[Docs] Overhaul STIG by tag docs
This patch gets rid of the old "special notes" section that was a dead-end in the documentation and replaces it with a brief header followed by a dynamically-generated list of tag-specific documentation. All of this sits underneath the "Hardening Domains" section. It also splits the "Deviations" documentation into its own section because it's quite important for a deployer to review. The patch also includes a link to video/slides from the Boston Summit, which provided the latest updates for the project and some background on how everything fits together. Change-Id: I1a5e78733c301335fe1bcfcee36cc146d690b841
This commit is contained in:
parent
75b29b6b2a
commit
875f635ab4
4
.gitignore
vendored
4
.gitignore
vendored
@ -70,4 +70,6 @@ tests/test.retry
|
||||
|
||||
# Auto-generated documentation
|
||||
doc/source/auto_*
|
||||
doc/source/rhel7
|
||||
doc/source/rhel7/auto_*
|
||||
doc/source/rhel7/domains/auto_*
|
||||
|
||||
|
33
doc/metadata/template_toc_partial_rhel7.j2
Normal file
33
doc/metadata/template_toc_partial_rhel7.j2
Normal file
@ -0,0 +1,33 @@
|
||||
{#
|
||||
This file renders *partial* documentation that is included by other
|
||||
documentation. This is used in the "Hardening Domains" section.
|
||||
#}
|
||||
{% for section_header, stig_id_list in stig_dict.items() %}
|
||||
STIG requirements
|
||||
-----------------
|
||||
|
||||
All of the tasks for these STIG requirements are included in
|
||||
``tasks/rhel7stig/{{ section_header }}.yml``.
|
||||
|
||||
{% for stig_id in stig_id_list | sort %}
|
||||
|
||||
{% set rule = all_deployer_notes[stig_id] %}
|
||||
{{ rule['id'] }}
|
||||
{{ "~" * rule['id'] | length }}
|
||||
|
||||
* **Summary**: {{ rule['title'] | replace("\n", " ") | indent(2, False) }}
|
||||
* **Severity:** {{ rule['severity'] | title }}
|
||||
* **Implementation Status:** {{ rule['deployer_notes']['status'] | title }}
|
||||
|
||||
Deployer/Auditor notes
|
||||
^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
{{ rule['deployer_notes']['content'] }}
|
||||
|
||||
|
||||
{% if not loop.last %}
|
||||
----
|
||||
{% endif %}
|
||||
|
||||
{% endfor %}
|
||||
{% endfor %}
|
26
doc/source/_exts/metadata-docs-rhel7.py
Normal file → Executable file
26
doc/source/_exts/metadata-docs-rhel7.py
Normal file → Executable file
@ -184,6 +184,16 @@ def render_toc(toc_type, stig_dict, all_deployer_notes):
|
||||
)
|
||||
|
||||
|
||||
def render_toc_partial(toc_type, stig_dict, all_deployer_notes):
|
||||
"""Generate documentation RST for each STIG configuration."""
|
||||
template = JINJA_ENV.get_template('template_toc_partial_rhel7.j2')
|
||||
return template.render(
|
||||
toc_type=toc_type,
|
||||
stig_dict=stig_dict,
|
||||
all_deployer_notes=all_deployer_notes,
|
||||
)
|
||||
|
||||
|
||||
def write_file(filename, content):
|
||||
"""Write contents to files."""
|
||||
file_path = "{0}/{1}".format(DOC_SOURCE_DIR, filename)
|
||||
@ -235,7 +245,6 @@ def generate_docs():
|
||||
rule['description'] = {x.tag: x.text for x in temp.iter()}
|
||||
|
||||
# Get the deployer notes from YAML
|
||||
print(rule['id'])
|
||||
deployer_notes = get_deployer_notes(rule['id'])
|
||||
rule['deployer_notes'] = deployer_notes
|
||||
|
||||
@ -258,17 +267,26 @@ def generate_docs():
|
||||
status_toc = render_toc('implementation status',
|
||||
status,
|
||||
all_deployer_notes)
