diff --git a/defaults/main.yml b/defaults/main.yml
index 3627e657..872ba023 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -50,32 +50,31 @@ initialize_aide: false
# will be deployed onto the host and auditd will get the new rules loaded
# automatically with augenrules.
#
-auditd_rules:
- account_modification: yes # V-38531, V-38534, V-38538
- apparmor_changes: yes # V-38541
- change_localtime: yes # V-38530
- change_system_time: yes # V-38635
- clock_settime: yes # V-38527
- clock_settimeofday: yes # V-38522
- clock_stime: yes # V-38525
- DAC_chmod: no # V-38543
- DAC_chown: yes # V-38545
- DAC_lchown: yes # V-38558
- DAC_fchmod: no # V-38547
- DAC_fchmodat: no # V-38550
- DAC_fchown: yes # V-38552
- DAC_fchownat: yes # V-38554
- DAC_fremovexattr: yes # V-38556
- DAC_lremovexattr: yes # V-38559
- DAC_fsetxattr: yes # V-38557
- DAC_lsetxattr: yes # V-38561
- DAC_setxattr: yes # V-38565
- deletions: no # V-38575
- failed_access: no # V-38566
- filesystem_mounts: yes # V-38568
- kernel_modules: yes # V-38580
- network_changes: yes # V-38540
- sudoers: yes # V-38578
+security_audit_account_modification: yes # V-38531, V-38534, V-38538
+security_audit_apparmor_changes: yes # V-38541
+security_audit_change_localtime: yes # V-38530
+security_audit_change_system_time: yes # V-38635
+security_audit_clock_settime: yes # V-38527
+security_audit_clock_settimeofday: yes # V-38522
+security_audit_clock_stime: yes # V-38525
+security_audit_DAC_chmod: no # V-38543
+security_audit_DAC_chown: yes # V-38545
+security_audit_DAC_lchown: yes # V-38558
+security_audit_DAC_fchmod: no # V-38547
+security_audit_DAC_fchmodat: no # V-38550
+security_audit_DAC_fchown: yes # V-38552
+security_audit_DAC_fchownat: yes # V-38554
+security_audit_DAC_fremovexattr: yes # V-38556
+security_audit_DAC_lremovexattr: yes # V-38559
+security_audit_DAC_fsetxattr: yes # V-38557
+security_audit_DAC_lsetxattr: yes # V-38561
+security_audit_DAC_setxattr: yes # V-38565
+security_audit_deletions: no # V-38575
+security_audit_failed_access: no # V-38566
+security_audit_filesystem_mounts: yes # V-38568
+security_audit_kernel_modules: yes # V-38580
+security_audit_network_changes: yes # V-38540
+security_audit_sudoers: yes # V-38578
#
# **DANGER**
# Changing the options below can cause systems to go offline unexpectedly or
@@ -150,31 +149,29 @@ disable_core_dumps: yes # V-38675
# Setting a 'no' will ensure that this Ansible role does not alter the service
# in any way from its current configuration.
#
-disable_services:
- abrtd: yes # V-38641
- atd: yes # V-38640
- autofs: yes # V-38437
- avahi: yes # V-31618
- bluetooth: yes # V-38691
- qpidd: yes # V-38648
- rsh: yes # V-38594
- ypbind: yes # V-38604
- xinetd: yes # V-38582
+security_disable_abrtd: yes # V-38641
+security_disable_atd: yes # V-38640
+security_disable_autofs: yes # V-38437
+security_disable_avahi: yes # V-31618
+security_disable_bluetooth: yes # V-38691
+security_disable_qpidd: yes # V-38648
+security_disable_rsh: yes # V-38594
+security_disable_ypbind: yes # V-38604
+security_disable_xinetd: yes # V-38582
#
# The STIG recommends ensuring that some services aren't installed at ANY time.
# Those services are listed here. Setting a boolean here to 'yes' wiil
# ensure that the STIG is followed and the service is removed. Setting a
# boolean to 'no' means that the playbook will not alter the service.
#
-remove_services:
- ldap-server: yes # V-38627
- rsh-server: yes # V-38591
- sendmail: yes # V-38671
- telnet_server: yes # V-38587
- tftp-server: yes # V-38606
- xinetd: yes # V-38584
- xorg: yes # v-38676
- ypserv: yes # V-38603
+security_remove_ldap_server: yes # V-38627
+security_remove_rsh_server: yes # V-38591
+security_remove_sendmail: yes # V-38671
+security_remove_telnet_server: yes # V-38587
+security_remove_tftp_server: yes # V-38606
+security_remove_xinetd: yes # V-38584
+security_remove_xorg: yes # v-38676
+security_remove_ypserv: yes # V-38603
## SSH configuration
# The following configuration items will adjust how the ssh daemon is
@@ -196,13 +193,12 @@ ssh_permit_root_login: 'yes' # V-38613
## Kernel
# Set these booleans to 'yes' to disable the kernel module (following the
# STIG requirements). Set the boolean to 'no' to ensure no changes are made.
-disable_module:
- bluetooth: yes # V-38682
- dccp: yes # V-38514
- rds: yes # V-38516
- sctp: yes # V-38515
- tipc: yes # V-38517
- usb_storage: no # V-38490
+security_disable_module_bluetooth: yes # V-38682
+security_disable_module_dccp: yes # V-38514
+security_disable_module_rds: yes # V-38516
+security_disable_module_sctp: yes # V-38515
+security_disable_module_tipc: yes # V-38517
+security_disable_module_usb_storage: no # V-38490
#
# ** DANGER **
# It's strongly recommended to fully understand the effects of changing the
@@ -210,8 +206,7 @@ disable_module:
# Notes' for each of the STIGs below before making any changes.
# ** DANGER **
#
-sysctl_tunable:
- tcp_syncookies: 1 # V-38539
+security_sysctl_tcp_syncookies: 1 # V-38539
#
# Deployers who wish to disable IPv6 entirely must set this configuration
# variable to 'yes'. See the documentation for V-38546 before making this
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index 9c9d15e0..dbbcc814 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -54,14 +54,17 @@ critical events on a Linux server.
Rules for auditd
^^^^^^^^^^^^^^^^
-The openstack-ansible-security creates a file full of audit rules for hosts
-and these rules can be configured via the ``auditd_rules`` dictionary in
-``defaults/main.yml``.
+The openstack-ansible-security role creates a file containing audit rules for
+hosts.
-Each key within the dictionary refers to a block of rules that perform a
-certain function. Setting a value of ``yes`` for these keys will ensure that
-the rules are present in the final auditd configuration file. Setting a value
-of ``no`` will ensure that they are omitted.
+Each group of rules are controlled by Ansible variables that begin with
+``security_audit_``. To omit a set of rules on a host, set the variable to
+``no``. To include a set of rules on a host, set the variable to ``yes``.
+
+For example, setting ``security_audit_filesystem_mounts`` to ``yes`` will
+ensure that the rules for auditing filesystem mounts are included on each host.
+Setting ``security_audit_filesystem_mounts`` to ``no`` will omit that group of
+rules on each host.
To review the full list of rules and variables, refer to ``templates/osas-auditd.j2``.
@@ -109,10 +112,14 @@ Kernel
Kernel modules
^^^^^^^^^^^^^^
-Certain kernel modules are restricted by the STIG and those are reflected in
-the ``disable_module`` dictionary within ``defaults/main.yml``. A setting of
-``yes`` means that the module will be disabled on the next boot and a setting
-of ``no`` means that the state of the module will not be changed.
+Certain kernel modules are restricted by the STIG because they can become a
+security threat to a server. The Ansible tasks will disable most of these
+variables in accordance with the STIG. These changes are controlled by Ansible
+variables matching the pattern ``security_disable_module_MODULENAME``. Refer to
+``defaults/main.yml`` for a full list of these variables.
+
+A setting of ``yes`` means that the module will be disabled on the next boot
+and a setting of ``no`` means that the state of the module will not be changed.
All of the defaults are set in accordance with the STIG's requitements with the exception of the ``usb_storage`` kernel module. This module is used
@@ -156,8 +163,9 @@ Disabling services
^^^^^^^^^^^^^^^^^^
By default, the role will disable any services that are recommended to be
-disabled by the STIG. The list of these services can be found within the
-``disable_services`` dictionary in ``defaults/main.yml``.
+disabled by the STIG. These changes are controlled by Ansible variables that
+match the ``security_disable_SERVICENAME`` pattern. Review these variables in
+``defaults/main.yml`` for more details.
A setting of ``yes`` for a service will cause the service to be disabled in accordance to the STIG's requirements.
@@ -169,10 +177,11 @@ it will remain stopped.
Removing services
^^^^^^^^^^^^^^^^^
-The STIG requires that some packages are completely removed from the server.
-By default, the role will remove the packages in accordance with the STIG's
-requirements. These services are found within the ``remove_services``
-dictionary within ``defaults/main.yml``.
+The STIG requires that some packages are completely removed from the server. By
+default, the role will remove the packages in accordance with the STIG's
+requirements. These changes are controlled by Ansible variables that match the
+``security_remove_SERVICENAME`` pattern. Review these variables in
+``defaults/main.yml`` for more details.
A setting of ``yes`` for a service will cause the package that contains the service to be removed from the system. If the service happens to be running
diff --git a/doc/source/developer-notes/V-38437.rst b/doc/source/developer-notes/V-38437.rst
index 82dddae3..b98be695 100644
--- a/doc/source/developer-notes/V-38437.rst
+++ b/doc/source/developer-notes/V-38437.rst
@@ -3,4 +3,4 @@ of this change, adjust the following variable:
.. code-block:: yaml
- disable_services['autofs'] = no
+ security_disable_autofs: no
diff --git a/doc/source/developer-notes/V-38490.rst b/doc/source/developer-notes/V-38490.rst
index 3d3f97dc..db1bb537 100644
--- a/doc/source/developer-notes/V-38490.rst
+++ b/doc/source/developer-notes/V-38490.rst
@@ -6,6 +6,6 @@ set the following variable to ``yes``:
.. code-block:: yaml
- disable_module['usb_storage']: yes
+ security_disable_module_usb_storage: yes
**NOTE:** The module will be disabled on the next reboot.
diff --git a/doc/source/developer-notes/V-38514.rst b/doc/source/developer-notes/V-38514.rst
index f0a4a077..7d4718d3 100644
--- a/doc/source/developer-notes/V-38514.rst
+++ b/doc/source/developer-notes/V-38514.rst
@@ -6,6 +6,6 @@ To opt-out of this change, simply change the following variable to ``no``:
.. code-block:: yaml
- disable_module['dccp']: no
+ security_disable_module_dccp: no
**NOTE:** The module will be disabled on the next reboot.
diff --git a/doc/source/developer-notes/V-38515.rst b/doc/source/developer-notes/V-38515.rst
index 987d1f83..0201988e 100644
--- a/doc/source/developer-notes/V-38515.rst
+++ b/doc/source/developer-notes/V-38515.rst
@@ -5,6 +5,6 @@ To opt-out of this change, set the following variable to ``no``:
.. code-block:: yaml
- disable_module['sctp']: no
+ security_disable_module_sctp: no
**NOTE:** The module will be disabled on the next reboot.
diff --git a/doc/source/developer-notes/V-38516.rst b/doc/source/developer-notes/V-38516.rst
index 83104523..01aa7ced 100644
--- a/doc/source/developer-notes/V-38516.rst
+++ b/doc/source/developer-notes/V-38516.rst
@@ -8,6 +8,6 @@ To opt-out of this change, set the following variable to ``no``:
.. code-block:: yaml
- disable_module['rds']: no
+ security_disable_module_rds: no
**NOTE:** The module will be disabled on the next reboot.
diff --git a/doc/source/developer-notes/V-38517.rst b/doc/source/developer-notes/V-38517.rst
index 61832680..966589dc 100644
--- a/doc/source/developer-notes/V-38517.rst
+++ b/doc/source/developer-notes/V-38517.rst
@@ -8,6 +8,6 @@ To opt-out of this change, set the following variable to ``no``:
.. code-block:: yaml
- disable_module['tipc']: no
+ security_disable_module_tipc: no
**NOTE:** The module will be disabled on the next reboot.
diff --git a/doc/source/developer-notes/V-38539.rst b/doc/source/developer-notes/V-38539.rst
index 4c066ea1..bc97ce98 100644
--- a/doc/source/developer-notes/V-38539.rst
+++ b/doc/source/developer-notes/V-38539.rst
@@ -9,6 +9,12 @@ events.
Putting well-configured hardware network devices in front of OpenStack environments is always recommended and this may allow some deployers to turn off SYN cookies within their environment.
+Deployers can disable TCP SYN cookies by setting an Ansible variable:
+
+.. code-block:: yaml
+
+ security_sysctl_tcp_syncookies: 0
+
For more information on TCP SYN cookies and TCP SYN floods, refer to these links:
diff --git a/doc/source/developer-notes/V-38543.rst b/doc/source/developer-notes/V-38543.rst
index b87898f5..17fe6b19 100644
--- a/doc/source/developer-notes/V-38543.rst
+++ b/doc/source/developer-notes/V-38543.rst
@@ -8,6 +8,6 @@ These audit rules can be enabled by setting any of the following variables:
.. code-block:: yaml
- auditd_rules['DAC_chmod']: yes
- auditd_rules['DAC_fchmod']: yes
- auditd_rules['DAC_fchmodat']: yes
+ security_audit_DAC_chmod: yes
+ security_audit_DAC_fchmod: yes
+ security_audit_DAC_fchmodat: yes
diff --git a/doc/source/developer-notes/V-38566.rst b/doc/source/developer-notes/V-38566.rst
index 4d2085f6..d5e927d0 100644
--- a/doc/source/developer-notes/V-38566.rst
+++ b/doc/source/developer-notes/V-38566.rst
@@ -9,4 +9,4 @@ the following Ansible variable:
.. code-block:: yaml
- auditd_rules['failed_access']: yes
+ security_auditd_failed_access: yes
diff --git a/doc/source/developer-notes/V-38575.rst b/doc/source/developer-notes/V-38575.rst
index dd7b89d9..cdf6866e 100644
--- a/doc/source/developer-notes/V-38575.rst
+++ b/doc/source/developer-notes/V-38575.rst
@@ -10,4 +10,4 @@ following Ansible variable:
.. code-block:: yaml
- auditd_rules['deletions'] = yes
+ security_audit_deletions: yes
diff --git a/doc/source/developer-notes/V-38582.rst b/doc/source/developer-notes/V-38582.rst
index 316cf331..6a133b18 100644
--- a/doc/source/developer-notes/V-38582.rst
+++ b/doc/source/developer-notes/V-38582.rst
@@ -6,4 +6,4 @@ To opt-out of this change, simply adjust the following configuration item to
.. code-block:: yaml
- disable_services['xinetd'] = no
+ security_disable_xinetd: no
diff --git a/doc/source/developer-notes/V-38584.rst b/doc/source/developer-notes/V-38584.rst
index 3d5821d1..c1fb4d40 100644
--- a/doc/source/developer-notes/V-38584.rst
+++ b/doc/source/developer-notes/V-38584.rst
@@ -4,4 +4,4 @@ to ``no``:
.. code-block:: yaml
- remove_services['xinetd'] = no
+ security_remove_xinetd: no
diff --git a/doc/source/developer-notes/V-38587.rst b/doc/source/developer-notes/V-38587.rst
index 518b386c..7e38b1d2 100644
--- a/doc/source/developer-notes/V-38587.rst
+++ b/doc/source/developer-notes/V-38587.rst
@@ -1,3 +1,8 @@
-The telnet server package will be removed by default. To control which
-services will be removed, review the ``remove_services`` list in
-``defaults/main.yml``.
+The ``telnetd`` service will be removed by the Ansible tasks, if it is
+installed. To opt-out of this change, adjust the following variable
+to ``no``:
+
+.. code-block:: yaml
+
+ security_remove_telnet_server: no
+
diff --git a/doc/source/developer-notes/V-38591.rst b/doc/source/developer-notes/V-38591.rst
index 665150ca..2af37d86 100644
--- a/doc/source/developer-notes/V-38591.rst
+++ b/doc/source/developer-notes/V-38591.rst
@@ -1,2 +1,8 @@
-The rshd service will be removed by default. To control what services will
-be removed, review the ``remove_services`` list in ``defaults/main.yml``.
+The ``rshd`` service will be removed by the Ansible tasks, if it is
+installed. To opt-out of this change, adjust the following variable
+to ``no``:
+
+.. code-block:: yaml
+
+ security_remove_rsh_server: no
+
diff --git a/doc/source/developer-notes/V-38603.rst b/doc/source/developer-notes/V-38603.rst
index a2351b94..a93d693c 100644
--- a/doc/source/developer-notes/V-38603.rst
+++ b/doc/source/developer-notes/V-38603.rst
@@ -4,4 +4,4 @@ opt-out of this change, adjust the following configuration variable to ``no``:
.. code-block:: yaml
- remove_services['ypserv'] = no
+ security_remove_ypserv: no
diff --git a/doc/source/developer-notes/V-38606.rst b/doc/source/developer-notes/V-38606.rst
index 950d3b4d..d2e8e66c 100644
--- a/doc/source/developer-notes/V-38606.rst
+++ b/doc/source/developer-notes/V-38606.rst
@@ -3,4 +3,4 @@ following configuration variable to ``no``:
.. code-block:: yaml
- remove_services['tftp-server'] = no
+ security_remove_tftp_server: no
diff --git a/doc/source/developer-notes/V-38627.rst b/doc/source/developer-notes/V-38627.rst
index 879c5c21..b45a6c4b 100644
--- a/doc/source/developer-notes/V-38627.rst
+++ b/doc/source/developer-notes/V-38627.rst
@@ -5,4 +5,4 @@ To opt-out of this change, set the following Ansible variable to ``no``:
.. code-block:: yaml
- remove_services['ldap-server']: no
+ security_remove_ldap_server: no
diff --git a/doc/source/developer-notes/V-38648.rst b/doc/source/developer-notes/V-38648.rst
index 1aada79a..5b7a43ee 100644
--- a/doc/source/developer-notes/V-38648.rst
+++ b/doc/source/developer-notes/V-38648.rst
@@ -8,4 +8,4 @@ To opt-out of this change, adjust the following Ansible variable to ``no``:
.. code-block:: yaml
- disable_services['qpidd']: no
+ security_disable_qpidd: no
diff --git a/doc/source/developer-notes/V-38671.rst b/doc/source/developer-notes/V-38671.rst
index 18ffa0a6..b70b78e0 100644
--- a/doc/source/developer-notes/V-38671.rst
+++ b/doc/source/developer-notes/V-38671.rst
@@ -6,4 +6,4 @@ To opt-out of this change, adjust the following Ansible variable to ``no``:
.. code-block:: yaml
- remove_services['sendmail']: no
+ security_remove_sendmail: no
diff --git a/doc/source/developer-notes/V-38676.rst b/doc/source/developer-notes/V-38676.rst
index d9bde368..9e285bb2 100644
--- a/doc/source/developer-notes/V-38676.rst
+++ b/doc/source/developer-notes/V-38676.rst
@@ -5,4 +5,4 @@ To opt-out of the change, set the following Ansible variable to ``no``:
.. code-block:: yaml
- remove_services['xorg']: no
+ security_remove_xorg: no
diff --git a/doc/source/developer-notes/V-38691.rst b/doc/source/developer-notes/V-38691.rst
index a47d6750..a8900001 100644
--- a/doc/source/developer-notes/V-38691.rst
+++ b/doc/source/developer-notes/V-38691.rst
@@ -6,4 +6,4 @@ To opt-out of this change, adjust the following Ansible variable to ``no``:
.. code-block:: yaml
- disable_services['bluetooth']: no
+ security_disable_bluetooth: no
diff --git a/releasenotes/notes/dictionary-variables-removed-957c7b7b2108ba1f.yaml b/releasenotes/notes/dictionary-variables-removed-957c7b7b2108ba1f.yaml
new file mode 100644
index 00000000..6386acaa
--- /dev/null
+++ b/releasenotes/notes/dictionary-variables-removed-957c7b7b2108ba1f.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+ - The dictionary-based variables in ``defaults/main.yml`` are now individual
+ variables. The dictionary-based variables could not be changed as the
+ documentation instructed. Instead it was required to override the entire
+ dictionary. Deployers must use the new variable names to enable or disable
+ the security configuration changes applied by the security role. For more
+ information, see
+ `Launchpad Bug 1577944 `_.
diff --git a/releasenotes/notes/disable-failed-access-audit-logging-789dc01c8bcbef17.yaml b/releasenotes/notes/disable-failed-access-audit-logging-789dc01c8bcbef17.yaml
index 1aa33395..e6038500 100644
--- a/releasenotes/notes/disable-failed-access-audit-logging-789dc01c8bcbef17.yaml
+++ b/releasenotes/notes/disable-failed-access-audit-logging-789dc01c8bcbef17.yaml
@@ -1,6 +1,6 @@
---
fixes:
- Failed access logging is now disabled by default and can be enabled by
- changing ``auditd_rules['failed_access']`` to ``yes``. The rsyslog daemon
+ changing ``security_audit_failed_access`` to ``yes``. The rsyslog daemon
checks for the existence of log files regularly and this audit rule was triggered very frequently, which led to very large audit logs.
diff --git a/tasks/auth.yml b/tasks/auth.yml
index ec921d5a..e721131c 100644
--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@@ -195,7 +195,7 @@
apt:
name: rsh-server
state: absent
- when: remove_services['rsh-server'] | bool
+ when: security_remove_rsh_server | bool
tags:
- auth
- cat1
@@ -205,7 +205,7 @@
apt:
name: telnetd
state: absent
- when: remove_services['telnet_server'] | bool
+ when: security_remove_telnet_server | bool
tags:
- auth
- cat1
diff --git a/tasks/kernel.yml b/tasks/kernel.yml
index c028d10b..fcf45d1c 100644
--- a/tasks/kernel.yml
+++ b/tasks/kernel.yml
@@ -52,7 +52,7 @@
- name: V-38539 - Enable TCP syncookies
sysctl:
name: net.ipv4.tcp_syncookies
- value: "{{ sysctl_tunable['tcp_syncookies'] }}"
+ value: "{{ security_sysctl_tcp_syncookies }}"
state: present
sysctl_set: yes
tags:
@@ -99,7 +99,7 @@
dest: /etc/modprobe.d/V-38490-disable-usb-storage.conf
line: "install usb-storage /bin/true"
create: yes
- when: disable_module['usb_storage'] | bool
+ when: security_disable_module_usb_storage | bool
tags:
- kernel
- cat2
@@ -110,7 +110,7 @@
dest: /etc/modprobe.d/V-38514-disable-dccp.conf
line: "install dccp /bin/true"
create: yes
- when: disable_module['dccp'] | bool
+ when: security_disable_module_dccp | bool
tags:
- kernel
- cat2
@@ -121,7 +121,7 @@
dest: /etc/modprobe.d/V-38515-disable-sctp.conf
line: "install sctp /bin/true"
create: yes
- when: disable_module['sctp'] | bool
+ when: security_disable_module_sctp | bool
tags:
- kernel
- cat2
@@ -132,7 +132,7 @@
dest: /etc/modprobe.d/V-38516-disable-rds.conf
line: "install rds /bin/true"
create: yes
- when: disable_module['rds'] | bool
+ when: security_disable_module_rds | bool
tags:
- kernel
- cat3
@@ -143,7 +143,7 @@
dest: /etc/modprobe.d/V-38517-disable-tipc.conf
line: "install tipc /bin/true"
create: yes
- when: disable_module['tipc'] | bool
+ when: security_disable_module_tipc | bool
tags:
- kernel
- cat2
@@ -168,7 +168,7 @@
copy:
src: V-38682-modprobe.conf
dest: /etc/modprobe.d/disable-bluetooth.conf
- when: disable_module['bluetooth'] | bool
+ when: security_disable_module_bluetooth | bool
tags:
- kernel
- cat2
diff --git a/tasks/services.yml b/tasks/services.yml
index e26884a6..55977452 100644
--- a/tasks/services.yml
+++ b/tasks/services.yml
@@ -29,7 +29,7 @@
name: autofs
state: stopped
enabled: no
- when: disable_services['autofs'] | bool and 'autofs' in sysv_services.stdout
+ when: security_disable_autofs | bool and 'autofs' in sysv_services.stdout
tags:
- services
- cat3
@@ -40,7 +40,7 @@
name: abrtd
state: stopped
enabled: no
- when: disable_services['abrtd'] | bool and 'abrtd' in sysv_services.stdout
+ when: security_disable_abrtd | bool and 'abrtd' in sysv_services.stdout
tags:
- services
- cat3
@@ -51,7 +51,7 @@
name: atd
state: stopped
enabled: no
- when: disable_services['atd'] | bool and 'atd' in sysv_services.stdout
+ when: security_disable_atd | bool and 'atd' in sysv_services.stdout
tags:
- services
- cat3
@@ -62,7 +62,7 @@
name: qpidd
state: stopped
enabled: no
- when: disable_services['qpidd'] | bool and 'qpidd' in sysv_services.stdout
+ when: security_disable_qpidd | bool and 'qpidd' in sysv_services.stdout
tags:
- services
- cat3
@@ -73,7 +73,7 @@
name: bluetooth
state: stopped
enabled: no
- when: disable_services['bluetooth'] | bool and 'bluetooth' in sysv_services.stdout
+ when: security_disable_bluetooth | bool and 'bluetooth' in sysv_services.stdout
tags:
- services
- cat2
@@ -84,7 +84,7 @@
name: xinetd
state: stopped
enabled: no
- when: disable_services['xinetd'] | bool and 'xinetd' in sysv_services.stdout
+ when: security_disable_xinetd | bool and 'xinetd' in sysv_services.stdout
tags:
- services
- cat2
@@ -94,7 +94,7 @@
apt:
name: xinetd
state: absent
- when: remove_services['xinetd'] | bool
+ when: security_remove_xinetd | bool
tags:
- services
- cat3
@@ -105,7 +105,7 @@
apt:
name: nis
state: absent
- when: remove_services['ypserv'] | bool
+ when: security_remove_ypserv | bool
tags:
- services
- cat2
@@ -125,7 +125,7 @@
apt:
name: tftpd
state: absent
- when: remove_services['tftp-server'] | bool
+ when: security_remove_tftp_server | bool
tags:
- services
- cat2
@@ -136,7 +136,7 @@
name: avahi-daemon
state: stopped
enabled: no
- when: disable_services['avahi'] | bool and 'avahi' in sysv_services.stdout
+ when: security_disable_avahi | bool and 'avahi' in sysv_services.stdout
tags:
- services
- cat3
@@ -146,7 +146,7 @@
apt:
name: slapd
state: absent
- when: remove_services['ldap-server'] | bool
+ when: security_remove_ldap_server | bool
tags:
- services
- cat3
@@ -156,7 +156,7 @@
apt:
name: sendmail
state: absent
- when: remove_services['sendmail'] | bool
+ when: security_remove_sendmail | bool
tags:
- services
- cat2
@@ -166,7 +166,7 @@
apt:
name: xserver-xorg
state: absent
- when: remove_services['xorg'] | bool
+ when: security_remove_xorg | bool
tags:
- services
- cat3
diff --git a/templates/osas-auditd.j2 b/templates/osas-auditd.j2
index b567c62d..ae2edd96 100644
--- a/templates/osas-auditd.j2
+++ b/templates/osas-auditd.j2
@@ -1,31 +1,31 @@
-{% if auditd_rules['clock_settimeofday'] | bool %}
+{% if security_audit_clock_settimeofday | bool %}
# RHEL 6 STIG V-38522
# Audits changes to system time via settimeofday
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
{% endif %}
-{% if auditd_rules['clock_stime'] | bool %}
+{% if security_audit_clock_stime | bool %}
# RHEL 6 STIG V-38525
# Audits changes to system time via stime
-a always,exit -F arch=b32 -S stime -k audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
{% endif %}
-{% if auditd_rules['clock_settime'] | bool %}
+{% if security_audit_clock_settime | bool %}
# RHEL 6 STIG V-38527
# Audits changes to system time via clock_settime
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
{% endif %}
-{% if auditd_rules['change_localtime'] | bool %}
+{% if security_audit_change_localtime | bool %}
# RHEL 6 STIG V-38530
# Audits clock changes made via /etc/localtime
-w /etc/localtime -p wa -k audit_time_rules
{% endif %}
-{% if auditd_rules['account_modification'] | bool %}
+{% if security_audit_account_modification | bool %}
# RHEL 6 STIG V-38531, V-38534, V-38536, V-38538
# Audits account modifications and terminations
-w /etc/group -p wa -k audit_account_changes
@@ -35,7 +35,7 @@
-w /etc/security/opasswd -p wa -k audit_account_changes
{% endif %}
-{% if auditd_rules['network_changes'] | bool %}
+{% if security_audit_network_changes | bool %}
# RHEL 6 STIG V-38540
# Audits network configuration changes
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
@@ -46,13 +46,13 @@
-w /etc/network -p wa -k audit_network_modifications
{% endif %}
-{% if auditd_rules['apparmor_changes'] | bool %}
+{% if security_audit_apparmor_changes | bool %}
# RHEL 6 STIG V-38541
# Audits changes to AppArmor policies
-w /etc/apparmor/ -p wa -k MAC-policy
{% endif %}
-{% if auditd_rules['DAC_chmod'] | bool %}
+{% if security_audit_DAC_chmod | bool %}
# RHEL 6 STIG V-38543
# Audits DAC changes via chmod
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
@@ -61,7 +61,7 @@
-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
{% endif %}
-{% if auditd_rules['DAC_chown'] | bool %}
+{% if security_audit_DAC_chown | bool %}
# RHEL 6 STIG V-38545
# Audits DAC changes via chown
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
@@ -70,7 +70,7 @@
-a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod
{% endif %}
-{% if auditd_rules['DAC_fchmod'] | bool %}
+{% if security_audit_DAC_fchmod | bool %}
# RHEL 6 STIG V-38547
# Audits DAC changes via fchmod
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
@@ -79,7 +79,7 @@
-a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod
{% endif %}
-{% if auditd_rules['DAC_fchmodat'] | bool %}
+{% if security_audit_DAC_fchmodat | bool %}
# RHEL 6 STIG V-38550
# Audits DAC changes via fchmodat
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
@@ -88,7 +88,7 @@
-a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod
{% endif %}
-{% if auditd_rules['DAC_fchown'] | bool %}
+{% if security_audit_DAC_fchown | bool %}
# RHEL 6 STIG V-38552
# Audits DAC changes via fchown
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
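Review bot: The V-38543 block that `security_audit_DAC_chmod` now gates does not appear to audit chmod at all: the rule line directly under `# Audits DAC changes via chmod` is `-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod`, and the first line of the following hunk is the matching `arch=b64 ... -S removexattr ... auid=0` rule, so presumably the two lines between the hunks are the other `removexattr` variants rather than `chmod`. A deployer who sets the variable to `yes` expecting V-38543 coverage gets `removexattr` events instead, while `chmod` is not watched by any block visible in this diff (the separate fchmod/fchmodat blocks do not cover it). This predates the rename, but the new variable name and the STIG comment both promise chmod auditing, so the four rules should use `-S chmod`, e.g. `-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod`, with the `removexattr` rules moved to a block of their own if they are still wanted. The block itself straddles this hunk and the next, so its middle two lines are not visible here.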
@@ -97,7 +97,7 @@
-a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod
{% endif %}
-{% if auditd_rules['DAC_fchownat'] | bool %}
+{% if security_audit_DAC_fchownat | bool %}
# RHEL 6 STIG V-38554
# Audits DAC changes via fchownat
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
@@ -106,7 +106,7 @@
-a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod
{% endif %}
-{% if auditd_rules['DAC_fremovexattr'] | bool %}
+{% if security_audit_DAC_fremovexattr | bool %}
# RHEL 6 STIG V-38556
# Audits DAC changes via fremovexattr
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
@@ -115,7 +115,7 @@
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
{% endif %}
-{% if auditd_rules['DAC_fsetxattr'] | bool %}
+{% if security_audit_DAC_fsetxattr | bool %}
# RHEL 6 STIG V-38557
# Audits DAC changes via fsetxattr
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
@@ -124,7 +124,7 @@
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
{% endif %}
-{% if auditd_rules['DAC_lchown'] | bool %}
+{% if security_audit_DAC_lchown | bool %}
# RHEL 6 STIG V-38558
# Audits DAC changes via lchown
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
@@ -133,7 +133,7 @@
-a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod
{% endif %}
-{% if auditd_rules['DAC_lremovexattr'] | bool %}
+{% if security_audit_DAC_lremovexattr | bool %}
# RHEL 6 STIG V-38559
# Audits DAC changes via lremovexattr
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
@@ -142,7 +142,7 @@
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
{% endif %}
-{% if auditd_rules['DAC_lsetxattr'] | bool %}
+{% if security_audit_DAC_lsetxattr | bool %}
# RHEL 6 STIG V-38561
# Audits DAC changes via lsetxattr
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
@@ -151,7 +151,7 @@
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
{% endif %}
-{% if auditd_rules['DAC_setxattr'] | bool %}
+{% if security_audit_DAC_setxattr | bool %}
# RHEL 6 STIG V-38565
# Audits DAC changes via setxattr
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
@@ -160,7 +160,7 @@
-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
{% endif %}
-{% if auditd_rules['failed_access'] | bool %}
+{% if security_audit_failed_access | bool %}
# RHEL 6 STIG V-38566
# Audits failed attempts to access files and programs
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
@@ -173,7 +173,7 @@
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access
{% endif %}
-{% if auditd_rules['filesystem_mounts'] | bool %}
+{% if security_audit_filesystem_mounts | bool %}
# RHEL 6 STIG V-38568
# Audits filesystem mounts
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
@@ -182,7 +182,7 @@
-a always,exit -F arch=b64 -S mount -F auid=0 -k export
{% endif %}
-{% if auditd_rules['deletions'] %}
+{% if security_audit_deletions | bool %}
# RHEL 6 STIG V-38575
# Audits deletion of files and programs
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
@@ -191,13 +191,13 @@
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
{% endif %}
-{% if auditd_rules['sudoers'] %}
+{% if security_audit_sudoers | bool %}
# RHEL 6 STIG V-38578
# Audits /etc/sudoers changes
-w /etc/sudoers -p wa -k actions
{% endif %}
-{% if auditd_rules['kernel_modules'] | bool %}
+{% if security_audit_kernel_modules | bool %}
# RHEL 6 STIG V-38580
# Audits kernel module loading/unloading
-w /sbin/insmod -p x -k modules
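Review bot: The variable this V-38566 block now tests, `security_audit_failed_access`, does not match the name the same commit hands to deployers in `doc/source/developer-notes/V-38566.rst`, which instructs them to set `security_auditd_failed_access: yes`. Nothing else in this diff references the misspelled name, so a deployer who follows that note will believe failed-access auditing is switched on while this block is never rendered and the access rules are silently absent from the audit configuration. The developer note should read `security_audit_failed_access: yes`, matching both this template and the `defaults/main.yml` default and the wording already used in the disable-failed-access release note. Because an unknown `security_*` override is indistinguishable from a deliberate default, it is worth double-checking every renamed variable in the developer notes against `defaults/main.yml` the same way.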
@@ -207,7 +207,7 @@
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
{% endif %}
-{% if auditd_rules['change_system_time'] | bool %}
+{% if security_audit_change_system_time | bool %}
# RHEL 6 STIG V-38635
# Audits system time changes
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules