From bfcf6c742341738ef9cf13d75727e86872100919 Mon Sep 17 00:00:00 2001 
From: Major Hayden Date: Mon, 5 Oct 2015 15:36:08 -0500 Subject: [PATCH] Initial import of openstack-ansible-security role This role contains around 150 controls from the 270+ controls that exist in the RHEL 6 STIG. New controls are still being added. Implements: blueprint security-hardening Change-Id: I0578f86bf42d55242bc72b97b40a5935a3cb18d6 --- .gitignore | 60 + LICENSE | 202 ++ README.rst | 30 + dev-requirements.txt | 3 + doc/Makefile | 195 ++ doc/source/_static/.gitkeep | 0 doc/source/_themes/openstack/layout.html | 109 + doc/source/_themes/openstack/static/basic.css | 419 ++++ .../_themes/openstack/static/default.css | 230 ++ .../_themes/openstack/static/header-line.gif | Bin 0 -> 48 bytes .../_themes/openstack/static/header_bg.jpg | Bin 0 -> 3738 bytes .../_themes/openstack/static/nature.css | 245 ++ .../openstack/static/openstack_logo.png | Bin 0 -> 3670 bytes .../_themes/openstack/static/tweaks.css | 128 + doc/source/_themes/openstack/theme.conf | 7 + doc/source/conf.py | 287 +++ doc/source/configurations-cat1.rst | 1543 ++++++++++++ doc/source/configurations-cat2.rst | 2194 +++++++++++++++++ doc/source/configurations-cat3.rst | 267 ++ doc/source/configurations.rst | 12 + doc/source/developer-notes/V-38437.rst | 6 + doc/source/developer-notes/V-38438.rst | 8 + doc/source/developer-notes/V-38439.rst | 5 + doc/source/developer-notes/V-38443.rst | 4 + doc/source/developer-notes/V-38444.rst | 4 + doc/source/developer-notes/V-38445.rst | 3 + doc/source/developer-notes/V-38446.rst | 4 + doc/source/developer-notes/V-38447.rst | 11 + doc/source/developer-notes/V-38448.rst | 2 + doc/source/developer-notes/V-38449.rst | 2 + doc/source/developer-notes/V-38450.rst | 1 + doc/source/developer-notes/V-38451.rst | 1 + doc/source/developer-notes/V-38452.rst | 5 + doc/source/developer-notes/V-38453.rst | 5 + doc/source/developer-notes/V-38454.rst | 6 + doc/source/developer-notes/V-38455.rst | 8 + doc/source/developer-notes/V-38456.rst | 9 + 
doc/source/developer-notes/V-38457.rst | 1 + doc/source/developer-notes/V-38459.rst | 1 + doc/source/developer-notes/V-38460.rst | 4 + doc/source/developer-notes/V-38461.rst | 2 + doc/source/developer-notes/V-38462.rst | 9 + doc/source/developer-notes/V-38463.rst | 8 + doc/source/developer-notes/V-38464.rst | 16 + doc/source/developer-notes/V-38465.rst | 5 + doc/source/developer-notes/V-38466.rst | 5 + doc/source/developer-notes/V-38467.rst | 4 + doc/source/developer-notes/V-38468.rst | 19 + doc/source/developer-notes/V-38469.rst | 5 + doc/source/developer-notes/V-38470.rst | 18 + doc/source/developer-notes/V-38471.rst | 4 + doc/source/developer-notes/V-38472.rst | 5 + doc/source/developer-notes/V-38473.rst | 4 + doc/source/developer-notes/V-38474.rst | 4 + doc/source/developer-notes/V-38475.rst | 12 + doc/source/developer-notes/V-38476.rst | 21 + doc/source/developer-notes/V-38477.rst | 10 + doc/source/developer-notes/V-38478.rst | 4 + doc/source/developer-notes/V-38479.rst | 12 + doc/source/developer-notes/V-38480.rst | 10 + doc/source/developer-notes/V-38481.rst | 10 + doc/source/developer-notes/V-38482.rst | 10 + doc/source/developer-notes/V-38483.rst | 3 + doc/source/developer-notes/V-38484.rst | 3 + doc/source/developer-notes/V-38486.rst | 5 + doc/source/developer-notes/V-38487.rst | 3 + doc/source/developer-notes/V-38488.rst | 5 + doc/source/developer-notes/V-38489.rst | 1 + doc/source/developer-notes/V-38490.rst | 9 + doc/source/developer-notes/V-38491.rst | 4 + doc/source/developer-notes/V-38492.rst | 2 + doc/source/developer-notes/V-38493.rst | 3 + doc/source/developer-notes/V-38494.rst | 7 + doc/source/developer-notes/V-38495.rst | 2 + doc/source/developer-notes/V-38497.rst | 5 + doc/source/developer-notes/V-38499.rst | 2 + doc/source/developer-notes/V-38522.rst | 1 + doc/source/developer-notes/V-38525.rst | 1 + doc/source/developer-notes/V-38527.rst | 2 + doc/source/developer-notes/V-38530.rst | 2 + doc/source/developer-notes/V-38531.rst | 3 + 
doc/source/developer-notes/V-38534.rst | 3 + doc/source/developer-notes/V-38536.rst | 3 + doc/source/developer-notes/V-38538.rst | 3 + doc/source/developer-notes/V-38540.rst | 3 + doc/source/developer-notes/V-38541.rst | 5 + doc/source/developer-notes/V-38547.rst | 2 + doc/source/developer-notes/V-38550.rst | 2 + doc/source/developer-notes/V-38551.rst | 18 + doc/source/developer-notes/V-38552.rst | 2 + doc/source/developer-notes/V-38556.rst | 2 + doc/source/developer-notes/V-38557.rst | 2 + doc/source/developer-notes/V-38558.rst | 2 + doc/source/developer-notes/V-38559.rst | 2 + doc/source/developer-notes/V-38561.rst | 3 + doc/source/developer-notes/V-38563.rst | 3 + doc/source/developer-notes/V-38565.rst | 4 + doc/source/developer-notes/V-38566.rst | 1 + doc/source/developer-notes/V-38567.rst | 6 + doc/source/developer-notes/V-38568.rst | 1 + doc/source/developer-notes/V-38575.rst | 1 + doc/source/developer-notes/V-38578.rst | 1 + doc/source/developer-notes/V-38581.rst | 1 + doc/source/developer-notes/V-38582.rst | 9 + doc/source/developer-notes/V-38583.rst | 1 + doc/source/developer-notes/V-38584.rst | 7 + doc/source/developer-notes/V-38585.rst | 6 + doc/source/developer-notes/V-38586.rst | 7 + doc/source/developer-notes/V-38587.rst | 3 + doc/source/developer-notes/V-38588.rst | 5 + doc/source/developer-notes/V-38590.rst | 8 + doc/source/developer-notes/V-38591.rst | 2 + doc/source/developer-notes/V-38592.rst | 9 + doc/source/developer-notes/V-38593.rst | 2 + doc/source/developer-notes/V-38595.rst | 4 + doc/source/developer-notes/V-38596.rst | 3 + doc/source/developer-notes/V-38597.rst | 8 + doc/source/developer-notes/V-38599.rst | 3 + doc/source/developer-notes/V-38600.rst | 4 + doc/source/developer-notes/V-38601.rst | 1 + doc/source/developer-notes/V-38603.rst | 7 + doc/source/developer-notes/V-38604.rst | 6 + doc/source/developer-notes/V-38605.rst | 4 + doc/source/developer-notes/V-38606.rst | 6 + doc/source/developer-notes/V-38607.rst | 1 + 
doc/source/developer-notes/V-38608.rst | 9 + doc/source/developer-notes/V-38609.rst | 3 + doc/source/developer-notes/V-38610.rst | 8 + doc/source/developer-notes/V-38611.rst | 3 + doc/source/developer-notes/V-38612.rst | 1 + doc/source/developer-notes/V-38613.rst | 15 + doc/source/developer-notes/V-38614.rst | 1 + doc/source/developer-notes/V-38615.rst | 3 + doc/source/developer-notes/V-38616.rst | 2 + doc/source/developer-notes/V-38617.rst | 2 + doc/source/developer-notes/V-38618.rst | 1 + doc/source/developer-notes/V-38619.rst | 2 + doc/source/developer-notes/V-38620.rst | 20 + doc/source/developer-notes/V-38628.rst | 1 + doc/source/developer-notes/V-38631.rst | 1 + doc/source/developer-notes/V-38632.rst | 3 + doc/source/developer-notes/V-38635.rst | 3 + doc/source/developer-notes/V-38640.rst | 1 + doc/source/developer-notes/V-38641.rst | 1 + doc/source/developer-notes/V-38645.rst | 4 + doc/source/developer-notes/V-38650.rst | 3 + doc/source/developer-notes/V-38653.rst | 5 + doc/source/developer-notes/V-38666.rst | 10 + doc/source/developer-notes/V-38668.rst | 3 + doc/source/developer-notes/V-38669.rst | 4 + doc/source/developer-notes/V-38673.rst | 8 + doc/source/developer-notes/V-38677.rst | 1 + doc/source/developer-notes/V-38701.rst | 4 + doc/source/developer-notes/V-51363.rst | 4 + doc/source/developer-notes/V-51369.rst | 6 + doc/source/getting-started.rst | 8 + doc/source/index.rst | 47 + doc/source/writing-docs.rst | 12 + openstack-ansible-security/README.md | 39 + openstack-ansible-security/defaults/main.yml | 157 ++ .../files/login_banner.txt | 6 + openstack-ansible-security/handlers/main.yml | 42 + openstack-ansible-security/meta/main.yml | 16 + openstack-ansible-security/tasks/apt.yml | 60 + openstack-ansible-security/tasks/auditd.yml | 116 + openstack-ansible-security/tasks/auth.yml | 211 ++ openstack-ansible-security/tasks/boot.yml | 32 + openstack-ansible-security/tasks/console.yml | 34 + .../tasks/file_perms.yml | 70 + 
openstack-ansible-security/tasks/kernel.yml | 59 + openstack-ansible-security/tasks/mail.yml | 48 + openstack-ansible-security/tasks/main.yml | 27 + openstack-ansible-security/tasks/misc.yml | 53 + openstack-ansible-security/tasks/nfsd.yml | 66 + openstack-ansible-security/tasks/services.yml | 120 + openstack-ansible-security/tasks/sshd.yml | 160 ++ .../templates/chrony.conf.j2 | 93 + .../templates/osas-auditd.j2 | 215 ++ openstack-ansible-security/vars/main.yml | 2 + setup.cfg | 24 + setup.py | 22 + tox.ini | 41 + 182 files changed, 8369 insertions(+) create mode 100644 .gitignore create mode 100644 LICENSE create mode 100644 README.rst create mode 100644 dev-requirements.txt create mode 100644 doc/Makefile create mode 100644 doc/source/_static/.gitkeep create mode 100644 doc/source/_themes/openstack/layout.html create mode 100644 doc/source/_themes/openstack/static/basic.css create mode 100644 doc/source/_themes/openstack/static/default.css create mode 100644 doc/source/_themes/openstack/static/header-line.gif create mode 100644 doc/source/_themes/openstack/static/header_bg.jpg create mode 100644 doc/source/_themes/openstack/static/nature.css create mode 100644 doc/source/_themes/openstack/static/openstack_logo.png create mode 100644 doc/source/_themes/openstack/static/tweaks.css create mode 100644 doc/source/_themes/openstack/theme.conf create mode 100644 doc/source/conf.py create mode 100644 doc/source/configurations-cat1.rst create mode 100644 doc/source/configurations-cat2.rst create mode 100644 doc/source/configurations-cat3.rst create mode 100644 doc/source/configurations.rst create mode 100644 doc/source/developer-notes/V-38437.rst create mode 100644 doc/source/developer-notes/V-38438.rst create mode 100644 doc/source/developer-notes/V-38439.rst create mode 100644 doc/source/developer-notes/V-38443.rst create mode 100644 doc/source/developer-notes/V-38444.rst create mode 100644 doc/source/developer-notes/V-38445.rst create mode 100644 
doc/source/developer-notes/V-38446.rst create mode 100644 doc/source/developer-notes/V-38447.rst create mode 100644 doc/source/developer-notes/V-38448.rst create mode 100644 doc/source/developer-notes/V-38449.rst create mode 100644 doc/source/developer-notes/V-38450.rst create mode 100644 doc/source/developer-notes/V-38451.rst create mode 100644 doc/source/developer-notes/V-38452.rst create mode 100644 doc/source/developer-notes/V-38453.rst create mode 100644 doc/source/developer-notes/V-38454.rst create mode 100644 doc/source/developer-notes/V-38455.rst create mode 100644 doc/source/developer-notes/V-38456.rst create mode 100644 doc/source/developer-notes/V-38457.rst create mode 100644 doc/source/developer-notes/V-38459.rst create mode 100644 doc/source/developer-notes/V-38460.rst create mode 100644 doc/source/developer-notes/V-38461.rst create mode 100644 doc/source/developer-notes/V-38462.rst create mode 100644 doc/source/developer-notes/V-38463.rst create mode 100644 doc/source/developer-notes/V-38464.rst create mode 100644 doc/source/developer-notes/V-38465.rst create mode 100644 doc/source/developer-notes/V-38466.rst create mode 100644 doc/source/developer-notes/V-38467.rst create mode 100644 doc/source/developer-notes/V-38468.rst create mode 100644 doc/source/developer-notes/V-38469.rst create mode 100644 doc/source/developer-notes/V-38470.rst create mode 100644 doc/source/developer-notes/V-38471.rst create mode 100644 doc/source/developer-notes/V-38472.rst create mode 100644 doc/source/developer-notes/V-38473.rst create mode 100644 doc/source/developer-notes/V-38474.rst create mode 100644 doc/source/developer-notes/V-38475.rst create mode 100644 doc/source/developer-notes/V-38476.rst create mode 100644 doc/source/developer-notes/V-38477.rst create mode 100644 doc/source/developer-notes/V-38478.rst create mode 100644 doc/source/developer-notes/V-38479.rst create mode 100644 doc/source/developer-notes/V-38480.rst create mode 100644 
doc/source/developer-notes/V-38481.rst create mode 100644 doc/source/developer-notes/V-38482.rst create mode 100644 doc/source/developer-notes/V-38483.rst create mode 100644 doc/source/developer-notes/V-38484.rst create mode 100644 doc/source/developer-notes/V-38486.rst create mode 100644 doc/source/developer-notes/V-38487.rst create mode 100644 doc/source/developer-notes/V-38488.rst create mode 100644 doc/source/developer-notes/V-38489.rst create mode 100644 doc/source/developer-notes/V-38490.rst create mode 100644 doc/source/developer-notes/V-38491.rst create mode 100644 doc/source/developer-notes/V-38492.rst create mode 100644 doc/source/developer-notes/V-38493.rst create mode 100644 doc/source/developer-notes/V-38494.rst create mode 100644 doc/source/developer-notes/V-38495.rst create mode 100644 doc/source/developer-notes/V-38497.rst create mode 100644 doc/source/developer-notes/V-38499.rst create mode 100644 doc/source/developer-notes/V-38522.rst create mode 100644 doc/source/developer-notes/V-38525.rst create mode 100644 doc/source/developer-notes/V-38527.rst create mode 100644 doc/source/developer-notes/V-38530.rst create mode 100644 doc/source/developer-notes/V-38531.rst create mode 100644 doc/source/developer-notes/V-38534.rst create mode 100644 doc/source/developer-notes/V-38536.rst create mode 100644 doc/source/developer-notes/V-38538.rst create mode 100644 doc/source/developer-notes/V-38540.rst create mode 100644 doc/source/developer-notes/V-38541.rst create mode 100644 doc/source/developer-notes/V-38547.rst create mode 100644 doc/source/developer-notes/V-38550.rst create mode 100644 doc/source/developer-notes/V-38551.rst create mode 100644 doc/source/developer-notes/V-38552.rst create mode 100644 doc/source/developer-notes/V-38556.rst create mode 100644 doc/source/developer-notes/V-38557.rst create mode 100644 doc/source/developer-notes/V-38558.rst create mode 100644 doc/source/developer-notes/V-38559.rst create mode 100644 
doc/source/developer-notes/V-38561.rst create mode 100644 doc/source/developer-notes/V-38563.rst create mode 100644 doc/source/developer-notes/V-38565.rst create mode 100644 doc/source/developer-notes/V-38566.rst create mode 100644 doc/source/developer-notes/V-38567.rst create mode 100644 doc/source/developer-notes/V-38568.rst create mode 100644 doc/source/developer-notes/V-38575.rst create mode 100644 doc/source/developer-notes/V-38578.rst create mode 100644 doc/source/developer-notes/V-38581.rst create mode 100644 doc/source/developer-notes/V-38582.rst create mode 100644 doc/source/developer-notes/V-38583.rst create mode 100644 doc/source/developer-notes/V-38584.rst create mode 100644 doc/source/developer-notes/V-38585.rst create mode 100644 doc/source/developer-notes/V-38586.rst create mode 100644 doc/source/developer-notes/V-38587.rst create mode 100644 doc/source/developer-notes/V-38588.rst create mode 100644 doc/source/developer-notes/V-38590.rst create mode 100644 doc/source/developer-notes/V-38591.rst create mode 100644 doc/source/developer-notes/V-38592.rst create mode 100644 doc/source/developer-notes/V-38593.rst create mode 100644 doc/source/developer-notes/V-38595.rst create mode 100644 doc/source/developer-notes/V-38596.rst create mode 100644 doc/source/developer-notes/V-38597.rst create mode 100644 doc/source/developer-notes/V-38599.rst create mode 100644 doc/source/developer-notes/V-38600.rst create mode 100644 doc/source/developer-notes/V-38601.rst create mode 100644 doc/source/developer-notes/V-38603.rst create mode 100644 doc/source/developer-notes/V-38604.rst create mode 100644 doc/source/developer-notes/V-38605.rst create mode 100644 doc/source/developer-notes/V-38606.rst create mode 100644 doc/source/developer-notes/V-38607.rst create mode 100644 doc/source/developer-notes/V-38608.rst create mode 100644 doc/source/developer-notes/V-38609.rst create mode 100644 doc/source/developer-notes/V-38610.rst create mode 100644 
doc/source/developer-notes/V-38611.rst create mode 100644 doc/source/developer-notes/V-38612.rst create mode 100644 doc/source/developer-notes/V-38613.rst create mode 100644 doc/source/developer-notes/V-38614.rst create mode 100644 doc/source/developer-notes/V-38615.rst create mode 100644 doc/source/developer-notes/V-38616.rst create mode 100644 doc/source/developer-notes/V-38617.rst create mode 100644 doc/source/developer-notes/V-38618.rst create mode 100644 doc/source/developer-notes/V-38619.rst create mode 100644 doc/source/developer-notes/V-38620.rst create mode 100644 doc/source/developer-notes/V-38628.rst create mode 100644 doc/source/developer-notes/V-38631.rst create mode 100644 doc/source/developer-notes/V-38632.rst create mode 100644 doc/source/developer-notes/V-38635.rst create mode 100644 doc/source/developer-notes/V-38640.rst create mode 100644 doc/source/developer-notes/V-38641.rst create mode 100644 doc/source/developer-notes/V-38645.rst create mode 100644 doc/source/developer-notes/V-38650.rst create mode 100644 doc/source/developer-notes/V-38653.rst create mode 100644 doc/source/developer-notes/V-38666.rst create mode 100644 doc/source/developer-notes/V-38668.rst create mode 100644 doc/source/developer-notes/V-38669.rst create mode 100644 doc/source/developer-notes/V-38673.rst create mode 100644 doc/source/developer-notes/V-38677.rst create mode 100644 doc/source/developer-notes/V-38701.rst create mode 100644 doc/source/developer-notes/V-51363.rst create mode 100644 doc/source/developer-notes/V-51369.rst create mode 100644 doc/source/getting-started.rst create mode 100644 doc/source/index.rst create mode 100644 doc/source/writing-docs.rst create mode 100644 openstack-ansible-security/README.md create mode 100644 openstack-ansible-security/defaults/main.yml create mode 100644 openstack-ansible-security/files/login_banner.txt create mode 100644 openstack-ansible-security/handlers/main.yml create mode 100644 openstack-ansible-security/meta/main.yml 
create mode 100644 openstack-ansible-security/tasks/apt.yml create mode 100644 openstack-ansible-security/tasks/auditd.yml create mode 100644 openstack-ansible-security/tasks/auth.yml create mode 100644 openstack-ansible-security/tasks/boot.yml create mode 100644 openstack-ansible-security/tasks/console.yml create mode 100644 openstack-ansible-security/tasks/file_perms.yml create mode 100644 openstack-ansible-security/tasks/kernel.yml create mode 100644 openstack-ansible-security/tasks/mail.yml create mode 100644 openstack-ansible-security/tasks/main.yml create mode 100644 openstack-ansible-security/tasks/misc.yml create mode 100644 openstack-ansible-security/tasks/nfsd.yml create mode 100644 openstack-ansible-security/tasks/services.yml create mode 100644 openstack-ansible-security/tasks/sshd.yml create mode 100644 openstack-ansible-security/templates/chrony.conf.j2 create mode 100644 openstack-ansible-security/templates/osas-auditd.j2 create mode 100644 openstack-ansible-security/vars/main.yml create mode 100644 setup.cfg create mode 100644 setup.py create mode 100644 tox.ini diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..87487896 --- /dev/null +++ b/.gitignore 
@@ -0,0 +1,60 @@
+# Override Files #
+rpc_deployment/playbooks/lab_plays
+rpc_deployment/vars/overrides/*.yml
+
+# Compiled source #
+###################
+*.com
+*.class
+*.dll
+*.exe
+*.o
+*.so
+*.pyc
+build/
+dist/
+doc/build/
+
+# Packages #
+############
+# it's better to unpack these files and commit the raw source
+# git has its own built in compression methods
+*.7z
+*.dmg
+*.gz
+*.iso
+*.jar
+*.rar
+*.tar
+*.zip
+
+# Logs and databases #
+######################
+*.log
+*.sql
+*.sqlite
+
+# OS generated files #
+######################
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+.idea
+.tox
+*.sublime*
+*.egg-info
+Icon?
+ehthumbs.db
+Thumbs.db
+.eggs
+
+# User driven backup files #
+############################
+*.bak
+
+# Generated by pbr while building docs
+######################################
+AUTHORS
+ChangeLog
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 00000000..8f71f43f
--- /dev/null
+++ b/LICENSE
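Review bot: The `# Override Files #` entries `rpc_deployment/playbooks/lab_plays` and `rpc_deployment/vars/overrides/*.yml` at the top of the hunk refer to paths that do not exist in this role's tree (the diffstat lists nothing under `rpc_deployment/`), so they appear to be carried over from another repository and should be removed or rewritten for this layout. The blanket `*.log`, `*.sql` and `*.sqlite` patterns further down can also silently drop files a contributor intended to commit, such as a test fixture; scoping them to a known output directory would be safer.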
@@ -0,0 +1,202 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + diff --git a/README.rst b/README.rst new file mode 100644 index 00000000..9267ec4d --- /dev/null +++ b/README.rst 
@@ -0,0 +1,30 @@
+Security hardening for openstack-ansible
+----------------------------------------
+
+**--- Currently a work in progress ---**
+
+Documentation is on `ReadTheDocs`_ temporarily.
+
+.. _ReadTheDocs: http://openstack-ansible-security.readthedocs.org/en/latest/
+
+What is this?
+~~~~~~~~~~~~~
+
+The goal of this Ansible role is to provide additional security for deployments of openstack-ansible, the OpenStack project which deploys a fully-functional OpenStack environment using Ansible roles. For a more detailed explanation, review the security hardening spec in the section below.
+
+How do I learn more?
+~~~~~~~~~~~~~~~~~~~~
+
+* `openstack-ansible`_
+* `Security hardening spec`_ in openstack-ansible
+* `RHEL 6 STIG`_ in `STIG Viewer`_
+
+.. _openstack-ansible: https://github.com/openstack/openstack-ansible
+.. _Security hardening spec: http://specs.openstack.org/openstack/openstack-ansible-specs/specs/mitaka/security-hardening.html
+.. _RHEL 6 STIG: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/
+.. _STIG Viewer: https://www.stigviewer.com
+
+Questions or comments?
+~~~~~~~~~~~~~~~~~~~~~~
+
+Join ``#openstack-ansible`` on Freenode or email openstack-dev@lists.openstack.org with the tag ``[openstack-ansible]`` in the subject line.
diff --git a/dev-requirements.txt b/dev-requirements.txt
new file mode 100644
index 00000000..998334cd
--- /dev/null
+++ b/dev-requirements.txt
@@ -0,0 +1,3 @@
+ansible-lint
+oslosphinx>=2.5.0
+sphinx
diff --git a/doc/Makefile b/doc/Makefile
new file mode 100644
index 00000000..28a679f2
--- /dev/null
+++ b/doc/Makefile
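Review bot: `ansible-lint` and `sphinx` are added to dev-requirements.txt with no version bound, while `oslosphinx` gets `>=2.5.0`; an unbounded spec means the lint and docs jobs install whatever is newest on PyPI at run time, so results drift between runs and a broken or tampered release is picked up automatically. Unless a constraints file is applied by `tox.ini` (added in this commit but outside this chunk), give each a bound consistent with the oslosphinx line, e.g. `ansible-lint>=<known-good-version>` and `sphinx>=<known-good-version>`, with the placeholders replaced by the versions the role was actually validated against.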
@@ -0,0 +1,195 @@ +# Makefile for Sphinx documentation +# + +# You can set these variables from the command line. +SPHINXOPTS = +SPHINXBUILD = sphinx-build +PAPER = +BUILDDIR = build + +# User-friendly check for sphinx-build +ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1) +$(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/) +endif + +# Internal variables. +PAPEROPT_a4 = -D latex_paper_size=a4 +PAPEROPT_letter = -D latex_paper_size=letter +ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) source +# the i18n builder cannot share the environment and doctrees with the others +I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) source + +.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest coverage gettext + +help: + @echo "Please use \`make ' where is one of" + @echo " html to make standalone HTML files" + @echo " dirhtml to make HTML files named index.html in directories" + @echo " singlehtml to make a single large HTML file" + @echo " pickle to make pickle files" + @echo " json to make JSON files" + @echo " htmlhelp to make HTML files and a HTML help project" + @echo " qthelp to make HTML files and a qthelp project" + @echo " applehelp to make an Apple Help Book" + @echo " devhelp to make HTML files and a Devhelp project" + @echo " epub to make an epub" + @echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter" + @echo " latexpdf to make LaTeX files and run them through pdflatex" + @echo " latexpdfja to make LaTeX files and run them through platex/dvipdfmx" + @echo " text to make text files" + @echo " man to make manual pages" + @echo " 
texinfo to make Texinfo files" + @echo " info to make Texinfo files and run them through makeinfo" + @echo " gettext to make PO message catalogs" + @echo " changes to make an overview of all changed/added/deprecated items" + @echo " xml to make Docutils-native XML files" + @echo " pseudoxml to make pseudoxml-XML files for display purposes" + @echo " linkcheck to check all external links for integrity" + @echo " doctest to run all doctests embedded in the documentation (if enabled)" + @echo " coverage to run coverage check of the documentation (if enabled)" + +clean: + rm -rf $(BUILDDIR)/* + +html: + $(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html + @echo + @echo "Build finished. The HTML pages are in $(BUILDDIR)/html." + +dirhtml: + $(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml + @echo + @echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml." + +singlehtml: + $(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml + @echo + @echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml." + +pickle: + $(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle + @echo + @echo "Build finished; now you can process the pickle files." + +json: + $(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json + @echo + @echo "Build finished; now you can process the JSON files." + +htmlhelp: + $(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp + @echo + @echo "Build finished; now you can run HTML Help Workshop with the" \ + ".hhp project file in $(BUILDDIR)/htmlhelp." 
+ +qthelp: + $(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp + @echo + @echo "Build finished; now you can run "qcollectiongenerator" with the" \ + ".qhcp project file in $(BUILDDIR)/qthelp, like this:" + @echo "# qcollectiongenerator $(BUILDDIR)/qthelp/openstack-ansible.qhcp" + @echo "To view the help file:" + @echo "# assistant -collectionFile $(BUILDDIR)/qthelp/openstack-ansible.qhc" + +applehelp: + $(SPHINXBUILD) -b applehelp $(ALLSPHINXOPTS) $(BUILDDIR)/applehelp + @echo + @echo "Build finished. The help book is in $(BUILDDIR)/applehelp." + @echo "N.B. You won't be able to view it unless you put it in" \ + "~/Library/Documentation/Help or install it in your application" \ + "bundle." + +devhelp: + $(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp + @echo + @echo "Build finished." + @echo "To view the help file:" + @echo "# mkdir -p $$HOME/.local/share/devhelp/openstack-ansible" + @echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/openstack-ansible" + @echo "# devhelp" + +epub: + $(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub + @echo + @echo "Build finished. The epub file is in $(BUILDDIR)/epub." + +latex: + $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex + @echo + @echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex." + @echo "Run \`make' in that directory to run these through (pdf)latex" \ + "(use \`make latexpdf' here to do that automatically)." + +latexpdf: + $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex + @echo "Running LaTeX files through pdflatex..." + $(MAKE) -C $(BUILDDIR)/latex all-pdf + @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex." + +latexpdfja: + $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex + @echo "Running LaTeX files through platex and dvipdfmx..." + $(MAKE) -C $(BUILDDIR)/latex all-pdf-ja + @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex." 
+ +text: + $(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text + @echo + @echo "Build finished. The text files are in $(BUILDDIR)/text." + +man: + $(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man + @echo + @echo "Build finished. The manual pages are in $(BUILDDIR)/man." + +texinfo: + $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo + @echo + @echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo." + @echo "Run \`make' in that directory to run these through makeinfo" \ + "(use \`make info' here to do that automatically)." + +info: + $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo + @echo "Running Texinfo files through makeinfo..." + make -C $(BUILDDIR)/texinfo info + @echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo." + +gettext: + $(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale + @echo + @echo "Build finished. The message catalogs are in $(BUILDDIR)/locale." + +changes: + $(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes + @echo + @echo "The overview file is in $(BUILDDIR)/changes." + +linkcheck: + $(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck + @echo + @echo "Link check complete; look for any errors in the above output " \ + "or in $(BUILDDIR)/linkcheck/output.txt." + +doctest: + $(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest + @echo "Testing of doctests in the sources finished, look at the " \ + "results in $(BUILDDIR)/doctest/output.txt." + +coverage: + $(SPHINXBUILD) -b coverage $(ALLSPHINXOPTS) $(BUILDDIR)/coverage + @echo "Testing of coverage in the sources finished, look at the " \ + "results in $(BUILDDIR)/coverage/python.txt." + +xml: + $(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml + @echo + @echo "Build finished. The XML files are in $(BUILDDIR)/xml." + +pseudoxml: + $(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml + @echo + @echo "Build finished. 
The pseudo-XML files are in $(BUILDDIR)/pseudoxml." + +livehtml: html + sphinx-autobuild -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html diff --git a/doc/source/_static/.gitkeep b/doc/source/_static/.gitkeep new file mode 100644 index 00000000..e69de29b diff --git a/doc/source/_themes/openstack/layout.html b/doc/source/_themes/openstack/layout.html new file mode 100644 index 00000000..512ab3fa --- /dev/null +++ b/doc/source/_themes/openstack/layout.html @@ -0,0 +1,109 @@ +{% extends "basic/layout.html" %} +{% set css_files = css_files + ['_static/tweaks.css'] %} + +{% block sidebar2 %} +
+
+ {%- if not embedded %}{% if not theme_nosidebar|tobool %} + {%- block sidebarlogo %} + {%- if logo %} + + {%- endif %} + {%- endblock %} + {%- block sidebartoc %} + {%- if display_toc %} +

{{ _('Table Of Contents') }}

+ {{ toc }} + {%- endif %} + {%- endblock %} + {%- block sidebarrel %} + {%- if prev %} +

{{ _('Previous topic') }}

+

{{ prev.title }}

+ {%- endif %} + {%- if next %} +

{{ _('Next topic') }}

+

{{ next.title }}

+ {%- endif %} + {%- endblock %} + {%- block projectsource %} + {%- if cgit_link %} +

{{ _('Project Source') }}

+ + {%- endif %} + {%- endblock %} + {%- block sidebarsourcelink %} + {%- if show_source and has_source and sourcename %} +

{{ _('This Page') }}

+ + {%- endif %} + {%- endblock %} + {%- if customsidebar %} + {% include customsidebar %} + {%- endif %} + {%- block sidebarsearch %} + {%- if pagename != "search" %} + + + {%- endif %} + {%- endblock %} + {%- endif %}{% endif %} +
+
+{% endblock %} + +{% block relbar1 %}{% endblock relbar1 %} + +{% block header %} + +{% endblock %} + +{% block footer %} +{{ super() }} + + +{% endblock %} diff --git a/doc/source/_themes/openstack/static/basic.css b/doc/source/_themes/openstack/static/basic.css new file mode 100644 index 00000000..5542eea1 --- /dev/null +++ b/doc/source/_themes/openstack/static/basic.css 
@@ -0,0 +1,419 @@ +/** + * Sphinx stylesheet -- basic theme + * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + */ + +/* -- main layout ----------------------------------------------------------- */ + +div.clearer { + clear: both; +} + +/* -- relbar ---------------------------------------------------------------- */ + +div.related { + font-size: 90%; +} + +div.related h3 { + display: none; +} + +div.related ul { + margin: 0; + padding: 0 0 0 10px; + list-style: none; +} + +div.related li { + display: inline; +} + +div.related li.right { + float: right; + margin-right: 5px; +} + +/* -- sidebar --------------------------------------------------------------- */ + +div.sphinxsidebarwrapper { + padding: 10px 5px 0 10px; +} + +div.sphinxsidebar { + float: left; + width: 260px; + margin-left: -100%; + font-size: 90%; +} + +div.sphinxsidebar ul { + list-style: none; +} + +div.sphinxsidebar ul ul, +div.sphinxsidebar ul.want-points { + margin-left: 20px; + list-style: square; +} + +div.sphinxsidebar ul ul { + margin-top: 0; + margin-bottom: 0; +} + +div.sphinxsidebar form { + margin-top: 10px; +} + +div.sphinxsidebar input { + border: 1px solid #98dbcc; + font-family: sans-serif; + font-size: 1em; +} + +div.sphinxsidebar span.pre { + word-wrap: break-word; +} + +img { + border: 0; +} + +/* -- search page ----------------------------------------------------------- */ + +ul.search { + margin: 10px 0 0 20px; + padding: 0; +} + +ul.search li { + padding: 5px 0 5px 20px; + background-image: url(file.png); + background-repeat: no-repeat; + background-position: 0 7px; +} + +ul.search li a { + font-weight: bold; +} + +ul.search li div.context { + color: #888; + margin: 2px 0 0 30px; + text-align: left; +} + +ul.keywordmatches li.goodmatch a { + font-weight: bold; +} + +/* -- index page ------------------------------------------------------------ */ + +table.contentstable { + width: 90%; +} + +table.contentstable p.biglink { + line-height: 150%; +} + +a.biglink { + font-size: 1.3em; +} + 
+span.linkdescr { + font-style: italic; + padding-top: 5px; + font-size: 90%; +} + +/* -- general index --------------------------------------------------------- */ + +table.indextable td { + text-align: left; + vertical-align: top; +} + +table.indextable dl, table.indextable dd { + margin-top: 0; + margin-bottom: 0; +} + +table.indextable tr.pcap { + height: 10px; +} + +table.indextable tr.cap { + margin-top: 10px; + background-color: #f2f2f2; +} + +img.toggler { + margin-right: 3px; + margin-top: 3px; + cursor: pointer; +} + +/* -- general body styles --------------------------------------------------- */ + +a.headerlink { + visibility: hidden; +} + +h1:hover > a.headerlink, +h2:hover > a.headerlink, +h3:hover > a.headerlink, +h4:hover > a.headerlink, +h5:hover > a.headerlink, +h6:hover > a.headerlink, +dt:hover > a.headerlink { + visibility: visible; +} + +div.body p.caption { + text-align: inherit; +} + +div.body td { + text-align: left; +} + +.field-list ul { + padding-left: 1em; +} + +.first { +} + +p.rubric { + margin-top: 30px; + font-weight: bold; +} + +/* -- sidebars -------------------------------------------------------------- */ + +div.sidebar { + margin: 0 0 0.5em 1em; + border: 1px solid #ddb; + padding: 7px 7px 0 7px; + background-color: #ffe; + width: 40%; + float: right; +} + +p.sidebar-title { + font-weight: bold; +} + +/* -- topics ---------------------------------------------------------------- */ + +div.topic { + border: 1px solid #ccc; + padding: 7px 7px 0 7px; + margin: 10px 0 10px 0; +} + +p.topic-title { + font-size: 1.1em; + font-weight: bold; + margin-top: 10px; +} + +/* -- admonitions ----------------------------------------------------------- */ + +div.admonition { + margin-top: 10px; + margin-bottom: 10px; + padding: 7px; +} + +div.admonition dt { + font-weight: bold; +} + +div.admonition dl { + margin-bottom: 0; +} + +p.admonition-title { + margin: 0px 10px 5px 0px; + font-weight: bold; +} + +div.body p.centered { + text-align: 
center; + margin-top: 25px; +} + +/* -- tables ---------------------------------------------------------------- */ + +table.docutils { + border: 0; + border-collapse: collapse; +} + +table.docutils td, table.docutils th { + padding: 1px 8px 1px 0; + border-top: 0; + border-left: 0; + border-right: 0; + border-bottom: 1px solid #aaa; +} + +table.field-list td, table.field-list th { + border: 0 !important; +} + +table.footnote td, table.footnote th { + border: 0 !important; +} + +th { + text-align: left; + padding-right: 5px; +} + +/* -- other body styles ----------------------------------------------------- */ + +dl { + margin-bottom: 15px; +} + +dd p { + margin-top: 0px; +} + +dd ul, dd table { + margin-bottom: 10px; +} + +dd { + margin-top: 3px; + margin-bottom: 10px; + margin-left: 30px; +} + +dt:target, .highlight { + background-color: #fbe54e; +} + +dl.glossary dt { + font-weight: bold; + font-size: 1.1em; +} + +.field-list ul { + margin: 0; + padding-left: 1em; +} + +.field-list p { + margin: 0; +} + +.refcount { + color: #060; +} + +.optional { + font-size: 1.3em; +} + +.versionmodified { + font-style: italic; +} + +.system-message { + background-color: #fda; + padding: 5px; + border: 3px solid red; +} + +.footnote:target { + background-color: #ffa +} + +.line-block { + display: block; + margin-top: 1em; + margin-bottom: 1em; +} + +.line-block .line-block { + margin-top: 0; + margin-bottom: 0; + margin-left: 1.5em; +} + +/* -- code displays --------------------------------------------------------- */ + +pre { + overflow: auto; +} + +td.linenos pre { + padding: 5px 0px; + border: 0; + background-color: transparent; + color: #aaa; +} + +table.highlighttable { + margin-left: 0.5em; +} + +table.highlighttable td { + padding: 0 0.5em 0 0.5em; +} + +tt.descname { + background-color: transparent; + font-weight: bold; + font-size: 1.2em; +} + +tt.descclassname { + background-color: transparent; +} + +tt.xref, a tt { + background-color: transparent; + font-weight: 
bold; +} + +h1 tt, h2 tt, h3 tt, h4 tt, h5 tt, h6 tt { + background-color: transparent; +} + +/* -- math display ---------------------------------------------------------- */ + +img.math { + vertical-align: middle; +} + +div.body div.math p { + text-align: center; +} + +span.eqno { + float: right; +} + +/* -- printout stylesheet --------------------------------------------------- */ + +@media print { + div.document, + div.documentwrapper, + div.bodywrapper { + margin: 0 !important; + width: 100%; + } + + div.sphinxsidebar, + div.related, + div.footer, + #top-link { + display: none; + } +} diff --git a/doc/source/_themes/openstack/static/default.css b/doc/source/_themes/openstack/static/default.css new file mode 100644 index 00000000..c8091ecb --- /dev/null +++ b/doc/source/_themes/openstack/static/default.css 
@@ -0,0 +1,230 @@ +/** + * Sphinx stylesheet -- default theme + * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + */ + +@import url("basic.css"); + +/* -- page layout ----------------------------------------------------------- */ + +body { + font-family: sans-serif; + font-size: 100%; + background-color: #11303d; + color: #000; + margin: 0; + padding: 0; +} + +div.document { + background-color: #1c4e63; +} + +div.documentwrapper { + float: left; + width: 100%; +} + +div.bodywrapper { + margin: 0 0 0 230px; +} + +div.body { + background-color: #ffffff; + color: #000000; + padding: 0 20px 30px 20px; +} + +div.footer { + color: #ffffff; + width: 100%; + padding: 9px 0 9px 0; + text-align: center; + font-size: 75%; +} + +div.footer a { + color: #ffffff; + text-decoration: underline; +} + +div.related { + background-color: #133f52; + line-height: 30px; + color: #ffffff; +} + +div.related a { + color: #ffffff; +} + +div.sphinxsidebar { +} + +div.sphinxsidebar h3 { + font-family: 'Trebuchet MS', sans-serif; + color: #ffffff; + font-size: 1.4em; + font-weight: normal; + margin: 0; + padding: 0; +} + +div.sphinxsidebar h3 a { + color: #ffffff; +} + +div.sphinxsidebar h4 { + font-family: 'Trebuchet MS', sans-serif; + color: #ffffff; + font-size: 1.3em; + font-weight: normal; + margin: 5px 0 0 0; + padding: 0; +} + +div.sphinxsidebar p { + color: #ffffff; +} + +div.sphinxsidebar p.topless { + margin: 5px 10px 10px 10px; +} + +div.sphinxsidebar ul { + margin: 10px; + padding: 0; + color: #ffffff; +} + +div.sphinxsidebar a { + color: #98dbcc; +} + +div.sphinxsidebar input { + border: 1px solid #98dbcc; + font-family: sans-serif; + font-size: 1em; +} + +/* -- body styles ----------------------------------------------------------- */ + +a { + color: #355f7c; + text-decoration: none; +} + +a:hover { + text-decoration: underline; +} + +div.body p, div.body dd, div.body li { + text-align: left; + line-height: 130%; +} + +div.body h1, +div.body h2, +div.body h3, +div.body h4, +div.body h5, 
+div.body h6 { + font-family: 'Trebuchet MS', sans-serif; + background-color: #f2f2f2; + font-weight: normal; + color: #20435c; + border-bottom: 1px solid #ccc; + margin: 20px -20px 10px -20px; + padding: 3px 0 3px 10px; +} + +div.body h1 { margin-top: 0; font-size: 200%; } +div.body h2 { font-size: 160%; } +div.body h3 { font-size: 140%; } +div.body h4 { font-size: 120%; } +div.body h5 { font-size: 110%; } +div.body h6 { font-size: 100%; } + +a.headerlink { + color: #c60f0f; + font-size: 0.8em; + padding: 0 4px 0 4px; + text-decoration: none; +} + +a.headerlink:hover { + background-color: #c60f0f; + color: white; +} + +div.body p, div.body dd, div.body li { + text-align: left; + line-height: 130%; +} + +div.admonition p.admonition-title + p { + display: inline; +} + +div.admonition p { + margin-bottom: 5px; +} + +div.admonition pre { + margin-bottom: 5px; +} + +div.admonition ul, div.admonition ol { + margin-bottom: 5px; +} + +div.note { + background-color: #eee; + border: 1px solid #ccc; +} + +div.seealso { + background-color: #ffc; + border: 1px solid #ff6; +} + +div.topic { + background-color: #eee; +} + +div.warning { + background-color: #ffe4e4; + border: 1px solid #f66; +} + +p.admonition-title { + display: inline; +} + +p.admonition-title:after { + content: ":"; +} + +pre { + padding: 5px; + background-color: #eeffcc; + color: #333333; + line-height: 120%; + border: 1px solid #ac9; + border-left: none; + border-right: none; +} + +tt { + background-color: #ecf0f3; + padding: 0 1px 0 1px; + font-size: 0.95em; +} + +.warning tt { + background: #efc2c2; +} + +.note tt { + background: #d6d6d6; +} diff --git a/doc/source/_themes/openstack/static/header-line.gif b/doc/source/_themes/openstack/static/header-line.gif new file mode 100644 index 0000000000000000000000000000000000000000..3601730e03488b7b5f92dc992d23ad753357c167 GIT binary patch literal 48 zcmZ?wbhEHbWMg1uXkcVG`smgF|Nj+#vM@3*Ff!;c00Bsbfr-7RpY8O^Kn4bD08FwB Aga7~l literal 0 HcmV?d00001 
diff --git a/doc/source/_themes/openstack/static/header_bg.jpg b/doc/source/_themes/openstack/static/header_bg.jpg new file mode 100644 index 0000000000000000000000000000000000000000..f788c41c26481728fa4329c17c87bde36001adc1 GIT binary patch literal 3738 zcmd5-YdDna8vedHnM0NtYi6>>At7O=uyTsZup5R_40A9)aXQa}U(l^=gSg=J*&3mKp$aM0r>UIFDe9Zy(vs} zWf)kqO2Y_n0$>ZQ0D&hY4tWjpY?Ii5?V)h*kc0fz?%ZIj3|{;F8E5l%d0)&*Hx~ulvc_*73u8%R zsVMV~ne!JY);&pWott~QIZYJFTXliYc2};JEU{X7W6;ZPfz;)U;U4#mEuK@K*=SC3BR-m&x9(Nna@>b@%FS34|P^jtsXRb5>z9gtPp;_MI2F3o*k z>csA-?CX4b;~4P-*L$+Mmb|51F)eD*wCc`Jt(9}C${Zo=!Uin=u_yMC^;`X!x$##4 z+~}dkT`NF@Uhw0r+6g_)?e!h8IX+OE^C96>UOsv0GPMD6(kr#ljhXRnA=O>Qj@%iT zqBF7aQ*}BG)h@6r0%#azk!r9yrN6>9dq~>KadV$~cGG?Hjk>~it^5rd#zS4KE*p+4 z;;B)%oBK8PNTs=A)a-z`n?3zJ%+h{`=>ijk4sYKr*>`eN1H`~Lo|Tm!o6qN{S* zeNl=NcpGzD55)XnLC|>g)~w={=c#4*x^;mk4Zo_FOFlffP@!?1`c+TogTVR4kp9-q z`d5cMBzNxk6qjPRK9*WY3uHS=bnm_QJvSMBBS_A#3i=ywsg6^|9rfruW0MhdGwHDO z?1gJRMQVecKE^gV{%uo(b)zl^Hd&vmnwFh88h*-?FJ;y=Hdqvt!K|s<$>xlzR=G4{ zZgGOCF43IXS?62B)w*N&dXt%U8X^Bjx}^%Yf>VFpFoKSGP%k?ems;&&J)|Dx(qtQD zu2tS)<_Qz4#LhBKYkl@Og}G)^5+F4P($Fk>)}{uMVv|;Sz2i4$XJ_WTw*;n>3N805rnXhbC52SC={E3rXRlrs|I6f;o|Cn%eje59{axu9sivy4oYmg=j|fLt3<3 zFce84aNb8GbK;y>RbBu71YBcYKL3@M3N25yoE%BtG z^K!`WTQ|fb-Ysa7T)mEw&4_b)PWYgc!)3W)H+neR9o^f|AXdgY1`gN+pvgzbbk`M z*Ts6${7M`2)9XIPy^MoXTiiP2GTp_OtgWMshnH)M&ZSO0)cet!oWo_0_&hV(0?Qdb zdo(sw{I#{hI`SWPM`N=U^#+MgN-*rZ#J7Cm7Jj89`5ehd_{z&9->Jc7$F(X4)&|`K z5rEgd;@dhi-IzJnSVpMd!Gf_G-QW+ zjVMrIas1)g%)GJ;(=oaK};O^)NYdS1`XR?K_;I7qj zhii5}x^he{U3M+GF+WpYws#=Pt#S9xB_X5QE7W+_rQdwMhukJnQj}5cnCz_sIJ#r0 zJa5drkRPI$X(4YdpCswJe#5aN4Jjw3V3Nzt&`lcKBI~#;!>jq7j8y# zvHrFg_#P376A45^hp-KU*P=R;DVdPK*w7D@Gw+`XsSpm^L-VkCooZF61sPAnnjsT# zND4C{>G#P10F_&txEoE!rX%Iy*L}Kna=Q%fDLJ_rF*LujRITZ)$g!?UYLkCXOoz-S z_p`Hny*Rh--l)aYQC&-2dd%;%VKGC1<1DJm_n~`nk4^yS`}&P zM}5bOypW0hwtvrwnE>}g1Mq+B>09qPp1b$hn6kC_iqF`tX#G-t7D$n}Ky9t}sUqiI zOe@odQ?JueZ+sg`-zoQ}J4if6vv1c9x{BDme+F6z{8esU^Kio zK_oPy9}@nlGywSOZy9`^- 
zzBg>C9|rgWF{pcCogEV@;d}VHrgeBl=5Dr*th4V!1`Z9Zrz9le1zHC#sM3{j#G2R?WMhl6b_yyoEAxX>Zixl$16`+^d$ihNtuIBUafyiCEv#oksNL<4= z*oDXsc7-(ww^9-b-6_|bITySG1N2C-7p0L4+V@R%j=4@ygc=89bmSNy38$S=ZiDyP z0SrqrVA;zi8kYBZ2@Mx(2Lx~-*bc@d1#4R($RJv$9ZTfx_t7Kc|HIHnd&@I386P?& z?d6Vd(48n${cTNFFCoSIUj#O{mmt%M&xCIFmR9Y3f{2UnF4e9@uFZOaYiY|CLdbDa z%xS9x4SHi7Fr-1?CnDqRK?)n&$TTBW5J?O&o{TnNCnLw*{QmT7{c}flSbp9&xi*zF z1TdUn&_!$_WxQbMKGkgsl}B%+N5ZV%Hy6_zJ>dejD89yCBMw9(d}z2fWjYH_nV6!F zqe_rI2H5Pi0^~S6)jjnu%lqZN*eQq6!||a24+edpSH_{C8Ew^g8dw2qdrH!@*E7K* z)00Bb8uUsai%v6Oa^L@3E02r|EG%EdV>q;=#2Q9Wjv3l?dAur$4bzyOl3M6 z1hf%&o*#2R&xnS1z4&R`Uq%`Ut0_P{BOwt;FuDbCW75Qp#l)U;+N6jaIz6Nf$t6dNV>^>ETzcpQ=%tMaf0k|rg72+IW`z$FyfE+D{1@tt$t5DmX)*;QV?c;%+5Z&egAgfXTQJq-mZkC z>pFAHu}U=Axde_?s!99ZfDg_+9TYzDa6N1R3adhx&2Mb7>9w`KpMNz!>U5t2XQ8lZ zu+!+H7(PRwF@jAkwvI;|8|=Z_dfzV`Kpi;I!e=|Ql+HAdEag?VZ^Ilw9XJj9N1#1a z?UFC!)X62`CRIe^9YCLKbJ` z&O@f0zt{Z1YDF1utg2$F+rzvrncys+g37Xsd8)idSW(=}t#~qF#qBo29*@^ZCs<$W zpa144=o4g0z63h_ttPfIpH-FyG^MAH+6B~r$(4qw+Uv{2d#h`$lq+i+#Tf%CAzDFUh!pzX(6nW{EASJAQkhm!+}aGpHc z;(+N`S*@tYmump1T37E}J;!$0#F>^M*mT_X1x~bvnp&qP9IHI#bj-0z8FR+=p+e#*w3ugV#wX``sR-CI1!YiQsfc@Om<;1MBw zlfqH9z4Q|m*C?URU1OG(`UYn>Q8<|I!mby#FlN5MMFE8;Pyh$skbR?ngFLt?%nWSkS-#W5umy>@^DyAERP~{E&`M%0(qi&((^ahqL}u^jT<2dcf)p< z%Fxc9J$nh_`>_oNYC?oy`rIDY46Yrw4si3Qn~oXV%dJ}IlUD-40>QipyGa_dV0Z%J ztcEXm5yxR0gySJ04{nnbm#vP=Hq&GI<8VxcZ34pRjt6m%pE2H|!+HBJQrdBdyKHJR z2O_}hp!5bXuwniQYTF>yI|=cjT+2l`9T3|H+l4%ryPxWQm(ODW#8Ctj_CplcO=)qj zD#d~V6BahR9NY1kE5rF)_j<|!Cqnpq0uOKhL%w z>y8OyeTM1?REXc{0|3b=#WPZneh80PxL=Ljau1~+CgtMgg-vccMDX-L z9^7An_;!lFAi`#G_1F*OdM|Z$EVQs0m0$?mY}(baOZ%Zpd62#Pyg!3Jd4d zD^8+lSir&T6Y9-p9L#Wz6$5nXLjdOl?7Lv!TeMr}F14ranauW9=L>ubu*x>Bcrgwp zjrT@{rL*2Fc}Ilwn07QvdJfMOO2=(1Px)6&ih7lg839!Bx&}lQER~T`^7_x@fXo({ zCZMeZYt*!VgMTg>PR)PBaIwubzRY%jjE`-s zG;B}>2!lD=QLOTfQOEZKIEz*;yTJ9(Af0zNv;IDq7#Fr#W{Ap+7Sq1N3TL21X|h2t z=Dk>^bGSsRX-u+cZ23mMB_Ioc0yNIfcfLWB>$hVU3W3>d&a?IM+bGRGt+t}aiv(eh z(D6Z9N>U2|Qxle(!UVTeEKE6W))3WI5z48Rs8d5v0GwmyC8iQiUJO8KS?QwHl2abL 
zNW+hadDdPc8z%MSOG$l&WR@!!&M{WLmrnS=-0G#&`a)chX>mN9W1>|yqve@lL8a`f zXRmn$B8P=dLxE!2rIi}a*gh%FI4j?C;b@L=WgypiTRf==n6DKr9mUExo6a@{wLM-I z9%V9{!;5G!<8fMYikfEbrGXRQN-9*24}kIIpP&dEg@fiLqAY5|jjv}$P3x0avZODU zdX`c|G>h`1f=3uEu)L9C)H5%frni#HZXcX`TD{iQ-e2qXxj_f%|WW;byDMc%7+uBy}Y?KLC?jp%yyyeBNkqQ-*osw2ex&97Q{#C7%CdSDMNIV zTdC(LEm?&qPcNOjM)h9Grs|M(gsuhV8@96?m4WkQ>j{bJIs)m^neL%ua!i+N8>Lh+ zKu#7rF~VOH@hb{zGXYwys!Um4Vkf+H8Hj6?^eI%kT%j+HA0K=6qdQ@nfR57Q`Jm9T zc)Yg9-`e~BRE!xoKZ z=mP|0Kihr}V1$5sHw$QekmoL)lQ;~@H$S)}s3xuwypiubB?1%OyBpwC08TH!=?BrQ zhOp`PTu;%u0}Q=XKGb7d$g8*;de8c1UI|Re2R;;Radh_D!FIZg+JP`oJg>5 z;&B7eVAomZe>j~hOOIVRO_Q7eSGz37hxmnsG!n%HX`C6gSqFcg(RLmikn%EPR*wel zrsc;>!vQ<>2ZW`lk`MbNLopFd#_9mh8iKPH;KbjC@xJU${pdxuTF{uO(eG#9t*>XP z_4Seh`r_#q$^xeiuy(=eSouv66cpS!t3n`|j`6xnmSs1q@;0!I)m<6eYHHGMRdB87 ziruozT=gn@yp`B9oGxD-b7PqhZum|oJCfLB38&8v51ijj-Pb`qvCr3FtJ0aFms2h3(n0-}3jJ~J$ zCzep7-MIZFbo$(m8zWm?SoRl__blLE+!fFBVVk1&XLg+vmVNcTk9O2+q?x#F0LZUN zu6oM~C)(7^0|az4nM}@aZf<@RkH0CR8<-Yn-fZe+Dbr#iJWSt#tnR4^h<@ePXWmeHIO4q^X zCbiy(=k3R1o1}0E+7x*OOe-qnIXG{#N_rqK*1NH}Qz6aumTR`YTgo5K=q=61;5@b- zrgUA_Qz=)(TPN!tCZE|{?B0*r9ov5Fcip6xQ2;Yqs*2_o7TFKGp0|~bcP@6+a(rz^ zXXmmyBfT}ucw_t(6s+f^t_)nc>RKW<-q_&J35vN+RPLsR?VAsQeHLyCR7AWvxFOVc zAg-xl=j*RipzaKWx3lAf?ei`PoM;bbAL>svH?JqQwjSulb9bghytRt%*5x-no>xlf zh7qj0LYRXVDU})?Btsy7^71*ujsEP_ACyd)P)*ULWBCXox@PUfwmQ#)Vl&oeIqpQY zHMgU+xe0EhQ)RmjdB3JHGdrsvJ9?A=WwOrn)J?BH{+D&O_@SKdrj2|8Z{hS1T(k>&Zlt;p=tqw*mVY1aLt=u^eAHkW>8cb#@q& z4-SLa@ii zCt7NGrLv)1Scy9ew-sOwwLYn2a6T#KzJgnbacm7Z20q6tcs~C!0DI+r(=$l+x{=W0A}~0&W)ll4*&oF07*qoM6N<$f~n6U7ytkO literal 0 HcmV?d00001 diff --git a/doc/source/_themes/openstack/static/tweaks.css b/doc/source/_themes/openstack/static/tweaks.css new file mode 100644 index 00000000..5bd5ff2a --- /dev/null +++ b/doc/source/_themes/openstack/static/tweaks.css 
@@ -0,0 +1,128 @@ +body { + background: #fff url(../_static/header_bg.jpg) top left no-repeat; +} + +#header { + width: 950px; + margin: 0 auto; + height: 102px; +} + +#header h1#logo { + background: url(../_static/openstack_logo.png) top left no-repeat; + display: block; + float: left; + text-indent: -9999px; + width: 175px; + height: 55px; +} + +#navigation { + background: url(../_static/header-line.gif) repeat-x 0 bottom; + display: block; + float: left; + margin: 27px 0 0 25px; + padding: 0; +} + +#navigation li{ + float: left; + display: block; + margin-right: 25px; +} + +#navigation li a { + display: block; + font-weight: normal; + text-decoration: none; + background-position: 50% 0; + padding: 20px 0 5px; + color: #353535; + font-size: 14px; +} + +#navigation li a.current, #navigation li a.section { + border-bottom: 3px solid #cf2f19; + color: #cf2f19; +} + +div.related { + background-color: #cde2f8; + border: 1px solid #b0d3f8; +} + +div.related a { + color: #4078ba; + text-shadow: none; +} + +div.sphinxsidebarwrapper { + padding-top: 0; +} + +pre { + color: #555; +} + +div.documentwrapper h1, div.documentwrapper h2, div.documentwrapper h3, div.documentwrapper h4, div.documentwrapper h5, div.documentwrapper h6 { + font-family: 'PT Sans', sans-serif !important; + color: #264D69; + border-bottom: 1px dotted #C5E2EA; + padding: 0; + background: none; + padding-bottom: 5px; +} + +div.documentwrapper h3 { + color: #CF2F19; +} + +a.headerlink { + color: #fff !important; + margin-left: 5px; + background: #CF2F19 !important; +} + +div.body { + margin-top: -25px; + margin-left: 260px; +} + +div.document { + width: 960px; + margin: 0 auto; +} + +div.sphinxsidebar h3.highlighted { + background-color: #cf2f19; + color: #EEE; + text-shadow: 1px 1px 0 #740101; +} + +div.sphinxsidebar h3.highlighted a { + color: #EEE; +} + +/** provide visual separation for sidebar for increased readability. 
*/
+div.sphinxsidebar ul li {
+ margin-top: 1em;
+ font-weight: bold;
+}
+
+div.sphinxsidebar ul li ul li {
+ margin-top: 0;
+ font-weight: normal;
+}
+
+/** Provide the sidebar to allow long words to go to the next line
+ making them easier to read.*/
+div.sphinxsidebar a {
+ display: block;
+ text-indent: -1em;
+ margin-left: 1em;
+ word-wrap: break-word;
+}
+
+div.sphinxsidebar ul {
+ margin: 10px 10px;
+}
\ No newline at end of file
diff --git a/doc/source/_themes/openstack/theme.conf b/doc/source/_themes/openstack/theme.conf
new file mode 100644
index 00000000..e2b8bfe6
--- /dev/null
+++ b/doc/source/_themes/openstack/theme.conf
@@ -0,0 +1,7 @@
+[theme]
+inherit = basic
+stylesheet = nature.css
+pygments_style = tango
+
+[options]
+incubating = false
diff --git a/doc/source/conf.py b/doc/source/conf.py
new file mode 100644
index 00000000..e39721da
--- /dev/null
+++ b/doc/source/conf.py
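Review bot: This theme.conf, together with the layout.html and CSS files added above it, vendors an in-tree copy of the `openstack` Sphinx theme, while conf.py in this same commit enables the `oslosphinx` extension, whose job is to supply that theme, and selects `html_theme = 'openstack'`. Two copies of the same theme means the in-tree one stops receiving upstream fixes, and which copy actually renders depends on whether conf.py sets `html_theme_path` (its HTML section runs past this chunk, so that cannot be confirmed here): without it the `_themes` directory is dead weight, with it the vendored copy shadows the maintained one. Suggest dropping `doc/source/_themes/` and relying on oslosphinx, or, if a local fork is intentional, recording why in a comment at the top of theme.conf, e.g. `# Forked from oslosphinx <version>: <reason>; re-sync when upgrading`.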
@@ -0,0 +1,287 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+# openstack-ansible documentation build configuration file, created by
+# sphinx-quickstart on Mon Apr 13 20:42:26 2015.
+#
+# This file is execfile()d with the current directory set to its
+# containing dir.
+#
+# Note that not all possible configuration values are present in this
+# autogenerated file.
+#
+# All configuration values have a default; values that are commented out
+# serve to show the default.
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+# sys.path.insert(0, os.path.abspath('.'))
+
+# -- General configuration ------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+# needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = [
+ 'sphinx.ext.autodoc',
+ 'oslosphinx'
+]
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The suffix(es) of source filenames.
+# You can specify multiple suffix as a list of string:
+# source_suffix = ['.rst', '.md']
+source_suffix = '.rst'
+
+# The encoding of source files.
+# source_encoding = 'utf-8-sig'
+
+# The master toctree document.
+master_doc = 'index'
+
+# General information about the project.
+project = 'openstack-ansible-security'
+copyright = '2015, openstack-ansible contributors'
+author = 'openstack-ansible contributors'
+
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+#
+# The short X.Y version.
+version = 'master'
+# The full version, including alpha/beta/rc tags.
+release = 'master'
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#
+# This is also used if you do content translation via gettext catalogs.
+# Usually you set "language" from the command line for these cases.
+language = None
+
+# There are two options for replacing |today|: either, you set today to some
+# non-false value, then it is used:
+# today = ''
+# Else, today_fmt is used as the format for a strftime call.
+# today_fmt = '%B %d, %Y'
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+exclude_patterns = []
+
+# The reST default role (used for this markup: `text`) to use for all
+# documents.
+# default_role = None
+
+# If true, '()' will be appended to :func: etc. cross-reference text.
+# add_function_parentheses = True
+
+# If true, the current module name will be prepended to all description
+# unit titles (such as .. function::).
+# add_module_names = True
+
+# If true, sectionauthor and moduleauthor directives will be shown in the
+# output. They are ignored by default.
+# show_authors = False
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+# A list of ignored prefixes for module index sorting.
+# modindex_common_prefix = []
+
+# If true, keep warnings as "system message" paragraphs in the built documents.
+# keep_warnings = False
+
+# If true, `todo` and `todoList` produce output, else they produce nothing.
+todo_include_todos = False
+
+
+# -- Options for HTML output ----------------------------------------------
+
+# The theme to use for HTML and HTML Help pages. See the documentation for
+# a list of builtin themes.
+html_theme = 'openstack'
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further. For a list of options available for each theme, see the
+# documentation.
+# html_theme_options = {}
+
+# Add any paths that contain custom themes here, relative to this directory.
+html_theme_path = ['_themes']
+
+# The name for this set of Sphinx documents. If None, it defaults to
+# " v documentation".
+# html_title = None
+
+# A shorter title for the navigation bar. Default is the same as html_title.
+# html_short_title = None
+
+# The name of an image file (relative to this directory) to place at the top
+# of the sidebar.
+# html_logo = None
+
+# The name of an image file (within the static path) to use as favicon of the
+# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
+# pixels large.
+# html_favicon = None
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ['_static']
+
+# Add any extra paths that contain custom files (such as robots.txt or
+# .htaccess) here, relative to this directory. These files are copied
+# directly to the root of the documentation.
+# html_extra_path = []
+
+# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
+# using the given strftime format.
+# html_last_updated_fmt = '%b %d, %Y'
+
+# If true, SmartyPants will be used to convert quotes and dashes to
+# typographically correct entities.
+# html_use_smartypants = True
+
+# Custom sidebar templates, maps document names to template names.
+# html_sidebars = {}
+
+# Additional templates that should be rendered to pages, maps page names to
+# template names.
+# html_additional_pages = {}
+
+# If false, no module index is generated.
+# html_domain_indices = True
+
+# If false, no index is generated.
+# html_use_index = True
+
+# If true, the index is split into individual pages for each letter.
+# html_split_index = False
+
+# If true, links to the reST sources are added to the pages.
+# html_show_sourcelink = True
+
+# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
+# html_show_sphinx = True
+
+# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
+# html_show_copyright = True
+
+# If true, an OpenSearch description file will be output, and all pages will
+# contain a tag referring to it. The value of this option must be the
+# base URL from which the finished HTML is served.
+# html_use_opensearch = ''
+
+# This is the file name suffix for HTML files (e.g. ".xhtml").
+# html_file_suffix = None
+
+# Language to be used for generating the HTML full-text search index.
+# Sphinx supports the following languages:
+# 'da', 'de', 'en', 'es', 'fi', 'fr', 'h', 'it', 'ja'
+# 'nl', 'no', 'pt', 'ro', 'r', 'sv', 'tr'
+# html_search_language = 'en'
+
+# A dictionary with options for the search language support, empty by default.
+# Now only 'ja' uses this config value
+# html_search_options = {'type': 'default'}
+
+# The name of a javascript file (relative to the configuration directory) that
+# implements a search results scorer. If empty, the default will be used.
+# html_search_scorer = 'scorer.js'
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'openstack-ansibledoc'
+
+# -- Options for LaTeX output ---------------------------------------------
+
+latex_elements = {
+ # The paper size ('letterpaper' or 'a4paper').
+ # 'papersize': 'letterpaper',
+
+ # The font size ('10pt', '11pt' or '12pt').
+ # 'pointsize': '10pt',
+
+ # Additional stuff for the LaTeX preamble.
+ # 'preamble': '',
+
+ # Latex figure (float) alignment
+ # 'figure_align': 'htbp',
+}
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title,
+# author, documentclass [howto, manual, or own class]).
+latex_documents = [
+ (master_doc, 'openstack-ansible.tex',
+ 'openstack-ansible Documentation',
+ 'openstack-ansible contributors', 'manual'),
+]
+
+# The name of an image file (relative to this directory) to place at the top of
+# the title page.
+# latex_logo = None
+
+# For "manual" documents, if this is true, then toplevel headings are parts,
+# not chapters.
+# latex_use_parts = False
+
+# If true, show page references after internal links.
+# latex_show_pagerefs = False
+
+# If true, show URL addresses after external links.
+# latex_show_urls = False
+
+# Documents to append as an appendix to all manuals.
+# latex_appendices = []
+
+# If false, no module index is generated.
+# latex_domain_indices = True
+
+
+# -- Options for manual page output ---------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [
+ (master_doc, 'openstack-ansible',
+ 'openstack-ansible Documentation',
+ [author], 1)
+]
+
+# If true, show URL addresses after external links.
+# man_show_urls = False
+
+
+# -- Options for Texinfo output -------------------------------------------
+
+# Grouping the document tree into Texinfo files. List of tuples
+# (source start file, target name, title, author,
+# dir menu entry, description, category)
+texinfo_documents = [
+ (master_doc, 'openstack-ansible',
+ 'openstack-ansible Documentation',
+ author, 'openstack-ansible', 'One line description of project.',
+ 'Miscellaneous'),
+]
+
+# Documents to append as an appendix to all manuals.
+# texinfo_appendices = []
+
+# If false, no module index is generated.
+# texinfo_domain_indices = True
+
+# How to display URL addresses: 'footnote', 'no', or 'inline'.
+# texinfo_show_urls = 'footnote'
+
+# If true, do not generate a @detailmenu in the "Top" node's menu.
+# texinfo_no_detailmenu = False
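Review bot: `sphinx.ext.autodoc` is listed in `extensions` near the top of the hunk, but nothing in this patch's diffstat is a Python package to document, and autodoc works by importing the documented modules into the docs build process, so it is an unused extension that only widens what a docs build will execute; dropping it leaves `extensions = ['oslosphinx']`. The `html_theme = 'openstack'` / `html_theme_path = ['_themes']` pair points at an in-tree copy of the theme (the CSS and images vendored earlier in this patch) that, as far as I recall, oslosphinx already ships, so the local copy is likely to drift from upstream and is worth confirming before keeping both. The generated output names still say `openstack-ansible` (`htmlhelp_basename`, the `latex_documents`, `man_pages` and `texinfo_documents` tuples) and the texinfo entry keeps the quickstart placeholder `'One line description of project.'`; aligning them with `project = 'openstack-ansible-security'` keeps the built artifacts identifiable.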
diff --git a/doc/source/configurations-cat1.rst b/doc/source/configurations-cat1.rst
new file mode 100644
index 00000000..b735c482
--- /dev/null
+++ b/doc/source/configurations-cat1.rst
@@ -0,0 +1,1543 @@
+.. include::
+`Home `__ |raquo| Security hardening for openstack-ansible
+
+Category 1 (Low) configurations
+================================
+
+.. contents::
+ :depth: 2
+
+
+V-38649: The system default umask for the csh shell must be 077.
+----------------------------------------------------------------
+
+The umask value influences the permissions assigned to files when they are
+created. A misconfigured umask value could result in files with excessive
+permissions that can be read and/or written to by unauthorized users.
+
+Details: `V-38649 in STIG Viewer`_.
+
+.. _V-38649 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38649
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38649.rst
+
+V-38648: The qpidd service must not be running.
+-----------------------------------------------
+
+The qpidd service is automatically installed when the "base" package selection
+is selected during installation. The qpidd service listens for network
+connections which increases the attack surface of the system. If the system is
+not intended to receive AMQP traffic then the "qpidd" service is not needed
+and should be disabled or removed.
+
+Details: `V-38648 in STIG Viewer`_.
+
+.. _V-38648 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38648
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38648.rst
+
+V-38642: The system default umask for daemons must be 027 or 022.
+-----------------------------------------------------------------
+
+The umask influences the permissions assigned to files created by a process at
+run time. An unnecessarily permissive umask could result in files being
+created with insecure permissions.
+
+Details: `V-38642 in STIG Viewer`_.
+
+.. _V-38642 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38642
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38642.rst
+
+V-38641: The atd service must be disabled.
+------------------------------------------
+
+The "atd" service could be used by an unsophisticated insider to carry out
+activities outside of a normal login session, which could complicate
+accountability. Furthermore, the need to schedule tasks with "at" or "batch"
+is not common.
+
+Details: `V-38641 in STIG Viewer`_.
+
+.. _V-38641 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38641
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38641.rst
+
+V-38640: The Automatic Bug Reporting Tool (abrtd) service must not be running.
+------------------------------------------------------------------------------
+
+Mishandling crash data could expose sensitive information about
+vulnerabilities in software executing on the local machine, as well as
+sensitive information from within a process's address space or registers.
+
+Details: `V-38640 in STIG Viewer`_.
+
+.. _V-38640 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38640
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38640.rst
+
+V-38647: The system default umask in /etc/profile must be 077.
+--------------------------------------------------------------
+
+The umask value influences the permissions assigned to files when they are
+created. A misconfigured umask value could result in files with excessive
+permissions that can be read and/or written to by unauthorized users.
+
+Details: `V-38647 in STIG Viewer`_.
+
+.. _V-38647 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38647
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38647.rst
+
+V-38646: The oddjobd service must not be running.
+-------------------------------------------------
+
+The "oddjobd" service may provide necessary functionality in some environments
+but it can be disabled if it is not needed. Execution of tasks by privileged
+programs, on behalf of unprivileged ones, has traditionally been a source of
+privilege escalation security issues.
+
+Details: `V-38646 in STIG Viewer`_.
+
+.. _V-38646 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38646
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38646.rst
+
+V-38645: The system default umask in /etc/login.defs must be 077.
+-----------------------------------------------------------------
+
+The umask value influences the permissions assigned to files when they are
+created. A misconfigured umask value could result in files with excessive
+permissions that can be read and/or written to by unauthorized users.
+
+Details: `V-38645 in STIG Viewer`_.
+
+.. _V-38645 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38645
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38645.rst
+
+V-38644: The ntpdate service must not be running.
+-------------------------------------------------
+
+The "ntpdate" service may only be suitable for systems which are rebooted
+frequently enough that clock drift does not cause problems between reboots. In
+any event, the functionality of the ntpdate service is now available in the
+ntpd program and should be considered deprecated.
+
+Details: `V-38644 in STIG Viewer`_.
+
+.. _V-38644 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38644
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38644.rst
+
+V-51369: The system must use a Linux Security Module configured to limit the privileges of system services.
+-----------------------------------------------------------------------------------------------------------
+
+Setting the SELinux policy to "targeted" or a more specialized policy ensures
+the system will confine processes that are likely to be targeted for
+exploitation, such as network or system services.
+
+Details: `V-51369 in STIG Viewer`_.
+
+.. _V-51369 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-51369
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-51369.rst
+
+V-38452: The system package management tool must verify permissions on all files and directories associated with packages.
+--------------------------------------------------------------------------------------------------------------------------
+
+Permissions on system binaries and configuration files that are too generous
+could allow an unauthorized user to gain privileges that they should not have.
+The permissions set by the vendor should be maintained. Any deviations from
+this baseline should be investigated.
+
+Details: `V-38452 in STIG Viewer`_.
+
+.. _V-38452 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38452
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38452.rst
+
+V-38453: The system package management tool must verify group-ownership on all files and directories associated with packages.
+------------------------------------------------------------------------------------------------------------------------------
+
+Group-ownership of system binaries and configuration files that is incorrect
+could allow an unauthorized user to gain privileges that they should not have.
+The group-ownership set by the vendor should be maintained. Any deviations
+from this baseline should be investigated.
+
+Details: `V-38453 in STIG Viewer`_.
+
+.. _V-38453 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38453
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38453.rst
+
+V-38608: The SSH daemon must set a timeout interval on idle sessions.
+---------------------------------------------------------------------
+
+Causing idle users to be automatically logged out guards against compromises
+one system leading trivially to compromises on another.
+
+Details: `V-38608 in STIG Viewer`_.
+
+.. _V-38608 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38608
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38608.rst
+
+V-38447: The system package management tool must verify contents of all files associated with packages.
+-------------------------------------------------------------------------------------------------------
+
+The hash on important files like system executables should match the
+information given by the RPM database. Executables with erroneous hashes could
+be a sign of nefarious activity on the system.
+
+Details: `V-38447 in STIG Viewer`_.
+
+.. _V-38447 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38447
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38447.rst
+
+V-38659: The operating system must employ cryptographic mechanisms to protect information in storage.
+-----------------------------------------------------------------------------------------------------
+
+The risk of a system's physical compromise, particularly mobile systems such
+as laptops, places its data at risk of compromise. Encrypting this data
+mitigates the risk of its loss if the system is lost.
+
+Details: `V-38659 in STIG Viewer`_.
+
+.. _V-38659 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38659
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38659.rst
+
+V-38650: The rdisc service must not be running.
+-----------------------------------------------
+
+General-purpose systems typically have their network and routing information
+configured statically by a system administrator. Workstations or some special-
+purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network
+configuration information.
+
+Details: `V-38650 in STIG Viewer`_.
+
+.. _V-38650 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38650
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38650.rst
+
+V-38651: The system default umask for the bash shell must be 077.
+-----------------------------------------------------------------
+
+The umask value influences the permissions assigned to files when they are
+created. A misconfigured umask value could result in files with excessive
+permissions that can be read and/or written to by unauthorized users.
+
+Details: `V-38651 in STIG Viewer`_.
+
+.. _V-38651 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38651
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38651.rst
+
+V-38656: The system must use SMB client signing for connecting to samba servers using smbclient.
+------------------------------------------------------------------------------------------------
+
+Packet signing can prevent man-in-the-middle attacks which modify SMB packets
+in transit.
+
+Details: `V-38656 in STIG Viewer`_.
+
+.. _V-38656 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38656
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38656.rst
+
+V-38657: The system must use SMB client signing for connecting to samba servers using mount.cifs.
+-------------------------------------------------------------------------------------------------
+
+Packet signing can prevent man-in-the-middle attacks which modify SMB packets
+in transit.
+
+Details: `V-38657 in STIG Viewer`_.
+
+.. _V-38657 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38657
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38657.rst
+
+V-38437: Automated file system mounting tools must not be enabled unless needed.
+--------------------------------------------------------------------------------
+
+All filesystems that are required for the successful operation of the system
+should be explicitly listed in "/etc/fstab" by an administrator. New
+filesystems should not be arbitrarily introduced via the automounter. The
+"autofs" daemon mounts and unmounts filesystems, such as user home directories
+shared via NFS, on demand. In addition, autofs can be used to handle removable
+media, and the default configuration provides the cdrom device as "/misc/cd".
+However, this method of providing access to removable media is not common, so
+autofs can almost always be disabled if NFS is not in use. Even if NFS is
+required, it is almost always possible to configure filesystem mounts
+statically by editing "/etc/fstab" rather than relying on the automounter.
+
+Details: `V-38437 in STIG Viewer`_.
+
+.. _V-38437 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38437
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38437.rst
+
+V-51379: All device files must be monitored by the system Linux Security Module.
+--------------------------------------------------------------------------------
+
+If a device file carries the SELinux type "unlabeled_t", then SELinux cannot
+properly restrict access to the device file.
+
+Details: `V-51379 in STIG Viewer`_.
+
+.. _V-51379 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-51379
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-51379.rst
+
+V-38527: The audit system must be configured to audit all attempts to alter system time through clock_settime.
+--------------------------------------------------------------------------------------------------------------
+
+Arbitrary changes to the system time can be used to obfuscate nefarious
+activities in log files, as well as to confuse network services that are
+highly dependent upon an accurate system time (such as sshd). All changes to
+the system time should be audited.
+
+Details: `V-38527 in STIG Viewer`_.
+
+.. _V-38527 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38527
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38527.rst
+
+V-38525: The audit system must be configured to audit all attempts to alter system time through stime.
+------------------------------------------------------------------------------------------------------
+
+Arbitrary changes to the system time can be used to obfuscate nefarious
+activities in log files, as well as to confuse network services that are
+highly dependent upon an accurate system time (such as sshd). All changes to
+the system time should be audited.
+
+Details: `V-38525 in STIG Viewer`_.
+
+.. _V-38525 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38525
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38525.rst
+
+V-38522: The audit system must be configured to audit all attempts to alter system time through settimeofday.
+-------------------------------------------------------------------------------------------------------------
+
+Arbitrary changes to the system time can be used to obfuscate nefarious
+activities in log files, as well as to confuse network services that are
+highly dependent upon an accurate system time (such as sshd). All changes to
+the system time should be audited.
+
+Details: `V-38522 in STIG Viewer`_.
+
+.. _V-38522 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38522
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38522.rst
+
+V-38487: The system package management tool must cryptographically verify the authenticity of all software packages during installation.
+----------------------------------------------------------------------------------------------------------------------------------------
+
+Ensuring all packages' cryptographic signatures are valid prior to
+installation ensures the provenance of the software and protects against
+malicious tampering.
+
+Details: `V-38487 in STIG Viewer`_.
+
+.. _V-38487 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38487
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38487.rst
+
+V-38480: Users must be warned 7 days in advance of password expiration.
+-----------------------------------------------------------------------
+
+Setting the password warning age enables users to make the change at a
+practical time.
+
+Details: `V-38480 in STIG Viewer`_.
+
+.. _V-38480 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38480
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38480.rst
+
+V-38528: The system must log Martian packets.
+---------------------------------------------
+
+The presence of "martian" packets (which have impossible addresses) as well as
+spoofed packets, source-routed packets, and redirects could be a sign of
+nefarious network activity. Logging these packets enables this activity to be
+detected.
+
+Details: `V-38528 in STIG Viewer`_.
+
+.. _V-38528 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38528
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38528.rst
+
+V-38661: The operating system must protect the confidentiality and integrity of data at rest.
+----------------------------------------------------------------------------------------------
+
+The risk of a system's physical compromise, particularly mobile systems such
+as laptops, places its data at risk of compromise. Encrypting this data
+mitigates the risk of its loss if the system is lost.
+
+Details: `V-38661 in STIG Viewer`_.
+
+.. _V-38661 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38661
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38661.rst
+
+V-38662: The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures.
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+The risk of a system's physical compromise, particularly mobile systems such
+as laptops, places its data at risk of compromise. Encrypting this data
+mitigates the risk of its loss if the system is lost.
+
+Details: `V-38662 in STIG Viewer`_.
+
+.. _V-38662 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38662
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38662.rst
+
+V-38669: The postfix service must be enabled for mail delivery.
+---------------------------------------------------------------
+
+Local mail delivery is essential to some system maintenance and notification
+tasks.
+
+Details: `V-38669 in STIG Viewer`_.
+
+.. _V-38669 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38669
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38669.rst
+
+V-38467: The system must use a separate file system for the system audit data path.
+-----------------------------------------------------------------------------------
+
+Placing "/var/log/audit" in its own partition enables better separation
+between audit files and other files, and helps ensure that auditing cannot be
+halted due to the partition running out of space.
+
+Details: `V-38467 in STIG Viewer`_.
+
+.. _V-38467 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38467
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38467.rst
+
+V-38463: The system must use a separate file system for /var/log.
+-----------------------------------------------------------------
+
+Placing "/var/log" in its own partition enables better separation between log
+files and other files in "/var/".
+
+Details: `V-38463 in STIG Viewer`_.
+
+.. _V-38463 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38463
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38463.rst
+
+V-38460: The NFS server must not have the all_squash option enabled.
+--------------------------------------------------------------------
+
+The "all_squash" option maps all client requests to a single anonymous uid/gid
+on the NFS server, negating the ability to track file access by user ID.
+
+Details: `V-38460 in STIG Viewer`_.
+
+.. _V-38460 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38460
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38460.rst
+
+V-38702: The FTP daemon must be configured for logging or verbose mode.
+-----------------------------------------------------------------------
+
+To trace malicious activity facilitated by the FTP service, it must be
+configured to ensure that all commands sent to the ftp server are logged using
+the verbose vsftpd log format. The default vsftpd log file is
+/var/log/vsftpd.log.
+
+Details: `V-38702 in STIG Viewer`_.
+
+.. _V-38702 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38702
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38702.rst
+
+V-38552: The audit system must be configured to audit all discretionary access control permission modifications using fchown.
+-----------------------------------------------------------------------------------------------------------------------------
+
+The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC
+modifications can facilitate the identification of patterns of abuse among
+both authorized and unauthorized users.
+
+Details: `V-38552 in STIG Viewer`_.
+
+.. _V-38552 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38552
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38552.rst
+
+V-38550: The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.
+-------------------------------------------------------------------------------------------------------------------------------
+
+The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC
+modifications can facilitate the identification of patterns of abuse among
+both authorized and unauthorized users.
+
+Details: `V-38550 in STIG Viewer`_.
+
+.. _V-38550 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38550
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38550.rst
+
+V-38557: The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.
+--------------------------------------------------------------------------------------------------------------------------------
+
+The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC
+modifications can facilitate the identification of patterns of abuse among
+both authorized and unauthorized users.
+
+Details: `V-38557 in STIG Viewer`_.
+
+.. _V-38557 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38557
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38557.rst
+
+V-38556: The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.
+-----------------------------------------------------------------------------------------------------------------------------------
+
+The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC
+modifications can facilitate the identification of patterns of abuse among
+both authorized and unauthorized users.
+
+Details: `V-38556 in STIG Viewer`_.
+
+.. _V-38556 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38556
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38556.rst
+
+V-38554: The audit system must be configured to audit all discretionary access control permission modifications using fchownat.
+-------------------------------------------------------------------------------------------------------------------------------
+
+The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC
+modifications can facilitate the identification of patterns of abuse among
+both authorized and unauthorized users.
+
+Details: `V-38554 in STIG Viewer`_.
+
+.. _V-38554 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38554
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38554.rst
+
+V-38559: The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.
+-----------------------------------------------------------------------------------------------------------------------------------
+
+The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC
+modifications can facilitate the identification of patterns of abuse among
+both authorized and unauthorized users.
+
+Details: `V-38559 in STIG Viewer`_.
+
+.. _V-38559 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38559
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38559.rst
+
+V-38558: The audit system must be configured to audit all discretionary access control permission modifications using lchown.
+-----------------------------------------------------------------------------------------------------------------------------
+
+The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed.
Auditing DAC +modifications can facilitate the identification of patterns of abuse among +both authorized and unauthorized users. + +Details: `V-38558 in STIG Viewer`_. + +.. _V-38558 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38558 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38558.rst + +V-38494: The system must prevent the root account from logging in from serial consoles. +--------------------------------------------------------------------------------------- + +Preventing direct root login to serial port interfaces helps ensure +accountability for actions taken on the systems using the root account. + +Details: `V-38494 in STIG Viewer`_. + +.. _V-38494 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38494 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38494.rst + +V-38672: The netconsole service must be disabled unless required. +----------------------------------------------------------------- + +The "netconsole" service is not necessary unless there is a need to debug +kernel panics, which is not common. + +Details: `V-38672 in STIG Viewer`_. + +.. _V-38672 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38672 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38672.rst + +V-38676: The xorg-x11-server-common (X Windows) package must not be installed, unless required. +----------------------------------------------------------------------------------------------- + +Unnecessary packages should not be installed to decrease the attack surface of +the system. + +Details: `V-38676 in STIG Viewer`_. + +.. _V-38676 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38676 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38676.rst + +V-38675: Process core dumps must be disabled unless needed. 
+----------------------------------------------------------- + +A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data and +is generally useful only for developers trying to debug problems. + +Details: `V-38675 in STIG Viewer`_. + +.. _V-38675 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38675 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38675.rst + +V-38474: The system must allow locking of graphical desktop sessions. +--------------------------------------------------------------------- + +The ability to lock graphical desktop sessions manually allows users to easily +secure their accounts should they need to depart from their workstations +temporarily. + +Details: `V-38474 in STIG Viewer`_. + +.. _V-38474 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38474 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38474.rst + +V-38471: The system must forward audit records to the syslog service. +--------------------------------------------------------------------- + +The auditd service does not include the ability to send audit records to a +centralized server for management directly. It does, however, include an +audit event multiplexor plugin (audispd) to pass audit records to the local +syslog server. + +Details: `V-38471 in STIG Viewer`_. + +.. _V-38471 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38471 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38471.rst + +V-38473: The system must use a separate file system for user home directories. 
+------------------------------------------------------------------------------ + +Ensuring that "/home" is mounted on its own partition enables the setting of +more restrictive mount options, and also helps ensure that users cannot +trivially fill partitions used for log or audit data storage. + +Details: `V-38473 in STIG Viewer`_. + +.. _V-38473 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38473 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38473.rst + +V-38536: The operating system must automatically audit account disabling actions. +--------------------------------------------------------------------------------- + +In addition to auditing new user and group accounts, these watches will alert +the system administrator(s) to any modifications. Any unexpected users, +groups, or modifications should be investigated for legitimacy. + +Details: `V-38536 in STIG Viewer`_. + +.. _V-38536 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38536 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38536.rst + +V-38478: The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite. +--------------------------------------------------------------------------------------------------------------- + +Although systems management and patching is extremely important to system +security, management by a system outside the enterprise enclave is not +desirable for some environments. However, if the system is being managed by +RHN or RHN Satellite Server the "rhnsd" daemon can remain on. + +Details: `V-38478 in STIG Viewer`_. + +.. _V-38478 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38478 + +Developer Notes +~~~~~~~~~~~~~~~ +.. 
include:: developer-notes/V-38478.rst + +V-38540: The audit system must be configured to audit modifications to the systems network configuration. +--------------------------------------------------------------------------------------------------------- + +The network environment should not be modified by anything other than +administrator action. Any change to network parameters should be audited. + +Details: `V-38540 in STIG Viewer`_. + +.. _V-38540 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38540 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38540.rst + +V-38541: The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux). +------------------------------------------------------------------------------------------------------------------------------------------ + +The system's mandatory access policy (SELinux) should not be arbitrarily +changed by anything other than administrator action. All changes to MAC policy +should be audited. + +Details: `V-38541 in STIG Viewer`_. + +.. _V-38541 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38541 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38541.rst + +V-38543: The audit system must be configured to audit all discretionary access control permission modifications using chmod. +---------------------------------------------------------------------------------------------------------------------------- + +The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC +modifications can facilitate the identification of patterns of abuse among +both authorized and unauthorized users. + +Details: `V-38543 in STIG Viewer`_. + +.. 
_V-38543 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38543 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38543.rst + +V-38547: The audit system must be configured to audit all discretionary access control permission modifications using fchmod. +----------------------------------------------------------------------------------------------------------------------------- + +The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC +modifications can facilitate the identification of patterns of abuse among +both authorized and unauthorized users. + +Details: `V-38547 in STIG Viewer`_. + +.. _V-38547 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38547 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38547.rst + +V-38482: The system must require passwords to contain at least one numeric character. +------------------------------------------------------------------------------------- + +Requiring digits makes password guessing attacks more difficult by ensuring a +larger search space. + +Details: `V-38482 in STIG Viewer`_. + +.. _V-38482 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38482 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38482.rst + +V-38454: The system package management tool must verify ownership on all files and directories associated with packages. +------------------------------------------------------------------------------------------------------------------------ + +Ownership of system binaries and configuration files that is incorrect could +allow an unauthorized user to gain privileges that they should not have. The +ownership set by the vendor should be maintained. Any deviations from this +baseline should be investigated. 
+ +Details: `V-38454 in STIG Viewer`_. + +.. _V-38454 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38454 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38454.rst + +V-38687: The system must provide VPN connectivity for communications over untrusted networks. +--------------------------------------------------------------------------------------------- + +Providing the ability for remote users or systems to initiate a secure VPN +connection protects information when it is transmitted over a wide area +network. + +Details: `V-38687 in STIG Viewer`_. + +.. _V-38687 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38687 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38687.rst + +V-38685: Temporary accounts must be provisioned with an expiration date. +------------------------------------------------------------------------ + +When temporary accounts are created, there is a risk they may remain in place +and active after the need for them no longer exists. Account expiration +greatly reduces the risk of accounts being misused or hijacked. + +Details: `V-38685 in STIG Viewer`_. + +.. _V-38685 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38685 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38685.rst + +V-38684: The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements. +--------------------------------------------------------------------------------------------------------------------------------------------- + +Limiting simultaneous user logins can insulate the system from denial of +service problems caused by excessive logins. Automated login processes +operating improperly or maliciously may result in an exceptional number of +simultaneous login sessions. 
+ +Details: `V-38684 in STIG Viewer`_. + +.. _V-38684 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38684 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38684.rst + +V-38683: All accounts on the system must have unique user or account names +-------------------------------------------------------------------------- + +Unique usernames allow for accountability on the system. + +Details: `V-38683 in STIG Viewer`_. + +.. _V-38683 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38683 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38683.rst + +V-38681: All GIDs referenced in /etc/passwd must be defined in /etc/group +------------------------------------------------------------------------- + +Inconsistency in GIDs between /etc/passwd and /etc/group could lead to a user +having unintended rights. + +Details: `V-38681 in STIG Viewer`_. + +.. _V-38681 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38681 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38681.rst + +V-38530: The audit system must be configured to audit all attempts to alter system time through /etc/localtime. +--------------------------------------------------------------------------------------------------------------- + +Arbitrary changes to the system time can be used to obfuscate nefarious +activities in log files, as well as to confuse network services that are +highly dependent upon an accurate system time (such as sshd). All changes to +the system time should be audited. + +Details: `V-38530 in STIG Viewer`_. + +.. _V-38530 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38530 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38530.rst + +V-38578: The audit system must be configured to audit changes to the /etc/sudoers file. 
+--------------------------------------------------------------------------------------- + +The actions taken by system administrators should be audited to keep a record +of what was executed on the system, as well as, for accountability purposes. + +Details: `V-38578 in STIG Viewer`_. + +.. _V-38578 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38578 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38578.rst + +V-38575: The audit system must be configured to audit user deletions of files and programs. +------------------------------------------------------------------------------------------- + +Auditing file deletions will create an audit trail for files that are removed +from the system. The audit trail could aid in system troubleshooting, as well +as detecting malicious processes that attempt to delete log files to conceal +their presence. + +Details: `V-38575 in STIG Viewer`_. + +.. _V-38575 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38575 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38575.rst + +V-38571: The system must require passwords to contain at least one lowercase alphabetic character. +-------------------------------------------------------------------------------------------------- + +Requiring a minimum number of lowercase characters makes password guessing +attacks more difficult by ensuring a larger search space. + +Details: `V-38571 in STIG Viewer`_. + +.. _V-38571 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38571 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38571.rst + +V-38572: The system must require at least four characters be changed between the old and new passwords during a password change. 
+-------------------------------------------------------------------------------------------------------------------------------- + +Requiring a minimum number of different characters during password changes +ensures that newly changed passwords should not resemble previously +compromised ones. Note that passwords which are changed on compromised systems +will still be compromised, however. + +Details: `V-38572 in STIG Viewer`_. + +.. _V-38572 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38572 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38572.rst + +V-38699: All public directories must be owned by a system account. +------------------------------------------------------------------ + +Allowing a user account to own a world-writable directory is undesirable +because it allows the owner of that directory to remove or replace any files +that may be placed in the directory by other users. + +Details: `V-38699 in STIG Viewer`_. + +.. _V-38699 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38699 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38699.rst + +V-38516: The Reliable Datagram Sockets (RDS) protocol must be disabled unless required. +--------------------------------------------------------------------------------------- + +Disabling RDS protects the system against exploitation of any flaws in its +implementation. + +Details: `V-38516 in STIG Viewer`_. + +.. _V-38516 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38516 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38516.rst + +V-38690: Emergency accounts must be provisioned with an expiration date. 
+ +------------------------------------------------------------------------- + +When emergency accounts are created, there is a risk they may remain in place +and active after the need for them no longer exists. Account expiration +greatly reduces the risk of accounts being misused or hijacked. + +Details: `V-38690 in STIG Viewer`_. + +.. _V-38690 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38690 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38690.rst + +V-38693: The system must require passwords to contain no more than three consecutive repeating characters. +---------------------------------------------------------------------------------------------------------- + +Passwords with excessive repeating characters may be more vulnerable to +password-guessing attacks. + +Details: `V-38693 in STIG Viewer`_. + +.. _V-38693 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38693 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38693.rst + +V-38590: The system must allow locking of the console screen in text mode. +-------------------------------------------------------------------------- + +Installing "screen" ensures a console locking capability is available for +users who may need to suspend console logins. + +Details: `V-38590 in STIG Viewer`_. + +.. _V-38590 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38590 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38590.rst + +V-38456: The system must use a separate file system for /var. +------------------------------------------------------------- + +Ensuring that "/var" is mounted on its own partition enables the setting of +more restrictive mount options. This helps protect system services such as +daemons or other programs which use it. 
It is not uncommon for the "/var" +directory to contain world-writable directories, installed by other software +packages. + +Details: `V-38456 in STIG Viewer`_. + +.. _V-38456 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38456 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38456.rst + +V-38455: The system must use a separate file system for /tmp. +------------------------------------------------------------- + +The "/tmp" partition is used as temporary storage by many programs. Placing +"/tmp" in its own partition enables the setting of more restrictive mount +options, which can help protect programs which use it. + +Details: `V-38455 in STIG Viewer`_. + +.. _V-38455 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38455 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38455.rst + +V-38618: The avahi service must be disabled. +-------------------------------------------- + +Because the Avahi daemon service keeps an open network port, it is subject to +network attacks. Its functionality is convenient but is only appropriate if +the local network can be trusted. + +Details: `V-38618 in STIG Viewer`_. + +.. _V-38618 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38618 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38618.rst + +V-38570: The system must require passwords to contain at least one special character. +------------------------------------------------------------------------------------- + +Requiring a minimum number of special characters makes password guessing +attacks more difficult by ensuring a larger search space. + +Details: `V-38570 in STIG Viewer`_. + +.. _V-38570 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38570 + +Developer Notes +~~~~~~~~~~~~~~~ +.. 
include:: developer-notes/V-38570.rst + +V-38568: The audit system must be configured to audit successful file system mounts. +------------------------------------------------------------------------------------ + +The unauthorized exportation of data to external media could result in an +information leak where classified information, Privacy Act information, and +intellectual property could be lost. An audit trail should be created each +time a filesystem is mounted to help identify and guard against information +loss. + +Details: `V-38568 in STIG Viewer`_. + +.. _V-38568 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38568 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38568.rst + +V-38569: The system must require passwords to contain at least one uppercase alphabetic character. +-------------------------------------------------------------------------------------------------- + +Requiring a minimum number of uppercase characters makes password guessing +attacks more difficult by ensuring a larger search space. + +Details: `V-38569 in STIG Viewer`_. + +.. _V-38569 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38569 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38569.rst + +V-38561: The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr. +-------------------------------------------------------------------------------------------------------------------------------- + +The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC +modifications can facilitate the identification of patterns of abuse among +both authorized and unauthorized users. + +Details: `V-38561 in STIG Viewer`_. + +.. 
_V-38561 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38561 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38561.rst + +V-38566: The audit system must be configured to audit failed attempts to access files and programs. +--------------------------------------------------------------------------------------------------- + +Unsuccessful attempts to access files could be an indicator of malicious +activity on a system. Auditing these events could serve as evidence of +potential system compromise. + +Details: `V-38566 in STIG Viewer`_. + +.. _V-38566 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38566 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38566.rst + +V-38567: The audit system must be configured to audit all use of setuid and setgid programs. +-------------------------------------------------------------------------------------------- + +Privileged programs are subject to escalation-of-privilege attacks, which +attempt to subvert their normal role of providing some necessary but limited +capability. As such, motivation exists to monitor these programs for unusual +activity. + +Details: `V-38567 in STIG Viewer`_. + +.. _V-38567 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38567 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38567.rst + +V-38565: The audit system must be configured to audit all discretionary access control permission modifications using setxattr. +------------------------------------------------------------------------------------------------------------------------------- + +The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. 
Auditing DAC
+modifications can facilitate the identification of patterns of abuse among
+both authorized and unauthorized users.
+
+Details: `V-38565 in STIG Viewer`_.
+
+.. _V-38565 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38565
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38565.rst
+
+V-38537: The system must ignore ICMPv4 bogus error responses.
+-------------------------------------------------------------
+
+Ignoring bogus ICMP error responses reduces log size, although some activity
+would not be logged.
+
+Details: `V-38537 in STIG Viewer`_.
+
+.. _V-38537 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38537
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38537.rst
+
+V-38624: System logs must be rotated daily.
+-------------------------------------------
+
+Log files that are not properly rotated run the risk of growing so large that
+they fill up the /var/log partition. Valuable logging information could be
+lost if the /var/log partition becomes full.
+
+Details: `V-38624 in STIG Viewer`_.
+
+.. _V-38624 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38624
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38624.rst
+
+V-38627: The openldap-servers package must not be installed unless required.
+----------------------------------------------------------------------------
+
+Unnecessary packages should not be installed to decrease the attack surface of
+the system.
+
+Details: `V-38627 in STIG Viewer`_.
+
+.. _V-38627 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38627
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38627.rst
+
+V-38584: The xinetd service must be uninstalled if no network services utilizing it are enabled.
+------------------------------------------------------------------------------------------------
+
+Removing the "xinetd" package decreases the risk of the xinetd service's
+accidental (or intentional) activation.
+
+Details: `V-38584 in STIG Viewer`_.
+
+.. _V-38584 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38584
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38584.rst
+
+V-38694: The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+Disabling inactive accounts ensures that accounts which may not have been
+responsibly removed are not available to attackers who may have compromised
+their credentials.
+
+Details: `V-38694 in STIG Viewer`_.
+
+.. _V-38694 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38694
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38694.rst
+
+V-38545: The audit system must be configured to audit all discretionary access control permission modifications using chown.
+----------------------------------------------------------------------------------------------------------------------------
+
+The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC
+modifications can facilitate the identification of patterns of abuse among
+both authorized and unauthorized users.
+
+Details: `V-38545 in STIG Viewer`_.
+
+.. _V-38545 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38545
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38545.rst
+
+V-38538: The operating system must automatically audit account termination.
+---------------------------------------------------------------------------
+
+In addition to auditing new user and group accounts, these watches will alert
+the system administrator(s) to any modifications. Any unexpected users,
+groups, or modifications should be investigated for legitimacy.
+
+Details: `V-38538 in STIG Viewer`_.
+
+.. _V-38538 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38538
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38538.rst
+
+V-38697: The sticky bit must be set on all public directories.
+--------------------------------------------------------------
+
+Failing to set the sticky bit on public directories allows unauthorized users
+to delete files in the directory structure. The only authorized public
+directories are those temporary directories supplied with the system, or those
+designed to be temporary file repositories. The setting is normally reserved
+for directories used by the system, and by users for temporary file storage -
+such as /tmp - and for directories requiring global read/write access.
+
+Details: `V-38697 in STIG Viewer`_.
+
+.. _V-38697 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38697
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38697.rst
+
+V-38531: The operating system must automatically audit account creation.
+------------------------------------------------------------------------
+
+In addition to auditing new user and group accounts, these watches will alert
+the system administrator(s) to any modifications. Any unexpected users,
+groups, or modifications should be investigated for legitimacy.
+
+Details: `V-38531 in STIG Viewer`_.
+
+.. _V-38531 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38531
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38531.rst
+
+V-38533: The system must ignore ICMPv4 redirect messages by default.
+--------------------------------------------------------------------
+
+This feature of the IPv4 protocol has few legitimate uses. It should be
+disabled unless it is absolutely required.
+
+Details: `V-38533 in STIG Viewer`_.
+
+.. _V-38533 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38533
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38533.rst
+
+V-38535: The system must not respond to ICMPv4 sent to a broadcast address.
+---------------------------------------------------------------------------
+
+Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses
+makes the system slightly more difficult to enumerate on the network.
+
+Details: `V-38535 in STIG Viewer`_.
+
+.. _V-38535 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38535
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38535.rst
+
+V-38534: The operating system must automatically audit account modification.
+----------------------------------------------------------------------------
+
+In addition to auditing new user and group accounts, these watches will alert
+the system administrator(s) to any modifications. Any unexpected users,
+groups, or modifications should be investigated for legitimacy.
+
+Details: `V-38534 in STIG Viewer`_.
+
+.. _V-38534 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38534
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38534.rst
+
+V-38655: The noexec option must be added to removable media partitions.
+-----------------------------------------------------------------------
+
+Allowing users to execute binaries from removable media such as USB keys
+exposes the system to potential compromise.
+
+Details: `V-38655 in STIG Viewer`_.
+
+.. _V-38655 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38655
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38655.rst
+
+V-38438: Auditing must be enabled at boot by setting a kernel parameter.
+------------------------------------------------------------------------
+
+Each process on the system carries an "auditable" flag which indicates whether
+its activities can be audited. Although "auditd" takes care of enabling this
+for all processes which launch after it does, adding the kernel argument
+ensures it is set for every process during boot.
+
+Details: `V-38438 in STIG Viewer`_.
+
+.. _V-38438 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38438
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38438.rst
+
+V-38692: Accounts must be locked upon 35 days of inactivity.
+------------------------------------------------------------
+
+Disabling inactive accounts ensures that accounts which may not have been
+responsibly removed are not available to attackers who may have compromised
+their credentials.
+
+Details: `V-38692 in STIG Viewer`_.
+
+.. _V-38692 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38692
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38692.rst
+
+V-38639: The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
+-----------------------------------------------------------------------------------------------------------------
+
+Setting the screensaver mode to blank-only conceals the contents of the
+display from passersby.
+
+Details: `V-38639 in STIG Viewer`_.
+
+.. _V-38639 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38639
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38639.rst
+
+V-38635: The audit system must be configured to audit all attempts to alter system time through adjtimex.
+---------------------------------------------------------------------------------------------------------
+
+Arbitrary changes to the system time can be used to obfuscate nefarious
+activities in log files, as well as to confuse network services that are
+highly dependent upon an accurate system time (such as sshd). All changes to
+the system time should be audited.
+
+Details: `V-38635 in STIG Viewer`_.
+
+.. _V-38635 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38635
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38635.rst
+
+V-38616: The SSH daemon must not permit user environment settings.
+------------------------------------------------------------------
+
+SSH environment options potentially allow users to bypass access restriction
+in some configurations.
+
+Details: `V-38616 in STIG Viewer`_.
+
+.. _V-38616 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38616
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38616.rst
+
+V-38563: The audit system must be configured to audit all discretionary access control permission modifications using removexattr.
+----------------------------------------------------------------------------------------------------------------------------------
+
+The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC
+modifications can facilitate the identification of patterns of abuse among
+both authorized and unauthorized users.
+
+Details: `V-38563 in STIG Viewer`_.
+
+.. _V-38563 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38563
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38563.rst
+
+V-38610: The SSH daemon must set a timeout count on idle sessions.
+------------------------------------------------------------------
+
+This ensures a user login will be terminated as soon as the
+"ClientAliveCountMax" is reached.
+
+Details: `V-38610 in STIG Viewer`_.
+
+.. _V-38610 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38610
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38610.rst
diff --git a/doc/source/configurations-cat2.rst b/doc/source/configurations-cat2.rst
new file mode 100644
index 00000000..49ca1490
--- /dev/null
+++ b/doc/source/configurations-cat2.rst
@@ -0,0 +1,2194 @@
+.. include::
+`Home `__ |raquo| Security hardening for openstack-ansible
+
+Category 2 (Medium) configurations
+================================
+
+.. contents::
+   :depth: 2
+
+
+V-38612: The SSH daemon must not allow host-based authentication.
+-----------------------------------------------------------------
+
+SSH trust relationships mean a compromise on one host can allow an attacker to
+move trivially to other hosts.
+
+Details: `V-38612 in STIG Viewer`_.
+
+.. _V-38612 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38612
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38612.rst
+
+V-38580: The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
+----------------------------------------------------------------------------------------------------------
+
+The addition/removal of kernel modules can be used to alter the behavior of
+the kernel and potentially introduce malicious code into kernel space. It is
+important to have an audit trail of modules that have been introduced into the
+kernel.
+
+Details: `V-38580 in STIG Viewer`_.
+
+.. _V-38580 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38580
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38580.rst
+
+V-38459: The /etc/group file must be group-owned by root.
+---------------------------------------------------------
+
+The "/etc/group" file contains information regarding groups that are
+configured on the system. Protection of this file is important for system
+security.
+
+Details: `V-38459 in STIG Viewer`_.
+
+.. _V-38459 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38459
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38459.rst
+
+V-38643: There must be no world-writable files on the system.
+-------------------------------------------------------------
+
+Data in world-writable files can be modified by any user on the system. In
+almost all circumstances, files can be configured using a combination of user
+and group permissions to support whatever legitimate access is needed without
+the risk caused by world-writable files.
+
+Details: `V-38643 in STIG Viewer`_.
+
+.. _V-38643 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38643
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38643.rst
+
+V-38551: The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+The "ip6tables" service provides the system's host-based firewalling
+capability for IPv6 and ICMPv6.
+
+Details: `V-38551 in STIG Viewer`_.
+
+.. _V-38551 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38551
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38551.rst
+
+V-51363: The system must use a Linux Security Module configured to enforce limits on system services.
+-----------------------------------------------------------------------------------------------------
+
+Setting the SELinux state to enforcing ensures SELinux is able to confine
+potentially compromised processes to the security policy, which is designed to
+prevent them from causing damage to the system or further elevating their
+privileges.
+
+Details: `V-51363 in STIG Viewer`_.
+
+.. _V-51363 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-51363
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-51363.rst
+
+V-38499: The /etc/passwd file must not contain password hashes.
+---------------------------------------------------------------
+
+The hashes for all user account passwords should be stored in the file
+"/etc/shadow" and never in "/etc/passwd", which is readable by all users.
+
+Details: `V-38499 in STIG Viewer`_.
+
+.. _V-38499 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38499
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38499.rst
+
+V-38450: The /etc/passwd file must be owned by root.
+----------------------------------------------------
+
+The "/etc/passwd" file contains information about the users that are
+configured on the system. Protection of this file is critical for system
+security.
+
+Details: `V-38450 in STIG Viewer`_.
+
+.. _V-38450 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38450
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38450.rst
+
+V-38581: The system boot loader configuration file(s) must be group-owned by root.
+----------------------------------------------------------------------------------
+
+The "root" group is a highly-privileged group. Furthermore, the group-owner of
+this file should not have any access privileges anyway.
+
+Details: `V-38581 in STIG Viewer`_.
+
+.. _V-38581 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38581
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38581.rst
+
+V-38451: The /etc/passwd file must be group-owned by root.
+----------------------------------------------------------
+
+The "/etc/passwd" file contains information about the users that are
+configured on the system. Protection of this file is critical for system
+security.
+
+Details: `V-38451 in STIG Viewer`_.
+
+.. _V-38451 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38451
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38451.rst
+
+V-38458: The /etc/group file must be owned by root.
+---------------------------------------------------
+
+The "/etc/group" file contains information regarding groups that are
+configured on the system. Protection of this file is important for system
+security.
+
+Details: `V-38458 in STIG Viewer`_.
+
+.. _V-38458 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38458
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38458.rst
+
+V-38658: The system must prohibit the reuse of passwords within twenty-four iterations.
+---------------------------------------------------------------------------------------
+
+Preventing reuse of previous passwords helps ensure that a compromised
+password is not reused by a user.
+
+Details: `V-38658 in STIG Viewer`_.
+
+.. _V-38658 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38658
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38658.rst
+
+V-38582: The xinetd service must be disabled if no network services utilizing it are enabled.
+---------------------------------------------------------------------------------------------
+
+The xinetd service provides a dedicated listener service for some programs,
+which is no longer necessary for commonly-used network services. Disabling it
+ensures that these uncommon services are not running, and also prevents
+attacks against xinetd itself.
+
+Details: `V-38582 in STIG Viewer`_.
+
+.. _V-38582 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38582
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38582.rst
+
+V-38652: Remote file systems must be mounted with the nodev option.
+-------------------------------------------------------------------
+
+Legitimate device files should only exist in the /dev directory. NFS mounts
+should not present device files to users.
+
+Details: `V-38652 in STIG Viewer`_.
+
+.. _V-38652 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38652
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38652.rst
+
+V-38654: Remote file systems must be mounted with the nosuid option.
+--------------------------------------------------------------------
+
+NFS mounts should not present suid binaries to users. Only vendor-supplied
+suid executables should be installed to their default location on the local
+filesystem.
+
+Details: `V-38654 in STIG Viewer`_.
+
+.. _V-38654 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38654
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38654.rst
+
+V-38490: The operating system must enforce requirements for the connection of mobile devices to operating systems.
+------------------------------------------------------------------------------------------------------------------
+
+USB storage devices such as thumb drives can be used to introduce unauthorized
+software and other vulnerabilities. Support for these devices should be
+disabled and the devices themselves should be tightly controlled.
+
+Details: `V-38490 in STIG Viewer`_.
+
+.. _V-38490 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38490
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38490.rst
+
+V-38443: The /etc/gshadow file must be owned by root.
+-----------------------------------------------------
+
+The "/etc/gshadow" file contains group password hashes. Protection of this
+file is critical for system security.
+
+Details: `V-38443 in STIG Viewer`_.
+
+.. _V-38443 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38443
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38443.rst
+
+V-38526: The system must not accept ICMPv4 secure redirect packets on any interface.
+------------------------------------------------------------------------------------
+
+Accepting "secure" ICMP redirects (from those gateways listed as default
+gateways) has few legitimate uses. It should be disabled unless it is
+absolutely required.
+
+Details: `V-38526 in STIG Viewer`_.
+
+.. _V-38526 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38526
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38526.rst
+
+V-38524: The system must not accept ICMPv4 redirect packets on any interface.
+-----------------------------------------------------------------------------
+
+Accepting ICMP redirects has few legitimate uses. It should be disabled unless
+it is absolutely required.
+
+Details: `V-38524 in STIG Viewer`_.
+
+.. _V-38524 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38524
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38524.rst
+
+V-38488: The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+Operating system backup is a critical step in maintaining data assurance and
+availability. User-level information is data generated by information system
+and/or application users. Backups shall be consistent with organizational
+recovery time and recovery point objectives.
+
+Details: `V-38488 in STIG Viewer`_.
+
+.. _V-38488 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38488
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38488.rst
+
+V-38520: The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.
+-------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+A log server (loghost) receives syslog messages from one or more systems. This
+data can be used as an additional log source in the event a system is
+compromised and its local logs are suspect. Forwarding log messages to a
+remote loghost also provides system administrators with a centralized place to
+view the status of multiple hosts within the enterprise.
+
+Details: `V-38520 in STIG Viewer`_.
+
+.. _V-38520 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38520
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38520.rst
+
+V-38521: The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+A log server (loghost) receives syslog messages from one or more systems. This
+data can be used as an additional log source in the event a system is
+compromised and its local logs are suspect. Forwarding log messages to a
+remote loghost also provides system administrators with a centralized place to
+view the status of multiple hosts within the enterprise.
+
+Details: `V-38521 in STIG Viewer`_.
+
+.. _V-38521 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38521
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38521.rst
+
+V-38484: The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh.
+-------------------------------------------------------------------------------------------------------------------------------------
+
+Users need to be aware of activity that occurs regarding their account.
+Providing users with information regarding the date and time of their last
+successful login allows the user to determine if any unauthorized activity has
+occurred and gives them an opportunity to notify administrators. At ssh
+login, a user must be presented with the last successful login date and time.
+
+Details: `V-38484 in STIG Viewer`_.
+
+.. _V-38484 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38484
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38484.rst
+
+V-38486: The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+Operating system backup is a critical step in maintaining data assurance and
+availability. System-level information includes system-state information,
+operating system and application software, and licenses. Backups must be
+consistent with organizational recovery time and recovery point objectives.
+
+Details: `V-38486 in STIG Viewer`_.
+
+.. _V-38486 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38486
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38486.rst
+
+V-38481: System security patches and updates must be installed and up-to-date.
+------------------------------------------------------------------------------
+
+Installing software updates is a fundamental mitigation against the
+exploitation of publicly-known vulnerabilities.
+
+Details: `V-38481 in STIG Viewer`_.
+
+.. _V-38481 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38481
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38481.rst
+
+V-38529: The system must not accept IPv4 source-routed packets by default.
+--------------------------------------------------------------------------
+
+Accepting source-routed packets in the IPv4 protocol has few legitimate uses.
+It should be disabled unless it is absolutely required.
+
+Details: `V-38529 in STIG Viewer`_.
+
+.. _V-38529 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38529
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38529.rst
+
+V-38665: The system package management tool must verify group-ownership on all files and directories associated with the audit package.
+---------------------------------------------------------------------------------------------------------------------------------------
+
+Group-ownership of audit binaries and configuration files that is incorrect
+could allow an unauthorized user to gain privileges that they should not have.
+The group-ownership set by the vendor should be maintained. Any deviations
+from this baseline should be investigated.
+
+Details: `V-38665 in STIG Viewer`_.
+
+.. _V-38665 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38665
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38665.rst
+
+V-38664: The system package management tool must verify ownership on all files and directories associated with the audit package.
+---------------------------------------------------------------------------------------------------------------------------------
+
+Ownership of audit binaries and configuration files that is incorrect could
+allow an unauthorized user to gain privileges that they should not have. The
+ownership set by the vendor should be maintained. Any deviations from this
+baseline should be investigated.
+
+Details: `V-38664 in STIG Viewer`_.
+
+.. _V-38664 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38664
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38664.rst
+
+V-38667: The system must have a host-based intrusion detection tool installed.
+------------------------------------------------------------------------------
+
+Adding host-based intrusion detection tools can provide the capability to
+automatically take actions in response to malicious behavior, which can
+provide additional agility in reacting to network threats. These tools also
+often include a reporting capability to provide network awareness of system,
+which may not otherwise exist in an organization's systems management regime.
+
+Details: `V-38667 in STIG Viewer`_.
+
+.. _V-38667 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38667
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38667.rst
+
+V-38660: The snmpd service must use only SNMP protocol version 3 or newer.
+--------------------------------------------------------------------------
+
+Earlier versions of SNMP are considered insecure, as they potentially allow
+unauthorized access to detailed system management information.
+
+Details: `V-38660 in STIG Viewer`_.
+
+.. _V-38660 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38660
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38660.rst
+
+V-38663: The system package management tool must verify permissions on all files and directories associated with the audit package.
+-----------------------------------------------------------------------------------------------------------------------------------
+
+Permissions on audit binaries and configuration files that are too generous
+could allow an unauthorized user to gain privileges that they should not have.
+The permissions set by the vendor should be maintained. Any deviations from
+this baseline should be investigated.
+
+Details: `V-38663 in STIG Viewer`_.
+
+.. _V-38663 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38663
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38663.rst
+
+V-38446: The mail system must forward all mail for root to one or more system administrators.
+---------------------------------------------------------------------------------------------
+
+A number of system services utilize email messages sent to the root user to
+notify system administrators of active or impending issues. These messages
+must be forwarded to at least one monitored email address.
+
+Details: `V-38446 in STIG Viewer`_.
+
+.. _V-38446 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38446
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38446.rst
+
+V-38466: Library files must be owned by root.
+---------------------------------------------
+
+Files from shared library directories are loaded into the address space of
+processes (including privileged ones) or of the kernel itself at runtime.
+Proper ownership is necessary to protect the integrity of the system.
+
+Details: `V-38466 in STIG Viewer`_.
+
+.. _V-38466 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38466
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38466.rst
+
+V-38465: Library files must have mode 0755 or less permissive.
+--------------------------------------------------------------
+
+Files from shared library directories are loaded into the address space of
+processes (including privileged ones) or of the kernel itself at runtime.
+Restrictive permissions are necessary to protect the integrity of the system.
+
+Details: `V-38465 in STIG Viewer`_.
+
+.. _V-38465 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38465
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38465.rst
+
+V-38464: The audit system must take appropriate action when there are disk errors on the audit storage volume.
+--------------------------------------------------------------------------------------------------------------
+
+Taking appropriate action in case of disk errors will minimize the possibility
+of losing audit records.
+
+Details: `V-38464 in STIG Viewer`_.
+
+.. _V-38464 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38464
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38464.rst
+
+V-38461: The /etc/group file must have mode 0644 or less permissive.
+--------------------------------------------------------------------
+
+The "/etc/group" file contains information regarding groups that are
+configured on the system. Protection of this file is important for system
+security.
+
+Details: `V-38461 in STIG Viewer`_.
+
+.. _V-38461 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38461
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38461.rst
+
+V-38492: The system must prevent the root account from logging in from virtual consoles.
+----------------------------------------------------------------------------------------
+
+Preventing direct root login to virtual console devices helps ensure
+accountability for actions taken on the system using the root account.
+
+Details: `V-38492 in STIG Viewer`_.
+
+.. _V-38492 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38492
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38492.rst
+
+V-38469: All system command files must have mode 755 or less permissive.
+------------------------------------------------------------------------
+
+System binaries are executed by privileged users, as well as system services,
+and restrictive permissions are necessary to ensure execution of these
+programs cannot be co-opted.
+
+Details: `V-38469 in STIG Viewer`_.
+
+.. _V-38469 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38469
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38469.rst
+
+V-38468: The audit system must take appropriate action when the audit storage volume is full.
+---------------------------------------------------------------------------------------------
+
+Taking appropriate action in case of a filled audit storage volume will
+minimize the possibility of losing audit records.
+
+Details: `V-38468 in STIG Viewer`_.
+
+.. _V-38468 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38468
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38468.rst
+
+V-38553: The operating system must prevent public IPv6 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+The "ip6tables" service provides the system's host-based firewalling
+capability for IPv6 and ICMPv6.
+
+Details: `V-38553 in STIG Viewer`_.
+
+.. _V-38553 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38553
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38553.rst
+
+V-38498: Audit log files must have mode 0640 or less permissive.
+----------------------------------------------------------------
+
+If users can write to audit logs, audit trails can be modified or destroyed.
+
+Details: `V-38498 in STIG Viewer`_.
+
+.. _V-38498 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38498
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38498.rst
+
+V-38555: The system must employ a local IPv4 firewall.
+------------------------------------------------------
+
+The "iptables" service provides the system's host-based firewalling capability
+for IPv4 and ICMP.
+
+Details: `V-38555 in STIG Viewer`_.
+
+.. _V-38555 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38555
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38555.rst
+
+V-51875: The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+Users need to be aware of activity that occurs regarding their account.
+Providing users with information regarding the number of unsuccessful attempts +that were made to login to their account allows the user to determine if any +unauthorized activity has occurred and gives them an opportunity to notify +administrators. + +Details: `V-51875 in STIG Viewer`_. + +.. _V-51875 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-51875 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-51875.rst + +V-38493: Audit log directories must have mode 0755 or less permissive. +---------------------------------------------------------------------- + +If users can delete audit logs, audit trails can be modified or destroyed. + +Details: `V-38493 in STIG Viewer`_. + +.. _V-38493 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38493 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38493.rst + +V-38496: Default operating system accounts, other than root, must be locked. +---------------------------------------------------------------------------- + +Disabling authentication for default system accounts makes it more difficult +for attackers to make use of them to compromise a system. + +Details: `V-38496 in STIG Viewer`_. + +.. _V-38496 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38496 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38496.rst + +V-38523: The system must not accept IPv4 source-routed packets on any interface. +-------------------------------------------------------------------------------- + +Accepting source-routed packets in the IPv4 protocol has few legitimate uses. +It should be disabled unless it is absolutely required. + +Details: `V-38523 in STIG Viewer`_. + +.. _V-38523 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38523 + +Developer Notes +~~~~~~~~~~~~~~~ +.. 
include:: developer-notes/V-38523.rst + +V-38673: The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked. +--------------------------------------------------------------------------------------------------------------------- + +By default, AIDE does not install itself for periodic execution. Periodically +running AIDE may reveal unexpected changes in installed files. + +Details: `V-38673 in STIG Viewer`_. + +.. _V-38673 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38673 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38673.rst + +V-38670: The operating system must detect unauthorized changes to software and information. +-------------------------------------------------------------------------------------------- + +By default, AIDE does not install itself for periodic execution. Periodically +running AIDE may reveal unexpected changes in installed files. + +Details: `V-38670 in STIG Viewer`_. + +.. _V-38670 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38670 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38670.rst + +V-38671: The sendmail package must be removed. +---------------------------------------------- + +The sendmail software was not developed with security in mind and its design +prevents it from being effectively contained by SELinux. Postfix should be +used instead. + +Details: `V-38671 in STIG Viewer`_. + +.. _V-38671 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38671 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38671.rst + +V-38674: X Windows must not be enabled unless required. +------------------------------------------------------- + +Unnecessary services should be disabled to decrease the attack surface of the +system. + +Details: `V-38674 in STIG Viewer`_. + +.. 
_V-38674 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38674 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38674.rst + +V-38630: The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment. +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ + +Enabling idle activation of the screen saver ensures the screensaver will be +activated after the idle delay. Applications requiring continuous, real-time +screen display (such as network management products) require the login session +does not have administrator rights and the display station is located in a +controlled-access area. + +Details: `V-38630 in STIG Viewer`_. + +.. _V-38630 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38630 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38630.rst + +V-38678: The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity. +--------------------------------------------------------------------------------------------------------------------------------------------------------------------- + +Notifying administrators of an impending disk space problem may allow them to +take corrective action prior to any disruption. + +Details: `V-38678 in STIG Viewer`_. + +.. _V-38678 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38678 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38678.rst + +V-58901: The sudo command must require authentication. 
+------------------------------------------------------ + +The "sudo" command allows authorized users to run programs (including shells) +as other users, system users, and root. The "/etc/sudoers" file is used to +configure authorized "sudo" users as well as the programs they are allowed to +run. Some configuration options in the "/etc/sudoers" file allow configured +users to run programs without re-authenticating. Use of these configuration +options makes it easier for one compromised account to be used to compromise +other accounts. + +Details: `V-58901 in STIG Viewer`_. + +.. _V-58901 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-58901 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-58901.rst + +V-38475: The system must require passwords to contain a minimum of 14 characters. +--------------------------------------------------------------------------------- + +Requiring a minimum password length makes password cracking attacks more +difficult by ensuring a larger search space. However, any security benefit +from an onerous requirement must be carefully weighed against usability +problems, support costs, or counterproductive behavior that may result. While +it does not negate the password length requirement, it is preferable to +migrate from a password-based authentication scheme to a stronger one based on +PKI (public key infrastructure). + +Details: `V-38475 in STIG Viewer`_. + +.. _V-38475 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38475 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38475.rst + +V-38477: Users must not be able to change passwords more than once every 24 hours. +---------------------------------------------------------------------------------- + +Setting the minimum password age protects against users cycling back to a +favorite password after satisfying the password reuse requirement. 
+ +Details: `V-38477 in STIG Viewer`_. + +.. _V-38477 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38477 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38477.rst + +V-38470: The audit system must alert designated staff members when the audit storage volume approaches capacity. +---------------------------------------------------------------------------------------------------------------- + +Notifying administrators of an impending disk space problem may allow them to +take corrective action prior to any disruption. + +Details: `V-38470 in STIG Viewer`_. + +.. _V-38470 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38470 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38470.rst + +V-38679: The DHCP client must be disabled if not needed. +-------------------------------------------------------- + +DHCP relies on trusting the local network. If the local network is not +trusted, then it should not be used. However, the automatic configuration +provided by DHCP is commonly used and the alternative, manual configuration, +presents an unacceptable burden in many circumstances. + +Details: `V-38679 in STIG Viewer`_. + +.. _V-38679 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38679 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38679.rst + +V-38479: User passwords must be changed at least every 60 days. +--------------------------------------------------------------- + +Setting the password maximum age ensures users are required to periodically +change their passwords. This could possibly decrease the utility of a stolen +password. Requiring shorter password lifetimes increases the risk of users +writing down the password in a convenient location subject to physical +compromise. + +Details: `V-38479 in STIG Viewer`_. + +.. 
_V-38479 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38479 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38479.rst + +V-54381: The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low. +--------------------------------------------------------------------------------------------------------------------------------- + +Administrators should be made aware of an inability to record audit records. +If a separate partition or logical volume of adequate size is used, running +low on space for audit records should never occur. + +Details: `V-54381 in STIG Viewer`_. + +.. _V-54381 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-54381 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-54381.rst + +V-38445: Audit log files must be group-owned by root. +----------------------------------------------------- + +If non-privileged users can write to audit logs, audit trails can be modified +or destroyed. + +Details: `V-38445 in STIG Viewer`_. + +.. _V-38445 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38445 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38445.rst + +V-38542: The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces. +------------------------------------------------------------------------------------------------------------ + +Enabling reverse path filtering drops packets with source addresses that +should not have been able to be received on the interface they were received +on. It should not be used on systems which are routers for complicated +networks, but is helpful for end hosts and routers serving small networks. + +Details: `V-38542 in STIG Viewer`_. + +.. 
_V-38542 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38542 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38542.rst + +V-38544: The system must use a reverse-path filter for IPv4 network traffic when possible by default. +----------------------------------------------------------------------------------------------------- + +Enabling reverse path filtering drops packets with source addresses that +should not have been able to be received on the interface they were received +on. It should not be used on systems which are routers for complicated +networks, but is helpful for end hosts and routers serving small networks. + +Details: `V-38544 in STIG Viewer`_. + +.. _V-38544 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38544 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38544.rst + +V-38546: The IPv6 protocol handler must not be bound to the network stack unless needed. +---------------------------------------------------------------------------------------- + +Any unnecessary network stacks - including IPv6 - should be disabled, to +reduce the vulnerability to exploitation. + +Details: `V-38546 in STIG Viewer`_. + +.. _V-38546 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38546 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38546.rst + +V-38548: The system must ignore ICMPv6 redirects by default. +------------------------------------------------------------ + +An illicit ICMP redirect message could result in a man-in-the-middle attack. + +Details: `V-38548 in STIG Viewer`_. + +.. _V-38548 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38548 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38548.rst + +V-38549: The system must employ a local IPv6 firewall. 
+------------------------------------------------------ + +The "ip6tables" service provides the system's host-based firewalling +capability for IPv6 and ICMPv6. + +Details: `V-38549 in STIG Viewer`_. + +.. _V-38549 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38549 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38549.rst + +V-38472: All system command files must be owned by root. +-------------------------------------------------------- + +System binaries are executed by privileged users as well as system services, +and restrictive permissions are necessary to ensure that their execution of +these programs cannot be co-opted. + +Details: `V-38472 in STIG Viewer`_. + +.. _V-38472 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38472 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38472.rst + +V-38689: The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts. +--------------------------------------------------------------------------------------------------------------------------------------------------------- + +An appropriate warning message reinforces policy awareness during the logon +process and facilitates possible legal action against attackers. + +Details: `V-38689 in STIG Viewer`_. + +.. _V-38689 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38689 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38689.rst + +V-38688: A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts. 
+--------------------------------------------------------------------------------------------------------------------------- + +An appropriate warning message reinforces policy awareness during the logon +process and facilitates possible legal action against attackers. + +Details: `V-38688 in STIG Viewer`_. + +.. _V-38688 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38688 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38688.rst + +V-38686: The systems local firewall must implement a deny-all, allow-by-exception policy for forwarded packets. +--------------------------------------------------------------------------------------------------------------- + +In "iptables" the default policy is applied only after all the applicable +rules in the table are examined for a match. Setting the default policy to +"DROP" implements proper design for a firewall, i.e., any packets which are +not explicitly permitted should not be accepted. + +Details: `V-38686 in STIG Viewer`_. + +.. _V-38686 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38686 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38686.rst + +V-38682: The Bluetooth kernel module must be disabled. +------------------------------------------------------ + +If Bluetooth functionality must be disabled, preventing the kernel from +loading the kernel module provides an additional safeguard against its +activation. + +Details: `V-38682 in STIG Viewer`_. + +.. _V-38682 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38682 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38682.rst + +V-38680: The audit system must identify staff members to receive notifications of audit log storage volume capacity issues. 
+--------------------------------------------------------------------------------------------------------------------------- + +Email sent to the root account is typically aliased to the administrators of +the system, who can take appropriate action. + +Details: `V-38680 in STIG Viewer`_. + +.. _V-38680 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38680 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38680.rst + +V-38606: The tftp-server package must not be installed unless required. +----------------------------------------------------------------------- + +Removing the "tftp-server" package decreases the risk of the accidental (or +intentional) activation of tftp services. + +Details: `V-38606 in STIG Viewer`_. + +.. _V-38606 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38606 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38606.rst + +V-38605: The cron service must be running. +------------------------------------------ + +Due to its usage for maintenance and security-supporting tasks, enabling the +cron daemon is essential. + +Details: `V-38605 in STIG Viewer`_. + +.. _V-38605 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38605 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38605.rst + +V-38604: The ypbind service must not be running. +------------------------------------------------ + +Disabling the "ypbind" service ensures the system is not acting as a client in +a NIS or NIS+ domain. + +Details: `V-38604 in STIG Viewer`_. + +.. _V-38604 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38604 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38604.rst + +V-38603: The ypserv package must not be installed. 
+-------------------------------------------------- + +Removing the "ypserv" package decreases the risk of the accidental (or +intentional) activation of NIS or NIS+ services. + +Details: `V-38603 in STIG Viewer`_. + +.. _V-38603 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38603 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38603.rst + +V-38601: The system must not send ICMPv4 redirects from any interface. +---------------------------------------------------------------------- + +Sending ICMP redirects permits the system to instruct other systems to update +their routing information. The ability to send ICMP redirects is only +appropriate for systems acting as routers. + +Details: `V-38601 in STIG Viewer`_. + +.. _V-38601 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38601 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38601.rst + +V-38600: The system must not send ICMPv4 redirects by default. +-------------------------------------------------------------- + +Sending ICMP redirects permits the system to instruct other systems to update +their routing information. The ability to send ICMP redirects is only +appropriate for systems acting as routers. + +Details: `V-38600 in STIG Viewer`_. + +.. _V-38600 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38600 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38600.rst + +V-38449: The /etc/gshadow file must have mode 0000. +--------------------------------------------------- + +The /etc/gshadow file contains group password hashes. Protection of this file +is critical for system security. + +Details: `V-38449 in STIG Viewer`_. + +.. _V-38449 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38449 + +Developer Notes +~~~~~~~~~~~~~~~ +.. 
include:: developer-notes/V-38449.rst + +V-38448: The /etc/gshadow file must be group-owned by root. +----------------------------------------------------------- + +The "/etc/gshadow" file contains group password hashes. Protection of this +file is critical for system security. + +Details: `V-38448 in STIG Viewer`_. + +.. _V-38448 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38448 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38448.rst + +V-38609: The TFTP service must not be running. +---------------------------------------------- + +Disabling the "tftp" service ensures the system is not acting as a tftp +server, which does not provide encryption or authentication. + +Details: `V-38609 in STIG Viewer`_. + +.. _V-38609 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38609 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38609.rst + +V-51391: A file integrity baseline must be created. +--------------------------------------------------- + +For AIDE to be effective, an initial database of "known-good" information +about files must be captured and it should be able to be verified against the +installed files. + +Details: `V-51391 in STIG Viewer`_. + +.. _V-51391 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-51391 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-51391.rst + +V-38632: The operating system must produce audit records containing sufficient information to establish what type of events occurred. +------------------------------------------------------------------------------------------------------------------------------------- + +Ensuring the "auditd" service is active ensures audit records generated by the +kernel can be written to disk, or that appropriate actions will be taken if +other obstacles exist. + +Details: `V-38632 in STIG Viewer`_. + +.. 
_V-38632 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38632 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38632.rst + +V-38579: The system boot loader configuration file(s) must be owned by root. +---------------------------------------------------------------------------- + +Only root should be able to modify important boot parameters. + +Details: `V-38579 in STIG Viewer`_. + +.. _V-38579 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38579 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38579.rst + +V-38613: The system must not permit root logins using remote access programs such as ssh. +----------------------------------------------------------------------------------------- + +Permitting direct root login reduces auditable information about who ran +privileged commands on the system and also allows direct attack attempts on +root's password. + +Details: `V-38613 in STIG Viewer`_. + +.. _V-38613 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38613 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38613.rst + +V-38574: The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth). +---------------------------------------------------------------------------------------------------------------------------------------- + +Using a stronger hashing algorithm makes password cracking attacks more +difficult. + +Details: `V-38574 in STIG Viewer`_. + +.. _V-38574 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38574 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38574.rst + +V-38577: The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf). 
+----------------------------------------------------------------------------------------------------------------------------------------- + +Using a stronger hashing algorithm makes password cracking attacks more +difficult. + +Details: `V-38577 in STIG Viewer`_. + +.. _V-38577 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38577 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38577.rst + +V-38576: The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs). +--------------------------------------------------------------------------------------------------------------------------------------- + +Using a stronger hashing algorithm makes password cracking attacks more +difficult. + +Details: `V-38576 in STIG Viewer`_. + +.. _V-38576 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38576 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38576.rst + +V-38489: A file integrity tool must be installed. +------------------------------------------------- + +The AIDE package must be installed if it is to be available for integrity +checking. + +Details: `V-38489 in STIG Viewer`_. + +.. _V-38489 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38489 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38489.rst + +V-38573: The system must disable accounts after three consecutive unsuccessful logon attempts. +---------------------------------------------------------------------------------------------- + +Locking out user accounts after a number of incorrect attempts prevents direct +password guessing attacks. + +Details: `V-38573 in STIG Viewer`_. + +.. _V-38573 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38573 + +Developer Notes +~~~~~~~~~~~~~~~ +.. 
include:: developer-notes/V-38573.rst + +V-38698: The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency. +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + +By default, AIDE does not install itself for periodic execution. Periodically +running AIDE may reveal unexpected changes in installed files. + +Details: `V-38698 in STIG Viewer`_. + +.. _V-38698 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38698 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38698.rst + +V-38519: All rsyslog-generated log files must be group-owned by root. +--------------------------------------------------------------------- + +The log files generated by rsyslog contain valuable information regarding +system configuration, user authentication, and other such information. Log +files should be protected from unauthorized access. + +Details: `V-38519 in STIG Viewer`_. + +.. _V-38519 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38519 + +Developer Notes +~~~~~~~~~~~~~~~ +.. include:: developer-notes/V-38519.rst + +V-38518: All rsyslog-generated log files must be owned by root. +--------------------------------------------------------------- + +The log files generated by rsyslog contain valuable information regarding +system configuration, user authentication, and other such information. Log +files should be protected from unauthorized access. + +Details: `V-38518 in STIG Viewer`_. + +.. 
_V-38518 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38518
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38518.rst
+
+V-38517: The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.
+------------------------------------------------------------------------------------------------------
+
+Disabling TIPC protects the system against exploitation of any flaws in its
+implementation.
+
+Details: `V-38517 in STIG Viewer`_.
+
+.. _V-38517 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38517
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38517.rst
+
+V-38515: The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
+------------------------------------------------------------------------------------------
+
+Disabling SCTP protects the system against exploitation of any flaws in its
+implementation.
+
+Details: `V-38515 in STIG Viewer`_.
+
+.. _V-38515 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38515
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38515.rst
+
+V-38514: The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
+------------------------------------------------------------------------------------------
+
+Disabling DCCP protects the system against exploitation of any flaws in its
+implementation.
+
+Details: `V-38514 in STIG Viewer`_.
+
+.. _V-38514 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38514
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38514.rst
+
+V-38691: The Bluetooth service must be disabled.
+------------------------------------------------
+
+Disabling the "bluetooth" service prevents the system from attempting
+connections to Bluetooth devices, which entails some security risk.
+Nevertheless, variation in this risk decision may be expected due to the
+utility of Bluetooth connectivity and its limited range.
+
+Details: `V-38691 in STIG Viewer`_.
+
+.. _V-38691 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38691
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38691.rst
+
+V-38511: IP forwarding for IPv4 must not be enabled, unless the system is a router.
+-----------------------------------------------------------------------------------
+
+IP forwarding permits the kernel to forward packets from one network interface
+to another. The ability to forward packets between two networks is only
+appropriate for systems acting as routers.
+
+Details: `V-38511 in STIG Viewer`_.
+
+.. _V-38511 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38511
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38511.rst
+
+V-38597: The system must limit the ability of processes to have simultaneous write and execute access to memory.
+----------------------------------------------------------------------------------------------------------------
+
+ExecShield uses the segmentation feature on all x86 systems to prevent
+execution in memory higher than a certain address. It writes an address as a
+limit in the code segment descriptor, to control where code can be executed,
+on a per-process basis. When the kernel places a process's memory regions such
+as the stack and heap higher than this address, the hardware prevents
+execution in that address range.
+
+Details: `V-38597 in STIG Viewer`_.
+
+..
_V-38597 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38597
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38597.rst
+
+V-38596: The system must implement virtual address space randomization.
+-----------------------------------------------------------------------
+
+Address space layout randomization (ASLR) makes it more difficult for an
+attacker to predict the location of attack code he or she has introduced into
+a process's address space during an attempt at exploitation. Additionally,
+ASLR also makes it more difficult for an attacker to know the location of
+existing code in order to repurpose it using return oriented programming (ROP)
+techniques.
+
+Details: `V-38596 in STIG Viewer`_.
+
+.. _V-38596 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38596
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38596.rst
+
+V-38595: The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
+----------------------------------------------------------------------------------------------------------------------------------------------------
+
+Smart card login provides two-factor authentication stronger than that
+provided by a username/password combination. Smart cards leverage a PKI
+(public key infrastructure) in order to provide and verify credentials.
+
+Details: `V-38595 in STIG Viewer`_.
+
+.. _V-38595 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38595
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38595.rst
+
+V-38593: The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
+-----------------------------------------------------------------------------------------------------------------------------------
+
+An appropriate warning message reinforces policy awareness during the logon
+process and facilitates possible legal action against attackers.
+
+Details: `V-38593 in STIG Viewer`_.
+
+.. _V-38593 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38593
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38593.rst
+
+V-38592: The system must require administrator action to unlock an account locked by excessive failed login attempts.
+---------------------------------------------------------------------------------------------------------------------
+
+Locking out user accounts after a number of incorrect attempts prevents direct
+password guessing attacks. Ensuring that an administrator is involved in
+unlocking locked accounts draws appropriate attention to such situations.
+
+Details: `V-38592 in STIG Viewer`_.
+
+.. _V-38592 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38592
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38592.rst
+
+V-38457: The /etc/passwd file must have mode 0644 or less permissive.
+---------------------------------------------------------------------
+
+If the "/etc/passwd" file is writable by a group-owner or the world the risk
+of its compromise is increased. The file contains the list of accounts on the
+system and associated information, and protection of this file is critical for
+system security.
+
+Details: `V-38457 in STIG Viewer`_.
+
+.. _V-38457 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38457
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38457.rst
+
+V-38495: Audit log files must be owned by root.
+-----------------------------------------------
+
+If non-privileged users can write to audit logs, audit trails can be modified
+or destroyed.
+
+Details: `V-38495 in STIG Viewer`_.
+
+.. _V-38495 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38495
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38495.rst
+
+V-38619: There must be no .netrc files on the system.
+-----------------------------------------------------
+
+Unencrypted passwords for remote FTP servers may be stored in ".netrc" files.
+DoD policy requires passwords be encrypted in storage and not used in access
+scripts.
+
+Details: `V-38619 in STIG Viewer`_.
+
+.. _V-38619 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38619
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38619.rst
+
+V-38599: The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
+-----------------------------------------------------------------------------------------------------------------
+
+This setting will cause the system greeting banner to be used for FTP
+connections as well.
+
+Details: `V-38599 in STIG Viewer`_.
+
+.. _V-38599 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38599
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38599.rst
+
+V-51337: The system must use a Linux Security Module at boot time.
+------------------------------------------------------------------
+
+Disabling a major host protection feature, such as SELinux, at boot time
+prevents it from confining system services at boot time. Further, it increases
+the chances that it will remain off during system operation.
+
+Details: `V-51337 in STIG Viewer`_.
+
+..
_V-51337 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-51337
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-51337.rst
+
+V-38585: The system boot loader must require authentication.
+------------------------------------------------------------
+
+Password protection on the boot loader configuration ensures users with
+physical access cannot trivially alter important bootloader settings. These
+include which kernel to use, and whether to enter single-user mode.
+
+Details: `V-38585 in STIG Viewer`_.
+
+.. _V-38585 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38585
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38585.rst
+
+V-43150: The login user list must be disabled.
+----------------------------------------------
+
+Leaving the user list enabled is a security risk since it allows anyone with
+physical access to the system to quickly enumerate known user accounts without
+logging in.
+
+Details: `V-43150 in STIG Viewer`_.
+
+.. _V-43150 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-43150
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-43150.rst
+
+V-57569: The noexec option must be added to the /tmp partition.
+---------------------------------------------------------------
+
+Allowing users to execute binaries from world-writable directories such as
+"/tmp" should never be necessary in normal operation and can expose the system
+to potential compromise.
+
+Details: `V-57569 in STIG Viewer`_.
+
+.. _V-57569 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-57569
+
+Developer Notes
+~~~~~~~~~~~~~~~
+..
include:: developer-notes/V-57569.rst
+
+V-38560: The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+The "iptables" service provides the system's host-based firewalling capability
+for IPv4 and ICMP.
+
+Details: `V-38560 in STIG Viewer`_.
+
+.. _V-38560 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38560
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38560.rst
+
+V-38444: The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
+------------------------------------------------------------------------------------------------------------------
+
+In "ip6tables" the default policy is applied only after all the applicable
+rules in the table are examined for a match. Setting the default policy to
+"DROP" implements proper design for a firewall, i.e., any packets which are
+not explicitly permitted should not be accepted.
+
+Details: `V-38444 in STIG Viewer`_.
+
+.. _V-38444 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38444
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38444.rst
+
+V-38504: The /etc/shadow file must have mode 0000.
+--------------------------------------------------
+
+The "/etc/shadow" file contains the list of local system accounts and stores
+password hashes. Protection of this file is critical for system security.
+Failure to give ownership of this file to root provides the designated owner
+with access to sensitive information which could weaken the system security
+posture.
+
+Details: `V-38504 in STIG Viewer`_.
+
+.. _V-38504 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38504
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38504.rst
+
+V-38583: The system boot loader configuration file(s) must have mode 0600 or less permissive.
+---------------------------------------------------------------------------------------------
+
+Proper permissions ensure that only the root user can modify important boot
+parameters.
+
+Details: `V-38583 in STIG Viewer`_.
+
+.. _V-38583 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38583
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38583.rst
+
+V-38500: The root account must be the only account having a UID of 0.
+---------------------------------------------------------------------
+
+An account has root authority if it has a UID of 0. Multiple accounts with a
+UID of 0 afford more opportunity for potential intruders to guess a password
+for a privileged account. Proper configuration of sudo is recommended to
+afford multiple system administrators access to root privileges in an
+accountable manner.
+
+Details: `V-38500 in STIG Viewer`_.
+
+.. _V-38500 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38500
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38500.rst
+
+V-38501: The system must disable accounts after excessive login failures within a 15-minute interval.
+-----------------------------------------------------------------------------------------------------
+
+Locking out user accounts after a number of incorrect attempts within a
+specific period of time prevents direct password guessing attacks.
+
+Details: `V-38501 in STIG Viewer`_.
+
+.. _V-38501 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38501
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38501.rst
+
+V-38502: The /etc/shadow file must be owned by root.
+----------------------------------------------------
+
+The "/etc/shadow" file contains the list of local system accounts and stores
+password hashes. Protection of this file is critical for system security.
+Failure to give ownership of this file to root provides the designated owner
+with access to sensitive information which could weaken the system security
+posture.
+
+Details: `V-38502 in STIG Viewer`_.
+
+.. _V-38502 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38502
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38502.rst
+
+V-38503: The /etc/shadow file must be group-owned by root.
+----------------------------------------------------------
+
+The "/etc/shadow" file stores password hashes. Protection of this file is
+critical for system security.
+
+Details: `V-38503 in STIG Viewer`_.
+
+.. _V-38503 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38503
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38503.rst
+
+V-38621: The system clock must be synchronized to an authoritative DoD time source.
+-----------------------------------------------------------------------------------
+
+Synchronizing with an NTP server makes it possible to collate system logs from
+multiple sources or correlate computer events with real time events. Using a
+trusted NTP server provided by your organization is recommended.
+
+Details: `V-38621 in STIG Viewer`_.
+
+.. _V-38621 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38621
+
+Developer Notes
+~~~~~~~~~~~~~~~
+..
include:: developer-notes/V-38621.rst
+
+V-38620: The system clock must be synchronized continuously, or at least daily.
+-------------------------------------------------------------------------------
+
+Enabling the "ntpd" service ensures that the "ntpd" service will be running
+and that the system will synchronize its time to any servers specified. This
+is important whether the system is configured to be a client (and synchronize
+only its own clock) or it is also acting as an NTP server to other systems.
+Synchronizing time is essential for authentication services such as Kerberos,
+but it is also important for maintaining accurate logs and auditing possible
+security breaches.
+
+Details: `V-38620 in STIG Viewer`_.
+
+.. _V-38620 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38620
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38620.rst
+
+V-38623: All rsyslog-generated log files must have mode 0600 or less permissive.
+--------------------------------------------------------------------------------
+
+Log files can contain valuable information regarding system configuration. If
+the system log files are not protected, unauthorized users could change the
+logged data, eliminating their forensic value.
+
+Details: `V-38623 in STIG Viewer`_.
+
+.. _V-38623 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38623
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38623.rst
+
+V-38625: If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+The ssl directive specifies whether to use ssl or not. If not specified it
+will default to "no".
It should be set to "start_tls" rather than doing LDAP
+over SSL.
+
+Details: `V-38625 in STIG Viewer`_.
+
+.. _V-38625 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38625
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38625.rst
+
+V-38626: The LDAP client must use a TLS connection using trust certificates signed by the site CA.
+--------------------------------------------------------------------------------------------------
+
+The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer
+is configured (which is the default for openldap versions 2.1 and up). These
+directives define the path to the trust certificates signed by the site CA.
+
+Details: `V-38626 in STIG Viewer`_.
+
+.. _V-38626 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38626
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38626.rst
+
+V-38629: The graphical desktop environment must set the idle timeout to no more than 15 minutes.
+------------------------------------------------------------------------------------------------
+
+Setting the idle delay controls when the screensaver will start, and can be
+combined with screen locking to prevent access from passersby.
+
+Details: `V-38629 in STIG Viewer`_.
+
+.. _V-38629 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38629
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38629.rst
+
+V-38628: The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+Ensuring the "auditd" service is active ensures audit records generated by the
+kernel can be written to disk, or that appropriate actions will be taken if
+other obstacles exist.
+
+Details: `V-38628 in STIG Viewer`_.
+
+.. _V-38628 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38628
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38628.rst
+
+V-38588: The system must not permit interactive boot.
+-----------------------------------------------------
+
+Using interactive boot, the console user could disable auditing, firewalls, or
+other services, weakening system security.
+
+Details: `V-38588 in STIG Viewer`_.
+
+.. _V-38588 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38588
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38588.rst
+
+V-38700: The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+By default, AIDE does not install itself for periodic execution. Periodically
+running AIDE may reveal unexpected changes in installed files.
+
+Details: `V-38700 in STIG Viewer`_.
+
+.. _V-38700 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38700
+
+Developer Notes
+~~~~~~~~~~~~~~~
+..
include:: developer-notes/V-38700.rst
+
+V-38695: A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+By default, AIDE does not install itself for periodic execution. Periodically
+running AIDE may reveal unexpected changes in installed files.
+
+Details: `V-38695 in STIG Viewer`_.
+
+.. _V-38695 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38695
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38695.rst
+
+V-38483: The system package management tool must cryptographically verify the authenticity of system software packages during installation.
+-------------------------------------------------------------------------------------------------------------------------------------------
+
+Ensuring the validity of packages' cryptographic signatures prior to
+installation ensures the provenance of the software and protects against
+malicious tampering.
+
+Details: `V-38483 in STIG Viewer`_.
+
+.. _V-38483 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38483
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38483.rst
+
+V-38539: The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
+-----------------------------------------------------------------------------------------------
+
+A TCP SYN flood attack can cause a denial of service by filling a system's TCP
+connection table with connections in the SYN_RCVD state.
Syncookies can be
+used to track a connection when a subsequent ACK is received, verifying the
+initiator is attempting a valid connection and is not a flood source. This
+feature is activated when a flood condition is detected, and enables the
+system to continue servicing valid connection requests.
+
+Details: `V-38539 in STIG Viewer`_.
+
+.. _V-38539 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38539
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38539.rst
+
+V-38513: The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
+------------------------------------------------------------------------------------------------------------------
+
+In "iptables" the default policy is applied only after all the applicable
+rules in the table are examined for a match. Setting the default policy to
+"DROP" implements proper design for a firewall, i.e., any packets which are
+not explicitly permitted should not be accepted.
+
+Details: `V-38513 in STIG Viewer`_.
+
+.. _V-38513 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38513
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38513.rst
+
+V-38532: The system must not accept ICMPv4 secure redirect packets by default.
+------------------------------------------------------------------------------
+
+Accepting "secure" ICMP redirects (from those gateways listed as default
+gateways) has few legitimate uses. It should be disabled unless it is
+absolutely required.
+
+Details: `V-38532 in STIG Viewer`_.
+
+.. _V-38532 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38532
+
+Developer Notes
+~~~~~~~~~~~~~~~
+..
include:: developer-notes/V-38532.rst
+
+V-38512: The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+The "iptables" service provides the system's host-based firewalling capability
+for IPv4 and ICMP.
+
+Details: `V-38512 in STIG Viewer`_.
+
+.. _V-38512 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38512
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38512.rst
+
+V-38439: The system must provide automated support for account management functions.
+------------------------------------------------------------------------------------
+
+A comprehensive account management process that includes automation helps to
+ensure the accounts designated as requiring attention are consistently and
+promptly addressed. Enterprise environments make user account management
+challenging and complex. A user management process requiring administrators to
+manually address account management functions adds risk of potential
+oversight.
+
+Details: `V-38439 in STIG Viewer`_.
+
+.. _V-38439 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38439
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38439.rst
+
+V-38638: The graphical desktop environment must have automatic lock enabled.
+----------------------------------------------------------------------------
+
+Enabling the activation of the screen lock after an idle period ensures
+password entry will be required in order to access the system, preventing
+access by passersby.
+
+Details: `V-38638 in STIG Viewer`_.
+
+..
_V-38638 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38638
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38638.rst
+
+V-38636: The system must retain enough rotated audit logs to cover the required log retention period.
+-----------------------------------------------------------------------------------------------------
+
+The total storage for audit log files must be large enough to retain log
+information over the period required. This is a function of the maximum log
+file size and the number of logs retained.
+
+Details: `V-38636 in STIG Viewer`_.
+
+.. _V-38636 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38636
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38636.rst
+
+V-38637: The system package management tool must verify contents of all files associated with the audit package.
+----------------------------------------------------------------------------------------------------------------
+
+The hash on important files like audit system executables should match the
+information given by the RPM database. Audit executables with erroneous
+hashes could be a sign of nefarious activity on the system.
+
+Details: `V-38637 in STIG Viewer`_.
+
+.. _V-38637 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38637
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38637.rst
+
+V-38634: The system must rotate audit log files that reach the maximum file size.
+---------------------------------------------------------------------------------
+
+Automatically rotating logs (by setting this to "rotate") minimizes the
+chances of the system unexpectedly running out of disk space by being
+overwhelmed with log data. However, for systems that must never discard log
+data, or which use external processes to transfer it and reclaim space,
+"keep_logs" can be employed.
+
+Details: `V-38634 in STIG Viewer`_.
+
+.. _V-38634 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38634
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38634.rst
+
+V-38696: The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+By default, AIDE does not install itself for periodic execution. Periodically
+running AIDE may reveal unexpected changes in installed files.
+
+Details: `V-38696 in STIG Viewer`_.
+
+.. _V-38696 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38696
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38696.rst
+
+V-38633: The system must set a maximum audit log file size.
+-----------------------------------------------------------
+
+The total storage for audit log files must be large enough to retain log
+information over the period required. This is a function of the maximum log
+file size and the number of logs retained.
+
+Details: `V-38633 in STIG Viewer`_.
+
+.. _V-38633 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38633
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38633.rst
+
+V-38586: The system must require authentication upon booting into single-user and maintenance modes.
+----------------------------------------------------------------------------------------------------
+
+This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented by
+configuring the bootloader password.
+
+Details: `V-38586 in STIG Viewer`_.
+
+..
_V-38586 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38586
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38586.rst
+
+V-38631: The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
+---------------------------------------------------------------------------------------------------------------------------------
+
+Ensuring the "auditd" service is active ensures audit records generated by the
+kernel can be written to disk, or that appropriate actions will be taken if
+other obstacles exist.
+
+Details: `V-38631 in STIG Viewer`_.
+
+.. _V-38631 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38631
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38631.rst
+
+V-38615: The SSH daemon must be configured with the Department of Defense (DoD) login banner.
+---------------------------------------------------------------------------------------------
+
+The warning message reinforces policy awareness during the logon process and
+facilitates possible legal action against attackers. Alternatively, systems
+whose ownership should not be obvious should ensure usage of a banner that
+does not provide easy attribution.
+
+Details: `V-38615 in STIG Viewer`_.
+
+.. _V-38615 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38615
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38615.rst
+
+V-38622: Mail relaying must be restricted.
+------------------------------------------
+
+This ensures "postfix" accepts mail messages (such as cron job reports) from
+the local system only, and not from the network, which protects it from
+network attack.
+
+Details: `V-38622 in STIG Viewer`_.
+
+..
_V-38622 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38622
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38622.rst
+
+V-38617: The SSH daemon must be configured to use only FIPS 140-2 approved ciphers.
+-----------------------------------------------------------------------------------
+
+Approved algorithms should impart some level of confidence in their
+implementation. These are also required for compliance.
+
+Details: `V-38617 in STIG Viewer`_.
+
+.. _V-38617 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38617
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38617.rst
+
+V-38611: The SSH daemon must ignore .rhosts files.
+--------------------------------------------------
+
+SSH trust relationships mean a compromise on one host can allow an attacker to
+move trivially to other hosts.
+
+Details: `V-38611 in STIG Viewer`_.
+
+.. _V-38611 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38611
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38611.rst
diff --git a/doc/source/configurations-cat3.rst b/doc/source/configurations-cat3.rst
new file mode 100644
index 00000000..1b289a3f
--- /dev/null
+++ b/doc/source/configurations-cat3.rst
@@ -0,0 +1,267 @@
+.. include::
+`Home `__ |raquo| Security hardening for openstack-ansible
+
+Category 3 (High) configurations
+================================
+
+.. contents::
+ :depth: 2
+
+
+V-38653: The snmpd service must not use a default password.
+-----------------------------------------------------------
+
+Presence of the default SNMP password enables querying of different system
+aspects and could result in unauthorized knowledge of the system.
+
+Details: `V-38653 in STIG Viewer`_.
+
+.. _V-38653 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38653
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38653.rst
+
+V-38666: The system must use and update a DoD-approved virus scan program.
+--------------------------------------------------------------------------
+
+Virus scanning software can be used to detect if a system has been compromised
+by computer viruses, as well as to limit their spread to other systems.
+
+Details: `V-38666 in STIG Viewer`_.
+
+.. _V-38666 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38666
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38666.rst
+
+V-38668: The x86 Ctrl-Alt-Delete key sequence must be disabled.
+---------------------------------------------------------------
+
+A locally logged-in user who presses Ctrl-Alt-Delete, when at the console, can
+reboot the system. If accidentally pressed, as could happen in the case of
+mixed OS environment, this can create the risk of short-term loss of
+availability of systems due to unintentional reboot. In the GNOME graphical
+environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is
+reduced because the user will be prompted before any action is taken.
+
+Details: `V-38668 in STIG Viewer`_.
+
+.. _V-38668 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38668
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38668.rst
+
+V-38462: The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
+-------------------------------------------------------------------------------------------------------------------------------------
+
+Ensuring all packages' cryptographic signatures are valid prior to
+installation ensures the provenance of the software and protects against
+malicious tampering.
+
+Details: `V-38462 in STIG Viewer`_.
+
+.. _V-38462 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38462
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38462.rst
+
+V-38497: The system must not have accounts configured with blank or null passwords.
+-----------------------------------------------------------------------------------
+
+If an account has an empty password, anyone could log in and run commands with
+the privileges of that account. Accounts with empty passwords should never be
+used in operational environments.
+
+Details: `V-38497 in STIG Viewer`_.
+
+.. _V-38497 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38497
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38497.rst
+
+V-38677: The NFS server must not have the insecure file locking option enabled.
+-------------------------------------------------------------------------------
+
+Allowing insecure file locking could allow for sensitive data to be viewed or
+edited by an unauthorized user.
+
+Details: `V-38677 in STIG Viewer`_.
+
+.. _V-38677 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38677
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38677.rst
+
+V-38476: Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
+-----------------------------------------------------------------------------------------------------------------
+
+The Red Hat GPG keys are necessary to cryptographically verify packages are
+from Red Hat.
+
+Details: `V-38476 in STIG Viewer`_.
+
+.. _V-38476 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38476
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38476.rst
+
+V-38491: There must be no .rhosts or hosts.equiv files on the system.
+---------------------------------------------------------------------
+
+Trust files are convenient, but when used in conjunction with the R-services,
+they can allow unauthenticated access to a system.
+
+Details: `V-38491 in STIG Viewer`_.
+
+.. _V-38491 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38491
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38491.rst
+
+V-38607: The SSH daemon must be configured to use only the SSHv2 protocol.
+--------------------------------------------------------------------------
+
+SSH protocol version 1 suffers from design flaws that result in security
+vulnerabilities and should not be used.
+
+Details: `V-38607 in STIG Viewer`_.
+
+.. _V-38607 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38607
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38607.rst
+
+V-38602: The rlogind service must not be running.
+-------------------------------------------------
+
+The rlogin service uses unencrypted network communications, which means that
+data from the login session, including passwords and all other information
+transmitted during the session, can be stolen by eavesdroppers on the network.
+
+Details: `V-38602 in STIG Viewer`_.
+
+.. _V-38602 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38602
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38602.rst
+
+V-38594: The rshd service must not be running.
+----------------------------------------------
+
+The rsh service uses unencrypted network communications, which means that data
+from the login session, including passwords and all other information
+transmitted during the session, can be stolen by eavesdroppers on the network.
+
+Details: `V-38594 in STIG Viewer`_.
+
+.. _V-38594 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38594
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38594.rst
+
+V-38591: The rsh-server package must not be installed.
+------------------------------------------------------
+
+The "rsh-server" package provides several obsolete and insecure network
+services. Removing it decreases the risk of those services' accidental (or
+intentional) activation.
+
+Details: `V-38591 in STIG Viewer`_.
+
+.. _V-38591 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38591
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38591.rst
+
+V-38598: The rexecd service must not be running.
+------------------------------------------------
+
+The rexec service uses unencrypted network communications, which means that
+data from the login session, including passwords and all other information
+transmitted during the session, can be stolen by eavesdroppers on the network.
+
+Details: `V-38598 in STIG Viewer`_.
+
+.. _V-38598 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38598
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38598.rst
+
+V-38587: The telnet-server package must not be installed.
+---------------------------------------------------------
+
+Removing the "telnet-server" package decreases the risk of the unencrypted
+telnet service's accidental (or intentional) activation. Mitigation: If the
+telnet-server package is configured to only allow encrypted sessions, such as
+with Kerberos or the use of encrypted network tunnels, the risk of exposing
+sensitive information is mitigated.
+
+Details: `V-38587 in STIG Viewer`_.
+
+.. _V-38587 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38587
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38587.rst
+
+V-38589: The telnet daemon must not be running.
+-----------------------------------------------
+
+The telnet protocol uses unencrypted network communication, which means that
+data from the login session, including passwords and all other information
+transmitted during the session, can be stolen by eavesdroppers on the network.
+The telnet protocol is also subject to man-in-the-middle attacks. Mitigation:
+If an enabled telnet daemon is configured to only allow encrypted sessions,
+such as with Kerberos or the use of encrypted network tunnels, the risk of
+exposing sensitive information is mitigated.
+
+Details: `V-38589 in STIG Viewer`_.
+
+.. _V-38589 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38589
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38589.rst
+
+V-38701: The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
+------------------------------------------------------------------------------------------------------------------------------
+
+Using the "-s" option causes the TFTP service to only serve files from the
+given directory. Serving files from an intentionally specified directory
+reduces the risk of sharing files which should remain private.
+
+Details: `V-38701 in STIG Viewer`_.
+
+.. _V-38701 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38701
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38701.rst
+
+V-38614: The SSH daemon must not allow authentication using an empty password.
+------------------------------------------------------------------------------
+
+Configuring this setting for the SSH daemon provides additional assurance that
+remote login via SSH will require a password, even in the event of
+misconfiguration elsewhere.
+
+Details: `V-38614 in STIG Viewer`_.
+
+.. _V-38614 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38614
+
+Developer Notes
+~~~~~~~~~~~~~~~
+.. include:: developer-notes/V-38614.rst
diff --git a/doc/source/configurations.rst b/doc/source/configurations.rst
new file mode 100644
index 00000000..74829fc8
--- /dev/null
+++ b/doc/source/configurations.rst
@@ -0,0 +1,12 @@
+.. include::
+`Home `__ |raquo| Security hardening for openstack-ansible
+
+Security hardening configurations
+=================================
+
+.. toctree::
+ :maxdepth: 2
+
+ configurations-cat3.rst
+ configurations-cat2.rst
+ configurations-cat1.rst
diff --git a/doc/source/developer-notes/V-38437.rst b/doc/source/developer-notes/V-38437.rst
new file mode 100644
index 00000000..82dddae3
--- /dev/null
+++ b/doc/source/developer-notes/V-38437.rst
@@ -0,0 +1,6 @@
+If ``autofs`` is installed, it will be disabled by Ansible tasks. To opt-out
+of this change, adjust the following variable:
+
+.. code-block:: yaml
+
+ disable_services['autofs'] = no
diff --git a/doc/source/developer-notes/V-38438.rst b/doc/source/developer-notes/V-38438.rst
new file mode 100644
index 00000000..4b39ed3d
--- /dev/null
+++ b/doc/source/developer-notes/V-38438.rst
@@ -0,0 +1,8 @@
+**Exception**
+
+Adjusting the bootloader configuration can cause issues with reboots and this
+work is left up to the deployer. Enabling auditing at boot time is helpful,
+but the risk may not be worth the change in most environments.
+
+The ``auditd`` process starts very early during the boot process to catch
+events already, and this should be sufficient for most environments.
diff --git a/doc/source/developer-notes/V-38439.rst b/doc/source/developer-notes/V-38439.rst
new file mode 100644
index 00000000..d06d35fe
--- /dev/null
+++ b/doc/source/developer-notes/V-38439.rst
@@ -0,0 +1,5 @@
+**Exception**
+
+Although adding centralized authentication and carefully managing user
+accounts is critical for securing any system, that's left up to deployers
+to handle via their internal business processes.
diff --git a/doc/source/developer-notes/V-38443.rst b/doc/source/developer-notes/V-38443.rst
new file mode 100644
index 00000000..0f8a56f4
--- /dev/null
+++ b/doc/source/developer-notes/V-38443.rst
@@ -0,0 +1,4 @@
+The Ansible tasks will ensure that ``/etc/gshadow`` is owned by root. This is
+the default in Ubuntu 14.04 already, but the tasks will ensure that the
+permissions match the STIG requirements in case they were changed by other
+means after the installation of the operating system.
diff --git a/doc/source/developer-notes/V-38444.rst b/doc/source/developer-notes/V-38444.rst
new file mode 100644
index 00000000..eaea8db5
--- /dev/null
+++ b/doc/source/developer-notes/V-38444.rst
@@ -0,0 +1,4 @@
+**Exception**
+
+See V-38551 for additional details. IPv6 configuration and filtering is left
+up to the deployer.
diff --git a/doc/source/developer-notes/V-38445.rst b/doc/source/developer-notes/V-38445.rst
new file mode 100644
index 00000000..3818e0fd
--- /dev/null
+++ b/doc/source/developer-notes/V-38445.rst
@@ -0,0 +1,3 @@
+Although audit log files are owned by the root user and group by default
+in Ubuntu 14.04, the Ansible task for V-38445 will ensure that they are
+configured as such.
diff --git a/doc/source/developer-notes/V-38446.rst b/doc/source/developer-notes/V-38446.rst
new file mode 100644
index 00000000..de70a78c
--- /dev/null
+++ b/doc/source/developer-notes/V-38446.rst
@@ -0,0 +1,4 @@
+Forwarding root's email to another user is highly recommended, but the Ansible
+tasks won't configure an email address to receive root's email unless that
+email address is configured. Set ``root_forward_email`` to an email address
+that is ready to receive root's email.
diff --git a/doc/source/developer-notes/V-38447.rst b/doc/source/developer-notes/V-38447.rst
new file mode 100644
index 00000000..11df8d93
--- /dev/null
+++ b/doc/source/developer-notes/V-38447.rst
@@ -0,0 +1,11 @@
+**Exception**
+
+Verifying contents of files installed from packages is more difficult in
+Ubuntu, mainly due to the lack of an equivalent of ``rpm -V``. The ``debsums``
+package installs the ``debsums`` command and that can be used to look for
+files that have changed since the package was installed.
+
+However, not all packages have MD5 checksums for all files and ``debsums``
+doesn't do detailed checking like ``rpm``. Deployers are urged to run
+``debsums -c`` to review changes made to files on their systems. This report
+takes a long time to run on most systems.
diff --git a/doc/source/developer-notes/V-38448.rst b/doc/source/developer-notes/V-38448.rst
new file mode 100644
index 00000000..ef9023ab
--- /dev/null
+++ b/doc/source/developer-notes/V-38448.rst
@@ -0,0 +1,2 @@
+Although the ``/etc/gshadow`` file is group-owned by root by default, the
+Ansible tasks will ensure that it is configured that way.
diff --git a/doc/source/developer-notes/V-38449.rst b/doc/source/developer-notes/V-38449.rst
new file mode 100644
index 00000000..c4746e25
--- /dev/null
+++ b/doc/source/developer-notes/V-38449.rst
@@ -0,0 +1,2 @@
+The ``/etc/gshadow`` file's permissions will be changed to ``0000`` to meet
+the requirements of the STIG.
diff --git a/doc/source/developer-notes/V-38450.rst b/doc/source/developer-notes/V-38450.rst
new file mode 100644
index 00000000..e697cf70
--- /dev/null
+++ b/doc/source/developer-notes/V-38450.rst
@@ -0,0 +1 @@
+The ownership of ``/etc/passwd`` will be changed to root.
diff --git a/doc/source/developer-notes/V-38451.rst b/doc/source/developer-notes/V-38451.rst
new file mode 100644
index 00000000..6bc4e6e8
--- /dev/null
+++ b/doc/source/developer-notes/V-38451.rst
@@ -0,0 +1 @@
+The group ownership for ``/etc/passwd`` will be set to root.
diff --git a/doc/source/developer-notes/V-38452.rst b/doc/source/developer-notes/V-38452.rst
new file mode 100644
index 00000000..4d2d9992
--- /dev/null
+++ b/doc/source/developer-notes/V-38452.rst
@@ -0,0 +1,5 @@
+**Exception**
+
+Verifying permissions of installed packages isn't possible in the current
+version of ``dpkg`` as it is with ``rpm``. This security configuration is
+skipped.
diff --git a/doc/source/developer-notes/V-38453.rst b/doc/source/developer-notes/V-38453.rst
new file mode 100644
index 00000000..8f7ae067
--- /dev/null
+++ b/doc/source/developer-notes/V-38453.rst
@@ -0,0 +1,5 @@
+**Exception**
+
+Verifying ownership of installed packages isn't possible in the current
+version of ``dpkg`` as it is with ``rpm``. This security configuration is
+skipped.
diff --git a/doc/source/developer-notes/V-38454.rst b/doc/source/developer-notes/V-38454.rst
new file mode 100644
index 00000000..e21b199d
--- /dev/null
+++ b/doc/source/developer-notes/V-38454.rst
@@ -0,0 +1,6 @@
+**Exception**
+
+Verifying ownership of installed packages isn't possible in the current
+version of ``dpkg`` as it is with ``rpm``. This security configuration is
+skipped.
+
diff --git a/doc/source/developer-notes/V-38455.rst b/doc/source/developer-notes/V-38455.rst
new file mode 100644
index 00000000..6e7733fd
--- /dev/null
+++ b/doc/source/developer-notes/V-38455.rst
@@ -0,0 +1,8 @@
+**Exception**
+
+Configuring another mount for ``/tmp`` can disrupt a running system and this
+configuration is skipped.
+
+However, deployers are strongly urged to consider creating a separate
+partition and/or LVM logical volume for ``/tmp`` during installation of the OS
+if possible.
diff --git a/doc/source/developer-notes/V-38456.rst b/doc/source/developer-notes/V-38456.rst
new file mode 100644
index 00000000..fce916fe
--- /dev/null
+++ b/doc/source/developer-notes/V-38456.rst
@@ -0,0 +1,9 @@
+**Exception**
+
+Configuring another mount for ``/var`` can disrupt a running system and this
+configuration is skipped.
+
+However, deployers are strongly urged to consider creating a separate
+partition and/or LVM logical volume for ``/var`` during installation of the OS
+if possible.
+
diff --git a/doc/source/developer-notes/V-38457.rst b/doc/source/developer-notes/V-38457.rst
new file mode 100644
index 00000000..76d83a9e
--- /dev/null
+++ b/doc/source/developer-notes/V-38457.rst
@@ -0,0 +1 @@
+The permissions for ``/etc/passwd`` will be set to ``0644``.
diff --git a/doc/source/developer-notes/V-38459.rst b/doc/source/developer-notes/V-38459.rst
new file mode 100644
index 00000000..c616011e
--- /dev/null
+++ b/doc/source/developer-notes/V-38459.rst
@@ -0,0 +1 @@
+The tasks in file_perms.yml will ensure that "/etc/group" is owned by the root account.
\ No newline at end of file
diff --git a/doc/source/developer-notes/V-38460.rst b/doc/source/developer-notes/V-38460.rst
new file mode 100644
index 00000000..bcde014c
--- /dev/null
+++ b/doc/source/developer-notes/V-38460.rst
@@ -0,0 +1,4 @@
+The Ansible tasks will chek for ``all_squash`` in ``/etc/exports`` (if it is
+present). If found, a warning message will be printed. No configuration
+changes will be made since neither Ubuntu or openstack-ansible configures
+the NFS server by default.
diff --git a/doc/source/developer-notes/V-38461.rst b/doc/source/developer-notes/V-38461.rst
new file mode 100644
index 00000000..b10c0988
--- /dev/null
+++ b/doc/source/developer-notes/V-38461.rst
@@ -0,0 +1,2 @@
+Ubuntu sets the mode of ``/etc/group`` to ``0644`` by default and the Ansible
+task will ensure that it is current set to those permissions.
diff --git a/doc/source/developer-notes/V-38462.rst b/doc/source/developer-notes/V-38462.rst
new file mode 100644
index 00000000..13834fd1
--- /dev/null
+++ b/doc/source/developer-notes/V-38462.rst
@@ -0,0 +1,9 @@
+Ubuntu checks packages against GPG signatures by default. It can be turned
+off for all package installations by a setting in /etc/apt/apt.conf.d/ and we
+search for that in the Ansible task. A warning is printed if the
+``AllowUnauthenticated`` configuration option is present in the apt
+configuration directories.
+
+Please note that users can pass an argument on the apt command line
+to bypass the checks as well, but that's outside the scope of this check
+and remediation.
diff --git a/doc/source/developer-notes/V-38463.rst b/doc/source/developer-notes/V-38463.rst
new file mode 100644
index 00000000..91a1a032
--- /dev/null
+++ b/doc/source/developer-notes/V-38463.rst
@@ -0,0 +1,8 @@
+**Exception**
+
+Configuring a separate partition for ``/var/log`` is currently left up to the
+deployer. There are security and operational benefits that come from the
+change, but it must be done when the system is initially installed.
+
+Deployers are urged to consider making a separate partition for ``/var/log``
+during OS installation.
diff --git a/doc/source/developer-notes/V-38464.rst b/doc/source/developer-notes/V-38464.rst
new file mode 100644
index 00000000..26b7e283
--- /dev/null
+++ b/doc/source/developer-notes/V-38464.rst
@@ -0,0 +1,16 @@
+Ubuntu's default for ``disk_error_action`` is ``SUSPEND``, which actually
+only suspends audit logging. That could be a security issue, so ``SYSLOG``
+is recommended and is set by default be openstack-ansible-security. There
+are additional options available, like ``EXEC``, ``SINGLE`` or ``HALT``.
+
+To configure a different ``disk_error_action``, set the following Ansible
+variable:
+
+.. code-block:: yaml
+
+ disk_error_action = SYSLOG
+
+For details on available settings and what they do, run ``man auditd.conf``.
+Some options can cause the host to go offline until the issue is fixed.
+Deployers are urged to **carefully read the auditd documentation** prior to
+changing the ``disk_error_action`` setting from the default.
diff --git a/doc/source/developer-notes/V-38465.rst b/doc/source/developer-notes/V-38465.rst
new file mode 100644
index 00000000..0afc2ad4
--- /dev/null
+++ b/doc/source/developer-notes/V-38465.rst
@@ -0,0 +1,5 @@
+**Exception**
+
+Ubuntu 14.04 sets library files to have ``0755`` (or more restrictive)
+permissions by default. Deployers are urged to review the permissions
+of libraries regularly to ensure the system hasn't been altered.
diff --git a/doc/source/developer-notes/V-38466.rst b/doc/source/developer-notes/V-38466.rst
new file mode 100644
index 00000000..972ecdde
--- /dev/null
+++ b/doc/source/developer-notes/V-38466.rst
@@ -0,0 +1,5 @@
+**Exception**
+
+As with V-38465, Ubuntu sets the ownership of library files to root by
+default. Deployers are urged to configure monitoring for changes to these
+files.
diff --git a/doc/source/developer-notes/V-38467.rst b/doc/source/developer-notes/V-38467.rst
new file mode 100644
index 00000000..88931522
--- /dev/null
+++ b/doc/source/developer-notes/V-38467.rst
@@ -0,0 +1,4 @@
+**Exception**
+
+Storing audit logs on a separate partition is recommended, but this change
+is left up to deployers to configure during the installation of the OS.
diff --git a/doc/source/developer-notes/V-38468.rst b/doc/source/developer-notes/V-38468.rst
new file mode 100644
index 00000000..b33ecdf6
--- /dev/null
+++ b/doc/source/developer-notes/V-38468.rst
@@ -0,0 +1,19 @@
+Ubuntu's default for ``disk_full_action`` is ``SUSPEND``, which actually
+only suspends audit logging. That could be a security issue, so ``SYSLOG``
+is recommended and is set by default be openstack-ansible-security. If syslog
+messages are being sent to remote servers, these log messages should alert
+an administrator about the disk being full. There are additional options
+available, like ``EXEC``, ``SINGLE`` or ``HALT``.
+
+To configure a different ``disk_full_action``, set the following Ansible
+variable:
+
+.. code-block:: yaml
+
+ disk_full_action = SYSLOG
+
+For details on available settings and what they do, run ``man auditd.conf``.
+Some options can cause the host to go offline until the issue is fixed.
+Deployers are urged to **carefully read the auditd documentation** prior to
+changing the ``disk_full_action`` setting from the default.
+
diff --git a/doc/source/developer-notes/V-38469.rst b/doc/source/developer-notes/V-38469.rst
new file mode 100644
index 00000000..36e64026
--- /dev/null
+++ b/doc/source/developer-notes/V-38469.rst
@@ -0,0 +1,5 @@
+**Exception**
+
+Ubuntu sets the permissions for system commands to ``0755`` or less already.
+Deployers are urged to review these permissions for changes over time as they
+can be a sign of a compromise.
diff --git a/doc/source/developer-notes/V-38470.rst b/doc/source/developer-notes/V-38470.rst
new file mode 100644
index 00000000..3a7a3cff
--- /dev/null
+++ b/doc/source/developer-notes/V-38470.rst
@@ -0,0 +1,18 @@
+Ubuntu's default for ``space_left_action`` is ``SUSPEND``, which actually
+only suspends audit logging. That could be a security issue, so ``SYSLOG``
+is recommended and is set by default be openstack-ansible-security. If syslog
+messages are being sent to remote servers, these log messages should alert
+an administrator about the disk being almost full. There are additional options
+available, like ``EXEC``, ``SINGLE`` or ``HALT``.
+
+To configure a different ``space_left_action``, set the following Ansible
+variable:
+
+.. code-block:: yaml
+
+ space_left_action = SYSLOG
+
+For details on available settings and what they do, run ``man auditd.conf``.
+Some options can cause the host to go offline until the issue is fixed.
+Deployers are urged to **carefully read the auditd documentation** prior to
+changing the ``space_left_action`` setting from the default.
diff --git a/doc/source/developer-notes/V-38471.rst b/doc/source/developer-notes/V-38471.rst
new file mode 100644
index 00000000..64c61b21
--- /dev/null
+++ b/doc/source/developer-notes/V-38471.rst
@@ -0,0 +1,4 @@
+An Ansible task will adjust ``active`` from `no` to `yes` in
+``/etc/audisp/plugins.d/syslog.conf`` so that auditd records are forwarded to
+syslog automatically. The auditd daemon will be restarted if the configuration
+file is changed.
diff --git a/doc/source/developer-notes/V-38472.rst b/doc/source/developer-notes/V-38472.rst
new file mode 100644
index 00000000..ab8da360
--- /dev/null
+++ b/doc/source/developer-notes/V-38472.rst
@@ -0,0 +1,5 @@
+**Exception**
+
+Ubuntu sets system commands to be owned by root by default Deployers are
+urged to review ownership changes via auditd rules to ensure system
+commands haven't changed ownership over time.
diff --git a/doc/source/developer-notes/V-38473.rst b/doc/source/developer-notes/V-38473.rst
new file mode 100644
index 00000000..10f99698
--- /dev/null
+++ b/doc/source/developer-notes/V-38473.rst
@@ -0,0 +1,4 @@
+**Exception**
+
+Creating ``/home`` on a different partition is highly recommended but it is
+left to deployers to configure during the installation of the OS.
diff --git a/doc/source/developer-notes/V-38474.rst b/doc/source/developer-notes/V-38474.rst
new file mode 100644
index 00000000..e6e70aff
--- /dev/null
+++ b/doc/source/developer-notes/V-38474.rst
@@ -0,0 +1,4 @@
+**Exception**
+
+The openstack-ansible roles don't install X by default, so there is no
+graphical desktop to configure.
diff --git a/doc/source/developer-notes/V-38475.rst b/doc/source/developer-notes/V-38475.rst
new file mode 100644
index 00000000..2a5dc965
--- /dev/null
+++ b/doc/source/developer-notes/V-38475.rst
@@ -0,0 +1,12 @@
+**Configuration required**
+
+Ubuntu 14.04 does not set a password length requirement by default. The STIG
+recommends passwords to be a minimum of 14 characters in length. To apply this
+setting, set the following Ansible variable:
+
+.. code-block:: yaml
+
+ password_minimum_length: 14
+
+Deployers are urged to avoid the use of passwords and rely upon SSH keys if
+possible.
diff --git a/doc/source/developer-notes/V-38476.rst b/doc/source/developer-notes/V-38476.rst
new file mode 100644
index 00000000..26f82492
--- /dev/null
+++ b/doc/source/developer-notes/V-38476.rst
@@ -0,0 +1,21 @@
+The STIG talks about yum having the RHN GPG keys installed, but this
+requirement has been adapted to check for the Ubuntu signing keys normally
+present in Ubuntu 14.04.
+
+See ``tasks/apt.yml`` for more details::
+
+ # apt-key list
+ /etc/apt/trusted.gpg
+ --------------------
+ pub 1024D/437D05B5 2004-09-12
+ uid Ubuntu Archive Automatic Signing Key
+ sub 2048g/79164387 2004-09-12
+
+ pub 1024D/FBB75451 2004-12-30
+ uid Ubuntu CD Image Automatic Signing Key
+
+ pub 4096R/C0B21F32 2012-05-11
+ uid Ubuntu Archive Automatic Signing Key (2012)
+
+ pub 4096R/EFE21092 2012-05-11
+ uid Ubuntu CD Image Automatic Signing Key (2012)
diff --git a/doc/source/developer-notes/V-38477.rst b/doc/source/developer-notes/V-38477.rst new file mode 100644 index 00000000..7df792fa --- /dev/null +++ b/doc/source/developer-notes/V-38477.rst @@ -0,0 +1,10 @@ +**Configuration required** + +Ubuntu doesn't set a limitation on how frequently uses can change passwords. +However, the STIG recommends setting a limit of one password change per day. + +To enable this configuration, use this Ansible variable: + +.. code-block:: yaml + + password_minimum_days: 14 diff --git a/doc/source/developer-notes/V-38478.rst b/doc/source/developer-notes/V-38478.rst new file mode 100644 index 00000000..84e8ee7d --- /dev/null +++ b/doc/source/developer-notes/V-38478.rst @@ -0,0 +1,4 @@ +**Exception** + +Ubuntu doesn't use the Red Hat Network Service, so this requirement doesn't +apply. diff --git a/doc/source/developer-notes/V-38479.rst b/doc/source/developer-notes/V-38479.rst new file mode 100644 index 00000000..16d75124 --- /dev/null +++ b/doc/source/developer-notes/V-38479.rst @@ -0,0 +1,12 @@ +**Configuration required** + +Ubuntu doesn't set a limitation on the age of passwords. +However, the STIG recommends setting a limit of 60 days before a password must +be changed. + +To enable this configuration, use this Ansible variable: + +.. code-block:: yaml + + password_maximum_days: 60 + diff --git a/doc/source/developer-notes/V-38480.rst b/doc/source/developer-notes/V-38480.rst new file mode 100644 index 00000000..3ad15a57 --- /dev/null +++ b/doc/source/developer-notes/V-38480.rst @@ -0,0 +1,10 @@ +**Configuration required** + +After enabling password age limits in V-38479, be sure to configure +warnings for users so they know when their password is approaching expiration. +STIG's recommendation is seven days prior to the expiration. Use an Ansible +variable to configure the warning: + +.. code-block:: yaml + + password_warn_age: 7 
diff --git a/doc/source/developer-notes/V-38481.rst b/doc/source/developer-notes/V-38481.rst new file mode 100644 index 00000000..41749604 --- /dev/null +++ b/doc/source/developer-notes/V-38481.rst @@ -0,0 +1,10 @@ +**Exception** + +Operating system patching is left up to the deployer to configure based on +their business requirements and toleration for risk. Enabling automated +updates in Ubuntu can be done with changes to the apt configuration. + +Ubuntu's documentation on `automatic updates`_ covers a few options for +configuring apt. + +.. _automatic_updates: https://help.ubuntu.com/lts/serverguide/automatic-updates.html diff --git a/doc/source/developer-notes/V-38482.rst b/doc/source/developer-notes/V-38482.rst new file mode 100644 index 00000000..344697e5 --- /dev/null +++ b/doc/source/developer-notes/V-38482.rst @@ -0,0 +1,10 @@ +**Exception** + +Password complexity requirements are left up to the deployer. Deployers are +urged to rely on SSH keys as often as possible to avoid problems with +passwords. + +Review the pam_cracklib documentation by running ``man pam_cracklib`` or +read the `detailed documentation from Hal Pomeranz`_. + +.. _detailed documentation from Hal Pomeranz: http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html diff --git a/doc/source/developer-notes/V-38483.rst b/doc/source/developer-notes/V-38483.rst new file mode 100644 index 00000000..071c1b7e --- /dev/null +++ b/doc/source/developer-notes/V-38483.rst @@ -0,0 +1,3 @@ +The Ansible task for V-38462 already checks for apt configurations that would +disable any GPG checks when installing packages. However, it's possible for +the root user to override these configurations via command line parameters. diff --git a/doc/source/developer-notes/V-38484.rst b/doc/source/developer-notes/V-38484.rst new file mode 100644 index 00000000..ad9eb08c --- /dev/null +++ b/doc/source/developer-notes/V-38484.rst 
@@ -0,0 +1,3 @@
+Ubuntu 14.04 already enables the display of the last successful login for a
+user immediately after login. An Ansible task ensures this setting is
+applied and restarts the ssh daemon if necessary.
diff --git a/doc/source/developer-notes/V-38486.rst b/doc/source/developer-notes/V-38486.rst
new file mode 100644
index 00000000..df0448e0
--- /dev/null
+++ b/doc/source/developer-notes/V-38486.rst
@@ -0,0 +1,5 @@
+**Exception**
+
+System backups are left to the deployer to configure. Deployers are stringly
+urged to maintain backups of each system, including log files and critical
+configuration information.
diff --git a/doc/source/developer-notes/V-38487.rst b/doc/source/developer-notes/V-38487.rst
new file mode 100644
index 00000000..071c1b7e
--- /dev/null
+++ b/doc/source/developer-notes/V-38487.rst
@@ -0,0 +1,3 @@
+The Ansible task for V-38462 already checks for apt configurations that would
+disable any GPG checks when installing packages. However, it's possible for
+the root user to override these configurations via command line parameters.
diff --git a/doc/source/developer-notes/V-38488.rst b/doc/source/developer-notes/V-38488.rst
new file mode 100644
index 00000000..df0448e0
--- /dev/null
+++ b/doc/source/developer-notes/V-38488.rst
@@ -0,0 +1,5 @@
+**Exception**
+
+System backups are left to the deployer to configure. Deployers are stringly
+urged to maintain backups of each system, including log files and critical
+configuration information.
diff --git a/doc/source/developer-notes/V-38489.rst b/doc/source/developer-notes/V-38489.rst
new file mode 100644
index 00000000..cf8d9110
--- /dev/null
+++ b/doc/source/developer-notes/V-38489.rst
@@ -0,0 +1 @@
+The ``aide`` package will be installed by Ansible tasks.
diff --git a/doc/source/developer-notes/V-38490.rst b/doc/source/developer-notes/V-38490.rst
new file mode 100644
index 00000000..65fe8dab
--- /dev/null
+++ b/doc/source/developer-notes/V-38490.rst
@@ -0,0 +1,9 @@
+**Exception**
+
+Disabling the ``usb-storage`` module can add extra security, but it's not
+necessary on most systems. To disable the ``usb-storage`` module on hosts,
+set ``disable_usb_storage`` to ``yes``:
+
+.. code-block:: yaml
+
+ disable_usb_storage: yes
diff --git a/doc/source/developer-notes/V-38491.rst b/doc/source/developer-notes/V-38491.rst
new file mode 100644
index 00000000..bdaf6189
--- /dev/null
+++ b/doc/source/developer-notes/V-38491.rst
@@ -0,0 +1,4 @@
+The Ansible task will check for the presence of ``/etc/hosts.equiv`` and
+``/root/.rhosts``. Both of those files could potentially be used with ``rsh``
+for host access, but ``rshd`` is not installed by default with Ubuntu 14.04
+or openstack-ansible.
diff --git a/doc/source/developer-notes/V-38492.rst b/doc/source/developer-notes/V-38492.rst
new file mode 100644
index 00000000..9e10f5ee
--- /dev/null
+++ b/doc/source/developer-notes/V-38492.rst
@@ -0,0 +1,2 @@
+The virtual consoles mentioned in V-38492 aren't used in Ubuntu 14.04 by
+default.
diff --git a/doc/source/developer-notes/V-38493.rst b/doc/source/developer-notes/V-38493.rst
new file mode 100644
index 00000000..084043b1
--- /dev/null
+++ b/doc/source/developer-notes/V-38493.rst
@@ -0,0 +1,3 @@
+Ubuntu 14.04 sets the mode of ``/var/log/audit/`` to ``0750`` by default. The
+Ansible task for this requirement ensures that the mode is ``0750`` (which
+is more strict than the STIG requirement).
diff --git a/doc/source/developer-notes/V-38494.rst b/doc/source/developer-notes/V-38494.rst
new file mode 100644
index 00000000..092a8113
--- /dev/null
+++ b/doc/source/developer-notes/V-38494.rst
@@ -0,0 +1,7 @@
+**Exception**
+
+Removing serial consoles from ``/etc/securetty`` can make troubleshooting
+a server extremely difficult. Deployers are urged to use strong physical
+security practices to prevent unauthorized users from gaining physical access
+to critical hosts. In addition, out-of-band systems that allow for serial
+over LAN access should also be heavily secured.
diff --git a/doc/source/developer-notes/V-38495.rst b/doc/source/developer-notes/V-38495.rst
new file mode 100644
index 00000000..f6c42e3a
--- /dev/null
+++ b/doc/source/developer-notes/V-38495.rst
@@ -0,0 +1,2 @@
+The Ansible tasks will ensure that files in ``/var/log/audit`` are owned
+by the root user.
diff --git a/doc/source/developer-notes/V-38497.rst b/doc/source/developer-notes/V-38497.rst
new file mode 100644
index 00000000..8c4bc5fc
--- /dev/null
+++ b/doc/source/developer-notes/V-38497.rst
@@ -0,0 +1,5 @@
+Making adjustments to PAM configuration can be **very dangerous** for a
+production system, so the Ansible task runs a check for text matching
+``nullok`` in ``/etc/pam.d/common-auth`` (different than
+``/etc/pam.d/system-auth`` found in RHEL 6) and prints a warning if it is
+found.
diff --git a/doc/source/developer-notes/V-38499.rst b/doc/source/developer-notes/V-38499.rst
new file mode 100644
index 00000000..00a1219d
--- /dev/null
+++ b/doc/source/developer-notes/V-38499.rst
@@ -0,0 +1,2 @@
+The Ansible task will search for password hashes in ``/etc/passwd`` using
+awk and report a failure if any are found.
diff --git a/doc/source/developer-notes/V-38522.rst b/doc/source/developer-notes/V-38522.rst
new file mode 100644
index 00000000..1fb1e67a
--- /dev/null
+++ b/doc/source/developer-notes/V-38522.rst
@@ -0,0 +1 @@
+Rules are added for auditing changes to system time made via ``settimeofday``.
diff --git a/doc/source/developer-notes/V-38525.rst b/doc/source/developer-notes/V-38525.rst
new file mode 100644
index 00000000..eb832856
--- /dev/null
+++ b/doc/source/developer-notes/V-38525.rst
@@ -0,0 +1 @@
+Rules are added for auditing changes to system time done via ``stime``.
diff --git a/doc/source/developer-notes/V-38527.rst b/doc/source/developer-notes/V-38527.rst
new file mode 100644
index 00000000..26fb737f
--- /dev/null
+++ b/doc/source/developer-notes/V-38527.rst
@@ -0,0 +1,2 @@
+Rules are added for auditing changes to system time done via
+``clock_settime``.
diff --git a/doc/source/developer-notes/V-38530.rst b/doc/source/developer-notes/V-38530.rst
new file mode 100644
index 00000000..3c3b37c9
--- /dev/null
+++ b/doc/source/developer-notes/V-38530.rst
@@ -0,0 +1,2 @@
+Rules are added to auditd to log all attempts to change the system time using
+``/etc/localtime``.
diff --git a/doc/source/developer-notes/V-38531.rst b/doc/source/developer-notes/V-38531.rst
new file mode 100644
index 00000000..c3ef2294
--- /dev/null
+++ b/doc/source/developer-notes/V-38531.rst
@@ -0,0 +1,3 @@
+**Exception**
+
+The audit rules from V-38534 already cover all account modifications.
diff --git a/doc/source/developer-notes/V-38534.rst b/doc/source/developer-notes/V-38534.rst
new file mode 100644
index 00000000..7a16b83c
--- /dev/null
+++ b/doc/source/developer-notes/V-38534.rst
@@ -0,0 +1,3 @@
+Audit rules are added in a task so that any events associated with
+account modifications are logged. The new audit rule will be loaded immediately
+with ``augenrules --load``.
diff --git a/doc/source/developer-notes/V-38536.rst b/doc/source/developer-notes/V-38536.rst
new file mode 100644
index 00000000..c3ef2294
--- /dev/null
+++ b/doc/source/developer-notes/V-38536.rst
@@ -0,0 +1,3 @@
+**Exception**
+
+The audit rules from V-38534 already cover all account modifications.
diff --git a/doc/source/developer-notes/V-38538.rst b/doc/source/developer-notes/V-38538.rst
new file mode 100644
index 00000000..c3ef2294
--- /dev/null
+++ b/doc/source/developer-notes/V-38538.rst
@@ -0,0 +1,3 @@
+**Exception**
+
+The audit rules from V-38534 already cover all account modifications.
diff --git a/doc/source/developer-notes/V-38540.rst b/doc/source/developer-notes/V-38540.rst
new file mode 100644
index 00000000..6a356ed1
--- /dev/null
+++ b/doc/source/developer-notes/V-38540.rst
@@ -0,0 +1,3 @@
+Rules are added for auditing network configuration changes. The path to
+Ubuntu's standard network configuration location has replaced the path
+to Red Hat's default network configuration location.
diff --git a/doc/source/developer-notes/V-38541.rst b/doc/source/developer-notes/V-38541.rst
new file mode 100644
index 00000000..2b070433
--- /dev/null
+++ b/doc/source/developer-notes/V-38541.rst
@@ -0,0 +1,5 @@
+The RHEL 6 STIG requires that changes to SELinux policies and configuration are
+audited. However, Ubuntu's preference for Mandatory Access Control (MAC) is
+AppArmor and openstack-ansible configures AppArmor by default.
+
+This requirement has been modified to fit AppArmor on an Ubuntu system.
diff --git a/doc/source/developer-notes/V-38547.rst b/doc/source/developer-notes/V-38547.rst
new file mode 100644
index 00000000..4a4f9c0e
--- /dev/null
+++ b/doc/source/developer-notes/V-38547.rst
@@ -0,0 +1,2 @@
+Rules are added for auditd to log discretionary access control permission
+changes done with fchmod.
diff --git a/doc/source/developer-notes/V-38550.rst b/doc/source/developer-notes/V-38550.rst
new file mode 100644
index 00000000..7fae784a
--- /dev/null
+++ b/doc/source/developer-notes/V-38550.rst
@@ -0,0 +1,2 @@
+Rules are added for auditing discretionary access control changes made via
+fchmodat.
diff --git a/doc/source/developer-notes/V-38551.rst b/doc/source/developer-notes/V-38551.rst
new file mode 100644
index 00000000..031ababd
--- /dev/null
+++ b/doc/source/developer-notes/V-38551.rst
@@ -0,0 +1,18 @@
+**Exception**
+
+Filtering IPv6 traffic is left up to the deployer to implement. The
+openstack-ansible roles don't configure IPv6 (at this time) and adding
+persistent ip6tables rules could harm a running system.
+
+However, deployers are strongly recommended to implement IPv6 filtering at the
+edges of the network via network devices. In addition, deployers should be
+aware that link-local IPv6 addresses are configured automatcally by the system
+and those addresses could open up new network paths for future attacks.
+
+For example, if IPv4 access was tightly controlled and segmented, hosts and/or
+containers could possibly communicate across these boundaries using IPv6
+link-local addresses. For more detailed information on this security topic,
+review Cisco's documentation titled `IPv6 Security Brief`_ that is available
+on their website.
+
+.. _IPv6 Security Brief: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-678658.html
diff --git a/doc/source/developer-notes/V-38552.rst b/doc/source/developer-notes/V-38552.rst
new file mode 100644
index 00000000..363ed3ab
--- /dev/null
+++ b/doc/source/developer-notes/V-38552.rst
@@ -0,0 +1,2 @@
+Rules are added for auditing discretionary access control changes
+made by fchown.
diff --git a/doc/source/developer-notes/V-38556.rst b/doc/source/developer-notes/V-38556.rst
new file mode 100644
index 00000000..325f654e
--- /dev/null
+++ b/doc/source/developer-notes/V-38556.rst
@@ -0,0 +1,2 @@
+Rules are added for auditing discretionary access control changes made
+by fremovexattr.
diff --git a/doc/source/developer-notes/V-38557.rst b/doc/source/developer-notes/V-38557.rst
new file mode 100644
index 00000000..723f4466
--- /dev/null
+++ b/doc/source/developer-notes/V-38557.rst
@@ -0,0 +1,2 @@
+Rules are added for auditing discretionary access control changes made via
+``fsetxattr``.
diff --git a/doc/source/developer-notes/V-38558.rst b/doc/source/developer-notes/V-38558.rst
new file mode 100644
index 00000000..e58996c9
--- /dev/null
+++ b/doc/source/developer-notes/V-38558.rst
@@ -0,0 +1,2 @@
+Rules are added for auditing discretionary access control changes made via
+``lchown``.
diff --git a/doc/source/developer-notes/V-38559.rst b/doc/source/developer-notes/V-38559.rst
new file mode 100644
index 00000000..540899ed
--- /dev/null
+++ b/doc/source/developer-notes/V-38559.rst
@@ -0,0 +1,2 @@
+Rules are added for auditing discretionary access control changes made via
+``lremovexattr``.
diff --git a/doc/source/developer-notes/V-38561.rst b/doc/source/developer-notes/V-38561.rst
new file mode 100644
index 00000000..62d92c26
--- /dev/null
+++ b/doc/source/developer-notes/V-38561.rst
@@ -0,0 +1,3 @@
+Rules are added to auditd to log all DAC modifications using `lsetxattr`_.
+
+.. _lsetxattr: http://linux.die.net/man/2/lsetxattr
diff --git a/doc/source/developer-notes/V-38563.rst b/doc/source/developer-notes/V-38563.rst
new file mode 100644
index 00000000..09642b61
--- /dev/null
+++ b/doc/source/developer-notes/V-38563.rst
@@ -0,0 +1,3 @@
+Audit rules are added in a task so that any events associated with the
+discretionary access controls (DAC) permission modifications are logged.
+The new audit rule will be loaded immediately with ``augenrules --load``.
diff --git a/doc/source/developer-notes/V-38565.rst b/doc/source/developer-notes/V-38565.rst
new file mode 100644
index 00000000..6e6694f5
--- /dev/null
+++ b/doc/source/developer-notes/V-38565.rst
@@ -0,0 +1,4 @@
+Rules are added so that all permission modifications made via `setxattr`_ are
+logged.
+
+.. _setxattr: http://man7.org/linux/man-pages/man2/setxattr.2.html
diff --git a/doc/source/developer-notes/V-38566.rst b/doc/source/developer-notes/V-38566.rst
new file mode 100644
index 00000000..7ea51e0a
--- /dev/null
+++ b/doc/source/developer-notes/V-38566.rst
@@ -0,0 +1 @@
+Rules are added for auditd to log failed access attempts to files and programs.
diff --git a/doc/source/developer-notes/V-38567.rst b/doc/source/developer-notes/V-38567.rst
new file mode 100644
index 00000000..7b598281
--- /dev/null
+++ b/doc/source/developer-notes/V-38567.rst
@@ -0,0 +1,6 @@
+**Exception**
+
+Keeping the list of setuid/setgid applications up to date and adding the paths
+to those files within the ``audit.rules`` file is challenging. Deployers are
+urged to use setuid/setgid sparingly and carefully monitor all applications
+with those permissions set.
diff --git a/doc/source/developer-notes/V-38568.rst b/doc/source/developer-notes/V-38568.rst
new file mode 100644
index 00000000..6b50b462
--- /dev/null
+++ b/doc/source/developer-notes/V-38568.rst
@@ -0,0 +1 @@
+Rules are added for auditd to log successful filesystem mounts.
diff --git a/doc/source/developer-notes/V-38575.rst b/doc/source/developer-notes/V-38575.rst
new file mode 100644
index 00000000..83a6edc2
--- /dev/null
+++ b/doc/source/developer-notes/V-38575.rst
@@ -0,0 +1 @@
+Rules are added for auditing deletions of files and programs.
diff --git a/doc/source/developer-notes/V-38578.rst b/doc/source/developer-notes/V-38578.rst
new file mode 100644
index 00000000..4e89e176
--- /dev/null
+++ b/doc/source/developer-notes/V-38578.rst
@@ -0,0 +1 @@
+Rules are added to audit changes to ``/etc/sudoers``.
diff --git a/doc/source/developer-notes/V-38581.rst b/doc/source/developer-notes/V-38581.rst
new file mode 100644
index 00000000..f602bf2d
--- /dev/null
+++ b/doc/source/developer-notes/V-38581.rst
@@ -0,0 +1 @@
+The group ownership for ``/boot/grub/grub.cfg`` will be set to `root`.
diff --git a/doc/source/developer-notes/V-38582.rst b/doc/source/developer-notes/V-38582.rst
new file mode 100644
index 00000000..316cf331
--- /dev/null
+++ b/doc/source/developer-notes/V-38582.rst
@@ -0,0 +1,9 @@
+If the ``xinetd`` package is installed, it will be stopped immediately and
+will not start on the next boot. No action is taken if xinetd isn't installed.
+
+To opt-out of this change, simply adjust the following configuration item to
+``no``:
+
+.. code-block:: yaml
+
+ disable_services['xinetd'] = no
diff --git a/doc/source/developer-notes/V-38583.rst b/doc/source/developer-notes/V-38583.rst
new file mode 100644
index 00000000..e36b6259
--- /dev/null
+++ b/doc/source/developer-notes/V-38583.rst
@@ -0,0 +1 @@
+The permissions on ``/boot/grub/grub.cfg`` will be set to ``0644``.
diff --git a/doc/source/developer-notes/V-38584.rst b/doc/source/developer-notes/V-38584.rst
new file mode 100644
index 00000000..3d5821d1
--- /dev/null
+++ b/doc/source/developer-notes/V-38584.rst
@@ -0,0 +1,7 @@
+The ``xinetd`` service will be removed by the Ansible tasks, if it is
+installed. To opt-out of this change, adjust the following variable
+to ``no``:
+
+.. code-block:: yaml
+
+ remove_services['xinetd'] = no
diff --git a/doc/source/developer-notes/V-38585.rst b/doc/source/developer-notes/V-38585.rst
new file mode 100644
index 00000000..a741c460
--- /dev/null
+++ b/doc/source/developer-notes/V-38585.rst
@@ -0,0 +1,6 @@
+**Exception**
+
+Configuring a password for the bootloader is left up to the deployer to
+configure. Each deployer should consider the potential damage to their
+system should someone gain unauthorized physical access at the server
+itself or via an out-of-band management solution (like IPMI, DRAC, or iLO).
diff --git a/doc/source/developer-notes/V-38586.rst b/doc/source/developer-notes/V-38586.rst
new file mode 100644
index 00000000..be76e902
--- /dev/null
+++ b/doc/source/developer-notes/V-38586.rst
@@ -0,0 +1,7 @@
+**Exception**
+
+As with V-38585, this is left to the deployer to configure bassed on their
+exposure to physical threats. If there is a concern around a user gaining
+unauthorized physical access and/or gaining access through an out-of-band
+access mechanism, deployers are strongly urged to consider applying this
+security configuration.
diff --git a/doc/source/developer-notes/V-38587.rst b/doc/source/developer-notes/V-38587.rst
new file mode 100644
index 00000000..518b386c
--- /dev/null
+++ b/doc/source/developer-notes/V-38587.rst
@@ -0,0 +1,3 @@
+The telnet server package will be removed by default. To control which
+services will be removed, review the ``remove_services`` list in
+``defaults/main.yml``.
diff --git a/doc/source/developer-notes/V-38588.rst b/doc/source/developer-notes/V-38588.rst
new file mode 100644
index 00000000..029f79e5
--- /dev/null
+++ b/doc/source/developer-notes/V-38588.rst
@@ -0,0 +1,5 @@
+**Exception**
+
+As with V-38585, this configuration is left up to the deployer to determine
+their risk of attacks via physical access or out-of-band access to a server
+console.
diff --git a/doc/source/developer-notes/V-38590.rst b/doc/source/developer-notes/V-38590.rst
new file mode 100644
index 00000000..4662bf00
--- /dev/null
+++ b/doc/source/developer-notes/V-38590.rst
@@ -0,0 +1,8 @@
+**Exception**
+
+While providing text screen locking does add additional security, deployers
+are strongly urged to limit physical access and out-of-band access to
+servers where someone else might be able to join a user's session when
+they step away. In addition, if a user is logging in remotely via ssh,
+they should lock their entire workstation to prevent unauthorized access
+to their system as well as the systems they are actively accessing.
diff --git a/doc/source/developer-notes/V-38591.rst b/doc/source/developer-notes/V-38591.rst
new file mode 100644
index 00000000..665150ca
--- /dev/null
+++ b/doc/source/developer-notes/V-38591.rst
@@ -0,0 +1,2 @@
+The rshd service will be removed by default. To control what services will
+be removed, review the ``remove_services`` list in ``defaults/main.yml``.
diff --git a/doc/source/developer-notes/V-38592.rst b/doc/source/developer-notes/V-38592.rst
new file mode 100644
index 00000000..0ec38280
--- /dev/null
+++ b/doc/source/developer-notes/V-38592.rst
@@ -0,0 +1,9 @@
+**Exception**
+
+Adjusting PAM configurations on a running system carries a fair amount of risk,
+and deployers are urged to rely upon ssh keys or centralized authentication
+for user authentication.
+
+Centralized authentication systems provide a benefit of locking a user's
+account in all systems they have access to, rather than locking access to only
+one system.
diff --git a/doc/source/developer-notes/V-38593.rst b/doc/source/developer-notes/V-38593.rst
new file mode 100644
index 00000000..bd1a290a
--- /dev/null
+++ b/doc/source/developer-notes/V-38593.rst
@@ -0,0 +1,2 @@
+A default warning banner will replace the contents of ``/etc/issue.net``. To
+configure the banner, simply edit ``files/login_banner.txt``.
diff --git a/doc/source/developer-notes/V-38595.rst b/doc/source/developer-notes/V-38595.rst
new file mode 100644
index 00000000..bd257e6a
--- /dev/null
+++ b/doc/source/developer-notes/V-38595.rst
@@ -0,0 +1,4 @@
+**Exception**
+
+Use of additional factors for authentication is left up to the deployer, but
+it is strongly recommended.
diff --git a/doc/source/developer-notes/V-38596.rst b/doc/source/developer-notes/V-38596.rst
new file mode 100644
index 00000000..e2ff4dc1
--- /dev/null
+++ b/doc/source/developer-notes/V-38596.rst
@@ -0,0 +1,3 @@
+The Ansible tasks will set ``kernel.randomize_va_space=2`` immediately and
+will also ensure that the setting is applied on the next boot. This setting
+is currently the default in Ubuntu 14.04.
diff --git a/doc/source/developer-notes/V-38597.rst b/doc/source/developer-notes/V-38597.rst
new file mode 100644
index 00000000..b72fd4e4
--- /dev/null
+++ b/doc/source/developer-notes/V-38597.rst
@@ -0,0 +1,8 @@
+Although Red Hat kernels provide ExecShield, Ubuntu provides Non-Executable
+Memory (NX) support and it is enabled by default. There's not an option
+to enable or disable it.
+
+For more information, refer to `Ubuntu's security feature documentation on
+NX`_.
+
+.. _Ubuntu's security feature documentation on NX: https://wiki.ubuntu.com/Security/Features#nx
diff --git a/doc/source/developer-notes/V-38599.rst b/doc/source/developer-notes/V-38599.rst
new file mode 100644
index 00000000..fdf2b51c
--- /dev/null
+++ b/doc/source/developer-notes/V-38599.rst
@@ -0,0 +1,3 @@
+If the ``vsftpd`` package is installed, a login banner will be applied so that
+users will see if after logging in. This package isn't installed by default
+in Ubuntu 14.04 and it isn't installed by openstack-ansible either.
diff --git a/doc/source/developer-notes/V-38600.rst b/doc/source/developer-notes/V-38600.rst
new file mode 100644
index 00000000..3e5634dc
--- /dev/null
+++ b/doc/source/developer-notes/V-38600.rst
@@ -0,0 +1,4 @@
+The Ansible tasks will disable the sending of ICMPv4 redirects by setting
+the sysctl variable ``net.ipv4.conf.default.send_redirects=0``. However,
+bridging still requires redirects to be enabled, so those interfaces won't
+be affected by this change.
diff --git a/doc/source/developer-notes/V-38601.rst b/doc/source/developer-notes/V-38601.rst
new file mode 100644
index 00000000..9bb669db
--- /dev/null
+++ b/doc/source/developer-notes/V-38601.rst
@@ -0,0 +1 @@
+See the documentation for V-38600 for more details.
diff --git a/doc/source/developer-notes/V-38603.rst b/doc/source/developer-notes/V-38603.rst
new file mode 100644
index 00000000..a2351b94
--- /dev/null
+++ b/doc/source/developer-notes/V-38603.rst
@@ -0,0 +1,7 @@
+The ``nis`` package is Ubuntu's equivalent of Red Hat's ``ypserv`` package.
+The Ansible tasks will remove the ``nis`` package if it is installed. To
+opt-out of this change, adjust the following configuration variable to ``no``:
+
+.. code-block:: yaml
+
+ remove_services['ypserv'] = no
diff --git a/doc/source/developer-notes/V-38604.rst b/doc/source/developer-notes/V-38604.rst
new file mode 100644
index 00000000..4daa8c9e
--- /dev/null
+++ b/doc/source/developer-notes/V-38604.rst
@@ -0,0 +1,6 @@
+**Exception**
+
+The ``ypbind`` service is removed as part of V-38603 where the ``nis`` package
+is removed from the system entirely. Since neither Ubuntu nor
+openstack-ansible install any NIS-related services, this configuration is
+skipped.
diff --git a/doc/source/developer-notes/V-38605.rst b/doc/source/developer-notes/V-38605.rst
new file mode 100644
index 00000000..8977ddb0
--- /dev/null
+++ b/doc/source/developer-notes/V-38605.rst
@@ -0,0 +1,4 @@
+The ``cron`` service is running by default in Ubuntu and is required for
+openstack-ansible's services to function properly. The Ansible tasks in
+this role will ensure that ``cron`` is running and is configured to start
+at boot time.
diff --git a/doc/source/developer-notes/V-38606.rst b/doc/source/developer-notes/V-38606.rst
new file mode 100644
index 00000000..950d3b4d
--- /dev/null
+++ b/doc/source/developer-notes/V-38606.rst
@@ -0,0 +1,6 @@
+The ``tftpd`` package in Ubuntu will be removed. To opt-out, adjust the
+following configuration variable to ``no``:
+
+.. code-block:: yaml
+
+ remove_services['tftp-server'] = no
diff --git a/doc/source/developer-notes/V-38607.rst b/doc/source/developer-notes/V-38607.rst
new file mode 100644
index 00000000..3dcee345
--- /dev/null
+++ b/doc/source/developer-notes/V-38607.rst
@@ -0,0 +1 @@
+The tasks in sshd.yml will ensure that SSH does uses protocol version 2.
\ No newline at end of file
diff --git a/doc/source/developer-notes/V-38608.rst b/doc/source/developer-notes/V-38608.rst
new file mode 100644
index 00000000..b04c3041
--- /dev/null
+++ b/doc/source/developer-notes/V-38608.rst
@@ -0,0 +1,9 @@
+The ``ClientAliveInterval`` in the ssh configuration will be set to 15 minutes
+as recommended by the STIG. However, this time is configurable by setting
+``ssh_client_alive_interval`` to another value, in seconds.
+
+To change to 10 minutes, adjust the configuration item to 600 seconds:
+
+.. code-block:: yaml
+
+ ssh_client_alive_interval = 600
diff --git a/doc/source/developer-notes/V-38609.rst b/doc/source/developer-notes/V-38609.rst
new file mode 100644
index 00000000..a75ea9ca
--- /dev/null
+++ b/doc/source/developer-notes/V-38609.rst
@@ -0,0 +1,3 @@
+The ``tftpd`` service is removed by V-38606 and it is not installed by
+Ubuntu or openstack-ansible by default. For this reason, it's recommended
+to remove the service by using the Ansible task from V-38606.
diff --git a/doc/source/developer-notes/V-38610.rst b/doc/source/developer-notes/V-38610.rst
new file mode 100644
index 00000000..0b43faf1
--- /dev/null
+++ b/doc/source/developer-notes/V-38610.rst
@@ -0,0 +1,8 @@
+The STIG recommends setting ``ClientAliveCountMax`` to ensure that ssh
+connections will close after reaching the ``ClientAliveInterval`` one
+time. To change this setting, simply change this configuration option
+to something other than ``0``:
+
+.. code-block:: yaml
+
+ ssh_client_alive_count_max = 0
diff --git a/doc/source/developer-notes/V-38611.rst b/doc/source/developer-notes/V-38611.rst
new file mode 100644
index 00000000..7bfbec56
--- /dev/null
+++ b/doc/source/developer-notes/V-38611.rst
@@ -0,0 +1,3 @@
+By default, Ubuntu configures the ssh daemon so that rsh's .rhosts files are
+ignored. The Ansible tasks will ensure that this setting hasn't changed
+from the default.
diff --git a/doc/source/developer-notes/V-38612.rst b/doc/source/developer-notes/V-38612.rst
new file mode 100644
index 00000000..7a9c5d12
--- /dev/null
+++ b/doc/source/developer-notes/V-38612.rst
@@ -0,0 +1 @@
+The tasks in sshd.yml will ensure that SSH does not allow host based authentication.
\ No newline at end of file
diff --git a/doc/source/developer-notes/V-38613.rst b/doc/source/developer-notes/V-38613.rst
new file mode 100644
index 00000000..1d445bfb
--- /dev/null
+++ b/doc/source/developer-notes/V-38613.rst
@@ -0,0 +1,15 @@
+Although the STIG recommends disabling root logins via ssh, the default in
+this role is to allow it. The openstack-ansible deployment uses the root
+user by default at this time, but that may change later and allow for this
+configuration to be set.
+
+To disallow root logins via ssh, simply adjust this configuration variable:
+
+.. code-block:: yaml
+
+ ssh_permit_root_login = 'no'
+
+**NOTE:** The quotes around ``'no'`` or ``'yes'`` are very important. Ansible
+will treat ``no`` and ``yes`` as booleans by default and that will cause a
+``True`` to land in your sshd configuration file. This will causes errors
+during sshd's startup.
diff --git a/doc/source/developer-notes/V-38614.rst b/doc/source/developer-notes/V-38614.rst
new file mode 100644
index 00000000..572b1060
--- /dev/null
+++ b/doc/source/developer-notes/V-38614.rst
@@ -0,0 +1 @@
+The tasks in sshd.yml will ensure that SSH does not allow empty passwords.
\ No newline at end of file
diff --git a/doc/source/developer-notes/V-38615.rst b/doc/source/developer-notes/V-38615.rst
new file mode 100644
index 00000000..702271dd
--- /dev/null
+++ b/doc/source/developer-notes/V-38615.rst
@@ -0,0 +1,3 @@
+The ssh daemon will be configured so that a warning banner will be displayed
+after login. To configure the banner, edit the ``files/login_banner.txt``
+file.
diff --git a/doc/source/developer-notes/V-38616.rst b/doc/source/developer-notes/V-38616.rst
new file mode 100644
index 00000000..50c8e6cf
--- /dev/null
+++ b/doc/source/developer-notes/V-38616.rst
@@ -0,0 +1,2 @@
+The ssh daemon will be configured to disallow user environment settings that
+may allow users to bypass access restrictions in some cases.
diff --git a/doc/source/developer-notes/V-38617.rst b/doc/source/developer-notes/V-38617.rst
new file mode 100644
index 00000000..072acace
--- /dev/null
+++ b/doc/source/developer-notes/V-38617.rst
@@ -0,0 +1,2 @@
+The ssh daemon will be configured to use the approved list of ciphers as
+recommended by the STIG.
diff --git a/doc/source/developer-notes/V-38618.rst b/doc/source/developer-notes/V-38618.rst
new file mode 100644
index 00000000..14531666
--- /dev/null
+++ b/doc/source/developer-notes/V-38618.rst
@@ -0,0 +1 @@
+The avahi daemon will be disabled if the package is installed.
diff --git a/doc/source/developer-notes/V-38619.rst b/doc/source/developer-notes/V-38619.rst
new file mode 100644
index 00000000..8e1eecbb
--- /dev/null
+++ b/doc/source/developer-notes/V-38619.rst
@@ -0,0 +1,2 @@
+The Ansible tasks will check for ``.netrc`` files on the system and print
+a failure warning if any are found.
diff --git a/doc/source/developer-notes/V-38620.rst b/doc/source/developer-notes/V-38620.rst
new file mode 100644
index 00000000..64877916
--- /dev/null
+++ b/doc/source/developer-notes/V-38620.rst
@@ -0,0 +1,20 @@
+The ``chrony`` service is installed to manage clock synchronization for hosts
+and to serve as an NTP server for NTP clients. Chrony was chosen over ntpd
+because it's actively maintained and has some enhancements for virtualized
+environments.
+
+There are two configurations available for users to adjust chrony's default
+configuration:
+
+The ``ntp_servers`` variable is a list of NTP servers that
+chrony should use to synchronize time. They are set to North American NTP
+servers by default.
+
+The ``allowed_ntp_subnets`` variable is a list of subnets (in CIDR notation)
+that are allowed to reach your servers running chrony. A sane default is
+chosen (all RFC1918 networks are allowed), but this can be easily adjusted.
+
+For more information on chrony, review the `chrony documentation`_ at the
+upstream site, or run `man chrony` on a host with chrony installed.
+
+.. _chrony documentation: http://chrony.tuxfamily.org/faq.html
diff --git a/doc/source/developer-notes/V-38628.rst b/doc/source/developer-notes/V-38628.rst
new file mode 100644
index 00000000..d45851d7
--- /dev/null
+++ b/doc/source/developer-notes/V-38628.rst
@@ -0,0 +1 @@
+This STIG requirement overlaps with V-38632.
diff --git a/doc/source/developer-notes/V-38631.rst b/doc/source/developer-notes/V-38631.rst
new file mode 100644
index 00000000..d45851d7
--- /dev/null
+++ b/doc/source/developer-notes/V-38631.rst
@@ -0,0 +1 @@
+This STIG requirement overlaps with V-38632.
diff --git a/doc/source/developer-notes/V-38632.rst b/doc/source/developer-notes/V-38632.rst
new file mode 100644
index 00000000..628e3852
--- /dev/null
+++ b/doc/source/developer-notes/V-38632.rst
@@ -0,0 +1,3 @@
+The tasks in auth.yml will install `auditd`_ and ensure it is running.
+
+.. _auditd: http://people.redhat.com/sgrubb/audit/
diff --git a/doc/source/developer-notes/V-38635.rst b/doc/source/developer-notes/V-38635.rst
new file mode 100644
index 00000000..0b3241ab
--- /dev/null
+++ b/doc/source/developer-notes/V-38635.rst
@@ -0,0 +1,3 @@
+Audit rules are added in a task so that any events associated with altering
+system time are logged. The new audit rule will be loaded immediately with
+``augenrules --load``.
diff --git a/doc/source/developer-notes/V-38640.rst b/doc/source/developer-notes/V-38640.rst
new file mode 100644
index 00000000..577c6903
--- /dev/null
+++ b/doc/source/developer-notes/V-38640.rst
@@ -0,0 +1 @@
+services.yml reads a list of services and their desired state from the 'defaults/main.yml' cat3_services variable. With this list the tasks will ensure the services are in the state desired by their corresponding STIG requirement.
\ No newline at end of file
diff --git a/doc/source/developer-notes/V-38641.rst b/doc/source/developer-notes/V-38641.rst
new file mode 100644
index 00000000..577c6903
--- /dev/null
+++ b/doc/source/developer-notes/V-38641.rst
@@ -0,0 +1 @@
+services.yml reads a list of services and their desired state from the 'defaults/main.yml' cat3_services variable. With this list the tasks will ensure the services are in the state desired by their corresponding STIG requirement.
\ No newline at end of file
diff --git a/doc/source/developer-notes/V-38645.rst b/doc/source/developer-notes/V-38645.rst
new file mode 100644
index 00000000..8eff4ebc
--- /dev/null
+++ b/doc/source/developer-notes/V-38645.rst
@@ -0,0 +1,4 @@
+Audit rules are added in a task so that any events associated with the
+discretionary access controls (DAC) permission modifications via chown
+are logged. The new audit rule will be loaded immediately with
+``augenrules --load``.
diff --git a/doc/source/developer-notes/V-38650.rst b/doc/source/developer-notes/V-38650.rst
new file mode 100644
index 00000000..f876925c
--- /dev/null
+++ b/doc/source/developer-notes/V-38650.rst
@@ -0,0 +1,3 @@ +Audit rules are added in a task so that any events associated with the loading +or unloading of a kernel module are logged. The new audit rule will be +loaded immediately with ``augenrules --load``. diff --git a/doc/source/developer-notes/V-38653.rst b/doc/source/developer-notes/V-38653.rst new file mode 100644 index 00000000..d00ca4f3 --- /dev/null +++ b/doc/source/developer-notes/V-38653.rst @@ -0,0 +1,5 @@ +**Exception** + +The openstack-ansible project doesn't install snmpd by default, and neither +does Ubuntu 14.04. Deployers are strongly recommended to use SNMPv3 with +strong passwords for all connectivity if they choose to install snmpd. diff --git a/doc/source/developer-notes/V-38666.rst b/doc/source/developer-notes/V-38666.rst new file mode 100644 index 00000000..585cf5b3 --- /dev/null +++ b/doc/source/developer-notes/V-38666.rst @@ -0,0 +1,10 @@ +**Exception** + +Installing an antivirus program on openstack-ansible infrastructure is left +up to the deployer. There are strong arguments against virus scanners due to +detection failures and performance impacts. + +For deployers who require an antivirus solution, refer to the suggestions and +examples in `Ubuntu's documentation on antivirus software`_. + +.. _Ubuntu's documentation on antivirus software: https://help.ubuntu.com/community/Antivirus diff --git a/doc/source/developer-notes/V-38668.rst b/doc/source/developer-notes/V-38668.rst new file mode 100644 index 00000000..d5e8ec77 --- /dev/null +++ b/doc/source/developer-notes/V-38668.rst @@ -0,0 +1,3 @@ +The control-alt-delete keyboard sequence is disable by an Ansible task in +``/etc/init/control-alt-delete.conf``. A reboot is recommended to apply the +change. diff --git a/doc/source/developer-notes/V-38669.rst b/doc/source/developer-notes/V-38669.rst new file mode 100644 index 00000000..c192168c --- /dev/null +++ b/doc/source/developer-notes/V-38669.rst 
@@ -0,0 +1,4 @@ +The ``postfix`` package will be installed and configured to run at boot time. +Review the documentation for V-38446 to ensure that root's email is +forwarded to an email account that can monitor for critical alerts and other +notifications. diff --git a/doc/source/developer-notes/V-38673.rst b/doc/source/developer-notes/V-38673.rst new file mode 100644 index 00000000..c6b11189 --- /dev/null +++ b/doc/source/developer-notes/V-38673.rst @@ -0,0 +1,8 @@ +**Exception** + +Installing AIDE on Ubuntu isn't an issue, but there's a bug that causes AIDE +to wander into individual LXC infrastructure container filesystems. This +causes AIDE runs to take an extremely long time to complete and also adds +files into AIDE's database that shouldn't be included. + +This security configuration will be revisited at a later date. diff --git a/doc/source/developer-notes/V-38677.rst b/doc/source/developer-notes/V-38677.rst new file mode 100644 index 00000000..183cd2b4 --- /dev/null +++ b/doc/source/developer-notes/V-38677.rst @@ -0,0 +1 @@ +The tasks in nfsd.yml first check to see if the system has nfs exports. If so, it then checks for the presence of 'insecure_locks'. \ No newline at end of file diff --git a/doc/source/developer-notes/V-38701.rst b/doc/source/developer-notes/V-38701.rst new file mode 100644 index 00000000..1ecc417c --- /dev/null +++ b/doc/source/developer-notes/V-38701.rst @@ -0,0 +1,4 @@ +**Exception** + +Neither Ubuntu 14.04 nor openstack-ansible adds a tftp daemon to the system. +The xinetd service is also not installed. diff --git a/doc/source/developer-notes/V-51363.rst b/doc/source/developer-notes/V-51363.rst new file mode 100644 index 00000000..8f44a7d1 --- /dev/null +++ b/doc/source/developer-notes/V-51363.rst 
@@ -0,0 +1,4 @@ +The openstack-ansible project configures AppArmor to limit the actions of +containers and reduce the changes (and potential damages) of a container +breakout. The RHEL 6 STIG mentions SELinux but the existing SELinux policies +provided with Ubuntu aren't as well maintained as those provided with RHEL. diff --git a/doc/source/developer-notes/V-51369.rst b/doc/source/developer-notes/V-51369.rst new file mode 100644 index 00000000..75f8905b --- /dev/null +++ b/doc/source/developer-notes/V-51369.rst @@ -0,0 +1,6 @@ +Although SELinux is available on Ubuntu 14.04, the policies aren't maintained +as well as they are on Red Hat-based systems. The openstack-ansible has +chosen to use the more Ubuntu-compatible Linux security module, AppArmor. + +AppArmor roles are configured in openstack-ansible to limit the chances of +container breakout and the potential damage done in case it does occur. diff --git a/doc/source/getting-started.rst b/doc/source/getting-started.rst new file mode 100644 index 00000000..3541223b --- /dev/null +++ b/doc/source/getting-started.rst @@ -0,0 +1,8 @@ +.. include:: +`Home `__ |raquo| Security hardening for openstack-ansible + +Getting started +=============== + +Content coming soon. It's a bit difficult to add in this role into +openstack-ansible at the moment but that's being fixed soon. diff --git a/doc/source/index.rst b/doc/source/index.rst new file mode 100644 index 00000000..b5712211 --- /dev/null +++ b/doc/source/index.rst 
@@ -0,0 +1,47 @@ +Security hardening for openstack-ansible +======================================== + +The openstack-ansible-security role provides security hardening for `OpenStack`_ +environments deployed with `openstack-ansible`_. The role has multiple goals: + +* Provide additional security in a highly configurable, integrated way +* Make it easier for organizations to meet the requirements of compliance + programs, such as `Payment Card Industry Data Security Standard (PCI-DSS)`_ +* Document all changes to allow deployers to make educated decisions on which + security configuration changes to apply. + +At this time, the role follows the requirements of the US Government's +`Security Technical Implementation Guide (STIG)`_ for Red Hat Enterprise Linux 6. +Since openstack-ansible only supports Ubuntu 14.04 (as of late 2015), many of +the configuration changes in the STIG will be adapted to fit an Ubuntu 14.04 +system. Those adaptations are noted within the playbook tasks themselves and +also within this documentation. + +The easiest method for reviewing the STIG configurations and the relevant +metadata is through the `STIG Viewer`_ service provided by `UCF`_. + +.. _OpenStack: http://www.openstack.org/ +.. _openstack-ansible: http://docs.openstack.org/developer/openstack-ansible/ +.. _Payment Card Industry Data Security Standard (PCI-DSS): https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard +.. _Security Technical Implementation Guide (STIG): https://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide +.. _STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/ +.. _UCF: http://www.unifiedcompliance.com/ + +Table of Contents +================= + +.. toctree:: + :maxdepth: 2 + + getting-started.rst + writing-docs.rst + configurations.rst + + +Indices and tables +================== + +* :ref:`genindex` +* :ref:`modindex` +* :ref:`search` + 
diff --git a/doc/source/writing-docs.rst b/doc/source/writing-docs.rst new file mode 100644 index 00000000..8a828024 --- /dev/null +++ b/doc/source/writing-docs.rst @@ -0,0 +1,12 @@ +.. include:: +`Home `__ |raquo| Security hardening for openstack-ansible + +Writing docs for openstack-ansible-security +=========================================== + +The configurations-cat[number].rst files are automatically generated with the +``stigcsv-to-rst.py`` script and the ``rhel6stig.csv``. + +Each hardening configuration does an import from the developer-notes directory +and looks for a file called ``[STIG_ID].rst``. As an example, the +documentation for V-38476 would live in ``developer-notes/V-38476.rst``. diff --git a/openstack-ansible-security/README.md b/openstack-ansible-security/README.md new file mode 100644 index 00000000..b4de62b2 --- /dev/null +++ b/openstack-ansible-security/README.md @@ -0,0 +1,39 @@ +openstack-ansible-security +========================== + +The goal of the openstack-ansible-security role is to improve security within [openstack-ansible](https://github.com/openstack/openstack-ansible) deployments. The role is based on the [Security Technical Implementation Guide (STIG)](http://iase.disa.mil/stigs/Pages/index.aspx) for [Red Hat Enterprise Linux 6](https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/). + +Requirements +------------ + +This role can be used with or without the openstack-ansible role. It requires +Ansible 1.8 at a minimum. + +Role Variables +-------------- + +All of the variables for this role are in `defaults/main.yml`. + +Dependencies +------------ + +This role has no dependencies. + +Example Playbook +---------------- + +Using the role is fairly straightforward: + + - hosts: servers + roles: + - openstack-ansible-security + +License +------- + +Apache 2.0 + +Author Information +------------------ + +For more information, join `#openstack-ansible` on Freenode. 
diff --git a/openstack-ansible-security/defaults/main.yml b/openstack-ansible-security/defaults/main.yml new file mode 100644 index 00000000..7d247c16 --- /dev/null +++ b/openstack-ansible-security/defaults/main.yml 
@@ -0,0 +1,157 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+cat3_services:
+ - name: abrtd
+ state: stopped
+ enabled: no
+
+ - name: atd
+ state: stopped
+ enabled: no
+
+## Disabling services
+# The STIG recommends ensuring that some services are running if no services
+# utilizing it are enabled. Setting a boolean to 'yes' here will ensure that
+# a service isn't actively running and will not be started after boot-up.
+# Setting a 'no' will ensure that this Ansible role does not alter the service
+# in any way from its current configuration.
+#
+disable_services:
+ abrtd: yes # V-38641
+ atd: yes # V-38640
+ autofs: yes # V-38437
+ avahi: yes # V-31618
+ ypbind: yes # V-38604
+ xinetd: yes # V-38582
+
+## Removing services
+# The STIG recommends ensuring that some services aren't installed at any time.
+# Those services are listed here. Setting a boolean here to 'yes' wiil
+# ensure that the STIG is followed and the service is removed. Setting a
+# boolean to 'no' means that the playbook will not alter the service.
+#
+remove_services:
+ ypserv: yes # V-38603
+ rsh-server: yes # V-38591
+ telnet_server: yes # V-38587
+ tftp-server: yes # V-38606
+ xinetd: yes # V-38584
+
+## Additional rules for auditd
+# The following booleans control the rule sets added to auditd's default
+# set of auditing rules. To see which rules will be added for each boolean,
+# refer to the templates/osas-auditd.j2 file.
+#
+# If the template changes due to booleans being adjusted, the new template
+# will be deployed onto the host and auditd will get the new rules loaded
+# automatically with augenrules.
+#
+auditd_rules:
+ account_modification: yes # V-38531, V-38534, V-38538
+ apparmor_changes: yes # V-38541
+ change_localtime: yes # V-38530
+ change_system_time: yes # V-38635
+ clock_settime: yes # V-38527
+ clock_settimeofday: yes # V-38522
+ clock_stime: yes # V-38525
+ DAC_chmod: yes # V-38543
+ DAC_chown: yes # V-38545
+ DAC_lchown: yes # V-38558
+ DAC_fchmod: yes # V-38547
+ DAC_fchmodat: yes # V-38550
+ DAC_fchown: yes # V-38552
+ DAC_fchownat: yes # V-38554
+ DAC_fremovexattr: yes # V-38556
+ DAC_lremovexattr: yes # V-38559
+ DAC_fsetxattr: yes # V-38557
+ DAC_lsetxattr: yes # V-38561
+ DAC_setxattr: yes # V-38565
+ deletions: yes # V-38575
+ failed_access: yes # V-38566
+ filesystem_mounts: yes # V-38568
+ kernel_modules: yes # V-38580
+ network_changes: yes # V-38540
+ sudoers: yes # V-38578
+
+## SSH configuration
+# The following configuration items will adjust how the ssh daemon is
+# configured. The recommendations from the RHEL 6 STIG are shown below, but
+# they can be adjusted to fit a particular environment.
+#
+# V-38608 - Set a 15 minute time out for SSH sessions if there is no activity
+ssh_client_alive_interval: 900
+# V-38610 - Timeout ssh sessions as soon as ClientAliveInterval is reached once
+ssh_client_alive_count_max: 0
+# V-38613 - The ssh daemon must not permit root logins
+# Deviation from the STIG due to operational requirements in openstack-ansible.
+# See documentation for V-38613 for more details.
+ssh_permit_root_login: 'yes'
+
+## Chrony configuration
+# Adjust the following NTP servers if necessary.
+ntp_servers:
+ - 0.north-america.pool.ntp.org
+ - 1.north-america.pool.ntp.org
+ - 2.north-america.pool.ntp.org
+ - 3.north-america.pool.ntp.org
+# Chrony limits access to clients that are on certain subnets.
Adjust the
+# following subnets here to limit client access to chrony servers.
+allowed_ntp_subnets:
+ - 10/8
+ - 192.168/16
+ - 172.16/12
+
+## Mail configuration
+# Configuring an email address here will cause hosts to forward the root user's
+# email to another address.
+#root_forward_email: user@example.com
+
+## Auditd configuration
+# **DANGER**
+# Set an action to occur when there is a disk error. Review the
+# documentation for V-38464 before changing this option.
+# **DANGER**
+disk_error_action: SYSLOG # V-38464
+# **DANGER**
+# Set an action to occur when the disk is full. Review the documentation for
+# V-38468 before changing this option.
+# **DANGER**
+disk_full_action: SYSLOG # V-38468
+# **DANGER**
+# Set an action to occur when the disk is approaching its capacity.
+# Review the documentation for V-38470 before changing this option.
+# **DANGER**
+space_left_action: SYSLOG # V-38470
+
+## Authentication
+# V-38475 - There is no password length requirement by default in Ubuntu
+# 14.04. To set a password length requirement, uncomment
+# password_minimum_length below. The STIG recommendation is 14 characters.
+#password_minimum_length: 14 # V-38475
+# V-38477 - There is no password change limitation set by default in Ubuntu.
+# To set the minimum number of days between password changes, uncomment
+# the password_minimum_days variable below. The STIG recommendation is 1 day.
+#password_minimum_days: 1 # V-38477
+# V-38479 - There is no age limit on password by default in Ubuntu. Uncomment
+# line below to use the STIG recommendation of 60 days.
+#password_maximum_days: 60 # V-38479
+# V-38480 - To warn users before their password expires, uncomment the line
+# below and they will be warned 7 days prior (following the STIG).
+#password_warn_age: 7 # V-38480
+
+## Kernel modules
+# V-38490 - Set the line below to yes to disable usb-storage
+disable_usb_storage: no
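Review bot: The STIG ID V-38582 is attached to two different controls: `xinetd: yes # V-38582` under disable_services here, and `V-38582 - Bootloader configuration files must have mode 0644 or less` in tasks/boot.yml, so one of them is mislabeled and the generated documentation will pull the wrong developer note for it; check the CSV for the correct ID. `avahi: yes # V-31618` breaks the V-38xxx pattern of every other ID in this file and looks like a transposition — verify it as well. The `disable_services` entries for abrtd and atd duplicate the `cat3_services` list above (which the V-38640/V-38641 developer notes say services.yml consumes), so a deployer who flips one toggle will be surprised by the other; keep one mechanism or add a comment explaining why both exist. Since `ssh_permit_root_login: 'yes'` knowingly weakens a STIG control, it deserves the same `**DANGER**` marker the auditd settings use, not just a pointer to the V-38613 note.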
diff --git a/openstack-ansible-security/files/login_banner.txt b/openstack-ansible-security/files/login_banner.txt new file mode 100644 index 00000000..057856ee --- /dev/null +++ b/openstack-ansible-security/files/login_banner.txt @@ -0,0 +1,6 @@ +------------------------------------------------------------------------------ +* WARNING * +* You are accessing a secured system and your actions will be logged along * +* with identifying information. Disconnect immediately if you are not an * +* authorized user of this system. * +------------------------------------------------------------------------------ diff --git a/openstack-ansible-security/handlers/main.yml b/openstack-ansible-security/handlers/main.yml new file mode 100644 index 00000000..afd1d6fb --- /dev/null +++ b/openstack-ansible-security/handlers/main.yml @@ -0,0 +1,42 @@ +--- +# Copyright 2015, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Restarting services ######################################################## +- name: restart auditd + service: + name: auditd + state: restarted + +- name: restart chrony + service: + name: chrony + state: restarted + +- name: restart ssh + service: + name: ssh + state: restarted + +- name: restart vsftpd + service: + name: vsftpd + state: restarted + +# Miscellaneous ############################################################## +- name: generate auditd rules + command: augenrules --load + +- name: rehash aliases + command: newaliases 
diff --git a/openstack-ansible-security/meta/main.yml b/openstack-ansible-security/meta/main.yml
new file mode 100644
index 00000000..b7f8f827
--- /dev/null
+++ b/openstack-ansible-security/meta/main.yml
@@ -0,0 +1,16 @@
+---
+galaxy_info:
+ author: OpenStack
+ description: Security hardening role for OpenStack Ansible
+ company: OpenStack
+ license: Apache
+ min_ansible_version: 1.8
+ platforms:
+ - name: Ubuntu
+ versions:
+ - trusty
+ categories:
+ - cloud
+ - secuity
+ - system
+dependencies: []
diff --git a/openstack-ansible-security/tasks/apt.yml b/openstack-ansible-security/tasks/apt.yml
new file mode 100644
index 00000000..0b09d76a
--- /dev/null
+++ b/openstack-ansible-security/tasks/apt.yml
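Review bot: `- secuity` in galaxy_info.categories is a typo for `security`; Galaxy presumably matches categories by exact string, so a security-hardening role would not be listed under security. `license: Apache` is also looser than the Apache 2.0 header carried by every task file; `license: Apache-2.0` states it unambiguously.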
@@ -0,0 +1,60 @@ +--- +# Copyright 2015, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Notes for V-38476 ########################################################### +# +# These GPG keys are valid as of Ubuntu 14.04 in late 2015, but they could +# change or additional keys may be added in the future. +# +- name: Gather current GPG keys for apt (for V-38476) + command: apt-key list + register: v38476_result + changed_when: "v38476_result.rc != 0" + +- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. + debug: + msg: "FAILED: Missing Ubuntu 14.04 Archive signing keys" + when: "'437D05B5' not in v38476_result.stdout or 'C0B21F32' not in v38476_result.stdout" + tags: + - apt + - cat1 + - V-38476 + +# Notes for V-38462 ########################################################### +# +# Ubuntu checks packages against GPG signatures by default. It can be turned +# off for all package installations by a setting in /etc/apt/apt.conf.d and we +# search for that here. Users can pass an argument on the apt command line +# to bypass the checks as well, but that's outside the scope of this check +# and remediation. 
+#
+- name: Search for AllowUnauthenticated in /etc/apt/apt.conf.d/ (for V-38462)
+ command: grep -r AllowUnauthenticated /etc/apt/apt.conf.d/
+ register: v38462_result
+ failed_when: "'No such file' in v38462_result.stderr"
+ changed_when: "v38462_result.rc == 0"
+ tags:
+ - auth
+ - cat1
+ - V-38462
+
+- name: V-38462 - Package management tool must verify authenticity of packages
+ debug:
+ msg: "FAILED: Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified."
+ when: "v38462_result.rc == 0"
+ tags:
+ - auth
+ - cat1
+ - V-38462
diff --git a/openstack-ansible-security/tasks/auditd.yml b/openstack-ansible-security/tasks/auditd.yml
new file mode 100644
index 00000000..a78455df
--- /dev/null
+++ b/openstack-ansible-security/tasks/auditd.yml
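Review bot: The `Gather current GPG keys for apt` task has no `tags:` while the V-38476 debug task that reads `v38476_result` is tagged `apt`/`cat1`/`V-38476`, so a run limited with `--tags cat1` or `--tags V-38476` skips the gather step and the consumer fails on an undefined variable; give it the same tag list as the task that consumes its result. `changed_when: "v38476_result.rc != 0"` reports a change exactly when `apt-key list` fails, the inverse of the convention used by the V-38462 check (`changed_when: "v38462_result.rc == 0"`); for a read-only probe `changed_when: false` is the usual choice. The V-38462 check `grep -r AllowUnauthenticated` also matches commented-out lines and an explicit `AllowUnauthenticated "false"`, so compliant hosts will report FAILED; restrict the pattern to the enabling form. The V-38476 check compares 32-bit short key IDs (`437D05B5`, `C0B21F32`); short IDs are known to collide, so comparing full fingerprints would make the control more meaningful as well as more stable.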
@@ -0,0 +1,116 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: V-38631/38632 - The operating system must produce audit records (install auditd)
+ apt:
+ name: auditd
+ state: latest
+ cache_valid_time: 3600
+ update_cache: yes
+ tags:
+ - auditd
+ - cat2
+ - V-38632
+ - V-38631
+
+- name: V-38631/38632 - The operating system must produce audit records (start auditd)
+ service:
+ name: auditd
+ state: started
+ enabled: true
+ tags:
+ - auditd
+ - cat2
+ - V-38632
+ - V-38631
+
+- name: V-38445 - Audit log files must be group-owned by root
+ file:
+ dest: /var/log/audit/
+ group: root
+ recurse: true
+ tags:
+ - auditd
+ - cat2
+ - V-38445
+
+- name: V-38464 - The audit system must take action for disk errors
+ lineinfile:
+ dest: /etc/audit/auditd.conf
+ regexp: "^(#)?disk_error_action"
+ line: "disk_error_action = {{ disk_error_action }}"
+ notify:
+ - restart auditd
+ tags:
+ - auditd
+ - cat2
+ - V-38464
+
+- name: V-38468 - The audit system must take action when the disk is full
+ lineinfile:
+ dest: /etc/audit/auditd.conf
+ regexp: "^(#)?disk_full_action"
+ line: "disk_full_action = {{ disk_full_action }}"
+ notify:
+ - restart auditd
+ tags:
+ - auditd
+ - cat2
+ - V-38468
+
+- name: V-38470 - The audit system must take action when the disk is almost full
+ lineinfile:
+ dest: /etc/audit/auditd.conf
+ regexp: "^(#)?space_left_action"
+ line: "space_left_action = {{ space_left_action }}"
+ notify:
+ - 
restart auditd
+ tags:
+ - auditd
+ - cat2
+ - V-38470
+
+- name: V-38495 - Audit log files must be owned by root
+ file:
+ dest: /var/log/audit/
+ owner: root
+ recurse: true
+ tags:
+ - auditd
+ - cat2
+ - V-38495
+
+- name: Auditd rules (includes several STIGs)
+ template:
+ src: osas-auditd.j2
+ dest: /etc/audit/rules.d/osas-auditd.rules
+ notify:
+ - generate auditd rules
+ tags:
+ - auditd
+ - cat3
+
+- name: V-38471 - Forward auditd records to syslog
+ lineinfile:
+ dest: /etc/audisp/plugins.d/syslog.conf
+ regexp: "^(#)?active"
+ line: "active = yes"
+ state: present
+ notify:
+ - restart auditd
+ tags:
+ - auditd
+ - cat3
+ - V-38471
diff --git a/openstack-ansible-security/tasks/auth.yml b/openstack-ansible-security/tasks/auth.yml
new file mode 100644
index 00000000..465e24ab
--- /dev/null
+++ b/openstack-ansible-security/tasks/auth.yml
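Review bot: `state: latest` on the auditd install task upgrades the package on every run of a hardening role, which is a change-control concern on production hosts; `state: present` satisfies V-38631/V-38632 without pulling unplanned upgrades. The V-38445 and V-38495 tasks each walk /var/log/audit/ recursively to set group and owner separately; one `file` task with `owner: root` and `group: root` does the same work in a single traversal while keeping both IDs in its tags. The `Auditd rules` template task carries no `V-` tag and is tagged `cat3`, although defaults/main.yml maps the rules it renders to controls such as V-38531 and V-38580, so a tag-filtered run cannot select or skip those controls individually. The V-38471 task edits /etc/audisp/plugins.d/syslog.conf but only notifies `restart auditd`; confirm on a trusty host that audispd reloads its plugin configuration on an auditd restart, otherwise a comment documenting the expectation would help.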
@@ -0,0 +1,211 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: V-38475 - Set minimum length for passwords
+ lineinfile:
+ dest: /etc/login.defs
+ regexp: "^(#)?PASS_MIN_LEN"
+ line: "PASS_MIN_LEN {{ password_minimum_length }}"
+ when: password_minimum_length is defined
+ tags:
+ - auth
+ - cat2
+ - V-38475
+
+- name: V-38477 - Set minimum time for password changes
+ lineinfile:
+ dest: /etc/login.defs
+ regexp: "^(#)?PASS_MIN_DAYS"
+ line: "PASS_MIN_DAYS {{ password_minimum_days }}"
+ when: password_minimum_days is defined
+ tags:
+ - auth
+ - cat2
+ - V-38477
+
+- name: V-38479 - Set maximum age for passwords
+ lineinfile:
+ dest: /etc/login.defs
+ regexp: "^(#)?PASS_MAX_DAYS"
+ line: "PASS_MAX_DAYS {{ password_maximum_days }}"
+ when: password_maximum_days is defined
+ tags:
+ - auth
+ - cat2
+ - V-38479
+
+- name: V-38480 - Warn users prior to password expiration
+ lineinfile:
+ dest: /etc/login.defs
+ regexp: "^(#)?PASS_WARN_DAYS"
+ line: "PASS_WARN_DAYS {{ password_warn_age }}"
+ when: password_warn_age is defined
+ tags:
+ - auth
+ - cat3
+ - V-38480
+
+# RHEL 6 keeps this content in /etc/pam.d/system-auth, but Ubuntu keeps it in
+# /etc/pam.d/common-auth
+- name: V-38497 - The system must not have accounts configured with blank or null passwords.
+ command: grep nullok /etc/pam.d/common-auth
+ register: v38497_result
+ changed_when: v38497_result.rc != 0
+ failed_when: "'No such file' in v38497_result.stderr"
+ tags:
+ - auth
+ - cat1
+ - V-38497
+
+# Print a warning about making a change. We ought to figure out a better way
+# to capture this later.
+- name: V-38497 - The system must not have accounts configured with blank or null passwords.
+ debug:
+ msg: "FAILED: Remove 'nullok' from /etc/pam.d/system-auth for better security."
+ when: "v38497_result.rc == 0"
+ tags:
+ - auth
+ - cat1
+ - V-38497
+
+- name: Check if /etc/hosts.equiv exists (for V-38491)
+ stat:
+ path: /etc/hosts.equiv
+ register: v38491_equiv_check
+ changed_when: v38491_equiv_check.stat.exists == True
+ tags:
+ - auth
+ - cat1
+ - V-38491
+
+- name: Check if root has a .rhosts file (for V-38491)
+ stat:
+ path: /root/.rhosts
+ register: v38491_rhosts_check
+ changed_when: v38491_rhosts_check.stat.exists == True
+ tags:
+ - auth
+ - cat1
+ - V-38491
+
+- name: V-38491 - No .rhosts or hosts.equiv present on system
+ debug:
+ msg: "FAILED: Remove all .rhosts and hosts.equiv files"
+ when: v38491_equiv_check.stat.exists == True or v38491_rhosts_check.stat.exists == True
+ tags:
+ - auth
+ - cat1
+ - V-38491
+
+- name: V-38591 - Remove rshd
+ apt:
+ name: rsh-server
+ state: absent
+ when: remove_services['rsh-server'] | bool
+ tags:
+ - auth
+ - cat1
+ - V-38591
+
+- name: V-38587 - Remove telnet-server
+ apt:
+ name: telnetd
+ state: absent
+ when: remove_services['telnet_server'] | bool
+ tags:
+ - auth
+ - cat1
+ - V-38587
+
+- name: Search /etc/passwd for password hashes (for V-38499)
+ shell: "awk -F: '($2 != \"x\") {print}' /etc/passwd | wc -l"
+ register: v38499_result
+ changed_when: "v38499_result.stdout != '0'"
+ failed_when: "'No such file' in v38499_result.stderr"
+ tags:
+ - auth
+ - cat2
+ - V-38499
+
+- name: V-38499 - The /etc/passwd file must not contain password hashes
+ debug:
+ msg: "FAILED: Remove password hashes from 
/etc/password to remediate"
+ when: "v38499_result.stdout != '0'"
+ tags:
+ - auth
+ - cat2
+ - V-38499
+
+- name: V-38450 - The /etc/passwd file must be owned by root
+ file:
+ path: /etc/passwd
+ owner: root
+ tags:
+ - auth
+ - cat2
+ - V-38450
+
+- name: V-38451 - The /etc/passwd file must be group-owned by root
+ file:
+ path: /etc/passwd
+ group: root
+ tags:
+ - auth
+ - cat2
+ - V-38451
+
+- name: V38457 - The /etc/passwd file must have mode 0644 or less permissive
+ file:
+ path: /etc/passwd
+ mode: 0644
+ tags:
+ - auth
+ - cat2
+ - V-38457
+
+- name: Check if vsftpd installed (for V-38599)
+ shell: dpkg --status vsftpd
+ register: v38599_result
+ changed_when: v38599_result.rc == 0
+ failed_when: v38599_result.rc > 1
+ tags:
+ - auth
+ - cat2
+ - V-38599
+
+- name: Copy login banner (for V-38599)
+ copy:
+ src: login_banner.txt
+ dest: /etc/issue.net
+ when: v38599_result.rc == 0
+ notify:
+ - restart vsftpd
+ tags:
+ - auth
+ - cat2
+ - V-38599
+
+- name: V-38599 - Set warning banner for FTPS/FTP logins
+ lineinfile:
+ dest: /etc/vsftpd/vsftpd.conf
+ regexp: "^(#)?banner_file"
+ line: "banner_file=/etc/issue.net"
+ when: v38599_result.rc == 0
+ notify:
+ - restart vsftpd
+ tags:
+ - auth
+ - cat2
+ - V-38599
diff --git a/openstack-ansible-security/tasks/boot.yml b/openstack-ansible-security/tasks/boot.yml
new file mode 100644
index 00000000..6f289ac1
--- /dev/null
+++ b/openstack-ansible-security/tasks/boot.yml
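Review bot: The V-38497 FAILED message tells the operator to remove 'nullok' from `/etc/pam.d/system-auth`, but the check greps `/etc/pam.d/common-auth`, which the comment above it identifies as Ubuntu's location; the message should name common-auth. `grep nullok` also matches `nullok_secure`, which, if I recall Ubuntu's stock common-auth correctly, is present by default, so the control would report FAILED on every unmodified host; `grep -w nullok` limits the match to the blank-password option. The V-38499 message refers to `/etc/password`, which does not exist — it should read `/etc/passwd`. The V-38599 lineinfile targets `/etc/vsftpd/vsftpd.conf`, the RHEL path; Debian-based systems normally ship `/etc/vsftpd.conf`, so the task will likely fail with a missing destination on any host where vsftpd is installed — verify the path on trusty. The V-38491 check only stats `/root/.rhosts`, so `.rhosts` files in other users' home directories go unnoticed even though the FAILED message and the control speak of all such files.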
@@ -0,0 +1,32 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: V-38581 - Bootloader configuration files must be group-owned by root
+ file:
+ path: /boot/grub/grub.cfg
+ group: root
+ tags:
+ - boot
+ - cat2
+ - V-38581
+
+- name: V-38582 - Bootloader configuration files must have mode 0644 or less
+ file:
+ path: /boot/grub/grub.cfg
+ mode: 0644
+ tags:
+ - boot
+ - cat2
+ - V-38582
diff --git a/openstack-ansible-security/tasks/console.yml b/openstack-ansible-security/tasks/console.yml
new file mode 100644
index 00000000..d9c1abb5
--- /dev/null
+++ b/openstack-ansible-security/tasks/console.yml
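Review bot: The second task is labelled `V-38582`, the same ID that defaults/main.yml assigns to disabling xinetd (`xinetd: yes # V-38582`), so one of the two is mislabeled and the generated documentation will attach the wrong developer note; check the CSV for the bootloader-mode control's actual ID. Neither task sets `owner: root` on /boot/grub/grub.cfg; if the owner control lives in another task file, a comment pointing there would save the next reader a search. grub.cfg is regenerated by `update-grub` on every kernel update, so the mode this role applies may not survive until the next run; a comment stating that the role must be re-applied after kernel updates, or a check rather than a silent assumption, would make the limitation explicit.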
@@ -0,0 +1,34 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: V-38668 - The x86 Ctrl-Alt-Delete key sequence must be disabled
+ lineinfile:
+ dest: /etc/init/control-alt-delete.conf
+ regexp: '^(#)?exec shutdown -r now "Control-Alt-Delete pressed"'
+ line: '#exec shutdown -r now "Control-Alt-Delete pressed"'
+ state: present
+ tags:
+ - console
+ - cat1
+ - V-38668
+
+- name: V-38593 - Display a login banner for console prompts
+ copy:
+ src: login_banner.txt
+ dest: /etc/issue.net
+ tags:
+ - console
+ - cat2
+ - V-38593
diff --git a/openstack-ansible-security/tasks/file_perms.yml b/openstack-ansible-security/tasks/file_perms.yml
new file mode 100644
index 00000000..c9f6c0e2
--- /dev/null
+++ b/openstack-ansible-security/tasks/file_perms.yml
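Review bot: The V-38593 task copies the banner to `/etc/issue.net`, but console (getty) prompts display `/etc/issue`; `/etc/issue.net` is the network-login banner that sshd shows only when `Banner /etc/issue.net` is configured, so as written the console control has no visible effect. Either copy to `/etc/issue` here, or rename the task and document that only the network banner is set. The V-38668 task only comments out the exact line `exec shutdown -r now "Control-Alt-Delete pressed"`; if the installed control-alt-delete.conf phrases the command differently, lineinfile appends the commented line, reports success, and the active `exec` stays in place — a looser `regexp: '^(#)?exec shutdown'` plus a follow-up check that no uncommented `exec` remains would be more robust.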
@@ -0,0 +1,70 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: V-38443 - The /etc/gshadow file must be owned by root
+ file:
+ dest: /etc/gshadow
+ owner: root
+ tags:
+ - file_perms
+ - cat2
+ - V-38443
+
+- name: V-38448 - The /etc/gshadow file must be group-owned by root
+ file:
+ dest: /etc/gshadow
+ group: root
+ tags:
+ - file_perms
+ - cat2
+ - V-38448
+
+- name: V-38449 - The /etc/gshadow file must have mode 0000
+ file:
+ dest: /etc/gshadow
+ mode: 0000
+ tags:
+ - file_perms
+ - cat2
+ - V-38449
+
+- name: V-38459 - The /etc/group file must be group-owned by root
+ file:
+ dest: /etc/group
+ owner: root
+ group: root
+ tags:
+ - file_perms
+ - cat2
+ - V-38459
+
+- name: V-38461 - The /etc/group file must have mode 0644 or less
+ file:
+ dest: /etc/group
+ mode: 0644
+ tags:
+ - file_perms
+ - cat2
+ - V-38461
+
+- name: V-38493 - Audit log directories must have mode 0755 or less
+ file:
+ dest: /var/log/audit/
+ state: directory
+ mode: 0750
+ tags:
+ - file_perms
+ - cat2
+ - V-38493
diff --git a/openstack-ansible-security/tasks/kernel.yml b/openstack-ansible-security/tasks/kernel.yml
new file mode 100644
index 00000000..467bad5f
--- /dev/null
+++ b/openstack-ansible-security/tasks/kernel.yml
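Review bot: The V-38493 task name says `mode 0755 or less` but sets `mode: 0750`; the stricter value is fine, but the name (and the developer note the docs generate from it) should state the mode actually applied so an auditor reading the play output is not misled. The V-38448 and V-38449 tasks move /etc/gshadow to group `root` and mode `0000`; on Ubuntu the shadow files are conventionally group `shadow` with a group-readable mode, and helpers that run setgid shadow may depend on that, so this deviation from the distribution default deserves an explicit note in developer-notes/V-38448.rst and V-38449.rst and a test on a trusty host before it ships. The V-38459 task also sets `owner: root`, which its name does not mention; either rename the task or give the owner control its own task and STIG ID as the /etc/passwd tasks in auth.yml do.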
@@ -0,0 +1,59 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This is the default in Ubuntu 14.04
+- name: V-38596 - Enable virtual address space randomization
+ sysctl:
+ name: kernel.randomize_va_space
+ value: 2
+ state: present
+ sysctl_set: yes
+ tags:
+ - kernel
+ - cat2
+ - V-38596
+
+- name: V-38600 - Disable sending ICMPv4 redirects
+ sysctl:
+ name: net.ipv4.conf.default.send_redirects
+ value: 0
+ state: present
+ sysctl_set: yes
+ tags:
+ - kernel
+ - cat2
+ - V-38600
+
+- name: V-38601 - Disable sending ICMPv4 redirects on all interfaces
+ sysctl:
+ name: net.ipv4.conf.all.send_redirects
+ value: 0
+ state: present
+ sysctl_set: yes
+ tags:
+ - kernel
+ - cat2
+ - V-38601
+
+- name: V-38490 - Disable usb-storage module
+ lineinfile:
+ dest: /etc/modprobe.d/disable-usb-storage.conf
+ line: "install usb-storage /bin/true"
+ create: yes
+ when: disable_usb_storage is defined and disable_usb_storage | bool
+ tags:
+ - kernel
+ - cat2
+ - V-38490
diff --git a/openstack-ansible-security/tasks/mail.yml b/openstack-ansible-security/tasks/mail.yml
new file mode 100644
index 00000000..b8824be2
--- /dev/null
+++ b/openstack-ansible-security/tasks/mail.yml
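Review bot: V-38490 only writes `install usb-storage /bin/true` to modprobe.d, which blocks future loads but does not unload a `usb-storage` module that is already resident, so a host with a USB disk attached stays non-compliant until reboot. Add a follow-up task such as `command: modprobe -r usb-storage` guarded by `when: "'usb_storage' in lsmod_result.stdout"` (from a `changed_when: false` `lsmod` task), or state in the developer note that a reboot is required. A comment on the `when` clause saying the variable is opt-in would also help, since every other task in this file applies unconditionally.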
@@ -0,0 +1,48 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: V-38669 - The postfix service must be enabled for mail delivery (install postfix)
+ apt:
+ name: postfix
+ state: latest
+ tags:
+ - mail
+ - cat3
+ - V-38669
+
+- name: V-38669 - The postfix service must be enabled for mail delivery (ebable postfix)
+ service:
+ name: postfix
+ state: started
+ enabled: yes
+ tags:
+ - mail
+ - cat3
+ - V-38669
+
+# Be sure to set root_forward_email so that this task is executed. See the
+# documentation for more details.
+- name: V-38446 - Mail system must forward root's email
+ lineinfile:
+ dest: /etc/aliases
+ regexp: "^root"
+ line: "root: {{ root_forward_email }}"
+ when: root_forward_email is defined
+ notify:
+ - rehash aliases
+ tags:
+ - mail
+ - cat2
+ - V-38446
diff --git a/openstack-ansible-security/tasks/main.yml b/openstack-ansible-security/tasks/main.yml
new file mode 100644
index 00000000..126e0804
--- /dev/null
+++ b/openstack-ansible-security/tasks/main.yml
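Review bot: The V-38446 `regexp: "^root"` also matches any alias whose name merely starts with root (e.g. `rootmail:`), so the task can overwrite the wrong line; anchor it as `regexp: "^root:"`. Both apt tasks use `state: latest`, which turns every hardening run into an unplanned package upgrade; `state: present` is the idempotent choice for a compliance role (the same pattern appears in misc.yml). Installing postfix non-interactively may need `DEBIAN_FRONTEND=noninteractive` via `environment:` to avoid a debconf prompt, which I cannot confirm from here. The second task name has a typo: `(ebable postfix)` should read `(enable postfix)`.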
@@ -0,0 +1,27 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ - include: apt.yml
+ - include: auditd.yml
+ - include: auth.yml
+ - include: boot.yml
+ - include: console.yml
+ - include: file_perms.yml
+ - include: kernel.yml
+ - include: mail.yml
+ - include: misc.yml
+ - include: nfsd.yml
+ - include: services.yml
+ - include: sshd.yml
diff --git a/openstack-ansible-security/tasks/misc.yml b/openstack-ansible-security/tasks/misc.yml
new file mode 100644
index 00000000..f3aeae3b
--- /dev/null
+++ b/openstack-ansible-security/tasks/misc.yml
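Review bot: The include list applies every task file unconditionally, yet those files use `apt` and (in services.yml) `chkconfig`, so running this role against a non-Debian host fails part-way and leaves it partially hardened. A fail-fast guard at the top, such as `- fail: msg="This role currently targets Ubuntu 14.04 only" when: ansible_os_family != 'Debian'`, would stop before any state is changed. A one-line comment stating that the order is load-bearing (auditd.yml before file_perms.yml, which sets the mode of `/var/log/audit/`) would also help the next person who reorders the list.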
@@ -0,0 +1,53 @@
+---
+
+- name: Install AIDE
+ apt:
+ name: aide
+ state: latest
+ tags:
+ - cat2
+ - V-38489
+
+- name: Search for .netrc files (for V-38619)
+ shell: find /root /home -xdev -name .netrc | wc -l
+ register: v38619_result
+ changed_when: v38619_result.rc != 0
+ failed_when: "'No such file' in v38619_result.stdout"
+ tags:
+ - cat2
+ - V-38619
+
+- name: V-38619 - There must be no .netrc files on the system
+ debug:
+ msg: "FAILED: .netrc files found -- they must be removed"
+ when: v38619_result.stdout != '0'
+ tags:
+ - cat2
+ - V-38619
+
+- name: V-38620 - Synchronize system clock (installing chrony)
+ apt:
+ name: chrony
+ state: latest
+ tags:
+ - cat2
+ - V-38620
+
+- name: V-38620 - Synchronize system clock (enable chrony)
+ service:
+ name: chrony
+ state: started
+ enabled: yes
+ tags:
+ - cat2
+ - V-38620
+
+- name: V-38620 - Synchronize system clock (configuration file)
+ template:
+ src: chrony.conf.j2
+ dest: /etc/chrony/chrony.conf
+ notify:
+ - restart chrony
+ tags:
+ - cat2
+ - V38620
diff --git a/openstack-ansible-security/tasks/nfsd.yml b/openstack-ansible-security/tasks/nfsd.yml
new file mode 100644
index 00000000..b174c8eb
--- /dev/null
+++ b/openstack-ansible-security/tasks/nfsd.yml
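Review bot: The last chrony task is tagged `V38620` instead of `V-38620`, so a run with `--tags V-38620` installs and enables chrony but never deploys the configuration file; fix the tag. In the `.netrc` search, `failed_when` inspects `stdout` but `find` reports missing paths on stderr, and the pipe into `wc -l` masks find's exit status, so that check can never fire; use `failed_when: "'No such file' in v38619_result.stderr"` or drop it and redirect stderr. The V-38619 task only prints `FAILED` through `debug`, so the play still ends green when `.netrc` files exist; if the intent is to enforce, make it a `fail:` task, otherwise say in the developer note that this control is report-only. This file also lacks the Apache license header every other task file carries.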
@@ -0,0 +1,66 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Generate a list of services
+- name: Check if /etc/exports exists
+ stat:
+ path: /etc/exports
+ register: exports
+ always_run: yes
+ tags:
+ - nfs
+ - cat1
+ - cat2
+ - cat3
+
+- name: Check if 'all_squash' appears in /etc/exports (for V-38460)
+ shell: grep all_squash /etc/exports
+ register: v38460_result
+ changed_when: v38460_result.rc == 0
+ when: exports.stat.exists
+ tags:
+ - nfs
+ - cat3
+ - V-38460
+
+- name: V-38460 - The NFS server must not have the all_squash option enabled
+ debug:
+ msg: "FAILED: Remove all_squash from /etc/exports"
+ changed_when: v38460_result.rc == 0
+ when: exports.stat.exists and v38460_result.rc == 0
+ tags:
+ - nfs
+ - cat3
+ - V-38460
+
+- name: Check if 'insecure_locks' appears in /etc/exports (for V-38677)
+ shell: grep insecure_locks /etc/exports
+ register: v38677_result
+ changed_when: v38677_result.rc == 0
+ when: exports.stat.exists
+ tags:
+ - nfs
+ - cat3
+ - V-38677
+
+- name: V-38677 - The NFS server must not have the insecure_locks option enabled
+ debug:
+ msg: "FAILED: Remove insecure_locks from /etc/exports"
+ changed_when: v38677_result.rc == 0
+ when: exports.stat.exists and v38677_result.rc == 0
+ tags:
+ - nfs
+ - cat3
+ - V-38677
diff --git a/openstack-ansible-security/tasks/services.yml b/openstack-ansible-security/tasks/services.yml
new file mode 100644
index 00000000..7138105c
--- /dev/null
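Review bot: `shell: grep all_squash /etc/exports` has no `failed_when`, and grep exits 1 when the pattern is absent, so the task fails on exactly the compliant hosts (those whose exports lack the option); the `insecure_locks` check has the same problem. Add `failed_when: v38460_result.rc == 2` (a real grep error) or `failed_when: false` to both shell tasks. The pattern also matches `no_all_squash`, a valid option with the opposite meaning, producing a false FAILED; `grep -w all_squash` avoids that since the underscore keeps `no_all_squash` a single word. The comment `# Generate a list of services` above the stat task is a copy-paste leftover and should describe the exports check.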
+++ b/openstack-ansible-security/tasks/services.yml 
@@ -0,0 +1,120 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Generate list of sysv_services
+ shell: "chkconfig --list | sed '/^$/ d ; /xinetd based services:/ d ; /^\t/ d' | awk '{print $1}'"
+ register: sysv_services
+ changed_when: false
+ tags:
+ - services
+ - cat1
+ - cat2
+ - cat3
+
+- name: V-38437 - Automated file system mounting tools must be disabled
+ service:
+ name: autofs
+ state: stopped
+ enabled: no
+ when: disable_services['autofs'] | bool and 'autofs' in sysv_services.stdout
+ tags:
+ - services
+ - cat3
+ - V-38437
+
+- name: V-38641 - The atd service must be disabled
+ service:
+ name: atd
+ state: stopped
+ enabled: no
+ when: disable_services['atd'] | bool and 'atd' in sysv_services.stdout
+ tags:
+ - services
+ - cat3
+ - V-38641
+
+- name: V-38640 - The abrt service must be disabled
+ service:
+ name: abrtd
+ state: stopped
+ enabled: no
+ when: disable_services['abrtd'] | bool and 'abrtd' in sysv_services.stdout
+ tags:
+ - services
+ - cat3
+ - V-38640
+
+- name: V-38582 - xinetd must be disabled if not in use
+ service:
+ name: xinetd
+ state: stopped
+ enabled: no
+ when: disable_services['xinetd'] | bool and 'xinetd' in sysv_services.stdout
+ tags:
+ - services
+ - cat2
+ - V-38582
+
+- name: V-38584 - xinetd must be uninstalled if not in use
+ apt:
+ name: xinetd
+ state: absent
+ when: remove_services['xinetd'] | bool
+ tags:
+ - services
+ - cat3
+ - V-38584
+
+# Ubuntu's
equivalent of Red Hat's ypserv package is 'nis'
+- name: V-38603 - Remove ypserv (nis) package
+ apt:
+ name: nis
+ state: absent
+ when: remove_services['ypserv'] | bool
+ tags:
+ - services
+ - cat2
+ - V-38603
+
+- name: V-38605 - The cron service must be running
+ service:
+ name: cron
+ state: started
+ enabled: yes
+ tags:
+ - services
+ - cat2
+ - V-38605
+
+- name: V-38606 - The tftp-server package must not be installed unless required
+ apt:
+ name: tftpd
+ state: absent
+ when: remove_services['tftp-server'] | bool
+ tags:
+ - services
+ - cat2
+ - V-38606
+
+- name: V-38618 - avahi must be disabled
+ service:
+ name: avahi-daemon
+ state: stopped
+ enabled: no
+ when: disable_services['avahi'] | bool and 'avahi' in sysv_services.stdout
+ tags:
+ - services
+ - cat3
+ - V-38618
diff --git a/openstack-ansible-security/tasks/sshd.yml b/openstack-ansible-security/tasks/sshd.yml
new file mode 100644
index 00000000..44f00a2c
--- /dev/null
+++ b/openstack-ansible-security/tasks/sshd.yml
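Review bot: The `when` clauses test `'atd' in sysv_services.stdout` as a substring of the whole output, so any service whose name merely contains the fragment matches, and `'avahi'` matches only because `avahi-daemon` happens to contain it; compare against `sysv_services.stdout_lines` with the full service name instead. The list itself comes from `chkconfig --list`, which I believe is not installed on a stock Ubuntu 14.04 host, so on the platform this role targets the first task fails outright and every guarded task after it is never reached; a `service --status-all` or `initctl list` based discovery, or at least `failed_when: false` with an explicit empty-list fallback, would be more robust. V-38606 removes only `tftpd`, while Ubuntu also ships `tftpd-hpa` and `atftpd` as far as I know, so the control is incomplete unless those are covered too. The hunk starts on the previous line.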
@@ -0,0 +1,160 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: V-38484 - User must get date/time of last successful login
+ lineinfile:
+ state: present
+ dest: /etc/ssh/sshd_config
+ regexp: '^(#)?PrintLastLog'
+ line: 'PrintLastLog yes'
+ notify:
+ - restart ssh
+ tags:
+ - ssh
+ - cat2
+ - V-38484
+
+- name: V-38607 - The SSH daemon must be configured to use only the SSHv2 protocol
+ lineinfile:
+ state: present
+ dest: /etc/ssh/sshd_config
+ regexp: '^(#)?Protocol \d'
+ line: 'Protocol 2'
+ notify:
+ - restart ssh
+ tags:
+ - ssh
+ - cat1
+ - V-38607
+
+- name: V-38614 - The SSH daemon must not allow authentication using an empty password
+ lineinfile:
+ state: present
+ dest: /etc/ssh/sshd_config
+ regexp: '^(#)?PermitEmptyPasswords'
+ line: 'PermitEmptyPasswords no'
+ notify:
+ - restart ssh
+ tags:
+ - ssh
+ - cat1
+ - V-38614
+
+- name: V-38612 Medium The SSH daemon must not allow host-based authentication
+ lineinfile:
+ state: present
+ dest: /etc/ssh/sshd_config
+ regexp: '^(#)?HostbasedAuthentication'
+ line: 'HostbasedAuthentication no'
+ notify:
+ - restart ssh
+ tags:
+ - ssh
+ - cat2
+ - V-38612
+
+- name: V-38608 - Set a timeout interval for idle ssh sessions
+ lineinfile:
+ state: present
+ dest: /etc/ssh/sshd_config
+ regexp: '^(#)?ClientAliveInterval'
+ line: 'ClientAliveInterval {{ ssh_client_alive_interval }}'
+ notify:
+ - restart ssh
+ tags:
+ - ssh
+ - cat2
+ - V-38608
+
+- name: V-38610
- Set a timeout count on idle ssh sessions
+ lineinfile:
+ state: present
+ dest: /etc/ssh/sshd_config
+ regexp: '^(#)?ClientAliveCountMax'
+ line: 'ClientAliveCountMax {{ ssh_client_alive_count_max }}'
+ notify:
+ - restart ssh
+ tags:
+ - ssh
+ - cat2
+ - V-38610
+
+- name: V-38611 - The sshd daemon must ignore .rhosts files
+ lineinfile:
+ state: present
+ dest: /etc/ssh/sshd_config
+ regexp: '^(#)?IgnoreRhosts'
+ line: 'IgnoreRhosts yes'
+ notify:
+ - restart ssh
+ tags:
+ - ssh
+ - cat2
+ - V-38611
+
+- name: V-38613 - The ssh daemon must not permit root logins
+ lineinfile:
+ state: present
+ dest: /etc/ssh/sshd_config
+ regexp: '^(#)?PermitRootLogin'
+ line: 'PermitRootLogin {{ ssh_permit_root_login }}'
+ notify:
+ - restart ssh
+ tags:
+ - ssh
+ - cat2
+ - V-38613
+
+- name: Copy the login banner for sshd (for V-38615)
+ copy:
+ src: login_banner.txt
+ dest: /etc/issue.net
+ tags:
+ - ssh
+ - cat2
+ - V-38615
+
+- name: V-38615 - The ssh daemon must display a login banner
+ lineinfile:
+ state: present
+ dest: /etc/ssh/sshd_config
+ regexp: '^(#)?Banner'
+ line: 'Banner /etc/issue.net'
+ tags:
+ - ssh
+ - cat2
+ - V-38615
+
+- name: V-38616 - The ssh daemon must not permit user environment settings
+ lineinfile:
+ state: present
+ dest: /etc/ssh/sshd_config
+ regexp: '^(#)?PermitUserEnvironment'
+ line: 'PermitUserEnvironment no'
+ tags:
+ - ssh
+ - cat3
+ - V-38616
+
+- name: V-38617 - The ssh daemon must be configured to use approved ciphers
+ lineinfile:
+ state: present
+ dest: /etc/ssh/sshd_config
+ regexp: '^(#)?Ciphers'
+ line: 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc'
+ tags:
+ - ssh
+ - cat2
+ - V-38617
diff --git a/openstack-ansible-security/templates/chrony.conf.j2 b/openstack-ansible-security/templates/chrony.conf.j2
new file mode 100644
index 00000000..d9d11518
--- /dev/null
+++ b/openstack-ansible-security/templates/chrony.conf.j2
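Review bot: The V-38615 `Banner`, V-38616 `PermitUserEnvironment` and V-38617 `Ciphers` tasks do not carry `notify: - restart ssh` like the tasks above them, so those three settings are written to `sshd_config` but not applied until something else restarts sshd. Add the handler to each, and consider `validate: '/usr/sbin/sshd -t -f %s'` on every lineinfile task so a bad edit can never leave sshd unable to restart (lineinfile supports `validate`, I believe). The cipher list keeps `aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc`; these satisfy the STIG's FIPS wording, but CBC mode and 3DES are the weak end of what OpenSSH offers, so a variable defaulting to `Ciphers aes256-ctr,aes192-ctr,aes128-ctr` with the CBC set as an opt-in would be the safer default. The copy task here duplicates the `/etc/issue.net` copy in console.yml; one of the two can go. The hunk starts on the previous line.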
@@ -0,0 +1,93 @@ +# This the default chrony.conf file for the Debian chrony package. After +# editing this file use the command 'invoke-rc.d chrony restart' to make +# your changes take effect. John Hasler 1998-2008 + +# See www.pool.ntp.org for an explanation of these servers. Please +# consider joining the project if possible. If you can't or don't want to +# use these servers I suggest that you try your ISP's nameservers. We mark +# the servers 'offline' so that chronyd won't try to connect when the link +# is down. Scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d use chronyc +# commands to switch it on when a dialup link comes up and off when it goes +# down. Code in /etc/init.d/chrony attempts to determine whether or not +# the link is up at boot time and set the online status accordingly. If +# you have an always-on connection such as cable omit the 'offline' +# directive and chronyd will default to online. +# +# Note that if Chrony tries to go "online" and dns lookup of the servers +# fails they will be discarded. Thus under some circumstances it is +# better to use IP numbers than host names. + +{% for ntp_server in ntp_servers %} +server {{ ntp_server }} offline minpoll 8 +{% endfor %} + +# Look here for the admin password needed for chronyc. The initial +# password is generated by a random process at install time. You may +# change it if you wish. + +keyfile /etc/chrony/chrony.keys + +# Set runtime command key. Note that if you change the key (not the +# password) to anything other than 1 you will need to edit +# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony +# and /etc/cron.weekly/chrony as these scripts use it to get the password. + +commandkey 1 + +# I moved the driftfile to /var/lib/chrony to comply with the Debian +# filesystem standard. + +driftfile /var/lib/chrony/chrony.drift + +# Comment this line out to turn off logging. 
+ +log tracking measurements statistics +logdir /var/log/chrony + +# Stop bad estimates upsetting machine clock. + +maxupdateskew 100.0 + +# Dump measurements when daemon exits. + +dumponexit + +# Specify directory for dumping measurements. + +dumpdir /var/lib/chrony + +# Let computer be a server when it is unsynchronised. + +local stratum 10 + +# Allow computers on the unrouted nets to use the server. + +{% for subnet in allowed_ntp_subnets %} +allow {{ subnet }} +{% endfor %} + +# This directive forces `chronyd' to send a message to syslog if it +# makes a system clock adjustment larger than a threshold value in seconds. + +logchange 0.5 + +# This directive defines an email address to which mail should be sent +# if chronyd applies a correction exceeding a particular threshold to the +# system clock. + +# mailonchange root@localhost 0.5 + +# This directive tells chrony to regulate the real-time clock and tells it +# Where to store related data. It may not work on some newer motherboards +# that use the HPET real-time clock. It requires enhanced real-time +# support in the kernel. I've commented it out because with certain +# combinations of motherboard and kernel it is reported to cause lockups. + +# rtcfile /var/lib/chrony/chrony.rtc + +# If the last line of this file reads 'rtconutc' chrony will assume that +# the CMOS clock is on UTC (GMT). If it reads '# rtconutc' or is absent +# chrony will assume local time. The line (if any) was written by the +# chrony postinst based on what it found in /etc/default/rcS. You may +# change it if necessary. +rtconutc diff --git a/openstack-ansible-security/templates/osas-auditd.j2 b/openstack-ansible-security/templates/osas-auditd.j2 new file mode 100644 index 00000000..b567c62d --- /dev/null +++ b/openstack-ansible-security/templates/osas-auditd.j2 
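Review bot: Every `server` line is rendered with `offline`, and the template's own header says that directive is for dial-up links and should be omitted on always-on connections; on these hosts chronyd will not poll the servers unless something issues `chronyc online`, so V-38620 may be unmet in practice. Drop it, `server {{ ntp_server }} minpoll 8`, or make it a variable, unless the Debian init script is confirmed to bring the sources online at boot. Combined with `local stratum 10` and the `allow` lines, an unsynchronised host would still serve its own clock to `allowed_ntp_subnets`, which deserves a comment next to the `allow` loop. The hunk starts on the previous line.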
@@ -0,0 +1,215 @@ +{% if auditd_rules['clock_settimeofday'] | bool %} +# RHEL 6 STIG V-38522 +# Audits changes to system time via settimeofday +-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules +-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules +{% endif %} + +{% if auditd_rules['clock_stime'] | bool %} +# RHEL 6 STIG V-38525 +# Audits changes to system time via stime +-a always,exit -F arch=b32 -S stime -k audit_time_rules +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules +{% endif %} + +{% if auditd_rules['clock_settime'] | bool %} +# RHEL 6 STIG V-38527 +# Audits changes to system time via clock_settime +-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules +-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules +{% endif %} + +{% if auditd_rules['change_localtime'] | bool %} +# RHEL 6 STIG V-38530 +# Audits clock changes made via /etc/localtime +-w /etc/localtime -p wa -k audit_time_rules +{% endif %} + +{% if auditd_rules['account_modification'] | bool %} +# RHEL 6 STIG V-38531, V-38534, V-38536, V-38538 +# Audits account modifications and terminations +-w /etc/group -p wa -k audit_account_changes +-w /etc/passwd -p wa -k audit_account_changes +-w /etc/gshadow -p wa -k audit_account_changes +-w /etc/shadow -p wa -k audit_account_changes +-w /etc/security/opasswd -p wa -k audit_account_changes +{% endif %} + +{% if auditd_rules['network_changes'] | bool %} +# RHEL 6 STIG V-38540 +# Audits network configuration changes +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications +-w /etc/issue -p wa -k audit_network_modifications +-w /etc/issue.net -p wa -k audit_network_modifications +-w /etc/hosts -p wa -k audit_network_modifications +-w /etc/network -p wa -k audit_network_modifications +{% endif %} + +{% if auditd_rules['apparmor_changes'] | bool %} +# 
RHEL 6 STIG V-38541 +# Audits changes to AppArmor policies +-w /etc/apparmor/ -p wa -k MAC-policy +{% endif %} + +{% if auditd_rules['DAC_chmod'] | bool %} +# RHEL 6 STIG V-38543 +# Audits DAC changes via chmod +-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod +-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod +{% endif %} + +{% if auditd_rules['DAC_chown'] | bool %} +# RHEL 6 STIG V-38545 +# Audits DAC changes via chown +-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod +-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod +{% endif %} + +{% if auditd_rules['DAC_fchmod'] | bool %} +# RHEL 6 STIG V-38547 +# Audits DAC changes via fchmod +-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod +-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod +{% endif %} + +{% if auditd_rules['DAC_fchmodat'] | bool %} +# RHEL 6 STIG V-38550 +# Audits DAC changes via fchmodat +-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod +-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod +{% endif %} + +{% if auditd_rules['DAC_fchown'] | bool %} +# RHEL 6 STIG V-38552 +# Audits DAC changes via fchown +-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod +-a always,exit 
-F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod +{% endif %} + +{% if auditd_rules['DAC_fchownat'] | bool %} +# RHEL 6 STIG V-38554 +# Audits DAC changes via fchownat +-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod +-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod +{% endif %} + +{% if auditd_rules['DAC_fremovexattr'] | bool %} +# RHEL 6 STIG V-38556 +# Audits DAC changes via fremovexattr +-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod +-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod +{% endif %} + +{% if auditd_rules['DAC_fsetxattr'] | bool %} +# RHEL 6 STIG V-38557 +# Audits DAC changes via fsetxattr +-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod +-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod +{% endif %} + +{% if auditd_rules['DAC_lchown'] | bool %} +# RHEL 6 STIG V-38558 +# Audits DAC changes via lchown +-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod +-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod +{% endif %} + +{% if auditd_rules['DAC_lremovexattr'] | bool %} +# RHEL 6 STIG V-38559 +# Audits DAC changes via lremovexattr +-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F 
auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod +-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod +{% endif %} + +{% if auditd_rules['DAC_lsetxattr'] | bool %} +# RHEL 6 STIG V-38561 +# Audits DAC changes via lsetxattr +-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod +-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod +{% endif %} + +{% if auditd_rules['DAC_setxattr'] | bool %} +# RHEL 6 STIG V-38565 +# Audits DAC changes via setxattr +-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod +{% endif %} + +{% if auditd_rules['failed_access'] | bool %} +# RHEL 6 STIG V-38566 +# Audits failed attempts to access files and programs +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k 
access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access +{% endif %} + +{% if auditd_rules['filesystem_mounts'] | bool %} +# RHEL 6 STIG V-38568 +# Audits filesystem mounts +-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export +-a always,exit -F arch=b32 -S mount -F auid=0 -k export +-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export +-a always,exit -F arch=b64 -S mount -F auid=0 -k export +{% endif %} + +{% if auditd_rules['deletions'] %} +# RHEL 6 STIG V-38575 +# Audits deletion of files and programs +-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete +-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete +-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete +{% endif %} + +{% if auditd_rules['sudoers'] %} +# RHEL 6 STIG V-38578 +# Audits /etc/sudoers changes +-w /etc/sudoers -p wa -k actions +{% endif %} + +{% if auditd_rules['kernel_modules'] | bool %} +# RHEL 6 STIG V-38580 +# Audits kernel module loading/unloading +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules +{% endif %} + +{% if auditd_rules['change_system_time'] | bool %} +# RHEL 6 STIG V-38635 +# Audits system time changes +-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules +-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules +{% endif %} 
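Review bot: The `DAC_chmod` section (V-38543) is commented as auditing `chmod` but its four rules watch `-S removexattr`, so `chmod` calls are never audited and `removexattr` is logged under the wrong control; change the syscall to `-S chmod` and, if `removexattr` is wanted, give it its own section. The `deletions` and `sudoers` conditions omit the `| bool` filter every other section applies, so a string value such as `"no"` would enable them; write `{% if auditd_rules['deletions'] | bool %}` and `{% if auditd_rules['sudoers'] | bool %}`. The `auid>=500` filters are the RHEL UID_MIN while Ubuntu's login.defs uses 1000, I believe; keeping 500 only widens coverage, but the header should say why that value was kept on an Ubuntu-targeted role. The hunk starts several lines earlier.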
diff --git a/openstack-ansible-security/vars/main.yml b/openstack-ansible-security/vars/main.yml new file mode 100644 index 00000000..00cd54af --- /dev/null +++ b/openstack-ansible-security/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for openstack-ansible-security diff --git a/setup.cfg b/setup.cfg new file mode 100644 index 00000000..701b5168 --- /dev/null +++ b/setup.cfg @@ -0,0 +1,24 @@ +[metadata] +name = openstack-ansible-security +summary = Security hardening role for openstack-ansible +description-file = + README.rst +author = OpenStack +author-email = openstack-dev@lists.openstack.org +home-page = http://www.openstack.org/ +classifier = + Intended Audience :: Developers + Intended Audience :: System Administrators + License :: OSI Approved :: Apache Software License + Operating System :: POSIX :: Linux + +[build_sphinx] +all_files = 1 +build-dir = doc/build +source-dir = doc/source + +[pbr] +warnerrors = True + +[wheel] +universal = 1 diff --git a/setup.py b/setup.py new file mode 100644 index 00000000..70c2b3f3 --- /dev/null +++ b/setup.py @@ -0,0 +1,22 @@ +#!/usr/bin/env python +# Copyright (c) 2013 Hewlett-Packard Development Company, L.P. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# THIS FILE IS MANAGED BY THE GLOBAL REQUIREMENTS REPO - DO NOT EDIT +import setuptools + +setuptools.setup( + setup_requires=['pbr'], + pbr=True) diff --git a/tox.ini b/tox.ini new file mode 100644 index 00000000..f42daf56 --- /dev/null +++ b/tox.ini 
@@ -0,0 +1,41 @@
+[tox]
+minversion = 1.6
+skipsdist = True
+envlist = docs,pep8
+
+[testenv]
+usedevelop = True
+install_command = pip install -U {opts} {packages}
+setenv = VIRTUAL_ENV={envdir}
+deps = -r{toxinidir}/dev-requirements.txt
+
+[testenv:docs]
+commands=
+ python setup.py build_sphinx
+
+# environment used by the -infra templated docs job
+[testenv:venv]
+deps = -r{toxinidir}/dev-requirements.txt
+commands = {posargs}
+
+# Run hacking/flake8 check for all python files
+[testenv:pep8]
+deps = flake8
+whitelist_externals = bash
+commands =
+ bash -c "grep -Irl \
+ -e '!/usr/bin/env python' \
+ -e '!/bin/python' \
+ -e '!/usr/bin/python' \
+ --exclude-dir '.*' \
+ --exclude-dir '*.egg' \
+ --exclude-dir '*.egg-info' \
+ --exclude 'tox.ini' \
+ --exclude '*.sh' \
+ {toxinidir} | xargs flake8 --verbose"
+
+[flake8]
+# Ignores the following rules due to how ansible modules work in general
+# F403 'from ansible.module_utils.basic import *' used; unable to detect undefined names
+# H303 No wildcard (*) import.
+ignore=F403,H303
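Review bot: The pep8 env only runs flake8 over files with a Python shebang, so nothing in CI parses the role's YAML task files or templates, and a malformed task file is only discovered at run time on a target host. Add an env that runs `ansible-playbook --syntax-check` against a small playbook that includes the role (yamllint is a cheap extra), and list it in `envlist` next to `docs,pep8`. A one-line comment explaining why shebang-based discovery was chosen over `flake8 .` would also help readers of the `grep -Irl` pipeline.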