|
||||
tag_toc = render_toc('tag',
|
||||
tag,
|
||||
|
||||
# Write the docs for each tag to individual files so we can include them
|
||||
# from doc files in the domains folder.
|
||||
unique_tags = [x for x, y in tag.items()]
|
||||
for unique_tag in unique_tags:
|
||||
tag_toc = render_toc_partial(None,
|
||||
{unique_tag: tag[unique_tag]},
|
||||
all_deployer_notes)
|
||||
write_file("rhel7/domains/auto_{}.rst".format(unique_tag), tag_toc)
|
||||
|
||||
write_file("rhel7/auto_controls-all.rst", all_toc)
|
||||
write_file("rhel7/auto_controls-by-severity.rst", severity_toc)
|
||||
write_file("rhel7/auto_controls-by-status.rst", status_toc)
|
||||
write_file("rhel7/auto_controls-by-tag.rst", tag_toc)
|
||||
|
||||
|
||||
def setup(app):
|
||||
"""Set up the Sphinx extension."""
|
||||
print("Generating RHEL7 STIG documentation...")
|
||||
generate_docs()
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
generate_docs()
|
||||
|
0
doc/source/_exts/metadata-docs.py
Normal file → Executable file
0
doc/source/_exts/metadata-docs.py
Normal file → Executable file
@ -64,5 +64,4 @@ documentation below.
|
||||
|
||||
rhel7/auto_controls-by-severity.rst
|
||||
rhel7/auto_controls-by-status.rst
|
||||
rhel7/auto_controls-by-tag.rst
|
||||
rhel7/auto_controls-all.rst
|
||||
|
37
doc/source/deviations.rst
Normal file
37
doc/source/deviations.rst
Normal file
@ -0,0 +1,37 @@
|
||||
Deviations from the Security Technical Implementation Guide (STIG)
|
||||
==================================================================
|
||||
|
||||
The ansible-hardening role deviates from some of the STIG's requirements when a
|
||||
security control could cause significant issues with production systems. The
|
||||
role classifies each control into an implementation status and provides notes
|
||||
on why a certain control is skipped or altered.
|
||||
|
||||
The following provides a brief overview of each implementation status:
|
||||
|
||||
Exception
|
||||
If a control requires manual intervention outside the host, or if it could
|
||||
cause significant harm to a host, it will be skipped and listed as an
|
||||
exception. All controls in this category are not implemented in Ansible.
|
||||
|
||||
Configuration Required
|
||||
These controls require some type of initial configuration before they can
|
||||
be applied. Review the notes for each control to determine how to configure
|
||||
each of them.
|
||||
|
||||
Implemented
|
||||
These controls are fully implemented and they may have configurations which
|
||||
can be adjusted. The notes for each control will identify which configuration
|
||||
options are available.
|
||||
|
||||
Opt-In
|
||||
The controls in the opt-in list are implemented in Ansible, but are disabled
|
||||
by default. They are often disabled because they could cause harm to a subset
|
||||
of systems. Each control has notes that explains the caveats of the control
|
||||
and how to enable it if needed.
|
||||
|
||||
Deployers should review the full list of controls
|
||||
`sorted by implementation status <auto_controls-by-status.html>`_.
|
||||
|
||||
.. note::
|
||||
|
||||
All of the default configurations are found within ``defaults/main.yml``.
|
23
doc/source/domains.rst
Normal file
23
doc/source/domains.rst
Normal file
@ -0,0 +1,23 @@
|
||||
Hardening Domains
|
||||
=================
|
||||
|
||||
The STIG divides its hardening requirements into severity levels, but the
|
||||
security role divides the requirements into system domains. The documentation
|
||||
provided here includes a brief overview of each hardening domain and the STIG
|
||||
requirements that go along with each.
