[Docs] Metadata cleanup
This patch adds the right tags to each piece of metadata and corrects small errors found in the deployer notes.

Closes-bug: 1595669
Change-Id: Ic04aaad85ebf111be5a0bdb01a350442fdea1433
parent 79eeaa43fb
commit 3c19f00a7f
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38437
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: services
|
||||
---
|
||||
|
||||
If ``autofs`` is installed, it will be disabled by Ansible tasks. To opt-out
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38438
|
||||
status: exception
|
||||
tag: misc
|
||||
status: implemented
|
||||
tag: boot
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
To opt-out of the change, set the following variable:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
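Review bot: the status line changes from exception to implemented, yet a **Exception** heading is still visible in this hunk; the header (-1,11 +1,9) says two lines were dropped, so confirm the heading and its blank line are the ones removed, since an implemented control should not carry an Exception heading (the other implemented notes in this patch, such as V-38437, have none).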
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38439
|
||||
status: exception
|
||||
tag: misc
|
||||
status: exception - manual intervention
|
||||
tag: auth
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
Although adding centralized authentication and carefully managing user
|
||||
accounts is critical for securing any system, that's left up to deployers
|
||||
to handle via their internal business processes.
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38443
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auth
|
||||
---
|
||||
|
||||
The ``/etc/gshadow`` file is owned by root by default on Ubuntu 14.04, Ubuntu
|
||||
|
@ -1,10 +1,8 @@
|
||||
---
|
||||
id: V-38444
|
||||
status: exception
|
||||
tag: misc
|
||||
status: exception - manual intervention
|
||||
tag: network
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
See V-38551 for additional details. IPv6 configuration and filtering is left
|
||||
up to the deployer.
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38445
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auditd
|
||||
---
|
||||
|
||||
The logs generated by the audit daemon are owned by root in Ubuntu 14.04,
|
||||
|
@ -1,10 +1,12 @@
|
||||
---
|
||||
id: V-38446
|
||||
status: implemented
|
||||
tag: misc
|
||||
status: configuration required
|
||||
tag: mail
|
||||
---
|
||||
|
||||
Forwarding root's email to another user is highly recommended, but the Ansible
|
||||
tasks won't configure an email address to receive root's email unless that
|
||||
email address is configured. Set ``security_root_forward_email`` to an email
|
||||
address that is ready to receive root's email.
|
||||
Forwarding root's email to another user is highly recommended so that someone
|
||||
can receive emails about errors or security events.
|
||||
|
||||
Deployers should set ``security_root_forward_email`` to a valid email address
|
||||
of a user or mailing list that should receive critical automated emails from
|
||||
the server.
|
||||
|
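Review bot: the rewritten text drops the statement that the role does nothing unless ``security_root_forward_email`` is set, which is the one fact a deployer reading a "configuration required" note needs; keep a sentence such as "The tasks will not configure forwarding unless this variable is set." Also, the other notes moved to ``status: configuration required`` in this patch (V-38475, V-38477, V-38479, V-38480) open with a **Configuration required** heading, and this one has none.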
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38447
|
||||
status: exception
|
||||
tag: misc
|
||||
tag: package
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
Although Ubuntu provides the ``debsums`` command for checking the contents of
|
||||
files installed from packages, it cannot perform a detailed level of checking
|
||||
sufficient to meet the STIG requirement. Some packages are not shipped with MD5
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38448
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auth
|
||||
---
|
||||
|
||||
Although the ``/etc/gshadow`` file is group-owned by root by default, the
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38449
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auth
|
||||
---
|
||||
|
||||
The ``/etc/gshadow`` file's permissions will be changed to ``0000`` to meet
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38450
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auth
|
||||
---
|
||||
|
||||
The ownership of ``/etc/passwd`` will be changed to root.
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38451
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auth
|
||||
---
|
||||
|
||||
The group ownership for ``/etc/passwd`` will be set to root.
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38452
|
||||
status: exception
|
||||
tag: misc
|
||||
tag: package
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
Although Ubuntu provides the ``debsums`` command for checking the contents of
|
||||
files installed from packages, it cannot perform a detailed level of checking
|
||||
sufficient to meet the STIG requirement. Some packages are not shipped with MD5
|
||||
|
@ -1,11 +1,11 @@
|
||||
---
|
||||
id: V-38453
|
||||
status: exception
|
||||
tag: misc
|
||||
status: exception - ubuntu
|
||||
tag: package
|
||||
---
|
||||
|
||||
**Exception for Ubuntu**
|
||||
|
||||
Verifying ownership and permissions of installed packages isn't possible in the
|
||||
current version of ``dpkg`` as it is with ``rpm``. This security configuration
|
||||
is skipped for Ubuntu. For CentOS, this check is done as part of V-38637.
|
||||
is skipped for Ubuntu.
|
||||
|
||||
For CentOS, this check is done as part of V-38637.
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38454
|
||||
status: exception
|
||||
tag: misc
|
||||
tag: package
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
Although Ubuntu provides the ``debsums`` command for checking the contents of
|
||||
files installed from packages, it cannot perform a detailed level of checking
|
||||
sufficient to meet the STIG requirement. Some packages are not shipped with MD5
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38455
|
||||
status: exception
|
||||
tag: misc
|
||||
status: exception - initial provisioning
|
||||
tag: boot
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
Configuring another mount for ``/tmp`` can disrupt a running system and this
|
||||
configuration is skipped.
|
||||
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38456
|
||||
status: exception
|
||||
tag: misc
|
||||
status: exception - initial provisioning
|
||||
tag: boot
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
Configuring another mount for ``/var`` can disrupt a running system and this
|
||||
configuration is skipped.
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38457
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auth
|
||||
---
|
||||
|
||||
The permissions for ``/etc/passwd`` will be set to ``0644``.
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38458
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auth
|
||||
---
|
||||
|
||||
The Ansible task will ensure that the ``/etc/group`` file is owned by the root
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
id: V-38459
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auth
|
||||
---
|
||||
|
||||
The tasks in file_perms.yml will ensure that "/etc/group" is owned by
|
||||
the root account.
|
||||
The Ansible tasks will ensure that ``/etc/group`` is owned by the ``root``
|
||||
user.
|
||||
|
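Review bot: the rewritten sentence ("``/etc/group`` is owned by the ``root`` user") now says the same thing as V-38458 in this patch, which already covers ownership of ``/etc/group``. The ``/etc/passwd`` pair in this same patch is split into owner (V-38450) and group owner (V-38451), and V-38461 covers the mode, so this note should state the group-ownership check: "is group-owned by ``root``".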
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38460
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: nfsd
|
||||
---
|
||||
|
||||
The Ansible tasks will check for ``all_squash`` in ``/etc/exports`` (if it is
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
id: V-38461
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auth
|
||||
---
|
||||
|
||||
Ubuntu sets the mode of ``/etc/group`` to ``0644`` by default and the Ansible
|
||||
task will ensure that it is current set to those permissions.
|
||||
The Ansible tasks will ensure that the mode of ``/etc/group//` is set to
|
||||
``0644``.
|
||||
|
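Review bot: the new line has a malformed inline literal, ``/etc/group//` (two trailing slashes and a single closing backtick), which will not render as a literal in reStructuredText; it should read ``/etc/group``. The rewrite otherwise correctly removes the "current set" typo from the old text.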
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38462
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: package
|
||||
---
|
||||
|
||||
All versions of Ubuntu and CentOS supported by the role verify packages against
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38463
|
||||
status: exception
|
||||
status: exception - initial provisioning
|
||||
tag: misc
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
Configuring a separate partition for ``/var/log`` is currently left up to the
|
||||
deployer. There are security and operational benefits that come from the
|
||||
change, but it must be done when the system is initially installed.
|
||||
|
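Review bot: ``tag: misc`` is left in place while the status becomes "exception - initial provisioning"; V-38455 and V-38456 in this same patch, which are the same kind of separate-partition exception (``/tmp``, ``/var``), are retagged ``boot``, so the ``/var/log`` note should get the same tag for the tag cleanup to be consistent.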
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38464
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auditd
|
||||
---
|
||||
|
||||
The default configuration for ``disk_error_action`` is ``SUSPEND``, which
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38465
|
||||
status: exception
|
||||
tag: misc
|
||||
tag: file_perms
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
Ubuntu 14.04, Ubuntu 16.04 and CentOS 7 set library files to have ``0755`` (or
|
||||
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set library files to have ``0755`` (or
|
||||
more restrictive) permissions by default. Deployers are urged to review the
|
||||
permissions of libraries regularly to ensure the system has not been altered.
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38466
|
||||
status: exception
|
||||
tag: misc
|
||||
tag: file_perms
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
As with V-38465, Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the ownership of
|
||||
library files to root by default. Deployers are urged to configure monitoring
|
||||
for changes to these files.
|
||||
|
@ -1,10 +1,8 @@
|
||||
---
|
||||
id: V-38467
|
||||
status: exception
|
||||
tag: misc
|
||||
status: exception - initial provisioning
|
||||
tag: auditd
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
Storing audit logs on a separate partition is recommended, but this change
|
||||
is left up to deployers to configure during the installation of the OS.
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38468
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auditd
|
||||
---
|
||||
|
||||
The default configuration for ``disk_full_action`` is ``SUSPEND``, which only
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38469
|
||||
status: exception
|
||||
tag: misc
|
||||
tag: file_perms
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the permissions for system
|
||||
commands to ``0755`` or less already. Deployers are urged to review these
|
||||
permissions for changes over time as they can be a sign of a compromise.
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38470
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auditd
|
||||
---
|
||||
|
||||
The default configuration for ``security_space_left_action`` is ``SUSPEND``,
|
||||
|
@ -1,10 +1,10 @@
|
||||
---
|
||||
id: V-38471
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auditd
|
||||
---
|
||||
|
||||
An Ansible task will adjust ``active`` from `no` to `yes` in
|
||||
An Ansible task will adjust ``active`` from ``no`` to ``yes`` in
|
||||
``/etc/audisp/plugins.d/syslog.conf`` so that auditd records are forwarded to
|
||||
syslog automatically. The auditd daemon will be restarted if the configuration
|
||||
file is changed.
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38472
|
||||
status: exception
|
||||
tag: misc
|
||||
tag: file_perms
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set system commands to be owned by
|
||||
root by default. Deployers are urged to review ownership changes via auditd
|
||||
rules to ensure system commands haven't changed ownership over time.
|
||||
|
@ -1,10 +1,8 @@
|
||||
---
|
||||
id: V-38473
|
||||
status: exception
|
||||
status: exception - initial provisioning
|
||||
tag: misc
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
Creating ``/home`` on a different partition is highly recommended but it is
|
||||
left to deployers to configure during the installation of the OS.
|
||||
|
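Review bot: same tag inconsistency as V-38463: the ``/home`` partition note keeps ``tag: misc`` while the ``/tmp`` and ``/var`` partition notes (V-38455, V-38456) are retagged ``boot`` elsewhere in this patch.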
@ -1,10 +1,8 @@
|
||||
---
|
||||
id: V-38474
|
||||
status: exception
|
||||
tag: misc
|
||||
tag: x11
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
The openstack-ansible roles don't install X by default, so there is no
|
||||
graphical desktop to configure.
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38475
|
||||
status: implemented
|
||||
tag: misc
|
||||
status: configuration required
|
||||
tag: auth
|
||||
---
|
||||
|
||||
**Configuration required**
|
||||
|
||||
The STIG recommends passwords to be a minimum of 14 characters in length. To
|
||||
apply this setting, set the following Ansible variable:
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38476
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: package
|
||||
---
|
||||
|
||||
The security role verifies that the GPG keys that correspond to each supported
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38477
|
||||
status: implemented
|
||||
tag: misc
|
||||
status: configuration required
|
||||
tag: auth
|
||||
---
|
||||
|
||||
**Configuration required**
|
||||
|
||||
The STIG recommends setting a limit of one password change per day. To enable
|
||||
this configuration, use this Ansible variable:
|
||||
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38478
|
||||
status: exception
|
||||
tag: misc
|
||||
tag: package
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
Ubuntu and CentOS do not use the Red Hat Network Service. However, there are
|
||||
tasks in the security role which ensure that all packages have GPG checks
|
||||
enabled (see V-38462) and provide the option for deployers to apply updates
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38479
|
||||
status: implemented
|
||||
tag: misc
|
||||
status: configuration required
|
||||
tag: auth
|
||||
---
|
||||
|
||||
**Configuration required**
|
||||
|
||||
The STIG recommends setting a limit of 60 days before a password must
|
||||
be changed. To enable this configuration, use this Ansible variable:
|
||||
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38480
|
||||
status: implemented
|
||||
tag: misc
|
||||
status: configuration required
|
||||
tag: auth
|
||||
---
|
||||
|
||||
**Configuration required**
|
||||
|
||||
After enabling password age limits in V-38479, be sure to configure
|
||||
warnings for users so they know when their password is approaching expiration.
|
||||
STIG's recommendation is seven days prior to the expiration. Use an Ansible
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38481
|
||||
status: opt-in
|
||||
tag: misc
|
||||
tag: package
|
||||
---
|
||||
|
||||
**Opt-in required**
|
||||
|
||||
Operating system patching policies vary from organization to organization and
|
||||
are typically established based on business requirements and risk tolerance.
|
||||
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38482
|
||||
status: exception
|
||||
tag: misc
|
||||
tag: auth
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
Password complexity requirements are left up to the deployer. Deployers are
|
||||
urged to rely on SSH keys as often as possible to avoid problems with
|
||||
passwords.
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38483
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: package
|
||||
---
|
||||
|
||||
The Ansible task for V-38462 already checks for configurations that would
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38484
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: package
|
||||
---
|
||||
|
||||
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 already enable the display of the last
|
||||
|
@ -4,8 +4,6 @@ status: exception
|
||||
tag: misc
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
System backups are left to the deployer to configure. Deployers are stringly
|
||||
urged to maintain backups of each system, including log files and critical
|
||||
configuration information.
|
||||
|
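Review bot: "stringly urged" is a typo for "strongly urged", and ``tag: misc`` is carried through unchanged although the purpose of the patch is to replace the ``misc`` placeholder; this file needs a real tag for its theme (backups). The id line sits outside the hunk, so the file cannot be identified from this view.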
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38487
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: package
|
||||
---
|
||||
|
||||
The Ansible task for V-38462 already checks for apt configurations that would
|
||||
|
@ -4,8 +4,6 @@ status: exception
|
||||
tag: misc
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
System backups are left to the deployer to configure. Deployers are stringly
|
||||
urged to maintain backups of each system, including log files and critical
|
||||
configuration information.
|
||||
|
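Review bot: identical text to the previous backup note, including the "stringly" typo and the untouched ``tag: misc``; fix both here as well, and consider having one of the two notes simply refer to the other rather than duplicating the paragraph.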
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38489
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: aide
|
||||
---
|
||||
|
||||
The security role installs and configures the ``aide`` package to provide file
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38490
|
||||
status: exception
|
||||
tag: misc
|
||||
status: opt-in
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
Disabling the ``usb-storage`` module can add extra security, but it's not
|
||||
necessary on most systems. To disable the ``usb-storage`` module on hosts,
|
||||
set the following variable to ``yes``:
|
||||
|
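Review bot: the status moves from exception to opt-in, but the heading in the body is still **Exception**; the other opt-in notes in this patch (V-38481, V-38526, V-38546) use **Opt-in required**. The hunk header (11 to 9 lines) shows lines were removed, so verify the heading was replaced rather than only the status line.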
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38491
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auth
|
||||
---
|
||||
|
||||
The Ansible task will check for the presence of ``/etc/hosts.equiv`` and
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38492
|
||||
status: exception
|
||||
tag: misc
|
||||
tag: auth
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
Virtual consoles are helpful during an emergency and they can only be reached
|
||||
by physical or other out-of-band access (such as DRAC, iLO, or iKVM). This
|
||||
change can be confusing for system administrators and it is left up to the
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38493
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auditd
|
||||
---
|
||||
|
||||
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the mode of ``/var/log/audit/`` to
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38494
|
||||
status: exception
|
||||
tag: misc
|
||||
tag: auth
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
Removing serial consoles from ``/etc/securetty`` can make troubleshooting
|
||||
a server extremely difficult. Deployers are urged to use strong physical
|
||||
security practices to prevent unauthorized users from gaining physical access
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38495
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auditd
|
||||
---
|
||||
|
||||
The Ansible tasks will ensure that files in ``/var/log/audit`` are owned
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38496
|
||||
status: exception
|
||||
tag: misc
|
||||
status: exception - manual intervention
|
||||
tag: auth
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
The Ansible tasks will check for default system accounts (other than root)
|
||||
that are not locked. The tasks won't take any action, however, because
|
||||
any action could cause authorized users to be unable to access the system.
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38497
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auth
|
||||
---
|
||||
|
||||
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 allow accounts with null passwords to
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38498
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auditd
|
||||
---
|
||||
|
||||
Ubuntu and CentOS set the current audit log (the one that is actively being
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38499
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auth
|
||||
---
|
||||
|
||||
The Ansible task will search for password hashes in ``/etc/passwd`` using
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38500
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auth
|
||||
---
|
||||
|
||||
The Ansible tasks will search for accounts in ``/etc/passwd`` that have UID 0
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38501
|
||||
status: exception
|
||||
tag: misc
|
||||
status: opt-in
|
||||
tag: auth
|
||||
---
|
||||
|
||||
**Exception and opt-in alternative**
|
||||
|
||||
Adjusting PAM configurations is very risky since it affects how all users
|
||||
authenticate. In addition, ``pam_faillock.so`` isn't available in Ubuntu.
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38502
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auth
|
||||
---
|
||||
|
||||
The user and group ownership of ``/etc/passwd`` is root by default. The Ansible
|
||||
|
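Review bot: the body line "The user and group ownership of ``/etc/passwd`` is root by default" is untouched context, but it duplicates what V-38450 and V-38451 already say about ``/etc/passwd``, and V-38503 carries the identical sentence; with V-38504 immediately following and covering ``/etc/shadow``, check whether these two notes should describe ``/etc/shadow`` ownership instead, since the commit is also meant to correct errors in the notes.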
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38503
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auth
|
||||
---
|
||||
|
||||
The user and group ownership of ``/etc/passwd`` is root by default. The Ansible
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38504
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auth
|
||||
---
|
||||
|
||||
Ubuntu 14.04 and Ubuntu 16.04 set the mode of ``/etc/shadow`` to ``0640``, but
|
||||
|
@ -4,8 +4,6 @@ status: implemented
|
||||
tag: misc
|
||||
---
|
||||
|
||||
**Special Case**
|
||||
|
||||
Running virtual infrastructure requires IP forwarding to be enabled on various
|
||||
interfaces. The STIG allows for this, so long as the system is being operated
|
||||
as a router (as is the case for an OpenStack host).
|
||||
|
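Review bot: ``tag: misc`` survives in this hunk even though the note is about a sysctl setting (IP forwarding); every other sysctl-related note in the patch (V-38514 through V-38517, V-38523, V-38524) is retagged ``kernel``.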
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38512
|
||||
status: exception
|
||||
tag: misc
|
||||
tag: network
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
Although a minimal set of iptables rules are configured on openstack-ansible
|
||||
hosts, the "deny all" requirement of the STIG is not met. This is largely left
|
||||
up to the deployer to do, based on their assessment of their own network
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38513
|
||||
status: exception
|
||||
tag: misc
|
||||
status: exception - manual intervention
|
||||
tag: network
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
Although a minimal set of iptables rules are configured on openstack-ansible
|
||||
hosts, the "deny all" requirement of the STIG is not met. This is largely left
|
||||
up to the deployer to do, based on their assessment of their own network
|
||||
|
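Review bot: V-38512 and V-38513 carry word-for-word the same rationale about the iptables "deny all" requirement, but V-38512 keeps plain ``status: exception`` while this one becomes ``exception - manual intervention``; pick one status for both, since the text says the work is left to the deployer in both cases.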
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38514
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
The Datagram Congestion Control Protocol (DCCP) must be disabled if it's not
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38515
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
The Stream Control Transmission Protocol (SCTP) must be disabled. To opt-out of
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38516
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
The `Reliable Datagram Sockets (RDS)`_ protocol must be disabled. The Ansible
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38517
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
The `Transparent Inter-Process Communication (TIPC)`_ protocol must be
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38518
|
||||
status: exception
|
||||
tag: misc
|
||||
tag: file_perms
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
Different systems may have different log files populated depending on the type
|
||||
of data that ``rsyslogd`` receives. By default, log files are created with the
|
||||
user and group ownership set to root.
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38519
|
||||
status: exception
|
||||
tag: misc
|
||||
tag: file_perms
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
Different systems may have different log files populated depending on the type
|
||||
of data that ``rsyslogd`` receives. By default, log files are created with the
|
||||
user and group ownership set to root.
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38520
|
||||
status: exception
|
||||
tag: misc
|
||||
status: exception - manual intervention
|
||||
tag: log
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
At the moment, openstack-ansible already sends logs to the rsyslog container
|
||||
from various containers and hosts. However, deployers are strongly urged
|
||||
to forward these logs to a system outside their openstack-ansible environment
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38521
|
||||
status: exception
|
||||
tag: misc
|
||||
status: exception - manual intervention
|
||||
tag: log
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
At the moment, openstack-ansible already sends logs to the rsyslog container
|
||||
from various containers and hosts. However, deployers are strongly urged
|
||||
to forward these logs to a system outside their openstack-ansible environment
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38523
|
||||
status: exception
|
||||
tag: misc
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
The STIG makes several requirements for IPv4 network restrictions, but these
|
||||
restrictions can impact certain network interfaces and cause service
|
||||
disruptions. Some security configurations make sense for certain types of
|
||||
|
@ -1,15 +1,15 @@
|
||||
---
|
||||
id: V-38524
|
||||
status: implemented
|
||||
tag: misc
|
||||
status: opt-in
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
This patch disables ICMPv4 redirects feature on the host.
|
||||
Accepting ICMP redirects has few legitimate uses.
|
||||
It should be disabled unless it is absolutely required.
|
||||
The STIG requires that ICMPv4 redirects are disabled on the host. However, this
|
||||
can cause problems with LXC-based deployments, such as environments deployed
|
||||
with OpenStack-Ansible.
|
||||
|
||||
It is configurable by ``security_disable_icmpv4_redirects`` variable.
|
||||
This feature is disabled by default as it can disrupt ``LXC`` deployments.
|
||||
Deployers can opt-in for this change by setting the following Ansible variable:
|
||||
|
||||
Deployers can skip or enable this task by setting
|
||||
``security_disable_icmpv4_redirects`` to ``no`` or ``yes``, respectively.
|
||||
.. code-block:: yaml
|
||||
|
||||
security_disable_icmpv4_redirects: yes
|
||||
|
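Review bot: the new status is opt-in but the body has no **Opt-in required** heading, unlike V-38526 directly after it (and V-38481, V-38546); add the heading above the paragraph. The rewrite itself is an improvement: the old text opened with "This patch disables..." which reads as a commit message rather than documentation.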
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38525
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auditd
|
||||
---
|
||||
|
||||
Rules are added for auditing changes to system time done via ``stime``.
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38526
|
||||
status: opt-in
|
||||
tag: misc
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
**Opt-in required**
|
||||
|
||||
The STIG requires that secure ICMP redirects are disabled, but this can cause
|
||||
issues in some virtualized or containerized environments. The Ansible tasks
|
||||
in the security role will not disable these redirects by default.
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38527
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auditd
|
||||
---
|
||||
|
||||
Rules are added for auditing changes to system time done via
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38528
|
||||
status: exception
|
||||
tag: misc
|
||||
status: opt-in
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
The STIG requires that all martian packets are logged by setting the sysctl
|
||||
parameter ``net.ipv4.conf.all.log_martians`` to ``1``.
|
||||
|
||||
|
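Review bot: same heading mismatch as V-38490: the status becomes opt-in while the visible heading is still **Exception**; use **Opt-in required** so the note matches the other opt-in entries.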
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38529
|
||||
status: exception
|
||||
tag: misc
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
The STIG makes several requirements for IPv4 network restrictions, but these
|
||||
restrictions can impact certain network interfaces and cause service
|
||||
disruptions. Some security configurations make sense for certain types of
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38530
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auditd
|
||||
---
|
||||
|
||||
Rules are added to auditd to log all attempts to change the system time using
|
||||
|
@ -1,9 +1,7 @@
|
||||
---
|
||||
id: V-38531
|
||||
status: exception
|
||||
tag: misc
|
||||
status: implemented
|
||||
tag: auditd
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
The audit rules from V-38534 already cover all account modifications.
|
||||
|
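Review bot: the status moves to implemented, but the body still shows an **Exception** heading followed by "The audit rules from V-38534 already cover all account modifications", which reads as an exception rationale. The header (9 to 7 lines) indicates the heading and a blank line are what was removed; the remaining sentence should then state plainly that the requirement is satisfied by the V-38534 rules.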
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38532
|
||||
status: exception
|
||||
tag: misc
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
The STIG makes several requirements for IPv4 network restrictions, but these
|
||||
restrictions can impact certain network interfaces and cause service
|
||||
disruptions. Some security configurations make sense for certain types of
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38533
|
||||
status: exception
|
||||
tag: misc
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
The STIG makes several requirements for IPv4 network restrictions, but these
|
||||
restrictions can impact certain network interfaces and cause service
|
||||
disruptions. Some security configurations make sense for certain types of
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38534
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auditd
|
||||
---
|
||||
|
||||
Audit rules are added in a task so that any events associated with
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
id: V-38535
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
By default, Ubuntu 14.04 rejects ICMPv4 packets sent to a broadcast address.
|
||||
The Ansible tasks for this STIG configuration ensures that the secure default
|
||||
setting is maintained.
|
||||
The Ansible tasks will ensure that ``net.ipv4.icmp_echo_ignore_broadcasts`` is
|
||||
set to ``1``, which will cause the system to stop responding to ICMPv4 packets
|
||||
sent to the broadcast address.
|
||||
|
@ -1,9 +1,7 @@
|
||||
---
|
||||
id: V-38536
|
||||
status: exception
|
||||
tag: misc
|
||||
status: implemented
|
||||
tag: auditd
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
The audit rules from V-38534 already cover all account modifications.
|
||||
|
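Review bot: same as V-38531: exception to implemented with the **Exception** heading still visible; make sure it is dropped and reword the one-line body so it does not read as an exception.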
@ -1,8 +1,9 @@
|
||||
---
|
||||
id: V-38537
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
Ubuntu already ignores ICMPv4 bogus error messages by default. The role will
|
||||
ensure that this default setting is maintained.
|
||||
The Ansible tasks will ensure that
|
||||
``net.ipv4.icmp_ignore_bogus_error_responses`` is set to ``1``. This prevents
|
||||
a host from responding to bogus ICMPv4 error messages.
|
||||
|
@ -1,9 +1,7 @@
|
||||
---
|
||||
id: V-38538
|
||||
status: exception
|
||||
tag: misc
|
||||
status: implemented
|
||||
tag: auditd
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
The audit rules from V-38534 already cover all account modifications.
|
||||
|
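Review bot: third copy of the V-38531 pattern (exception to implemented, heading still **Exception**); same fix applies.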
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38539
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods.
|
||||
|
@ -1,9 +1,7 @@
|
||||
---
|
||||
id: V-38540
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auditd
|
||||
---
|
||||
|
||||
Rules are added for auditing network configuration changes. The path to
|
||||
Ubuntu's standard network configuration location has replaced the path
|
||||
to Red Hat's default network configuration location.
|
||||
Rules are added that allows auditd to track network configuration changes.
|
||||
|
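Review bot: the new sentence "Rules are added that allows auditd to track" has a subject-verb agreement error ("rules ... allow"). Dropping the Ubuntu-versus-Red Hat path remark is reasonable now that the role also targets CentOS (see V-38462), but the sentence should still say which configuration paths are watched, or point to the task file that defines the rules.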
@ -1,7 +1,7 @@
|
||||
---
|
||||
id: V-38541
|
||||
status: implemented
|
||||
tag: misc
|
||||
tag: auditd
|
||||
---
|
||||
|
||||
For Ubuntu, rules are added to auditd that will log any changes made in the
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38542
|
||||
status: exception
|
||||
tag: misc
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
The STIG makes several requirements for IPv4 network restrictions, but these
|
||||
restrictions can impact certain network interfaces and cause service
|
||||
disruptions. Some security configurations make sense for certain types of
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38543
|
||||
status: exception
|
||||
tag: misc
|
||||
status: opt-in
|
||||
tag: auditd
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat``
|
||||
syscalls can cause high CPU and I/O load during OpenStack-Ansible deployments
|
||||
and while updating packages with apt. By default, these rules are disabled.
|
||||
|
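Review bot: status changes from exception to opt-in while the body heading is still **Exception** (see the V-38490 comment); it should become **Opt-in required**.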
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38544
|
||||
status: exception
|
||||
tag: misc
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
The STIG makes several requirements for IPv4 network restrictions, but these
|
||||
restrictions can impact certain network interfaces and cause service
|
||||
disruptions. Some security configurations make sense for certain types of
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38545
|
||||
status: exception
|
||||
tag: misc
|
||||
status: opt-in
|
||||
tag: auditd
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
The audit rules for permission changes made with ``chown`` are disabled by
|
||||
default as they can generate an excessive amount of logs in a short period of
|
||||
time, especially during a deployment.
|
||||
|
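Review bot: "permission changes made with ``chown``" is wrong: ``chown`` changes ownership, not permissions (the chmod family is V-38543); say "ownership changes". The same **Exception** versus opt-in heading mismatch noted for V-38490 applies here.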
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38546
|
||||
status: opt-in
|
||||
tag: misc
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
**Opt-in required**
|
||||
|
||||
The STIG requires IPv6 to be disabled system-wide unless it is needed for the
|
||||
system to operate. Deployers must consider how their network is configured
|
||||
before disabling IPv6 entirely.
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
id: V-38547
|
||||
status: exception
|
||||
tag: misc
|
||||
status: opt-in
|
||||
tag: auditd
|
||||
---
|
||||
|
||||
**Exception**
|
||||
|
||||
The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat``
|
||||
syscalls can cause high CPU and I/O load during OpenStack-Ansible deployments
|
||||
and while updating packages with apt. By default, these rules are disabled.
|
||||
|
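Review bot: the rationale text is a verbatim copy of V-38543 (chmod/fchmod/fchmodat), so either this file covers a different set of syscalls and the copied text is wrong, or the two notes should be collapsed by reference ("see V-38543"). The **Exception** heading also needs the opt-in treatment noted for V-38490.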
Some files were not shown because too many files have changed in this diff.