356 lines
16 KiB
YAML
356 lines
16 KiB
YAML
---
|
|
# Copyright 2015, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
## APT Cache Options
|
|
# This variable is used across multiple OpenStack-Ansible roles to handle the
|
|
# apt cache updates as efficiently as possible.
|
|
cache_timeout: 600
|
|
|
|
# Set the package install state for distribution packages
|
|
# Options are 'present' and 'latest'
|
|
security_package_state: "latest"
|
|
|
|
### Default configurations for openstack-ansible-security #####################
|
|
#
|
|
# All of the configuration items below are documented in the developer notes
|
|
# found here:
|
|
#
|
|
# http://docs.openstack.org/developer/openstack-ansible-security/
|
|
#
|
|
###############################################################################
|
|
|
|
## AIDE
|
|
# The default Ubuntu configuration for AIDE will cause it to wander into some
|
|
# terrible places on the system, such as /var/lib/lxc and images in /opt.
|
|
# The following three default exclusions are highly recommended for AIDE to
|
|
# work properly, but additional exclusions can be added to this list if needed.
|
|
security_aide_exclude_dirs:
|
|
- /openstack
|
|
- /opt
|
|
- /run
|
|
- /var
|
|
#
|
|
# By default, the AIDE database won't be initialized immediately since it can
|
|
# consume plenty of CPU and I/O resources while it runs. To initialize the
|
|
# AIDE database immediately when the playbook finishes, set the following
|
|
# variable to 'true':
|
|
security_initialize_aide: false
|
|
|
|
## Audit daemon
|
|
# V-38438 requires that auditd is enabled at boot time with a parameter in the
|
|
# GRUB configuration.
|
|
#
|
|
# If 'security_enable_audit_during_boot' is set to 'yes', then the 'audit=1'
|
|
# parameter will be added in /etc/default/grub.d/.
|
|
# If 'security_enable_grub_update is set to 'yes', the grub.cfg will be
|
|
# updated automatically.
|
|
security_enable_audit_during_boot: yes # V-38438
|
|
security_enable_grub_update: yes # V-38438
|
|
|
|
# The following booleans control the rule sets added to auditd's default
|
|
# set of auditing rules. To see which rules will be added for each boolean,
|
|
# refer to the templates/osas-auditd.j2 file.
|
|
#
|
|
# If the template changes due to booleans being adjusted, the new template
|
|
# will be deployed onto the host and auditd will get the new rules loaded
|
|
# automatically with augenrules.
|
|
#
|
|
security_audit_account_modification: yes # V-38531, V-38534, V-38538
|
|
security_audit_change_localtime: yes # V-38530
|
|
security_audit_change_system_time: yes # V-38635
|
|
security_audit_clock_settime: yes # V-38527
|
|
security_audit_clock_settimeofday: yes # V-38522
|
|
security_audit_clock_stime: yes # V-38525
|
|
security_audit_DAC_chmod: no # V-38543
|
|
security_audit_DAC_chown: no # V-38545
|
|
security_audit_DAC_lchown: no # V-38558
|
|
security_audit_DAC_fchmod: no # V-38547
|
|
security_audit_DAC_fchmodat: no # V-38550
|
|
security_audit_DAC_fchown: no # V-38552
|
|
security_audit_DAC_fchownat: no # V-38554
|
|
security_audit_DAC_fremovexattr: no # V-38556
|
|
security_audit_DAC_lremovexattr: no # V-38559
|
|
security_audit_DAC_fsetxattr: no # V-38557
