openstack
/
openstack-ansible-security
Code Issues Proposed changes

Migrate to unique variable names 

This patch migrates all of the remaining non-unique variable names
in the security role to a pattern that begins with `security_*`.
This will reduce potential variable collisions with other roles.

This is a breaking change for deployers and users who are moving
from the liberty or stable/mitaka branches to master. Release notes
are included with additional details to help with the transition.

Closes-Bug: 1578326

Change-Id: Ib716e81e6fed971b21dc5579ae1a871736e21189
This commit is contained in:
Major Hayden 2016-05-09 16:18:48 -05:00
parent 54de1b5734
commit fa2800419e
48 changed files with 225 additions and 197 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

90
defaults/main.yml
View File

@ -14,6 +14,8 @@
# limitations under the License.
## APT Cache Options
# This variable is used across multiple OpenStack-Ansible roles to handle the
# apt cache updates as efficiently as possible.
cache_timeout: 600
### Default configurations for openstack-ansible-security #####################
@ -30,7 +32,7 @@ cache_timeout: 600
# terrible places on the system, such as /var/lib/lxc and images in /opt.
# The following three default exclusions are highly recommended for AIDE to
# work properly, but additional exclusions can be added to this list if needed.
aide_exclude_dirs:
security_aide_exclude_dirs:
- /var/lib/lxc
- /openstack
- /opt
@ -39,7 +41,7 @@ aide_exclude_dirs:
# consume plenty of CPU and I/O resources while it runs. To initialize the
# AIDE database immediately when the playbook finishes, set the following
# variable to 'true':
initialize_aide: false
security_initialize_aide: false
## Audit daemon
# The following booleans control the rule sets added to auditd's default
@ -84,36 +86,36 @@ security_audit_sudoers: yes # V-38578
#
# Set an action to occur when there is a disk error. Review the
# documentation for V-38464 before changing this option.
disk_error_action: SYSLOG # V-38464
security_disk_error_action: SYSLOG # V-38464
#
# Set an action to occur when the disk is full. Review the documentation for
# V-38468 before changing this option.
disk_full_action: SYSLOG # V-38468
security_disk_full_action: SYSLOG # V-38468
#
# V-38678 - Set the amount of megabytes left when the space_left_action
# triggers. The STIG guideline doesn't specify a size, but Ubuntu chooses a
# default of 75MB, which is reasonable.
space_left: 75 # V-38678
security_space_left: 75 # V-38678
#
# Set an action to occur when the disk is approaching its capacity.
# Review the documentation for V-38470 before changing this option.
space_left_action: SYSLOG # V-38470
security_space_left_action: SYSLOG # V-38470
#
# Set the maximum size of a rotated log file. Ubuntu's default
# matches the STIG requirement of 6MB.
max_log_file: 6 # V 38633
security_max_log_file: 6 # V 38633
#
# Sets the action to take when log files reach the maximum file size.
# Review the documentation for V-38634 before changing this option.
max_log_file_action: ROTATE # V-38634
security_max_log_file_action: ROTATE # V-38634
#
# Set the number of rotated audit logs to keep. Ubuntu has 5 as the default
# and this matches the STIG's requirements.
num_logs: 5 # V-38636
security_num_logs: 5 # V-38636
#
# Set the email address of someone who can receive and respond to notifications
# about low disk space for log volumes.
action_mail_acct: root # V-38680
security_action_mail_acct: root # V-38680
#
# **IMMINENT DANGER**
# The STIG says that the system should switch to single user mode when the
@ -121,18 +123,18 @@ action_mail_acct: root # V-38680
# and should only be set to 'single' for deployers in extremely high security
# environments. Ubuntu's default is SUSPEND, which will suspend logging.
# **IMMENENT DANGER**
admin_space_left_action: SUSPEND # V-54381
security_admin_space_left_action: SUSPEND # V-54381
## Chrony (NTP) configuration
# Adjust the following NTP servers if necessary.
ntp_servers:
security_ntp_servers:
- 0.north-america.pool.ntp.org
- 1.north-america.pool.ntp.org
- 2.north-america.pool.ntp.org
- 3.north-america.pool.ntp.org
# Chrony limits access to clients that are on certain subnets. Adjust the
# following subnets here to limit client access to chrony servers.
allowed_ntp_subnets:
security_allowed_ntp_subnets:
- 10/8
- 192.168/16
- 172.16/12
@ -140,7 +142,7 @@ allowed_ntp_subnets:
## Core dumps
# V-38675 requires disabling core dumps for all users unless absolutely
# necessary. Set this variable to 'no' to skip this change.
disable_core_dumps: yes # V-38675
security_disable_core_dumps: yes # V-38675
## Services
# The STIG recommends ensuring that some services are running if no services
@ -179,16 +181,16 @@ security_remove_ypserv: yes # V-38603
# they can be adjusted to fit a particular environment.
#
# Set a 15 minute time out for SSH sessions if there is no activity
ssh_client_alive_interval: 900 # V-38608
security_ssh_client_alive_interval: 900 # V-38608
#
# Timeout ssh sessions as soon as ClientAliveInterval is reached once
ssh_client_alive_count_max: 0 # V-38610
security_ssh_client_alive_count_max: 0 # V-38610
#
# The ssh daemon must not permit root logins. The default value of 'yes' is a
# deviation from the STIG requirements due to how openstack-ansible operates,
# especially within OpenStack CI gate jobs. See documentation for V-38613 for
# more details.
ssh_permit_root_login: 'yes' # V-38613
security_ssh_permit_root_login: 'yes' # V-38613
## Kernel
# Set these booleans to 'yes' to disable the kernel module (following the
@ -211,7 +213,7 @@ security_sysctl_tcp_syncookies: 1 # V-38539
# Deployers who wish to disable IPv6 entirely must set this configuration
# variable to 'yes'. See the documentation for V-38546 before making this
# change.
disable_ipv6: no # V-38546
security_disable_ipv6: no # V-38546
## Mail
# The STIG requires inet_interfaces to be set to 'localhost', but Ubuntu will
@ -221,12 +223,12 @@ disable_ipv6: no # V-38546
# need to receive emails over the network (which isn't common).
#
# See the documentation for V-38622 for more details.
postfix_inet_interfaces: localhost # V-38622
security_postfix_inet_interfaces: localhost # V-38622
#
# Configuring an email address here will cause hosts to forward the root user's
# email to another address.
#
#root_forward_email: user@example.com
#security_root_forward_email: user@example.com
## PAM and authentication
# V-38497 requires that accounts with null passwords aren't allowed to
@ -234,38 +236,40 @@ postfix_inet_interfaces: localhost # V-38622
# documentation for V-38497 for more details. Set the variable below to 'yes'
# to remove 'nullok_secure' from the PAM configuration or set it to 'no' to
# leave the PAM configuration unaltered.
pam_remove_nullok: yes # V-38497
security_pam_remove_nullok: yes # V-38497
#
# V-38501 requires that failed login attempts must lock a user account using
# pam_faillock, but Ubuntu doesn't package that PAM module. Instead, fail2ban
# can be installed to lock out IP addresses with failed logins for 15 minutes.
# Set the variable below to 'yes' to install and configure fail2ban.
install_fail2ban: no # V-38501
security_install_fail2ban: no # V-38501
#
# The STIG requires bans to last 15 minutes. Adjust the following variable
# to set the time an IP is banned by fail2ban (in seconds).
fail2ban_bantime: 900 # V-38501
security_fail2ban_bantime: 900 # V-38501
## Password complexity and aging
# V-38475 - There is no password length requirement by default in Ubuntu
# 14.04. To set a password length requirement, uncomment
# password_minimum_length below. The STIG recommendation is 14 characters.
#password_minimum_length: 14 # V-38475
# V-38477 - There is no password change limitation set by default in Ubuntu.
# To set the minimum number of days between password changes, uncomment
# the password_minimum_days variable below. The STIG recommendation is 1 day.
#password_minimum_days: 1 # V-38477
# V-38475 - There is no password length requirement by default in Ubuntu 14.04.
# To set a password length requirement, uncomment
# security_password_minimum_length below. The STIG recommendation is 14
# characters.
#security_password_minimum_length: 14 # V-38475
# V-38477 - There is no password change limitation set by default in Ubuntu. To
# set the minimum number of days between password changes, uncomment the
# security_password_minimum_days variable below. The STIG recommendation is 1
# day.
#security_password_minimum_days: 1 # V-38477
# V-38479 - There is no age limit on password by default in Ubuntu. Uncomment
# line below to use the STIG recommendation of 60 days.
#password_maximum_days: 60 # V-38479
#security_password_maximum_days: 60 # V-38479
# V-38480 - To warn users before their password expires, uncomment the line
# below and they will be warned 7 days prior (following the STIG).
#password_warn_age: 7 # V-38480
#security_password_warn_age: 7 # V-38480
# V-38684 - Setting the maximum number of simultaneous logins per user. The
# STIG sets a limit of 10.
#max_simultaneous_logins: 10 # V-38684
#security_max_simultaneous_logins: 10 # V-38684
# V-38692 - Lock accounts that are inactive for 35 days.
#inactive_account_lock_days: 35 # V-38692
#security_inactive_account_lock_days: 35 # V-38692
## sudo
# V-58901 requires that 'NOPASSWD' and '!authenticate' do not appear in any
@ -274,8 +278,8 @@ fail2ban_bantime: 900 # V-38501
# parameters or leave them set to 'no' (the default) to leave sudoers files
# unaltered. Deployers are urged to review the documentation for this STIG
# before making changes.
sudoers_remove_nopasswd: no # V-58901
sudoers_remove_authenticate: no # V-58901
security_sudoers_remove_nopasswd: no # V-58901
security_sudoers_remove_authenticate: no # V-58901
## umask settings
# The STIG recommends changing various default umask settings for users and
@ -291,17 +295,17 @@ sudoers_remove_authenticate: no # V-58901
# service disruptions.
#
# V-38642 - Set umask for daemons in init scripts to 027 or 022
#umask_daemons_init: 027 # V-38642
#security_umask_daemons_init: 027 # V-38642
#
# V-38645 - System default umask in /etc/login.defs must be 077
#umask_login_defs: 077 # V-38645
#security_umask_login_defs: 077 # V-38645
#
# V-38649 - System default umask for csh must be 077
#umask_csh: 077 # V-38649
#security_umask_csh: 077 # V-38649
#
# V-38651 - System default umask for bash must be 077
#umask_bash: 077 # V-38651
#security_umask_bash: 077 # V-38651
## Unattended upgrades (APT) configuration
unattended_upgrades_enabled: false
unattended_upgrades_notifications: false
security_unattended_upgrades_enabled: false
security_unattended_upgrades_notifications: false

