Docs: Update dev notes for Cat 2 controls
This patch updates the documentation for the developer notes associated with the Cat 2 (Medium) controls applied by the security role.

Partial-bug: 1583744
Change-Id: Ic342f33942521db009185585a21208a4688f6ed3
This commit is contained in:
parent
aff2332a78
commit
a841e184de
@ -1,4 +1,2 @@
|
|||||||
The Ansible tasks will ensure that ``/etc/gshadow`` is owned by root. This is
|
The ``/etc/gshadow`` file is owned by root by default on Ubuntu 14.04, Ubuntu
|
||||||
the default in Ubuntu 14.04 already, but the tasks will ensure that the
|
16.04 and CentOS 7. The security role ensures that the file is owned by root.
|
||||||
permissions match the STIG requirements in case they were changed by other
|
|
||||||
means after the installation of the operating system.
|
|
||||||
|
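Review bot: the rewritten sentence drops the reason the task exists; the removed text explained that the role reasserts ownership in case it was changed by other means after installation, and that rationale is what tells a deployer this is a drift check rather than a no-op on a fresh install. Suggest keeping a clause such as "The security role ensures that the file remains owned by root in case the ownership was changed after installation."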
@ -1,3 +1,3 @@
|
|||||||
Although audit log files are owned by the root user and group by default
|
The logs generated by the audit daemon are owned by root in Ubuntu 14.04,
|
||||||
in Ubuntu 14.04, the Ansible task for V-38445 will ensure that they are
|
Ubuntu 16.04 and CentOS 7. The Ansible task for V-38445 ensures that the files
|
||||||
configured as such.
|
are owned by the root user.
|
||||||
|
@ -1 +0,0 @@
|
|||||||
V-38447.rst
|
|
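Review bot: this hunk only removes the `V-38447.rst` entry from the list that included it; nothing visible in the change deletes the note file itself or says where that control is handled now. If the file stays in the tree, Sphinx will warn that it is not included in any toctree; if the control is dropped on purpose, the commit message should say why.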
5
doc/source/developer-notes/V-38453.rst
Normal file
5
doc/source/developer-notes/V-38453.rst
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
**Exception for Ubuntu**
|
||||||
|
|
||||||
|
Verifying ownership and permissions of installed packages isn't possible in the
|
||||||
|
current version of ``dpkg`` as it is with ``rpm``. This security configuration
|
||||||
|
is skipped for Ubuntu. For CentOS, this check is done as part of V-38637.
|
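Review bot: the exception is justified, but the new file would be more useful if it said why: `dpkg` records only content checksums (which is what `debsums` compares), not the owner and mode that `rpm -V` also verifies, so there is nothing in the package database to compare ownership and permissions against. One sentence to that effect would stop a deployer from trying to reproduce the rpm check with debsums.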
@ -1,10 +1,14 @@
|
|||||||
Ubuntu's default for ``security_disk_error_action`` is ``SUSPEND``, which
|
The default configuration for ``disk_error_action`` is ``SUSPEND``, which
|
||||||
actually only suspends audit logging. That could be a security issue, so
|
only suspends audit logging when there is a disk error on the system.
|
||||||
``SYSLOG`` is recommended and is set by default by openstack-ansible-security.
|
Suspending audit logging can lead to security problems because the system is no
|
||||||
There are additional options available, like ``EXEC``, ``SINGLE`` or ``HALT``.
|
longer keeping track of which syscalls were made.
|
||||||
|
|
||||||
To configure a different ``security_disk_error_action``, set the following
|
The security role sets the configuration to ``SYSLOG`` so that messages are
|
||||||
Ansible variable:
|
sent to syslog when disk errors occur. There are additional options available,
|
||||||
|
like ``EXEC``, ``SINGLE`` or ``HALT``.
|
||||||
|
|
||||||
|
To configure a different ``disk_error_action``, set the following Ansible
|
||||||
|
variable:
|
||||||
|
|
||||||
.. code-block:: yaml
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
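Review bot: the prose now refers to the auditd.conf key ``disk_error_action`` while the line "set the following Ansible variable" introduces a differently named role variable without naming it (the removed text called it ``security_disk_error_action``), so the reader cannot tell from the paragraph which is which. Suggest stating both once, e.g. "To change the ``disk_error_action`` setting in ``auditd.conf``, set the ``security_disk_error_action`` Ansible variable", assuming the YAML block below still uses that name. One caveat worth adding for the SYSLOG choice: a disk error still means audit records are not reaching the disk, so the syslog message is only useful if syslog is monitored or shipped off-host.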
@ -1,5 +1,5 @@
|
|||||||
**Exception**
|
**Exception**
|
||||||
|
|
||||||
Ubuntu 14.04 sets library files to have ``0755`` (or more restrictive)
|
Ubuntu 14.04, Ubuntu 16.04 and CentOS 7 set library files to have ``0755`` (or
|
||||||
permissions by default. Deployers are urged to review the permissions
|
more restrictive) permissions by default. Deployers are urged to review the
|
||||||
of libraries regularly to ensure the system hasn't been altered.
|
permissions of libraries regularly to ensure the system has not been altered.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
**Exception**
|
**Exception**
|
||||||
|
|
||||||
As with V-38465, Ubuntu sets the ownership of library files to root by
|
As with V-38465, Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the ownership of
|
||||||
default. Deployers are urged to configure monitoring for changes to these
|
library files to root by default. Deployers are urged to configure monitoring
|
||||||
files.
|
for changes to these files.
|
||||||
|
@ -1,11 +1,14 @@
|
|||||||
Ubuntu's default for ``security_disk_full_action`` is ``SUSPEND``, which
|
The default configuration for ``disk_full_action`` is ``SUSPEND``, which only
|
||||||
actually only suspends audit logging. That could be a security issue, so
|
suspends audit logging. Suspending audit logging can lead to security problems
|
||||||
``SYSLOG`` is recommended and is set by default by openstack-ansible-security.
|
because the system is no longer keeping track of which syscalls were made.
|
||||||
If syslog messages are being sent to remote servers, these log messages should
|
|
||||||
alert an administrator about the disk being full. There are additional options
|
|
||||||
available, like ``EXEC``, ``SINGLE`` or ``HALT``.
|
|
||||||
|
|
||||||
To configure a different ``security_disk_full_action``, set the following
|
The security role sets the configuration to ``SYSLOG`` so that messages are
|
||||||
|
sent to syslog when the disk is full. If syslog messages are being sent to
|
||||||
|
remote servers, these log messages should alert an administrator about the disk
|
||||||
|
being full. There are additional options available, like ``EXEC``, ``SINGLE``
|
||||||
|
or ``HALT``.
|
||||||
|
|
||||||
|
To configure a different ``disk_full_action``, set the following
|
||||||
Ansible variable:
|
Ansible variable:
|
||||||
|
|
||||||
.. code-block:: yaml
|
.. code-block:: yaml
|
||||||
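Review bot: same naming question as in the disk_error_action note: the paragraph now talks about ``disk_full_action`` (the auditd.conf key) while directing the reader to "the following Ansible variable" without naming it; the removed text called it ``security_disk_full_action``. Either term is fine, but the paragraph should name both once so the deployer knows which value to look for in ``auditd.conf`` and which variable to set.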
@ -15,5 +18,5 @@ Ansible variable:
|
|||||||
For details on available settings and what they do, run ``man auditd.conf``.
|
For details on available settings and what they do, run ``man auditd.conf``.
|
||||||
Some options can cause the host to go offline until the issue is fixed.
|
Some options can cause the host to go offline until the issue is fixed.
|
||||||
Deployers are urged to **carefully read the auditd documentation** prior to
|
Deployers are urged to **carefully read the auditd documentation** prior to
|
||||||
changing the ``security_disk_full_action`` setting from the default.
|
changing the ``disk_full_action`` setting from the default.
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
**Exception**
|
**Exception**
|
||||||
|
|
||||||
Ubuntu sets the permissions for system commands to ``0755`` or less already.
|
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the permissions for system
|
||||||
Deployers are urged to review these permissions for changes over time as they
|
commands to ``0755`` or less already. Deployers are urged to review these
|
||||||
can be a sign of a compromise.
|
permissions for changes over time as they can be a sign of a compromise.
|
||||||
|
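Review bot: "``0755`` or less" is ambiguous about which direction is allowed; the library-file note in this same change uses "``0755`` (or more restrictive)", which says unambiguously that fewer permission bits are acceptable. Suggest the same wording here.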
@ -1,11 +1,15 @@
|
|||||||
Ubuntu's default for ``security_space_left_action`` is ``SUSPEND``, which
|
The default configuration for ``security_space_left_action`` is ``SUSPEND``,
|
||||||
actually only suspends audit logging. That could be a security issue, so
|
which actually only suspends audit logging. Suspending audit logging can lead
|
||||||
``SYSLOG`` is recommended and is set by default by openstack-ansible-security.
|
to security problems because the system is no longer keeping track of which
|
||||||
If syslog messages are being sent to remote servers, these log messages should
|
syscalls were made.
|
||||||
alert an administrator about the disk being almost full. There are additional
|
|
||||||
options available, like ``EXEC``, ``SINGLE`` or ``HALT``.
|
|
||||||
|
|
||||||
To configure a different ``security_space_left_action``, set the following
|
The security role sets the configuration to ``SYSLOG`` so that messages are
|
||||||
|
sent to syslog when the available disk space reaches a low level. If syslog
|
||||||
|
messages are being sent to remote servers, these log messages should alert an
|
||||||
|
administrator about the disk being almost full. There are additional options
|
||||||
|
available, like ``EXEC``, ``SINGLE`` or ``HALT``.
|
||||||
|
|
||||||
|
To configure a different ``space_left_action``, set the following
|
||||||
Ansible variable:
|
Ansible variable:
|
||||||
|
|
||||||
.. code-block:: yaml
|
.. code-block:: yaml
|
||||||
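Review bot: within this one file the first new line keeps the role variable name ("The default configuration for ``security_space_left_action`` is ``SUSPEND``") while the later sentence switches to the auditd.conf key ``space_left_action``, and the trailing hunk does the same; the default being described belongs to auditd, not to the role variable. Suggest using ``space_left_action`` in the first sentence to match the sibling disk_full_action and disk_error_action notes in this change, and naming the role variable once next to "set the following Ansible variable".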
@ -15,4 +19,4 @@ Ansible variable:
|
|||||||
For details on available settings and what they do, run ``man auditd.conf``.
|
For details on available settings and what they do, run ``man auditd.conf``.
|
||||||
Some options can cause the host to go offline until the issue is fixed.
|
Some options can cause the host to go offline until the issue is fixed.
|
||||||
Deployers are urged to **carefully read the auditd documentation** prior to
|
Deployers are urged to **carefully read the auditd documentation** prior to
|
||||||
changing the ``security_space_left_action`` setting from the default.
|
changing the ``space_left_action`` setting from the default.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
**Exception**
|
**Exception**
|
||||||
|
|
||||||
Ubuntu sets system commands to be owned by root by default Deployers are
|
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set system commands to be owned by
|
||||||
urged to review ownership changes via auditd rules to ensure system
|
root by default. Deployers are urged to review ownership changes via auditd
|
||||||
commands haven't changed ownership over time.
|
rules to ensure system commands haven't changed ownership over time.
|
||||||
|
@ -1,8 +1,7 @@
|
|||||||
**Configuration required**
|
**Configuration required**
|
||||||
|
|
||||||
Ubuntu 14.04 does not set a password length requirement by default. The STIG
|
The STIG recommends passwords to be a minimum of 14 characters in length. To
|
||||||
recommends passwords to be a minimum of 14 characters in length. To apply this
|
apply this setting, set the following Ansible variable:
|
||||||
setting, set the following Ansible variable:
|
|
||||||
|
|
||||||
.. code-block:: yaml
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
@ -1,9 +1,7 @@
|
|||||||
**Configuration required**
|
**Configuration required**
|
||||||
|
|
||||||
Ubuntu doesn't set a limitation on how frequently uses can change passwords.
|
The STIG recommends setting a limit of one password change per day. To enable
|
||||||
However, the STIG recommends setting a limit of one password change per day.
|
this configuration, use this Ansible variable:
|
||||||
|
|
||||||
To enable this configuration, use this Ansible variable:
|
|
||||||
|
|
||||||
.. code-block:: yaml
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
@ -1,10 +1,7 @@
|
|||||||
**Configuration required**
|
**Configuration required**
|
||||||
|
|
||||||
Ubuntu doesn't set a limitation on the age of passwords.
|
The STIG recommends setting a limit of 60 days before a password must
|
||||||
However, the STIG recommends setting a limit of 60 days before a password must
|
be changed. To enable this configuration, use this Ansible variable:
|
||||||
be changed.
|
|
||||||
|
|
||||||
To enable this configuration, use this Ansible variable:
|
|
||||||
|
|
||||||
.. code-block:: yaml
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
@ -1,18 +1,28 @@
|
|||||||
**Exception**
|
**Opt-in required**
|
||||||
|
|
||||||
Operating system patching policies vary from organization to organization and
|
Operating system patching policies vary from organization to organization and
|
||||||
are typically established based on business requirements and risk tolerance.
|
are typically established based on business requirements and risk tolerance.
|
||||||
|
|
||||||
If desired, automatic updates (using the ``unattended-upgrades`` package)
|
.. note::
|
||||||
can be enabled via openstack-ansible-security by setting the following
|
|
||||||
variable to ``true``:
|
Automatically upgrading packages can provide significant security benefits,
|
||||||
|
but they can reduce availability and reliability. Updating packages can
|
||||||
|
cause daemons to restart on some systems and they can cause local
|
||||||
|
customizations of configuration files to be lost.
|
||||||
|
|
||||||
|
Deployers are **strongly urged** to understand the nature of this change
|
||||||
|
and the associated risks prior to enabling automatic upgrades.
|
||||||
|
|
||||||
|
Deployers can enable automatic updates by setting
|
||||||
|
``security_unattended_upgrades`` to ``True`::
|
||||||
|
|
||||||
.. code-block:: yaml
|
.. code-block:: yaml
|
||||||
|
|
||||||
security_unattended_upgrades: true
|
security_unattended_upgrades: true
|
||||||
|
|
||||||
Note that this will only apply updates made available to the distro-security
|
In Ubuntu, the ``unattended-upgrades`` package is installed and enabled. This
|
||||||
(eg. trusty-security) repositories.
|
will apply updates that are made available to the trusty-security (Ubuntu
|
||||||
|
14.04) or xenial-security (Ubuntu 16.04) repositories.
|
||||||
|
|
||||||
**Deployers are urged to fully understand the impact of enabling automatic
|
In CentOS, the ``yum-cron`` package is installed and configured to
|
||||||
update before making the change.**
|
automatically apply updates.
|
||||||
|
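Review bot: the line "``security_unattended_upgrades`` to ``True`::" has broken markup: the inline literal closes with a single backtick instead of two, and the trailing ``::`` opens an RST literal block that is then followed by a ``.. code-block:: yaml`` directive rather than indented literal text, so Sphinx will warn and the directive may render as plain text. Use "to ``true``:" (matching the value in the YAML block) and drop the ``::``. Smaller point in the note: "they can reduce availability" refers back to the singular "Automatically upgrading packages", so "it can".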
@ -1,3 +1,3 @@
|
|||||||
The Ansible task for V-38462 already checks for apt configurations that would
|
The Ansible task for V-38462 already checks for configurations that would
|
||||||
disable any GPG checks when installing packages. However, it's possible for
|
disable any GPG checks when installing packages. However, it is possible for
|
||||||
the root user to override these configurations via command line parameters.
|
the root user to override these configurations via command line parameters.
|
||||||
|
@ -1,3 +1,3 @@
|
|||||||
Ubuntu 14.04 already enables the display of the last successful login for a
|
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 already enable the display of the last
|
||||||
user immediately after login. An Ansible task ensures this setting is
|
successful login for a user immediately after login. An Ansible task ensures
|
||||||
applied and restarts the ssh daemon if necessary.
|
this setting is applied and restarts the ssh daemon if necessary.
|
||||||
|
@ -1 +1,2 @@
|
|||||||
The ``aide`` package will be installed by Ansible tasks.
|
The security role installs and configures the ``aide`` package to provide file
|
||||||
|
integrity monitoring on the host.
|
||||||
|
@ -1,2 +1,10 @@
|
|||||||
The virtual consoles mentioned in V-38492 aren't used in Ubuntu 14.04 by
|
**Exception**
|
||||||
default.
|
|
||||||
|
Virtual consoles are helpful during an emergency and they can only be reached
|
||||||
|
by physical or other out-of-band access (such as DRAC, iLO, or iKVM). This
|
||||||
|
change can be confusing for system administrators and it is left up to the
|
||||||
|
deployer to complete.
|
||||||
|
|
||||||
|
As an alternative, deployers could take action to restrict physical access to
|
||||||
|
server terminals. Out-of-band access mechanisms should be segmented onto their
|
||||||
|
own restricted network and should use centralized authentication.
|
||||||
|
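Review bot: the new text refers to "This change" without ever saying what the change is; the removed sentence at least named the virtual consoles from V-38492, whereas the new version opens with why consoles are useful. Open with the requirement (that the STIG wants the virtual consoles disabled) and then explain that the role leaves it to the deployer, otherwise "it is left up to the deployer to complete" has no referent. The paragraph on restricting physical and out-of-band access is a good addition.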
@ -1,3 +1,3 @@
|
|||||||
Ubuntu 14.04 sets the mode of ``/var/log/audit/`` to ``0750`` by default. The
|
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the mode of ``/var/log/audit/`` to
|
||||||
Ansible task for this requirement ensures that the mode is ``0750`` (which
|
``0750`` by default. The Ansible task for this requirement ensures that the
|
||||||
is more strict than the STIG requirement).
|
mode is ``0750`` (which is more strict than the STIG requirement).
|
||||||
|
@ -1,2 +1,2 @@
|
|||||||
Ubuntu 14.04 sets the user and group ownership of ``/etc/passwd`` to root by
|
The user and group ownership of ``/etc/passwd`` is root by default. The Ansible
|
||||||
default. The Ansible task will ensure that the default is maintained.
|
task will ensure that the default is maintained.
|
||||||
|
@ -1,2 +1,2 @@
|
|||||||
Ubuntu 14.04 sets the user and group ownership of ``/etc/passwd`` to root by
|
The user and group ownership of ``/etc/passwd`` is root by default. The Ansible
|
||||||
default. The Ansible task will ensure that the default is maintained.
|
task will ensure that the default is maintained.
|
||||||
|
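Review bot: this hunk is word-for-word identical to the previous one, including the claim about both user and group ownership of ``/etc/passwd``. If these are two separate controls (one for the user owner, one for the group owner), each note should say which aspect its task checks; if the second file covers a different path, the copy-paste needs the right filename.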
@ -1,5 +1,8 @@
|
|||||||
Although Ubuntu 14.04's default for ``/etc/shadow`` is ``0640``, the STIG
|
Ubuntu 14.04 and Ubuntu 16.04 set the mode of ``/etc/shadow`` to ``0640``, but
|
||||||
requires a mode of ``0000``. This doesn't affect how the system operates since
|
CentOS 7 sets it to ``000``. The STIG requires the mode to be ``000`` and the
|
||||||
root is the only user that should be able to read from and write to
|
Ansible tasks in the security role ensure that the mode meets the requirement.
|
||||||
``/etc/shadow``. Allowing users to read the file could open up the system
|
|
||||||
to attacks since the password hashes can be dumped and brute forced.
|
**Special note for Ubuntu:** This change doesn't affect how the system operates
|
||||||
|
since root is the only user that should be able to read from and write to
|
||||||
|
``/etc/shadow``. Allowing users to read the file could open up the system to
|
||||||
|
attacks since the password hashes can be dumped and brute forced.
|
||||||
|
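Review bot: the octal modes are written inconsistently in the new text: ``0640`` with four digits but ``000`` with three for CentOS 7 and for the STIG requirement (the removed line had ``0000``). Pick one form, preferably the four-digit one used everywhere else in these notes. The "Special note for Ubuntu" is a good clarification; it could also say that Ubuntu is the only case where the role actually tightens the mode (from ``0640`` to the STIG value), since on CentOS 7 the default already matches.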
@ -1,6 +1,7 @@
|
|||||||
The Datagram Congestion Control Protocol (DCCP) must be disabled if it's not
|
The Datagram Congestion Control Protocol (DCCP) must be disabled if it's not
|
||||||
needed. Neither Ubuntu 14.04 or openstack-ansible utilizes this kernel
|
needed. Although this protocol is occasionally used in some OpenStack
|
||||||
module and the Ansible tasks will disable it by default.
|
environments for quality of service functions, it is not in the default
|
||||||
|
implementation.
|
||||||
|
|
||||||
To opt-out of this change, simply change the following variable to ``no``:
|
To opt-out of this change, simply change the following variable to ``no``:
|
||||||
|
|
||||||
|
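Review bot: "it is not in the default implementation" is vague: the default implementation of what? Suggest "it is not used by a default OpenStack-Ansible deployment" or whatever was intended, and keep an explicit statement that the tasks disable the module unless the variable is set to ``no``, which the removed text stated and the new text only implies through the opt-out line.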
@ -1,7 +1,5 @@
|
|||||||
The Stream Control Transmission Protocol (SCTP) must be disabled. This module
|
The Stream Control Transmission Protocol (SCTP) must be disabled. To opt-out of
|
||||||
isn't used by Ubuntu 14.04 or openstack-ansible by default.
|
this change, set the following variable to ``no``:
|
||||||
|
|
||||||
To opt-out of this change, set the following variable to ``no``:
|
|
||||||
|
|
||||||
.. code-block:: yaml
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
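Review bot: with the "isn't used by ... by default" sentence removed, the note now says SCTP "must be disabled" and nothing else; a deployer whose workload depends on SCTP gets no hint that the opt-out exists for exactly that case. One clause saying the module is unused in a default deployment, and that deployments which need it should set the variable to ``no``, would restore the context.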
@ -1,11 +1,8 @@
|
|||||||
The `Transparent Inter-Process Communication (TIPC)`_ protocol must be
|
The `Transparent Inter-Process Communication (TIPC)`_ protocol must be
|
||||||
disabled. Neither Ubuntu 14.04 or openstack-ansible enables this module by
|
disabled. To opt-out of this change, set the following variable to ``no``:
|
||||||
default, so the Ansible tasks in this role will disable the module.
|
|
||||||
|
|
||||||
.. _Transparent Inter-Process Communication (TIPC): https://en.wikipedia.org/wiki/TIPC
|
.. _Transparent Inter-Process Communication (TIPC): https://en.wikipedia.org/wiki/TIPC
|
||||||
|
|
||||||
To opt-out of this change, set the following variable to ``no``:
|
|
||||||
|
|
||||||
.. code-block:: yaml
|
.. code-block:: yaml
|
||||||
|
|
||||||
security_disable_module_tipc: no
|
security_disable_module_tipc: no
|
||||||
|
@ -3,3 +3,6 @@
|
|||||||
Different systems may have different log files populated depending on the type
|
Different systems may have different log files populated depending on the type
|
||||||
of data that ``rsyslogd`` receives. By default, log files are created with the
|
of data that ``rsyslogd`` receives. By default, log files are created with the
|
||||||
user and group ownership set to root.
|
user and group ownership set to root.
|
||||||
|
|
||||||
|
Deployers should review the files generated by the ``rsyslogd`` daemon to
|
||||||
|
verify that they have the most restrictive ownership and permissions.
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
The STIG requires SHA512 to be used for hashing password since it is
|
The STIG requires SHA512 to be used for hashing password since it is
|
||||||
in the list of FIPS 140-2 approved hashing algorithms. This is also the
|
in the list of FIPS 140-2 approved hashing algorithms. This is also the
|
||||||
default in Ubuntu 14.04.
|
default in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7.
|
||||||
|
|
||||||
The Ansible tasks will verify that the secure default is still set in the
|
The Ansible tasks will verify that the secure default is still set in the
|
||||||
system's PAM configuration. If it has been altered, the playbook will fail
|
system's PAM configuration. If it has been altered, the playbook will fail
|
||||||
|
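Review bot: the unchanged context line "The STIG requires SHA512 to be used for hashing password" should read "hashing passwords"; the same line is repeated in the next two files touched by this change, so it is worth fixing all three while they are being edited.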
@ -1,6 +1,6 @@
|
|||||||
The STIG requires SHA512 to be used for hashing password since it is
|
The STIG requires SHA512 to be used for hashing password since it is
|
||||||
in the list of FIPS 140-2 approved hashing algorithms. This is also the
|
in the list of FIPS 140-2 approved hashing algorithms. This is also the
|
||||||
default in Ubuntu 14.04.
|
default in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7.
|
||||||
|
|
||||||
The Ansible tasks will verify that the secure default is still set in
|
The Ansible tasks will verify that the secure default is still set in
|
||||||
``/etc/login.defs``. If it has been altered, the playbook will fail
|
``/etc/login.defs``. If it has been altered, the playbook will fail
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
The STIG requires SHA512 to be used for hashing password since it is
|
The STIG requires SHA512 to be used for hashing password since it is
|
||||||
in the list of FIPS 140-2 approved hashing algorithms. This is also the
|
in the list of FIPS 140-2 approved hashing algorithms. This is also the
|
||||||
default in Ubuntu 14.04.
|
default in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7.
|
||||||
|
|
||||||
The ``libuser`` package isn't installed by default in Ubuntu or via
|
The ``libuser`` package isn't installed by default in Ubuntu or via
|
||||||
openstack-ansible. The Ansible tasks will do the following:
|
openstack-ansible. The Ansible tasks will do the following:
|
||||||
|
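Review bot: the first paragraph now covers CentOS 7, but the ``libuser`` paragraph still only says the package isn't installed by default in Ubuntu or via openstack-ansible. ``libuser`` is a Red Hat-origin package, so CentOS 7 is the case that matters for this control, and the note should say whether it is present there and what the tasks do when it is.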
@ -1,2 +1,9 @@
|
|||||||
Ubuntu 14.04 sets the ownership on ``/boot/grub/grub.cfg`` to root by default.
|
Ubuntu 14.04 sets the ownership on ``/boot/grub/grub.cfg`` to root by default.
|
||||||
The Ansible task will ensure that the secure default is maintained.
|
The Ansible task will ensure that the secure default is maintained.
|
||||||
|
|
||||||
|
In Ubuntu 16.04 and CentOS 7, the bootloader configuration files in
|
||||||
|
``/boot/grub2`` are owned by the root user by default.
|
||||||
|
|
||||||
|
Deployers should monitor these files for changes in ownership, permissions and
|
||||||
|
contents. The ``aide`` daemon is installed by the security role to monitor
|
||||||
|
these files.
|
||||||
|
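Review bot: "The ``aide`` daemon" is inaccurate; AIDE is not a daemon but a scheduled integrity check, which the AIDE note at the end of this change correctly describes as a cron job. Suggest "AIDE, installed by the security role, can monitor these files", and note that this only holds if the boot files are within the paths AIDE is configured to check, which is worth confirming.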
@ -1 +1,9 @@
|
|||||||
The permissions on ``/boot/grub/grub.cfg`` will be set to ``0644``.
|
**Exception for grub2**
|
||||||
|
|
||||||
|
For Ubuntu 14.04, the permissions on ``/boot/grub/grub.cfg`` will be set to
|
||||||
|
``0644``.
|
||||||
|
|
||||||
|
Ubuntu 16.04 and CentOS 7 use grub2. The configuration files in ``/boot/grub2``
|
||||||
|
are regenerated when new kernels are installed or when the root user
|
||||||
|
regenerates the configuration file. File ownership and permissions are set
|
||||||
|
appropriately after each of these events.
|
||||||
|
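Review bot: the heading says "Exception for grub2" but the body never states that the role does not touch ``/boot/grub2``, and "File ownership and permissions are set appropriately after each of these events" does not tell the reader what mode the regenerated file ends up with or whether that meets the STIG. Suggest saying plainly that the role skips this control on grub2 systems and, if known, what mode the regeneration produces, so deployers can verify it themselves.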
@ -1,3 +1,3 @@
|
|||||||
The Ansible tasks will set ``kernel.randomize_va_space=2`` immediately and
|
The Ansible tasks will set ``kernel.randomize_va_space=2`` immediately and
|
||||||
will also ensure that the setting is applied on the next boot. This setting
|
will also ensure that the setting is applied on the next boot. This setting
|
||||||
is currently the default in Ubuntu 14.04.
|
is currently the default in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7.
|
||||||
|
@ -1,6 +1,5 @@
|
|||||||
Although Red Hat kernels provide ExecShield, Ubuntu provides Non-Executable
|
Non-Executable Memory (NX) is the successor to ExecShield, and it is enabled by
|
||||||
Memory (NX) support and it is enabled by default. There's not an option
|
default on Ubuntu 14.04, Ubuntu 16.04, and CentOS 7.
|
||||||
to enable or disable it.
|
|
||||||
|
|
||||||
For more information, refer to `Ubuntu's security feature documentation on
|
For more information, refer to `Ubuntu's security feature documentation on
|
||||||
NX`_.
|
NX`_.
|
||||||
|
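Review bot: "Non-Executable Memory (NX) is the successor to ExecShield" mischaracterizes both: NX is a CPU feature that the kernel uses on all three distributions, while ExecShield was a Red Hat kernel patch that provided a software form of non-executable memory protection and is not part of the CentOS 7 kernel. The removed wording (Red Hat provided ExecShield, Ubuntu provides NX) was closer to the truth; suggest "ExecShield is not present in the kernels shipped with Ubuntu 14.04, Ubuntu 16.04 or CentOS 7; all three enable NX protection by default." Dropping "There's not an option to enable or disable it" also loses a useful statement for the deployer.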
@ -1,5 +1,10 @@
|
|||||||
The ``nis`` package is Ubuntu's equivalent of Red Hat's ``ypserv`` package.
|
This packages is named differently depending on the Linux distribution:
|
||||||
The Ansible tasks will remove the ``nis`` package if it is installed. To
|
|
||||||
|
* Ubuntu 14.04: ``nis``
|
||||||
|
* Ubuntu 16.04: ``nis``
|
||||||
|
* CentOS 7: ``ypserv``
|
||||||
|
|
||||||
|
The Ansible tasks will remove the appropriate package if it is installed. To
|
||||||
opt-out of this change, adjust the following configuration variable to ``no``:
|
opt-out of this change, adjust the following configuration variable to ``no``:
|
||||||
|
|
||||||
.. code-block:: yaml
|
.. code-block:: yaml
|
||||||
|
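Review bot: typo in the first new line: "This packages is named differently" should be "This package is named differently". The per-distribution list is helpful; since Ubuntu 14.04 and 16.04 share the name they could be one item, but that is a style preference.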
@ -1,6 +1 @@
|
|||||||
**Exception**
|
The ``ypbind`` service is removed entirely as part of V-38603.
|
||||||
|
|
||||||
The ``ypbind`` service is removed as part of V-38603 where the ``nis`` package
|
|
||||||
is removed from the system entirely. Since neither Ubuntu nor
|
|
||||||
openstack-ansible install any NIS-related services, this configuration is
|
|
||||||
skipped.
|
|
||||||
|
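Review bot: "The ``ypbind`` service is removed entirely as part of V-38603" is only true where ``ypbind`` ships inside the package V-38603 removes; on CentOS 7 that package is ``ypserv`` (per the list added in the previous hunk) and ``ypbind`` is a separate package, so removing ``ypserv`` does not remove the ``ypbind`` service. Either have the V-38603 tasks remove ``ypbind`` as well on CentOS, or keep the "Exception" wording and state that the role does not act on ``ypbind``.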
@ -1,4 +1,4 @@
|
|||||||
The ``cron`` service is running by default in Ubuntu and is required for
|
The ``cron`` service is running by default in Ubuntu 14.04, Ubuntu 16.04, and
|
||||||
openstack-ansible's services to function properly. The Ansible tasks in
|
CentOS 7. It is required for various OpenStack services to function properly.
|
||||||
this role will ensure that ``cron`` is running and is configured to start
|
The Ansible tasks in this role will ensure that ``cron`` is running and is
|
||||||
at boot time.
|
configured to start at boot time.
|
||||||
|
@ -1,5 +1,13 @@
|
|||||||
The ``tftpd`` package in Ubuntu will be removed. To opt-out, adjust the
|
The package containing the tftp daemon has different names depending on the
|
||||||
following configuration variable to ``no``:
|
Linux distribution:
|
||||||
|
|
||||||
|
* Ubuntu 14.04: ``tftpd``
|
||||||
|
* Ubuntu 16.04: ``tftpd``
|
||||||
|
* CentOS 7: ``tftp-server``
|
||||||
|
|
||||||
|
The Ansible tasks will select the appropriate package for the Linux
|
||||||
|
distribution and remove the package. To opt-out, adjust the following
|
||||||
|
configuration variable to ``no``:
|
||||||
|
|
||||||
.. code-block:: yaml
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
@ -1,3 +1 @@
|
|||||||
The ``tftpd`` service is removed by V-38606 and it is not installed by
|
The package containing the ``tftpd`` service is removed by V-38606.
|
||||||
Ubuntu or openstack-ansible by default. For this reason, it's recommended
|
|
||||||
to remove the service by using the Ansible task from V-38606.
|
|
||||||
|
@ -1,3 +1,3 @@
|
|||||||
By default, Ubuntu configures the ssh daemon so that rsh's .rhosts files are
|
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 configure the ssh daemon so that rsh's
|
||||||
ignored. The Ansible tasks will ensure that this setting hasn't changed
|
.rhosts files are ignored by default. The Ansible tasks will ensure that this
|
||||||
from the default.
|
setting has not changed from the default.
|
||||||
|
@ -1 +1,2 @@
|
|||||||
The tasks in sshd.yml will ensure that SSH does not allow host based authentication.
|
The Ansible tasks in the security role ensure that the ssh daemon does not
|
||||||
|
allow host based authentication.
|
||||||
|
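Review bot: naming the sshd_config directive would let a deployer verify the setting: "does not allow host based authentication" corresponds to ``HostbasedAuthentication no``. Also "host based" is usually written "host-based".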
@ -1,6 +1,8 @@
|
|||||||
Ubuntu sets the mode on rsyslog files to ``0640`` by default, but the STIG
|
The mode on rsyslog files is set to ``0640`` by default in Ubuntu 14.04 and
|
||||||
requires ``0600`` or less. The Ansible tasks will adjust the rsyslog
|
Ubuntu 16.04 by default. CentOS 7 sets the mode to ``0600`` by default. The
|
||||||
configuration so that any new log files will have the mode set to ``0600``.
|
Ansible tasks will adjust the rsyslog configuration so that any new log files
|
||||||
|
will have the mode set to ``0600``.
|
||||||
|
|
||||||
This will take effect the next time that log files are rotated with
|
This will take effect the next time that log files are rotated with
|
||||||
``logrotate`` (configured in V-38624).
|
``logrotate`` (configured in V-38624). Deployers can also make this change
|
||||||
|
manually with ``chmod``.
|
||||||
|
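Review bot: duplicated phrase in the first new sentence: "is set to ``0640`` by default in Ubuntu 14.04 and Ubuntu 16.04 by default"; drop one "by default". The added "Deployers can also make this change manually with ``chmod``" should say that chmod only fixes files that already exist; the rsyslog configuration change described just before it is what governs the mode of files created afterwards.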
@ -1,8 +1,9 @@
|
|||||||
**Exception**
|
**Exception**
|
||||||
|
|
||||||
Neither Ubuntu 14.04 or openstack-ansible configures LDAP authentication by
|
Deployers that use LDAP authentication for systems are strongly urged to use
|
||||||
default. Deployers that use LDAP authentication for systems are strongly
|
TLS connectivity between client hosts and LDAP servers to prevent eavesdroppers
|
||||||
urged to use TLS connectivity between client hosts and LDAP servers to
|
on the network from reading the authentication attempts as they are made. The
|
||||||
prevent eavesdroppers on the network from reading the authentication attempts
|
certificates on the LDAP server must be trusted by each client.
|
||||||
as they are made. The certificates on the LDAP server must be trusted by
|
|
||||||
each client.
|
The tasks in the security role do not adjust the LDAP configuration since this
|
||||||
|
could disrupt future authentication attempts.
|
||||||
|
@ -1,6 +1,7 @@
|
|||||||
Ubuntu's default setting for ``security_max_log_file`` matches the STIG
|
The default setting for ``security_max_log_file`` in Ubuntu 14.04, Ubuntu
|
||||||
requirement of rotating logs when they reach 6MB. The Ansible task for this
|
16.04, and CentOS 7 matches the STIG requirement of rotating logs when they
|
||||||
STIG requirement ensures that the secure default is maintained.
|
reach 6MB. The Ansible task for this STIG requirement ensures that the secure
|
||||||
|
default is maintained.
|
||||||
|
|
||||||
Deployers who want to exceed the STIG guideline can increase the size of logs
|
Deployers who want to exceed the STIG guideline can increase the size of logs
|
||||||
by adjusting the following Ansible variable:
|
by adjusting the following Ansible variable:
|
||||||
|
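Review bot: "The default setting for ``security_max_log_file`` in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7" attributes a distribution default to an Ansible variable; the distributions ship a default for the auditd.conf key ``max_log_file``, and ``security_max_log_file`` is the role variable that overrides it. The disk_full_action and disk_error_action notes in this same change switched to the auditd.conf key for exactly this reason, so this note should follow suit and name the role variable in the "adjusting the following Ansible variable" sentence.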
@ -1,6 +1,6 @@
|
|||||||
Ubuntu's default action for ``security_max_log_file_action`` is to rotate the
|
The default action for ``security_max_log_file_action`` on Ubuntu 14.04, Ubuntu
|
||||||
logs. This meets the STIG requirements and the Ansible task will ensure that
|
16.04, and CentOS 7 is to rotate the logs. This meets the STIG requirements and
|
||||||
the secure default is maintained.
|
the Ansible task will ensure that the secure default is maintained.
|
||||||
|
|
||||||
Use caution when changing this option. Certain values, like ``SUSPEND`` will
|
Use caution when changing this option. Certain values, like ``SUSPEND`` will
|
||||||
cause the audit daemon to lock the machine when the maximum size for a log
|
cause the audit daemon to lock the machine when the maximum size for a log
|
||||||
|
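Review bot: same issue as max_log_file: "The default action for ``security_max_log_file_action`` on Ubuntu ... and CentOS 7" describes the auditd.conf key ``max_log_file_action``, not the role variable. The unchanged context line also warns that ``SUSPEND`` will "lock the machine", but per auditd.conf(5) suspend only stops the daemon writing records to disk; it is ``SINGLE`` and ``HALT`` that take the host out of service, so the warning is aimed at the wrong value (and "like ``SUSPEND`` will" needs a comma after ``SUSPEND``).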
@ -1,6 +1,8 @@
|
|||||||
The auditd package is verified with ``debsums`` and the playbook will fail
|
The auditd package is verified with ``debsums`` in Ubuntu and with ``rpm`` in
|
||||||
immediately if any of the files from the auditd package have been altered.
|
CentOS. The playbook will fail immediately if any of the files from the auditd
|
||||||
This could be the sign of a system compromise.
|
package have been altered. This could be the sign of a system compromise.
|
||||||
|
|
||||||
If the ``debsums`` package isn't installed, the Ansible task will install it
|
.. note::
|
||||||
during the playbook run.
|
|
||||||
|
If the ``debsums`` package isn't installed on Ubuntu, the Ansible task will
|
||||||
|
install it during the playbook run.
|
||||||
|
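Review bot: the two verifications named are not equivalent and the note should say so: ``rpm -V`` compares mode, owner, group and digest, while ``debsums`` compares only file checksums, so an ownership or mode change to an auditd file on Ubuntu would not be caught by this task. That is consistent with the V-38453 exception added earlier in this change, and a cross-reference to it would help.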
@ -1,5 +1,7 @@
|
|||||||
**Exception**
|
**Exception**
|
||||||
|
|
||||||
Although neither Ubuntu 14.04 or openstack-ansible mount remote filesystems
|
Deployers are urged to use the ``nodev`` option on any remotely mounted
|
||||||
by default, deployers are urged to use the ``nodev`` option on any remotely
|
filesystems whenever possible.
|
||||||
mounted filesystems whenever possible.
|
|
||||||
|
The security role does not take action on filesystem mounts since this could
|
||||||
|
affect the stability or availability of the host.
|
||||||
|
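Review bot: the new second paragraph says the role does not take action on filesystem mounts, but it does not say whether the role at least inspects the mounts and reports remotely mounted filesystems that lack ``nodev``; the SNMP note later in this patch shows an inspect-and-fail pattern that changes nothing on the host, so either state that no check is made at all or add a report-only task and document it here. "whenever possible" is also vague: say what would make the option unusable (a remote filesystem that must carry device nodes) so deployers can decide.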
@ -1,6 +1,7 @@
|
|||||||
**Exception**
|
**Exception**
|
||||||
|
|
||||||
Although neither Ubuntu 14.04 or openstack-ansible mount remote filesystems
|
Deployers are urged to use the ``nosuid`` option on any remotely mounted
|
||||||
by default, deployers are urged to use the ``nosuid`` option on any remotely
|
filesystems whenever possible.
|
||||||
mounted filesystems whenever possible.
|
|
||||||
|
|
||||||
|
The security role does not take action on filesystem mounts since this could
|
||||||
|
affect the stability or availability of the host.
|
||||||
|
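Review bot: this hunk repeats the ``nodev`` note verbatim apart from the option name; if both controls keep separate pages, the ``nosuid`` note should say what the option prevents (setuid bits on files of a remote mount taking effect on the local host) so the two pages are not interchangeable. The same question as for ``nodev`` applies: state whether the role checks the mount options even though it does not change them.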
@ -1,8 +1,6 @@
|
|||||||
Although neither Ubuntu 14.04 or openstack-ansible install or configure the
|
The Ansible tasks will check to see if the SNMP configuration file is present.
|
||||||
SNMP daemon by default, the Ansible tasks will check to see if the SNMP
|
If the file is present, and the file contains configurations for insecure SNMP
|
||||||
configuration file is present. If the file is present, and the file contains
|
protocols, an error will be printed and the playbook will fail.
|
||||||
configurations for insecure SNMP protocols, an error will be
|
|
||||||
printed and the playbook will fail.
|
|
||||||
|
|
||||||
The task specifically looks for uncommented configuration lines containing:
|
The task specifically looks for uncommented configuration lines containing:
|
||||||
|
|
||||||
|
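Review bot: both the old and the new first sentence refer to "the SNMP configuration file" without a path, while other notes in this patch name files such as ``/etc/audit/auditd.conf``; name the path so readers can confirm the task inspects the right file. "insecure SNMP protocols" should also say which protocol versions are meant in the sentence itself, not only in the list that follows, and the description "uncommented configuration lines containing" a string should say whether a match inside a trailing comment on an otherwise valid line also fails the playbook, if that is how the task behaves.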
@ -1,5 +1,5 @@
|
|||||||
The AIDE package is already installed as part of the Ansible tasks to fix
|
The AIDE package is already installed as part of the Ansible tasks to fix
|
||||||
V-38429, but these Ansible tasks will verify that the cron job file is actually
|
V-38429, but these Ansible tasks will verify that the cron job file is actually
|
||||||
in place. Ubuntu will configure the cron job automatically as soon as the
|
in place. The cron job is installed as part of the aide package installation.
|
||||||
package is installed. If the cron job is missing, an error will be printed
|
If the cron job is missing, an error will be printed and the playbook will
|
||||||
and the playbook will fail.
|
fail.
|
||||||
|
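Review bot: "The cron job is installed as part of the aide package installation" generalises a statement that was previously specific to Ubuntu to every supported platform, yet nothing in the hunk confirms that the CentOS 7 aide package creates a cron job. If it does not, the task that fails the playbook when the cron job is missing will always fail on CentOS 7; either verify and document the behaviour per distribution, or have the role create the cron job and say so here.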
@ -1,7 +1,4 @@
|
|||||||
Although neither Ubuntu nor openstack-ansible install or configure sendmail
|
The security role will remove the sendmail package if it exists on the system.
|
||||||
by default, the Ansible task will remove the sendmail package if it exists on
|
|
||||||
the system.
|
|
||||||
|
|
||||||
To opt-out of this change, adjust the following Ansible variable to ``no``:
|
To opt-out of this change, adjust the following Ansible variable to ``no``:
|
||||||
|
|
||||||
.. code-block:: yaml
|
.. code-block:: yaml
|
||||||
|
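Review bot: "opt-out" in the unchanged line is the noun form; as a verb it should be "opt out". The new first line also switches the subject from "the Ansible task", used by the surrounding notes, to "the security role"; use one term. It would help to state what happens when sendmail is present as a dependency of another installed package, since a removal that fails the playbook is a different outcome from one that silently pulls other packages with it.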
@ -1,4 +1,10 @@
|
|||||||
Ubuntu sets the default runlevel in ``/etc/init/rc-sysinit.conf`` and it should
|
Ubuntu 14.04 sets the default runlevel in ``/etc/init/rc-sysinit.conf`` and it
|
||||||
be set to ``2`` on Ubuntu systems. The Ansible task will verify that the
|
should be set to ``2`` on Ubuntu systems. The Ansible task will verify that the
|
||||||
correct runlevel is set. If the verification fails, an error will be printed
|
correct runlevel is set.
|
||||||
and the playbook will fail.
|
|
||||||
|
For operating systems that use systemd, such as Ubuntu 16.04 and CentOS 7, the
|
||||||
|
Ansible tasks will verify that the ``graphical.target`` is not loaded by
|
||||||
|
default.
|
||||||
|
|
||||||
|
If any of these verifications fails, an error will be printed and the playbook
|
||||||
|
will fail.
|
||||||
|
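Review bot: "the ``graphical.target`` is not loaded by default" is imprecise for systemd, where the relevant property is the default target (what ``systemctl get-default`` reports); a host can have ``graphical.target`` loaded without it being the default. Suggest "is not the default target". Minor: "If any of these verifications fails" reads better as "If any of these verifications fail".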
@ -3,6 +3,6 @@ will trigger the ``security_space_left_action``. The threshold of remaining
|
|||||||
disk space is configured by ``security_space_left`` in
|
disk space is configured by ``security_space_left`` in
|
||||||
``/etc/audit/auditd.conf``.
|
``/etc/audit/auditd.conf``.
|
||||||
|
|
||||||
By default, Ubuntu sets this value to 75 megabytes. The STIG doesn't set a
|
By default, Ubuntu 14.04, Ubuntu 16.04 and CentOS 7 set this value to 75
|
||||||
specific requirement for the exact size, so the Ansible task will ensure that
|
megabytes. The STIG doesn't set a specific requirement for the exact size, so
|
||||||
the Ubuntu default of 75 megabytes is set.
|
the Ansible task will ensure that the default of 75 megabytes is set.
|
||||||
|
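Review bot: the new lines present 75 megabytes as a default shared by all three platforms and say the task ensures that value is set, but not that it is an absolute size independent of the audit partition; a deployer with a large or fast-filling audit volume should be told they can raise ``security_space_left`` (named in the context above) and that the role otherwise resets the value to 75 megabytes on every run.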
@ -1,6 +1,5 @@
|
|||||||
Although neither Ubuntu 14.04 or openstack-ansible installs the ``bluetooth``
|
The Ansible tasks will disable the ``bluetooth`` service and stop it if it is
|
||||||
package, the Ansible tasks will disable the service and stop it if it's found
|
running on the system.
|
||||||
to be running on the system.
|
|
||||||
|
|
||||||
To opt-out of this change, adjust the following Ansible variable to ``no``:
|
To opt-out of this change, adjust the following Ansible variable to ``no``:
|
||||||
|
|
||||||
|
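Review bot: the rewritten first sentence drops the old statement that the ``bluetooth`` package is not installed by default, and with it the reader no longer knows what the tasks do when the service unit does not exist; document that the disable and stop tasks succeed (or are skipped) on a host without the service rather than failing the playbook, since that is the common case on servers.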
@ -1,10 +1,14 @@
|
|||||||
Ubuntu loads the AppArmor module by default starting with version 8.04. For
|
Ubuntu loads the AppArmor module by default starting with version 8.04. For
|
||||||
more information, review the `AppArmor documentation`_ on Ubuntu's site.
|
more information, review the `AppArmor documentation`_ on Ubuntu's site.
|
||||||
In addition, the openstack-ansible project configures AppArmor policies
|
In addition, the OpenStack-Ansible project configures AppArmor policies
|
||||||
for the LXC containers which run the OpenStack infrastructure.
|
for the LXC containers which run the OpenStack infrastructure.
|
||||||
|
|
||||||
The tasks for this STIG will verify that AppArmor is enabled via the
|
The tasks for this STIG will verify that AppArmor is enabled via the
|
||||||
``apparmor_status``. The playbook will fail if AppArmor is found to be
|
``apparmor_status``. The playbook will fail if AppArmor is found to be
|
||||||
disabled on the host.
|
disabled on the host.
|
||||||
|
|
||||||
|
On CentOS 7, the security role will verify that SELinux is in *Enforcing* mode.
|
||||||
|
If SELinux is in *Disabled* or *Permissive* mode, the playbook will fail with
|
||||||
|
an error message.
|
||||||
|
|
||||||
.. _AppArmor documentation: https://help.ubuntu.com/community/AppArmor
|
.. _AppArmor documentation: https://help.ubuntu.com/community/AppArmor
|
||||||
|
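Review bot: "verify that AppArmor is enabled via the ``apparmor_status``" is missing a noun ("the ``apparmor_status`` command"), and the unchanged line "The playbook will fail if AppArmor is found to be disabled on the host" now reads as if it applies to every platform while the new paragraph adds a separate SELinux check for CentOS 7. State that the AppArmor check runs only on Ubuntu and the SELinux check only on CentOS 7, otherwise a CentOS reader expects a failure for the absent AppArmor.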
@ -1,4 +1,7 @@
|
|||||||
The openstack-ansible project configures AppArmor to limit the actions of
|
For Ubuntu, the standard AppArmor policies provided by the AppArmor package are
|
||||||
containers and reduce the changes (and potential damages) of a container
|
loaded. The OpenStack-Ansible project also configures AppArmor to limit the
|
||||||
breakout. The RHEL 6 STIG mentions SELinux but the existing SELinux policies
|
actions of containers and reduce the changes (and potential damages) of a
|
||||||
provided with Ubuntu aren't as well maintained as those provided with RHEL.
|
container breakout.
|
||||||
|
|
||||||
|
On CentOS 7, the ``selinux-policy-targeted`` package provides SELinux policies
|
||||||
|
that enforce limits on system services and users.
|
||||||
|
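Review bot: the context "reduce the changes (and potential damages) of a container breakout" should read "reduce the chances (and potential damage) of a container breakout"; since the commit rewrites the surrounding lines anyway, fix the typo here. The new CentOS 7 lines say ``selinux-policy-targeted`` provides the policies but not whether the role installs that package or only expects it to be present; the Ubuntu paragraph says the policies "are loaded", so state the equivalent for CentOS.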
@ -3,11 +3,14 @@
|
|||||||
The STIG requires that the audit system must switch the entire system into
|
The STIG requires that the audit system must switch the entire system into
|
||||||
single-user mode when the space for logging becomes dangerously low.
|
single-user mode when the space for logging becomes dangerously low.
|
||||||
|
|
||||||
**This will cause serious service disruptions for any environment and should
|
.. note::
|
||||||
only be enabled for extremely high security environments.**
|
|
||||||
|
|
||||||
Ubuntu sets ``security_admin_space_left_action`` to ``SUSPEND`` by default, and
|
**This will cause serious service disruptions for any environment and
|
||||||
this will cause logging to be temporarily suspended until disk space is freed.
|
should only be enabled for extremely high security environments.**
|
||||||
|
|
||||||
|
The ``security_admin_space_left_action`` configuration is set to ``SUSPEND`` by
|
||||||
|
default, and this will cause logging to be temporarily suspended until disk
|
||||||
|
space is freed.
|
||||||
|
|
||||||
For extremely high security environments, this Ansible variable can be
|
For extremely high security environments, this Ansible variable can be
|
||||||
provided to meet the requirements of the STIG:
|
provided to meet the requirements of the STIG:
|
||||||
|
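Review bot: the new sentence "The ``security_admin_space_left_action`` configuration is set to ``SUSPEND`` by default" no longer says on which platforms; the other hunks in this commit spell out "Ubuntu 14.04, Ubuntu 16.04 and CentOS 7", so do the same here. The note should also spell out the consequence of ``SUSPEND`` that motivates the STIG requirement: while logging is suspended, events are not recorded, so a low-disk condition becomes a gap in the audit trail rather than a service outage.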