From 0a7a9932a0faee84d2d226601bb5fa1a8d64ae90 Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Wed, 12 Oct 2016 13:22:25 -0500 Subject: [PATCH] Security: Add tasks for RHEL-07-010020 This patch adds tasks which check for files that have been modified since their packages were installed. This can sometimes be sign of compromise. Any files failing checksum validation are displayed for the deployer to review. Implements: blueprint security-rhel7-stig Change-Id: I5ccc375ecb08e51c51dab80b47a190050731f700 --- doc/metadata/rhel7/RHEL-07-010020.rst | 16 +++++-- tasks/rhel7stig/apt.yml | 62 +++++++++++++++++++++++++++ tasks/rhel7stig/main.yml | 12 ++++++ tasks/rhel7stig/rpm.yml | 44 +++++++++++++++++++ 4 files changed, 131 insertions(+), 3 deletions(-) create mode 100644 tasks/rhel7stig/apt.yml create mode 100644 tasks/rhel7stig/rpm.yml diff --git a/doc/metadata/rhel7/RHEL-07-010020.rst b/doc/metadata/rhel7/RHEL-07-010020.rst index d1b6233d..7ab5cce1 100644 --- a/doc/metadata/rhel7/RHEL-07-010020.rst +++ b/doc/metadata/rhel7/RHEL-07-010020.rst @@ -1,7 +1,17 @@ --- id: RHEL-07-010020 -status: not implemented -tag: misc +status: implemented +tag: packages --- -This STIG requirement is not yet implemented. +Ansible tasks will check the ``rpm -Va`` output (on CentOS and RHEL) or the +output of ``debsums`` (on Ubuntu) to see if any files installed from packages +have been altered. The tasks will print a list of files that have changed +since their package was installed. + +Deployers should be most concerned with any checksum failures for binaries and +their libraries. These are most often a sign of system compromise or poor +system administration practices. + +Configuration files may appear in the list as well, but these are often less +concerning since some of these files are adjusted by the security role itself. diff --git a/tasks/rhel7stig/apt.yml b/tasks/rhel7stig/apt.yml new file mode 100644 index 00000000..e4acfb13 --- /dev/null +++ b/tasks/rhel7stig/apt.yml @@ -0,0 +1,62 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: Ensure debsums is installed + apt: + name: debsums + state: installed + +- name: Gather debsums report + shell: "debsums > {{ temp_dir }}/debsums.txt" + changed_when: False + failed_when: False + when: + - not check_mode | bool + +- name: RHEL-07-010020 - Get files with invalid checksums (apt) + shell: "grep -v OK$ {{ temp_dir }}/debsums.txt | awk '{ print $1 }'" + register: rhel_07_010020_files + changed_when: False + when: + - not check_mode | bool + - ansible_os_family | lower == 'debian' + tags: + - high + - RHEL-07-010020 + +- name: RHEL-07-010020 - Create comma-separated list + set_fact: + rhel_07_010020_violations: "{{ rhel_07_010020_files.stdout_lines | default([]) | join(', ') }}" + when: + - rhel_07_010020_files is defined + - rhel_07_010020_files.stdout_lines | length > 0 + tags: + - high + - RHEL-07-010020 + +- name: RHEL-07-010020 - The cryptographic hash of system files and commands must match vendor values (apt) + debug: + msg: > + The following files have checksums that differ from the checksum provided + with their package. Each of these should be verified manually to ensure + they have not been modified by an unauthorized user: + {{ rhel_07_010020_violations }} + when: + - ansible_os_family | lower == 'debian' + - rhel_07_010020_files is defined + - rhel_07_010020_files.stdout_lines | length > 0 + tags: + - high + - RHEL-07-010020 diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml index db9b55b4..44da204e 100644 --- a/tasks/rhel7stig/main.yml +++ b/tasks/rhel7stig/main.yml @@ -42,10 +42,22 @@ - always - skip_ansible_lint +- include: apt.yml + when: + - ansible_os_family | lower == 'debian' + tags: + - apt + - include: file_perms.yml tags: - file_perms +- include: rpm.yml + when: + - ansible_os_family | lower == 'redhat' + tags: + - rpm + - name: Remove the temporary directory file: path: "{{ temp_dir }}" diff --git a/tasks/rhel7stig/rpm.yml b/tasks/rhel7stig/rpm.yml new file mode 100644 index 00000000..9f554bf1 --- /dev/null +++ b/tasks/rhel7stig/rpm.yml @@ -0,0 +1,44 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: RHEL-07-010020 - Get files with invalid checksums (rpm) + shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" + register: rhel_07_010020_files + changed_when: False + when: + - not check_mode | bool + - ansible_os_family | lower == 'redhat' + tags: + - high + - RHEL-07-010020 + +- name: RHEL-07-010020 - The cryptographic hash of system files and commands must match vendor values (rpm) + debug: + msg: | + The following files have checksums that differ from the checksum provided + with their package. Each of these should be verified manually to ensure + they have not been modified by an unauthorized user. + + {% for filename in rhel_07_010020_files.stdout_lines %} + {{ filename }} + {% endfor %} + when: + - not check_mode | bool + - ansible_os_family | lower == 'redhat' + - rhel_07_010020_files is defined + - rhel_07_010020_files.stdout_lines | length > 0 + tags: + - high + - RHEL-07-010020