23
doc/source/configuration.rst
View File

@ -41,7 +41,7 @@ the following variable to ``true``:
.. code-block:: yaml
initialize_aide: true
security_initialize_aide: true
Audit daemon
------------
@ -102,9 +102,10 @@ The fail2ban service is installed to meet some requirements around failed login
attempts. The STIG requires ``pam_faillock``, but that module isn't available
in Ubuntu 14.04.
To opt-in for the fail2ban service to be installed, set ``install_fail2ban`` to
``yes`` and set an appropriate time for bans with ``fail2ban_bantime``. See
the notes for V-38501 for more details.
To opt-in for the fail2ban service to be installed, set
``security_install_fail2ban`` to ``yes`` and set an appropriate time for bans
with ``security_fail2ban_bantime``. See the notes for V-38501 for more
details.
Kernel
------
@ -136,9 +137,9 @@ certain types of attacks, like SYN floods. This can cause issues in some
environments with busy load balancers. Deployers should review the notes for
V-38539 for more details.
Also, the STIG requires IPv6 support to be fully disabled, and this could
cause issues for production systems. The role will not disable IPv6 by
default, but deployers can adjust this by changing ``disable_ipv6`` to ``yes``.
Also, the STIG requires IPv6 support to be fully disabled, and this could cause
issues for production systems. The role will not disable IPv6 by default, but
deployers can adjust this by changing ``security_disable_ipv6`` to ``yes``.
Core dumps are also disabled by default in the openstack-ansible-security role.
@ -146,8 +147,8 @@ Mail
----
Deployers are strongly urged to configure an address to receive the ``root``
user's email on various hosts. This is done with the ``root_forward_email``
variable.
user's email on various hosts. This is done with the
``security_root_forward_email`` variable.
The STIG requires that a valid user receives the email in case of errors or a
security issue.
@ -229,5 +230,5 @@ umask adjustments
Certain umask adjustments are required by the STIG, but these can cause
problems with production systems. The requirements are commented out within
``defaults/main.yml`` and can be applied by uncommenting the variables that
start with ``umask_*``. There is extensive documentation available within
the developer notes for each STIG requirement.
start with ``security_umask_*``. There is extensive documentation available
within the developer notes for each STIG requirement.

4
doc/source/developer-notes/V-38446.rst
View File

@ -1,4 +1,4 @@
Forwarding root's email to another user is highly recommended, but the Ansible
tasks won't configure an email address to receive root's email unless that
email address is configured. Set ``root_forward_email`` to an email address
that is ready to receive root's email.
email address is configured. Set ``security_root_forward_email`` to an email
address that is ready to receive root's email.

16
doc/source/developer-notes/V-38464.rst
View File

@ -1,16 +1,16 @@
Ubuntu's default for ``disk_error_action`` is ``SUSPEND``, which actually
only suspends audit logging. That could be a security issue, so ``SYSLOG``
is recommended and is set by default by openstack-ansible-security. There
are additional options available, like ``EXEC``, ``SINGLE`` or ``HALT``.
Ubuntu's default for ``security_disk_error_action`` is ``SUSPEND``, which
actually only suspends audit logging. That could be a security issue, so
``SYSLOG`` is recommended and is set by default by openstack-ansible-security.
There are additional options available, like ``EXEC``, ``SINGLE`` or ``HALT``.
To configure a different ``disk_error_action``, set the following Ansible
variable:
To configure a different ``security_disk_error_action``, set the following
Ansible variable:
.. code-block:: yaml
disk_error_action: SYSLOG
security_disk_error_action: SYSLOG
For details on available settings and what they do, run ``man auditd.conf``.
Some options can cause the host to go offline until the issue is fixed.
Deployers are urged to **carefully read the auditd documentation** prior to
changing the ``disk_error_action`` setting from the default.
changing the ``security_disk_error_action`` setting from the default.

18
doc/source/developer-notes/V-38468.rst
View File

@ -1,19 +1,19 @@
Ubuntu's default for ``disk_full_action`` is ``SUSPEND``, which actually
only suspends audit logging. That could be a security issue, so ``SYSLOG``
is recommended and is set by default by openstack-ansible-security. If syslog
messages are being sent to remote servers, these log messages should alert
an administrator about the disk being full. There are additional options
Ubuntu's default for ``security_disk_full_action`` is ``SUSPEND``, which
actually only suspends audit logging. That could be a security issue, so
``SYSLOG`` is recommended and is set by default by openstack-ansible-security.
If syslog messages are being sent to remote servers, these log messages should
alert an administrator about the disk being full. There are additional options
available, like ``EXEC``, ``SINGLE`` or ``HALT``.
To configure a different ``disk_full_action``, set the following Ansible
variable:
To configure a different ``security_disk_full_action``, set the following
Ansible variable:
.. code-block:: yaml
disk_full_action: SYSLOG
security_disk_full_action: SYSLOG
For details on available settings and what they do, run ``man auditd.conf``.
Some options can cause the host to go offline until the issue is fixed.
Deployers are urged to **carefully read the auditd documentation** prior to
changing the ``disk_full_action`` setting from the default.
changing the ``security_disk_full_action`` setting from the default.

