrtd - state: stopped - enabled: no - when: - - security_disable_abrtd | bool - - "'abrtd' in services_installed.stdout" - tags: - - services - - cat3 - - V-38640 - -- name: V-38641 - The atd service must be disabled - service: - name: atd - state: stopped - enabled: no - when: - - security_disable_atd | bool - - "'atd' in services_installed.stdout" - tags: 
- - services - - cat3 - - V-38641 - -- name: V-38648 - The qpidd service must be disabled - service: - name: qpidd - state: stopped - enabled: no - when: - - security_disable_qpidd | bool - - "'qpidd' in services_installed.stdout" - tags: - - services - - cat3 - - V-38648 - -- name: V-38691 - The bluetooth service must be disabled - service: - name: bluetooth - state: stopped - enabled: no - when: - - security_disable_bluetooth | bool - - "'bluetooth' in services_installed.stdout" - tags: - - services - - cat2 - - V-38691 - -- name: V-38582 - xinetd must be disabled if not in use - service: - name: xinetd - state: stopped - enabled: no - when: - - security_disable_xinetd | bool - - "'xinetd' in services_installed.stdout" - tags: - - services - - cat2 - - V-38582 - -- name: V-38605 - The cron service must be running - service: - name: "{{ cron_service }}" - state: started - enabled: yes - tags: - - services - - cat2 - - V-38605 - -- name: V-38618 - avahi must be disabled - service: - name: avahi-daemon - state: stopped - enabled: no - when: - - security_disable_avahi | bool - - "'avahi' in services_installed.stdout" - tags: - - services - - cat3 - - V-38618 - -- name: V-38650 - rdisc must be disabled - service: - name: rdisc - state: stopped - enabled: no - when: - - security_disable_rdisc | bool - - "'rdisc' in services_installed.stdout" - tags: - - services - - cat3 - - V-38650 - -- name: V-38672 - netconsole must be disabled - service: - name: netconsole - state: stopped - enabled: no - when: - - security_disable_netconsole | bool - - "'netconsole' in services_installed.stdout" - tags: - - services - - cat3 - - V-38672 diff --git a/tasks/rhel6stig/sshd.yml b/tasks/rhel6stig/sshd.yml deleted file mode 100644 index f00ade82..00000000 --- a/tasks/rhel6stig/sshd.yml +++ /dev/null 
@@ -1,234 +0,0 @@ ---- -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Adding additional sshd configuration options is usually easy, but if a -# configuration file ends with certain configurations, like a "Match" stanza, -# we need a blank line to separate those configurations from the ones that -# are added by the security role. For that reason, we check for the existence -# of a marker line here and add a marker line to the file if it doesn't exist. -- name: Check for security role marker in sshd_config - command: "grep '^# openstack-ansible-security configurations' /etc/ssh/sshd_config" - register: sshd_marker_check - changed_when: False - check_mode: no - failed_when: False - tags: - - ssh - -# Check for "Match" stanzas in the sshd_config. -- name: Check for Match stanzas in sshd_config - command: "grep '^Match' /etc/ssh/sshd_config" - register: sshd_match_check - changed_when: False - check_mode: no - failed_when: False - tags: - - ssh - -# If the marker is missing, and "Match" stanzas are present, we must carefully -# add a marker line above any "Match" stanzas in the configuration file. This -# is done by finding the first match with sed and then adding a marker -# line above it. 
-- name: Add security role marker with sed above Match stanza - shell: | - sed -i '0,/^Match/s/^Match/\n# openstack-ansible-security configurations\n\n&/' /etc/ssh/sshd_config - when: - - sshd_marker_check.rc != 0 - - sshd_match_check.rc == 0 - tags: - - ssh - -# If the marker is missing, but there are no "Match" stanzas present, we can -# simply add the security role marker to the bottom of the sshd_config. -- name: Add security role marker to the end of the sshd_config - lineinfile: - dest: /etc/ssh/sshd_config - line: "\n# openstack-ansible-security configurations" - state: present - insertbefore: EOF - validate: '/usr/sbin/sshd -T -f %s' - when: - - sshd_marker_check.rc != 0 - - sshd_match_check.rc != 0 - tags: - - ssh - -- name: V-38484 - User must get date/time of last successful login - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: '^(#)?PrintLastLog' - line: 'PrintLastLog yes' - insertafter: "^# openstack-ansible-security configurations" - validate: '/usr/sbin/sshd -T -f %s' - notify: - - restart ssh - tags: - - ssh - - cat2 - - V-38484 - -- name: V-38607 - The SSH daemon must be configured to use only the SSHv2 protocol - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: '^(#)?Protocol \d' - line: 'Protocol 2' - insertafter: "^# openstack-ansible-security configurations" - validate: '/usr/sbin/sshd -T -f %s' - notify: - - restart ssh - tags: - - ssh - - cat1 - - V-38607 - -- name: V-38614 - The SSH daemon must not allow authentication using an empty password - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: '^(#)?PermitEmptyPasswords' - line: 'PermitEmptyPasswords no' - insertafter: "^# openstack-ansible-security configurations" - validate: '/usr/sbin/sshd -T -f %s' - notify: - - restart ssh - tags: - - ssh - - cat1 - - V-38614 - -- name: V-38612 - The SSH daemon must not allow host-based authentication - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: 
'^(#)?HostbasedAuthentication' - line: 'HostbasedAuthentication no' - insertafter: "^# openstack-ansible-security configurations" - validate: '/usr/sbin/sshd -T -f %s' - notify: - - restart ssh - tags: - - ssh - - cat2 - - V-38612 - -- name: V-38608 - Set a timeout interval for idle ssh sessions - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: '^(#)?ClientAliveInterval' - line: 'ClientAliveInterval {{ security_ssh_client_alive_interval }}' - insertafter: "^# openstack-ansible-security configurations" - validate: '/usr/sbin/sshd -T -f %s' - notify: - - restart ssh - tags: - - ssh - - cat2 - - V-38608 - -- name: V-38610 - Set a timeout count on idle ssh sessions - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: '^(#)?ClientAliveCountMax' - line: 'ClientAliveCountMax {{ security_ssh_client_alive_count_max }}' - insertafter: "^# openstack-ansible-security configurations" - validate: '/usr/sbin/sshd -T -f %s' - notify: - - restart ssh - tags: - - ssh - - cat2 - - V-38610 - -- name: V-38611 - The sshd daemon must ignore .rhosts files - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: '^(#)?IgnoreRhosts' - line: 'IgnoreRhosts yes' - insertafter: "^# openstack-ansible-security configurations" - validate: '/usr/sbin/sshd -T -f %s' - notify: - - restart ssh - tags: - - ssh - - cat2 - - V-38611 - -- name: V-38613 - The ssh daemon must not permit root logins - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: '^(#)?PermitRootLogin' - line: 'PermitRootLogin {{ security_ssh_permit_root_login }}' - insertafter: "^# openstack-ansible-security configurations" - validate: '/usr/sbin/sshd -T -f %s' - notify: - - restart ssh - tags: - - ssh - - cat2 - - V-38613 - -- name: Copy the login banner for sshd (for V-38615) - copy: - src: login_banner.txt - dest: /etc/issue.net - tags: - - ssh - - cat2 - - V-38615 - -- name: V-38615 - The ssh daemon must display a login banner - lineinfile: - state: present - dest: 
/etc/ssh/sshd_config - regexp: '^(#)?Banner' - line: 'Banner /etc/issue.net' - insertafter: "^# openstack-ansible-security configurations" - validate: '/usr/sbin/sshd -T -f %s' - tags: - - ssh - - cat2 - - V-38615 - -- name: V-38616 - The ssh daemon must not permit user environment settings - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: '^(#)?PermitUserEnvironment' - line: 'PermitUserEnvironment no' - insertafter: "^# openstack-ansible-security configurations" - validate: '/usr/sbin/sshd -T -f %s' - tags: - - ssh - - cat3 - - V-38616 - -- name: V-38617 - The ssh daemon must be configured to use approved ciphers - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: '^(#)?Ciphers' - line: 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc' - insertafter: "^# openstack-ansible-security configurations" - validate: '/usr/sbin/sshd -T -f %s' - tags: - - ssh - - cat2 - - V-38617 diff --git a/tasks/rhel7stig/accounts.yml b/tasks/rhel7stig/accounts.yml deleted file mode 100644 index 73baf6c5..00000000 --- a/tasks/rhel7stig/accounts.yml +++ /dev/null 
@@ -1,255 +0,0 @@
----
-# Copyright 2017, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Check if /etc/security/pwquality.conf exists
- stat:
- path: /etc/security/pwquality.conf
- check_mode: no
- register: pwquality_config_check
- tags:
- - always
-
-- name: Set password quality requirements
- blockinfile:
- dest: /etc/security/pwquality.conf
- backup: yes
- insertbefore: EOF
- marker: "# {mark} Added by openstack-ansible-security role"
- state: present
- block: "{{ lookup('template', 'pwquality.conf.j2') }}"
- when:
- - pwquality_config_check.stat.exists
- tags:
- - accounts
- - medium
- - V-71903
- - V-71905
- - V-71907
- - V-71909
- - V-71911
- - V-71913
- - V-71915
- - V-71917
- - V-71935
-
-- name: Check for SHA512 password storage in PAM
- command: "grep pam_unix.so {{ pam_password_file }}"
- register: password_sha512_check
- changed_when: False
- check_mode: no
- tags:
- - always
-
-- name: Print warning if PAM is not using SHA512 for password storage
- debug:
- msg: >
- PAM is not using SHA512 for password storage. This is a security issue.
- when:
- - password_sha512_check is defined
- - "'sha512' not in password_sha512_check.stdout"
- tags:
- - accounts
- - medium
- - V-71919
-
-- name: Ensure libuser is storing passwords using SHA512
- ini_file:
- dest: /etc/libuser.conf
- section: defaults
- option: crypt_style
- value: sha512
- backup: yes
- when:
- - security_libuser_crypt_style_sha512 | bool
- - ansible_os_family | lower == 'redhat'
- tags:
- - accounts
- - medium
- - V-71923
-
-- name: Get all user accounts with a password lifetime limit under 24 hours
- shell: "awk -F: '$4 < 1 {print $1}' /etc/shadow"
- check_mode: no
- changed_when: False
- register: password_lifetime_check
- tags:
- - accounts
- - medium
- - V-71927
- - skip_ansible_lint
-
-- name: Print warning about accounts with password lifetimes under 24 hours
- debug:
- msg: |
- Accounts were found with a minimum password lifetime limit under 24 hours:
- {{ password_lifetime_check.stdout_lines | join(', ') }}
- when:
- - password_lifetime_check.stdout_lines is defined
- tags:
- - accounts
- - medium
- - V-71927
-
-- name: Print warning for accounts with a password lifetime over 60 days
- debug:
- msg: |
- The following user accounts have an existing password with a lifetime of
- greater than 60 days:
- {%- for user in user_list.users %}
- {% if user['shadow']['max_days'] > 60 %}
- {{ user['name'] }} has an expiration of {{ user['shadow']['max_days'] }} days
- {% endif %}
- {% endfor %}
- tags:
- - accounts
- - medium
- - V-71931
-
-- name: Ensure that users cannot reuse one of their last 5 passwords
- lineinfile:
- dest: "{{ pam_password_file }}"
- regexp: '^(password\s+[a-z0-9\=\[\] ]+\s+pam_unix\.so.+?)\s+(?:remember=\d+)?$'
- line: '\1 remember={{ security_password_remember_password }}'
- backrefs: yes
- state: present
- when:
- - security_password_remember_password is defined
- tags:
- - accounts
- - medium
- - V-71933
-
-- name: Ensure accounts are disabled if the password expires
- lineinfile:
- dest: /etc/default/useradd
- regexp: '^[#\s]*INACTIVE'
- line: 'INACTIVE=0'
- when:
- - security_disable_account_if_password_expires | bool
- tags:
- - accounts
- - medium
- - V-71941
-
-- name: Apply shadow-utils configurations
- lineinfile:
- dest: /etc/login.defs
- regexp: "^{{ item.parameter }}"
- line: "{{ item.parameter }} {{ item.value }}"
- state: present
- when:
- - item.value != ''
- - item.ansible_os_family == 'all' or item.ansible_os_family == ansible_os_family
- with_items: "{{ shadow_utils_rhel7 }}"
- tags:
- - accounts
- - medium
- - V-71921
- - V-71925
- - V-71929
- - V-71951
- - V-71995
- - V-72013
-
-- name: Print warning for groups in /etc/passwd that are not in /etc/group
- debug:
- msg: >
- The following users have GIDs in /etc/passwd that do not exist in /etc/group:
- {{ user_list.users | selectattr('group', 'equalto', False) | map(attribute='name') | join(', ') }}
- when:
- - user_list is defined
- - user_list.users | selectattr('group', 'equalto', False) | list | length > 0
- tags:
- - accounts
- - low
- - V-72003
-
-- name: Get all accounts with UID 0
- shell: "awk -F: '$3 == 0 {print $1}' /etc/passwd"
- changed_when: False
- check_mode: no
- register: root_user_check
- tags:
- - accounts
- - high
- - V-72005
- - skip_ansible_lint
-
-- name: Print warnings for non-root users with UID 0
- fail:
- msg: |
- Only the 'root' user should have UID 0. Other users were found:
- {{ root_user_check.stdout_lines | join(', ') }}"
- when:
- - root_user_check.stdout != 'root'
- tags:
- - accounts
- - high
- - V-72005
-
-- name: Print warning for local interactive users without a home directory assigned
- debug:
- msg: |
- The following users do not have a home directory assigned:
- {{ user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | join(', ') }}
- when:
- - user_list is defined
- - user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | list | length > 0
- tags:
- - accounts
- - medium
- - V-72011
-
-- name: Check each user to see if its home directory exists on the filesystem
- stat:
- path: "{{ item['dir'] }}"
- when:
- - item['dir'] != ''
- with_items: "{{ user_list.users }}"
- register: home_directory_checks
- tags:
- - accounts
- - medium
- - V-72015
-
-- name: Print warning for users with an assigned home directory that does not exist
- debug:
- msg: |
- These users have a home directory assigned, but the directory does not exist:
- {% for check in home_directory_checks.results %}
- {% if not check.stat.exists %}
- {{ check.item.name }} ({{ check.item.dir }} does not exist)
- {% endif %}
- {% endfor %}
- when:
- - home_directory_checks.results | selectattr('stat.exists', 'sameas', false) | list | length > 0
- tags:
- - accounts
- - medium
- - V-72015
-
-- name: Use pwquality when passwords are changed or created
- lineinfile:
- dest: /etc/pam.d/passwd
- line: "password required pam_pwquality.so retry=3"
- state: present
- when:
- - security_enable_pwquality_password_set | bool
- tags:
- - accounts
- - medium
- - V-73159
-
diff --git a/tasks/rhel7stig/aide.yml b/tasks/rhel7stig/aide.yml
deleted file mode 100644
index 96999e5b..00000000
--- a/tasks/rhel7stig/aide.yml
+++ /dev/null
@@ -1,115 +0,0 @@
----
-# Copyright 2016, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Verify that AIDE configuration directory exists
- stat:
- path: /etc/aide/aide.conf.d
- register: aide_conf
- check_mode: no
- tags:
- - always
-
-- name: Exclude certain directories from AIDE
- template:
- src: ZZ_aide_exclusions.j2
- dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions
- when: aide_conf.stat.exists | bool
- tags:
- - medium
- - aide
- - V-71973
-
-# NOTE(mhayden): CentOS/RHEL already provide a very strict AIDE configuration
-# that meets the requirements of V-72069 and V-72071. That config
-# is borrowed for Ubuntu 16.04 here.
-- name: Configure AIDE to verify additional properties
- blockinfile:
- dest: "{{ aide_conf }}"
- insertbefore: EOF
- marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
- block: |
- # Rules borrowed from CentOS/RHEL AIDE configuration
- # (SELinux was removed for Ubuntu compatibility.)
- FIPSR = p+i+n+u+g+s+m+c+acl+xattrs+sha256
- NORMAL = FIPSR+sha512
-
- # The following two lines apply the NORMAL rule (above this line) to the
- # /bin and /sbin directories to meet the requirements of two STIG controls:
- #
- # V-72069 - Verify ACLs
- # V-72071 - Verify extended attributes
- #
- /bin NORMAL
- /sbin NORMAL
- when:
- - ansible_os_family | lower == 'ubuntu'
- tags:
- - low
- - aide
- - V-72069
- - V-72071
- - V-72073
-
-- name: Check to see if AIDE database is already in place
- stat:
- path: "{{ aide_database_file }}"
- register: aide_database
- check_mode: no
- tags:
- - always
-
-- name: Initialize AIDE (this will take a few minutes)
- command: "aideinit"
- changed_when: false
- register: aide_init
- when:
- - aide_conf.stat.exists | bool
- - not aide_database.stat.exists | bool
- - security_rhel7_initialize_aide | bool
- tags:
- - medium
- - aide
- - V-71973
-
-# NOTE(mhayden): This is only needed for CentOS 7 and RHEL 7 since Ubuntu
-# copies the new AIDE database into place automatically with its AIDE wrapper
-# script.
-- name: Move AIDE database into place
- command: "mv /var/lib/aide/aide.db.new.gz {{ aide_database_file }}"
- changed_when: false
- when:
- - aide_init | changed
- - ansible_os_family | lower == 'redhat'
- tags:
- - medium
- - aide
- - V-71973
-
-# NOTE(mhayden): This is only needed for CentOS 7 and RHEL 7 since the AIDE
-# package doesn't come with a cron job file. Ubuntu packages a cron job for
-# AIDE checks already.
-- name: Create AIDE cron job
- cron:
- name: aide
- cron_file: aide
- user: root
- special_time: daily
- job: "aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root"
- when:
- - ansible_os_family | lower == 'redhat'
- tags:
- - medium
- - aide
- - V-71975
diff --git a/tasks/rhel7stig/apt.yml b/tasks/rhel7stig/apt.yml
deleted file mode 100644
index d4781c08..00000000
--- a/tasks/rhel7stig/apt.yml
+++ /dev/null
@@ -1,92 +0,0 @@
----
-# Copyright 2016, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Ensure debsums is installed
- apt:
- name: debsums
- state: installed
-
-- name: Gather debsums report
- shell: "debsums > {{ temp_dir }}/debsums.txt"
- changed_when: False
- failed_when: False
- when:
- - not check_mode | bool
-
-- name: V-71855 - Get files with invalid checksums (apt)
- shell: "grep -v OK$ {{ temp_dir }}/debsums.txt | awk '{ print $1 }'"
- register: invalid_checksum_files
- changed_when: False
- when:
- - not check_mode | bool
- - ansible_os_family | lower == 'debian'
- tags:
- - high
- - V-71855
-
-- name: V-71855 - Create comma-separated list
- set_fact:
- invalid_checksum_files_violations: "{{ invalid_checksum_files.stdout_lines | default([]) | join(', ') }}"
- when:
- - invalid_checksum_files is defined
- - invalid_checksum_files.stdout is defined
- tags:
- - high
- - V-71855
-
-- name: V-71855 - The cryptographic hash of system files and commands must match vendor values (apt)
- debug:
- msg: >
- The following files have checksums that differ from the checksum provided
- with their package. Each of these should be verified manually to ensure
- they have not been modified by an unauthorized user:
- {{ invalid_checksum_files_violations }}
- when:
- - ansible_os_family | lower == 'debian'
- - invalid_checksum_files is defined
- - invalid_checksum_files.stdout is defined
- tags:
- - high
- - V-71855
-
-# See the documentation for V-71977 for more details on this check.
-- name: Search for AllowUnauthenticated in /etc/apt/apt.conf.d/
- command: grep -r '^[^#].*AllowUnauthenticated \"true\"' /etc/apt/apt.conf.d/
- register: gpgcheck_result
- changed_when: False
- failed_when: False
- check_mode: no
-
-- name: V-71977 - Package management tool must verify authenticity of packages
- debug:
- msg: "Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified."
- when:
- - security_enable_gpgcheck_packages | bool
- - gpgcheck_result.rc == 0
- tags:
- - high
- - V-71977
-
-- name: V-71979 - Package management tool must verify authenticity of locally-installed packages
- lineinfile:
- dest: /etc/dpkg/dpkg.cfg
- regexp: "^(#)?no-debsig"
- line: "#no-debsig"
- state: present
- when:
- - security_enable_gpgcheck_packages_local | bool
- tags:
- - high
- - V-71979
diff --git a/tasks/rhel7stig/auditd.yml b/tasks/rhel7stig/auditd.yml
deleted file mode 100644
index bdf393a3..00000000
--- a/tasks/rhel7stig/auditd.yml
+++ /dev/null
@@ -1,186 +0,0 @@
----
-# Copyright 2016, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Verify that auditd.conf exists
- stat:
- path: /etc/audit/auditd.conf
- register: auditd_conf
- check_mode: no
- tags:
- - always
-
-- name: Verify that audisp-remote.conf exists
- stat:
- path: /etc/audisp/audisp-remote.conf
- register: audisp_remote_conf
- check_mode: no
- tags:
- - always
-
-- name: V-72083 - The operating system must off-load audit records onto a different system or media from the system being audited
- lineinfile:
- dest: /etc/audisp/audisp-remote.conf
- regexp: "^(#)?remote_server"
- line: "remote_server = {{ security_audisp_remote_server }}"
- when:
- - security_audisp_remote_server is defined
- - auditd_conf.stat.exists
- notify:
- - restart auditd
- tags:
- - medium
- - auditd
- - V-72083
-
-- name: V-72085 - The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited
- lineinfile:
- dest: /etc/audisp/audisp-remote.conf
- regexp: "^(#)?enable_krb5"
- line: "enable_krb5 = yes"
- when:
- - security_audisp_enable_krb5 is defined
- - auditd_conf.stat.exists
- notify:
- - restart auditd
- tags:
- - medium
- - auditd
- - V-72085
-
-- name: Get valid system architectures for audit rules
- set_fact:
- auditd_architectures: "{{ (ansible_architecture == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}"
- check_mode: no
- tags:
- - always
-
-- name: Remove system default audit.rules file
- file:
- path: /etc/audit/rules.d/audit.rules
- state: absent
- when:
- - auditd_conf.stat.exists
- notify:
- - generate auditd rules
- tags:
- - always
-
-- name: Remove old RHEL 6 audit rules file
- file:
- path: /etc/audit/rules.d/osas-auditd.rules
- state: absent
- when:
- - auditd_conf.stat.exists
- notify:
- - generate auditd rules
- tags:
- - always
-
-- name: Deploy rules for auditd based on STIG requirements
- template:
- src: osas-auditd-rhel7.j2
- dest: /etc/audit/rules.d/osas-auditd-rhel7.rules
- when:
- - auditd_conf.stat.exists
- notify:
- - generate auditd rules
- tags:
- - auditd
- - V-72167
- - V-72155
- - V-72139
- - V-72105
- - V-72097
- - V-72123
- - V-72183
- - V-72189
- - V-72107
- - V-72109
- - V-72099
- - V-72103
- - V-72119
- - V-72113
- - V-72133
- - V-72187
- - V-72153
- - V-72101
- - V-72121
- - V-72115
- - V-72171
- - V-72165
- - V-72125
- - V-72127
- - V-72129
- - V-72185
- - V-72149
- - V-72175
- - V-72177
- - V-72181
- - V-72117
- - V-72199
- - V-72201
- - V-72141
- - V-72203
- - V-72135
- - V-72137
- - V-72111
- - V-72179
- - V-72159
- - V-72161
- - V-72169
- - V-72131
- - V-72173
- - V-72151
- - V-72205
- - V-72207
- - V-72157
- - V-72143
- - V-72163
- - V-72191
- - V-72193
- - V-72195
- - V-72197
- - V-72081
-
-- name: Adjust auditd/audispd configurations
- lineinfile:
- dest: "{{ item.config }}"
- regexp: '^#?{{ item.parameter }}\s*='
- line: "{{ item.parameter }} = {{ item.value }}"
- with_items: "{{ auditd_config }}"
- when:
- - auditd_conf.stat.exists
- - audisp_remote_conf.stat.exists
- notify:
- - restart auditd
- tags:
- - high
- - auditd
- - V-72087
- - V-72089
- - V-72091
- - V-72093
-
-- name: Ensure auditd is running and enabled at boot time
- service:
- name: auditd
- state: started
- enabled: yes
- when:
- - auditd_conf.stat.exists
- tags:
- - high
- - auditd
- - V-72079
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
deleted file mode 100644
index fb337323..00000000
--- a/tasks/rhel7stig/auth.yml
+++ /dev/null
@@ -1,228 +0,0 @@
----
-# Copyright 2016, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# NOTE(mhayden): pam_faildelay expects the `delay` parameter to be in
-# microseconds.
-- name: Set pam_faildelay configuration on Ubuntu
- lineinfile:
- dest: /etc/pam.d/login
- regexp: '^(auth[\s]+optional[\s]+pam_faildelay.so).*$'
- line: '\1 delay={{ security_shadow_utils_fail_delay * 10**6 }}'
- state: present
- backrefs: yes
- when:
- - security_shadow_utils_fail_delay is defined
- - ansible_os_family | lower == 'debian'
- tags:
- - auth
- - medium
- - V-71951
-
-- name: Prevent users with blank or null passwords from authenticating (Debian/Ubuntu)
- lineinfile:
- dest: "{{ pam_auth_file }}"
- state: present
- regexp: "^(.*)nullok_secure(.*)$"
- line: '\1\2'
- backup: yes
- backrefs: yes
- when:
- - ansible_os_family == 'Debian'
- - security_disallow_blank_password_login | bool
- tags:
- - auth
- - high
- - V-71937
-
-- name: Prevent users with blank or null passwords from authenticating (Red Hat)
- lineinfile:
- dest: "{{ pam_auth_file }}"
- state: present
- regexp: "^({{ item }}.*sufficient.*)nullok(.*)$"
- line: '\1\2'
- backup: yes
- backrefs: yes
- with_items:
- - auth
- - password
- when:
- - ansible_os_family == 'RedHat'
- - security_disallow_blank_password_login | bool
- tags:
- - auth
- - high
- - V-71937
-
-- name: Lock accounts after three failed login attempts a 15 minute period
- blockinfile:
- dest: "{{ pam_password_file }}"
- state: present
- marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
- insertbefore: EOF
- block: "{{ lookup('template', 'pam_faillock.j2') }}"
- when:
- - ansible_os_family | lower == 'redhat'
- - security_pam_faillock_enable | bool
- tags:
- - auth
- - medium
- - V-71943
- - V-71945
-
-- name: Check for 'nopasswd' in sudoers files
- shell: grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ || echo 'not found'
- register: sudoers_nopasswd_check
- changed_when: False
- tags:
- - auth
- - medium
- - V-71947
-
-- name: V-71947 - Users must provide a password for privilege escalation.
- debug:
- msg: >
- The 'NOPASSWD' directive was found in the sudoers configuration files.
- Remove the directive to ensure that all users must provide a password to
- run commands as the root user.
- when:
- - not sudoers_nopasswd_check | skipped
- - sudoers_nopasswd_check.stdout != 'not found'
- tags:
- - auth
- - medium
- - V-71947
- - skip_ansible_lint
-
-- name: Check for '!authenticate' in sudoers files
- shell: grep -ir '\!authenticate' /etc/sudoers /etc/sudoers.d/ || echo 'not found'
- register: sudoers_authenticate_check
- changed_when: False
- tags:
- - auth
- - medium
- - V-71949
-
-- name: V-71949 - Users must re-authenticate for privilege escalation.
- debug:
- msg: >
- The '!authenticate' directive was found in the sudoers configuration
- files. Remove the directive to ensure that all users must provide a
- password to run commands as the root user each time they use sudo.
- when:
- - not sudoers_authenticate_check | skipped
- - sudoers_authenticate_check.stdout != 'not found'
- tags:
- - auth
- - medium
- - V-71949
- - skip_ansible_lint
-
-- name: Check if sssd.conf exists
- stat:
- path: /etc/sssd/sssd.conf
- register: sssd_conf_check
- check_mode: no
- tags:
- - always
-
-# NOTE(mhayden): Some systems, such as ARM, don't have grub at all. This task
-# should be skipped on those systems.
-- name: Check if GRUB defaults file exists
- stat:
- path: "{{ grub_defaults_file }}"
- register: grub_defaults_file_check
- check_mode: no
- tags:
- - always
-
-- name: Set a GRUB 2 password for single-user/maintenance modes
- lineinfile:
- dest: "{{ grub_defaults_file }}"
- regexp: '^(#)?GRUB_PASSWORD'
- line: 'GRUB_PASSWORD="{{ security_grub_password_hash }}"'
- state: present
- when:
- - grub_defaults_file_check.stat.exists | bool
- - security_require_grub_authentication | bool
- notify:
- - update grub config
- tags:
- - auth
- - high
- - V-71961
- - V-71963
-
-- name: V-72217 - The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
- blockinfile:
- dest: /etc/security/limits.d/openstack-ansible-security-maxlogins.conf
- create: yes
- block: |
- # Deployed by the openstack-ansible-security role
- # V-72217 - Limit concurrent sessions for all accounts/types
- * hard maxlogins {{ security_rhel7_concurrent_session_limit }}
- when:
- - security_rhel7_concurrent_session_limit is defined
- tags:
- - auth
- - low
- - V-72217
-
-- name: Check for pam_lastlog in PAM configuration
- command: "grep pam_lastlog {{ pam_postlogin_file }}"
- register: pam_lastlog_check
- changed_when: False
- failed_when: False
- check_mode: no
- tags:
- - always
-
-- name: V-72275 - Display date/time of last logon after logon
- debug:
- msg: >
- The 'pam_lastlog' directive is missing in {{ pam_postlogin_file }}.
- This is required by V-72275.