|
|
security_audit_DAC_lsetxattr: no # V-38561
|
|
security_audit_DAC_setxattr: no # V-38565
|
|
security_audit_deletions: no # V-38575
|
|
security_audit_failed_access: no # V-38566
|
|
security_audit_filesystem_mounts: yes # V-38568
|
|
security_audit_kernel_modules: yes # V-38580
|
|
security_audit_mac_changes: yes # V-38541
|
|
security_audit_network_changes: yes # V-38540
|
|
security_audit_sudoers: yes # V-38578
|
|
#
|
|
# **DANGER**
|
|
# Changing the options below can cause systems to go offline unexpectedly or
|
|
# stop serving requests as a security precaution. Read the developer notes for
|
|
# each STIG prior to adjusting the following variables.
|
|
# **DANGER**
|
|
#
|
|
# Set an action to occur when there is a disk error. Review the
|
|
# documentation for V-38464 before changing this option.
|
|
security_disk_error_action: SYSLOG # V-38464
|
|
#
|
|
# Set an action to occur when the disk is full. Review the documentation for
|
|
# V-38468 before changing this option.
|
|
security_disk_full_action: SYSLOG # V-38468
|
|
#
|
|
# V-38678 - Set the amount of megabytes left when the space_left_action
|
|
# triggers. The STIG guideline doesn't specify a size, but Ubuntu chooses a
|
|
# default of 75MB, which is reasonable.
|
|
security_space_left: 75 # V-38678
|
|
#
|
|
# Set an action to occur when the disk is approaching its capacity.
|
|
# Review the documentation for V-38470 before changing this option.
|
|
security_space_left_action: SYSLOG # V-38470
|
|
#
|
|
# Set the maximum size of a rotated log file. Ubuntu's default
|
|
# matches the STIG requirement of 6MB.
|
|
security_max_log_file: 6 # V 38633
|
|
#
|
|
# Sets the action to take when log files reach the maximum file size.
|
|
# Review the documentation for V-38634 before changing this option.
|
|
security_max_log_file_action: ROTATE # V-38634
|
|
#
|
|
# Set the number of rotated audit logs to keep. Ubuntu has 5 as the default
|
|
# and this matches the STIG's requirements.
|
|
security_num_logs: 5 # V-38636
|
|
#
|
|
# Set the email address of someone who can receive and respond to notifications
|
|
# about low disk space for log volumes.
|
|
security_action_mail_acct: root # V-38680
|
|
#
|
|
# **IMMINENT DANGER**
|
|
# The STIG says that the system should switch to single user mode when the
|
|
# storage capacity gets very low. This can cause serious service disruptions
|
|
# and should only be set to 'single' for deployers in extremely high security
|
|
# environments. Ubuntu's default is SUSPEND, which will suspend logging.
|
|
# **IMMENENT DANGER**
|
|
security_admin_space_left_action: SUSPEND # V-54381
|
|
|
|
## Chrony (NTP) configuration
|
|
# Install and enable chrony to sync time with NTP servers.
|
|
security_enable_chrony: yes # V-38620
|
|
# Adjust the following NTP servers if necessary.
|
|
security_ntp_servers:
|
|
- 0.north-america.pool.ntp.org
|
|
- 1.north-america.pool.ntp.org
|
|
- 2.north-america.pool.ntp.org
|
|
- 3.north-america.pool.ntp.org
|
|
# Chrony limits access to clients that are on certain subnets. Adjust the
|
|
# following subnets here to limit client access to chrony servers.
|
|
security_allowed_ntp_subnets:
|
|
- 10/8
|
|
- 192.168/16
|
|
- 172.16/12
|
|
# Listen for NTP requests only on local interfaces.
|
|
security_ntp_bind_local_interfaces_only: yes
|
|
|
|
## Core dumps
|
|
# V-38675 requires disabling core dumps for all users unless absolutely
|
|
# necessary. Set this variable to 'no' to skip this change.
|
|
security_disable_core_dumps: yes # V-38675
|
|
|
|
## Services
|
|
# The STIG recommends ensuring that some services are running if no services
|
|
# utilizing it are enabled. Setting a boolean to 'yes' here will ensure that
|
|
# a service isn't actively running and will not be started after boot-up.
|
|
# Setting a 'no' will ensure that this Ansible role does not alter the service
|
|
# in any way from its current configuration.
|
|
#
|
|
security_disable_abrtd: yes # V-38641
|
|
security_disable_atd: yes # V-38640
|
|
security_disable_autofs: yes # V-38437
|
|
security_disable_avahi: yes # V-31618
|
|
security_disable_bluetooth: yes # V-38691
|
|
security_disable_netconsole: yes # v-38672
|
|
security_disable_qpidd: yes # V-38648
|
|
security_disable_rdisc: yes # V-38650
|
|
security_disable_rsh: yes # V-38594
|
|
security_disable_ypbind: yes # V-38604
|
|
security_disable_xinetd: yes # V-38582
|
|
#
|
|
# The STIG recommends ensuring that some services aren't installed at ANY time.
|
|
# Those services are listed here. Setting a boolean here to 'yes' wiil
|
|
# ensure that the STIG is followed and the service is removed. Setting a
|
|
# boolean to 'no' means that the playbook will not alter the service.
|
|
#
|
|
security_remove_ldap_server: yes # V-38627
|
|
security_remove_rsh_server: yes # V-38591
|
|
security_remove_sendmail: yes # V-38671
|
|
security_remove_telnet_server: yes # V-38587
|
|
security_remove_tftp_server: yes # V-38606
|
|
security_remove_xinetd: yes # V-38584
|
|
security_remove_xorg: yes # v-38676
|
|
security_remove_ypserv: yes # V-38603
|
|
#
|
|
# The STIG does not allow the system to run a graphical interface. Set this
|
|
# variable to 'no' if you need a graphical interface on the server.
|
|
security_disable_x_windows: yes # V-38674
|
|
|
|
## SSH configuration
|
|
# The following configuration items will adjust how the ssh daemon is
|
|
# configured. The recommendations from the RHEL 6 STIG are shown below, but
|
|
# they can be adjusted to fit a particular environment.
|
|
#
|
|
# Set a 15 minute time out for SSH sessions if there is no activity
|
|
security_ssh_client_alive_interval: 900 # V-38608
|
|
#
|
|
# Timeout ssh sessions as soon as ClientAliveInterval is reached once
|
|
security_ssh_client_alive_count_max: 0 # V-38610
|
|
#
|
|
# The ssh daemon must not permit root logins. The default value of 'yes' is a
|
|
# deviation from the STIG requirements due to how openstack-ansible operates,
|
|
# especially within OpenStack CI gate jobs. See documentation for V-38613 for
|
|
# more details.
|
|
security_ssh_permit_root_login: 'yes' # V-38613
|
|
|
|
## Kernel
|
|
# Set these booleans to 'yes' to disable the kernel module (following the
|
|
# STIG requirements). Set the boolean to 'no' to ensure no changes are made.
|
|
security_disable_module_bluetooth: yes # V-38682
|
|
security_disable_module_dccp: yes # V-38514
|
|
security_disable_module_rds: yes # V-38516
|
|
security_disable_module_sctp: yes # V-38515
|
|
security_disable_module_tipc: yes # V-38517
|
|
security_disable_module_usb_storage: no # V-38490
|
|
security_disable_icmpv4_redirects: no # V-38524
|
|
security_disable_icmpv4_redirects_secure: no # V-38526
|
|
security_disable_icmpv6_redirects: no # V-38548
|
|
#
|
|
# ** DANGER **
|
|
# It's strongly recommended to fully understand the effects of changing the
|
|
# following sysctl tunables. Refer to the documentation under 'Developer
|
|
# Notes' for each of the STIGs below before making any changes.
|
|
# ** DANGER **
|
|
#
|
|
security_sysctl_enable_tcp_syncookies: yes # V-38539
|
|
security_sysctl_enable_martian_logging: no # V-38528
|
|
#
|
|
# Deployers who wish to disable IPv6 entirely must set this configuration
|
|
# variable to 'yes'. See the documentation for V-38546 before making this
|
|
# change.
|
|
security_disable_ipv6: no # V-38546
|
|
|
|
# Sets the global challenge ACK counter to a large value such
|
|
# that a potential attacker could not reasonably come up against it.
|
|
security_set_tcp_challenge_ack_limit: yes # CVE-2016-5696
|
|
|
|
## Mail
|
|
# The STIG requires inet_interfaces to be set to 'localhost', but Ubuntu will
|
|
# configure it to be 'all' when dpkg-reconfigure is unavailable (as it is when
|
|
# Ansible installs packages). The default here is 'localhost' to meet the STIG
|
|
# requirement, but some deployers may want this set to 'all' if their hosts
|
|
# need to receive emails over the network (which isn't common).
|
|
#
|
|
# See the documentation for V-38622 for more details.
|