20
doc/source/developer-notes/V-38470.rst
View File

@ -1,18 +1,18 @@
Ubuntu's default for ``space_left_action`` is ``SUSPEND``, which actually
only suspends audit logging. That could be a security issue, so ``SYSLOG``
is recommended and is set by default by openstack-ansible-security. If syslog
messages are being sent to remote servers, these log messages should alert
an administrator about the disk being almost full. There are additional options
available, like ``EXEC``, ``SINGLE`` or ``HALT``.
Ubuntu's default for ``security_space_left_action`` is ``SUSPEND``, which
actually only suspends audit logging. That could be a security issue, so
``SYSLOG`` is recommended and is set by default by openstack-ansible-security.
If syslog messages are being sent to remote servers, these log messages should
alert an administrator about the disk being almost full. There are additional
options available, like ``EXEC``, ``SINGLE`` or ``HALT``.
To configure a different ``space_left_action``, set the following Ansible
variable:
To configure a different ``security_space_left_action``, set the following
Ansible variable:
.. code-block:: yaml
space_left_action: SYSLOG
security_space_left_action: SYSLOG
For details on available settings and what they do, run ``man auditd.conf``.
Some options can cause the host to go offline until the issue is fixed.
Deployers are urged to **carefully read the auditd documentation** prior to
changing the ``space_left_action`` setting from the default.
changing the ``security_space_left_action`` setting from the default.

2
doc/source/developer-notes/V-38475.rst
View File

@ -6,7 +6,7 @@ setting, set the following Ansible variable:
.. code-block:: yaml
password_minimum_length: 14
security_password_minimum_length: 14
Deployers are urged to avoid the use of passwords and rely upon SSH keys if
possible.

2
doc/source/developer-notes/V-38477.rst
View File

@ -7,4 +7,4 @@ To enable this configuration, use this Ansible variable:
.. code-block:: yaml
password_minimum_days: 14
security_password_minimum_days: 14

2
doc/source/developer-notes/V-38479.rst
View File

@ -8,5 +8,5 @@ To enable this configuration, use this Ansible variable:
.. code-block:: yaml
password_maximum_days: 60
security_password_maximum_days: 60

2
doc/source/developer-notes/V-38480.rst
View File

@ -7,4 +7,4 @@ variable to configure the warning:
.. code-block:: yaml
password_warn_age: 7
security_password_warn_age: 7

2
doc/source/developer-notes/V-38481.rst
View File

@ -9,7 +9,7 @@ variable to ``true``:
.. code-block:: yaml
unattended_upgrades: true
security_unattended_upgrades: true
Note that this will only apply updates made available to the distro-security
(eg. trusty-security) repositories.

2
doc/source/developer-notes/V-38497.rst
View File

@ -10,7 +10,7 @@ However, deployers can opt-out of this change by adjusting an Ansible variable:
.. code-block:: yaml
pam_remove_nullok: no
security_pam_remove_nullok: no
Setting the variable to ``yes`` (the default) will cause the Ansible tasks to
remove the ``nullok_secure`` parameter while setting the variable to ``no``

10
doc/source/developer-notes/V-38501.rst
View File

@ -19,14 +19,14 @@ addresses using the following logic
* That IP will be banned for 15 minutes (via iptables rules)
Deployers must opt-in for fail2ban to be installed and configured. To opt-in,
set the ``install_fail2ban`` Ansible variable to ``yes``. The time period for
bans can also be configured (in seconds) via tha ``fail2ban_bantime``
variable:
set the ``security_install_fail2ban`` Ansible variable to ``yes``. The time
period for bans can also be configured (in seconds) via tha
``security_fail2ban_bantime`` variable:
.. code-block:: yaml
install_fail2ban: yes
fail2ban_bantime: 900
security_install_fail2ban: yes
security_fail2ban_bantime: 900
**NOTE:** Fail2ban can only review authentication attempts for services that
listen on the network, such as ssh. It has no control over physical consoles.

2
doc/source/developer-notes/V-38546.rst
View File

@ -8,7 +8,7 @@ To opt-in for this change, set the following Ansible variable to ``yes``:
.. code-block:: yaml
disable_ipv6: yes
security_disable_ipv6: yes
**NOTE:** This change will go into effect **immediately** on the system and
persist through reboots.

4
doc/source/developer-notes/V-38608.rst
View File

@ -1,9 +1,9 @@
The ``ClientAliveInterval`` in the ssh configuration will be set to 15 minutes
as recommended by the STIG. However, this time is configurable by setting
``ssh_client_alive_interval`` to another value, in seconds.
``security_ssh_client_alive_interval`` to another value, in seconds.
To change to 10 minutes, adjust the configuration item to 600 seconds:
.. code-block:: yaml
ssh_client_alive_interval: 600
security_ssh_client_alive_interval: 600

2
doc/source/developer-notes/V-38610.rst
View File

@ -5,4 +5,4 @@ to something other than ``0``:
.. code-block:: yaml
ssh_client_alive_count_max: 0
security_ssh_client_alive_count_max: 0

2
doc/source/developer-notes/V-38613.rst
View File

@ -7,7 +7,7 @@ To disallow root logins via ssh, simply adjust this configuration variable:
.. code-block:: yaml
ssh_permit_root_login: 'no'
security_ssh_permit_root_login: 'no'
**NOTE:** The quotes around ``'no'`` or ``'yes'`` are very important. Ansible
will treat ``no`` and ``yes`` as booleans by default and that will cause a

9
doc/source/developer-notes/V-38620.rst
View File

@ -6,13 +6,14 @@ environments.
There are two configurations available for users to adjust chrony's default
configuration:
The ``ntp_servers`` variable is a list of NTP servers that
The ``security_ntp_servers`` variable is a list of NTP servers that
chrony should use to synchronize time. They are set to North American NTP
servers by default.
The ``allowed_ntp_subnets`` variable is a list of subnets (in CIDR notation)
that are allowed to reach your servers running chrony. A sane default is
chosen (all RFC1918 networks are allowed), but this can be easily adjusted.
The ``security_allowed_ntp_subnets`` variable is a list of subnets (in CIDR
notation) that are allowed to reach your servers running chrony. A sane
default is chosen (all RFC1918 networks are allowed), but this can be easily
adjusted.
For more information on chrony, review the `chrony documentation`_ at the
upstream site, or run `man chrony` on a host with chrony installed.