- when:
- - pam_lastlog_check.rc != 0
- tags:
- - low
- - auth
- - V-72275
-
-- name: Check for .shosts or shosts.equiv files
- find:
- paths: /
- recurse: yes
- hidden: yes
- patterns: '.shosts,shosts.equiv'
- register: shosts_find
- when:
- - security_rhel7_remove_shosts_files | bool
- tags:
- - always
-
-- name: Remove .shosts or shosts.equiv files
- file:
- path: "{{ item.path }}"
- state: absent
- with_items: "{{ shosts_find.files }}"
- when:
- - security_rhel7_remove_shosts_files | bool
- - shosts_find is defined
- - shosts_find.files is defined
- tags:
- - high
- - auth
- - V-72277
- - V-72279
diff --git a/tasks/rhel7stig/file_perms.yml b/tasks/rhel7stig/file_perms.yml
deleted file mode 100644
index 7f4e7de6..00000000
--- a/tasks/rhel7stig/file_perms.yml
+++ /dev/null
@@ -1,160 +0,0 @@
----
-# Copyright 2016, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: V-71849 - Get packages with incorrect file permissions or ownership
- shell: "grep '^.M' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"
- args:
- warn: no
- register: rpmverify_package_list
- changed_when: False
- when:
- - not check_mode | bool
- - ansible_os_family | lower == 'redhat'
- - security_reset_perm_ownership | bool
- tags:
- - file_perms
- - high
- - V-71849
-
-- name: V-71849 - Reset file permissions/ownership to vendor values
- shell: "rpm {{ item[0] }} `rpm -qf {{ item[1] }}`"
- args:
- warn: no
- changed_when: false
- with_nested:
- - ['--setperms', '--setugids']
- - "{{ rpmverify_package_list.stdout_lines | default([]) }}"
- when:
- - not check_mode | bool
- - ansible_os_family | lower == 'redhat'
- - rpmverify_package_list is defined
- - rpmverify_package_list.stdout_lines | length > 0
- async: 300
- poll: 0
- tags:
- - file_perms
- - high
- - V-71849
- # don't trigger ANSIBLE0013
- - skip_ansible_lint
-
-- name: Search for files/directories with an invalid owner
- command: find / -xdev -nouser -fstype local
- args:
- warn: no
- register: invalid_owner_files
- changed_when: false
- when:
- - security_search_for_invalid_owner | bool
- tags:
- - always
-
-- name: V-72007 - All files and directories must have a valid owner.
- debug:
- msg: |
- Files and directories were found that are owned by an invalid user:
- {{ invalid_owner_files.stdout_lines | join('\n') }}
- when:
- - invalid_owner_files is defined
- - invalid_owner_files.stdout_lines is defined
- - invalid_owner_files.stdout_lines | length > 0
- tags:
- - file_perms
- - medium
- - V-72007
-
-- name: Search for files/directories with an invalid group owner
- command: find / -xdev -nogroup -fstype local
- args:
- warn: no
- register: invalid_group_owner_files
- changed_when: false
- when:
- - security_search_for_invalid_group_owner | bool
- tags:
- - always
-
-- name: V-72009 - All files and directories must have a valid group owner.
- debug:
- msg: |
- Files and directories were found that are owned by an invalid group:
- {{ invalid_group_owner_files.stdout_lines | join('\n') }}
- when:
- - invalid_group_owner_files is defined
- - invalid_group_owner_files.stdout_lines is defined
- - invalid_group_owner_files.stdout_lines | length > 0
- tags:
- - file_perms
- - medium
- - V-72009
-
-- name: Set proper owner, group owner, and permissions on home directories
- file:
- dest: "{{ item.dir }}"
- owner: "{{ item.name }}"
- group: "{{ item.group.name }}"
- mode: "u-X,g-ws,o-rwxt"
- when:
- - item.uid >= 1000
- - security_set_home_directory_permissions_and_owners | bool
- with_items: "{{ user_list.users | selectattr('uid', 'greaterthan', 999) | list }}"
- tags:
- - medium
- - file_perms
- - V-72017
- - V-72019
- - V-72021
-
-- name: Find all world-writable directories
- shell: "find / -perm -002 -type d -exec ls -lLd {} \\; | tr -s ' ' | cut -d' ' -f 4,9 | grep -v ^root"
- register: world_writable_dirs
- changed_when: False
- failed_when: False
- check_mode: no
- tags:
- - always
-
-- name: V-72047 - All world-writable directories must be group-owned by root, sys, bin, or an application group.
- debug:
- msg: |
- The group owners on the following world-writable directories should be examined:
- {{ world_writable_dirs.stdout }}
- when:
- - world_writable_dirs is defined
- tags:
- - medium
- - file_perms
- - V-72047
-
-- name: Check if /etc/cron.allow exists
- stat:
- path: /etc/cron.allow
- register: cron_allow_check
- tags:
- - always
-
-- name: Set owner/group owner on /etc/cron.allow
- file:
- path: /etc/cron.allow
- owner: root
- group: root
- when:
- - cron_allow_check is defined
- - cron_allow_check.stat.exists
- tags:
- - medium
- - file_perms
- - V-72053
- - V-72055
diff --git a/tasks/rhel7stig/graphical.yml b/tasks/rhel7stig/graphical.yml
deleted file mode 100644
index b86ae02a..00000000
--- a/tasks/rhel7stig/graphical.yml
+++ /dev/null
@@ -1,143 +0,0 @@
----
-# Copyright 2016, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Check if gdm is installed and configured
- stat:
- path: /etc/gdm/custom.conf
- register: gdm_conf_check
- check_mode: no
-
-- name: V-71953 - The operating system must not allow an unattended or automatic logon to the system via a graphical user interface
- lineinfile:
- dest: /etc/gdm/custom.conf
- line: "^AutomaticLoginEnable=true"
- state: absent
- when:
- - gdm_conf_check.stat.exists
- - security_disable_gdm_automatic_login | bool
- tags:
- - graphical
- - high
- - V-71953
-
-- name: V-71955 - The operating system must not allow guest logon to the system.
- lineinfile:
- dest: /etc/gdm/custom.conf
- line: "^TimedLoginEnable=true"
- state: absent
- when:
- - gdm_conf_check.stat.exists
- - security_disable_gdm_timed_login | bool
- tags:
- - graphical
- - high
- - V-71955
-
-- name: Check for dconf profiles
- stat:
- path: /etc/dconf/profile
- register: dconf_check
- tags:
- - always
-
-- name: Create a user profile in dconf
- copy:
- src: dconf-user-profile
- dest: /etc/dconf/profile/user
- when:
- - dconf_check.stat.exists
- tags:
- - graphical
- - medium
- - V-71891
- - V-71893
- - V-71901
-
-- name: Create dconf directories
- file:
- path: "{{ item }}"
- state: directory
- with_items:
- - /etc/dconf/db/local.d/
- - /etc/dconf/db/local.d/locks
- - /etc/dconf/db/gdm.d/
- when:
- - dconf_check.stat.exists
- tags:
- - graphical
- - medium
- - V-71859
- - V-71891
- - V-71893
- - V-71901
-
-- name: Configure graphical session locking
- template:
- src: dconf-screensaver-lock.j2
- dest: /etc/dconf/db/local.d/00-screensaver
- when:
- - dconf_check.stat.exists
- notify:
- - dconf update
- tags:
- - graphical
- - medium
- - V-71891
- - V-71893
- - V-71901
-
-- name: Prevent users from changing graphical session locking configurations
- template:
- src: dconf-session-user-config-lockout.j2
- dest: /etc/dconf/db/local.d/locks/session
- when:
- - dconf_check.stat.exists
- notify:
- - dconf update
- tags:
- - graphical
- - medium
- - V-71891
- - V-71893
- - V-71901
-
-- name: Create a GDM profile for displaying a login banner
- copy:
- src: dconf-profile-gdm
- dest: /etc/dconf/profile/gdm
- when:
- - dconf_check.stat.exists
- notify:
- - dconf update
- tags:
- - graphical
- - medium
- - V-71859
-
-- name: Create a GDM keyfile for machine-wide settings
- template:
- src: dconf-gdm-banner-message.j2
- dest: "{{ item }}"
- with_items:
- - /etc/dconf/db/gdm.d/01-banner-message
- - /etc/dconf/db/local.d/01-banner-message
- when:
- - dconf_check.stat.exists
- notify:
- - dconf update
- tags:
- - graphical
- - medium
- - V-71859
diff --git a/tasks/rhel7stig/kernel.yml b/tasks/rhel7stig/kernel.yml
deleted file mode 100644
index c2097394..00000000
--- a/tasks/rhel7stig/kernel.yml
+++ /dev/null
@@ -1,95 +0,0 @@ ---- -# Copyright 2016, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: V-71983 - USB mass storage must be disabled. - lineinfile: - dest: /etc/modprobe.d/openstack-ansible-security-disable-usb-storage.conf - line: install usb-storage /bin/true - create: yes - when: - - security_rhel7_disable_usb_storage | bool - tags: - - kernel - - medium - - V-71983 - -- name: Set sysctl configurations - sysctl: - name: "{{ item.name }}" - value: "{{ item.value }}" - state: "{{ item.enabled | ternary('present', 'absent') }}" - reload: yes - with_items: "{{ sysctl_settings_rhel7 }}" - tags: - - medium - - kernel - - V-72283 - - V-72285 - - V-72287 - - V-72289 - - V-73175 - - V-72291 - - V-72293 - - V-72309 - - V-72319 - -- name: Check kdump service - command: systemctl status kdump - register: kdump_service_check - failed_when: kdump_service_check.rc not in [0,3,4] - changed_when: False - check_mode: no - tags: - - kernel - - medium - - V-72057 - -- name: V-72057 - Kernel core dumps must be disabled unless needed. 
- service: - name: kdump - state: stopped - enabled: no - when: - - kdump_service_check.rc not in [3,4] - - security_disable_kdump - tags: - - kernel - - medium - - V-72057 - -- name: Check if FIPS is enabled - command: cat /proc/sys/crypto/fips_enabled - register: fips_check - changed_when: False - failed_when: False - check_mode: no - when: - - ansible_os_family | lower == 'redhat' - tags: - - always - -- name: Print a warning if FIPS isn't enabled - debug: - msg: > - FIPS is not enabled at boot time on this server. - The STIG requires FIPS to be enabled at boot time. - when: - - ansible_os_family | lower == 'redhat' - - fips_check is defined - - fips_check.stdout != '1' - tags: - - high - - misc - - V-72067 diff --git a/tasks/rhel7stig/lsm.yml b/tasks/rhel7stig/lsm.yml deleted file mode 100644 index 13b29b73..00000000 --- a/tasks/rhel7stig/lsm.yml +++ /dev/null 
@@ -1,102 +0,0 @@ ---- -# Copyright 2016, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Check if AppArmor is disabled at boot time - shell: "dmesg | grep -i apparmor || true" - register: dmesg_apparmor_output - changed_when: False - check_mode: no - when: - - ansible_os_family == "Debian" - tags: - - high - - V-71989 - -- name: Ensure AppArmor is running - service: - name: apparmor - state: started - enabled: yes - when: - - ansible_os_family == "Debian" - - security_rhel7_enable_linux_security_module | bool - - not check_mode - - '"AppArmor disabled by boot time parameter" not in dmesg_apparmor_output.stdout' - tags: - - high - - V-71989 - -# NOTE(mhayden): The "changed_when" is required here because this task will -# always show as changed when SELinux is completely disabled. It's not possible -# to switch to permissive/enforcing in an online way when SELinux is completely -# disabled at boot time. 
-- name: Ensure SELinux is in enforcing mode on the next reboot - selinux: - state: enforcing - policy: targeted - register: selinux_status_change - changed_when: selinux_status_change | changed and ansible_selinux.status != 'disabled' - when: - - ansible_os_family == "RedHat" - - security_rhel7_enable_linux_security_module | bool - tags: - - high - - V-71989 - - V-71991 - -- name: Relabel files on next boot if SELinux mode changed - file: - path: /.autorelabel - state: touch - when: - - ansible_os_family == "RedHat" - - security_rhel7_enable_linux_security_module | bool - - selinux_status_change | changed - tags: - - high - - V-71989 - - V-71991 - -# NOTE(mhayden): Ansible's find module doesn't support searching for files -# based on SELinux contexts yet. -- name: Check for unlabeled device files - command: "find /dev -context '*unlabeled_t*'" - register: unlabeled_devices - changed_when: False - check_mode: no - when: - - ansible_os_family == 'RedHat' - - ansible_selinux.status is defined - - ansible_selinux.status != 'disabled' - tags: - - lsm - - medium - - V-72039 - -- name: V-72039 - All system device files must be correctly labeled to prevent unauthorized modification. - debug: - msg: | - Devices were found without SELinux labels: - {% for device in unlabeled_devices.stdout_lines %} - {{ device }} - {% endfor %} - when: - - ansible_os_family == 'RedHat' - - unlabeled_devices.stdout is defined - - unlabeled_devices.stdout | length > 0 - tags: - - lsm - - medium - - V-72039 diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml deleted file mode 100644 index 2f18253f..00000000 --- a/tasks/rhel7stig/main.yml +++ /dev/null 
@@ -1,94 +0,0 @@ ---- -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Create temporary directory to hold any temporary files - command: "mktemp -d" - register: mktemp_result - changed_when: False - when: - - not check_mode | bool - tags: - - always - -- name: Set a fact for the temporary directory - set_fact: - temp_dir: "{{ mktemp_result.stdout }}" - changed_when: False - when: - - not check_mode | bool - tags: - - always - -# Multiple tasks will need the output of RPM verification, so let's do the -# lookup one time and then grep over the output in subsequent tasks. -- name: Verify all installed RPM packages - shell: "rpm -Va > {{ temp_dir }}/rpmverify.txt" - args: - warn: no - failed_when: False - changed_when: False - register: rpmverify_task - async: 300 - poll: 0 - when: - - not check_mode | bool - - ansible_os_family | lower == 'redhat' - tags: - - always - - skip_ansible_lint - -- name: Get a list of users on the system to use throughout the auth tasks - action: get_users - register: user_list - check_mode: no - tags: - - always - -# Package installations and removals must come first so that configuration -# changes can be made later. -- include: packages.yml - -# Package managers are managed first since the changes in these tasks will -# affect the remainder of the tasks in the role. 
-- include: apt.yml - when: ansible_os_family | lower == 'debian' - -- include: rpm.yml - when: ansible_os_family | lower == 'redhat' - -# The bulk of the security changes are applied in these tasks. The tasks in -# each file are tagged with the same name (for example, tasks in `auth.yml` -# are tagged with `auth`). Also, the tag name matches up with the "STIG -# Controls by Tag" section of the role documentation. -- include: accounts.yml -- include: aide.yml -- include: auditd.yml -- include: auth.yml -- include: file_perms.yml -- include: graphical.yml -- include: kernel.yml -- include: lsm.yml -- include: misc.yml -- include: sshd.yml - -- name: Remove the temporary directory - file: - path: "{{ temp_dir }}" - state: absent - changed_when: False - when: - - not check_mode | bool - tags: - - always diff --git a/tasks/rhel7stig/misc.yml b/tasks/rhel7stig/misc.yml deleted file mode 100644 index 30a26e21..00000000 --- a/tasks/rhel7stig/misc.yml +++ /dev/null 
@@ -1,409 +0,0 @@ ---- -# Copyright 2016, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Check autofs service - command: systemctl status autofs - register: autofs_check - failed_when: autofs_check.rc not in [0,3,4] - changed_when: False - check_mode: no - tags: - - always - -- name: V-71985 - File system automounter must be disabled unless required. - service: - name: autofs - state: stopped - enabled: no - when: - - autofs_check.rc not in [3,4] - - security_rhel7_disable_autofs | bool - tags: - - medium - - misc - - V-71985 - -# This returns an exit code of 0 if it's running, 3 if it's masked. -- name: Check if ctrl-alt-del.target is already masked - command: systemctl status ctrl-alt-del.target - register: cad_mask_check - check_mode: no - changed_when: False - failed_when: cad_mask_check.rc not in [0,3] - tags: - - always - -- name: V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled - command: systemctl mask ctrl-alt-del.target - when: - - security_rhel7_disable_ctrl_alt_delete | bool - - cad_mask_check.rc != 3 - notify: - - reload systemd - tags: - - high - - misc - - V-71993 - -- name: Check for /home on mounted filesystem - debug: - msg: | - The STIG requires that /home is on its own filesystem, but this system - does not appear to be following the requirement. 
