Docs: Update dev notes for Cat 3 controls

This patch updates the documentation for the developer notes associated
with the Cat 3 (High) controls applied by the security role.

Partial-bug: 1583744

Change-Id: Ia7dad9e8d1871cfa6d0408c329d6f771704e8d96
Major Hayden 2016-05-19 15:06:57 -05:00 committed by Amy Marrich (spotz)
parent 490d2f4bd8
commit 32ce224637
13 changed files with 75 additions and 76 deletions


@ -1,9 +1,17 @@
Ubuntu checks packages against GPG signatures by default. It can be turned All versions of Ubuntu and CentOS supported by the role verify packages against
off for all package installations by a setting in /etc/apt/apt.conf.d/ and we GPG signatures by default.
search for that in the Ansible task. A warning is printed if the
``AllowUnauthenticated`` configuration option is present in the apt
configuration directories.
Please note that users can pass an argument on the apt command line Deployers can disable GPG verification for all packages in Ubuntu by setting
to bypass the checks as well, but that's outside the scope of this check the ``AllowUnauthenticated`` configuration option in a file within
and remediation. ``/etc/apt/apt.conf.d/``. The Ansible tasks will search for this configuration
option and will stop the playbook execution if the option is set. Note
that users can pass an argument on the apt command line to bypass the checks as
well, but that's outside the scope of this check and remediation.
In CentOS, deployers can set ``gpgcheck=0`` within individual yum repository
files in ``/etc/yum.repos.d/`` to disable GPG signature checking. The Ansible
tasks will check for this configuration option in those files and stop the
playbook execution.
Deployers can use ``--skip-tags V-38462`` to omit these tasks when applying the
security role on systems where GPG verification must be disabled.
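Review bot: the CentOS paragraph says the tasks look for ``gpgcheck=0`` in the repository files under ``/etc/yum.repos.d/`` but does not say whether the global ``gpgcheck`` setting in ``/etc/yum.conf`` is also inspected; state this explicitly so deployers know which setting the task actually evaluates. The Ubuntu paragraph also changes the documented behaviour from "A warning is printed" to "will stop the playbook execution"; confirm that the task really fails rather than warns, since the two outcomes mean different things for an unattended run.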


@ -1,21 +1,7 @@
The STIG talks about yum having the RHN GPG keys installed, but this The security role verifies that the GPG keys that correspond to each supported
requirement has been adapted to check for the Ubuntu signing keys normally Linux distribution are installed on each host. If the GPG keys are not found,
present in Ubuntu 14.04. or if they differ from the list of trusted GPG keys, the playbook execution
will stop.
See ``tasks/apt.yml`` for more details:: Deployers can skip this task (and avoid this failure) by using ``--skip-tags
V-38476`` when they are applying the security role.
# apt-key list
/etc/apt/trusted.gpg
--------------------
pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub 2048g/79164387 2004-09-12
pub 1024D/FBB75451 2004-12-30
uid Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>
pub 4096R/C0B21F32 2012-05-11
uid Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>
pub 4096R/EFE21092 2012-05-11
uid Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
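Review bot: the new text refers to "the list of trusted GPG keys" without saying where that list is defined, and the pointer to ``tasks/apt.yml`` that the old note carried has been removed, so a deployer has no way to find which key IDs are expected on each distribution; name the task file or role variable that holds the expected keys. It would also help to say whether the check compares full fingerprints or only short key IDs, since that decides how much assurance the check gives.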


@ -1,4 +1,6 @@
The Ansible task will check for the presence of ``/etc/hosts.equiv`` and The Ansible task will check for the presence of ``/etc/hosts.equiv`` and
``/root/.rhosts``. Both of those files could potentially be used with ``rsh`` ``/root/.rhosts``. Both of those files could potentially be used with ``rsh``
for host access, but ``rshd`` is not installed by default with Ubuntu 14.04 for host access.
or openstack-ansible.
The ``rshd`` daemon is not installed by default with Ubuntu 14.04, Ubuntu
16.04, CentOS 7, or OpenStack-Ansible.
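Review bot: the note says the task checks for ``/etc/hosts.equiv`` and ``/root/.rhosts`` but never says what happens when one of them exists (removed, warned about, or playbook stopped); add the outcome, as the other notes in this change do. The sentence about ``rshd`` not being installed is fine as background, but it does not cover the files themselves, which can be present whether or not the daemon is installed.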


@ -1,8 +1,6 @@
**Fixed by another STIG** **Fixed by V-38587**
Neither Ubuntu or openstack-ansible installs the telnet daemon by default. Running a telnet daemon isn't recommended under most situations, so the telnet
Running a telnet daemon isn't recommended under most situations, so the server package will be removed from the system if it is installed. The telnet
telnet server package will be removed from the system if it is installed. server is removed by the Ansible tasks for V-38587, so no action is required
here.
The telnet server is removed by the Ansible tasks for V-38587, so no action
is required here.
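Review bot: the new text states the removal twice (the telnet server "will be removed from the system if it is installed" and then "is removed by the Ansible tasks for V-38587"); keep only the sentence that delegates to V-38587. The dropped sentence saying that neither Ubuntu nor openstack-ansible installs the telnet daemon by default was useful context; if it still holds for the newly supported distributions, keep it in the same form the rsh notes use.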


@ -1,8 +1,5 @@
**Fixed by another STIG** **Fixed by V-38591**
Neither Ubuntu or openstack-ansible installs the rsh daemon by default. Running a rsh daemon isn't recommended under most situations, so the rsh server
Running a rsh daemon isn't recommended under most situations, so the package will be removed from the system if it is installed. The rsh server is
rsh server package will be removed from the system if it is installed. removed by the Ansible tasks for V-38591, so no action is required here.
The rsh server is removed by the Ansible tasks for V-38591, so no action
is required here.
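Review bot: "a rsh daemon" in the first line of the new text should read "an rsh daemon", since "rsh" is read letter by letter. As in the telnet note, the hunk states the removal twice; a single sentence pointing to the V-38591 tasks is enough.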


@ -1,10 +1,8 @@
**Fixed by another STIG** **Fixed by V-38591**
The ``rexecd`` daemon is part of the package that contains the ``rsh`` daemon. On Ubuntu, the ``rexecd`` daemon is part of the package that contains the
``rsh`` daemon. CentOS 7 doesn't provide the ``rexecd`` daemon in any packages.
Neither Ubuntu or openstack-ansible installs the rsh daemon by default. Running a rsh daemon isn't recommended under most situations, so the rsh server
Running a rsh daemon isn't recommended under most situations, so the package will be removed from the system if it is installed. The rsh server is
rsh server package will be removed from the system if it is installed. removed by the Ansible tasks for V-38591, so no action is required here.
The rsh server is removed by the Ansible tasks for V-38591, so no action
is required here.
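Review bot: the line "CentOS 7 doesn't provide the ``rexecd`` daemon in any packages" uses a contraction while the matching rlogind note in this change says "does not"; use the same wording in both, and "a rsh daemon" should read "an rsh daemon" here as well. Since CentOS 7 has no package for ``rexecd``, consider stating plainly that nothing is checked or removed on CentOS for this control, so the reader is not left wondering whether the V-38591 tasks apply there.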


@ -1,10 +1,9 @@
**Fixed by another STIG** **Fixed by V-38591**
The ``rlogind`` daemon is part of the package that contains the ``rsh`` daemon. In Ubuntu, the ``rlogind`` daemon is part of the package that contains the
``rsh`` daemon. CentOS 7 does not provide the ``rlogind`` daemon in any
packages.
Neither Ubuntu or openstack-ansible installs the rsh daemon by default. Running a rsh daemon isn't recommended under most situations, so the rsh server
Running a rsh daemon isn't recommended under most situations, so the package will be removed from the system if it is installed. The rsh server is
rsh server package will be removed from the system if it is installed. removed by the Ansible tasks for V-38591, so no action is required here.
The rsh server is removed by the Ansible tasks for V-38591, so no action
is required here.
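Review bot: this note opens with "In Ubuntu" while the rexecd note in the same change opens with "On Ubuntu"; pick one form for all three rsh-family notes. The duplicated removal sentence and the "a rsh daemon" article apply here too.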


@ -1 +1,2 @@
The tasks in sshd.yml will ensure that SSH does uses protocol version 2. The tasks in ``sshd.yml`` will ensure that SSH requires all connections to use
protocol version 2.
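Review bot: the new wording "requires all connections to use protocol version 2" is clearer than the old, but the note still does not name the ``sshd_config`` directive the task sets, which is the one thing a reader would check on the host to verify the control; add it. If the task does not restart the SSH service, say that the change takes effect only after a restart.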


@ -1 +1 @@
The tasks in sshd.yml will ensure that SSH does not allow empty passwords. The tasks in ``sshd.yml`` will ensure that SSH does not allow empty passwords.


@ -1,5 +1,5 @@
**Exception** **Exception**
The openstack-ansible project doesn't install snmpd by default, and neither The OpenStack-Ansible project doesn't install snmpd by default. Deployers are
does Ubuntu 14.04. Deployers are strongly recommended to use SNMPv3 with strongly recommended to use SNMPv3 with strong passwords for all connectivity
strong passwords for all connectivity if they choose to install snmpd. if they choose to install snmpd.
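Review bot: "SNMPv3 with strong passwords" undersells what SNMPv3 offers; recommend that deployers enable both authentication and privacy (encryption) for SNMPv3 users rather than relying on passphrase strength alone, since without privacy the polled data still travels in the clear. Dropping the statement that Ubuntu 14.04 does not install snmpd leaves the note silent on the distributions; if snmpd is absent by default on all supported systems, say so as the other exception notes do.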


@ -1,10 +1,14 @@
**Exception** **Exception**
Installing an antivirus program on openstack-ansible infrastructure is left The installation of an antivirus program is left up to the deployer. There are
up to the deployer. There are strong arguments against virus scanners due to strong arguments against virus scanners due to detection failures and
detection failures and performance impacts. performance impacts.
For deployers who require an antivirus solution, refer to the suggestions and The following links provide more information about installing antivirus
examples in `Ubuntu's documentation on antivirus software`_. software on Ubuntu and CentOS:
.. _Ubuntu's documentation on antivirus software: https://help.ubuntu.com/community/Antivirus * `Ubuntu documentation - Antivirus`_
* `CentOS Blog - How to Install ClamAV and Configure Daily Scanning on CentOS`_
.. _Ubuntu documentation - Antivirus: https://help.ubuntu.com/community/Antivirus
.. _CentOS Blog - How to Install ClamAV and Configure Daily Scanning on CentOS: https://www.centosblog.com/how-to-install-clamav-and-configure-daily-scanning-on-centos/
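Review bot: "There are strong arguments against virus scanners due to detection failures and performance impacts" is presented without any reference; either cite the argument or soften it, because the note otherwise reads as the role taking a position it does not support. The second link target points to a third-party blog post that may disappear; a link to the upstream ClamAV documentation for the CentOS case would age better.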


@ -1,3 +1,7 @@
The control-alt-delete keyboard sequence is disable by an Ansible task in In Ubuntu 14.04, the Ansible tasks disable the control-alt-delete keyboard
``/etc/init/control-alt-delete.conf``. A reboot is recommended to apply the sequence via a configuration in ``/etc/init/control-alt-delete.conf``. A
change. reboot is recommended to apply the change.
Linux distributions that use systemd, such as Ubuntu 16.04 and CentOS 7,
disable the key sequence by masking the ``ctrl-alt-del.target`` with
``systemctl``.
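Review bot: the second paragraph reads as if the systemd-based distributions themselves disable the key sequence ("Linux distributions that use systemd ... disable the key sequence by masking"); it should say that the Ansible tasks do this on those distributions, matching the first paragraph's phrasing. The reboot recommendation is attached only to the Ubuntu 14.04 case; state whether the systemd masking takes effect without a reboot so deployers know which case needs one.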


@ -1,4 +1,6 @@
**Exception** **Exception**
Neither Ubuntu 14.04 nor openstack-ansible adds a tftp daemon to the system. Neither OpenStack-Ansible or any of the operating systems supported by the
The xinetd service is also not installed. security role will install the tftp daemon by default. Deployers with a tftp
server deployed should review the risks associated with running the service and
configure it to meet the STIG's requirements.
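Review bot: "Neither OpenStack-Ansible or any of the operating systems" should read "Neither OpenStack-Ansible nor any of the operating systems". The old note's statement that xinetd is not installed has been dropped; it told the reader that the usual way of enabling a tftp service was absent as well, so keep it if it still holds for the supported distributions.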