From 27fb9a5cfb81911fa7e360eca37f63045c97153f Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Wed, 7 Oct 2015 17:08:21 -0500
Subject: [PATCH] V-3862{5,6,7}: LDAP server security

Implements: blueprint security-hardening
Change-Id: Ia36dc2c5f65b82a5756f2f221cebfb7b6bab1912
---
 doc/source/developer-notes/V-38625.rst | 8 ++++++++
 doc/source/developer-notes/V-38626.rst | 1 +
 doc/source/developer-notes/V-38627.rst | 8 ++++++++
 openstack-ansible-security/defaults/main.yml | 3 ++-
 openstack-ansible-security/tasks/services.yml | 10 ++++++++++
 5 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 doc/source/developer-notes/V-38625.rst
 create mode 120000 doc/source/developer-notes/V-38626.rst
 create mode 100644 doc/source/developer-notes/V-38627.rst

diff --git a/doc/source/developer-notes/V-38625.rst b/doc/source/developer-notes/V-38625.rst
new file mode 100644
index 00000000..18a73677
--- /dev/null
+++ b/doc/source/developer-notes/V-38625.rst
@@ -0,0 +1,8 @@
+**Exception**
+
+Neither Ubuntu 14.04 or openstack-ansible configures LDAP authentication by
+default. Deployers that use LDAP authentication for systems are strongly
+urged to use TLS connectivity between client hosts and LDAP servers to
+prevent eavesdroppers on the network from reading the authentication attempts
+as they are made. The certificates on the LDAP server must be trusted by
+each client.
diff --git a/doc/source/developer-notes/V-38626.rst b/doc/source/developer-notes/V-38626.rst
new file mode 120000
index 00000000..88f29fe2
--- /dev/null
+++ b/doc/source/developer-notes/V-38626.rst
@@ -0,0 +1 @@
+V-38625.rst
\ No newline at end of file
diff --git a/doc/source/developer-notes/V-38627.rst b/doc/source/developer-notes/V-38627.rst
new file mode 100644
index 00000000..879c5c21
--- /dev/null
+++ b/doc/source/developer-notes/V-38627.rst
@@ -0,0 +1,8 @@
+The STIG requires that any LDAP server packages on the system are removed.
+The Ansible role will remove ``slapd`` from the server if it is present.
+
+To opt-out of this change, set the following Ansible variable to ``no``:
+
+.. code-block:: yaml
+
+    remove_services['ldap-server']: no
diff --git a/openstack-ansible-security/defaults/main.yml b/openstack-ansible-security/defaults/main.yml
index 7d247c16..8c899612 100644
--- a/openstack-ansible-security/defaults/main.yml
+++ b/openstack-ansible-security/defaults/main.yml
@@ -44,11 +44,12 @@ disable_services:
 # boolean to 'no' means that the playbook will not alter the service.
 #
 remove_services:
-  ypserv: yes  # V-38603
   rsh-server: yes  # V-38591
+  ldap-server: yes  # V-38627
   telnet_server: yes  # V-38587
   tftp-server: yes  # V-38606
   xinetd: yes  # V-38584
+  ypserv: yes  # V-38603
 
 ## Additional rules for auditd
 # The following booleans control the rule sets added to auditd's default
diff --git a/openstack-ansible-security/tasks/services.yml b/openstack-ansible-security/tasks/services.yml
index 7138105c..e56ae062 100644
--- a/openstack-ansible-security/tasks/services.yml
+++ b/openstack-ansible-security/tasks/services.yml
@@ -118,3 +118,13 @@
       - services
       - cat3
       - V-38618
+
+- name: V-38627 - Remove LDAP servers unless required
+  apt:
+    name: slapd
+    state: absent
+  when: remove_services['ldap-server'] | bool
+  tags:
+    - services
+    - cat3
+    - V-38627
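Review bot: The new `ldap-server: yes` key joins a mapping that deployers cannot override one entry at a time: under Ansible's default (replace, not merge) handling of dictionary variables, a vars file that defines `remove_services` with only the LDAP key leaves `rsh-server`, `tftp-server` and the rest undefined, so the sibling removal tasks that subscript them would fail rather than keep their defaults — unless the deployment sets hash_behaviour to merge, which this hunk does not show. The header comment above `remove_services:` (its start is outside the hunk) reads as if a single boolean can be flipped, so a one-line note would prevent that mistake, e.g. `# Override this mapping as a whole (copy every key); Ansible replaces dicts, it does not merge them.`. A minor style point: the file uses `yes` for booleans throughout, so the new entry is consistent, but `true`/`false` would survive YAML 1.2 parsers unchanged if the file is ever linted with truthy checks.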
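Review bot: `state: absent` on `slapd` removes the package but not its configuration or directory database (apt only purges when asked), so after the task reports success any account data and credentials held in that directory remain on disk for a later reinstall or offline read, which is weaker than the "packages are removed" wording of V-38627 that this task cites. Either add `purge: yes` to the `apt:` call so the removal matches the STIG intent, or, if leaving deployer data untouched is the deliberate choice, record it with a comment such as `# config and database are left in place on purpose; purge is a destructive, manual step`. The task also targets only the `slapd` package name, which is presumably the only LDAP server package this Ubuntu-focused role expects; if other LDAP server packages are in scope that should be noted next to `name: slapd`.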