Automate the STIG documentation

With the upcoming changes to rebase onto the RHEL 7 STIG controls,
there needs to be a new solution for documentation that is easier
to manage and filter. This patch automates the generation of the STIG
control documentation in the following way:

* A Sphinx extension runs early in the doc build process that writes
  all of the individual STIG control docs as well as ToC pages.
* ToC pages are now sorted by severity, tag, and implementation status.
* A giant listing of controls is easier to navigate now.
* Docs are generated from metadata in the /doc/metadata directory. New
  documentation only needs to be added there. (Will explain this in
  the developer notes in a subsequent patch.)

Implements: blueprint security-rhel7-stig
Change-Id: I455af1121049f52193e98e2c9cb1ba5d4c292386
Major Hayden 2016-09-09 07:15:19 -05:00
parent b2c5dc0264
commit e57593dfd4
557 changed files with 5209 additions and 8618 deletions
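
The metadata format this commit introduces (a ``---`` delimited front matter block carrying ``id``, ``status`` and ``tag``, followed by the reStructuredText body) is simple enough to parse without a YAML library. The Python below is an added example and is not the Sphinx extension from this commit: it parses constructed sample files modelled on the diff, rejects malformed ones so that a bad file fails the doc build instead of silently dropping out of the listing, groups controls by status and by tag, and renders one toctree per group. The ``auto_controls/`` page prefix, the flat ``key: value`` front matter and the ``packages`` tag in the samples are assumptions; the severity sort the commit message mentions is not shown because the metadata in this diff carries no severity field.

```python
"""Added example (not the commit's Sphinx extension): parse STIG control
metadata files and build grouped table-of-contents listings."""
import re
from collections import defaultdict

# Constructed sample files modelled on the doc/metadata format in the diff.
# Keys are filenames, values are file contents. The 'packages' tag is a
# hypothetical value used only to show grouping by tag.
SAMPLE_FILES = {
    "V-38437.rst": (
        "---\n"
        "id: V-38437\n"
        "status: implemented\n"
        "tag: misc\n"
        "---\n"
        "If ``autofs`` is installed, it will be disabled by Ansible tasks.\n"
    ),
    "V-38438.rst": (
        "---\n"
        "id: V-38438\n"
        "status: exception\n"
        "tag: misc\n"
        "---\n"
        "**Exception**\n"
        "To opt-out of the change, set the following variable:\n"
    ),
    "V-38481.rst": (
        "---\n"
        "id: V-38481\n"
        "status: opt-in\n"
        "tag: packages\n"
        "---\n"
        "**Opt-in required**\n"
        "Operating system patching policies vary between organizations.\n"
    ),
}

VALID_STATUSES = ("implemented", "opt-in", "exception")
ID_RE = re.compile(r"^V-\d{5}$")
# Front matter: a block between two lines containing only '---' at file start.
FRONT_MATTER_RE = re.compile(r"\A---\n(.*?)\n---\n(.*)\Z", re.DOTALL)


def parse_control(text):
    """Return (fields, body) for one metadata file.

    Only flat 'key: value' front matter is supported, which is all the
    format in this change uses. Any deviation raises ValueError so that a
    malformed file breaks the doc build rather than silently disappearing
    from the generated ToC.
    """
    match = FRONT_MATTER_RE.match(text)
    if not match:
        raise ValueError("missing or unterminated front matter block")
    fields = {}
    for line in match.group(1).splitlines():
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError("bad front matter line: %r" % line)
        fields[key.strip()] = value.strip()
    for required in ("id", "status", "tag"):
        if not fields.get(required):
            raise ValueError("missing front matter field %r" % required)
    if not ID_RE.match(fields["id"]):
        raise ValueError("malformed STIG id %r" % fields["id"])
    if fields["status"] not in VALID_STATUSES:
        raise ValueError("unknown status %r" % fields["status"])
    return fields, match.group(2)


def load_controls(files):
    """Parse every file and require the id to match the filename, so a
    copy-pasted front matter cannot document one control under another's page."""
    controls = []
    for name, text in sorted(files.items()):
        fields, body = parse_control(text)
        if name != fields["id"] + ".rst":
            raise ValueError("id %s does not match filename %s" % (fields["id"], name))
        controls.append(dict(fields, body=body))
    return controls


def group_by(controls, key):
    """Map each distinct value of `key` (status or tag) to a sorted id list."""
    groups = defaultdict(list)
    for control in controls:
        groups[control[key]].append(control["id"])
    return {name: sorted(ids) for name, ids in groups.items()}


def render_toc(groups, title):
    """Render one RST toctree per group. The auto_controls/ page path is an
    assumption about where the per-control pages are written."""
    lines = [title, "=" * len(title), ""]
    for name in sorted(groups):
        lines += [name, "-" * len(name), "", ".. toctree::", "   :maxdepth: 1", ""]
        lines += ["   auto_controls/%s" % cid for cid in groups[name]]
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    controls = load_controls(SAMPLE_FILES)
    print(render_toc(group_by(controls, "status"), "Controls by implementation status"))
    print(render_toc(group_by(controls, "tag"), "Controls by tag"))
```

The filename check in ``load_controls`` is the part worth keeping in a real build: with several hundred near-identical files, a copied front matter block with a stale ``id`` is the most likely mistake, and it would otherwise produce a page that documents one control under another control's number.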

.gitignore

@ -65,3 +65,6 @@ releasenotes/build
# Vagrant testing artifacts
.vagrant
# Automatically generated documentation
doc/source/auto_*

File diff suppressed because one or more lines are too long


@ -0,0 +1,61 @@
#!/usr/bin/env python
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Import existing developer notes into base YAML format."""
import os
import jinja2
SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
METADATA_DIR = "{0}/rhel6".format(SCRIPT_DIR)
NOTES_DIR = "{0}/../source/stig-notes".format(SCRIPT_DIR)
yaml_tmp = """---
id: {{ note_data['id'] }}
status: {{ note_data['status'] }}
tag: {{ note_data['tag'] }}
---
{{ note_data['deployer_notes'] }}
"""
note_files = [x for x in os.listdir(NOTES_DIR) if 'developer' in x]
for note_file in note_files:
stig_id = note_file[0:7]
with open("{0}/{1}".format(NOTES_DIR, note_file), 'r') as f:
content = f.read()
first_line = content.splitlines()[0]
print(first_line)
if 'exception' in first_line.lower():
status = 'exception'
elif 'opt-in' in first_line.lower():
status = 'opt-in'
else:
status = 'implemented'
note_data = {
'id': stig_id,
'status': status,
'tag': 'misc',
'deployer_notes': content
}
with open("{0}/{1}.rst".format(METADATA_DIR, stig_id), 'w') as f:
template = jinja2.Template(yaml_tmp)
f.write(template.render(note_data=note_data))
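Review bot: `print(first_line)` right after `first_line = content.splitlines()[0]` looks like leftover debugging and will dump the first line of every note to stdout on each import run; drop it or make it a logging call. Two assumptions in the loop also deserve a guard: `stig_id = note_file[0:7]` silently yields a wrong id for any filename that does not begin with a seven-character `V-NNNNN` id (a `re.match(r'V-\d{5}', note_file)` with a loud failure would catch that), and the `exception`/`opt-in` keyword test on the first line classifies everything else as `implemented`, so a note with some other heading (the `**Configuration required**` and `**Special Case**` notes in this series) gets that status without review. Finally, every generated file gets `tag: misc`; since the commit message says ToC pages are sorted by tag, a comment that this is a placeholder would save the next reader from looking for tagging logic that is not there.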


@ -1,3 +1,9 @@
---
id: V-38437
status: implemented
tag: misc
---
If ``autofs`` is installed, it will be disabled by Ansible tasks. To opt-out
of this change, adjust the following variable:


@ -1,7 +1,10 @@
The role will add ``audit=1`` to the ``GRUB_CMDLINE_LINUX_DEFAULT`` variable
in the GRUB configuration within ``/etc/default/grub.d/`` and it will also
update the active ``grub.cfg`` so that the change takes effect on the next
boot.
---
id: V-38438
status: exception
tag: misc
---
**Exception**
To opt-out of the change, set the following variable:
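Review bot: in this hunk the `---`/`id: V-38438`/`status: exception`/`tag: misc`/`---` block appears after the four-line paragraph about `audit=1`, whereas every other metadata file in this change begins with the front matter block. If the generator reads front matter only from the top of the file, V-38438 will be skipped or mis-parsed; please confirm the committed file starts with `---` and that the paragraph follows the closing `---`.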


@ -1,3 +1,9 @@
---
id: V-38439
status: exception
tag: misc
---
**Exception**
Although adding centralized authentication and carefully managing user


@ -1,2 +1,8 @@
---
id: V-38443
status: implemented
tag: misc
---
The ``/etc/gshadow`` file is owned by root by default on Ubuntu 14.04, Ubuntu
16.04 and CentOS 7. The security role ensures that the file is owned by root.


@ -1,3 +1,9 @@
---
id: V-38444
status: exception
tag: misc
---
**Exception**
See V-38551 for additional details. IPv6 configuration and filtering is left


@ -1,3 +1,9 @@
---
id: V-38445
status: implemented
tag: misc
---
The logs generated by the audit daemon are owned by root in Ubuntu 14.04,
Ubuntu 16.04 and CentOS 7. The Ansible task for V-38445 ensures that the files
are owned by the root user.


@ -1,3 +1,9 @@
---
id: V-38446
status: implemented
tag: misc
---
Forwarding root's email to another user is highly recommended, but the Ansible
tasks won't configure an email address to receive root's email unless that
email address is configured. Set ``security_root_forward_email`` to an email


@ -1,3 +1,9 @@
---
id: V-38447
status: exception
tag: misc
---
**Exception**
Although Ubuntu provides the ``debsums`` command for checking the contents of


@ -1,2 +1,8 @@
---
id: V-38448
status: implemented
tag: misc
---
Although the ``/etc/gshadow`` file is group-owned by root by default, the
Ansible tasks will ensure that it is configured that way.


@ -1,2 +1,8 @@
---
id: V-38449
status: implemented
tag: misc
---
The ``/etc/gshadow`` file's permissions will be changed to ``0000`` to meet
the requirements of the STIG.


@ -1 +1,7 @@
---
id: V-38450
status: implemented
tag: misc
---
The ownership of ``/etc/passwd`` will be changed to root.


@ -1 +1,7 @@
---
id: V-38451
status: implemented
tag: misc
---
The group ownership for ``/etc/passwd`` will be set to root.


@ -1,3 +1,9 @@
---
id: V-38452
status: exception
tag: misc
---
**Exception**
Although Ubuntu provides the ``debsums`` command for checking the contents of


@ -1,3 +1,9 @@
---
id: V-38453
status: exception
tag: misc
---
**Exception for Ubuntu**
Verifying ownership and permissions of installed packages isn't possible in the


@ -1,3 +1,9 @@
---
id: V-38454
status: exception
tag: misc
---
**Exception**
Although Ubuntu provides the ``debsums`` command for checking the contents of


@ -1,3 +1,9 @@
---
id: V-38455
status: exception
tag: misc
---
**Exception**
Configuring another mount for ``/tmp`` can disrupt a running system and this


@ -1,3 +1,9 @@
---
id: V-38456
status: exception
tag: misc
---
**Exception**
Configuring another mount for ``/var`` can disrupt a running system and this


@ -1 +1,7 @@
---
id: V-38457
status: implemented
tag: misc
---
The permissions for ``/etc/passwd`` will be set to ``0644``.


@ -1,2 +1,8 @@
---
id: V-38458
status: implemented
tag: misc
---
The Ansible task will ensure that the ``/etc/group`` file is owned by the root
user.


@ -1,2 +1,8 @@
---
id: V-38459
status: implemented
tag: misc
---
The tasks in file_perms.yml will ensure that "/etc/group" is owned by
the root account.


@ -1,3 +1,9 @@
---
id: V-38460
status: implemented
tag: misc
---
The Ansible tasks will check for ``all_squash`` in ``/etc/exports`` (if it is
present). If found, a warning message will be printed. No configuration
changes will be made since neither Ubuntu or openstack-ansible configures


@ -1,2 +1,8 @@
---
id: V-38461
status: implemented
tag: misc
---
Ubuntu sets the mode of ``/etc/group`` to ``0644`` by default and the Ansible
task will ensure that it is current set to those permissions.


@ -1,3 +1,9 @@
---
id: V-38462
status: implemented
tag: misc
---
All versions of Ubuntu and CentOS supported by the role verify packages against
GPG signatures by default.


@ -1,3 +1,9 @@
---
id: V-38463
status: exception
tag: misc
---
**Exception**
Configuring a separate partition for ``/var/log`` is currently left up to the


@ -1,3 +1,9 @@
---
id: V-38464
status: implemented
tag: misc
---
The default configuration for ``disk_error_action`` is ``SUSPEND``, which
only suspends audit logging when there is a disk error on the system.
Suspending audit logging can lead to security problems because the system is no


@ -1,3 +1,9 @@
---
id: V-38465
status: exception
tag: misc
---
**Exception**
Ubuntu 14.04, Ubuntu 16.04 and CentOS 7 set library files to have ``0755`` (or


@ -1,3 +1,9 @@
---
id: V-38466
status: exception
tag: misc
---
**Exception**
As with V-38465, Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the ownership of


@ -1,3 +1,9 @@
---
id: V-38467
status: exception
tag: misc
---
**Exception**
Storing audit logs on a separate partition is recommended, but this change


@ -1,3 +1,9 @@
---
id: V-38468
status: implemented
tag: misc
---
The default configuration for ``disk_full_action`` is ``SUSPEND``, which only
suspends audit logging. Suspending audit logging can lead to security problems
because the system is no longer keeping track of which syscalls were made.


@ -1,3 +1,9 @@
---
id: V-38469
status: exception
tag: misc
---
**Exception**
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the permissions for system


@ -1,3 +1,9 @@
---
id: V-38470
status: implemented
tag: misc
---
The default configuration for ``security_space_left_action`` is ``SUSPEND``,
which actually only suspends audit logging. Suspending audit logging can lead
to security problems because the system is no longer keeping track of which


@ -1,3 +1,9 @@
---
id: V-38471
status: implemented
tag: misc
---
An Ansible task will adjust ``active`` from `no` to `yes` in
``/etc/audisp/plugins.d/syslog.conf`` so that auditd records are forwarded to
syslog automatically. The auditd daemon will be restarted if the configuration


@ -1,3 +1,9 @@
---
id: V-38472
status: exception
tag: misc
---
**Exception**
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set system commands to be owned by


@ -1,3 +1,9 @@
---
id: V-38473
status: exception
tag: misc
---
**Exception**
Creating ``/home`` on a different partition is highly recommended but it is


@ -1,3 +1,9 @@
---
id: V-38474
status: exception
tag: misc
---
**Exception**
The openstack-ansible roles don't install X by default, so there is no


@ -1,3 +1,9 @@
---
id: V-38475
status: implemented
tag: misc
---
**Configuration required**
The STIG recommends passwords to be a minimum of 14 characters in length. To


@ -1,3 +1,9 @@
---
id: V-38476
status: implemented
tag: misc
---
The security role verifies that the GPG keys that correspond to each supported
Linux distribution are installed on each host. If the GPG keys are not found,
or if they differ from the list of trusted GPG keys, the playbook execution


@ -1,3 +1,9 @@
---
id: V-38477
status: implemented
tag: misc
---
**Configuration required**
The STIG recommends setting a limit of one password change per day. To enable


@ -1,3 +1,9 @@
---
id: V-38478
status: exception
tag: misc
---
**Exception**
Ubuntu and CentOS do not use the Red Hat Network Service. However, there are


@ -1,3 +1,9 @@
---
id: V-38479
status: implemented
tag: misc
---
**Configuration required**
The STIG recommends setting a limit of 60 days before a password must


@ -1,3 +1,9 @@
---
id: V-38480
status: implemented
tag: misc
---
**Configuration required**
After enabling password age limits in V-38479, be sure to configure


@ -1,3 +1,9 @@
---
id: V-38481
status: opt-in
tag: misc
---
**Opt-in required**
Operating system patching policies vary from organization to organization and


@ -1,3 +1,9 @@
---
id: V-38482
status: exception
tag: misc
---
**Exception**
Password complexity requirements are left up to the deployer. Deployers are


@ -1,3 +1,9 @@
---
id: V-38483
status: implemented
tag: misc
---
The Ansible task for V-38462 already checks for configurations that would
disable any GPG checks when installing packages. However, it is possible for
the root user to override these configurations via command line parameters.


@ -1,3 +1,9 @@
---
id: V-38484
status: implemented
tag: misc
---
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 already enable the display of the last
successful login for a user immediately after login. An Ansible task ensures
this setting is applied and restarts the ssh daemon if necessary.


@ -1,3 +1,9 @@
---
id: V-38486
status: exception
tag: misc
---
**Exception**
System backups are left to the deployer to configure. Deployers are stringly
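Review bot: typo in the last line of the hunk: "Deployers are stringly" should read "Deployers are strongly". The same sentence appears in the V-38488 hunk below, so fix both.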


@ -1,3 +1,9 @@
---
id: V-38487
status: implemented
tag: misc
---
The Ansible task for V-38462 already checks for apt configurations that would
disable any GPG checks when installing packages. However, it's possible for
the root user to override these configurations via command line parameters.


@ -1,3 +1,9 @@
---
id: V-38488
status: exception
tag: misc
---
**Exception**
System backups are left to the deployer to configure. Deployers are stringly


@ -1,2 +1,8 @@
---
id: V-38489
status: implemented
tag: misc
---
The security role installs and configures the ``aide`` package to provide file
integrity monitoring on the host.


@ -1,3 +1,9 @@
---
id: V-38490
status: exception
tag: misc
---
**Exception**
Disabling the ``usb-storage`` module can add extra security, but it's not


@ -1,3 +1,9 @@
---
id: V-38491
status: implemented
tag: misc
---
The Ansible task will check for the presence of ``/etc/hosts.equiv`` and
``/root/.rhosts``. Both of those files could potentially be used with ``rsh``
for host access.


@ -1,3 +1,9 @@
---
id: V-38492
status: exception
tag: misc
---
**Exception**
Virtual consoles are helpful during an emergency and they can only be reached


@ -1,3 +1,9 @@
---
id: V-38493
status: implemented
tag: misc
---
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the mode of ``/var/log/audit/`` to
``0750`` by default. The Ansible task for this requirement ensures that the
mode is ``0750`` (which is more strict than the STIG requirement).


@ -1,3 +1,9 @@
---
id: V-38494
status: exception
tag: misc
---
**Exception**
Removing serial consoles from ``/etc/securetty`` can make troubleshooting


@ -1,2 +1,8 @@
---
id: V-38495
status: implemented
tag: misc
---
The Ansible tasks will ensure that files in ``/var/log/audit`` are owned
by the root user.


@ -1,3 +1,9 @@
---
id: V-38496
status: exception
tag: misc
---
**Exception**
The Ansible tasks will check for default system accounts (other than root)


@ -1,3 +1,9 @@
---
id: V-38497
status: implemented
tag: misc
---
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 allow accounts with null passwords to
authenticate via PAM by default. This STIG requires that those login attempts
are blocked.


@ -1,3 +1,9 @@
---
id: V-38498
status: implemented
tag: misc
---
Ubuntu and CentOS set the current audit log (the one that is actively being
written to) to ``0600`` so that only the root user can read and write to it.
The older, rotated logs are set to ``0400`` since they should not receive


@ -1,2 +1,8 @@
---
id: V-38499
status: implemented
tag: misc
---
The Ansible task will search for password hashes in ``/etc/passwd`` using
awk and report a failure if any are found.


@ -1,3 +1,9 @@
---
id: V-38500
status: implemented
tag: misc
---
The Ansible tasks will search for accounts in ``/etc/passwd`` that have UID 0
that aren't the normal root account. If any matching accounts are found, a
warning is printed to stdout and the Ansible play will fail.


@ -1,3 +1,9 @@
---
id: V-38501
status: exception
tag: misc
---
**Exception and opt-in alternative**
Adjusting PAM configurations is very risky since it affects how all users


@ -1,2 +1,8 @@
---
id: V-38502
status: implemented
tag: misc
---
The user and group ownership of ``/etc/passwd`` is root by default. The Ansible
task will ensure that the default is maintained.


@ -1,2 +1,8 @@
---
id: V-38503
status: implemented
tag: misc
---
The user and group ownership of ``/etc/passwd`` is root by default. The Ansible
task will ensure that the default is maintained.
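Review bot: the V-38502 and V-38503 hunks carry word-for-word identical text ("The user and group ownership of ``/etc/passwd`` is root by default. The Ansible task will ensure that the default is maintained."), and that text restates what the V-38450 and V-38451 notes earlier in this change already say about ``/etc/passwd``. Two distinct STIG ids normally describe two distinct checks, so please verify that these two notes name the right file and make each say which of owner or group its task enforces.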


@ -1,3 +1,9 @@
---
id: V-38504
status: implemented
tag: misc
---
Ubuntu 14.04 and Ubuntu 16.04 set the mode of ``/etc/shadow`` to ``0640``, but
CentOS 7 sets it to ``000``. The STIG requires the mode to be ``000`` and the
Ansible tasks in the security role ensure that the mode meets the requirement.
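Review bot: the mode is written as ``000`` twice in this hunk, while the V-38449 note in the same series writes the equivalent ``/etc/gshadow`` mode as ``0000``; use the four-digit octal form consistently so a reader does not wonder whether the two notes mean different things.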


@ -1,3 +1,9 @@
---
id: V-38511
status: implemented
tag: misc
---
**Special Case**
Running virtual infrastructure requires IP forwarding to be enabled on various


@ -1,3 +1,9 @@
---
id: V-38512
status: exception
tag: misc
---
**Exception**
Although a minimal set of iptables rules are configured on openstack-ansible


@ -1,3 +1,9 @@
---
id: V-38513
status: exception
tag: misc
---
**Exception**
Although a minimal set of iptables rules are configured on openstack-ansible


@ -1,3 +1,9 @@
---
id: V-38514
status: implemented
tag: misc
---
The Datagram Congestion Control Protocol (DCCP) must be disabled if it's not
needed. Although this protocol is occasionally used in some OpenStack
environments for quality of service functions, it is not in the default


@ -1,3 +1,9 @@
---
id: V-38515
status: implemented
tag: misc
---
The Stream Control Transmission Protocol (SCTP) must be disabled. To opt-out of
this change, set the following variable to ``no``:


@ -1,3 +1,9 @@
---
id: V-38516
status: implemented
tag: misc
---
The `Reliable Datagram Sockets (RDS)`_ protocol must be disabled. The Ansible
tasks in this role will disable the module.


@ -1,3 +1,9 @@
---
id: V-38517
status: implemented
tag: misc
---
The `Transparent Inter-Process Communication (TIPC)`_ protocol must be
disabled. To opt-out of this change, set the following variable to ``no``:


@ -1,3 +1,9 @@
---
id: V-38518
status: exception
tag: misc
---
**Exception**
Different systems may have different log files populated depending on the type


@ -1,3 +1,9 @@
---
id: V-38519
status: exception
tag: misc
---
**Exception**
Different systems may have different log files populated depending on the type


@ -1,3 +1,9 @@
---
id: V-38520
status: exception
tag: misc
---
**Exception**
At the moment, openstack-ansible already sends logs to the rsyslog container


@ -1,3 +1,9 @@
---
id: V-38521
status: exception
tag: misc
---
**Exception**
At the moment, openstack-ansible already sends logs to the rsyslog container


@ -1 +1,7 @@
---
id: V-38522
status: implemented
tag: misc
---
Rules are added for auditing changes to system time made via ``settimeofday``.


@ -1,3 +1,9 @@
---
id: V-38523
status: exception
tag: misc
---
**Exception**
The STIG makes several requirements for IPv4 network restrictions, but these


@ -1,3 +1,9 @@
---
id: V-38524
status: implemented
tag: misc
---
This patch disables ICMPv4 redirects feature on the host.
Accepting ICMP redirects has few legitimate uses.
It should be disabled unless it is absolutely required.


@ -1 +1,7 @@
---
id: V-38525
status: implemented
tag: misc
---
Rules are added for auditing changes to system time done via ``stime``.


@ -1,3 +1,9 @@
---
id: V-38526
status: opt-in
tag: misc
---
**Opt-in required**
The STIG requires that secure ICMP redirects are disabled, but this can cause


@ -1,2 +1,8 @@
---
id: V-38527
status: implemented
tag: misc
---
Rules are added for auditing changes to system time done via
``clock_settime``.


@ -1,3 +1,9 @@
---
id: V-38528
status: exception
tag: misc
---
**Exception**
The STIG requires that all martian packets are logged by setting the sysctl


@ -1,3 +1,9 @@
---
id: V-38529
status: exception
tag: misc
---
**Exception**
The STIG makes several requirements for IPv4 network restrictions, but these


@ -1,2 +1,8 @@
---
id: V-38530
status: implemented
tag: misc
---
Rules are added to auditd to log all attempts to change the system time using
``/etc/localtime``.


@ -1,3 +1,9 @@
---
id: V-38531
status: exception
tag: misc
---
**Exception**
The audit rules from V-38534 already cover all account modifications.


@ -1,3 +1,9 @@
---
id: V-38532
status: exception
tag: misc
---
**Exception**
The STIG makes several requirements for IPv4 network restrictions, but these


@ -1,3 +1,9 @@
---
id: V-38533
status: exception
tag: misc
---
**Exception**
The STIG makes several requirements for IPv4 network restrictions, but these


@ -1,3 +1,9 @@
---
id: V-38534
status: implemented
tag: misc
---
Audit rules are added in a task so that any events associated with
account modifications are logged. The new audit rule will be loaded immediately
with ``augenrules --load``.


@ -1,3 +1,9 @@
---
id: V-38535
status: implemented
tag: misc
---
By default, Ubuntu 14.04 rejects ICMPv4 packets sent to a broadcast address.
The Ansible tasks for this STIG configuration ensures that the secure default
setting is maintained.


@ -1,3 +1,9 @@
---
id: V-38536
status: exception
tag: misc
---
**Exception**
The audit rules from V-38534 already cover all account modifications.


@ -1,2 +1,8 @@
---
id: V-38537
status: implemented
tag: misc
---
Ubuntu already ignores ICMPv4 bogus error messages by default. The role will
ensure that this default setting is maintained.


@ -1,3 +1,9 @@
---
id: V-38538
status: exception
tag: misc
---
**Exception**
The audit rules from V-38534 already cover all account modifications.


@ -1,3 +1,9 @@
---
id: V-38539
status: implemented
tag: misc
---
The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods.
Note that high-traffic environments may require TCP SYN cookies to be disabled.


@ -1,3 +1,9 @@
---
id: V-38540
status: implemented
tag: misc
---
Rules are added for auditing network configuration changes. The path to
Ubuntu's standard network configuration location has replaced the path
to Red Hat's default network configuration location.
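Review bot: "The path to Ubuntu's standard network configuration location has replaced the path to Red Hat's default network configuration location" is out of step with the rest of this series, which lists CentOS 7 as a supported platform (see the V-38443 note). If the rule only watches the Ubuntu path, CentOS 7 hosts get no audit coverage for network configuration changes; either state that both paths are watched or note the gap explicitly.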


@ -1,3 +1,9 @@
---
id: V-38541
status: implemented
tag: misc
---
For Ubuntu, rules are added to auditd that will log any changes made in the
``/etc/apparmor`` directory.
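Review bot: this note documents only the Ubuntu case (``/etc/apparmor``) and says nothing about what the task does on CentOS 7, which other notes in this change list as supported; one sentence stating whether an equivalent rule exists for that platform or that the control is Ubuntu-only would complete the documentation.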


@ -0,0 +1,19 @@
---
id: V-38542
status: exception
tag: misc
---
**Exception**
The STIG makes several requirements for IPv4 network restrictions, but these
restrictions can impact certain network interfaces and cause service
disruptions. Some security configurations make sense for certain types of
network interfaces, like bridges, but other restrictions cause the network
interface to stop passing valid traffic between hosts, containers, or virtual
machines.
The default network scripts and LXC userspace tools already configure various
network devices to their most secure setting. Since some hosts will act as
routers, enabling security configurations that restrict network traffic can
cause service disruptions for OpenStack environments.


@ -1,3 +1,9 @@
---
id: V-38543
status: exception
tag: misc
---
**Exception**
The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat``

Some files were not shown because too many files have changed in this diff.