- when: - - ansible_mounts | selectattr('mount', 'equalto', '/home') | list | length == 0 - tags: - - low - - misc - - V-72059 - -- name: Check for /var on mounted filesystem - debug: - msg: | - The STIG requires that /var is on its own filesystem, but this system - does not appear to be following the requirement. - when: - - ansible_mounts | selectattr('mount', 'equalto', '/var') | list | length == 0 - tags: - - low - - misc - - V-72067 - -- name: Check for /var/log/audit on mounted filesystem - debug: - msg: | - The STIG requires that /var/log/audit is on its own filesystem, but this system - does not appear to be following the requirement. - when: - - ansible_mounts | selectattr('mount', 'equalto', '/var/log/audit') | list | length == 0 - tags: - - low - - misc - - V-72063 - -- name: Check for /tmp on mounted filesystem - debug: - msg: | - The STIG requires that /tmp is on its own filesystem, but this system - does not appear to be following the requirement. - when: - - ansible_mounts | selectattr('mount', 'equalto', '/tmp') | list | length == 0 - tags: - - low - - misc - - V-72065 - -- name: Check if syslog output is being sent to another server - command: 'grep "^[^#].*@" /etc/rsyslog.conf' - register: rsyslog_transmit_check - changed_when: False - failed_when: False - check_mode: no - tags: - - always - -- name: V-72209 - The system must send rsyslog output to a log aggregation server. - debug: - msg: Output from syslog must be sent to another server. 
- when: - - rsyslog_transmit_check is defined - - rsyslog_transmit_check.rc != 0 - tags: - - medium - - misc - - V-72209 - -- name: Check if ClamAV is installed - stat: - path: /usr/bin/clamdscan - register: clamav_install_check - changed_when: False - tags: - - always - -- name: Remove 'Example' line from ClamAV configuration files - lineinfile: - dest: "{{ item }}" - regexp: "^Example" - state: absent - with_items: - - /etc/freshclam.conf - - /etc/clamd.d/scan.conf - when: - - clamav_install_check.stat.exists - - security_enable_virus_scanner | bool - - ansible_os_family | lower == 'redhat' - notify: - - restart clamav - tags: - - misc - - V-72213 - -- name: Set ClamAV server type as socket - lineinfile: - dest: /etc/clamd.d/scan.conf - regexp: "^(#)?LocalSocket (.*)$" - line: 'LocalSocket \2' - backrefs: yes - when: - - clamav_install_check.stat.exists - - security_enable_virus_scanner | bool - - ansible_os_family | lower == 'redhat' - notify: - - restart clamav - tags: - - misc - - V-72213 - -- name: Allow automatic freshclam updates - lineinfile: - dest: /etc/sysconfig/freshclam - regexp: "^FRESHCLAM_DELAY" - state: absent - when: - - clamav_install_check.stat.exists - - security_enable_virus_scanner | bool - - ansible_os_family | lower == 'redhat' - notify: - - restart clamav - tags: - - misc - - V-72213 - -- name: Update ClamAV database - command: freshclam - changed_when: False - when: - - clamav_install_check.stat.exists - - security_enable_virus_scanner | bool - - security_run_virus_scanner_update | bool - async: 300 - poll: 5 - tags: - - misc - - V-72213 - -- name: Ensure ClamAV is running - service: - name: "{{ clamav_service }}" - state: started - enabled: yes - when: - - clamav_install_check.stat.exists - - security_enable_virus_scanner | bool - tags: - - misc - - V-72213 - -- name: V-72223 - Set 10 minute timeout on communication sessions - blockinfile: - dest: /etc/profile - insertbefore: EOF - marker: "# {mark} MANAGED BY 
OPENSTACK-ANSIBLE-SECURITY" - block: | - # Set a {{ security_rhel7_session_timeout }} second timeout for sessions - TMOUT={{ security_rhel7_session_timeout }} - readonly TMOUT - export TMOUT - tags: - - medium - - misc - - V-72223 - -- name: Start and enable chrony - service: - name: "{{ chrony_service }}" - state: started - enabled: yes - when: - - not check_mode - - security_rhel7_enable_chrony | bool - tags: - - medium - - misc - - V-72269 - -- name: Check if chrony configuration file exists - stat: - path: "{{ chrony_conf_file }}" - register: chrony_conf_check - tags: - - always - -- name: V-72269 - Synchronize system clock (configuration file) - template: - src: chrony.conf.j2 - dest: "{{ chrony_conf_file }}" - when: - - chrony_conf_check.stat.exists - - security_rhel7_enable_chrony | bool - notify: - - restart chrony - tags: - - medium - - misc - - V-72269 - -# Returns 0 if installed, 3 if not installed -- name: Check firewalld status - command: systemctl status firewalld - register: firewalld_status_check - failed_when: firewalld_status_check.rc not in [0,3,4] - changed_when: False - check_mode: no - tags: - - always - -- name: Ensure firewalld is running and enabled - service: - name: firewalld - state: started - enabled: yes - when: - - firewalld_status_check.rc not in [3,4] - - security_enable_firewalld | bool - tags: - - medium - - misc - - V-72273 - -- name: Limit new TCP connections to 25/minute and allow bursting to 100 - command: "firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{ security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT" - register: add_rate_limit_firewalld_rule - changed_when: "'ALREADY_ENABLED' not in add_rate_limit_firewalld_rule.stdout" - when: - - firewalld_status_check.rc != 3 - - security_enable_firewalld_rate_limit | bool - tags: - - medium - - misc - - V-72271 - -# Linting checks need to be skipped because 
this command doesn't create any -# files. -- name: Count nameserver entries in /etc/resolv.conf - command: grep nameserver /etc/resolv.conf - register: nameserver_check - check_mode: no - changed_when: False - failed_when: False - tags: - - always - - skip_ansible_lint - -- name: V-72281 - For systems using DNS resolution, at least two name servers must be configured. - debug: - msg: | - Two or more nameservers must be configured in /etc/resolv.conf. - Nameservers found: {{ nameserver_check.stdout_lines | length }} - when: - - nameserver_check is defined - - nameserver_check.stdout_lines | length < 2 - tags: - - low - - misc - - V-72281 - -- name: Check for interfaces in promiscuous mode - shell: "ip link | grep -i promisc" - register: promiscuous_interface_check - changed_when: False - failed_when: False - check_mode: no - tags: - - always - -- name: V-72295 - Network interfaces must not be in promiscuous mode. - debug: - msg: > - One or more network interfaces were found to be in promiscuous mode. - Review all interfaces and disable promiscuous mode. 
- when: - - promiscuous_interface_check.rc == 0 - tags: - - medium - - misc - - V-72295 - -- name: Check for postfix configuration file - stat: - path: /etc/postfix/main.cf - register: postfix_conf_check - tags: - - always - -- name: V-72297 - Prevent unrestricted mail relaying - lineinfile: - dest: /etc/postfix/main.cf - regexp: '^smtpd_client_restrictions' - line: 'smtpd_client_restrictions = permit_mynetworks, reject' - when: - - postfix_conf_check.stat.exists - - security_rhel7_restrict_mail_relaying | bool - tags: - - medium - - misc - - V-72297 - -- name: Check for TFTP server configuration file - stat: - path: /etc/xinetd.d/tftp - register: tftp_config_check - check_mode: no - tags: - - always - -- name: Check TFTP configuration mode - command: 'grep server_args /etc/xinetd.d/tftp' - register: tftp_secure_check - changed_when: False - failed_when: False - check_mode: no - when: - - tftp_config_check.stat.exists - tags: - - always - -- name: V-72305 - TFTP must be configured to operate in secure mode - debug: - msg: TFTP must be configured to run in secure mode with the '-s' flag. - when: - - tftp_config_check.stat.exists - - "'-s' not in tftp_secure_check.stdout" - tags: - - medium - - misc - - V-72305 - -- name: Check to see if snmpd config contains public/private - shell: 'egrep "^[^#].*(public|private)" /etc/snmp/snmpd.conf' - register: snmp_public_private_check - changed_when: False - failed_when: False - check_mode: no - tags: - - always - -- name: V-72313 - Change SNMP community strings from default. - debug: - msg: > - Change the SNMP community strings from the defaults of 'public' and - 'private' to meet the requirements of V-72313. - when: - - snmp_public_private_check.rc == 0 - tags: - - high - - misc - - V-72313 diff --git a/tasks/rhel7stig/packages.yml b/tasks/rhel7stig/packages.yml deleted file mode 100644 index 9e9e2a2a..00000000 --- a/tasks/rhel7stig/packages.yml +++ /dev/null 
@@ -1,99 +0,0 @@ ---- -# Copyright 2016, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Add or remove packages based on STIG requirements - package: - name: "{{ stig_packages_rhel7 | selectattr('enabled') | selectattr('state', 'equalto', item) | sum(attribute='packages', start=[]) }}" - state: "{{ item }}" - with_items: - - "{{ stig_packages_rhel7 | selectattr('enabled') | map(attribute='state') | unique | list }}" - tags: - - cat1 - - auth - - packages - - services - - V-71897 - - V-71967 - - V-71969 - - V-72067 - - V-72077 - - V-72213 - - V-72233 - - V-72301 - - V-72307 - -- name: V-71987 - Clean requirements/dependencies when removing packages (rpm) - lineinfile: - dest: /etc/yum.conf - regexp: "^(#)?clean_requirements_on_remove" - line: "clean_requirements_on_remove=1" - state: present - when: - - security_package_clean_on_remove | bool - - ansible_os_family | lower == 'redhat' - tags: - - low - - packages - - V-71987 - -- name: V-71987 - Clean requirements/dependencies when removing packages (dpkg) - lineinfile: - dest: /etc/apt/apt.conf.d/security-autoremove - regexp: "^(#)?APT::Get::AutomaticRemove" - line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"0\";" - state: present - create: yes - when: - - security_package_clean_on_remove | bool - - ansible_os_family | lower == 'debian' - tags: - - low - - packages - - V-71987 - -- name: Check if /etc/yum/yum-cron.conf exists - stat: - path: /etc/yum/yum-cron.conf - check_mode: no - 
register: yum_cron_config_check - tags: - - always - -- name: V-71999 - System security patches and updates must be installed and up to date. (yum) - lineinfile: - dest: /etc/yum/yum-cron.conf - regexp: "^apply_updates" - line: "apply_updates = yes" - state: present - when: - - ansible_os_family | lower == 'redhat' - - yum_cron_config_check.stat.exists | bool - - security_rhel7_automatic_package_updates | bool - tags: - - packages - - medium - - V-71999 - -- name: V-71999 - System security patches and updates must be installed and up to date. (apt) - copy: - src: 20auto-upgrades - dest: /etc/apt/apt.conf.d/20auto-upgrades - when: - - ansible_os_family | lower == 'debian' - - security_rhel7_automatic_package_updates | bool - tags: - - packages - - cat2 - - V-71999 diff --git a/tasks/rhel7stig/rpm.yml b/tasks/rhel7stig/rpm.yml deleted file mode 100644 index d5d4228a..00000000 --- a/tasks/rhel7stig/rpm.yml +++ /dev/null 
@@ -1,71 +0,0 @@ ---- -# Copyright 2016, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Ensure RPM verification task has finished - async_status: - jid: "{{ rpmverify_task.ansible_job_id }}" - failed_when: False - changed_when: False - register: job_result - until: job_result.finished - retries: 30 - when: - - not rpmverify_task | skipped - -- name: V-71855 - Get files with invalid checksums (rpm) - shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" - register: invalid_checksum_files - changed_when: False - when: - - not check_mode | bool - - ansible_os_family | lower == 'redhat' - tags: - - rpm - - high - - V-71855 - -- name: V-71855 - The cryptographic hash of system files and commands must match vendor values (rpm) - debug: - msg: | - The following files have checksums that differ from the checksum provided - with their package. Each of these should be verified manually to ensure - they have not been modified by an unauthorized user. 
- - {% for filename in invalid_checksum_files.stdout_lines %} - {{ filename }} - {% endfor %} - when: - - not check_mode | bool - - ansible_os_family | lower == 'redhat' - - invalid_checksum_files is defined - - invalid_checksum_files.stdout is defined - tags: - - rpm - - high - - V-71855 - -- name: V-71977 - Require digital signatures for all packages - lineinfile: - dest: /etc/yum.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - state: present - with_items: "{{ rpm_gpgchecks | default([]) }}" - tags: - - rpm - - high - - V-71977 - - V-71979 - - V-71981 diff --git a/tasks/rhel7stig/sshd.yml b/tasks/rhel7stig/sshd.yml deleted file mode 100644 index 6bafe142..00000000 --- a/tasks/rhel7stig/sshd.yml +++ /dev/null 
@@ -1,107 +0,0 @@ ---- -# Copyright 2016, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Adding additional sshd configuration options is usually easy, but if a -# configuration file ends with certain configurations, like a "Match" stanza, -# we need a blank line to separate those configurations from the ones that -# are added by the security role. For that reason, we check for the existence -# of a marker line here and add a marker line to the file if it doesn't exist. 
