Update to RHEL 7 STIG V1R3

This patch updates the tasks to match the changes in Version 1, Release 3 of the RHEL 7 STIG. It adds four new configurations: - V-77819 (docs only, manual intervention req'd) - V-77821 (disabling DCCP, implemented) - V-77823 (docs only, manual intervention req'd) - V-77825 (enabling ASLR, implemented) Closes-Bug: 1729344 Change-Id: I009fb31139e654f839d94781baf3d392c6613f46
2017-11-01 13:31:34 -05:00 · 2017-11-01 13:31:34 -05:00 · 782bb48c14
commit 782bb48c14
parent e79c6c0594
10 changed files with 573 additions and 274 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -363,3 +363,7 @@ security_disallow_ip_forwarding: no                          # V-72309
 security_rhel7_disable_usb_storage: yes                      # V-71983
 # Disable kdump.
 security_disable_kdump: yes                                  # V-72057
+# Disable Datagram Congestion Control Protocol (DCCP).
+security_rhel7_disable_dccp: yes                             # V-77821
+# Enable Address Space Layout Randomization (ASLR).
+security_enable_aslr: yes                                    # V-77825
--- a/doc/metadata/U_Red_Hat_Enterprise_Linux_7_STIG_V1R3_Manual-xccdf.xml
+++ b/doc/metadata/U_Red_Hat_Enterprise_Linux_7_STIG_V1R3_Manual-xccdf.xml
--- a/doc/metadata/rhel7/V-77819.rst
+++ b/doc/metadata/rhel7/V-77819.rst
@ -0,0 +1,13 @@
+---
+id: V-77819
+status: exception - manual intervention
+tag: misc
+---
+
+The STIG requires that multifactor authentication is used for graphical user
+logon, but this change requires custom configuration based on the
+authentication solution that is used.
+
+Deployers should review the available options, such as traditional
+smartcards, USB devices (such as Yubikeys), or software token systems, and
+use one of these solutions on each system.
--- a/doc/metadata/rhel7/V-77821.rst
+++ b/doc/metadata/rhel7/V-77821.rst
@ -0,0 +1,14 @@
+---
+id: V-77821
+status: implemented
+tag: kernel
+---
+
+The ansible-hardening role disables the DCCP kernel module by default. Each
+system must be rebooted to fully apply the change.
+
+Deployers can opt out of the change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_disable_dccp: no
--- a/doc/metadata/rhel7/V-77823.rst
+++ b/doc/metadata/rhel7/V-77823.rst
@ -0,0 +1,13 @@
+---
+id: V-77823
+status: exception - manual intervention
+tag: auth
+---
+
+Modifying sensitive systemd unit files directly or via overrides could cause
+a system to have issues during the boot process. The role does not make any
+adjustments to the ``rescue.service`` because this service is critical during
+emergencies.
+
+All of the distributions supported by the role already require authentication
+for single user mode.
--- a/doc/metadata/rhel7/V-77825.rst
+++ b/doc/metadata/rhel7/V-77825.rst
@ -0,0 +1,18 @@
+---
+id: V-77825
+status: implemented
+tag: kernel
+---
+
+Most modern systems enable Address Space Layout Randomization (ASLR) by
+default (with a setting of ``2``), and the role ensures that the secure
+default is maintained.
+
+Deployers can opt out of the change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_enable_aslr: no
+
+For more details on the ASLR settings, review the
+`sysctl documentation <https://www.kernel.org/doc/Documentation/sysctl/kernel.txt>`_.
--- a/doc/source/_exts/metadata-docs-rhel7.py
+++ b/doc/source/_exts/metadata-docs-rhel7.py
@ -28,7 +28,7 @@ import yaml
 SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
 METADATA_DIR = "{0}/../../metadata".format(SCRIPT_DIR)
 DOC_SOURCE_DIR = "{0}/..".format(SCRIPT_DIR)
-XCCDF_FILE = 'U_Red_Hat_Enterprise_Linux_7_STIG_V1R2_Manual-xccdf.xml'
+XCCDF_FILE = 'U_Red_Hat_Enterprise_Linux_7_STIG_V1R3_Manual-xccdf.xml'
 XCCDF_NAMESPACE = {'x': 'http://checklists.nist.gov/xccdf/1.1'}


--- a/releasenotes/notes/rhel7-stig-v1r3-update-c533ed40ba609ccf.yaml
+++ b/releasenotes/notes/rhel7-stig-v1r3-update-c533ed40ba609ccf.yaml
@ -0,0 +1,15 @@
+---
+features:
+  - |
+    The tasks within the ansible-hardening role are now based on Version 1,
+    Release 3 of the Red Hat Enteprise Linux Security Technical Implementation
+    Guide.
+  - |
+    The ``sysctl`` parameter ``kernel.randomize_va_space`` is now set to
+    ``2`` by default. This matches the default of most modern Linux
+    distributions and it ensures that Address Space Layout Randomization
+    (ASLR) is enabled.
+  - |
+    The Datagram Congestion Control Protocol (DCCP) kernel module is now
+    disabled by default, but a reboot is required to make the change
+    effective.
--- a/tasks/rhel7stig/kernel.yml
+++ b/tasks/rhel7stig/kernel.yml
@ -95,3 +95,15 @@
    - high
    - misc
    - V-72067
+
+- name: V-77821 - Datagram Congestion Control Protocol (DCCP) kernel module must be disabled
+  lineinfile:
+    dest: /etc/modprobe.d/ansible-hardening-disable-dccp.conf
+    line: install dccp /bin/true
+    create: yes
+  when:
+    - security_rhel7_disable_dccp | bool
+  tags:
+    - kernel
+    - medium
+    - V-77821
--- a/vars/main.yml
+++ b/vars/main.yml
@ -253,9 +253,9 @@ password_quality_rhel7:
    description: "Password must have at least four character classes changed"
    enabled: "{{ security_pwquality_require_character_classes_changed }}"
  - parameter: maxrepeat
-    value: 4
+    value: 3
    stig_id: V-71915
-    description: "Password must have at most four characters repeated consecutively"
+    description: "Password must have at most three characters repeated consecutively"
    enabled: "{{ security_pwquality_limit_repeated_characters }}"
  - parameter: maxclassrepeat
    value: 4
@ -341,3 +341,6 @@ sysctl_settings_rhel7:
  - name: net.ipv4.conf.default.accept_redirects
    value: 0
    enabled: "{{ security_disallow_icmp_redirects | bool }}"
+  - name: kernel.randomize_va_space
+    value: 2
+    enabled: "{{ security_enable_aslr | bool }}"