2
doc/source/developer-notes/V-38622.rst
View File

@ -8,7 +8,7 @@ the following Ansible variable:
.. code-block:: yaml
postfix_inet_interfaces: all
security_postfix_inet_interfaces: all
Note that postfix can have ``inet_interfaces`` set to ``localhost`` and it can
still send email on the network. The ``inet_interfaces`` directive only

8
doc/source/developer-notes/V-38633.rst
View File

@ -1,12 +1,12 @@
Ubuntu's default setting for ``max_log_files`` matches the STIG requirement of
rotating logs when they reach 6MB. The Ansible task for this STIG
requirement ensures that the secure default is maintained.
Ubuntu's default setting for ``security_max_log_file`` matches the STIG
requirement of rotating logs when they reach 6MB. The Ansible task for this
STIG requirement ensures that the secure default is maintained.
Deployers who want to exceed the STIG guideline can increase the size of logs
by adjusting the following Ansible variable:
.. code-block:: yaml
max_log_file: 6
security_max_log_file: 6

6
doc/source/developer-notes/V-38634.rst
View File

@ -1,6 +1,6 @@
Ubuntu's default action for ``max_log_file_action`` is to rotate the logs.
This meets the STIG requirements and the Ansible task will ensure that the
secure default is maintained.
Ubuntu's default action for ``security_max_log_file_action`` is to rotate the
logs. This meets the STIG requirements and the Ansible task will ensure that
the secure default is maintained.
Use caution when changing this option. Certain values, like ``SUSPEND`` will
cause the audit daemon to lock the machine when the maximum size for a log

8
doc/source/developer-notes/V-38636.rst
View File

@ -1,12 +1,12 @@
Ubuntu keeps 5 rotated logs with the ``num_logs`` option and this meets the
STIG requirement. The Ansible task will ensure that the secure default is
maintained.
Ubuntu keeps 5 rotated logs with the ``security_num_logs`` option and this
meets the STIG requirement. The Ansible task will ensure that the secure
default is maintained.
Deployers who want to allow logs to grow to larger sizes prior to rotation can
adjust the following Ansible variable:
.. code-block:: yaml
num_logs: 5
security_num_logs: 5

6
doc/source/developer-notes/V-38642.rst
View File

@ -1,7 +1,7 @@
The STIG requires that daemons have their umask set to ``027`` or ``022``.
Since changing umasks can disrupt some systems, this is an opt-in change.
Deployers that want this change applied to their systems must set the
Ansible variable ``umask_daemons_init`` to ``027``. The current default
for Ubuntu 14.04 is ``027`` already, so deployers do not need to make any
Deployers that want this change applied to their systems must set the Ansible
variable ``security_umask_daemons_init`` to ``027``. The current default for
Ubuntu 14.04 is ``027`` already, so deployers do not need to make any
adjustments to Ansible variables to meet the STIG requirement.

2
doc/source/developer-notes/V-38645.rst
View File

@ -5,4 +5,4 @@ requires ``077`` to be set. Since changing umask settings can disrupt some
systems, this change requires a deployer to opt-in.
To opt-in for this change and adjust the umask, the Ansible variable
``umask_login_defs`` must be set to ``077``.
``security_umask_login_defs`` must be set to ``077``.

2
doc/source/developer-notes/V-38649.rst
View File

@ -3,7 +3,7 @@
Neither Ubuntu or openstack-ansible installs the csh shell by default.
Since umask changes can be disruptive on some systems, the deployer must
opt-in for this change to happen. If the ``umask_csh`` Ansible variable is
opt-in for this change to happen. If the ``security_umask_csh`` Ansible variable is
set **and** the csh package is installed, the Ansible tasks will ensure the
appropriate umask is set in the csh configuration file.

2
doc/source/developer-notes/V-38651.rst
View File

@ -2,4 +2,4 @@
Changing the umask for the bash shell is an opt-in setting. Deployers that
want to set the umask for bash sessions to match the STIG requirement must
set the Ansible variable ``umask_bash`` to ``077``.
set the Ansible variable ``security_umask_bash`` to ``077``.

2
doc/source/developer-notes/V-38675.rst
View File

@ -5,4 +5,4 @@ To opt-out of this change, set the following Ansible variable to ``no``:
.. code-block:: yaml
disable_core_dumps: no
security_disable_core_dumps: no

5
doc/source/developer-notes/V-38678.rst
View File

@ -1,6 +1,7 @@
When auditd notices that free disk space on its logging partition is low, it
will trigger the ``space_left_action``. The threshold of remaining disk space
is configured by ``space_left`` in ``/etc/audit/auditd.conf``.
will trigger the ``security_space_left_action``. The threshold of remaining
disk space is configured by ``security_space_left`` in
``/etc/audit/auditd.conf``.
By default, Ubuntu sets this value to 75 megabytes. The STIG doesn't set a
specific requirement for the exact size, so the Ansible task will ensure that

4
doc/source/developer-notes/V-38680.rst
View File

@ -2,5 +2,5 @@ By default, Ubuntu sets the default recipient for storage capacity issues in
auditd to the root user. The Ansible task ensures that the default remains set.
Deployers are strongly urged to review V-38446 to ensure they have set the
``root_forward_email`` variable so that the email system can route these
critical notifications to a monitored mailbox.
``security_root_forward_email`` variable so that the email system can route
these critical notifications to a monitored mailbox.