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
rhel7/domains/accounts.rst
|
||||
rhel7/domains/aide.rst
|
||||
rhel7/domains/auditd.rst
|
||||
rhel7/domains/auth.rst
|
||||
rhel7/domains/file_perms.rst
|
||||
rhel7/domains/graphical.rst
|
||||
rhel7/domains/implemented.rst
|
||||
rhel7/domains/kernel.rst
|
||||
rhel7/domains/lsm.rst
|
||||
rhel7/domains/misc.rst
|
||||
rhel7/domains/packages.rst
|
||||
rhel7/domains/sshd.rst
|
@ -26,11 +26,20 @@ Deployers have the option to pick and choose which configurations are applied
|
||||
using Ansible variables and tags. Some tasks allow deployers to provide custom
|
||||
configurations to tighten down or relax certain requirements.
|
||||
|
||||
For more details, review the *Documentation* section below.
|
||||
|
||||
.. _Security Technical Implementation Guide (STIG): http://iase.disa.mil/stigs/Pages/index.aspx
|
||||
.. _Defense Information Systems Agency (DISA): http://www.disa.mil/
|
||||
|
||||
OpenStack Summit Boston 2017 Talk
|
||||
---------------------------------
|
||||
|
||||
This talk covers the latest updates from the project and a live demo. Slides
|
||||
from the talk are
|
||||
`available for download <https://www.slideshare.net/MajorHayden/securing-openstack-and-beyond-with-ansible>`_.
|
||||
|
||||
.. raw:: html
|
||||
|
||||
<iframe width="640" height="360" src="https://www.youtube-nocookie.com/embed/E67zaS_UZks?rel=0" frameborder="0" allowfullscreen></iframe>
|
||||
|
||||
Documentation
|
||||
-------------
|
||||
|
||||
@ -41,13 +50,14 @@ previous releases are available in the *Releases* section below.
|
||||
:maxdepth: 2
|
||||
|
||||
getting-started.rst
|
||||
deviations.rst
|
||||
faq.rst
|
||||
special-notes.rst
|
||||
domains.rst
|
||||
controls-rhel7.rst
|
||||
developer-guide.rst
|
||||
|
||||
Special Notes: STIG Content
|
||||
---------------------------
|
||||
Legacy RHEL 6 STIG Content
|
||||
--------------------------
|
||||
|
||||
The RHEL 7 STIG content was first added in the Ocata release using the
|
||||
pre-release STIG content (version 0.2). The Pike release contains the final
|
||||
|
19
doc/source/rhel7/domains/accounts.rst
Normal file
19
doc/source/rhel7/domains/accounts.rst
Normal file
@ -0,0 +1,19 @@
|
||||
accounts - User account security controls
|
||||
=========================================
|
||||
|
||||
Security controls for user accounts on Linux systems are a crucial barrier to
|
||||
prevent unauthorized access.
|
||||
|
||||
Overview
|
||||
--------
|
||||
|
||||
Many of the STIG requirements for user account controls are already included in
|
||||
many Linux distributions or they can be applied without disruptions. However,
|
||||
some requirements can cause problems with user authentication without
|
||||
coordination.
|
||||
|
||||
Deployers should consider an authentication solution that uses centralized
|
||||
authentication, such as LDAP, Active Directory, or Kerberos, for the best
|
||||
security posture.
|
||||
|
||||
.. include:: auto_accounts.rst
|
34
doc/source/rhel7/domains/aide.rst
Normal file
34
doc/source/rhel7/domains/aide.rst
Normal file
@ -0,0 +1,34 @@
|
||||
aide - Advanced Intrusion Detection Environment
|
||||
===============================================
|
||||
|
||||
AIDE provides integrity monitoring for files on a Linux system and can notify
|
||||
system administrators of changes to critical files and packages.
|
||||
|
||||
Overview
|
||||
--------
|
||||
|
||||
By default, AIDE will examine and monitor all of the files on a host unless
|
||||
directories are added to its exclusion list. The security role sets directories
|
||||
to exclude from AIDE monitoring via the ``aide_exclude_dirs`` variable. this
|
||||
list excludes the most common directories that change very often via automated
|
||||
methods.
|
||||
|
||||
The security role skips the AIDE initialization step by default to avoid system
|
||||
disruption or a reduction in performance. Deployers should determine the best
|
||||
time to initialize the database that does not interfere with the system's
|
||||
operations.
|
||||
|
||||
To initialize the AIDE database, set the following Ansible variable and
|
||||
re-apply the role:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_rhel7_initialize_aide: true
|
||||
|
||||
.. warning::
|
||||
|
||||
Even with the excluded directories, the first AIDE initialization can take
|
||||
a long time on some systems. During this time, the CPU and disks are **very
|
||||
busy**.
