diff --git a/defaults/main.yml b/defaults/main.yml
index 7d71d747..bc584047 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -228,6 +228,14 @@ postfix_inet_interfaces: localhost # V-38622
 #
 #root_forward_email: user@example.com
+## Linux Security Module (LSM)
+# AppArmor and provides additional security controls on a Linux system
+# by setting policies for allowed actions. By setting the following variable
+# to 'yes', AppArmor will automatically by enabled.
+#
+# See the openstack-ansible-security documentation for more details.
+security_enable_linux_security_module: no # V-51337
+
 ## PAM and authentication
 # V-38497 requires that accounts with null passwords aren't allowed to
 # authenticate via PAM. Ubuntu 14.04's default allows these logins -- see the
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index dbbcc814..b5da5f3d 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -142,6 +142,16 @@ default, but deployers can adjust this by changing ``disable_ipv6`` to ``yes``.
 Core dumps are also disabled by default in the openstack-ansible-security role.
+Linux Security Module (LSM)
+---------------------------
+
+The STIG requires that SELinux is in enforcing mode to provide additional
+security against attacks. The security role will enable AppArmor on Ubuntu
+systems to meet this requirement.
+
+For more information on how these changes are applied, refer to the
+documentation for V-51337.
+
 Mail
 ----
diff --git a/doc/source/developer-notes/V-51337.rst b/doc/source/developer-notes/V-51337.rst
index 0922dcf4..8bb2b9b3 100644
--- a/doc/source/developer-notes/V-51337.rst
+++ b/doc/source/developer-notes/V-51337.rst
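Review bot: The comment block introducing `security_enable_linux_security_module` in the added lines is missing its subject on the second line ("AppArmor and provides additional security controls…") and reads "by enabled" on the fourth; suggest `# AppArmor provides additional security controls on a Linux system` and `# to 'yes', AppArmor will automatically be enabled.`. The default `no` is parsed as a YAML 1.1 boolean and the tasks pass it through `| bool`, so it behaves, but `false` is the canonical spelling and avoids the yamllint truthy warning. It may also help deployers to note in this comment that, with the default left at `no`, the role no longer verifies that an LSM is loaded at all, since the earlier apparmor_status check is removed in this same commit.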
@@ -1,10 +1,16 @@
-Ubuntu loads the AppArmor module by default starting with version 8.04. For
-more information, review the `AppArmor documentation`_ on Ubuntu's site.
-In addition, the openstack-ansible project configures AppArmor policies
-for the LXC containers which run the OpenStack infrastructure.
+**Opt-in required**
-The tasks for this STIG will verify that AppArmor is enabled via the
-``apparmor_status``. The playbook will fail if AppArmor is found to be
-disabled on the host.
+The tasks in the security role can enable the Linux Security Module (LSM) that
+is appropriate for the Linux distribution in use. For Ubuntu, the default LSM
+is AppArmor. Refer to Ubuntu's `AppArmor documentation`_ for more details on
+how AppArmor works.
+
+Deployers can opt in for this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+ security_enable_linux_security_module: yes
+
+Setting the variable to ``yes`` will run the tasks that enable AppArmor.
 .. _AppArmor documentation: https://help.ubuntu.com/community/AppArmor
diff --git a/tasks/lsm.yml b/tasks/lsm.yml
new file mode 100644
index 00000000..5f809244
--- /dev/null
+++ b/tasks/lsm.yml
@@ -0,0 +1,40 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Install packages for AppArmor support (for V-51337)
+ apt:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - apparmor
+ - apparmor-profiles
+ - apparmor-utils
+ when:
+ - security_enable_linux_security_module | bool
+ tags:
+ - cat2
+ - V-51337
+
+- name: Ensure AppArmor is running (for V-51337)
+ service:
+ name: apparmor
+ state: started
+ enabled: yes
+ when:
+ - security_enable_linux_security_module | bool
+ - not check_mode
+ tags:
+ - cat2
+ - V-51337
diff --git a/tasks/main.yml b/tasks/main.yml
index b93d6a32..aa1c7402 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -32,6 +32,7 @@
 - include: console.yml
 - include: file_perms.yml
 - include: kernel.yml
+ - include: lsm.yml
 - include: mail.yml
 - include: misc.yml
 - include: nfsd.yml
diff --git a/tasks/misc.yml b/tasks/misc.yml
index a34836de..0b100463 100644
--- a/tasks/misc.yml
+++ b/tasks/misc.yml
@@ -306,20 +306,3 @@
 tags:
 - cat2
 - V-38674
-
-- name: Check if AppArmor is running (for V-51337)
- shell: "apparmor_status 2>&1 | head -n 1"
- register: v51337_result
- changed_when: False
- always_run: True
- tags:
- - cat2
- - V-51337
-
-- name: V-51337 - The system must use a Linux Security Module at boot time
- fail:
- msg: "FAILED: AppArmor isn't enabled"
- when: "'apparmor module is loaded' not in v51337_result.stdout"
- tags:
- - cat2
- - V-51337
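Review bot: The `Ensure AppArmor is running` task at the end of the new file only starts and enables the `apparmor` service; nothing in this file confirms the LSM is actually loaded in the kernel, and the `apparmor_status` check that did so is removed from tasks/misc.yml in this same commit, so a host where AppArmor is disabled at boot would pass V-51337 silently even after opting in. Consider re-adding that check after the service task, gated on the same `when` conditions as the new tasks so the opt-in default is preserved. Two smaller points: `enabled: yes` works because Ansible coerces it, but `enabled: true` is the canonical boolean and keeps yamllint's truthy rule quiet; and `check_mode` in the second `when` appears to be a role-defined variable rather than the Ansible built-in `ansible_check_mode`, which is worth confirming against defaults/main.yml.
```yaml
# … unchanged: package install and service tasks above …

- name: Check that the AppArmor module is loaded (for V-51337)
  shell: "apparmor_status 2>&1 | head -n 1"
  register: v51337_result
  changed_when: False
  when:
    - security_enable_linux_security_module | bool
    - not check_mode
  tags:
    - cat2
    - V-51337

- name: V-51337 - The system must use a Linux Security Module at boot time
  fail:
    msg: "FAILED: AppArmor isn't enabled"
  when:
    - security_enable_linux_security_module | bool
    - not check_mode
    - "'apparmor module is loaded' not in v51337_result.stdout"
  tags:
    - cat2
    - V-51337
```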
diff --git a/tox.ini b/tox.ini
index 79319864..ebefaa2d 100644
--- a/tox.ini
+++ b/tox.ini
@@ -103,8 +103,6 @@ commands =
 # NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now building
 # images with apt config Apt::Get::AllowUnauthenticated set
 # to true.
-# NOTE(mhayden): Some infra images don't have AppArmor enabled, so V-51337
-# must be skipped.
 commands =
 rm -rf {homedir}/.ansible
 git clone https://git.openstack.org/openstack/openstack-ansible-plugins \
@@ -112,7 +110,7 @@ commands =
 ansible-playbook -i {toxinidir}/tests/inventory \
 -e "rolename={toxinidir}" \
 {toxinidir}/tests/test.yml \
- --skip-tag V-38462,V-51337
+ --skip-tag V-38462
 [testenv:linters]