2
doc/source/developer-notes/V-38684.rst
View File

@ -8,4 +8,4 @@ To opt-in for this change, set the following Ansible variable:
.. code-block:: yaml
max_simultaneous_logins: 10
security_max_simultaneous_logins: 10

7
doc/source/developer-notes/V-38692.rst
View File

@ -5,6 +5,7 @@ period of time. The STIG requires that accounts with 35 days of activity are
locked.
Deployers must opt-in for this change by setting the
``inactive_account_lock_days`` Ansible variable. The STIG requires this to be
set to 35 days at a maximum. The Ansible tasks will not make any changes to
``/etc/default/useradd`` unless ``inactive_account_lock_days`` is set.
``security_inactive_account_lock_days`` Ansible variable. The STIG requires
this to be set to 35 days at a maximum. The Ansible tasks will not make any
changes to ``/etc/default/useradd`` unless
``security_inactive_account_lock_days`` is set.

2
doc/source/developer-notes/V-51391.rst
View File

@ -7,4 +7,4 @@ down the playbook run.
Some directories are excluded from AIDE runs to prevent AIDE from wandering
into directories where it shouldn't be hashing/monitoring files. The
``defaults/main.yml`` file has some recommended directories as part of the
``aide_exclude_dirs`` variable.
``security_aide_exclude_dirs`` variable.

6
doc/source/developer-notes/V-54381.rst
View File

@ -6,12 +6,12 @@ single-user mode when the space for logging becomes dangerously low.
**This will cause serious service disruptions for any environment and should
only be enabled for extremely high security environments.**
Ubuntu sets ``admin_space_left_action`` to ``SUSPEND`` by default, and this
will cause logging to be temporarily suspended until disk space is freed.
Ubuntu sets ``security_admin_space_left_action`` to ``SUSPEND`` by default, and
this will cause logging to be temporarily suspended until disk space is freed.
For extremely high security environments, this Ansible variable can be
provided to meet the requirements of the STIG:
.. code-block:: yaml
admin_space_left_action: SINGLE
security_admin_space_left_action: SINGLE

12
doc/source/developer-notes/V-58901.rst
View File

@ -12,11 +12,11 @@ configuration files will not be altered:
.. code-block:: yaml
sudoers_remove_nopasswd: no
sudoers_remove_authenticate: no
security_sudoers_remove_nopasswd: no
security_sudoers_remove_authenticate: no
Setting ``sudoers_remove_nopasswd`` to ``yes`` will cause the Ansible tasks to
search for any lines containing ``NOPASSWD`` and comment them out of the
configuration. Setting ``sudoers_remove_authenticate`` will do the same
actions on lines containing ``!authenticate``. Lines that are already
Setting ``security_sudoers_remove_nopasswd`` to ``yes`` will cause the Ansible
tasks to search for any lines containing ``NOPASSWD`` and comment them out of
the configuration. Setting ``security_sudoers_remove_authenticate`` will do the
same actions on lines containing ``!authenticate``. Lines that are already
commented will be left unaltered.

2
handlers/main.yml
View File

@ -62,7 +62,7 @@
# the background so it doesn't hold up the whole playbook.
- name: initialize AIDE
shell: "aideinit -b"
when: initialize_aide | bool
when: security_initialize_aide | bool
- name: rehash aliases
command: newaliases

20
releasenotes/notes/unique-variable-migration-c0639030b495438f.yaml Normal file
View File

@ -0,0 +1,20 @@
---
upgrade:
- |
All variables in the security role are now prepended with ``security_`` to
avoid collisions with variables in other roles. All deployers who have
used the security role in previous releases will need to prepend all
security role variables with ``security_``.
For example, a deployer could have disabled direct root ssh logins with the
following variable:
.. code-block:: yaml
ssh_permit_root_login: yes
That variable would become:
.. code-block:: yaml
security_ssh_permit_root_login: yes

8
tasks/apt.yml
View File

@ -65,7 +65,7 @@
apt:
name: unattended-upgrades
state: present
when: unattended_upgrades_enabled | bool
when: security_unattended_upgrades_enabled | bool
tags:
- apt
- cat2
@ -75,7 +75,7 @@
copy:
src: 20auto-upgrades
dest: /etc/apt/apt.conf.d/20auto-upgrades
when: unattended_upgrades_enabled | bool
when: security_unattended_upgrades_enabled | bool
tags:
- apt
- cat2
@ -87,8 +87,8 @@
regexp: '^(\/\/)?Unattended-Upgrade::Mail "root";'
line: 'Unattended-Upgrade::Mail "root";'
when:
- unattended_upgrades_enabled | bool
- unattended_upgrades_notifications | bool
- security_unattended_upgrades_enabled | bool
- security_unattended_upgrades_notifications | bool
tags:
- apt
- cat2

