From e954ff5c64fe4228903df740c387cbabeb385ffd Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Fri, 20 May 2016 14:52:09 -0500 Subject: [PATCH] Docs: Update dev notes for Cat 1 controls This patch updates the documentation for the developer notes associated with the Cat 1 (Low) controls applied by the security role. Partial-bug: 1583744 Change-Id: I19cab15d1bc7ce6e8604d63bf8184b9569207991 --- doc/source/developer-notes/V-38447.rst | 25 +++++++++++++++++-------- doc/source/developer-notes/V-38452.rst | 6 +----- doc/source/developer-notes/V-38453.rst | 6 +----- doc/source/developer-notes/V-38454.rst | 7 +------ doc/source/developer-notes/V-38478.rst | 6 ++++-- doc/source/developer-notes/V-38516.rst | 3 +-- doc/source/developer-notes/V-38629.rst | 1 - doc/source/developer-notes/V-38640.rst | 8 +++++++- doc/source/developer-notes/V-38641.rst | 8 +++++++- doc/source/developer-notes/V-38642.rst | 6 +++--- doc/source/developer-notes/V-38644.rst | 9 ++------- doc/source/developer-notes/V-38645.rst | 10 +++++----- doc/source/developer-notes/V-38646.rst | 6 +++--- doc/source/developer-notes/V-38647.rst | 8 ++++++-- doc/source/developer-notes/V-38649.rst | 6 ++---- doc/source/developer-notes/V-38655.rst | 5 ++--- doc/source/developer-notes/V-38656.rst | 7 +++---- doc/source/developer-notes/V-38657.rst | 5 ++--- doc/source/developer-notes/V-38675.rst | 4 ++-- doc/source/developer-notes/V-38676.rst | 3 +-- doc/source/developer-notes/V-38692.rst | 15 ++++++++------- doc/source/developer-notes/V-38702.rst | 9 ++++----- 22 files changed, 82 insertions(+), 81 deletions(-) mode change 100644 => 120000 doc/source/developer-notes/V-38452.rst mode change 100644 => 120000 doc/source/developer-notes/V-38453.rst mode change 100644 => 120000 doc/source/developer-notes/V-38454.rst diff --git a/doc/source/developer-notes/V-38447.rst b/doc/source/developer-notes/V-38447.rst index 11df8d93..de10ab7d 100644 --- a/doc/source/developer-notes/V-38447.rst 
+++ b/doc/source/developer-notes/V-38447.rst @@ -1,11 +1,20 @@ **Exception** -Verifying contents of files installed from packages is more difficult in -Ubuntu, mainly due to the lack of an equivalent of ``rpm -V``. The ``debsums`` -package installs the ``debsums`` command and that can be used to look for -files that have changed since the package was installed. +Although Ubuntu provides the ``debsums`` command for checking the contents of +files installed from packages, it cannot perform a detailed level of checking +sufficient to meet the STIG requirement. Some packages are not shipped with MD5 +checksums for all files. Deployers are encouraged to use ``debsums -c`` +regularly to check for alterations in as many packages as possible. -However, not all packages have MD5 checksums for all files and ``debsums`` -doesn't do detailed checking like ``rpm``. Deployers are urged to run -``debsums -c`` to review changes made to files on their systems. This report -takes a long time to run on most systems. +Ubuntu does not currently have a capability to check file permissions, +ownership, or group ownership against the permissions that were originally set +when the package was installed. + +In CentOS, the ``rpm`` command can verify package contents, ownership, group +ownership, and permissions after the package has been installed. However, many +configuration files are changed by the security role and this will cause the +verification to fail. + +Deployers should utilize the monitoring capabilities of the ``aide`` package +(which is installed by other Ansible tasks in this role) to determine which +configuration files, libraries or binaries may have been changed. diff --git a/doc/source/developer-notes/V-38452.rst b/doc/source/developer-notes/V-38452.rst deleted file mode 100644 index 4d2d9992..00000000 --- a/doc/source/developer-notes/V-38452.rst +++ /dev/null 
@@ -1,5 +0,0 @@ -**Exception** - -Verifying permissions of installed packages isn't possible in the current -version of ``dpkg`` as it is with ``rpm``. This security configuration is -skipped. diff --git a/doc/source/developer-notes/V-38452.rst b/doc/source/developer-notes/V-38452.rst new file mode 120000 index 00000000..e81a3160 --- /dev/null +++ b/doc/source/developer-notes/V-38452.rst @@ -0,0 +1 @@ +V-38447.rst \ No newline at end of file diff --git a/doc/source/developer-notes/V-38453.rst b/doc/source/developer-notes/V-38453.rst deleted file mode 100644 index 8f7ae067..00000000 --- a/doc/source/developer-notes/V-38453.rst +++ /dev/null @@ -1,5 +0,0 @@ -**Exception** - -Verifying ownership of installed packages isn't possible in the current -version of ``dpkg`` as it is with ``rpm``. This security configuration is -skipped. diff --git a/doc/source/developer-notes/V-38453.rst b/doc/source/developer-notes/V-38453.rst new file mode 120000 index 00000000..e81a3160 --- /dev/null +++ b/doc/source/developer-notes/V-38453.rst @@ -0,0 +1 @@ +V-38447.rst \ No newline at end of file diff --git a/doc/source/developer-notes/V-38454.rst b/doc/source/developer-notes/V-38454.rst deleted file mode 100644 index e21b199d..00000000 --- a/doc/source/developer-notes/V-38454.rst +++ /dev/null @@ -1,6 +0,0 @@ -**Exception** - -Verifying ownership of installed packages isn't possible in the current -version of ``dpkg`` as it is with ``rpm``. This security configuration is -skipped. - diff --git a/doc/source/developer-notes/V-38454.rst b/doc/source/developer-notes/V-38454.rst new file mode 120000 index 00000000..e81a3160 --- /dev/null +++ b/doc/source/developer-notes/V-38454.rst @@ -0,0 +1 @@ +V-38447.rst \ No newline at end of file diff --git a/doc/source/developer-notes/V-38478.rst b/doc/source/developer-notes/V-38478.rst index 84e8ee7d..9234f912 100644 --- a/doc/source/developer-notes/V-38478.rst +++ b/doc/source/developer-notes/V-38478.rst 
@@ -1,4 +1,6 @@ **Exception** -Ubuntu doesn't use the Red Hat Network Service, so this requirement doesn't -apply. +Ubuntu and CentOS do not use the Red Hat Network Service. However, there are +tasks in the security role which ensure that all packages have GPG checks +enabled (see V-38462) and provide the option for deployers to apply updates +automatically. diff --git a/doc/source/developer-notes/V-38516.rst b/doc/source/developer-notes/V-38516.rst index 01aa7ced..de5131fa 100644 --- a/doc/source/developer-notes/V-38516.rst +++ b/doc/source/developer-notes/V-38516.rst @@ -1,5 +1,4 @@ -The `Reliable Datagram Sockets (RDS)`_ protocol must be disabled. Neither Ubuntu -14.04 or openstack-ansible enables this module by default, so the Ansible +The `Reliable Datagram Sockets (RDS)`_ protocol must be disabled. The Ansible tasks in this role will disable the module. .. _Reliable Datagram Sockets (RDS): https://en.wikipedia.org/wiki/Reliable_Datagram_Sockets diff --git a/doc/source/developer-notes/V-38629.rst b/doc/source/developer-notes/V-38629.rst index cc52eee9..4828fe1e 100644 --- a/doc/source/developer-notes/V-38629.rst +++ b/doc/source/developer-notes/V-38629.rst @@ -1,6 +1,5 @@ **Exception** -Neither Ubuntu or openstack-ansible installs a graphical desktop by default. Deployers are urged to use graphical desktops only on client machines that connect to the OpenStack environment, rather than configuring graphical desktops within the OpenStack infrastructure itself. diff --git a/doc/source/developer-notes/V-38640.rst b/doc/source/developer-notes/V-38640.rst index 577c6903..94fd4e6e 100644 --- a/doc/source/developer-notes/V-38640.rst +++ b/doc/source/developer-notes/V-38640.rst 
@@ -1 +1,7 @@ -services.yml reads a list of services and their desired state from the 'defaults/main.yml' cat3_services variable. With this list the tasks will ensure the services are in the state desired by their corresponding STIG requirement. \ No newline at end of file +The Ansible tasks in the security role will disable the abrtd service and stop +the service immediately. To opt-out of this change, set the following Ansible +variable: + +.. code-block:: yaml + + security_disable_abrtd: no diff --git a/doc/source/developer-notes/V-38641.rst b/doc/source/developer-notes/V-38641.rst index 577c6903..50587459 100644 --- a/doc/source/developer-notes/V-38641.rst +++ b/doc/source/developer-notes/V-38641.rst @@ -1 +1,7 @@ -services.yml reads a list of services and their desired state from the 'defaults/main.yml' cat3_services variable. With this list the tasks will ensure the services are in the state desired by their corresponding STIG requirement. \ No newline at end of file +The Ansible tasks in the security role will disable the atd service and stop +the service immediately. To opt-out of this change, set the following Ansible +variable: + +.. code-block:: yaml + + security_disable_atd: no diff --git a/doc/source/developer-notes/V-38642.rst b/doc/source/developer-notes/V-38642.rst index 1b645714..d9e24fa7 100644 --- a/doc/source/developer-notes/V-38642.rst +++ b/doc/source/developer-notes/V-38642.rst @@ -1,7 +1,7 @@ +**Opt-in required** + The STIG requires that daemons have their umask set to ``027`` or ``022``. Since changing umasks can disrupt some systems, this is an opt-in change. Deployers that want this change applied to their systems must set the Ansible -variable ``security_umask_daemons_init`` to ``027``. The current default for -Ubuntu 14.04 is ``027`` already, so deployers do not need to make any -adjustments to Ansible variables to meet the STIG requirement. +variable ``security_umask_daemons_init`` to ``027``. 
diff --git a/doc/source/developer-notes/V-38644.rst b/doc/source/developer-notes/V-38644.rst index 160a7fd9..94ea3c0a 100644 --- a/doc/source/developer-notes/V-38644.rst +++ b/doc/source/developer-notes/V-38644.rst @@ -1,7 +1,2 @@ -**Special case** - -Ubuntu doesn't provide the same ``ntpdate`` service that a Red Hat Enterprise -Linux 6 server would have. In addition, time synchronization is added within -the fixes for V-38620 (where ``chrony`` is installed and configured). - -There is no action to be taken on Ubuntu for this STIG. +Time synchronization is added within the fixes for V-38620 (where ``chrony`` is +installed and configured). The ``ntpdate`` service is not used. diff --git a/doc/source/developer-notes/V-38645.rst b/doc/source/developer-notes/V-38645.rst index 41d810ba..06e83e1f 100644 --- a/doc/source/developer-notes/V-38645.rst +++ b/doc/source/developer-notes/V-38645.rst @@ -1,8 +1,8 @@ **Exception** -Ubuntu's default umask setting in ``/etc/login.defs`` is ``022``, but the STIG -requires ``077`` to be set. Since changing umask settings can disrupt some -systems, this change requires a deployer to opt-in. +Changing umask settings can disrupt some systems and this change requires a +deployer to opt-in. To opt-in for this change and adjust the umask, set the following Ansible variable: -To opt-in for this change and adjust the umask, the Ansible variable -``security_umask_login_defs`` must be set to ``077``. +.. code-block:: yaml + + security_umask_login_defs: 077 diff --git a/doc/source/developer-notes/V-38646.rst b/doc/source/developer-notes/V-38646.rst index 3fee80f4..b0163c2d 100644 --- a/doc/source/developer-notes/V-38646.rst +++ b/doc/source/developer-notes/V-38646.rst 
@@ -1,5 +1,5 @@ **Special case** -Ubuntu doesn't package the ``oddjobd`` daemon, so there are no packages to -remove or daemons to stop. There is no action to be taken for this STIG on -Ubuntu 14.04. +Very few environments run the ``oddjobd`` service, and those that do run it are +usually associated with highly-available, clustered systems. Deployers will +need to disable this service manually if it is running on the system. diff --git a/doc/source/developer-notes/V-38647.rst b/doc/source/developer-notes/V-38647.rst index 0a196166..bf5b4e9d 100644 --- a/doc/source/developer-notes/V-38647.rst +++ b/doc/source/developer-notes/V-38647.rst @@ -1,5 +1,9 @@ **Fixed by another STIG** Ubuntu 14.04 doesn't use umask settings in ``/etc/profile``. Those settings -are expected to be in ``/etc/login.defs`` instead. See V-38645 for more -details. +are expected to be in ``/etc/login.defs`` instead. + +For CentOS 7, umask settings are present in ``/etc/profile`` but they are +overidden by settings in ``/etc/login.defs``. + +See V-38645 for more details. diff --git a/doc/source/developer-notes/V-38649.rst b/doc/source/developer-notes/V-38649.rst index fc2766c6..5fbefb7f 100644 --- a/doc/source/developer-notes/V-38649.rst +++ b/doc/source/developer-notes/V-38649.rst @@ -1,9 +1,7 @@ **Opt-in required** -Neither Ubuntu or openstack-ansible installs the csh shell by default. - -Since umask changes can be disruptive on some systems, the deployer must -opt-in for this change to happen. If the ``security_umask_csh`` Ansible variable is +Since umask changes can be disruptive on some systems, the deployer must opt-in +for this change to happen. If the ``security_umask_csh`` Ansible variable is set **and** the csh package is installed, the Ansible tasks will ensure the appropriate umask is set in the csh configuration file. diff --git a/doc/source/developer-notes/V-38655.rst b/doc/source/developer-notes/V-38655.rst index 2b363980..a697eb1f 100644 --- a/doc/source/developer-notes/V-38655.rst 
+++ b/doc/source/developer-notes/V-38655.rst @@ -1,8 +1,7 @@ **Exception** -Neither Ubuntu nor openstack-ansible will configure any removable media mounts -by default. Deploys are strongly urged to mount any additional disks with the -``noexec`` mount option set. +Deployers are strongly urged to mount any additional disks with the ``noexec`` +mount option set whenever possible. For more information about the ``noexec`` mount option, review this `good answer from a ServerFault user about noexec`_. diff --git a/doc/source/developer-notes/V-38656.rst b/doc/source/developer-notes/V-38656.rst index df8c1c32..e8cf0ede 100644 --- a/doc/source/developer-notes/V-38656.rst +++ b/doc/source/developer-notes/V-38656.rst @@ -1,4 +1,3 @@ -Although the ``samba`` server isn't installed by Ubuntu or openstack-ansible -by default, the Ansible tasks will check to see if the package is installed -and the configuration file will be adjusted. If adjustments are made, the -service will be restarted. +The Ansible tasks will check to see if the package is installed and the +configuration file will be adjusted. If adjustments are made, the service will +be restarted. diff --git a/doc/source/developer-notes/V-38657.rst b/doc/source/developer-notes/V-38657.rst index 00401a5a..24b7770e 100644 --- a/doc/source/developer-notes/V-38657.rst +++ b/doc/source/developer-notes/V-38657.rst @@ -1,5 +1,4 @@ **Exception** -Ubuntu and openstack-ansible do not currently configure any samba share mounts -by default. However, deployers are urged to follow this STIG if they ever -mount samba shares within their infrastructure. +Deployers are urged to require SMB client signing if they ever mount samba +shares within their infrastructure. diff --git a/doc/source/developer-notes/V-38675.rst b/doc/source/developer-notes/V-38675.rst index 71419970..85810112 100644 --- a/doc/source/developer-notes/V-38675.rst +++ b/doc/source/developer-notes/V-38675.rst 
@@ -1,5 +1,5 @@ -Ubuntu doesn't restrict core dumps by default, but the STIG requires that core -dumps are disabled for all users unless absolutely necessary. +The security role will add a file in ``/etc/security/limits.d/`` that disables +core dumps for all users. Although this setting is more secure, it can prevent users from debugging kernel errors. To opt-out of this change, set the following Ansible variable to ``no``: diff --git a/doc/source/developer-notes/V-38676.rst b/doc/source/developer-notes/V-38676.rst index 9e285bb2..42a6c74a 100644 --- a/doc/source/developer-notes/V-38676.rst +++ b/doc/source/developer-notes/V-38676.rst @@ -1,5 +1,4 @@ -Neither Ubuntu nor openstack-ansible install the X windows server by default. -The ansible tasks will remove the ``xserver-xorg`` package if it is present. +The Ansible tasks will remove the ``xserver-xorg`` package if it is present. To opt-out of the change, set the following Ansible variable to ``no``: diff --git a/doc/source/developer-notes/V-38692.rst b/doc/source/developer-notes/V-38692.rst index b77c3622..2cb57a36 100644 --- a/doc/source/developer-notes/V-38692.rst +++ b/doc/source/developer-notes/V-38692.rst @@ -1,11 +1,12 @@ **Opt-in required** -By default, Ubuntu doesn't require that inactive accounts are locked after a -period of time. The STIG requires that accounts with 35 days of activity are -locked. +Deployers must opt-in for this change by setting the following Ansible +variable: -Deployers must opt-in for this change by setting the -``security_inactive_account_lock_days`` Ansible variable. The STIG requires -this to be set to 35 days at a maximum. The Ansible tasks will not make any -changes to ``/etc/default/useradd`` unless +.. code-block:: yaml + + security_inactive_account_lock_days: 35 + +The STIG requires this to be set to 35 days at a maximum. The Ansible tasks +will not make any changes to ``/etc/default/useradd`` unless ``security_inactive_account_lock_days`` is set. 
diff --git a/doc/source/developer-notes/V-38702.rst b/doc/source/developer-notes/V-38702.rst index 04da5aae..85b9806c 100644 --- a/doc/source/developer-notes/V-38702.rst +++ b/doc/source/developer-notes/V-38702.rst @@ -1,5 +1,4 @@ -Although neither Ubuntu nor openstack-ansible installs or configures -``vsftpd`` by default, the Ansible task will ensure that the appropriate -log configuration lines are applied to ``/etc/vsftpd.conf`` to meet the -STIG requirements. If the ``vsftpd`` package isn't installed, the Ansible -tasks won't make any changes to the system. +The security role will ensure that the appropriate log configuration lines are +applied to ``/etc/vsftpd.conf`` to meet the STIG requirements. If the +``vsftpd`` package isn't installed, the Ansible tasks won't make any changes to +the system.
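Review bot: The rewritten V-38447 note drops the caveat from the removed text ("This report takes a long time to run on most systems") while now recommending that deployers run ``debsums -c`` regularly; keep that caveat so nobody schedules the check assuming it is cheap, and point the last paragraph at the specific STIG note whose tasks install and configure ``aide`` instead of the vague "other Ansible tasks in this role".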
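Review bot: The rendered V-38452 note no longer says which attribute (permissions) the control covers, because the file is now a bare symlink to V-38447.rst (the same applies to V-38453.rst for ownership and V-38454.rst for group ownership); a short control-specific first line followed by ``.. include:: V-38447.rst`` would keep the shared text in one place without committing symlinks, which some checkouts and tree-copying tools do not preserve.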
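Review bot: The new V-38478 text says the role will "provide the option for deployers to apply updates automatically" but names neither the variable nor the STIG note that documents it, whereas the GPG-check half of the same sentence gets a cross-reference ("see V-38462"); add the same kind of pointer for the automatic-update option so a deployer can find it.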
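Review bot: The opt-out wording added to V-38640 (and identically to V-38641) says "set the following Ansible variable:" while the existing V-38675 and V-38676 notes in this patch say "set the following Ansible variable to ``no``"; align the phrasing, and state what the tasks do to a service that is already running when ``security_disable_abrtd: no`` or ``security_disable_atd: no`` is set, since "disable ... and stop the service immediately" only describes the default path.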
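Review bot: V-38642 now carries an "**Opt-in required**" heading but still gives the opt-in as prose ("must set the Ansible variable ``security_umask_daemons_init`` to ``027``"), while V-38645 and V-38692 in this same patch switched to a ``.. code-block:: yaml`` showing the exact setting; use the same block here, and quote the value (``security_umask_daemons_init: "027"``), because an unquoted ``027`` is read as an octal integer by YAML 1.1 parsers such as PyYAML and would be templated as ``23``.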
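Review bot: The added YAML example in V-38645, ``security_umask_login_defs: 077``, sets an integer rather than the string ``077``: PyYAML (which Ansible uses) follows YAML 1.1 and treats a leading ``0`` as an octal prefix, so the variable becomes ``63`` and will be written that way into ``/etc/login.defs`` unless the task re-formats it; write ``security_umask_login_defs: "077"`` in the example. The same hunk also keeps the "**Exception**" heading although the note now describes an opt-in like V-38642 and V-38649 ("**Opt-in required**"), and the rewrapped first paragraph runs well past the column width used in every other line of these files.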
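Review bot: Typo in the paragraph added to V-38647: "overidden" should be "overridden". Since the point of the paragraph is that the ``/etc/profile`` value on CentOS 7 is not the effective one, it would also help to say so directly, so a deployer auditing that file does not take its ``umask`` line as the setting in force.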
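Review bot: Dropping "samba" from the first sentence of V-38656 leaves "check to see if the package is installed" without saying which package or which configuration file is adjusted; reinstate the ``samba`` package name and name the file so the note is self-contained.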
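Review bot: The unchanged context line following the new V-38675 paragraph, "it can prevent users from debugging kernel errors", is inaccurate: a per-user limit set in ``/etc/security/limits.d/`` suppresses core dumps of crashing user-space processes and has nothing to do with kernel errors; reword it to "debugging crashing processes" while this note is being rewritten.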