Merge "V-3864{2,5,7,9}, V-38651: Umask adjustments"

defaults/main.yml

@@ -250,3 +250,28 @@ aide_exclude_dirs:
   - /var/lib/lxc
   - /openstack
   - /opt
+
+## umask settings
+# The STIG recommends changing various default umask settings for users and
+# daemons via different methods. However, this could cause serious issues for
+# production OpenStack environements which haven't been tested with these
+# changes.
+#
+# The variables below are set to match the STIG requirements, but they are
+# commented out to ensure they require deployers to opt-in for each change. To
+# opt in for one of the changes below, simply uncomment the line and run the
+# playbook. Deployers are strongly advised to review the documentation for
+# these changes and review their systems to ensure these changes won't cause
+# service disruptions.
+#
+# V-38642 - Set umask for daemons in init scripts to 027 or 022
+#umask_daemons_init: 027                          # V-38642
+#
+# V-38645 - System default umask in /etc/login.defs must be 077
+#umask_login_defs: 077                            # V-38645
+#
+# V-38649 - System default umask for csh must be 077
+#umask_csh: 077                                   # V-38649
+#
+# V-38651 - System default umask for bash must be 077
+#umask_bash: 077                                  # V-38651

doc/source/developer-notes/V-38642.rst

@@ -0,0 +1,7 @@
+The STIG requires that daemons have their umask set to ``027`` or ``022``.
+Since changing umasks can disrupt some systems, this is an opt-in change.
+
+Deployers that want this change applied to their systems must set the
+Ansible variable ``umask_daemons_init`` to ``027``. The current default
+for Ubuntu 14.04 is ``027`` already, so deployers do not need to make any
+adjustments to Ansible variables to meet the STIG requirement.

doc/source/developer-notes/V-38645.rst

@@ -1,4 +1,8 @@
-Audit rules are added in a task so that any events associated with the
-discretionary access controls (DAC) permission modifications via chown
-are logged. The new audit rule will be loaded immediately with
-``augenrules --load``.
+**Exception**
+
+Ubuntu's default umask setting in ``/etc/login.defs`` is ``022``, but the STIG
+requires ``077`` to be set. Since changing umask settings can disrupt some
+systems, this change requires a deployer to opt-in.
+
+To opt-in for this change and adjust the umask, the Ansible variable
+``umask_login_defs`` must be set to ``077``.

doc/source/developer-notes/V-38647.rst

@@ -0,0 +1,5 @@
+**Fixed by another STIG**
+
+Ubuntu 14.04 doesn't use umask settings in ``/etc/profile``. Those settings
+are expected to be in ``/etc/login.defs`` instead.  See V-38645 for more
+details.

doc/source/developer-notes/V-38649.rst

@@ -0,0 +1,11 @@
+**Opt-in required**
+
+Neither Ubuntu or openstack-ansible installs the csh shell by default.
+
+Since umask changes can be disruptive on some systems, the deployer must
+opt-in for this change to happen. If the ``umask_csh`` Ansible variable is
+set **and** the csh package is installed, the Ansible tasks will ensure the
+appropriate umask is set in the csh configuration file.
+
+If users have an active csh shell session, they will need to logout and create
+a new session to pick up the new umask change.

doc/source/developer-notes/V-38651.rst

@@ -0,0 +1,5 @@
+**Opt-in required**
+
+Changing the umask for the bash shell is an opt-in setting. Deployers that
+want to set the umask for bash sessions to match the STIG requirement must
+set the Ansible variable ``umask_bash`` to ``077``.

tasks/file_perms.yml

@@ -116,3 +116,69 @@
     - file_perms
     - cat2
     - V-38623
+
+# BEGIN: UMASK ADJUSTMENTS ####################################################
+# Please read the documentation and the comments in defaults/main.yml prior
+# to making any umask-related changes.
+
+# Ubuntu 14.04's default umask in /etc/init.d/rc is 022 already.
+- name: V-38642 - System default umask for daemons must be 027 or 022
+  lineinfile:
+    dest: /etc/init.d/rc
+    regexp: "^umask "
+    line: "umask {{ umask_daemons_init }}"
+  when: umask_daemons_init is defined
+  tags:
+    - file_perms
+    - cat3
+    - V-38642
+
+# Ubuntu 14.04's default umask in /etc/login.defs is 022
+- name: V-38645 - System default umask in /etc/login.defs must be 077
+  lineinfile:
+    dest: /etc/login.defs
+    regexp: "^UMASK"
+    line: "UMASK {{ umask_login_defs }}"
+  when: umask_login_defs is defined
+  tags:
+    - file_perms
+    - cat3
+    - V-38645
+
+# Ubuntu 14.04 and openstack-ansible don't install csh by default. We will
+# check if csh is installed and then apply the umask setting if needed.
+- name: Check if csh is installed (for V-38649)
+  shell: dpkg --status csh | grep ^Status | grep "ok installed"
+  register: v38649_result
+  changed_when: False
+  failed_when: False
+  when: umask_csh is defined
+  tags:
+    - file_perms
+    - cat3
+    - V-38649
+
+- name: V-38649 - System default umask for csh must be 077
+  lineinfile:
+    dest: /etc/csh.cshrc
+    regexp: "^(#)?umask"
+    line: "umask {{ umask_csh }}"
+    create: yes
+  when: umask_csh is defined and v38649_result.rc == 0
+  tags:
+    - file_perms
+    - cat3
+    - V-38649
+
+- name: V-38651 - System default umask for bash must be 077
+  lineinfile:
+    dest: /etc/bash.bashrc
+    regexp: "^(#)?umask"
+    line: "umask {{ umask_bash }}"
+  when: umask_bash is defined
+  tags:
+    - file_perms
+    - cat3
+    - V-38651
+
+# END: UMASK ADJUSTMENTS ######################################################