- -- name: Find first 'Match' line in sshd_config (if it exists) - shell: "grep '^Match' /etc/ssh/sshd_config || echo 'EOF'" - register: sshd_match_check - changed_when: False - check_mode: no - tags: - - always - - sshd - -- name: Copy login warning banner - copy: - content: "{{ security_login_banner_text }}" - dest: "{{ security_sshd_banner_file }}" - owner: root - group: root - tags: - - high - - sshd - - V-71861 - - V-72225 - -- name: Adjust ssh server configuration based on STIG requirements - blockinfile: - dest: /etc/ssh/sshd_config - state: present - marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY" - insertbefore: "{{ sshd_match_check.stdout_lines[0] }}" - validate: '/usr/sbin/sshd -T -f %s' - block: "{{ lookup('template', 'sshd_config_block.j2') }}" - notify: - - restart ssh - tags: - - high - - sshd - - V-71939 - - V-71957 - - V-71959 - - V-72221 - - V-72225 - - V-72237 - - V-72241 - - V-72245 - - V-72247 - - V-72249 - - V-72243 - - V-72243 - - V-72303 - - V-72251 - - V-72253 - - V-72265 - - V-72267 - - V-72261 - - V-72263 - -- name: Ensure sshd is enabled at boot time - service: - name: "{{ ssh_service }}" - enabled: yes - when: - - security_enable_sshd | bool - tags: - - medium - - sshd - - V-72235 - -- name: Public host key files must have mode 0644 or less - file: - path: "{{ item }}" - mode: "u-xX,g-wxs,o-wxt" - with_fileglob: - - /etc/ssh/*.pub - tags: - - medium - - sshd - - V-72255 - -- name: Private host key files must have mode 0600 or less - file: - path: "{{ item }}" - mode: "u-xX,g-rwxs,o-rwxt" - with_fileglob: - - /etc/ssh/*_key - tags: - - medium - - sshd - - V-72257 diff --git a/templates/ZZ_aide_exclusions.j2 b/templates/ZZ_aide_exclusions.j2 deleted file mode 100644 index cea081b1..00000000 --- a/templates/ZZ_aide_exclusions.j2 +++ /dev/null 
@@ -1,8 +0,0 @@ -# {{ ansible_managed }} -# -# These excluded paths prevent AIDE from wandering into directories where it -# shouldn't be hashing/monitoring files. - -{% for dir in security_aide_exclude_dirs %} -!{{ dir }} -{% endfor %} diff --git a/templates/chrony.conf.j2 b/templates/chrony.conf.j2 deleted file mode 100644 index 1870f6ab..00000000 --- a/templates/chrony.conf.j2 +++ /dev/null 
@@ -1,104 +0,0 @@ -# {{ ansible_managed }} -# -# This the default chrony.conf file for the Debian chrony package. After -# editing this file use the command 'invoke-rc.d chrony restart' to make -# your changes take effect. John Hasler 1998-2008 - -# See www.pool.ntp.org for an explanation of these servers. Please -# consider joining the project if possible. If you can't or don't want to -# use these servers I suggest that you try your ISP's nameservers. We mark -# the servers 'offline' so that chronyd won't try to connect when the link -# is down. Scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d use chronyc -# commands to switch it on when a dialup link comes up and off when it goes -# down. Code in /etc/init.d/chrony attempts to determine whether or not -# the link is up at boot time and set the online status accordingly. If -# you have an always-on connection such as cable omit the 'offline' -# directive and chronyd will default to online. -# -# Note that if Chrony tries to go "online" and dns lookup of the servers -# fails they will be discarded. Thus under some circumstances it is -# better to use IP numbers than host names. - -{% for ntp_server in security_ntp_servers %} -server {{ ntp_server }} offline maxpoll 10 minpoll 8 -{% endfor %} - -# Look here for the admin password needed for chronyc. The initial -# password is generated by a random process at install time. You may -# change it if you wish. - -keyfile /etc/chrony/chrony.keys - -# Set runtime command key. Note that if you change the key (not the -# password) to anything other than 1 you will need to edit -# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony -# and /etc/cron.weekly/chrony as these scripts use it to get the password. - -commandkey 1 - -# I moved the driftfile to /var/lib/chrony to comply with the Debian -# filesystem standard. - -driftfile /var/lib/chrony/chrony.drift - -# Comment this line out to turn off logging. 
- -log tracking measurements statistics -logdir /var/log/chrony - -# Stop bad estimates upsetting machine clock. - -maxupdateskew 100.0 - -# Dump measurements when daemon exits. - -dumponexit - -# Specify directory for dumping measurements. - -dumpdir /var/lib/chrony - -# Let computer be a server when it is unsynchronised. - -local stratum 10 - -# Allow computers on the unrouted nets to use the server. - -{% for subnet in security_allowed_ntp_subnets %} -allow {{ subnet }} -{% endfor %} - -# This directive forces `chronyd' to send a message to syslog if it -# makes a system clock adjustment larger than a threshold value in seconds. - -logchange 0.5 - -# This directive defines an email address to which mail should be sent -# if chronyd applies a correction exceeding a particular threshold to the -# system clock. - -# mailonchange root@localhost 0.5 - -# This directive tells chrony to regulate the real-time clock and tells it -# Where to store related data. It may not work on some newer motherboards -# that use the HPET real-time clock. It requires enhanced real-time -# support in the kernel. I've commented it out because with certain -# combinations of motherboard and kernel it is reported to cause lockups. - -# rtcfile /var/lib/chrony/chrony.rtc - -# If the last line of this file reads 'rtconutc' chrony will assume that -# the CMOS clock is on UTC (GMT). If it reads '# rtconutc' or is absent -# chrony will assume local time. The line (if any) was written by the -# chrony postinst based on what it found in /etc/default/rcS. You may -# change it if necessary. -rtconutc - -{% if security_ntp_bind_local_interfaces_only | bool %} -# Listen for NTP requests only on local interfaces. -port 0 -bindcmdaddress 127.0.0.1 -{% if not security_disable_ipv6 | bool %} -bindcmdaddress ::1 -{% endif %} -{% endif %} diff --git a/templates/dconf-gdm-banner-message.j2 b/templates/dconf-gdm-banner-message.j2 deleted file mode 100644 index 1d8854ea..00000000 
--- a/templates/dconf-gdm-banner-message.j2 +++ /dev/null @@ -1,3 +0,0 @@ -[org/gnome/login-screen] -banner-message-enable={{ security_enable_graphical_login_message | bool | ternary('true', 'false') }} -banner-message-text='{{ security_enable_graphical_login_message_text | trim }}' diff --git a/templates/dconf-screensaver-lock.j2 b/templates/dconf-screensaver-lock.j2 deleted file mode 100644 index 825befe8..00000000 --- a/templates/dconf-screensaver-lock.j2 +++ /dev/null @@ -1,24 +0,0 @@ -{% if security_lock_session | bool %} -[org/gnome/desktop/session] -# V-71893 - The operating system must initiate a screensaver after a -# 15-minute period of inactivity for graphical user -# interfaces. -idle-delay={{ security_lock_session_inactive_delay }} - -[org/gnome/desktop/screensaver] -# V-71891 - The operating system must enable a user session lock until -# that user re-establishes access using established -# identification and authentication procedures. -lock-enabled=true - -# V-71901 - The operating system must initiate a session lock for -# graphical user interfaces when the screensaver is activated. -lock-delay={{ security_lock_session_screensaver_lock_delay }} - -{% if security_lock_session_when_inactive | bool %} -# V-71893 - The operating system must initiate a session lock for the -# screensaver after a period of inactivity for graphical user -# interfaces. -idle-activation-enabled=true -{% endif %} -{% endif %} diff --git a/templates/dconf-session-user-config-lockout.j2 b/templates/dconf-session-user-config-lockout.j2 deleted file mode 100644 index 64260d91..00000000 --- a/templates/dconf-session-user-config-lockout.j2 +++ /dev/null @@ -1,8 +0,0 @@ -{% if security_lock_session | bool %} -/org/gnome/desktop/session/idle-delay -/org/gnome/desktop/screensaver/lock-enabled -/org/gnome/desktop/screensaver/lock-delay -{% if security_lock_session_when_inactive | bool %} -/org/gnome/desktop/screensaver/idle-activation-enabled -{% endif %} -{% endif %} 
diff --git a/templates/jail.local.j2 b/templates/jail.local.j2 deleted file mode 100644 index b80b9dba..00000000 --- a/templates/jail.local.j2 +++ /dev/null @@ -1,7 +0,0 @@ -# {{ ansible_managed }} -# -# added for RHEL 6 STIG V-38501 - -[DEFAULT] -# "bantime" is the number of seconds that a host is banned. -bantime = {{ security_fail2ban_bantime }} diff --git a/templates/osas-auditd-rhel7.j2 b/templates/osas-auditd-rhel7.j2 deleted file mode 100644 index ab138622..00000000 --- a/templates/osas-auditd-rhel7.j2 +++ /dev/null 
@@ -1,97 +0,0 @@ -## Rules for auditd deployed by openstack-ansible-security -# Do not edit any of these rules directly. The contents of this file are -# controlled by Ansible variables and each variable is explained in detail -# within the role documentation: -# -# http://docs.openstack.org/developer/openstack-ansible-security/ -# - -# Delete all existing auditd rules prior to loading this ruleset. --D - -# Increase the buffers to survive stress events. --b 320 - -# Set the auditd failure flag. --f {{ security_rhel7_audit_failure_flag }} - -{# #} -{# The following loop takes a variable called audited_commands (a list of #} -{# dictionaries) and creates audit rules for each audited command or #} -{# syscall. #} -{# #} -# Audited commands and syscalls -{% for audited_command in audited_commands %} -{# #} -{# We replace any dashes in the command with underscores. The variables that #} -{# control the deployment of each rule can only contain underscores. #} -{# #} -{% set command_sanitized = audited_command['command'] | replace('-', '_') %} -{# #} -{# Verify that the variable controlling the rule is enabled and any distro- #} -{# specific requirements are met. #} -{# #} -{% if vars['security_rhel7_audit_' + command_sanitized ] | bool and (audited_command['distro'] | default(ansible_os_family | lower) == ansible_os_family | lower) %} -# {{ audited_command['stig_id'] }} - All uses of the {{ audited_command['command'] }} command must be audited. -{# #} -{# Some audit rules are specific to syscalls. Different rules are needed for #} -{# x86 and ppc64 systems. 
#} -{# #} -{% if audited_command['arch_specific'] %} -{% for arch in auditd_architectures %} --a always,exit -F arch={{ arch }} -S {{ audited_command['command'] }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k {{ audited_command['stig_id'] }} -{% endfor %} -{% else %} --a always,exit -F path={{ audited_command['path'] | default('/usr/bin') }}/{{ audited_command['command'] }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k {{ audited_command['stig_id'] }} -{% endif %} -{% endif %} - -{% endfor %} - -# Other audited events -{# #} -{# These events are more specific and require static templating. #} -{# #} -{% if security_rhel7_audit_account_access | bool %} -# V-72143 - The operating system must generate audit records for all -# successful/unsuccessful account access count events. --w /var/log/tallylog -p wa -k V-72143 -# V-72145 - The operating system must generate audit records for all -# unsuccessful account access events. --w /var/run/faillock -p wa -k V-72145 -# V-72147 - The operating system must generate audit records for all -# successful account access events. --w /var/log/lastlog -p wa -k V-72147 -{% endif %} - -{% if security_rhel7_audit_sudo_config_changes | bool %} -# V-72163 - The operating system must generate audit records containing -# the full-text recording of modifications to sudo configuration files. --w /etc/sudoers -p wa -k V-72163 --w /etc/sudoers.d/ -p wa -k V-72163 -{% endif %} - -{% if security_rhel7_audit_insmod | bool %} -# V-72191 - All uses of the insmod command must be audited. --w /sbin/insmod -p x -F auid!=4294967295 -k V-72191 -{% endif %} - -{% if security_rhel7_audit_rmmod | bool %} -# V-72193 - All uses of the rmmod command must be audited. --w /sbin/rmmod -p x -F auid!=4294967295 -k V-72193 -{% endif %} - -{% if security_rhel7_audit_modprobe | bool %} -# V-72195 - All uses of the modprobe command must be audited. 