|
||||
|
||||
.. include:: auto_aide.rst
|
48
doc/source/rhel7/domains/auditd.rst
Normal file
48
doc/source/rhel7/domains/auditd.rst
Normal file
@ -0,0 +1,48 @@
|
||||
auditd - audit daemon
|
||||
=====================
|
||||
|
||||
The STIG requires all systems to have the audit daemon, ``auditd``, running to
|
||||
monitor system calls and other critical events. The daemon has rules that
|
||||
define which events are noteworthy on the system and it can generate alerts
|
||||
based on the events it finds.
|
||||
|
||||
Overview
|
||||
--------
|
||||
|
||||
Audit daemon rules
|
||||
The auditd rules are deployed in a single task via a template
|
||||
(``templates/osas-auditd-rhel7.j2``). Each rule or set of similar rules are
|
||||
controlled by an Ansible variable that starts with ``security_audit_rhel7``.
|
||||
Refer to ``defaults/main.yml`` for a list of these variables.
|
||||
|
||||
Example:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
# Add audit rules for commands/syscalls.
|
||||
security_rhel7_audit_chsh: yes # V-72167
|
||||
security_rhel7_audit_chage: yes # V-72155
|
||||
security_rhel7_audit_chcon: yes # V-72139
|
||||
security_rhel7_audit_chmod: no # V-72105
|
||||
security_rhel7_audit_chown: no # V-72097
|
||||
|
||||
For example, setting ``security_rhel7_audit_chown`` to ``yes`` will
|
||||
ensure that the rule for auditing the usage of the ``chown`` are included
|
||||
on each host. Setting ``security_rhel7_audit_chown`` to ``no`` will omit that
|
||||
rule on each host.
|
||||
|
||||
Handling audit emergencies
|
||||
There are several configurations for auditd which are critical for deployers
|
||||
to review in detail. The options beneath the ``## Audit daemon (auditd)``
|
||||
comment will change how auditd handles log files and what it should do in
|
||||
case of emergencies.
|
||||
|
||||
.. warning::
|
||||
|
||||
Deployers should thoroughly test all changes to auditd emergency
|
||||
configurations. Some of these configuration options can cause serious
|
||||
issues on production systems, ranging from a reduction in security to
|
||||
servers going offline unexpectedly. There is extensive documentation in the
|
||||
developer notes below for each STIG requirement.
|
||||
|
||||
.. include:: auto_auditd.rst
|
15
doc/source/rhel7/domains/auth.rst
Normal file
15
doc/source/rhel7/domains/auth.rst
Normal file
@ -0,0 +1,15 @@
|
||||
auth - Authentication
|
||||
=====================
|
||||
|
||||
User or automated authentication to a Linux system must be closely monitored
|
||||
and carefully configured to prevent unauthorized access.
|
||||
|
||||
Overview
|
||||
--------
|
||||
|
||||
Most of the STIG requirements for authentication are already included in Linux
|
||||
distributions by default or are easily applied without disruptions. Deployers
|
||||
should review the documentation below and test all changes on a non-production
|
||||
system first.
|
||||
|
||||
.. include:: auto_auth.rst
|
17
doc/source/rhel7/domains/file_perms.rst
Normal file
17
doc/source/rhel7/domains/file_perms.rst
Normal file
@ -0,0 +1,17 @@
|
||||
file_perms - Filesystem permissions
|
||||
===================================
|
||||
|
||||
One of the first layers of defense against attacks on a Linux system is
|
||||
Discretionary Access Control (DAC), which is managed through filesystem
|
||||
permissions.
|
||||
|
||||
Overview
|
||||
--------
|
||||
|
||||
Some of the STIG requirements for file permissions could cause disruptions on
|
||||
production systems if the permissions were adjusted to meet the needs of a
|
||||
particular application. These configurations are applied on an opt-in basis.
|
||||
Deployers must verify that these changes work well with their systems before
|
||||
applying the changes.
|
||||
|
||||
.. include:: auto_file_perms.rst
|
17
doc/source/rhel7/domains/graphical.rst
Normal file
17
doc/source/rhel7/domains/graphical.rst
Normal file
@ -0,0 +1,17 @@
|
||||
graphical - Graphical login security controls
|
||||
=============================================
|
||||
|
||||
Although most Linux servers only have text-based interfaces, graphical
|
||||
environments are required for certain applications. Security controls must be
|
||||
applied to these graphical environments to prevent unauthorized access.
|
||||
|
||||
Overview
|
||||
--------
|
||||
|
||||
The STIG requirements for graphical interfaces are focused on ensuring proper
|
||||
authentication for new sessions and enforcing re-authentication after idle
|
||||
periods.
|
||||
|
||||
These controls will be skipped on systems without a graphical login interface.
|
||||
|
||||
.. include:: auto_graphical.rst
|
18
doc/source/rhel7/domains/kernel.rst
Normal file
18
doc/source/rhel7/domains/kernel.rst
Normal file
@ -0,0 +1,18 @@
|
||||
kernel - Kernel parameters
|
||||
==========================
|
||||
|
||||
The Linux kernel has many parameters that can improve overall system security
|
||||
and most of these parameters can be changed while a system is running.
|
||||
|
||||
Overview
|
||||
--------
|
||||
|
||||
The security role applies several changes to kernel parameters and each of
|
||||
these changes are controlled by Ansible variables. Review the ``## Kernel
|
||||
settings`` section within ``defaults/main.yml`` file for more information on
|
||||
these changes.
|
||||
|
||||
One deviation appears in this section for IP forwarding. Review the
|
||||
documentation for ``V-72309`` below for more details.
|
||||
|
||||
.. include:: auto_kernel.rst
|
16
doc/source/rhel7/domains/lsm.rst
Normal file
16
doc/source/rhel7/domains/lsm.rst
Normal file
@ -0,0 +1,16 @@
|
||||
lsm - Linux Security Modules
|
||||
============================
|
||||
|
||||
Linux Security Modules, such as AppArmor and SELinux, provide an extra level of
|
||||
security controls on a Linux system. They provide Mandatory Access Control
|
||||
(MAC) that checks system activities against security policy. These policies
|
||||
apply to all users, including root.
|
||||
|
||||
Overview
|
||||
--------
|
||||
|
||||
The STIG requires that SELinux is in enforcing mode to provide additional
|
||||
security against attacks. The security role will enable SELinux on CentOS
|
||||
systems and enable AppArmor on Ubuntu and Debian systems.
|
||||
|
||||
.. include:: auto_lsm.rst
|
27
doc/source/rhel7/domains/misc.rst
Normal file
27
doc/source/rhel7/domains/misc.rst
Normal file
@ -0,0 +1,27 @@
|
||||
misc - Miscellaneous security controls
|
||||
======================================
|
||||
|
||||
Some of the security controls provided by the STIG are difficult to group
|
||||
together. The following documentation includes STIG requirements which do not
|
||||
easily fit into one of the other hardening domains.
|
||||
|
||||
Overview
|
||||
--------
|
||||
|
||||
Reliable time synchronization is a requirement in the STIG and the ``chrony``
|
||||
package will be installed to handle NTP for systems secured with the openstack-
|
||||
ansible-security role. The default settings will work for most environments,
|
||||
but some deployers may prefer to use NTP servers which are geographically
|
||||
closer to their servers.
|
||||
|
||||
The role configures the chrony daemon to listen only on ``localhost``. To allow
|
||||
chrony to listen on all addresses (the upstream default for chrony),
|
||||
set the ``security_ntp_bind_local_interfaces_only`` variable to ``False``.
|
||||
|
||||
The default configuration allows `RFC1918`_ addresses to reach the NTP server
|
||||
running on each host. That could be changed by using the
|
||||
``security_allowed_ntp_subnets`` parameter.