|
security_postfix_inet_interfaces: localhost # V-38622
|
|
#
|
|
# Configuring an email address here will cause hosts to forward the root user's
|
|
# email to another address.
|
|
#
|
|
#security_root_forward_email: user@example.com
|
|
|
|
## Linux Security Module (LSM)
|
|
# AppArmor and SELinux provide powerful security controls on a Linux system
|
|
# by setting policies for allowed actions. By setting the following variable
|
|
# to true, the appropriate LSM will be enabled for the Linux distribution:
|
|
#
|
|
# Ubuntu: AppArmor
|
|
# CentOS: SELinux
|
|
#
|
|
# See the openstack-ansible-security documentation for more details.
|
|
security_enable_linux_security_module: yes # V-51337
|
|
|
|
## PAM and authentication
|
|
# V-38497 requires that accounts with null passwords aren't allowed to
|
|
# authenticate via PAM. Ubuntu 14.04's default allows these logins -- see the
|
|
# documentation for V-38497 for more details. Set the variable below to 'yes'
|
|
# to remove 'nullok_secure' from the PAM configuration or set it to 'no' to
|
|
# leave the PAM configuration unaltered.
|
|
security_pam_remove_nullok: yes # V-38497
|
|
#
|
|
# V-38501 requires that failed login attempts must lock a user account using
|
|
# pam_faillock, but Ubuntu doesn't package that PAM module. Instead, fail2ban
|
|
# can be installed to lock out IP addresses with failed logins for 15 minutes.
|
|
# Set the variable below to 'yes' to install and configure fail2ban.
|
|
security_install_fail2ban: no # V-38501
|
|
#
|
|
# The STIG requires bans to last 15 minutes. Adjust the following variable
|
|
# to set the time an IP is banned by fail2ban (in seconds).
|
|
security_fail2ban_bantime: 900 # V-38501
|
|
|
|
## Password complexity and aging
|
|
# V-38475 - There is no password length requirement by default in Ubuntu 14.04.
|
|
# To set a password length requirement, uncomment
|
|
# security_password_minimum_length below. The STIG recommendation is 14
|
|
# characters.
|
|
#security_password_minimum_length: 14 # V-38475
|
|
# V-38477 - There is no password change limitation set by default in Ubuntu. To
|
|
# set the minimum number of days between password changes, uncomment the
|
|
# security_password_minimum_days variable below. The STIG recommendation is 1
|
|
# day.
|
|
#security_password_minimum_days: 1 # V-38477
|
|
# V-38479 - There is no age limit on password by default in Ubuntu. Uncomment
|
|
# line below to use the STIG recommendation of 60 days.
|
|
#security_password_maximum_days: 60 # V-38479
|
|
# V-38480 - To warn users before their password expires, uncomment the line
|
|
# below and they will be warned 7 days prior (following the STIG).
|
|
#security_password_warn_age: 7 # V-38480
|
|
# V-38684 - Setting the maximum number of simultaneous logins per user. The
|
|
# STIG sets a limit of 10.
|
|
#security_max_simultaneous_logins: 10 # V-38684
|
|
# V-38692 - Lock accounts that are inactive for 35 days.
|
|
#security_inactive_account_lock_days: 35 # V-38692
|
|
|
|
## sudo
|
|
# V-58901 requires that 'NOPASSWD' and '!authenticate' do not appear in any
|
|
# sudoers files since they could lead to a compromise. Set the following
|
|
# variables to 'yes' to comment out any lines found with these prohibited
|
|
# parameters or leave them set to 'no' (the default) to leave sudoers files
|
|
# unaltered. Deployers are urged to review the documentation for this STIG
|
|
# before making changes.
|
|
security_sudoers_remove_nopasswd: no # V-58901
|
|
security_sudoers_remove_authenticate: no # V-58901
|
|
|
|
## umask settings
|
|
# The STIG recommends changing various default umask settings for users and
|
|
# daemons via different methods. However, this could cause serious issues for
|
|
# production OpenStack environements which haven't been tested with these
|
|
# changes.
|
|
#
|
|
# The variables below are set to match the STIG requirements, but they are
|
|
# commented out to ensure they require deployers to opt-in for each change. To
|
|
# opt in for one of the changes below, simply uncomment the line and run the
|
|
# playbook. Deployers are strongly advised to review the documentation for
|
|
# these changes and review their systems to ensure these changes won't cause
|
|
# service disruptions.
|
|
#
|
|
# V-38642 - Set umask for daemons in init scripts to 027 or 022
|
|
#security_umask_daemons_init: 027 # V-38642
|
|
#
|
|
# V-38645 - System default umask in /etc/login.defs must be 077
|
|
#security_umask_login_defs: 077 # V-38645
|
|
#
|
|
# V-38649 - System default umask for csh must be 077
|
|
#security_umask_csh: 077 # V-38649
|
|
#
|
|
# V-38651 - System default umask for bash must be 077
|
|
#security_umask_bash: 077 # V-38651
|
|
|
|
## Unattended upgrades (APT) configuration
|
|
security_unattended_upgrades_enabled: false
|
|
security_unattended_upgrades_notifications: false
|