Docs: Update dev notes for Cat 3 controls

This patch updates the documentation for the developer notes associated
with the Cat 3 (High) controls applied by the security role.

Partial-bug: 1583744

Change-Id: Ia7dad9e8d1871cfa6d0408c329d6f771704e8d96
Major Hayden 2016-05-19 15:06:57 -05:00 committed by Amy Marrich (spotz)
parent 490d2f4bd8
commit 32ce224637
13 changed files with 75 additions and 76 deletions

@ -1,9 +1,17 @@
Ubuntu checks packages against GPG signatures by default. It can be turned
off for all package installations by a setting in /etc/apt/apt.conf.d/ and we
search for that in the Ansible task. A warning is printed if the
``AllowUnauthenticated`` configuration option is present in the apt
configuration directories.
All versions of Ubuntu and CentOS supported by the role verify packages against
GPG signatures by default.
Please note that users can pass an argument on the apt command line
to bypass the checks as well, but that's outside the scope of this check
and remediation.
Deployers can disable GPG verification for all packages in Ubuntu by setting
the ``AllowUnauthenticated`` configuration option in a file within
``/etc/apt/apt.conf.d/``. The Ansible tasks will search for this configuration
option and will stop the playbook execution if the option is set. Note
that users can pass an argument on the apt command line to bypass the checks as
well, but that's outside the scope of this check and remediation.
In CentOS, deployers can set ``gpgcheck=0`` within individual yum repository
files in ``/etc/yum.repos.d/`` to disable GPG signature checking. The Ansible
tasks will check for this configuration option in those files and stop the
playbook execution.
Deployers can use ``--skip-tags V-38462`` to omit these tasks when applying the
security role on systems where GPG verification must be disabled.
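Review bot: the Ubuntu paragraph says the tasks stop the play if the ``AllowUnauthenticated`` option "is set", while the removed text said a warning was printed when the option "is present"; state which condition actually triggers the failure (any occurrence of the option, or only a value that enables it), because a deployer who has explicitly written a disabling value needs to know whether they will be blocked. The CentOS paragraph only covers ``gpgcheck=0`` in repository files under ``/etc/yum.repos.d/``; say whether a global ``gpgcheck=0`` in the main yum configuration (``/etc/yum.conf``) is also detected, or note that it is out of scope in the same way the apt command-line bypass is.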

@ -1,21 +1,7 @@
The STIG talks about yum having the RHN GPG keys installed, but this
requirement has been adapted to check for the Ubuntu signing keys normally
present in Ubuntu 14.04.
The security role verifies that the GPG keys that correspond to each supported
Linux distribution are installed on each host. If the GPG keys are not found,
or if they differ from the list of trusted GPG keys, the playbook execution
will stop.
See ``tasks/apt.yml`` for more details::
# apt-key list
/etc/apt/trusted.gpg
--------------------
pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub 2048g/79164387 2004-09-12
pub 1024D/FBB75451 2004-12-30
uid Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>
pub 4096R/C0B21F32 2012-05-11
uid Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>
pub 4096R/EFE21092 2012-05-11
uid Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
Deployers can skip this task (and avoid this failure) by using ``--skip-tags
V-38476`` when they are applying the security role.
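Review bot: the new text says execution stops when the installed keys "differ from the list of trusted GPG keys" but no longer says where that list is defined; the removed text at least pointed at ``tasks/apt.yml`` and showed the expected key IDs. Keep a pointer to the task file or variable that holds the trusted keys for each supported distribution so deployers can audit the list before the play fails, and say whether ``--skip-tags V-38476`` is the only way to proceed on hosts that legitimately carry additional or rotated keys.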

@ -1,4 +1,6 @@
The Ansible task will check for the presence of ``/etc/hosts.equiv`` and
``/root/.rhosts``. Both of those files could potentially be used with ``rsh``
for host access, but ``rshd`` is not installed by default with Ubuntu 14.04
or openstack-ansible.
for host access.
The ``rshd`` daemon is not installed by default with Ubuntu 14.04, Ubuntu
16.04, CentOS 7, or OpenStack-Ansible.
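Review bot: the task is described as checking "for the presence" of ``/etc/hosts.equiv`` and ``/root/.rhosts``, but the text never says what happens when one is found (warn, fail the play, or remove the file); state the action, as the GPG notes in this change do. Minor: "could potentially be used" can be shortened to "could be used".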

@ -1,8 +1,6 @@
**Fixed by another STIG**
**Fixed by V-38587**
Neither Ubuntu or openstack-ansible installs the telnet daemon by default.
Running a telnet daemon isn't recommended under most situations, so the
telnet server package will be removed from the system if it is installed.
The telnet server is removed by the Ansible tasks for V-38587, so no action
is required here.
Running a telnet daemon isn't recommended under most situations, so the telnet
server package will be removed from the system if it is installed. The telnet
server is removed by the Ansible tasks for V-38587, so no action is required
here.
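Review bot: the retained sentence says "the telnet server package will be removed from the system if it is installed" without naming the package, and this note now has to cover CentOS 7 as well as Ubuntu; give the package name that the V-38587 tasks remove on each distribution so a reader can confirm the result with their package manager. Minor: "isn't recommended under most situations" is colloquial for reference documentation; "is not recommended" is enough.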

@ -1,8 +1,5 @@
**Fixed by another STIG**
**Fixed by V-38591**
Neither Ubuntu or openstack-ansible installs the rsh daemon by default.
Running a rsh daemon isn't recommended under most situations, so the
rsh server package will be removed from the system if it is installed.
The rsh server is removed by the Ansible tasks for V-38591, so no action
is required here.
Running a rsh daemon isn't recommended under most situations, so the rsh server
package will be removed from the system if it is installed. The rsh server is
removed by the Ansible tasks for V-38591, so no action is required here.
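Review bot: grammar in the retained sentence: "Running a rsh daemon" should be "an rsh daemon", since the initialism is read letter by letter; the same phrase recurs in the ``rexecd`` and ``rlogind`` notes in this change, so fix it in all three. Because this note and the two that follow all defer to V-38591, consider linking to that control's note instead of repeating the removal sentence in each file, which is how the wording has already started to drift.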

@ -1,10 +1,8 @@
**Fixed by another STIG**
**Fixed by V-38591**
The ``rexecd`` daemon is part of the package that contains the ``rsh`` daemon.
On Ubuntu, the ``rexecd`` daemon is part of the package that contains the
``rsh`` daemon. CentOS 7 doesn't provide the ``rexecd`` daemon in any packages.
Neither Ubuntu or openstack-ansible installs the rsh daemon by default.
Running a rsh daemon isn't recommended under most situations, so the
rsh server package will be removed from the system if it is installed.
The rsh server is removed by the Ansible tasks for V-38591, so no action
is required here.
Running a rsh daemon isn't recommended under most situations, so the rsh server
package will be removed from the system if it is installed. The rsh server is
removed by the Ansible tasks for V-38591, so no action is required here.
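Review bot: the sentence "CentOS 7 doesn't provide the ``rexecd`` daemon in any packages." leaves the control's status on CentOS implicit; add that no action is therefore needed on CentOS and that the V-38591 removal applies to Ubuntu, otherwise the closing "so no action is required here" appears to rest on the Ubuntu package alone. Style: this note says "On Ubuntu" while the ``rlogind`` note in the same change says "In Ubuntu"; pick one.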

@ -1,10 +1,9 @@
**Fixed by another STIG**
**Fixed by V-38591**
The ``rlogind`` daemon is part of the package that contains the ``rsh`` daemon.
In Ubuntu, the ``rlogind`` daemon is part of the package that contains the
``rsh`` daemon. CentOS 7 does not provide the ``rlogind`` daemon in any
packages.
Neither Ubuntu or openstack-ansible installs the rsh daemon by default.
Running a rsh daemon isn't recommended under most situations, so the
rsh server package will be removed from the system if it is installed.
The rsh server is removed by the Ansible tasks for V-38591, so no action
is required here.
Running a rsh daemon isn't recommended under most situations, so the rsh server
package will be removed from the system if it is installed. The rsh server is
removed by the Ansible tasks for V-38591, so no action is required here.
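Review bot: as with the ``rexecd`` note, the statement that CentOS 7 "does not provide the ``rlogind`` daemon in any packages" should be followed by what that means for the control on CentOS (nothing to remove, so it is met by default) before the text falls back to the V-38591 removal. Style: this note uses "does not provide" where the ``rexecd`` note uses "doesn't provide"; the three rsh-family notes now differ only in the daemon name, so align their wording or share one note.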

@ -1 +1,2 @@
The tasks in sshd.yml will ensure that SSH does uses protocol version 2.
The tasks in ``sshd.yml`` will ensure that SSH requires all connections to use
protocol version 2.

@ -1 +1 @@
The tasks in sshd.yml will ensure that SSH does not allow empty passwords.
The tasks in ``sshd.yml`` will ensure that SSH does not allow empty passwords.

@ -1,5 +1,5 @@
**Exception**
The openstack-ansible project doesn't install snmpd by default, and neither
does Ubuntu 14.04. Deployers are strongly recommended to use SNMPv3 with
strong passwords for all connectivity if they choose to install snmpd.
The OpenStack-Ansible project doesn't install snmpd by default. Deployers are
strongly recommended to use SNMPv3 with strong passwords for all connectivity
if they choose to install snmpd.
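Review bot: "SNMPv3 with strong passwords" understates the recommendation; since the point of this exception is that the deployer takes on the hardening, say that the authenticated and encrypted (authPriv) security level should be used rather than authentication alone, and that community-string based SNMPv1 and SNMPv2c access should be disabled when snmpd is installed. The removed text also stated the operating-system default; if Ubuntu 16.04 and CentOS 7 also do not ship snmpd by default, the new wording could say so in the same "none of the supported operating systems" form the tftp note in this change uses.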

@ -1,10 +1,14 @@
**Exception**
Installing an antivirus program on openstack-ansible infrastructure is left
up to the deployer. There are strong arguments against virus scanners due to
detection failures and performance impacts.
The installation of an antivirus program is left up to the deployer. There are
strong arguments against virus scanners due to detection failures and
performance impacts.
For deployers who require an antivirus solution, refer to the suggestions and
examples in `Ubuntu's documentation on antivirus software`_.
The following links provide more information about installing antivirus
software on Ubuntu and CentOS:
.. _Ubuntu's documentation on antivirus software: https://help.ubuntu.com/community/Antivirus
* `Ubuntu documentation - Antivirus`_
* `CentOS Blog - How to Install ClamAV and Configure Daily Scanning on CentOS`_
.. _Ubuntu documentation - Antivirus: https://help.ubuntu.com/community/Antivirus
.. _CentOS Blog - How to Install ClamAV and Configure Daily Scanning on CentOS: https://www.centosblog.com/how-to-install-clamav-and-configure-daily-scanning-on-centos/
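Review bot: "There are strong arguments against virus scanners due to detection failures and performance impacts" is an unsupported assertion in a document that otherwise describes what the role does; either cite the arguments or soften it to "deployers should weigh detection coverage against performance impact". The second link points at a third-party blog; for a security control it is better to reference the ClamAV project's own documentation or the distribution's documentation, since blog content can change or disappear without notice.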

@ -1,3 +1,7 @@
The control-alt-delete keyboard sequence is disable by an Ansible task in
``/etc/init/control-alt-delete.conf``. A reboot is recommended to apply the
change.
In Ubuntu 14.04, the Ansible tasks disable the control-alt-delete keyboard
sequence via a configuration in ``/etc/init/control-alt-delete.conf``. A
reboot is recommended to apply the change.
Linux distributions that use systemd, such as Ubuntu 16.04 and CentOS 7,
disable the key sequence by masking the ``ctrl-alt-del.target`` with
``systemctl``.
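Review bot: the systemd paragraph says the key sequence is disabled by masking ``ctrl-alt-del.target`` but, unlike the Ubuntu 14.04 paragraph, does not say whether a reboot or a ``systemctl daemon-reload`` is needed for the change to take effect; state it for both paths so the two paragraphs are parallel. The new sentence also reads as if the distributions disable the sequence themselves; "on systemd-based distributions such as Ubuntu 16.04 and CentOS 7, the Ansible tasks disable the key sequence by masking ..." keeps the actor clear, matching the first paragraph.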

@ -1,4 +1,6 @@
**Exception**
Neither Ubuntu 14.04 nor openstack-ansible adds a tftp daemon to the system.
The xinetd service is also not installed.
Neither OpenStack-Ansible or any of the operating systems supported by the
security role will install the tftp daemon by default. Deployers with a tftp
server deployed should review the risks associated with running the service and
configure it to meet the STIG's requirements.
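Review bot: grammar: "Neither OpenStack-Ansible or any of the operating systems" should be "Neither ... nor". The removed text also stated that xinetd is not installed; since a tftp daemon is commonly launched from xinetd, say whether the check covers an xinetd-managed tftp service or make clear that the xinetd statement was dropped deliberately. "Deployers with a tftp server deployed" repeats "deploy"; "Deployers who run a tftp server" reads better.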