|
||||
|
||||
.. _RFC1918: https://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
|
||||
|
||||
.. include:: auto_misc.rst
|
13
doc/source/rhel7/domains/packages.rst
Normal file
13
doc/source/rhel7/domains/packages.rst
Normal file
@ -0,0 +1,13 @@
|
||||
packages - Package managers
|
||||
===========================
|
||||
|
||||
Package managers provide a convenient, secure method for installing and
|
||||
upgrading applications on a system. They must be configured properly to ensure
|
||||
that software is carefully verified before it is installed.
|
||||
|
||||
Overview
|
||||
--------
|
||||
|
||||
Lorem ipsum
|
||||
|
||||
.. include:: auto_packages.rst
|
23
doc/source/rhel7/domains/sshd.rst
Normal file
23
doc/source/rhel7/domains/sshd.rst
Normal file
@ -0,0 +1,23 @@
|
||||
sshd - SSH daemon
|
||||
=================
|
||||
|
||||
The SSH daemon, ``sshd``, provides secure, encrypted access to Linux servers.
|
||||
|
||||
Overview
|
||||
--------
|
||||
|
||||
The STIG has several requirements for ssh server configuration and these
|
||||
requirements are applied by default by the role. To opt-out or change these
|
||||
requirements, see the section under the ``## ssh server (sshd)`` comment in
|
||||
``defaults/main.yml``.
|
||||
|
||||
Deviation for PermitRootLogin
|
||||
There is one deviation from the STIG for the ``PermitRootLogin``
|
||||
configuration option. The STIG requires that direct root logins are
|
||||
disabled, and this is the recommended setting for secure production
|
||||
environments.
|
||||
|
||||
However, this can cause problems in some existing environments and the
|
||||
default for the role is to set it to ``yes`` (direct root logins allowed).
|
||||
|
||||
.. include:: auto_sshd.rst
|
@ -1,154 +0,0 @@
|
||||
.. _special_notes:
|
||||
|
||||
Deviations & Special Notes
|
||||
==========================
|
||||
|
||||
The Security Technical Implementation Guide (STIG) provides over 200 controls
|
||||
to secure a Linux system, but some of these configurations can cause problems
|
||||
with production environments.
|
||||
|
||||
.. contents::
|
||||
:local:
|
||||
:backlinks: none
|
||||
:depth: 2
|
||||
|
||||
Reviewing deviations
|
||||
--------------------
|
||||
|
||||
The ansible-hardening role deviates from some of the STIG's
|
||||
requirements when a security control could cause significant issues with
|
||||
production systems. The role classifies each control into an implementation
|
||||
status and provides notes on why a certain control is skipped or altered.
|
||||
|
||||
The following provides a brief overview of each implementation status:
|
||||
|
||||
Exception
|
||||
If a control requires manual intervention outside the host, or if it could
|
||||
cause significant harm to a host, it will be skipped and listed as an
|
||||
exception. All controls in this category are not implemented in Ansible.
|
||||
|
||||
Configuration Required
|
||||
These controls require some type of initial configuration before they can
|
||||
be applied. Review the notes for each control to determine how to configure
|
||||
each of them.
|
||||
|
||||
Implemented
|
||||
These controls are fully implemented and they may have configurations which
|
||||
can be adjusted. The notes for each control will identify which configuration
|
||||
options are available.
|
||||
|
||||
Opt-In
|
||||
The controls in the opt-in list are implemented in Ansible, but are disabled
|
||||
by default. They are often disabled because they could cause harm to a subset
|
||||
of systems. Each control has notes that explains the caveats of the control
|
||||
and how to enable it if needed.
|
||||
|
||||
Deployers should review the full list of controls
|
||||
`sorted by implementation status <auto_controls-by-status.html>`_.
|
||||
|
||||
.. note::
|
||||
|
||||
All of the default configurations are found within ``defaults/main.yml``.
|
||||
|
||||
AIDE initialization
|
||||
-------------------
|
||||
|
||||
The STIG sets requirements for integrity monitoring of the system and the role
|
||||
will install AIDE to meet these requirements.
|
||||
|
||||
By default AIDE will examine and monitor all of the files on a host unless
|
||||
directories are added to its exclusion list. The security role sets directories
|
||||
to exclude from AIDE monitoring via the ``aide_exclude_dirs`` variable. this
|
||||
list excludes the most common directories that change very often via automated
|
||||
methods.