--w /sbin/modprobe -p x -F auid!=4294967295 -k V-72195 -{% endif %} - -{% if security_rhel7_audit_account_actions | bool %} -# V-72197 - The operating system must generate audit records for all -# account creations, modifications, disabling, and termination events. --w /etc/group -p wa -k V-72197 --w /etc/passwd -p wa -k V-72197 --w /etc/gshadow -p wa -k V-72197 --w /etc/shadow -p wa -k V-72197 --w /etc/security/opasswd -p wa -k V-72197 -{% endif %} diff --git a/templates/osas-auditd.j2 b/templates/osas-auditd.j2 deleted file mode 100644 index 00920d84..00000000 --- a/templates/osas-auditd.j2 +++ /dev/null 
@@ -1,335 +0,0 @@ -# {{ ansible_managed }} - -# Delete all existing auditd rules prior to loading this ruleset. --D - -# Increase the buffers to survive stress events. --b 320 - -{% if security_audit_clock_settimeofday | bool %} -# RHEL 6 STIG V-38522 -# Audits changes to system time via settimeofday -{% if ansible_architecture == 'ppc64le' %} --a always,exit -F arch=ppc64 -S settimeofday -k audit_time_rules-V-38522 -{% else %} --a always,exit -F arch=b32 -S settimeofday -k audit_time_rules-V-38522 --a always,exit -F arch=b64 -S settimeofday -k audit_time_rules-V-38522 -{% endif %} -{% endif %} - -{% if security_audit_clock_stime | bool %} -# RHEL 6 STIG V-38525 -# Audits changes to system time via stime -{% if ansible_architecture == 'ppc64le' %} --a always,exit -F arch=ppc64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules-V-38525 -{% else %} --a always,exit -F arch=b32 -S stime -k audit_time_rules-V-38525 --a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules-V-38525 -{% endif %} -{% endif %} - -{% if security_audit_clock_settime | bool %} -# RHEL 6 STIG V-38527 -# Audits changes to system time via clock_settime -{% if ansible_architecture == 'ppc64le' %} --a always,exit -F arch=ppc64 -S clock_settime -k audit_time_rules-V-38527 -{% else %} --a always,exit -F arch=b32 -S clock_settime -k audit_time_rules-V-38527 --a always,exit -F arch=b64 -S clock_settime -k audit_time_rules-V-38527 -{% endif %} -{% endif %} - -{% if security_audit_change_localtime | bool %} -# RHEL 6 STIG V-38530 -# Audits clock changes made via /etc/localtime --w /etc/localtime -p wa -k audit_time_rules-V-38530 -{% endif %} - -{% if security_audit_account_modification | bool %} -# RHEL 6 STIG V-38531, V-38534, V-38536, V-38538 -# Audits account modifications and terminations --w /etc/group -p wa -k audit_account_changes-V-38531 --w /etc/passwd -p wa -k audit_account_changes-V-38531 --w /etc/gshadow -p wa -k audit_account_changes-V-38531 
--w /etc/shadow -p wa -k audit_account_changes-V-38531 --w /etc/security/opasswd -p wa -k audit_account_changes-V-38531 -{% endif %} - -{% if security_audit_network_changes | bool %} -# RHEL 6 STIG V-38540 -# Audits network configuration changes -{% if ansible_architecture == 'ppc64le' %} --a always,exit -F arch=ppc64 -S sethostname -S setdomainname -k audit_network_modifications-V-38540 -{% else %} --a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications-V-38540 --a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications-V-38540 -{% endif %} --w /etc/issue -p wa -k audit_network_modifications-V-38540 --w /etc/issue.net -p wa -k audit_network_modifications-V-38540 --w /etc/hosts -p wa -k audit_network_modifications-V-38540 -{% if ansible_os_family == "RedHat" %} --w /etc/sysconfig/network -p wa -k audit_network_modifications-V-38540 -{% elif ansible_os_family == "Debian" %} --w /etc/network -p wa -k audit_network_modifications-V-38540 -{% endif %} -{% endif %} - -{% if linux_security_module == 'apparmor' and security_audit_mac_changes | bool %} -# RHEL 6 STIG V-38541 -# Audits changes to AppArmor policies --w /etc/apparmor/ -p wa -k MAC-policy-V-38541 --w /etc/apparmor.d/ -p wa -k MAC-policy-V-38541 -{% endif %} - -{% if linux_security_module == 'selinux' and security_audit_mac_changes | bool %} -# RHEL 6 STIG V-38541 -# Audits changes to SELinux policies --w /etc/selinux/ -p wa -k MAC-policy-V-38541 -{% endif %} - -{% if security_audit_DAC_chmod | bool %} -# RHEL 6 STIG V-38543 -# Audits DAC changes via chmod -{% if ansible_architecture == 'ppc64le' %} --a always,exit -F arch=ppc64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38543 --a always,exit -F arch=ppc64 -S removexattr -F auid=0 -k perm_mod-V-38543 -{% else %} --a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38543 --a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod-V-38543 
--a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38543 --a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod-V-38543 -{% endif %} -{% endif %} - -{% if security_audit_DAC_chown | bool %} -# RHEL 6 STIG V-38545 -# Audits DAC changes via chown -{% if ansible_architecture == 'ppc64le' %} --a always,exit -F arch=ppc64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38545 --a always,exit -F arch=ppc64 -S chown -F auid=0 -k perm_mod-V-38545 -{% else %} --a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38545 --a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod-V-38545 --a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38545 --a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod-V-38545 -{% endif %} -{% endif %} - -{% if security_audit_DAC_fchmod | bool %} -# RHEL 6 STIG V-38547 -# Audits DAC changes via fchmod -{% if ansible_architecture == 'ppc64le' %} --a always,exit -F arch=ppc64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38547 --a always,exit -F arch=ppc64 -S fchmod -F auid=0 -k perm_mod-V-38547 -{% else %} --a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38547 --a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod-V-38547 --a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38547 --a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod-V-38547 -{% endif %} -{% endif %} - -{% if security_audit_DAC_fchmodat | bool %} -# RHEL 6 STIG V-38550 -# Audits DAC changes via fchmodat -{% if ansible_architecture == 'ppc64le' %} --a always,exit -F arch=ppc64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38550 --a always,exit -F arch=ppc64 -S fchmodat -F auid=0 -k perm_mod-V-38550 -{% else %} --a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38550 --a always,exit -F arch=b32 -S fchmodat -F auid=0 -k 
perm_mod-V-38550 --a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38550 --a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod-V-38550 -{% endif %} -{% endif %} - -{% if security_audit_DAC_fchown | bool %} -# RHEL 6 STIG V-38552 -# Audits DAC changes via fchown -{% if ansible_architecture == 'ppc64le' %} --a always,exit -F arch=ppc64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38552 --a always,exit -F arch=ppc64 -S fchown -F auid=0 -k perm_mod-V-38552 -{% else %} --a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38552 --a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod-V-38552 --a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38552 --a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod-V-38552 -{% endif %} -{% endif %} - -{% if security_audit_DAC_fchownat | bool %} -# RHEL 6 STIG V-38554 -# Audits DAC changes via fchownat -{% if ansible_architecture == 'ppc64le' %} --a always,exit -F arch=ppc64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38554 --a always,exit -F arch=ppc64 -S fchownat -F auid=0 -k perm_mod-V-38554 -{% else %} --a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38554 --a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod-V-38554 --a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38554 --a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod-V-38554 -{% endif %} -{% endif %} - -{% if security_audit_DAC_fremovexattr | bool %} -# RHEL 6 STIG V-38556 -# Audits DAC changes via fremovexattr -{% if ansible_architecture == 'ppc64le' %} --a always,exit -F arch=ppc64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38556 --a always,exit -F arch=ppc64 -S fremovexattr -F auid=0 -k perm_mod-V-38556 -{% else %} --a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38556 --a 
always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod-V-38556 --a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38556 --a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod-V-38556 -{% endif %} -{% endif %} - -{% if security_audit_DAC_fsetxattr | bool %} -# RHEL 6 STIG V-38557 -# Audits DAC changes via fsetxattr -{% if ansible_architecture == 'ppc64le' %} --a always,exit -F arch=ppc64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38557 --a always,exit -F arch=ppc64 -S fsetxattr -F auid=0 -k perm_mod-V-38557 -{% else %} --a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38557 --a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod-V-38557 --a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38557 --a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod-V-38557 -{% endif %} -{% endif %} - -{% if security_audit_DAC_lchown | bool %} -# RHEL 6 STIG V-38558 -# Audits DAC changes via lchown -{% if ansible_architecture == 'ppc64le' %} --a always,exit -F arch=ppc64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38558 --a always,exit -F arch=ppc64 -S lchown -F auid=0 -k perm_mod-V-38558 -{% else %} --a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38558 --a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod-V-38558 --a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38558 --a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod-V-38558 -{% endif %} -{% endif %} - -{% if security_audit_DAC_lremovexattr | bool %} -# RHEL 6 STIG V-38559 -# Audits DAC changes via lremovexattr -{% if ansible_architecture == 'ppc64le' %} --a always,exit -F arch=ppc64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38559 --a always,exit -F arch=ppc64 -S lremovexattr -F auid=0 -k perm_mod-V-38559 -{% else %} --a always,exit -F arch=b32 -S 
lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_modV-38559 --a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod-V-38559 --a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38559 --a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod-V-38559 -{% endif %} -{% endif %} - -{% if security_audit_DAC_lsetxattr | bool %} -# RHEL 6 STIG V-38561 -# Audits DAC changes via lsetxattr -{% if ansible_architecture == 'ppc64le' %} --a always,exit -F arch=ppc64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38561 --a always,exit -F arch=ppc64 -S lsetxattr -F auid=0 -k perm_mod-V-38561 -{% else %} --a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38561 --a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod-V-38561 --a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38561 --a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod-V-38561 -{% endif %} -{% endif %} - -{% if security_audit_DAC_setxattr | bool %} -# RHEL 6 STIG V-38565 -# Audits DAC changes via setxattr -{% if ansible_architecture == 'ppc64le' %} --a always,exit -F arch=ppc64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38565 --a always,exit -F arch=ppc64 -S setxattr -F auid=0 -k perm_mod-V-38565 -{% else %} --a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38565 --a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod-V-38565 --a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38565 --a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod-V-38565 -{% endif %} -{% endif %} - -{% if security_audit_failed_access | bool %} -# RHEL 6 STIG V-38566 -# Audits failed attempts to access files and programs -{% if ansible_architecture == 'ppc64le' %} --a always,exit -F arch=ppc64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F 
auid!=4294967295 -k access-V-38566 --a always,exit -F arch=ppc64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access-V-38566 --a always,exit -F arch=ppc64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access-V-38566 --a always,exit -F arch=ppc64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access-V-38566 -{% else %} --a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access-V-38566 --a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access-V-38566 --a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access-V-38566 --a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access-V-38566 --a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access-V-38566 --a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access-V-38566 --a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access-V-38566 --a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access-V-38566 -{% endif %} -{% endif %} - -{% if security_audit_filesystem_mounts | bool %} -# RHEL 6 STIG V-38568 -# Audits filesystem mounts -{% if ansible_architecture == 'ppc64le' %} --a always,exit -F arch=ppc64 -S mount -F auid>=500 -F auid!=4294967295 -k filesystem_mount-V-38568 --a always,exit -F arch=ppc64 -S mount -F auid=0 -k filesystem_mount-V-38568 -{% else %} --a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k filesystem_mount-V-38568 --a 
always,exit -F arch=b32 -S mount -F auid=0 -k filesystem_mount-V-38568 --a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k filesystem_mount-V-38568 --a always,exit -F arch=b64 -S mount -F auid=0 -k filesystem_mount-V-38568 -{% endif %} -{% endif %} - -{% if security_audit_deletions | bool %} -# RHEL 6 STIG V-38575 -# Audits deletion of files and programs -{% if ansible_architecture == 'ppc64le' %} --a always,exit -F arch=ppc64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete-V-38575 --a always,exit -F arch=ppc64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete-V-38575 -{% else %} --a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete-V-38575 --a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete-V-38575 --a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete-V-38575 --a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete-V-38575 -{% endif %} -{% endif %} - -{% if security_audit_sudoers | bool %} -# RHEL 6 STIG V-38578 -# Audits /etc/sudoers changes --w /etc/sudoers -p wa -k actions-V-38578 -{% endif %} - -{% if security_audit_kernel_modules | bool %} -# RHEL 6 STIG V-38580 -# Audits kernel module loading/unloading --w /sbin/insmod -p x -k modules-V-38580 --w /sbin/rmmod -p x -k modules-V-38580 --w /sbin/modprobe -p x -k modules-V-38580 -{% if ansible_architecture == 'ppc64le' %} --a always,exit -F arch=ppc64 -S init_module -S delete_module -k modules-V-38580 -{% else %} --a always,exit -F arch=b32 -S init_module -S delete_module -k modules-V-38580 --a always,exit -F arch=b64 -S init_module -S delete_module -k modules-V-38580 -{% endif %} -{% endif %} - -{% if security_audit_change_system_time | bool %} -# RHEL 6 STIG V-38635 -# Audits system time 
changes -{% if ansible_architecture == 'ppc64le' %} --a always,exit -F arch=ppc64 -S adjtimex -k audit_time_rules-V-38635 -{% else %} --a always,exit -F arch=b32 -S adjtimex -k audit_time_rules-V-38635 --a always,exit -F arch=b64 -S adjtimex -k audit_time_rules-V-38635 -{% endif %} -{% endif %} diff --git a/templates/pam_faillock.j2 b/templates/pam_faillock.j2 deleted file mode 100644 index 7fd6f5ac..00000000 --- a/templates/pam_faillock.j2 +++ /dev/null @@ -1,3 +0,0 @@ -# V-71945 - If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked. -auth required pam_faillock.so preauth silent audit deny="{{ security_pam_faillock_attempts }}" "{{ security_pam_faillock_deny_root | bool | ternary('even_deny_root','') }}" fail_interval="{{ security_pam_faillock_interval }}" unlock_time="{{ security_pam_faillock_unlock_time }}" -auth [default=die] pam_faillock.so authfail audit deny="{{ security_pam_faillock_attempts }}" "{{ security_pam_faillock_deny_root | bool | ternary('even_deny_root','') }}" fail_interval="{{ security_pam_faillock_interval }}" unlock_time="{{ security_pam_faillock_unlock_time }}" diff --git a/templates/pwquality.conf.j2 b/templates/pwquality.conf.j2 deleted file mode 100644 index d0301c77..00000000 --- a/templates/pwquality.conf.j2 +++ /dev/null @@ -1,8 +0,0 @@ -{% if security_pwquality_apply_rules | bool %} -{% for rule in password_quality_rhel7 %} -{% if rule.value is defined and rule.enabled | bool %} -# {{ rule.stig_id }} - {{ rule.description }} -{{ rule.parameter}} = {{ rule.value }} -{% endif %} -{% endfor %} -{% endif %} diff --git a/templates/sshd_config_block.j2 b/templates/sshd_config_block.j2 deleted file mode 100644 index 49e14259..00000000 --- a/templates/sshd_config_block.j2 +++ /dev/null 
@@ -1,58 +0,0 @@ -{% if security_sshd_disallow_empty_password | bool %} -# V-71939 / RHEL-07-010440 -PermitEmptyPasswords no -{% endif %} -{% if security_sshd_disallow_environment_override | bool %} -# V-71957 -PermitUserEnvironment no -{% endif %} -{% if security_sshd_disallow_host_based_auth | bool %} -# V-71959 -HostbasedAuthentication no -{% endif %} -# V-72221 -Ciphers {{ security_sshd_cipher_list }} -# V-72225 -Banner {{ security_sshd_banner_file }} -# V-72237 -ClientAliveInterval {{ security_sshd_client_alive_interval }} -# V-72241 -ClientAliveCountMax {{ security_sshd_client_alive_count_max }} -{% if security_sshd_print_last_log | bool %} -# V-72245 -PrintLastLog yes -{% endif %} -{% if security_sshd_permit_root_login | bool %} -# V-72247 -PermitRootLogin no -{% endif %} -{% if security_sshd_disallow_known_hosts_auth | bool %} -# V-72249 / V-72239 -IgnoreUserKnownHosts yes -{% endif %} -{% if security_sshd_disallow_rhosts_auth | bool %} -# V-72243 -IgnoreRhosts yes -{% endif %} -{% if security_sshd_enable_x11_forwarding | bool %} -# V-72303 -X11Forwarding yes -{% endif %} -# V-72251 -Protocol {{ security_sshd_protocol }} -# V-72253 -MACs {{security_sshd_allowed_macs }} -{% if security_sshd_enable_privilege_separation | bool %} -# V-72265 -UsePrivilegeSeparation sandbox -{% endif %} -# V-72267 -Compression {{ security_sshd_compression }} -{% if security_sshd_disable_kerberos_auth | bool %} -# V-72261 -KerberosAuthentication no -{% endif %} -{% if security_sshd_enable_strict_modes| bool %} -# V-72263 -StrictModes yes -{% endif %} diff --git a/test-requirements.txt b/test-requirements.txt deleted file mode 100644 index a52179fa..00000000 --- a/test-requirements.txt +++ /dev/null 
@@ -1,18 +0,0 @@ -# The order of packages is significant, because pip processes them in the order -# of appearance. Changing the order has an impact on the overall integration -# process, which may cause wedges in the gate later. -bashate>=0.2 # Apache-2.0 -flake8<2.6.0,>=2.5.4 # MIT -pyasn1!=0.2.3 # BSD -pyOpenSSL>=0.14 # Apache-2.0 -requests>=2.14.2 # Apache-2.0 -ndg-httpsclient>=0.4.2;python_version<'3.0' # BSD - -# this is required for the docs build jobs -sphinx>=1.6.2 # BSD -oslosphinx>=4.7.0 # Apache-2.0 -openstackdocstheme>=1.11.0 # Apache-2.0 -doc8 # Apache-2.0 -reno!=2.3.1,>=1.8.0 # Apache-2.0 -Jinja2!=2.9.0,!=2.9.1,!=2.9.2,!=2.9.3,!=2.9.4,>=2.8 # BSD License (3 clause) -lxml!=3.7.0,>=2.3 # BSD diff --git a/tests/inventory b/tests/inventory deleted file mode 100644 index 6c0833a9..00000000 --- a/tests/inventory +++ /dev/null @@ -1,2 +0,0 @@ -[all] -localhost ansible_connection=local ansible_become=True diff --git a/tests/test.yml b/tests/test.yml deleted file mode 100644 index 76421f9f..00000000 --- a/tests/test.yml +++ /dev/null 
@@ -1,102 +0,0 @@ ---- -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Playbook for role testing - hosts: localhost - pre_tasks: - - name: Ensure apt cache is updated before testing - apt: - update_cache: yes - cache_valid_time: "{{ cache_timeout }}" - when: ansible_pkg_mgr == 'apt' - changed_when: False - - name: Ensure OpenStack CI image has a logrotate cron job - file: - path: /etc/cron.daily/logrotate - state: touch - when: ansible_os_family == 'RedHat' - changed_when: False - - name: Install dconf package to test graphical session locks - package: - name: dconf - state: installed - when: ansible_os_family == 'RedHat' - changed_when: False - post_tasks: - - name: Stat 20auto-upgrades file - stat: - path: /etc/apt/apt.conf.d/20auto-upgrades - register: auto_upgrades_file - when: - - not check_mode - - stig_version == 'rhel6' - - ansible_pkg_mgr == 'apt' - - name: Slurp contents of 50unattended-upgrades file - slurp: - src: /etc/apt/apt.conf.d/50unattended-upgrades - register: unattended_upgrades_file_encoded - when: - - not check_mode - - stig_version == 'rhel6' - - ansible_pkg_mgr == 'apt' - - name: Decode slurp'd 50-unattended-upgrades file - set_fact: - unattended_upgrades_file: "{{ unattended_upgrades_file_encoded.content | b64decode }}" - when: - - not check_mode - - stig_version == 'rhel6' - - ansible_pkg_mgr == 'apt' - - name: Ensure auto updates has been enabled - assert: - that: - - 
auto_upgrades_file.stat.exists - when: - - not check_mode - - stig_version == 'rhel6' - - ansible_pkg_mgr == 'apt' - - name: Ensure that auto update notifications has been enabled - assert: - that: - - "'\nUnattended-Upgrade::Mail \"root\";\n' in unattended_upgrades_file" - when: - - not check_mode - - stig_version == 'rhel6' - - ansible_pkg_mgr == 'apt' - roles: - - role: "openstack-ansible-security" - vars: - security_disable_account_if_password_expires: yes - security_enable_firewalld: yes - security_pwquality_apply_rules: yes - security_enable_pwquality_password_set: yes - security_lock_session: yes - security_pwquality_require_minimum_password_length: yes - security_package_clean_on_remove: yes - security_pam_faillock_enable: yes - security_password_remember_password: 5 - security_reset_perm_ownership: yes - security_require_grub_authentication: yes - security_rhel7_automatic_package_updates: yes - security_rhel7_initialize_aide: yes - security_rhel7_remove_shosts_files: yes - security_search_for_invalid_owner: yes - security_search_for_invalid_group_owner: yes - security_unattended_upgrades_enabled: yes - security_unattended_upgrades_notifications: yes - # NOTE(mhayden): clamav is only available if EPEL is installed. There needs - # to be some work done to figure out how to install EPEL for use with - # this role without causing disruptions on the system. - security_enable_virus_scanner: no - security_run_virus_scanner_update: no diff --git a/tests/tests-repo-clone.sh b/tests/tests-repo-clone.sh deleted file mode 100755 index 9c793c59..00000000 --- a/tests/tests-repo-clone.sh +++ /dev/null 
@@ -1,99 +0,0 @@ -#!/bin/bash -# Copyright 2017, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# PURPOSE: -# This script clones the openstack-ansible-tests repository to the -# tests/common folder in order to be able to re-use test components -# for role testing. - -# WARNING: -# This file is maintained in the openstack-ansible-tests repository: -# https://git.openstack.org/cgit/openstack/openstack-ansible-tests -# If you need to change this script, then propose the change there. -# Once it merges, the change will be replicated to the other repositories. - -## Shell Opts ---------------------------------------------------------------- - -set -e - -## Vars ---------------------------------------------------------------------- - -export TESTING_HOME=${TESTING_HOME:-$HOME} -export WORKING_DIR=${WORKING_DIR:-$(pwd)} -export CLONE_UPGRADE_TESTS=${CLONE_UPGRADE_TESTS:-no} - -## Functions ----------------------------------------------------------------- - -function create_tests_clonemap { - -# Prepare the clonemap for zuul-cloner to use -cat > ${TESTING_HOME}/tests-clonemap.yaml << EOF -clonemap: - - name: openstack/openstack-ansible-tests - dest: ${WORKING_DIR}/tests/common -EOF - -} - -## Main ---------------------------------------------------------------------- - -# If zuul-cloner is present, use it so that we -# also include any dependent patches from the -# tests repo noted in the commit message. 
