Enable virus scanner

The STIG requires that a virus scanner is installed and running. This
won't be popular on many hypervisors or OpenStack control plane servers,
so the tasks are disabled by default.

Implements: blueprint security-rhel7-stig
Change-Id: I3b4803139e63aae3b740e8e150cb552a298c4ece
This commit is contained in:
Major Hayden 2016-11-09 07:38:49 -06:00
parent 0fbf1cc09d
commit 3c0cc41969
9 changed files with 140 additions and 2 deletions


@ -437,6 +437,10 @@ security_disable_gdm_automatic_login: yes # RHEL-07-010430
# Disable timed gdm logins for guests
security_disable_gdm_timed_login: yes # RHEL-07-010431
## Miscellaneous (misc)
# Enable virus scanning with clamav
security_enable_virus_scanner: no # RHEL-07-030810
## Packages (packages)
# Remove packages from the system as required by the STIG. Set any of these
# to 'no' to skip their removal.
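Review bot: the comment above `security_enable_virus_scanner` only says "Enable virus scanning with clamav"; since the commit message explains that the default is `no` because of the hypervisor and control-plane impact, a one-line note to that effect here (e.g. "disabled by default; see RHEL-07-030810 docs") would save deployers a trip to the documentation.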


@ -1,7 +1,20 @@
---
id: RHEL-07-030810
status: not implemented
status: opt-in
tag: misc
---
This STIG requirement is not yet implemented.
The STIG requires that a virus scanner is installed and running, but the value
of a virus scanner within an OpenStack control plane or on a hypervisor is
negligible in many cases. In addition, the disk I/O impact of a virus scanner
can impact a production environment negatively.
The security role has tasks to deploy ClamAV with automatic updates, but the
tasks are disabled by default.
Deployers can enable the ClamAV virus scanner by setting the following Ansible
variable:
.. code-block:: yaml
security_enable_virus_scanner: yes
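Review bot: as rendered, the `security_enable_virus_scanner: yes` line sits at column 0 directly under `.. code-block:: yaml`; reStructuredText requires a blank line after the directive and the block body indented (e.g. three spaces), or Sphinx will report an empty code block. Also consider stating in this page that the "automatic updates" are provided by freshclam (cron on Red Hat, the freshclam daemon on Ubuntu), so deployers know where update failures will surface.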


@ -57,6 +57,11 @@
name: vsftpd
state: restarted
- name: restart clamav
service:
name: "{{ clamav_service }}"
state: restarted
# Miscellaneous ##############################################################
- name: generate auditd rules
command: augenrules --load
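Review bot: the `restart clamav` handler restarts `{{ clamav_service }}` (the clamd daemon), but it is also notified from the `Allow automatic freshclam updates` task, which only edits `/etc/sysconfig/freshclam`; that setting is read by the freshclam cron job, not by clamd, so the restart there is unnecessary and on Ubuntu the separate freshclam daemon would not be touched. Drop the `notify` from that task or add a dedicated handler for the freshclam service.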


@ -47,6 +47,7 @@
- include: auth.yml
- include: file_perms.yml
- include: graphical.yml
- include: misc.yml
- include: sshd.yml
- name: Remove the temporary directory

tasks/rhel7stig/misc.yml Normal file

@ -0,0 +1,93 @@
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Check if ClamAV is installed
stat:
path: /usr/bin/clamdscan
register: clamav_install_check
changed_when: False
tags:
- always
- name: Remove 'Example' line from ClamAV configuration files
lineinfile:
dest: "{{ item }}"
regexp: "^Example"
state: absent
with_items:
- /etc/freshclam.conf
- /etc/clamd.d/scan.conf
when:
- clamav_install_check.stat.exists
- security_enable_virus_scanner | bool
- ansible_os_family | lower == 'redhat'
notify:
- restart clamav
tags:
- misc
- RHEL-07-030810
- name: Set ClamAV server type as socket
lineinfile:
dest: /etc/clamd.d/scan.conf
regexp: "^(#)?LocalSocket (.*)$"
line: 'LocalSocket \2'
backrefs: yes
when:
- clamav_install_check.stat.exists
- security_enable_virus_scanner | bool
- ansible_os_family | lower == 'redhat'
notify:
- restart clamav
tags:
- misc
- RHEL-07-030810
- name: Allow automatic freshclam updates
lineinfile:
dest: /etc/sysconfig/freshclam
regexp: "^FRESHCLAM_DELAY"
state: absent
when:
- clamav_install_check.stat.exists
- security_enable_virus_scanner | bool
- ansible_os_family | lower == 'redhat'
notify:
- restart clamav
tags:
- misc
- RHEL-07-030810
- name: Update ClamAV database
command: freshclam
changed_when: False
when:
- clamav_install_check.stat.exists
- security_enable_virus_scanner | bool
tags:
- misc
- RHEL-07-030810
- name: Ensure ClamAV is running
service:
name: "{{ clamav_service }}"
state: started
enabled: yes
when:
- clamav_install_check.stat.exists
- security_enable_virus_scanner | bool
tags:
- misc
- RHEL-07-030810
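Review bot: the `Update ClamAV database` task runs `command: freshclam` on every play with only `changed_when: False`, so an unreachable mirror fails the whole role run, and on Debian-family hosts the running freshclam daemon holds the log and database locks, which makes a manual `freshclam` invocation exit non-zero. Register the result and set `failed_when` on a specific condition (or restrict this task to Red Hat, where freshclam is cron-driven), and consider `creates`/a check on the existing `main.cvd` so the task does not download on every run. Minor: the `stat` task does not need `changed_when: False`, stat never reports a change.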


@ -33,6 +33,7 @@
- RHEL-07-021910
- RHEL-07-020000
- RHEL-08-020010
- RHEL-07-030810
- RHEL-07-040260
- RHEL-07-040500
- RHEL-07-040560


@ -73,3 +73,4 @@
security_package_clean_on_remove: yes
security_unattended_upgrades_enabled: true
security_unattended_upgrades_notifications: true
security_enable_virus_scanner: yes
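Review bot: enabling `security_enable_virus_scanner` in the test variables means the gate job now depends on outbound access to the ClamAV mirrors for `freshclam` and on EPEL being available for the Red Hat package set; if the test nodes are proxied or offline, the new tasks will fail the job rather than the role under test.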


@ -26,6 +26,7 @@ chrony_conf_file: /etc/chrony.conf
cron_service: crond
ssh_service: sshd
chrony_service: chronyd
clamav_service: 'clamd@scan'
# Commands
grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf"
@ -52,6 +53,18 @@ stig_packages:
- yum-cron
state: "{{ security_package_state }}"
enabled: "{{ security_unattended_upgrades_enabled }}"
- packages:
- clamav
- clamav-data
- clamav-devel
- clamav-filesystem
- clamav-lib
- clamav-scanner-systemd
- clamav-server-systemd
- clamav-server
- clamav-update
state: "{{ security_package_state }}"
enabled: "{{ security_enable_virus_scanner }}"
- packages:
- xinetd
state: absent
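Review bot: `clamav-devel` in the Red Hat package list is the development headers package and is not needed to run the scanner; drop it to keep the installed footprint minimal on hosts that only enable this for compliance. Note also that all of these packages come from EPEL, so the role should document (or check) that the repository is enabled before `security_enable_virus_scanner: yes` is set.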


@ -29,6 +29,7 @@ chrony_conf_file: /etc/chrony/chrony.conf
cron_service: cron
ssh_service: ssh
chrony_service: chrony
clamav_service: clamd
# Commands
grub_update_cmd: "update-grub"
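Review bot: `clamav_service: clamd` does not match the unit shipped by Ubuntu's `clamav-daemon` package, which is `clamav-daemon.service`; with this value the `Ensure ClamAV is running` task and the `restart clamav` handler will fail on Ubuntu hosts. Please verify the unit name on the target release and use `clamav-daemon` here.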
@ -97,6 +98,12 @@ stig_packages_rhel7:
- screen
state: "{{ security_package_state }}"
enabled: True
- packages:
- clamav
- clamav-daemon
- clamav-freshclam
state: "{{ security_package_state }}"
enabled: "{{ security_enable_virus_scanner }}"
- packages:
- rsh-server
state: absent
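Review bot: the Ubuntu package list does not include `clamdscan`, yet the new `misc.yml` tasks are all gated on `stat` of `/usr/bin/clamdscan`; on Debian/Ubuntu that binary lives in its own `clamdscan` package, which `clamav-daemon` only recommends, so on hosts with recommends disabled every ClamAV task is skipped silently. Either add `clamdscan` to this list or gate the tasks on `/usr/sbin/clamd`, which both distributions install with the daemon.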