From 31424a42af0af500b3f0b03437da1b445f580892 Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Wed, 25 May 2016 10:06:02 -0500 Subject: [PATCH] Enable LSM instead of checking status This patch enables the appropriate Linux Security Module (LSM) for the system rather than simply checking it. This brings the role more in line with the STIG requirements and allows it to be used as a more generic role in other non-OpenStack-Ansible deployments. It shouldn't affect OpenStack-Ansible deployments since AppArmor is expected to be running in those deployments. Documentation and release notes are included. Change-Id: Ia017f12be0d60ea74b54396bc8278e4db92295ba --- defaults/main.yml | 11 +++ doc/source/configuration.rst | 10 +++ doc/source/developer-notes/V-51337.rst | 39 +++++++-- .../notes/enable-lsm-bae903e463079a3f.yaml | 14 ++++ tasks/lsm.yml | 81 +++++++++++++++++++ tasks/main.yml | 1 + tasks/misc.yml | 41 ---------- tox.ini | 6 +- 8 files changed, 151 insertions(+), 52 deletions(-) create mode 100644 releasenotes/notes/enable-lsm-bae903e463079a3f.yaml create mode 100644 tasks/lsm.yml diff --git a/defaults/main.yml b/defaults/main.yml index a5bf8ae6..20cb5a9a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -232,6 +232,17 @@ security_postfix_inet_interfaces: localhost # V-38622 # #security_root_forward_email: user@example.com +## Linux Security Module (LSM) +# AppArmor and SELinux provide powerful security controls on a Linux system +# by setting policies for allowed actions. By setting the following variable +# to true, the appropriate LSM will be enabled for the Linux distribution: +# +# Ubuntu: AppArmor +# CentOS: SELinux +# +# See the openstack-ansible-security documentation for more details. +security_enable_linux_security_module: yes # V-51337 + ## PAM and authentication # V-38497 requires that accounts with null passwords aren't allowed to # authenticate via PAM. Ubuntu 14.04's default allows these logins -- see the 
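Review bot: `security_enable_linux_security_module: yes # V-51337` uses the YAML 1.1 boolean spelling `yes`, while the developer note and release note in this same patch tell deployers to set the variable to `False`; the new tasks pass it through `| bool`, so either spelling works, but the default should read `security_enable_linux_security_module: true # V-51337` so the defaults file and the docs agree and yamllint's truthy rule is satisfied. The comment block above the variable could also warn what the default does on a host whose LSM is currently disabled, since the V-51337 developer note in this patch says that on CentOS this triggers a full filesystem relabel on the next boot; something like `# Note: on CentOS, enabling a disabled SELinux relabels the filesystem on the next boot.` would save a deployer a surprise.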
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index 1715bc98..d319fd9d 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst @@ -143,6 +143,16 @@ deployers can adjust this by changing ``security_disable_ipv6`` to ``yes``. Core dumps are also disabled by default in the openstack-ansible-security role. +Linux Security Module (LSM) +--------------------------- + +The STIG requires that SELinux is in enforcing mode to provide additional +security against attacks. The security role will enable SELinux on CentOS +systems and enable AppArmor on Ubuntu systems. + +For more information on how these changes are applied, refer to the +documentation for V-51337. + Mail ---- diff --git a/doc/source/developer-notes/V-51337.rst b/doc/source/developer-notes/V-51337.rst index 929a3f5f..a3973060 100644 --- a/doc/source/developer-notes/V-51337.rst +++ b/doc/source/developer-notes/V-51337.rst 
@@ -1,14 +1,39 @@ -Ubuntu loads the AppArmor module by default starting with version 8.04. For -more information, review the `AppArmor documentation`_ on Ubuntu's site. -In addition, the OpenStack-Ansible project configures AppArmor policies -for the LXC containers which run the OpenStack infrastructure. +The tasks in the security role will enable the Linux Security +Module (LSM) that is appropriate for the Linux distribution in use. -The tasks for this STIG will verify that AppArmor is enabled via the -``apparmor_status``. The playbook will fail if AppArmor is found to be -disabled on the host. +For Ubuntu, the default LSM is AppArmor. Refer to Ubuntu's `AppArmor +documentation`_ for more details on how AppArmor works. The tasks will enable +AppArmor and start it immediately on the system. + +For CentOS, the default LSM is SELinux. Refer to Red Hat's `Security-Enhanced +Linux`_ documentation for more details on SELinux. The tasks will enable +SELinux on the next boot. + +.. note:: + + **If SELinux was disabled before the security role was applied, the + filesystem will be automatically relabeled on the next boot.** For most + systems, this process only takes a few minutes. However, it can take + additional time to finish on systems with slow disks or a large number of + files. + + Deployers are strongly urged to relabel the filesystem if the system has + never had SELinux in enforcing mode previously. Rebooting into enforcing + mode with a partially-labeled filesystem can lead to unnecessary SELinux + policy denials. + +Deployers can opt-out of this change by setting the following Ansible variable: + +.. code-block:: yaml + + security_enable_linux_security_module: False + +Setting the variable to ``False`` will prevent the tasks from making any +adjustments to the LSM status. On CentOS 7, the security role will verify that SELinux is in *Enforcing* mode. If SELinux is in *Disabled* or *Permissive* mode, the playbook will fail with an error message. .. 
_AppArmor documentation: https://help.ubuntu.com/community/AppArmor
+.. _Security-Enhanced Linux: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/
diff --git a/releasenotes/notes/enable-lsm-bae903e463079a3f.yaml b/releasenotes/notes/enable-lsm-bae903e463079a3f.yaml
new file mode 100644
index 00000000..64b945dd
--- /dev/null
+++ b/releasenotes/notes/enable-lsm-bae903e463079a3f.yaml
@@ -0,0 +1,14 @@
+---
+features:
+ - |
+ The Linux Security Module (LSM) that is appropriate for the Linux
+ distribution in use will be automatically enabled by the security role by
+ default. Deployers can opt out of this change by setting the following
+ Ansible variable:
+
+ .. code-block:: yaml
+
+ security_enable_linux_security_module: False
+
+ The documentation for STIG V-51337 has more information about how each
+ LSM is enabled along with special notes for SELinux.
diff --git a/tasks/lsm.yml b/tasks/lsm.yml
new file mode 100644
index 00000000..2ddd85a5
--- /dev/null
+++ b/tasks/lsm.yml
@@ -0,0 +1,81 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Install packages for AppArmor support (for V-51337)
+ apt:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - apparmor
+ - apparmor-profiles
+ - apparmor-utils
+ when:
+ - ansible_os_family == "Debian"
+ - security_enable_linux_security_module | bool
+ tags:
+ - cat2
+ - V-51337
+
+- name: Ensure AppArmor is running (for V-51337)
+ service:
+ name: apparmor
+ state: started
+ enabled: yes
+ when:
+ - ansible_os_family == "Debian"
+ - security_enable_linux_security_module | bool
+ tags:
+ - cat2
+ - V-51337
+
+- name: Install packages for SELinux support (for V-51337)
+ yum:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - libselinux-python
+ - policycoreutils-python
+ - selinux-policy
+ - selinux-policy-targeted
+ when:
+ - ansible_os_family == "RedHat"
+ - security_enable_linux_security_module | bool
+ tags:
+ - cat2
+ - V-51337
+
+- name: Ensure SELinux is in enforcing mode on the next reboot (for V-51337)
+ selinux:
+ state: enforcing
+ policy: targeted
+ register: selinux_status_change
+ when:
+ - ansible_os_family == "RedHat"
+ - security_enable_linux_security_module | bool
+ tags:
+ - cat2
+ - V-51337
+
+- name: Relabel files on next boot if SELinux mode changed (for V-51337)
+ file:
+ path: /.autorelabel
+ state: touch
+ when:
+ - ansible_os_family == "RedHat"
+ - security_enable_linux_security_module | bool
+ - selinux_status_change | changed
+ tags:
+ - cat2
+ - V-51337
diff --git a/tasks/main.yml b/tasks/main.yml
index 6a317253..4fa6f443 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -55,6 +55,7 @@
 - include: console.yml
 - include: file_perms.yml
 - include: kernel.yml
+ - include: lsm.yml
 - include: mail.yml
 - include: misc.yml
 - include: nfsd.yml
diff --git a/tasks/misc.yml b/tasks/misc.yml
index b9067a22..da950a1d 100644
--- a/tasks/misc.yml
+++ b/tasks/misc.yml
@@ -412,44 +412,3 @@
 tags:
 - cat2
 - V-38674
-
-- name: Check if AppArmor is running (for V-51337)
- shell: "apparmor_status 2>&1 | head -n 1"
- register: v51337_result
- changed_when: False
- always_run: True
- when: ansible_pkg_mgr == 'apt'
- tags:
- - cat2
- - V-51337
-
-- name: V-51337 - The system must use a Linux Security Module at boot time
- fail:
- msg: "FAILED: AppArmor isn't enabled"
- when:
- - ansible_pkg_mgr == 'apt'
- "'apparmor module is loaded' not in v51337_result.stdout"
- tags:
- - cat2
- - V-51337
-
-
-- name: Check if SELinux is enforcing (for V-51337)
- command: getenforce
- register: v51337_result
- changed_when: False
- always_run: True
- when: ansible_pkg_mgr == 'yum'
- tags:
- - cat2
- - V-51337
-
-- name: V-51337 - The system must use a Linux Security Module at boot time
- fail:
- msg: "FAILED: SELinux is not in enforcing mode."
- when:
- - ansible_pkg_mgr == 'yum'
- "'Enforcing' not in v51337_result.stdout"
- tags:
- - cat2
- - V-51337
diff --git a/tox.ini b/tox.ini
index bbe6b89e..84442333 100644
--- a/tox.ini
+++ b/tox.ini
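Review bot: The relabel task touches `/.autorelabel` whenever the `selinux` task reports a change, but the `selinux` module also reports a change when a host merely moves from permissive to enforcing on an already-labeled filesystem, which then forces a full relabel on the next boot that the developer note itself says is only needed for systems that were disabled. Gate the touch on the pre-run state as well, i.e. keep `- selinux_status_change | changed` and add `- ansible_selinux.status == 'disabled'` to that task's `when` list. If facts are gathered before `libselinux-python` is installed, `ansible_selinux` may not carry a usable status on the first run, so a `setup` re-gather after the package task (or a defensive default on the fact) is worth checking. Separately, the paragraph kept as context at the end of the `doc/source/developer-notes/V-51337.rst` hunk still says the playbook fails when SELinux is permissive, which these tasks no longer do; it should be removed or reworded.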
@@ -105,9 +105,7 @@ commands =
 # NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now building
 # images with apt config Apt::Get::AllowUnauthenticated set
 # to true.
-# NOTE(mhayden): V-51337: OpenStack infra images don't have AppArmor
-# enabled, so it must be skipped.
-# V-38674: OpenStack infra images have graphical target
+# NOTE(mhayden): V-38674: OpenStack infra images have graphical target
 # enabled, so it must be skipped.
 # V-38574: OpenStack infra images have non-standard pam
 # configurations that don't match a standard CentOS 7 server
@@ -118,7 +116,7 @@ commands =
 {homedir}/.ansible/plugins
 ansible-playbook -i {toxinidir}/tests/inventory \
 -e "rolename={toxinidir}" \
- --skip-tag V-38462,V-51337,V-38574,V-38674 \
+ --skip-tag V-38462,V-38574,V-38674 \
 {toxinidir}/tests/test.yml