From f5061fd0222cd068934726231244c2dca82d9d43 Mon Sep 17 00:00:00 2001 
From: Major Hayden Date: Thu, 5 May 2016 08:32:32 -0500 Subject: [PATCH] Switch from dict to individual variables The dictionary-based variables didn't work properly and this patch changes them to individual variables. If users followed the existing documentation, their environments will be unaffected by this change (they are still broken). The new variables follow the pattern `security_VARIABLENAME` which will soon become the standard for the role to avoid variable name collisions with other playbooks and roles. Release notes are included with this patch. Closes-bug: 1577944 Change-Id: I455f66a0b4f423e2cf0e753b129367427f29479f --- defaults/main.yml | 103 +++++++++--------- doc/source/configuration.rst | 43 +++++--- doc/source/developer-notes/V-38437.rst | 2 +- doc/source/developer-notes/V-38490.rst | 2 +- doc/source/developer-notes/V-38514.rst | 2 +- doc/source/developer-notes/V-38515.rst | 2 +- doc/source/developer-notes/V-38516.rst | 2 +- doc/source/developer-notes/V-38517.rst | 2 +- doc/source/developer-notes/V-38539.rst | 6 + doc/source/developer-notes/V-38543.rst | 6 +- doc/source/developer-notes/V-38566.rst | 2 +- doc/source/developer-notes/V-38575.rst | 2 +- doc/source/developer-notes/V-38582.rst | 2 +- doc/source/developer-notes/V-38584.rst | 2 +- doc/source/developer-notes/V-38587.rst | 11 +- doc/source/developer-notes/V-38591.rst | 10 +- doc/source/developer-notes/V-38603.rst | 2 +- doc/source/developer-notes/V-38606.rst | 2 +- doc/source/developer-notes/V-38627.rst | 2 +- doc/source/developer-notes/V-38648.rst | 2 +- doc/source/developer-notes/V-38671.rst | 2 +- doc/source/developer-notes/V-38676.rst | 2 +- doc/source/developer-notes/V-38691.rst | 2 +- ...ry-variables-removed-957c7b7b2108ba1f.yaml | 9 ++ ...access-audit-logging-789dc01c8bcbef17.yaml | 2 +- tasks/auth.yml | 4 +- tasks/kernel.yml | 14 +-- tasks/services.yml | 26 ++--- templates/osas-auditd.j2 | 50 ++++----- 29 files changed, 174 insertions(+), 144 deletions(-) create mode 100644 
releasenotes/notes/dictionary-variables-removed-957c7b7b2108ba1f.yaml
diff --git a/defaults/main.yml b/defaults/main.yml
index 3627e657..872ba023 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -50,32 +50,31 @@ initialize_aide: false # will be deployed onto the host and auditd will get the new rules loaded # automatically with augenrules. # -auditd_rules: - account_modification: yes # V-38531, V-38534, V-38538 - apparmor_changes: yes # V-38541 - change_localtime: yes # V-38530 - change_system_time: yes # V-38635 - clock_settime: yes # V-38527 - clock_settimeofday: yes # V-38522 - clock_stime: yes # V-38525 - DAC_chmod: no # V-38543 - DAC_chown: yes # V-38545 - DAC_lchown: yes # V-38558 - DAC_fchmod: no # V-38547 - DAC_fchmodat: no # V-38550 - DAC_fchown: yes # V-38552 - DAC_fchownat: yes # V-38554 - DAC_fremovexattr: yes # V-38556 - DAC_lremovexattr: yes # V-38559 - DAC_fsetxattr: yes # V-38557 - DAC_lsetxattr: yes # V-38561 - DAC_setxattr: yes # V-38565 - deletions: no # V-38575 - failed_access: no # V-38566 - filesystem_mounts: yes # V-38568 - kernel_modules: yes # V-38580 - network_changes: yes # V-38540 - sudoers: yes # V-38578 +security_audit_account_modification: yes # V-38531, V-38534, V-38538 +security_audit_apparmor_changes: yes # V-38541 +security_audit_change_localtime: yes # V-38530 +security_audit_change_system_time: yes # V-38635 +security_audit_clock_settime: yes # V-38527 +security_audit_clock_settimeofday: yes # V-38522 +security_audit_clock_stime: yes # V-38525 +security_audit_DAC_chmod: no # V-38543 +security_audit_DAC_chown: yes # V-38545 +security_audit_DAC_lchown: yes # V-38558 +security_audit_DAC_fchmod: no # V-38547 +security_audit_DAC_fchmodat: no # V-38550 +security_audit_DAC_fchown: yes # V-38552 +security_audit_DAC_fchownat: yes # V-38554 +security_audit_DAC_fremovexattr: yes # V-38556 +security_audit_DAC_lremovexattr: yes # V-38559 +security_audit_DAC_fsetxattr: yes # V-38557 +security_audit_DAC_lsetxattr: yes # V-38561 +security_audit_DAC_setxattr: yes # V-38565 +security_audit_deletions: no # V-38575 +security_audit_failed_access: no # V-38566 +security_audit_filesystem_mounts: yes # V-38568 
+security_audit_kernel_modules: yes # V-38580 +security_audit_network_changes: yes # V-38540 +security_audit_sudoers: yes # V-38578 # # **DANGER** # Changing the options below can cause systems to go offline unexpectedly or @@ -150,31 +149,29 @@ disable_core_dumps: yes # V-38675 # Setting a 'no' will ensure that this Ansible role does not alter the service # in any way from its current configuration. # -disable_services: - abrtd: yes # V-38641 - atd: yes # V-38640 - autofs: yes # V-38437 - avahi: yes # V-31618 - bluetooth: yes # V-38691 - qpidd: yes # V-38648 - rsh: yes # V-38594 - ypbind: yes # V-38604 - xinetd: yes # V-38582 +security_disable_abrtd: yes # V-38641 +security_disable_atd: yes # V-38640 +security_disable_autofs: yes # V-38437 +security_disable_avahi: yes # V-31618 +security_disable_bluetooth: yes # V-38691 +security_disable_qpidd: yes # V-38648 +security_disable_rsh: yes # V-38594 +security_disable_ypbind: yes # V-38604 +security_disable_xinetd: yes # V-38582 # # The STIG recommends ensuring that some services aren't installed at ANY time. # Those services are listed here. Setting a boolean here to 'yes' wiil # ensure that the STIG is followed and the service is removed. Setting a # boolean to 'no' means that the playbook will not alter the service. # -remove_services: - ldap-server: yes # V-38627 - rsh-server: yes # V-38591 - sendmail: yes # V-38671 - telnet_server: yes # V-38587 - tftp-server: yes # V-38606 - xinetd: yes # V-38584 - xorg: yes # v-38676 - ypserv: yes # V-38603 +security_remove_ldap_server: yes # V-38627 +security_remove_rsh_server: yes # V-38591 +security_remove_sendmail: yes # V-38671 +security_remove_telnet_server: yes # V-38587 +security_remove_tftp_server: yes # V-38606 +security_remove_xinetd: yes # V-38584 +security_remove_xorg: yes # v-38676 +security_remove_ypserv: yes # V-38603 ## SSH configuration # The following configuration items will adjust how the ssh daemon is 
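Review bot: `security_disable_rsh` (V-38594) and `security_disable_ypbind` (V-38604) are introduced in this hunk, but as far as this patch shows nothing consumes them: the tasks/services.yml hunks rename guards for autofs, abrtd, atd, qpidd, bluetooth, xinetd and avahi only, and those thirteen changes account for all 26 lines the diffstat reports for that file, so any `disable_services['rsh']`/`['ypbind']` consumer would have had to appear here. A deployer who sets either variable to `yes` therefore gets no enforcement and no error, which is the same silent failure this change is meant to eliminate. Either add the two service tasks or mark the variables as not yet wired up, e.g. `security_disable_rsh: yes  # V-38594 - NOTE: no task reads this yet`, so the defaults file does not overstate what the role enforces. This hunk starts and ends mid-file, so consumers elsewhere in the role are not visible from here.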
@@ -196,13 +193,12 @@ ssh_permit_root_login: 'yes' # V-38613 ## Kernel # Set these booleans to 'yes' to disable the kernel module (following the # STIG requirements). Set the boolean to 'no' to ensure no changes are made. -disable_module: - bluetooth: yes # V-38682 - dccp: yes # V-38514 - rds: yes # V-38516 - sctp: yes # V-38515 - tipc: yes # V-38517 - usb_storage: no # V-38490 +security_disable_module_bluetooth: yes # V-38682 +security_disable_module_dccp: yes # V-38514 +security_disable_module_rds: yes # V-38516 +security_disable_module_sctp: yes # V-38515 +security_disable_module_tipc: yes # V-38517 +security_disable_module_usb_storage: no # V-38490 # # ** DANGER ** # It's strongly recommended to fully understand the effects of changing the @@ -210,8 +206,7 @@ disable_module: # Notes' for each of the STIGs below before making any changes. # ** DANGER ** # -sysctl_tunable: - tcp_syncookies: 1 # V-38539 +security_sysctl_tcp_syncookies: 1 # V-38539 # # Deployers who wish to disable IPv6 entirely must set this configuration # variable to 'yes'. See the documentation for V-38546 before making this diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index 9c9d15e0..dbbcc814 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst 
@@ -54,14 +54,17 @@ critical events on a Linux server. Rules for auditd ^^^^^^^^^^^^^^^^ -The openstack-ansible-security creates a file full of audit rules for hosts -and these rules can be configured via the ``auditd_rules`` dictionary in -``defaults/main.yml``. +The openstack-ansible-security role creates a file containing audit rules for +hosts. -Each key within the dictionary refers to a block of rules that perform a -certain function. Setting a value of ``yes`` for these keys will ensure that -the rules are present in the final auditd configuration file. Setting a value -of ``no`` will ensure that they are omitted. +Each group of rules are controlled by Ansible variables that begin with +``security_audit_``. To omit a set of rules on a host, set the variable to +``no``. To include a set of rules on a host, set the variable to ``yes``. + +For example, setting ``security_audit_filesystem_mounts`` to ``yes`` will +ensure that the rules for auditing filesystem mounts are included on each host. +Setting ``security_audit_filesystem_mounts`` to ``no`` will omit that group of +rules on each host. To review the full list of rules and variables, refer to ``templates/osas-auditd.j2``. 
@@ -109,10 +112,14 @@ Kernel Kernel modules ^^^^^^^^^^^^^^ -Certain kernel modules are restricted by the STIG and those are reflected in -the ``disable_module`` dictionary within ``defaults/main.yml``. A setting of -``yes`` means that the module will be disabled on the next boot and a setting -of ``no`` means that the state of the module will not be changed. +Certain kernel modules are restricted by the STIG because they can become a +security threat to a server. The Ansible tasks will disable most of these +variables in accordance with the STIG. These changes are controlled by Ansible +variables matching the pattern ``security_disable_module_MODULENAME``. Refer to +``defaults/main.yml`` for a full list of these variables. + +A setting of ``yes`` means that the module will be disabled on the next boot +and a setting of ``no`` means that the state of the module will not be changed. All of the defaults are set in accordance with the STIG's requitements with the exception of the ``usb_storage`` kernel module. This module is used @@ -156,8 +163,9 @@ Disabling services ^^^^^^^^^^^^^^^^^^ By default, the role will disable any services that are recommended to be -disabled by the STIG. The list of these services can be found within the -``disable_services`` dictionary in ``defaults/main.yml``. +disabled by the STIG. These changes are controlled by Ansible variables that +match the ``security_disable_SERVICENAME`` pattern. Review these variables in +``defaults/main.yml`` for more details. A setting of ``yes`` for a service will cause the service to be disabled in accordance to the STIG's requirements. 
@@ -169,10 +177,11 @@ it will remain stopped. Removing services ^^^^^^^^^^^^^^^^^ -The STIG requires that some packages are completely removed from the server. -By default, the role will remove the packages in accordance with the STIG's -requirements. These services are found within the ``remove_services`` -dictionary within ``defaults/main.yml``. +The STIG requires that some packages are completely removed from the server. By +default, the role will remove the packages in accordance with the STIG's +requirements. These changes are controlled by Ansible variables that match the +``security_remove_SERVICENAME`` pattern. Review these variables in +``defaults/main.yml`` for more details. A setting of ``yes`` for a service will cause the package that contains the service to be removed from the system. If the service happens to be running diff --git a/doc/source/developer-notes/V-38437.rst b/doc/source/developer-notes/V-38437.rst index 82dddae3..b98be695 100644 --- a/doc/source/developer-notes/V-38437.rst +++ b/doc/source/developer-notes/V-38437.rst @@ -3,4 +3,4 @@ of this change, adjust the following variable: .. code-block:: yaml - disable_services['autofs'] = no + security_disable_autofs: no diff --git a/doc/source/developer-notes/V-38490.rst b/doc/source/developer-notes/V-38490.rst index 3d3f97dc..db1bb537 100644 --- a/doc/source/developer-notes/V-38490.rst +++ b/doc/source/developer-notes/V-38490.rst @@ -6,6 +6,6 @@ set the following variable to ``yes``: .. code-block:: yaml - disable_module['usb_storage']: yes + security_disable_module_usb_storage: yes **NOTE:** The module will be disabled on the next reboot. diff --git a/doc/source/developer-notes/V-38514.rst b/doc/source/developer-notes/V-38514.rst index f0a4a077..7d4718d3 100644 --- a/doc/source/developer-notes/V-38514.rst +++ b/doc/source/developer-notes/V-38514.rst 
@@ -6,6 +6,6 @@ To opt-out of this change, simply change the following variable to ``no``: .. code-block:: yaml - disable_module['dccp']: no + security_disable_module_dccp: no **NOTE:** The module will be disabled on the next reboot. diff --git a/doc/source/developer-notes/V-38515.rst b/doc/source/developer-notes/V-38515.rst index 987d1f83..0201988e 100644 --- a/doc/source/developer-notes/V-38515.rst +++ b/doc/source/developer-notes/V-38515.rst @@ -5,6 +5,6 @@ To opt-out of this change, set the following variable to ``no``: .. code-block:: yaml - disable_module['sctp']: no + security_disable_module_sctp: no **NOTE:** The module will be disabled on the next reboot. diff --git a/doc/source/developer-notes/V-38516.rst b/doc/source/developer-notes/V-38516.rst index 83104523..01aa7ced 100644 --- a/doc/source/developer-notes/V-38516.rst +++ b/doc/source/developer-notes/V-38516.rst @@ -8,6 +8,6 @@ To opt-out of this change, set the following variable to ``no``: .. code-block:: yaml - disable_module['rds']: no + security_disable_module_rds: no **NOTE:** The module will be disabled on the next reboot. diff --git a/doc/source/developer-notes/V-38517.rst b/doc/source/developer-notes/V-38517.rst index 61832680..966589dc 100644 --- a/doc/source/developer-notes/V-38517.rst +++ b/doc/source/developer-notes/V-38517.rst @@ -8,6 +8,6 @@ To opt-out of this change, set the following variable to ``no``: .. code-block:: yaml - disable_module['tipc']: no + security_disable_module_tipc: no **NOTE:** The module will be disabled on the next reboot. diff --git a/doc/source/developer-notes/V-38539.rst b/doc/source/developer-notes/V-38539.rst index 4c066ea1..bc97ce98 100644 --- a/doc/source/developer-notes/V-38539.rst +++ b/doc/source/developer-notes/V-38539.rst 
@@ -9,6 +9,12 @@ events. Putting well-configured hardware network devices in front of OpenStack environments is always recommended and this may allow some deployers to turn off SYN cookies within their environment. +Deployers can disable TCP SYN cookies by setting an Ansible variable: + +.. code-block:: yaml + + security_sysctl_tcp_syncookies: 0 + For more information on TCP SYN cookies and TCP SYN floods, refer to these links: diff --git a/doc/source/developer-notes/V-38543.rst b/doc/source/developer-notes/V-38543.rst index b87898f5..17fe6b19 100644 --- a/doc/source/developer-notes/V-38543.rst +++ b/doc/source/developer-notes/V-38543.rst @@ -8,6 +8,6 @@ These audit rules can be enabled by setting any of the following variables: .. code-block:: yaml - auditd_rules['DAC_chmod']: yes - auditd_rules['DAC_fchmod']: yes - auditd_rules['DAC_fchmodat']: yes + security_audit_DAC_chmod: yes + security_audit_DAC_fchmod: yes + security_audit_DAC_fchmodat: yes diff --git a/doc/source/developer-notes/V-38566.rst b/doc/source/developer-notes/V-38566.rst index a38dd171..4eb69d68 100644 --- a/doc/source/developer-notes/V-38566.rst +++ b/doc/source/developer-notes/V-38566.rst @@ -8,4 +8,4 @@ the following Ansible variable: .. code-block:: yaml - auditd_rules['failed_access']: yes + security_auditd_failed_access: yes diff --git a/doc/source/developer-notes/V-38575.rst b/doc/source/developer-notes/V-38575.rst index dd7b89d9..cdf6866e 100644 --- a/doc/source/developer-notes/V-38575.rst +++ b/doc/source/developer-notes/V-38575.rst @@ -10,4 +10,4 @@ following Ansible variable: .. code-block:: yaml - auditd_rules['deletions'] = yes + security_audit_deletions: yes diff --git a/doc/source/developer-notes/V-38582.rst b/doc/source/developer-notes/V-38582.rst index 316cf331..6a133b18 100644 --- a/doc/source/developer-notes/V-38582.rst +++ b/doc/source/developer-notes/V-38582.rst 
@@ -6,4 +6,4 @@ To opt-out of this change, simply adjust the following configuration item to .. code-block:: yaml - disable_services['xinetd'] = no + security_disable_xinetd: no diff --git a/doc/source/developer-notes/V-38584.rst b/doc/source/developer-notes/V-38584.rst index 3d5821d1..c1fb4d40 100644 --- a/doc/source/developer-notes/V-38584.rst +++ b/doc/source/developer-notes/V-38584.rst @@ -4,4 +4,4 @@ to ``no``: .. code-block:: yaml - remove_services['xinetd'] = no + security_remove_xinetd: no diff --git a/doc/source/developer-notes/V-38587.rst b/doc/source/developer-notes/V-38587.rst index 518b386c..7e38b1d2 100644 --- a/doc/source/developer-notes/V-38587.rst +++ b/doc/source/developer-notes/V-38587.rst @@ -1,3 +1,8 @@ -The telnet server package will be removed by default. To control which -services will be removed, review the ``remove_services`` list in -``defaults/main.yml``. +The ``telnetd`` service will be removed by the Ansible tasks, if it is +installed. To opt-out of this change, adjust the following variable +to ``no``: + +.. code-block:: yaml + + security_remove_telnet_server: no + diff --git a/doc/source/developer-notes/V-38591.rst b/doc/source/developer-notes/V-38591.rst index 665150ca..2af37d86 100644 --- a/doc/source/developer-notes/V-38591.rst +++ b/doc/source/developer-notes/V-38591.rst @@ -1,2 +1,8 @@ -The rshd service will be removed by default. To control what services will -be removed, review the ``remove_services`` list in ``defaults/main.yml``. +The ``rshd`` service will be removed by the Ansible tasks, if it is +installed. To opt-out of this change, adjust the following variable +to ``no``: + +.. code-block:: yaml + + security_remove_rsh_server: no + diff --git a/doc/source/developer-notes/V-38603.rst b/doc/source/developer-notes/V-38603.rst index a2351b94..a93d693c 100644 --- a/doc/source/developer-notes/V-38603.rst +++ b/doc/source/developer-notes/V-38603.rst 
@@ -4,4 +4,4 @@ opt-out of this change, adjust the following configuration variable to ``no``: .. code-block:: yaml - remove_services['ypserv'] = no + security_remove_ypserv: no diff --git a/doc/source/developer-notes/V-38606.rst b/doc/source/developer-notes/V-38606.rst index 950d3b4d..d2e8e66c 100644 --- a/doc/source/developer-notes/V-38606.rst +++ b/doc/source/developer-notes/V-38606.rst @@ -3,4 +3,4 @@ following configuration variable to ``no``: .. code-block:: yaml - remove_services['tftp-server'] = no + security_remove_tftp_server: no diff --git a/doc/source/developer-notes/V-38627.rst b/doc/source/developer-notes/V-38627.rst index 879c5c21..b45a6c4b 100644 --- a/doc/source/developer-notes/V-38627.rst +++ b/doc/source/developer-notes/V-38627.rst @@ -5,4 +5,4 @@ To opt-out of this change, set the following Ansible variable to ``no``: .. code-block:: yaml - remove_services['ldap-server']: no + security_remove_ldap_server: no diff --git a/doc/source/developer-notes/V-38648.rst b/doc/source/developer-notes/V-38648.rst index 1aada79a..5b7a43ee 100644 --- a/doc/source/developer-notes/V-38648.rst +++ b/doc/source/developer-notes/V-38648.rst @@ -8,4 +8,4 @@ To opt-out of this change, adjust the following Ansible variable to ``no``: .. code-block:: yaml - disable_services['qpidd']: no + security_disable_qpidd: no diff --git a/doc/source/developer-notes/V-38671.rst b/doc/source/developer-notes/V-38671.rst index 18ffa0a6..b70b78e0 100644 --- a/doc/source/developer-notes/V-38671.rst +++ b/doc/source/developer-notes/V-38671.rst @@ -6,4 +6,4 @@ To opt-out of this change, adjust the following Ansible variable to ``no``: .. code-block:: yaml - remove_services['sendmail']: no + security_remove_sendmail: no diff --git a/doc/source/developer-notes/V-38676.rst b/doc/source/developer-notes/V-38676.rst index d9bde368..9e285bb2 100644 --- a/doc/source/developer-notes/V-38676.rst +++ b/doc/source/developer-notes/V-38676.rst 
@@ -5,4 +5,4 @@ To opt-out of the change, set the following Ansible variable to ``no``: .. code-block:: yaml - remove_services['xorg']: no + security_remove_xorg: no diff --git a/doc/source/developer-notes/V-38691.rst b/doc/source/developer-notes/V-38691.rst index a47d6750..a8900001 100644 --- a/doc/source/developer-notes/V-38691.rst +++ b/doc/source/developer-notes/V-38691.rst @@ -6,4 +6,4 @@ To opt-out of this change, adjust the following Ansible variable to ``no``: .. code-block:: yaml - disable_services['bluetooth']: no + security_disable_bluetooth: no diff --git a/releasenotes/notes/dictionary-variables-removed-957c7b7b2108ba1f.yaml b/releasenotes/notes/dictionary-variables-removed-957c7b7b2108ba1f.yaml new file mode 100644 index 00000000..6386acaa --- /dev/null +++ b/releasenotes/notes/dictionary-variables-removed-957c7b7b2108ba1f.yaml @@ -0,0 +1,9 @@ +--- +fixes: + - The dictionary-based variables in ``defaults/main.yml`` are now individual + variables. The dictionary-based variables could not be changed as the + documentation instructed. Instead it was required to override the entire + dictionary. Deployers must use the new variable names to enable or disable + the security configuration changes applied by the security role. For more + information, see + `Launchpad Bug 1577944 `_. diff --git a/releasenotes/notes/disable-failed-access-audit-logging-789dc01c8bcbef17.yaml b/releasenotes/notes/disable-failed-access-audit-logging-789dc01c8bcbef17.yaml index 1aa33395..e6038500 100644 --- a/releasenotes/notes/disable-failed-access-audit-logging-789dc01c8bcbef17.yaml +++ b/releasenotes/notes/disable-failed-access-audit-logging-789dc01c8bcbef17.yaml 
@@ -1,6 +1,6 @@ --- fixes: - Failed access logging is now disabled by default and can be enabled by - changing ``auditd_rules['failed_access']`` to ``yes``. The rsyslog daemon + changing ``security_audit_failed_access`` to ``yes``. The rsyslog daemon checks for the existence of log files regularly and this audit rule was triggered very frequently, which led to very large audit logs. diff --git a/tasks/auth.yml b/tasks/auth.yml index ec921d5a..e721131c 100644 --- a/tasks/auth.yml +++ b/tasks/auth.yml @@ -195,7 +195,7 @@ apt: name: rsh-server state: absent - when: remove_services['rsh-server'] | bool + when: security_remove_rsh_server | bool tags: - auth - cat1 @@ -205,7 +205,7 @@ apt: name: telnetd state: absent - when: remove_services['telnet_server'] | bool + when: security_remove_telnet_server | bool tags: - auth - cat1 diff --git a/tasks/kernel.yml b/tasks/kernel.yml index c028d10b..fcf45d1c 100644 --- a/tasks/kernel.yml +++ b/tasks/kernel.yml @@ -52,7 +52,7 @@ - name: V-38539 - Enable TCP syncookies sysctl: name: net.ipv4.tcp_syncookies - value: "{{ sysctl_tunable['tcp_syncookies'] }}" + value: "{{ security_sysctl_tcp_syncookies }}" state: present sysctl_set: yes tags: @@ -99,7 +99,7 @@ dest: /etc/modprobe.d/V-38490-disable-usb-storage.conf line: "install usb-storage /bin/true" create: yes - when: disable_module['usb_storage'] | bool + when: security_disable_module_usb_storage | bool tags: - kernel - cat2 @@ -110,7 +110,7 @@ dest: /etc/modprobe.d/V-38514-disable-dccp.conf line: "install dccp /bin/true" create: yes - when: disable_module['dccp'] | bool + when: security_disable_module_dccp | bool tags: - kernel - cat2 @@ -121,7 +121,7 @@ dest: /etc/modprobe.d/V-38515-disable-sctp.conf line: "install sctp /bin/true" create: yes - when: disable_module['sctp'] | bool + when: security_disable_module_sctp | bool tags: - kernel - cat2 
@@ -132,7 +132,7 @@ dest: /etc/modprobe.d/V-38516-disable-rds.conf line: "install rds /bin/true" create: yes - when: disable_module['rds'] | bool + when: security_disable_module_rds | bool tags: - kernel - cat3 @@ -143,7 +143,7 @@ dest: /etc/modprobe.d/V-38517-disable-tipc.conf line: "install tipc /bin/true" create: yes - when: disable_module['tipc'] | bool + when: security_disable_module_tipc | bool tags: - kernel - cat2 @@ -168,7 +168,7 @@ copy: src: V-38682-modprobe.conf dest: /etc/modprobe.d/disable-bluetooth.conf - when: disable_module['bluetooth'] | bool + when: security_disable_module_bluetooth | bool tags: - kernel - cat2 diff --git a/tasks/services.yml b/tasks/services.yml index e26884a6..55977452 100644 --- a/tasks/services.yml +++ b/tasks/services.yml @@ -29,7 +29,7 @@ name: autofs state: stopped enabled: no - when: disable_services['autofs'] | bool and 'autofs' in sysv_services.stdout + when: security_disable_autofs | bool and 'autofs' in sysv_services.stdout tags: - services - cat3 @@ -40,7 +40,7 @@ name: abrtd state: stopped enabled: no - when: disable_services['abrtd'] | bool and 'abrtd' in sysv_services.stdout + when: security_disable_abrtd | bool and 'abrtd' in sysv_services.stdout tags: - services - cat3 @@ -51,7 +51,7 @@ name: atd state: stopped enabled: no - when: disable_services['atd'] | bool and 'atd' in sysv_services.stdout + when: security_disable_atd | bool and 'atd' in sysv_services.stdout tags: - services - cat3 @@ -62,7 +62,7 @@ name: qpidd state: stopped enabled: no - when: disable_services['qpidd'] | bool and 'qpidd' in sysv_services.stdout + when: security_disable_qpidd | bool and 'qpidd' in sysv_services.stdout tags: - services - cat3 @@ -73,7 +73,7 @@ name: bluetooth state: stopped enabled: no - when: disable_services['bluetooth'] | bool and 'bluetooth' in sysv_services.stdout + when: security_disable_bluetooth | bool and 'bluetooth' in sysv_services.stdout tags: - services - cat2 
@@ -84,7 +84,7 @@ name: xinetd state: stopped enabled: no - when: disable_services['xinetd'] | bool and 'xinetd' in sysv_services.stdout + when: security_disable_xinetd | bool and 'xinetd' in sysv_services.stdout tags: - services - cat2 @@ -94,7 +94,7 @@ apt: name: xinetd state: absent - when: remove_services['xinetd'] | bool + when: security_remove_xinetd | bool tags: - services - cat3 @@ -105,7 +105,7 @@ apt: name: nis state: absent - when: remove_services['ypserv'] | bool + when: security_remove_ypserv | bool tags: - services - cat2 @@ -125,7 +125,7 @@ apt: name: tftpd state: absent - when: remove_services['tftp-server'] | bool + when: security_remove_tftp_server | bool tags: - services - cat2 @@ -136,7 +136,7 @@ name: avahi-daemon state: stopped enabled: no - when: disable_services['avahi'] | bool and 'avahi' in sysv_services.stdout + when: security_disable_avahi | bool and 'avahi' in sysv_services.stdout tags: - services - cat3 @@ -146,7 +146,7 @@ apt: name: slapd state: absent - when: remove_services['ldap-server'] | bool + when: security_remove_ldap_server | bool tags: - services - cat3 @@ -156,7 +156,7 @@ apt: name: sendmail state: absent - when: remove_services['sendmail'] | bool + when: security_remove_sendmail | bool tags: - services - cat2 @@ -166,7 +166,7 @@ apt: name: xserver-xorg state: absent - when: remove_services['xorg'] | bool + when: security_remove_xorg | bool tags: - services - cat3 diff --git a/templates/osas-auditd.j2 b/templates/osas-auditd.j2 index b567c62d..ae2edd96 100644 --- a/templates/osas-auditd.j2 +++ b/templates/osas-auditd.j2 
@@ -1,31 +1,31 @@ -{% if auditd_rules['clock_settimeofday'] | bool %} +{% if security_audit_clock_settimeofday | bool %} # RHEL 6 STIG V-38522 # Audits changes to system time via settimeofday -a always,exit -F arch=b32 -S settimeofday -k audit_time_rules -a always,exit -F arch=b64 -S settimeofday -k audit_time_rules {% endif %} -{% if auditd_rules['clock_stime'] | bool %} +{% if security_audit_clock_stime | bool %} # RHEL 6 STIG V-38525 # Audits changes to system time via stime -a always,exit -F arch=b32 -S stime -k audit_time_rules -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules {% endif %} -{% if auditd_rules['clock_settime'] | bool %} +{% if security_audit_clock_settime | bool %} # RHEL 6 STIG V-38527 # Audits changes to system time via clock_settime -a always,exit -F arch=b32 -S clock_settime -k audit_time_rules -a always,exit -F arch=b64 -S clock_settime -k audit_time_rules {% endif %} -{% if auditd_rules['change_localtime'] | bool %} +{% if security_audit_change_localtime | bool %} # RHEL 6 STIG V-38530 # Audits clock changes made via /etc/localtime -w /etc/localtime -p wa -k audit_time_rules {% endif %} -{% if auditd_rules['account_modification'] | bool %} +{% if security_audit_account_modification | bool %} # RHEL 6 STIG V-38531, V-38534, V-38536, V-38538 # Audits account modifications and terminations -w /etc/group -p wa -k audit_account_changes @@ -35,7 +35,7 @@ -w /etc/security/opasswd -p wa -k audit_account_changes {% endif %} -{% if auditd_rules['network_changes'] | bool %} +{% if security_audit_network_changes | bool %} # RHEL 6 STIG V-38540 # Audits network configuration changes -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications 
@@ -46,13 +46,13 @@ -w /etc/network -p wa -k audit_network_modifications {% endif %} -{% if auditd_rules['apparmor_changes'] | bool %} +{% if security_audit_apparmor_changes | bool %} # RHEL 6 STIG V-38541 # Audits changes to AppArmor policies -w /etc/apparmor/ -p wa -k MAC-policy {% endif %} -{% if auditd_rules['DAC_chmod'] | bool %} +{% if security_audit_DAC_chmod | bool %} # RHEL 6 STIG V-38543 # Audits DAC changes via chmod -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod @@ -61,7 +61,7 @@ -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod {% endif %} -{% if auditd_rules['DAC_chown'] | bool %} +{% if security_audit_DAC_chown | bool %} # RHEL 6 STIG V-38545 # Audits DAC changes via chown -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod @@ -70,7 +70,7 @@ -a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod {% endif %} -{% if auditd_rules['DAC_fchmod'] | bool %} +{% if security_audit_DAC_fchmod | bool %} # RHEL 6 STIG V-38547 # Audits DAC changes via fchmod -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod @@ -79,7 +79,7 @@ -a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod {% endif %} -{% if auditd_rules['DAC_fchmodat'] | bool %} +{% if security_audit_DAC_fchmodat | bool %} # RHEL 6 STIG V-38550 # Audits DAC changes via fchmodat -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod @@ -88,7 +88,7 @@ -a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod {% endif %} -{% if auditd_rules['DAC_fchown'] | bool %} +{% if security_audit_DAC_fchown | bool %} # RHEL 6 STIG V-38552 # Audits DAC changes via fchown -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod 
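Review bot: The rules guarded by `security_audit_DAC_chmod` do not audit chmod: the b32 rule in this hunk and the b64 rule in the following `@@ -61` hunk both pass `-S removexattr`, while the comment and V-38543 name chmod, so a deployer who enables this variable gets removexattr events and chmod stays unaudited. The rename carries that mismatch forward unchanged. Each rule line under this guard should use `-S chmod`, e.g. `-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod`; if removexattr auditing is wanted it needs its own guarded block with its own STIG reference. The rule lines between the two visible ones fall outside these hunks, so confirm them in the full template.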
@@ -97,7 +97,7 @@ -a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod {% endif %} -{% if auditd_rules['DAC_fchownat'] | bool %} +{% if security_audit_DAC_fchownat | bool %} # RHEL 6 STIG V-38554 # Audits DAC changes via fchownat -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod @@ -106,7 +106,7 @@ -a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod {% endif %} -{% if auditd_rules['DAC_fremovexattr'] | bool %} +{% if security_audit_DAC_fremovexattr | bool %} # RHEL 6 STIG V-38556 # Audits DAC changes via fremovexattr -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod @@ -115,7 +115,7 @@ -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod {% endif %} -{% if auditd_rules['DAC_fsetxattr'] | bool %} +{% if security_audit_DAC_fsetxattr | bool %} # RHEL 6 STIG V-38557 # Audits DAC changes via fsetxattr -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod @@ -124,7 +124,7 @@ -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod {% endif %} -{% if auditd_rules['DAC_lchown'] | bool %} +{% if security_audit_DAC_lchown | bool %} # RHEL 6 STIG V-38558 # Audits DAC changes via lchown -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod @@ -133,7 +133,7 @@ -a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod {% endif %} -{% if auditd_rules['DAC_lremovexattr'] | bool %} +{% if security_audit_DAC_lremovexattr | bool %} # RHEL 6 STIG V-38559 # Audits DAC changes via lremovexattr -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod @@ -142,7 +142,7 @@ -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod {% endif %} -{% if auditd_rules['DAC_lsetxattr'] | bool %} +{% if security_audit_DAC_lsetxattr | bool %} # RHEL 6 STIG V-38561 # Audits DAC changes via lsetxattr -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod 
@@ -151,7 +151,7 @@ -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod {% endif %} -{% if auditd_rules['DAC_setxattr'] | bool %} +{% if security_audit_DAC_setxattr | bool %} # RHEL 6 STIG V-38565 # Audits DAC changes via setxattr -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod @@ -160,7 +160,7 @@ -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod {% endif %} -{% if auditd_rules['failed_access'] | bool %} +{% if security_audit_failed_access | bool %} # RHEL 6 STIG V-38566 # Audits failed attempts to access files and programs -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access @@ -173,7 +173,7 @@ -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access {% endif %} -{% if auditd_rules['filesystem_mounts'] | bool %} +{% if security_audit_filesystem_mounts | bool %} # RHEL 6 STIG V-38568 # Audits filesystem mounts -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export @@ -182,7 +182,7 @@ -a always,exit -F arch=b64 -S mount -F auid=0 -k export {% endif %} -{% if auditd_rules['deletions'] %} +{% if security_audit_deletions | bool %} # RHEL 6 STIG V-38575 # Audits deletion of files and programs -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete @@ -191,13 +191,13 @@ -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete {% endif %} -{% if auditd_rules['sudoers'] %} +{% if security_audit_sudoers | bool %} # RHEL 6 STIG V-38578 # Audits /etc/sudoers changes -w /etc/sudoers -p wa -k actions {% endif %} -{% if auditd_rules['kernel_modules'] | bool %} +{% if security_audit_kernel_modules | bool %} # RHEL 6 STIG V-38580 # Audits kernel module loading/unloading -w /sbin/insmod -p x -k modules 
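Review bot: The variable read by the failed-access guard here, `security_audit_failed_access`, does not match the name the developer note for V-38566 in this same patch tells deployers to set, which is `security_auditd_failed_access: yes`. Because the role defaults this group to `no`, a deployer who follows that note sets a variable nothing consumes and the failed-access rules stay omitted without any error — the same silent non-enforcement this change is meant to close. The template, defaults/main.yml and the release note all agree on `security_audit_failed_access`, so the developer note should be corrected to `security_audit_failed_access: yes`.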
@@ -207,7 +207,7 @@ -a always,exit -F arch=b64 -S init_module -S delete_module -k modules {% endif %} -{% if auditd_rules['change_system_time'] | bool %} +{% if security_audit_change_system_time | bool %} # RHEL 6 STIG V-38635 # Audits system time changes -a always,exit -F arch=b32 -S adjtimex -k audit_time_rules