openstack/ansible-hardening
Code Issues Proposed changes

Merge "Add scaffolding for contrib tasks"

Browse Source
This commit is contained in:
Zuul 2017-12-01 14:16:46 +00:00 committed by Gerrit Code Review
commit c54fc86bfd
9 changed files with 96 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
defaults/main.yml
View File

@ -370,3 +370,29 @@ security_disable_kdump: yes # V-72057
security_rhel7_disable_dccp: yes # V-77821 security_rhel7_disable_dccp: yes # V-77821
# Enable Address Space Layout Randomization (ASLR). # Enable Address Space Layout Randomization (ASLR).
security_enable_aslr: yes # V-77825 security_enable_aslr: yes # V-77825
###############################################################################
# ____ _ _ _
# / ___|___ _ __ | |_ _ __(_) |__
# | | / _ \| '_ \| __| '__| | '_ \
# | |__| (_) | | | | |_| | | | |_) |
# \____\___/|_| |_|\__|_| |_|_.__/
#
#
# The following configurations apply to tasks that are contributed by
# ansible-hardening developers and may not be part of a hardening standard
# or compliance program. For more information on the 'contrib' tasks, review
# the documentation:
#
# https://docs.openstack.org/ansible-hardening/latest/contrib.html
#
###############################################################################
# To enable the contrib tasks, set this variable to 'yes'.
security_contrib_enabled: no
# Disable IPv6.
# DANGER: This option causes IPv6 networking to be disabled for the ENTIRE
# DANGER: SYSTEM. This will cause downtime for any services that depend on
# DANGER: IPv6 network connectivity.
security_contrib_disable_ipv6: no # C-00001

39
doc/source/contrib.rst Normal file
View File

@ -0,0 +1,39 @@
Additional hardening configurations
===================================
Although the Security Technical Implementation Guide (STIG) contains a very
comprehensive set of security configurations, some ansible-hardening
contributors want to add extra security configurations to the role. The
*contrib* portion of the ansible-hardening role is designed to implement those
configurations as an optional set of tasks.
The *contrib* hardening configurations are disabled by default, but they can
be enabled by setting the following Ansible variable:
.. code-block:: yaml
security_contrib_enabled: yes
The individual tasks are controlled by Ansible variables in
``defaults/main.yml`` that begin with ``security_contrib_``.
Kernel
------
C-00001 - Disable IPv6
~~~~~~~~~~~~~~~~~~~~~~
Some systems do not require IPv6 connectivity and the presence of link local
IPv6 addresses can present an additional attack surface for lateral movement.
Deployers can set the following variable to disable IPv6 on all network
interfaces:
.. code-block:: yaml
security_contrib_disable_ipv6: yes
.. warning::
Deployers should test this change in a test environment before applying it
in a production deployment. Applying this change to a production system
that relies on IPv6 connectivity will cause unexpected downtime.

4
doc/source/domains.rst
View File

@ -1,7 +1,7 @@
.. _hardening_domains_label: .. _hardening_domains_label:
Hardening Domains Hardening Domains (RHEL 7 STIG)
================= ===============================
The STIG divides its hardening requirements into severity levels, but the The STIG divides its hardening requirements into severity levels, but the
security role divides the requirements into system domains to make them easier security role divides the requirements into system domains to make them easier

1
doc/source/index.rst
View File

@ -58,6 +58,7 @@ releases is found within the *Releases* section below.
faq.rst faq.rst
domains.rst domains.rst
controls-rhel7.rst controls-rhel7.rst
contrib.rst
developer-guide.rst developer-guide.rst
Releases Releases

18
tasks/contrib/main.yml Normal file
View File

@ -0,0 +1,18 @@
---
# Copyright 2017, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Notify the deployer that contrib tasks are enabled
debug:
msg: "The contrib tasks are enabled."

4
tasks/main.yml
View File

@ -53,3 +53,7 @@
- always - always
- include: "{{ stig_version }}stig/main.yml" - include: "{{ stig_version }}stig/main.yml"
- include: contrib/main.yml
when:
- security_contrib_enabled | bool

1
tasks/rhel7stig/kernel.yml
View File

@ -46,6 +46,7 @@
- V-72293 - V-72293
- V-72309 - V-72309
- V-72319 - V-72319
- C-00001
- name: Check kdump service - name: Check kdump service
command: systemctl status kdump command: systemctl status kdump

2
tests/test.yml
View File

@ -62,3 +62,5 @@
# this role without causing disruptions on the system. # this role without causing disruptions on the system.
security_enable_virus_scanner: no security_enable_virus_scanner: no
security_run_virus_scanner_update: no security_run_virus_scanner_update: no
# Enable the contrib tasks.
security_contrib_enabled: yes

3
vars/main.yml
View File

@ -344,3 +344,6 @@ sysctl_settings_rhel7:
- name: kernel.randomize_va_space - name: kernel.randomize_va_space
value: 2 value: 2
enabled: "{{ security_enable_aslr | bool }}" enabled: "{{ security_enable_aslr | bool }}"
- name: net.ipv6.conf.all.disable_ipv6
value: 1
enabled: "{{ (security_contrib_enabled | bool) and (security_contrib_disable_ipv6 | bool) }}"