18
tasks/auditd.yml
View File

@ -65,7 +65,7 @@
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?max_log_file ="
line: "max_log_file = {{ max_log_file }}"
line: "max_log_file = {{ security_max_log_file }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
@ -78,7 +78,7 @@
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?max_log_file_action ="
line: "max_log_file_action = {{ max_log_file_action }}"
line: "max_log_file_action = {{ security_max_log_file_action }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
@ -91,7 +91,7 @@
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?num_logs ="
line: "num_logs = {{ num_logs }}"
line: "num_logs = {{ security_num_logs }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
@ -155,7 +155,7 @@
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?disk_error_action"
line: "disk_error_action = {{ disk_error_action }}"
line: "disk_error_action = {{ security_disk_error_action }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
@ -168,7 +168,7 @@
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?disk_full_action"
line: "disk_full_action = {{ disk_full_action }}"
line: "disk_full_action = {{ security_disk_full_action }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
@ -181,7 +181,7 @@
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?space_left"
line: "space_left = {{ space_left }}"
line: "space_left = {{ security_space_left }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
@ -194,7 +194,7 @@
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?space_left_action"
line: "space_left_action = {{ space_left_action }}"
line: "space_left_action = {{ security_space_left_action }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
@ -207,7 +207,7 @@
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?action_mail_acct"
line: "action_mail_acct = {{ action_mail_acct }}"
line: "action_mail_acct = {{ security_action_mail_acct }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
@ -280,7 +280,7 @@
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?admin_space_left_action"
line: "admin_space_left_action = {{ admin_space_left_action }}"
line: "admin_space_left_action = {{ security_admin_space_left_action }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd

30
tasks/auth.yml
View File

@ -17,8 +17,8 @@
lineinfile:
dest: /etc/login.defs
regexp: "^(#)?PASS_MIN_LEN"
line: "PASS_MIN_LEN {{ password_minimum_length }}"
when: password_minimum_length is defined
line: "PASS_MIN_LEN {{ security_password_minimum_length }}"
when: security_password_minimum_length is defined
tags:
- auth
- cat2
@ -28,8 +28,8 @@
lineinfile:
dest: /etc/login.defs
regexp: "^(#)?PASS_MIN_DAYS"
line: "PASS_MIN_DAYS {{ password_minimum_days }}"
when: password_minimum_days is defined
line: "PASS_MIN_DAYS {{ security_password_minimum_days }}"
when: security_password_minimum_days is defined
tags:
- auth
- cat2
@ -39,8 +39,8 @@
lineinfile:
dest: /etc/login.defs
regexp: "^(#)?PASS_MAX_DAYS"
line: "PASS_MAX_DAYS {{ password_maximum_days }}"
when: password_maximum_days is defined
line: "PASS_MAX_DAYS {{ security_password_maximum_days }}"
when: security_password_maximum_days is defined
tags:
- auth
- cat2
@ -50,8 +50,8 @@
lineinfile:
dest: /etc/login.defs
regexp: "^(#)?PASS_WARN_DAYS"
line: "PASS_WARN_DAYS {{ password_warn_age }}"
when: password_warn_age is defined
line: "PASS_WARN_DAYS {{ security_password_warn_age }}"
when: security_password_warn_age is defined
tags:
- auth
- cat3
@ -110,7 +110,7 @@
line: '\1\2'
backup: yes
backrefs: yes
when: pam_remove_nullok | bool
when: security_pam_remove_nullok | bool
tags:
- auth
- cat1
@ -171,7 +171,7 @@
apt:
name: fail2ban
state: present
when: install_fail2ban | bool
when: security_install_fail2ban | bool
tags:
- auth
- cat2
@ -183,7 +183,7 @@
template:
src: jail.local.j2
dest: /etc/fail2ban/jail.d/jail.local
when: install_fail2ban | bool
when: security_install_fail2ban | bool
notify:
- restart fail2ban
tags:
@ -363,8 +363,8 @@
lineinfile:
dest: /etc/default_useradd
regexp: "^(#)?INACTIVE"
line: "INACTIVE {{ inactive_account_lock_days }}"
when: inactive_account_lock_days is defined
line: "INACTIVE {{ security_inactive_account_lock_days }}"
when: security_inactive_account_lock_days is defined
tags:
- auth
- cat3
@ -404,7 +404,7 @@
- name: Comment out sudoers lines with NOPASSWD present (for V-58901)
shell: "sed -e '/NOPASSWD/ s/^#*/#/' -i {{ item }}"
with_items: v58901_result.stdout_lines
when: sudoers_remove_nopasswd | bool
when: security_sudoers_remove_nopasswd | bool
tags:
- auth
- cat2
@ -415,7 +415,7 @@
- name: Comment out sudoers lines with !authenticate present (for V-58901)
shell: "sed -e '/!authenticate/ s/^#*/#/' -i {{ item }}"
with_items: v58901_result.stdout_lines
when: sudoers_remove_authenticate | bool
when: security_sudoers_remove_authenticate | bool
tags:
- auth
- cat2

18
tasks/file_perms.yml
View File

@ -126,8 +126,8 @@
lineinfile:
dest: /etc/init.d/rc
regexp: "^umask "
line: "umask {{ umask_daemons_init }}"
when: umask_daemons_init is defined
line: "umask {{ security_umask_daemons_init }}"
when: security_umask_daemons_init is defined
tags:
- file_perms
- cat3
@ -138,8 +138,8 @@
lineinfile:
dest: /etc/login.defs
regexp: "^UMASK"
line: "UMASK {{ umask_login_defs }}"
when: umask_login_defs is defined
line: "UMASK {{ security_umask_login_defs }}"
when: security_umask_login_defs is defined
tags:
- file_perms
- cat3
@ -152,7 +152,7 @@
register: v38649_result
changed_when: False
failed_when: False
when: umask_csh is defined
when: security_umask_csh is defined
tags:
- file_perms
- cat3
@ -162,9 +162,9 @@
lineinfile:
dest: /etc/csh.cshrc
regexp: "^(#)?umask"
line: "umask {{ umask_csh }}"
line: "umask {{ security_umask_csh }}"
create: yes
when: umask_csh is defined and v38649_result.rc == 0
when: security_umask_csh is defined and v38649_result.rc == 0
tags:
- file_perms
- cat3
@ -174,8 +174,8 @@
lineinfile:
dest: /etc/bash.bashrc
regexp: "^(#)?umask"
line: "umask {{ umask_bash }}"
when: umask_bash is defined
line: "umask {{ security_umask_bash }}"
when: security_umask_bash is defined
tags:
- file_perms
- cat3