|
||||
|
||||
Even with the excluded directories, the first AIDE initialization can take a
|
||||
long time on some systems. During this time, the CPU and disks are **very
|
||||
busy**.
|
||||
|
||||
The security role will skip the AIDE initialization step by default. Deployers
|
||||
must set the following Ansible variable to initialize the database:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_rhel7_initialize_aide: true
|
||||
|
||||
auditd
|
||||
------
|
||||
|
||||
The audit daemon (``auditd``) is required by the STIG and it provides useful
|
||||
logging of critical events on a Linux server. The audit daemon monitors
|
||||
syscalls on a Linux system and logs alerts based on sets of auditing rules.
|
||||
|
||||
Rules for auditd
|
||||
Each set of rules is controlled by Ansible variables that begin with
|
||||
``security_audit__rhel7``. To omit a set of rules on a host, set the variable
|
||||
to ``no``. To include a set of rules on a host, set the variable to ``yes``.
|
||||
|
||||
For example, setting ``security_rhel7_audit_mount`` to ``yes`` will
|
||||
ensure that the rules for auditing filesystem mounts are included on each
|
||||
host. Setting ``security_rhel7_audit_mount`` to ``no`` will omit that
|
||||
group of rules on each host.
|
||||
|
||||
To review the full list of rules and variables, refer to
|
||||
``templates/osas-auditd-rhel7.j2``.
|
||||
|
||||
Handling audit emergencies
|
||||
There are several configurations for auditd which are critical for deployers
|
||||
to review in detail. The options beneath the ``## Audit daemon (auditd)``
|
||||
comment will change how auditd handles log files and what it should do in
|
||||
case of emergencies.
|
||||
|
||||
.. note::
|
||||
|
||||
Some of these configuration options can cause serious issues on
|
||||
production systems, ranging from a reduction in security to servers going
|
||||
offline unexpectedly. There is extensive documentation in the developer
|
||||
notes for each STIG requirement.
|
||||
|
||||
Linux Security Modules (LSM)
|
||||
----------------------------
|
||||
|
||||
The STIG requires that SELinux is in enforcing mode to provide additional
|
||||
security against attacks. The security role will enable SELinux on CentOS
|
||||
systems and enable AppArmor on Ubuntu systems.
|
||||
|
||||
For more information on how these changes are applied, refer to the
|
||||
documentation for :ref:`V-71989 <stig-V-71989>`.
|
||||
|
||||
SSH server
|
||||
----------
|
||||
|
||||
The STIG has some requirements for ssh server configuration and these
|
||||
requirements are applied by default by the role. To opt-out or change these
|
||||
requirements, see the section under the ``## ssh server (sshd)`` comment in
|
||||
``defaults/main.yml``.
|
||||
|
||||
Deviation for PermitRootLogin
|
||||
There is one deviation from the STIG for the ``PermitRootLogin``
|
||||
configuration option. The STIG requires that direct root logins are
|
||||
disabled, and this is the recommended setting for secure production
|
||||
environments.
|
||||
|
||||
However, this can cause problems in some existing environments and the
|
||||
default for the role is to set it to ``yes`` (direct root logins allowed).
|
||||
|
||||
Time synchronization
|
||||
--------------------
|
||||
|
||||
Reliable time synchronization is a requirement in the STIG and the ``chrony``
|
||||
package will be installed to handle NTP for systems secured with the
|
||||
ansible-hardening role.
|
||||
|
||||
The default settings will work for most environments, but some deployers may
|
||||
prefer to use NTP servers which are geographically closer to their servers.
|
||||
|
||||
The role configures the chrony daemon to listen only on ``localhost``. To allow
|
||||
chrony to listen on all addresses (the upstream default for chrony),
|
||||
set the ``security_ntp_bind_local_interfaces_only`` variable to ``False``.
|
||||
|
||||
The default configuration allows `RFC1918`_ addresses to reach the NTP server
|
||||
running on each host. That could be changed by using the
|
||||
``security_allowed_ntp_subnets`` parameter.
|
||||
|
||||
.. _RFC1918: https://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
|
Loading…
Reference in New Issue
Block a user