-if [[ -x /usr/zuul-env/bin/zuul-cloner ]]; then
-
- # Prepare the clonemap for zuul-cloner to use
- create_tests_clonemap
-
- # Execute the clone
- /usr/zuul-env/bin/zuul-cloner \
- --cache-dir /opt/git \
- --map ${TESTING_HOME}/tests-clonemap.yaml \
- git://git.openstack.org \
- openstack/openstack-ansible-tests
-
- # Clean up the clonemap.
- rm -f ${TESTING_HOME}/tests-clonemap.yaml
-
-# Alternatively, use a simple git-clone. We do
-# not re-clone if the directory exists already
-# to prevent overwriting any local changes which
-# may have been made.
-elif [[ ! -d tests/common ]]; then
-
- # The tests repo doesn't need a clone, we can just
- # symlink it.
- if [[ "$(basename ${WORKING_DIR})" == "openstack-ansible-tests" ]]; then
- ln -s ${WORKING_DIR} ${WORKING_DIR}/tests/common
- else
- git clone \
- https://git.openstack.org/openstack/openstack-ansible-tests \
- ${WORKING_DIR}/tests/common
- fi
-fi
-
-# If this test set includes an upgrade test, the
-# previous stable release tests repo must also be
-# cloned.
-# Note:
-# Dependent patches to the previous stable release
-# tests repo are not supported.
-if [[ "${CLONE_UPGRADE_TESTS}" == "yes" ]]; then
- if [[ ! -d "${WORKING_DIR}/tests/common/previous" ]]; then
- git clone -b stable/ocata \
- https://git.openstack.org/openstack/openstack-ansible-tests \
- ${WORKING_DIR}/tests/common/previous
- fi
-fi
diff --git a/tests/vagrant.yml b/tests/vagrant.yml
deleted file mode 100644
index 040006ba..00000000
--- a/tests/vagrant.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-# Copyright 2016, HPE, VMWare
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Playbook for role testing
- hosts: all
- roles:
- - role: "../../../openstack-ansible-security"
diff --git a/tox.ini b/tox.ini
deleted file mode 100644
index 5dff1f55..00000000
--- a/tox.ini
+++ /dev/null
@@ -1,130 +0,0 @@
-[tox]
-minversion = 2.0
-skipsdist = True
-envlist = docs,linters,functional
-
-
-[testenv]
-usedevelop = True
-install_command =
- pip install -c{env:UPPER_CONSTRAINTS_FILE:https://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt} {opts} {packages}
-deps =
- -r{toxinidir}/test-requirements.txt
-commands =
- /usr/bin/find . -type f -name "*.pyc" -delete
-passenv =
- HOME
- http_proxy
- HTTP_PROXY
- https_proxy
- HTTPS_PROXY
- no_proxy
- NO_PROXY
-whitelist_externals =
- bash
-setenv =
- PYTHONUNBUFFERED=1
- ROLE_NAME=openstack-ansible-security
- TEST_CHECK_MODE=true
- TEST_IDEMPOTENCE=true
- VIRTUAL_ENV={envdir}
- WORKING_DIR={toxinidir}
-
-
-[testenv:docs]
-commands=
- bash -c "rm -rf doc/build"
- doc8 doc
- python setup.py build_sphinx
-
-
-[doc8]
-# Settings for doc8:
-extensions = .rst
-allow-long-titles=1
-
-
-[testenv:releasenotes]
-commands =
- sphinx-build -a -E -W -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html
-
-
-# environment used by the -infra templated docs job
-[testenv:venv]
-commands =
- {posargs}
-
-
-[testenv:pep8]
-commands =
- bash -c "{toxinidir}/tests/tests-repo-clone.sh"
- bash -c "{toxinidir}/tests/common/test-pep8.sh"
-
-
-[flake8]
-# Ignores the following rules due to how ansible modules work in general
-# F403 'from ansible.module_utils.basic import *' used;
-# unable to detect undefined names
-ignore=F403
-
-
-[testenv:bashate]
-commands =
- bash -c "{toxinidir}/tests/tests-repo-clone.sh"
- bash -c "{toxinidir}/tests/common/test-bashate.sh"
-
-
-[testenv:ansible]
-deps =
- {[testenv]deps}
- -rhttps://git.openstack.org/cgit/openstack/openstack-ansible/plain/global-requirement-pins.txt
- -rhttps://git.openstack.org/cgit/openstack/openstack-ansible-tests/plain/test-ansible-deps.txt
-
-
-[testenv:ansible-syntax]
-deps =
- {[testenv:ansible]deps}
-commands =
- bash -c "{toxinidir}/tests/tests-repo-clone.sh"
- bash -c "{toxinidir}/tests/common/test-ansible-syntax.sh"
-
-
-[testenv:ansible-lint]
-deps =
- {[testenv:ansible]deps}
-commands =
- bash -c "{toxinidir}/tests/tests-repo-clone.sh"
- bash -c "{toxinidir}/tests/common/test-ansible-lint.sh"
-
-
-[testenv:functional]
-deps =
- {[testenv:ansible]deps}
-setenv =
- {[testenv]setenv}
- # NOTE(mhayden): Disabling chrony since it causes conflicts in CI.
- ANSIBLE_PARAMETERS=-e security_rhel7_enable_chrony=no
-commands =
- bash -c "{toxinidir}/tests/tests-repo-clone.sh"
- bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
-
-[testenv:func_rhel6]
-deps =
- {[testenv:ansible]deps}
-setenv =
- {[testenv]setenv}
- # NOTE(mhayden): Disabling chrony since it causes conflicts in CI.
- ANSIBLE_PARAMETERS=-e stig_version=rhel6 --skip-tags V-38462,V-38660 -e security_enable_chrony=no
-commands =
- bash -c "{toxinidir}/tests/tests-repo-clone.sh"
- bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
-
-[testenv:linters]
-deps =
- {[testenv:ansible]deps}
-commands =
- {[testenv:pep8]commands}
- {[testenv:bashate]commands}
- {[testenv:ansible-lint]commands}
- {[testenv:ansible-syntax]commands}
- {[testenv:docs]commands}
diff --git a/vars/debian.yml b/vars/debian.yml
deleted file mode 100644
index 0b7b56b0..00000000
--- a/vars/debian.yml
+++ /dev/null
@@ -1,161 +0,0 @@
----
-# Copyright 2016, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-## Variables for Ubuntu and Debian
-# The following variables apply only to Ubuntu 14.04 (trusty), Ubuntu 16.04
-# (xenial), and Debian 8 (jessie). Deployers should not need to override these
-# variables.
-#
-# For more details, see 'vars/main.yml'.
-
-# Maximum age of the apt cache before a refresh is required
-cache_timeout: 600
-
-# Configuration file paths
-pam_auth_file: /etc/pam.d/common-auth
-pam_password_file: /etc/pam.d/common-password
-pam_postlogin_file: /etc/pam.d/login
-vsftpd_conf_file: /etc/vsftpd.conf
-grub_conf_file: /boot/grub/grub.cfg
-grub_conf_file_efi: /boot/efi/EFI/ubuntu/grub.cfg
-grub_defaults_file: /etc/default/grub
-aide_cron_job_path: /etc/cron.daily/aide
-aide_database_file: /var/lib/aide/aide.db
-chrony_conf_file: /etc/chrony/chrony.conf
-daemon_init_params_file: /etc/init.d/rc
-
-# Service name
-cron_service: cron
-ssh_service: ssh
-chrony_service: chrony
-clamav_service: clamav-daemon
-
-# Commands
-grub_update_cmd: "/usr/sbin/update-grub"
-ssh_keysign_path: /usr/lib/openssh
-
-# RHEL 6 STIG: Packages to add/remove
-stig_packages:
- - packages:
- - auditd
- - audispd-plugins
- - aide
- - aide-common
- - chrony
- - debsums
- - logrotate
- - postfix
- state: "{{ security_package_state }}"
- enabled: True
- - packages:
- - apparmor
- - apparmor-profiles
- - apparmor-utils
- state: "{{ security_package_state }}"
- enabled: "{{ security_enable_linux_security_module }}"
- - packages:
- - fail2ban
- state: "{{ security_package_state }}"
- enabled: "{{ security_install_fail2ban }}"
- - packages:
- - xinetd
- state: absent
- enabled: "{{ security_remove_xinetd }}"
- - packages:
- - nis
- state: absent
- enabled: "{{ security_remove_ypserv }}"
- - packages:
- - tftpd
- state: absent
- enabled: "{{ security_remove_tftp_server }}"
- - packages:
- - slapd
- state: absent
- enabled: "{{ security_remove_ldap_server }}"
- - packages:
- - sendmail
- state: absent
- enabled: "{{ security_remove_sendmail }}"
- - packages:
- - xorg-xserver
- state: absent
- enabled: "{{ security_remove_xorg }}"
- - packages:
- - rsh-server
- state: absent
- enabled: "{{ security_remove_rsh_server }}"
- - packages:
- - telnetd
- state: absent
- enabled: "{{ security_remove_telnet_server }}"
-
-# RHEL 7 STIG: Packages to add/remove
-stig_packages_rhel7:
- - packages:
- - auditd
- - audispd-plugins
- - aide
- - aide-common
- - libpwquality-common
- - openssh-client
- - openssh-server
- - screen
- state: "{{ security_package_state }}"
- enabled: True
- - packages:
- - apparmor
- - apparmor-profiles
- - apparmor-utils
- state: "{{ security_package_state }}"
- enabled: "{{ security_rhel7_enable_linux_security_module }}"
- - packages:
- - chrony
- state: "{{ security_package_state }}"
- enabled: "{{ security_rhel7_enable_chrony }}"
- - packages:
- - clamav
- - clamav-daemon
- - clamav-freshclam
- state: "{{ security_package_state }}"
- enabled: "{{ security_enable_virus_scanner }}"
- - packages:
- - firewalld
- state: "{{ security_package_state }}"
- enabled: "{{ security_enable_firewalld }}"
- - packages:
- - unattended-upgrades
- state: "{{ security_package_state }}"
- enabled: "{{ security_rhel7_automatic_package_updates }}"
- - packages:
- - rsh-server
- state: absent
- enabled: "{{ security_rhel7_remove_rsh_server }}"
- - packages:
- - telnetd
- state: absent
- enabled: "{{ security_rhel7_remove_telnet_server }}"
- - packages:
- - tftpd
- state: absent
- enabled: "{{ security_rhel7_remove_tftp_server }}"
- - packages:
- - xorg-xserver
- state: absent
- enabled: "{{ security_rhel7_remove_xorg }}"
- - packages:
- - nis
- state: absent
- enabled: "{{ security_rhel7_remove_ypserv }}"
diff --git a/vars/main.yml b/vars/main.yml
deleted file mode 100644
index cc647269..00000000
--- a/vars/main.yml
+++ /dev/null
@@ -1,346 +0,0 @@
----
-# Copyright 2016, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-## Common variables for all distributions
-# This file contains variables that apply to all distributions that the
-# security role supports. Distribution-specific variables should be placed in:
-#
-# - vars/redhat.yml
-# - vars/ubuntu.yml
-
-## auditd configuration
-auditd_config:
- - parameter: disk_full_action
- value: "{{ security_rhel7_auditd_disk_full_action }}"
- config: /etc/audisp/audisp-remote.conf
- - parameter: network_failure_action
- value: "{{ security_rhel7_auditd_network_failure_action }}"
- config: /etc/audisp/audisp-remote.conf
- - parameter: space_left
- value: "{{ security_rhel7_auditd_space_left }}"
- config: /etc/audit/auditd.conf
- - parameter: space_left_action
- value: "{{ security_rhel7_auditd_space_left_action }}"
- config: /etc/audit/auditd.conf
- - parameter: action_mail_acct
- value: "{{ security_rhel7_auditd_action_mail_acct }}"
- config: /etc/audit/auditd.conf
-
-## auditd rules
-# This variable is used in tasks/rhel7stig/auditd.yml to deploy auditd rules
-# for various commands and syscalls.