2
tasks/kernel.yml
View File

@ -158,7 +158,7 @@
with_items:
- net.ipv6.conf.all.disable_ipv6
- net.ipv6.conf.default.disable_ipv6
when: disable_ipv6 | bool
when: security_disable_ipv6 | bool
tags:
- kernel
- cat2

12
tasks/mail.yml
View File

@ -38,20 +38,20 @@
dest: /etc/postfix/main.cf
regexp: "^(#)?mynetworks"
line: "mynetworks = 127.0.0.0/8"
when: disable_ipv6 | bool
when: security_disable_ipv6 | bool
tags:
- mail
- cat3
- V-38669
# Be sure to set root_forward_email so that this task is executed. See the
# documentation for more details.
# Be sure to set security_root_forward_email so that this task is executed. See
# the documentation for more details.
- name: V-38446 - Mail system must forward root's email
lineinfile:
dest: /etc/aliases
regexp: "^root"
line: "root: {{ root_forward_email }}"
when: root_forward_email is defined
line: "root: {{ security_root_forward_email }}"
when: security_root_forward_email is defined
notify:
- rehash aliases
tags:
@ -71,7 +71,7 @@
lineinfile:
dest: /etc/postfix/main.cf
regexp: "^(#)?inet_interfaces"
line: "inet_interfaces = {{ postfix_inet_interfaces }}"
line: "inet_interfaces = {{ security_postfix_inet_interfaces }}"
when: postfix_main_cf.stat.exists | bool
notify:
- restart postfix

6
tasks/misc.yml
View File

@ -204,7 +204,7 @@
dest: /etc/security/limits.d/V-38675-coredump.conf
line: "* hard core 0"
create: yes
when: disable_core_dumps is defined
when: security_disable_core_dumps is defined
tags:
- cat3
- V-38675
@ -212,9 +212,9 @@
- name: V-38684 - Maximum simultaneous logins per user
lineinfile:
dest: /etc/security/limits.d/V-38684-maxlogins.conf
line: "* hard maxlogins {{ max_simultaneous_logins }}"
line: "* hard maxlogins {{ security_max_simultaneous_logins }}"
create: yes
when: max_simultaneous_logins is defined
when: security_max_simultaneous_logins is defined
tags:
- cat3
- V-38684

6
tasks/sshd.yml
View File

@ -128,7 +128,7 @@
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?ClientAliveInterval'
line: 'ClientAliveInterval {{ ssh_client_alive_interval }}'
line: 'ClientAliveInterval {{ security_ssh_client_alive_interval }}'
insertafter: "^# openstack-ansible-security configurations"
validate: '/usr/sbin/sshd -T -f %s'
notify:
@ -143,7 +143,7 @@
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?ClientAliveCountMax'
line: 'ClientAliveCountMax {{ ssh_client_alive_count_max }}'
line: 'ClientAliveCountMax {{ security_ssh_client_alive_count_max }}'
insertafter: "^# openstack-ansible-security configurations"
validate: '/usr/sbin/sshd -T -f %s'
notify:
@ -173,7 +173,7 @@
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?PermitRootLogin'
line: 'PermitRootLogin {{ ssh_permit_root_login }}'
line: 'PermitRootLogin {{ security_ssh_permit_root_login }}'
insertafter: "^# openstack-ansible-security configurations"
validate: '/usr/sbin/sshd -T -f %s'
notify:

2
templates/ZZ_aide_exclusions.j2
View File

@ -2,6 +2,6 @@
# These excluded paths prevent AIDE from wandering into directories where it
# shouldn't be hashing/monitoring files.
{% for dir in aide_exclude_dirs %}
{% for dir in security_aide_exclude_dirs %}
!{{ dir }}
{% endfor %}

4
templates/chrony.conf.j2
View File

@ -17,7 +17,7 @@
# fails they will be discarded. Thus under some circumstances it is
# better to use IP numbers than host names.
{% for ntp_server in ntp_servers %}
{% for ntp_server in security_ntp_servers %}
server {{ ntp_server }} offline minpoll 8
{% endfor %}
@ -62,7 +62,7 @@ local stratum 10
# Allow computers on the unrouted nets to use the server.
{% for subnet in allowed_ntp_subnets %}
{% for subnet in security_allowed_ntp_subnets %}
allow {{ subnet }}
{% endfor %}

2
templates/jail.local.j2
View File

@ -2,4 +2,4 @@
[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime = {{ fail2ban_bantime }}
bantime = {{ security_fail2ban_bantime }}

4
tests/test.yml
View File

@ -42,5 +42,5 @@
roles:
- role: "{{ rolename }}"
vars:
unattended_upgrades_enabled: true
unattended_upgrades_notifications: true
security_unattended_upgrades_enabled: true
security_unattended_upgrades_notifications: true