diff --git a/doc/source/developer-notes/V-38462.rst b/doc/source/developer-notes/V-38462.rst index 13834fd1..464a3ed1 100644 --- a/doc/source/developer-notes/V-38462.rst +++ b/doc/source/developer-notes/V-38462.rst @@ -1,9 +1,17 @@ -Ubuntu checks packages against GPG signatures by default. It can be turned -off for all package installations by a setting in /etc/apt/apt.conf.d/ and we -search for that in the Ansible task. A warning is printed if the -``AllowUnauthenticated`` configuration option is present in the apt -configuration directories. +All versions of Ubuntu and CentOS supported by the role verify packages against +GPG signatures by default. -Please note that users can pass an argument on the apt command line -to bypass the checks as well, but that's outside the scope of this check -and remediation. +Deployers can disable GPG verification for all packages in Ubuntu by setting +the ``AllowUnauthenticated`` configuration option in a file within +``/etc/apt/apt.conf.d/``. The Ansible tasks will search for this configuration +option and will stop the playbook execution if the option is set. Note +that users can pass an argument on the apt command line to bypass the checks as +well, but that's outside the scope of this check and remediation. + +In CentOS, deployers can set ``gpgcheck=0`` within individual yum repository +files in ``/etc/yum.repos.d/`` to disable GPG signature checking. The Ansible +tasks will check for this configuration option in those files and stop the +playbook execution. + +Deployers can use ``--skip-tags V-38462`` to omit these tasks when applying the +security role on systems where GPG verification must be disabled. diff --git a/doc/source/developer-notes/V-38476.rst b/doc/source/developer-notes/V-38476.rst index 26f82492..ed8c0724 100644 --- a/doc/source/developer-notes/V-38476.rst +++ b/doc/source/developer-notes/V-38476.rst 
@@ -1,21 +1,7 @@ -The STIG talks about yum having the RHN GPG keys installed, but this -requirement has been adapted to check for the Ubuntu signing keys normally -present in Ubuntu 14.04. +The security role verifies that the GPG keys that correspond to each supported +Linux distribution are installed on each host. If the GPG keys are not found, +or if they differ from the list of trusted GPG keys, the playbook execution +will stop. -See ``tasks/apt.yml`` for more details:: - - # apt-key list - /etc/apt/trusted.gpg - -------------------- - pub 1024D/437D05B5 2004-09-12 - uid Ubuntu Archive Automatic Signing Key - sub 2048g/79164387 2004-09-12 - - pub 1024D/FBB75451 2004-12-30 - uid Ubuntu CD Image Automatic Signing Key - - pub 4096R/C0B21F32 2012-05-11 - uid Ubuntu Archive Automatic Signing Key (2012) - - pub 4096R/EFE21092 2012-05-11 - uid Ubuntu CD Image Automatic Signing Key (2012) +Deployers can skip this task (and avoid this failure) by using ``--skip-tags +V-38476`` when they are applying the security role. diff --git a/doc/source/developer-notes/V-38491.rst b/doc/source/developer-notes/V-38491.rst index bdaf6189..c8e0a1e4 100644 --- a/doc/source/developer-notes/V-38491.rst +++ b/doc/source/developer-notes/V-38491.rst @@ -1,4 +1,6 @@ The Ansible task will check for the presence of ``/etc/hosts.equiv`` and ``/root/.rhosts``. Both of those files could potentially be used with ``rsh`` -for host access, but ``rshd`` is not installed by default with Ubuntu 14.04 -or openstack-ansible. +for host access. + +The ``rshd`` daemon is not installed by default with Ubuntu 14.04, Ubuntu +16.04, CentOS 7, or OpenStack-Ansible. diff --git a/doc/source/developer-notes/V-38589.rst b/doc/source/developer-notes/V-38589.rst index 831113d1..1d12ee3c 100644 --- a/doc/source/developer-notes/V-38589.rst +++ b/doc/source/developer-notes/V-38589.rst 
@@ -1,8 +1,6 @@ -**Fixed by another STIG** +**Fixed by V-38587** -Neither Ubuntu or openstack-ansible installs the telnet daemon by default. -Running a telnet daemon isn't recommended under most situations, so the -telnet server package will be removed from the system if it is installed. - -The telnet server is removed by the Ansible tasks for V-38587, so no action -is required here. +Running a telnet daemon isn't recommended under most situations, so the telnet +server package will be removed from the system if it is installed. The telnet +server is removed by the Ansible tasks for V-38587, so no action is required +here. diff --git a/doc/source/developer-notes/V-38594.rst b/doc/source/developer-notes/V-38594.rst index 57e448a3..3720e8f3 100644 --- a/doc/source/developer-notes/V-38594.rst +++ b/doc/source/developer-notes/V-38594.rst @@ -1,8 +1,5 @@ -**Fixed by another STIG** +**Fixed by V-38591** -Neither Ubuntu or openstack-ansible installs the rsh daemon by default. -Running a rsh daemon isn't recommended under most situations, so the -rsh server package will be removed from the system if it is installed. - -The rsh server is removed by the Ansible tasks for V-38591, so no action -is required here. +Running a rsh daemon isn't recommended under most situations, so the rsh server +package will be removed from the system if it is installed. The rsh server is +removed by the Ansible tasks for V-38591, so no action is required here. diff --git a/doc/source/developer-notes/V-38598.rst b/doc/source/developer-notes/V-38598.rst index 5c82ae60..894df0a1 100644 --- a/doc/source/developer-notes/V-38598.rst +++ b/doc/source/developer-notes/V-38598.rst 
@@ -1,10 +1,8 @@ -**Fixed by another STIG** +**Fixed by V-38591** -The ``rexecd`` daemon is part of the package that contains the ``rsh`` daemon. +On Ubuntu, the ``rexecd`` daemon is part of the package that contains the +``rsh`` daemon. CentOS 7 doesn't provide the ``rexecd`` daemon in any packages. -Neither Ubuntu or openstack-ansible installs the rsh daemon by default. -Running a rsh daemon isn't recommended under most situations, so the -rsh server package will be removed from the system if it is installed. - -The rsh server is removed by the Ansible tasks for V-38591, so no action -is required here. +Running a rsh daemon isn't recommended under most situations, so the rsh server +package will be removed from the system if it is installed. The rsh server is +removed by the Ansible tasks for V-38591, so no action is required here. diff --git a/doc/source/developer-notes/V-38602.rst b/doc/source/developer-notes/V-38602.rst index c93a6354..b657301f 100644 --- a/doc/source/developer-notes/V-38602.rst +++ b/doc/source/developer-notes/V-38602.rst @@ -1,10 +1,9 @@ -**Fixed by another STIG** +**Fixed by V-38591** -The ``rlogind`` daemon is part of the package that contains the ``rsh`` daemon. +In Ubuntu, the ``rlogind`` daemon is part of the package that contains the +``rsh`` daemon. CentOS 7 does not provide the ``rlogind`` daemon in any +packages. -Neither Ubuntu or openstack-ansible installs the rsh daemon by default. -Running a rsh daemon isn't recommended under most situations, so the -rsh server package will be removed from the system if it is installed. - -The rsh server is removed by the Ansible tasks for V-38591, so no action -is required here. +Running a rsh daemon isn't recommended under most situations, so the rsh server +package will be removed from the system if it is installed. The rsh server is +removed by the Ansible tasks for V-38591, so no action is required here. 
diff --git a/doc/source/developer-notes/V-38607.rst b/doc/source/developer-notes/V-38607.rst index 3dcee345..0413ccae 100644 --- a/doc/source/developer-notes/V-38607.rst +++ b/doc/source/developer-notes/V-38607.rst @@ -1 +1,2 @@ -The tasks in sshd.yml will ensure that SSH does uses protocol version 2. \ No newline at end of file +The tasks in ``sshd.yml`` will ensure that SSH requires all connections to use +protocol version 2. diff --git a/doc/source/developer-notes/V-38614.rst b/doc/source/developer-notes/V-38614.rst index 572b1060..100fdd15 100644 --- a/doc/source/developer-notes/V-38614.rst +++ b/doc/source/developer-notes/V-38614.rst @@ -1 +1 @@ -The tasks in sshd.yml will ensure that SSH does not allow empty passwords. \ No newline at end of file +The tasks in ``sshd.yml`` will ensure that SSH does not allow empty passwords. diff --git a/doc/source/developer-notes/V-38653.rst b/doc/source/developer-notes/V-38653.rst index d00ca4f3..69b73914 100644 --- a/doc/source/developer-notes/V-38653.rst +++ b/doc/source/developer-notes/V-38653.rst @@ -1,5 +1,5 @@ **Exception** -The openstack-ansible project doesn't install snmpd by default, and neither -does Ubuntu 14.04. Deployers are strongly recommended to use SNMPv3 with -strong passwords for all connectivity if they choose to install snmpd. +The OpenStack-Ansible project doesn't install snmpd by default. Deployers are +strongly recommended to use SNMPv3 with strong passwords for all connectivity +if they choose to install snmpd. diff --git a/doc/source/developer-notes/V-38666.rst b/doc/source/developer-notes/V-38666.rst index 585cf5b3..8558465f 100644 --- a/doc/source/developer-notes/V-38666.rst +++ b/doc/source/developer-notes/V-38666.rst 
@@ -1,10 +1,14 @@ **Exception** -Installing an antivirus program on openstack-ansible infrastructure is left -up to the deployer. There are strong arguments against virus scanners due to -detection failures and performance impacts. +The installation of an antivirus program is left up to the deployer. There are +strong arguments against virus scanners due to detection failures and +performance impacts. -For deployers who require an antivirus solution, refer to the suggestions and -examples in `Ubuntu's documentation on antivirus software`_. +The following links provide more information about installing antivirus +software on Ubuntu and CentOS: -.. _Ubuntu's documentation on antivirus software: https://help.ubuntu.com/community/Antivirus +* `Ubuntu documentation - Antivirus`_ +* `CentOS Blog - How to Install ClamAV and Configure Daily Scanning on CentOS`_ + +.. _Ubuntu documentation - Antivirus: https://help.ubuntu.com/community/Antivirus +.. _CentOS Blog - How to Install ClamAV and Configure Daily Scanning on CentOS: https://www.centosblog.com/how-to-install-clamav-and-configure-daily-scanning-on-centos/ diff --git a/doc/source/developer-notes/V-38668.rst b/doc/source/developer-notes/V-38668.rst index d5e8ec77..fb9071de 100644 --- a/doc/source/developer-notes/V-38668.rst +++ b/doc/source/developer-notes/V-38668.rst @@ -1,3 +1,7 @@ -The control-alt-delete keyboard sequence is disable by an Ansible task in -``/etc/init/control-alt-delete.conf``. A reboot is recommended to apply the -change. +In Ubuntu 14.04, the Ansible tasks disable the control-alt-delete keyboard +sequence via a configuration in ``/etc/init/control-alt-delete.conf``. A +reboot is recommended to apply the change. + +Linux distributions that use systemd, such as Ubuntu 16.04 and CentOS 7, +disable the key sequence by masking the ``ctrl-alt-del.target`` with +``systemctl``. diff --git a/doc/source/developer-notes/V-38701.rst b/doc/source/developer-notes/V-38701.rst index 1ecc417c..286c6209 100644 
--- a/doc/source/developer-notes/V-38701.rst +++ b/doc/source/developer-notes/V-38701.rst @@ -1,4 +1,6 @@ **Exception** -Neither Ubuntu 14.04 nor openstack-ansible adds a tftp daemon to the system. -The xinetd service is also not installed. +Neither OpenStack-Ansible or any of the operating systems supported by the +security role will install the tftp daemon by default. Deployers with a tftp +server deployed should review the risks associated with running the service and +configure it to meet the STIG's requirements.
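Review bot: in the V-38462 hunk, "will stop the playbook execution if the option is set" does not say whether the task fails on the mere presence of ``AllowUnauthenticated`` or on its value; the removed text described a presence check ("if the option is present"), under which a line such as ``APT::Get::AllowUnauthenticated "false";`` in ``/etc/apt/apt.conf.d/`` would also stop the run. State which behaviour the task implements. The CentOS paragraph only covers per-repository ``gpgcheck=0`` in ``/etc/yum.repos.d/``, but yum also honours a global ``gpgcheck`` in the ``[main]`` section of ``/etc/yum.conf``; either extend the check to that file or list it as out of scope next to the apt command-line caveat.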
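Review bot: the V-38476 hunk removes the ``apt-key list`` output that showed which keys were expected, while the new text says the keys must not "differ from the list of trusted GPG keys" without saying where that list is defined. Since the task now stops the run instead of warning, point the reader to the variable or file holding the trusted key IDs for each distribution so a deployer hitting the failure can compare their installed keys against it before resorting to ``--skip-tags V-38476``.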
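Review bot: style in the V-38594 hunk: "Running a rsh daemon" should read "an rsh daemon"; the same wording is repeated in the V-38598 and V-38602 hunks. In the same three hunks, "Fixed by V-38591" is clearer than "Fixed by another STIG"; consider turning it into a cross-reference to the V-38591 note so readers can follow it directly.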
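Review bot: the V-38598 and V-38602 hunks state that CentOS 7 ships neither ``rexecd`` nor ``rlogind`` in any package, then say removal is handled by the V-38591 tasks without saying what those tasks do on CentOS. If the rsh-server removal in V-38591 is Ubuntu-only, or is a no-op on CentOS 7, say so here so a reader does not expect a package removal that cannot happen on that platform.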
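Review bot: in the V-38607 hunk, "requires all connections to use protocol version 2" would be more useful if it named the ``sshd_config`` directive being managed (``Protocol 2``), since that is what an auditor checks. A caveat is also worth adding: OpenSSH 7.4 and later no longer include protocol 1 server support, so on those releases the directive is a no-op and the task is not what prevents SSHv1.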
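Review bot: the V-38666 hunk adds a link to a third-party blog post (centosblog.com) from the project documentation; installation walkthroughs of that kind age quickly, so prefer a source the project can rely on (the ClamAV project's own documentation) or mark the link as an unofficial example.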
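Review bot: in the V-38668 hunk, the Ubuntu 14.04 paragraph says the sequence is disabled "via a configuration in ``/etc/init/control-alt-delete.conf``" without saying what is changed in that upstart job; name the edit so it can be verified by hand. The systemd paragraph should also say whether a reboot is needed after masking ``ctrl-alt-del.target``, since the 14.04 paragraph recommends one and readers will otherwise assume the same.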
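Review bot: grammar in the V-38701 hunk: "Neither OpenStack-Ansible or any of the operating systems" should be "Neither OpenStack-Ansible nor any of the operating systems". The removed text also recorded that xinetd is not installed; if that still holds for the newly supported distributions it is worth keeping, since tftpd is commonly started from xinetd and its absence is part of the evidence for the exception.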