-#
-# Each dictionary has this structure:
-#
-# command: the command/syscall to audit (required)
-# stig_id: the number/ID from the STIG (required)
-# arch_specific: 'yes' if the rule depends on the architecture type,
-# otherwise 'no' (required)
-# path: the path to the command (optional, default is '/usr/bin')
-# distro: restrict deployment to a single Linux distribution (optional,
-# should be equal to 'ansible_os_family | lower', such as 'redhat'
-# or 'ubuntu')
-#
-audited_commands:
- - command: chsh
- stig_id: V-72167
- arch_specific: no
- - command: chage
- stig_id: V-72155
- arch_specific: no
- - command: chcon
- stig_id: V-72139
- arch_specific: no
- - command: chmod
- stig_id: V-72105
- arch_specific: yes
- - command: chown
- stig_id: V-72097
- arch_specific: yes
- - command: creat
- stig_id: V-72123
- arch_specific: yes
- - command: crontab
- stig_id: V-72183
- arch_specific: no
- - command: delete_module
- stig_id: V-72189
- arch_specific: yes
- - command: fchmod
- stig_id: V-72107
- arch_specific: yes
- - command: fchmodat
- stig_id: V-72109
- arch_specific: yes
- - command: fchown
- stig_id: V-72099
- arch_specific: yes
- - command: fchownat
- stig_id: V-72103
- arch_specific: yes
- - command: fremovexattr
- stig_id: V-72119
- arch_specific: yes
- - command: fsetxattr
- stig_id: V-72113
- arch_specific: yes
- - command: ftruncate
- stig_id: V-72133
- arch_specific: yes
- - command: init_module
- stig_id: V-72187
- arch_specific: yes
- - command: gpasswd
- stig_id: V-72153
- arch_specific: no
- - command: lchown
- stig_id: V-72101
- arch_specific: yes
- - command: lremovexattr
- stig_id: V-72121
- arch_specific: yes
- - command: lsetxattr
- stig_id: V-72115
- arch_specific: yes
- - command: mount
- path: /bin
- stig_id: V-72171
- arch_specific: no
- - command: newgrp
- stig_id: V-72165
- arch_specific: no
- - command: open
- stig_id: V-72125
- arch_specific: yes
- - command: openat
- stig_id: V-72127
- arch_specific: yes
- - command: open_by_handle_at
- stig_id: V-72129
- arch_specific: yes
- - command: pam_timestamp_check
- path: /sbin
- stig_id: V-72185
- arch_specific: no
- - command: passwd
- stig_id: V-72149
- arch_specific: no
- - command: postdrop
- path: /usr/sbin
- stig_id: V-72175
- arch_specific: no
- - command: postqueue
- path: /usr/sbin
- stig_id: V-72177
- arch_specific: no
- - command: pt_chown
- path: /usr/libexec
- stig_id: V-72181
- arch_specific: no
- distro: redhat
- - command: removexattr
- stig_id: V-72117
- arch_specific: yes
- - command: rename
- stig_id: V-72199
- arch_specific: yes
- - command: renameat
- stig_id: V-72201
- arch_specific: yes
- - command: restorecon
- path: /usr/sbin
- stig_id: V-72141
- arch_specific: no
- - command: rmdir
- stig_id: V-72203
- arch_specific: yes
- - command: semanage
- path: /usr/sbin
- stig_id: V-72135
- arch_specific: no
- - command: setsebool
- path: /usr/sbin
- stig_id: V-72137
- arch_specific: no
- - command: setxattr
- stig_id: V-72111
- arch_specific: yes
- - command: ssh-keysign
- path: "{{ ssh_keysign_path }}"
- stig_id: V-72179
- arch_specific: no
- - command: su
- path: /bin
- stig_id: V-72159
- arch_specific: no
- - command: sudo
- stig_id: V-72161
- arch_specific: no
- - command: sudoedit
- path: /bin
- stig_id: V-72169
- arch_specific: no
- - command: truncate
- stig_id: V-72131
- arch_specific: yes
- - command: umount
- path: /bin
- stig_id: V-72173
- arch_specific: no
- - command: unix_chkpwd
- path: /sbin
- stig_id: V-72151
- arch_specific: no
- - command: unlink
- stig_id: V-72205
- arch_specific: yes
- - command: unlinkat
- stig_id: V-72207
- arch_specific: yes
- - command: userhelper
- path: /usr/sbin
- stig_id: V-72157
- arch_specific: no
-
-## Password quality settings
-# This variable is used in main/rhel7stig/auth.yml to set password quality
-# requirements.
-#
-# Each dictionary has this structure:
-#
-# parameter: the pwquality parameter to set
-# value: the value of the parameter
-# stig_id: the STIG id number
-# description: description of the control from the STIG
-# enabled: whether the change should be applied
-#
-password_quality_rhel7:
- - parameter: ucredit
- value: -1
- stig_id: V-71903
- description: "Password must contain at least one upper-case character"
- enabled: "{{ security_pwquality_require_uppercase }}"
- - parameter: lcredit
- value: -1
- stig_id: V-71905
- description: "Password must contain at least one lower-case character"
- enabled: "{{ security_pwquality_require_lowercase }}"
- - parameter: dcredit
- value: -1
- stig_id: V-71907
- description: "Password must contain at least one numeric character"
- enabled: "{{ security_pwquality_require_numeric }}"
- - parameter: ocredit
- value: -1
- stig_id: V-71909
- description: "Password must contain at least one special character"
- enabled: "{{ security_pwquality_require_special }}"
- - parameter: difok
- value: 8
- stig_id: V-71911
- description: "Password must have at least eight characters changed"
- enabled: "{{ security_pwquality_require_characters_changed }}"
- - parameter: minclass
- value: 4
- stig_id: V-71913
- description: "Password must have at least four character classes changed"
- enabled: "{{ security_pwquality_require_character_classes_changed }}"
- - parameter: maxrepeat
- value: 4
- stig_id: V-71915
- description: "Password must have at most four characters repeated consecutively"
- enabled: "{{ security_pwquality_limit_repeated_characters }}"
- - parameter: maxclassrepeat
- value: 4
- stig_id: V-71917
- description: "Password must have at most four characters in the same character class repeated consecutively"
- enabled: "{{ security_pwquality_limit_repeated_character_classes }}"
- - parameter: minlen
- value: 15
- stig_id: V-71935
- description: "Passwords must be a minimum of 15 characters in length"
- enabled: "{{ security_pwquality_require_minimum_password_length }}"
-
-## shadow-utils settings
-# This variable is used in main/rhel7stig/auth.yml to set shadow file-related
-# configurations in /etc/login.defs.
-#
-# Each dictionary has this structure:
-#
-# parameter: the parameter to set
-# value: the value for the parameter
-# stig_id: the STIG ID number for the requirement
-#
-shadow_utils_rhel7:
- - parameter: ENCRYPT_METHOD
- value: "{{ security_password_encrypt_method | default('') }}"
- stig_id: V-71921
- ansible_os_family: all
- - parameter: PASS_MIN_DAYS
- value: "{{ security_password_min_lifetime_days | default('') }}"
- stig_id: V-71925
- ansible_os_family: all
- - parameter: PASS_MAX_DAYS
- value: "{{ security_password_max_lifetime_days | default('') }}"
- stig_id: V-71929
- ansible_os_family: all
- - parameter: FAIL_DELAY
- value: "{{ security_shadow_utils_fail_delay | default('') }}"
- stig_id: V-71951
- ansible_os_family: RedHat
- - parameter: UMASK
- value: "{{ security_shadow_utils_umask | default('') }}"
- stig_id: V-71995
- ansible_os_family: all
- - parameter: CREATE_HOME
- value: "{{ security_shadow_utils_create_home | default('') }}"
- stig_id: V-72013
- ansible_os_family: all
-
-## sysctl settings
-# This variable is used in main/rhel7stig/kernel.yml to set sysctl
-# configurations on hosts.
-#
-# Each dictionary has this structure:
-#
-# name: the sysctl configuration name
-# value: the value to set for the sysctl configuration
-# enabled: whether the variable should be set or not
-#
-sysctl_settings_rhel7:
- - name: net.ipv4.conf.all.accept_source_route
- value: 0
- enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
- - name: net.ipv4.conf.default.accept_source_route
- value: 0
- enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool}}"
- - name: net.ipv4.icmp_echo_ignore_broadcasts
- value: 1
- enabled: "{{ security_disallow_echoes_broadcast_address | bool }}"
- - name: net.ipv4.conf.all.send_redirects
- value: 0
- enabled: "{{ security_disallow_icmp_redirects | bool }}"
- - name: net.ipv4.conf.default.send_redirects
- value: 0
- enabled: "{{ security_disallow_icmp_redirects | bool }}"
- - name: net.ipv4.ip_forward
- value: 0
- enabled: "{{ security_disallow_ip_forwarding | bool }}"
- - name: net.ipv6.conf.all.accept_source_route
- value: 0
- enabled: "{{ security_disallow_source_routed_packet_forward_ipv6 | bool }}"
- - name: net.ipv4.conf.default.accept_redirects
- value: 0
- enabled: "{{ security_disallow_icmp_redirects | bool }}"
diff --git a/vars/redhat.yml b/vars/redhat.yml
deleted file mode 100644
index c3424218..00000000
--- a/vars/redhat.yml
+++ /dev/null
@@ -1,177 +0,0 @@
----
-# Copyright 2016, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-## Variables for CentOS 7 and Red Hat Enterprise Linux 7
-# The following variables apply only to CentOS 7 and Red Hat Enterprise Linux 7
-# and deployers should not override them.
-#
-# For more details, see 'vars/main.yml'.
-
-# Configuration file paths
-pam_auth_file: /etc/pam.d/system-auth
-pam_password_file: /etc/pam.d/password-auth
-pam_postlogin_file: /etc/pam.d/postlogin
-vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
-grub_conf_file: /boot/grub2/grub.cfg
-grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' ', '') }}/grub.cfg"
-grub_defaults_file: /etc/sysconfig/grub
-aide_cron_job_path: /etc/cron.d/aide
-aide_database_file: /var/lib/aide/aide.db.gz
-chrony_conf_file: /etc/chrony.conf
-daemon_init_params_file: /etc/init.d/functions
-
-# Service names
-cron_service: crond
-ssh_service: sshd
-chrony_service: chronyd
-clamav_service: 'clamd@scan'
-
-# Commands
-grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
-ssh_keysign_path: /usr/libexec/openssh
-
-# RHEL 6 STIG: Packages to add/remove
-stig_packages:
- - packages:
- - audit
- - audispd-plugins
- - aide
- - chrony
- - logrotate
- - postfix
- state: "{{ security_package_state }}"
- enabled: True
- - packages:
- - esc
- - pam_pkcs11
- - authconfig
- state: "{{ security_package_state }}"
- enabled: "{{ security_install_multifactor_auth_packages }}"
- - packages:
- - libselinux-python
- - policycoreutils-python
- - selinux-policy
- - selinux-policy-targeted
- state: "{{ security_package_state }}"
- enabled: "{{ security_enable_linux_security_module }}"
- - packages:
- - yum-cron
- state: "{{ security_package_state }}"
- enabled: "{{ security_unattended_upgrades_enabled }}"
- - packages:
- - xinetd
- state: absent
- enabled: "{{ security_remove_xinetd }}"
- - packages:
- - ypserv
- state: absent
- enabled: "{{ security_remove_ypserv }}"
- - packages:
- - tftp-server
- state: absent
- enabled: "{{ security_remove_tftp_server }}"
- - packages:
- - openldap-servers
- state: absent
- enabled: "{{ security_remove_ldap_server }}"
- - packages:
- - sendmail
- state: absent
- enabled: "{{ security_remove_sendmail }}"
- - packages:
- - xorg-x11-server-Xorg
- state: absent
- enabled: "{{ security_remove_xorg }}"
- - packages:
- - rsh-server
- state: absent
- enabled: "{{ security_remove_rsh_server }}"
- - packages:
- - telnet-server
- state: absent
- enabled: "{{ security_remove_telnet_server }}"
-
-# RHEL 7 STIG: Packages to add/remove
-stig_packages_rhel7:
- - packages:
- - audispd-plugins
- - audit
- - aide
- - dracut-fips
- - dracut-fips-aesni
- - openssh-clients
- - openssh-server
- - screen
- state: "{{ security_package_state }}"
- enabled: True
- - packages:
- - libselinux-python
- - policycoreutils-python
- - selinux-policy
- - selinux-policy-targeted
- state: "{{ security_package_state }}"
- enabled: "{{ security_rhel7_enable_linux_security_module }}"
- - packages:
- - chrony
- state: "{{ security_package_state }}"
- enabled: "{{ security_rhel7_enable_chrony }}"
- - packages:
- - clamav
- - clamav-data
- - clamav-devel
- - clamav-filesystem
- - clamav-lib
- - clamav-scanner-systemd
- - clamav-server-systemd
- - clamav-server
- - clamav-update
- state: "{{ security_package_state }}"
- enabled: "{{ security_enable_virus_scanner }}"
- - packages:
- - firewalld
- state: "{{ security_package_state }}"
- enabled: "{{ security_enable_firewalld }}"
- - packages:
- - yum-cron
- state: "{{ security_package_state }}"
- enabled: "{{ security_rhel7_automatic_package_updates }}"
- - packages:
- - rsh-server
- state: absent
- enabled: "{{ security_rhel7_remove_rsh_server }}"
- - packages:
- - telnet-server
- state: absent
- enabled: "{{ security_rhel7_remove_telnet_server }}"
- - packages:
- - tftp-server
- state: absent
- enabled: "{{ security_rhel7_remove_tftp_server }}"
- - packages:
- - xorg-x11-server-Xorg
- state: absent
- enabled: "{{ security_rhel7_remove_xorg }}"
- - packages:
- - ypserv
- state: absent
- enabled: "{{ security_rhel7_remove_ypserv }}"
-
-rpm_gpgchecks:
- - regexp: "^gpgcheck.*"
- line: "gpgcheck={{ security_enable_gpgcheck_packages | bool | ternary('1', 0) }}"
- - regexp: "^localpkg_gpgcheck.*"
- line: "localpkg_gpgcheck={{ security_enable_gpgcheck_packages_local | bool | ternary('1', 0) }}"
- - regexp: "^repo_gpgcheck.*"
- line: "repo_gpgcheck={{ security_enable_gpgcheck_repo | bool | ternary('1', 0) }}"