Merge "Switch from dict to individual variables"
c5ee398b88
@ -50,32 +50,31 @@ initialize_aide: false
|
||||
# will be deployed onto the host and auditd will get the new rules loaded
|
||||
# automatically with augenrules.
|
||||
#
|
||||
auditd_rules:
|
||||
account_modification: yes # V-38531, V-38534, V-38538
|
||||
apparmor_changes: yes # V-38541
|
||||
change_localtime: yes # V-38530
|
||||
change_system_time: yes # V-38635
|
||||
clock_settime: yes # V-38527
|
||||
clock_settimeofday: yes # V-38522
|
||||
clock_stime: yes # V-38525
|
||||
DAC_chmod: no # V-38543
|
||||
DAC_chown: yes # V-38545
|
||||
DAC_lchown: yes # V-38558
|
||||
DAC_fchmod: no # V-38547
|
||||
DAC_fchmodat: no # V-38550
|
||||
DAC_fchown: yes # V-38552
|
||||
DAC_fchownat: yes # V-38554
|
||||
DAC_fremovexattr: yes # V-38556
|
||||
DAC_lremovexattr: yes # V-38559
|
||||
DAC_fsetxattr: yes # V-38557
|
||||
DAC_lsetxattr: yes # V-38561
|
||||
DAC_setxattr: yes # V-38565
|
||||
deletions: no # V-38575
|
||||
failed_access: no # V-38566
|
||||
filesystem_mounts: yes # V-38568
|
||||
kernel_modules: yes # V-38580
|
||||
network_changes: yes # V-38540
|
||||
sudoers: yes # V-38578
|
||||
security_audit_account_modification: yes # V-38531, V-38534, V-38538
|
||||
security_audit_apparmor_changes: yes # V-38541
|
||||
security_audit_change_localtime: yes # V-38530
|
||||
security_audit_change_system_time: yes # V-38635
|
||||
security_audit_clock_settime: yes # V-38527
|
||||
security_audit_clock_settimeofday: yes # V-38522
|
||||
security_audit_clock_stime: yes # V-38525
|
||||
security_audit_DAC_chmod: no # V-38543
|
||||
security_audit_DAC_chown: yes # V-38545
|
||||
security_audit_DAC_lchown: yes # V-38558
|
||||
security_audit_DAC_fchmod: no # V-38547
|
||||
security_audit_DAC_fchmodat: no # V-38550
|
||||
security_audit_DAC_fchown: yes # V-38552
|
||||
security_audit_DAC_fchownat: yes # V-38554
|
||||
security_audit_DAC_fremovexattr: yes # V-38556
|
||||
security_audit_DAC_lremovexattr: yes # V-38559
|
||||
security_audit_DAC_fsetxattr: yes # V-38557
|
||||
security_audit_DAC_lsetxattr: yes # V-38561
|
||||
security_audit_DAC_setxattr: yes # V-38565
|
||||
security_audit_deletions: no # V-38575
|
||||
security_audit_failed_access: no # V-38566
|
||||
security_audit_filesystem_mounts: yes # V-38568
|
||||
security_audit_kernel_modules: yes # V-38580
|
||||
security_audit_network_changes: yes # V-38540
|
||||
security_audit_sudoers: yes # V-38578
|
||||
#
|
||||
# **DANGER**
|
||||
# Changing the options below can cause systems to go offline unexpectedly or
|
||||
@ -150,31 +149,29 @@ disable_core_dumps: yes # V-38675
|
||||
# Setting a 'no' will ensure that this Ansible role does not alter the service
|
||||
# in any way from its current configuration.
|
||||
#
|
||||
disable_services:
|
||||
abrtd: yes # V-38641
|
||||
atd: yes # V-38640
|
||||
autofs: yes # V-38437
|
||||
avahi: yes # V-31618
|
||||
bluetooth: yes # V-38691
|
||||
qpidd: yes # V-38648
|
||||
rsh: yes # V-38594
|
||||
ypbind: yes # V-38604
|
||||
xinetd: yes # V-38582
|
||||
security_disable_abrtd: yes # V-38641
|
||||
security_disable_atd: yes # V-38640
|
||||
security_disable_autofs: yes # V-38437
|
||||
security_disable_avahi: yes # V-31618
|
||||
security_disable_bluetooth: yes # V-38691
|
||||
security_disable_qpidd: yes # V-38648
|
||||
security_disable_rsh: yes # V-38594
|
||||
security_disable_ypbind: yes # V-38604
|
||||
security_disable_xinetd: yes # V-38582
|
||||
#
|
||||
# The STIG recommends ensuring that some services aren't installed at ANY time.
|
||||
# Those services are listed here. Setting a boolean here to 'yes' wiil
|
||||
# ensure that the STIG is followed and the service is removed. Setting a
|
||||
# boolean to 'no' means that the playbook will not alter the service.
|
||||
#
|
||||
remove_services:
|
||||
ldap-server: yes # V-38627
|
||||
rsh-server: yes # V-38591
|
||||
sendmail: yes # V-38671
|
||||
telnet_server: yes # V-38587
|
||||
tftp-server: yes # V-38606
|
||||
xinetd: yes # V-38584
|
||||
xorg: yes # v-38676
|
||||
ypserv: yes # V-38603
|
||||
security_remove_ldap_server: yes # V-38627
|
||||
security_remove_rsh_server: yes # V-38591
|
||||
security_remove_sendmail: yes # V-38671
|
||||
security_remove_telnet_server: yes # V-38587
|
||||
security_remove_tftp_server: yes # V-38606
|
||||
security_remove_xinetd: yes # V-38584
|
||||
security_remove_xorg: yes # v-38676
|
||||
security_remove_ypserv: yes # V-38603
|
||||
|
||||
## SSH configuration
|
||||
# The following configuration items will adjust how the ssh daemon is
|
||||
@ -196,13 +193,12 @@ ssh_permit_root_login: 'yes' # V-38613
|
||||
## Kernel
|
||||
# Set these booleans to 'yes' to disable the kernel module (following the
|
||||
# STIG requirements). Set the boolean to 'no' to ensure no changes are made.
|
||||
disable_module:
|
||||
bluetooth: yes # V-38682
|
||||
dccp: yes # V-38514
|
||||
rds: yes # V-38516
|
||||
sctp: yes # V-38515
|
||||
tipc: yes # V-38517
|
||||
usb_storage: no # V-38490
|
||||
security_disable_module_bluetooth: yes # V-38682
|
||||
security_disable_module_dccp: yes # V-38514
|
||||
security_disable_module_rds: yes # V-38516
|
||||
security_disable_module_sctp: yes # V-38515
|
||||
security_disable_module_tipc: yes # V-38517
|
||||
security_disable_module_usb_storage: no # V-38490
|
||||
#
|
||||
# ** DANGER **
|
||||
# It's strongly recommended to fully understand the effects of changing the
|
||||
@ -210,8 +206,7 @@ disable_module:
|
||||
# Notes' for each of the STIGs below before making any changes.
|
||||
# ** DANGER **
|
||||
#
|
||||
sysctl_tunable:
|
||||
tcp_syncookies: 1 # V-38539
|
||||
security_sysctl_tcp_syncookies: 1 # V-38539
|
||||
#
|
||||
# Deployers who wish to disable IPv6 entirely must set this configuration
|
||||
# variable to 'yes'. See the documentation for V-38546 before making this
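Review bot: Deployers who already override `auditd_rules`, `disable_services`, `remove_services`, `disable_module` or `sysctl_tunable` will have those overrides silently ignored after this change, because nothing in the new defaults reads the old dictionary names and an unused extra variable raises no error in Ansible, so a hardening control a deployer believed was tuned quietly reverts to the role default. The release note records the rename, but the defaults file itself gives no hint when someone reads it next to an old inventory. I would add a comment above each new group, e.g. `# The former auditd_rules dictionary is no longer read; set the security_audit_* variables below instead.`, and would consider a pre-task that fails when any of the old dictionary names is still defined so the regression is loud rather than silent. Since every new variable is consumed through `| bool`, writing them as `true`/`false` rather than `yes`/`no` would also avoid the YAML 1.1 truthy ambiguity, though that part is cosmetic.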
|
||||
|
@ -54,14 +54,17 @@ critical events on a Linux server.
|
||||
Rules for auditd
|
||||
^^^^^^^^^^^^^^^^
|
||||
|
||||
The openstack-ansible-security creates a file full of audit rules for hosts
|
||||
and these rules can be configured via the ``auditd_rules`` dictionary in
|
||||
``defaults/main.yml``.
|
||||
The openstack-ansible-security role creates a file containing audit rules for
|
||||
hosts.
|
||||
|
||||
Each key within the dictionary refers to a block of rules that perform a
|
||||
certain function. Setting a value of ``yes`` for these keys will ensure that
|
||||
the rules are present in the final auditd configuration file. Setting a value
|
||||
of ``no`` will ensure that they are omitted.
|
||||
Each group of rules are controlled by Ansible variables that begin with
|
||||
``security_audit_``. To omit a set of rules on a host, set the variable to
|
||||
``no``. To include a set of rules on a host, set the variable to ``yes``.
|
||||
|
||||
For example, setting ``security_audit_filesystem_mounts`` to ``yes`` will
|
||||
ensure that the rules for auditing filesystem mounts are included on each host.
|
||||
Setting ``security_audit_filesystem_mounts`` to ``no`` will omit that group of
|
||||
rules on each host.
|
||||
|
||||
To review the full list of rules and variables, refer to
|
||||
``templates/osas-auditd.j2``.
|
||||
@ -109,10 +112,14 @@ Kernel
|
||||
Kernel modules
|
||||
^^^^^^^^^^^^^^
|
||||
|
||||
Certain kernel modules are restricted by the STIG and those are reflected in
|
||||
the ``disable_module`` dictionary within ``defaults/main.yml``. A setting of
|
||||
``yes`` means that the module will be disabled on the next boot and a setting
|
||||
of ``no`` means that the state of the module will not be changed.
|
||||
Certain kernel modules are restricted by the STIG because they can become a
|
||||
security threat to a server. The Ansible tasks will disable most of these
|
||||
variables in accordance with the STIG. These changes are controlled by Ansible
|
||||
variables matching the pattern ``security_disable_module_MODULENAME``. Refer to
|
||||
``defaults/main.yml`` for a full list of these variables.
|
||||
|
||||
A setting of ``yes`` means that the module will be disabled on the next boot
|
||||
and a setting of ``no`` means that the state of the module will not be changed.
|
||||
|
||||
All of the defaults are set in accordance with the STIG's requitements with
|
||||
the exception of the ``usb_storage`` kernel module. This module is used
|
||||
@ -156,8 +163,9 @@ Disabling services
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
By default, the role will disable any services that are recommended to be
|
||||
disabled by the STIG. The list of these services can be found within the
|
||||
``disable_services`` dictionary in ``defaults/main.yml``.
|
||||
disabled by the STIG. These changes are controlled by Ansible variables that
|
||||
match the ``security_disable_SERVICENAME`` pattern. Review these variables in
|
||||
``defaults/main.yml`` for more details.
|
||||
|
||||
A setting of ``yes`` for a service will cause the service to be disabled in
|
||||
accordance to the STIG's requirements.
|
||||
@ -169,10 +177,11 @@ it will remain stopped.
|
||||
Removing services
|
||||
^^^^^^^^^^^^^^^^^
|
||||
|
||||
The STIG requires that some packages are completely removed from the server.
|
||||
By default, the role will remove the packages in accordance with the STIG's
|
||||
requirements. These services are found within the ``remove_services``
|
||||
dictionary within ``defaults/main.yml``.
|
||||
The STIG requires that some packages are completely removed from the server. By
|
||||
default, the role will remove the packages in accordance with the STIG's
|
||||
requirements. These changes are controlled by Ansible variables that match the
|
||||
``security_remove_SERVICENAME`` pattern. Review these variables in
|
||||
``defaults/main.yml`` for more details.
|
||||
|
||||
A setting of ``yes`` for a service will cause the package that contains the
|
||||
service to be removed from the system. If the service happens to be running
|
||||
|
@ -3,4 +3,4 @@ of this change, adjust the following variable:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
disable_services['autofs'] = no
|
||||
security_disable_autofs: no
|
||||
|
@ -6,6 +6,6 @@ set the following variable to ``yes``:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
disable_module['usb_storage']: yes
|
||||
security_disable_module_usb_storage: yes
|
||||
|
||||
**NOTE:** The module will be disabled on the next reboot.
|
||||
|
@ -6,6 +6,6 @@ To opt-out of this change, simply change the following variable to ``no``:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
disable_module['dccp']: no
|
||||
security_disable_module_dccp: no
|
||||
|
||||
**NOTE:** The module will be disabled on the next reboot.
|
||||
|
@ -5,6 +5,6 @@ To opt-out of this change, set the following variable to ``no``:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
disable_module['sctp']: no
|
||||
security_disable_module_sctp: no
|
||||
|
||||
**NOTE:** The module will be disabled on the next reboot.
|
||||
|
@ -8,6 +8,6 @@ To opt-out of this change, set the following variable to ``no``:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
disable_module['rds']: no
|
||||
security_disable_module_rds: no
|
||||
|
||||
**NOTE:** The module will be disabled on the next reboot.
|
||||
|
@ -8,6 +8,6 @@ To opt-out of this change, set the following variable to ``no``:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
disable_module['tipc']: no
|
||||
security_disable_module_tipc: no
|
||||
|
||||
**NOTE:** The module will be disabled on the next reboot.
|
||||
|
@ -9,6 +9,12 @@ events. Putting well-configured hardware network devices in front of OpenStack
|
||||
environments is always recommended and this may allow some deployers to turn
|
||||
off SYN cookies within their environment.
|
||||
|
||||
Deployers can disable TCP SYN cookies by setting an Ansible variable:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_sysctl_tcp_syncookies: 0
|
||||
|
||||
For more information on TCP SYN cookies and TCP SYN floods, refer to these
|
||||
links:
|
||||
|
||||
|
@ -8,6 +8,6 @@ These audit rules can be enabled by setting any of the following variables:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
auditd_rules['DAC_chmod']: yes
|
||||
auditd_rules['DAC_fchmod']: yes
|
||||
auditd_rules['DAC_fchmodat']: yes
|
||||
security_audit_DAC_chmod: yes
|
||||
security_audit_DAC_fchmod: yes
|
||||
security_audit_DAC_fchmodat: yes
|
||||
|
@ -9,4 +9,4 @@ the following Ansible variable:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
auditd_rules['failed_access']: yes
|
||||
security_auditd_failed_access: yes
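Review bot: The variable name in this code block, `security_auditd_failed_access`, does not match the variable the role defines and reads, which is `security_audit_failed_access` in defaults/main.yml and in the auditd rules template elsewhere in this commit. A deployer following this page would set an undefined variable, and because failed-access auditing is off by default the rules would stay omitted with no error or warning. Change the line to `security_audit_failed_access: yes`.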
|
||||
|
@ -10,4 +10,4 @@ following Ansible variable:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
auditd_rules['deletions'] = yes
|
||||
security_audit_deletions: yes
|
||||
|
@ -6,4 +6,4 @@ To opt-out of this change, simply adjust the following configuration item to
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
disable_services['xinetd'] = no
|
||||
security_disable_xinetd: no
|
||||
|
@ -4,4 +4,4 @@ to ``no``:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
remove_services['xinetd'] = no
|
||||
security_remove_xinetd: no
|
||||
|
@ -1,3 +1,8 @@
|
||||
The telnet server package will be removed by default. To control which
|
||||
services will be removed, review the ``remove_services`` list in
|
||||
``defaults/main.yml``.
|
||||
The ``telnetd`` service will be removed by the Ansible tasks, if it is
|
||||
installed. To opt-out of this change, adjust the following variable
|
||||
to ``no``:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_remove_telnet_server: no
|
||||
|
||||
|
@ -1,2 +1,8 @@
|
||||
The rshd service will be removed by default. To control what services will
|
||||
be removed, review the ``remove_services`` list in ``defaults/main.yml``.
|
||||
The ``rshd`` service will be removed by the Ansible tasks, if it is
|
||||
installed. To opt-out of this change, adjust the following variable
|
||||
to ``no``:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_remove_rsh_server: no
|
||||
|
||||
|
@ -4,4 +4,4 @@ opt-out of this change, adjust the following configuration variable to ``no``:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
remove_services['ypserv'] = no
|
||||
security_remove_ypserv: no
|
||||
|
@ -3,4 +3,4 @@ following configuration variable to ``no``:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
remove_services['tftp-server'] = no
|
||||
security_remove_tftp_server: no
|
||||
|
@ -5,4 +5,4 @@ To opt-out of this change, set the following Ansible variable to ``no``:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
remove_services['ldap-server']: no
|
||||
security_remove_ldap_server: no
|
||||
|
@ -8,4 +8,4 @@ To opt-out of this change, adjust the following Ansible variable to ``no``:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
disable_services['qpidd']: no
|
||||
security_disable_qpidd: no
|
||||
|
@ -6,4 +6,4 @@ To opt-out of this change, adjust the following Ansible variable to ``no``:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
remove_services['sendmail']: no
|
||||
security_remove_sendmail: no
|
||||
|
@ -5,4 +5,4 @@ To opt-out of the change, set the following Ansible variable to ``no``:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
remove_services['xorg']: no
|
||||
security_remove_xorg: no
|
||||
|
@ -6,4 +6,4 @@ To opt-out of this change, adjust the following Ansible variable to ``no``:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
disable_services['bluetooth']: no
|
||||
security_disable_bluetooth: no
|
||||
|
@ -0,0 +1,9 @@
|
||||
---
|
||||
fixes:
|
||||
- The dictionary-based variables in ``defaults/main.yml`` are now individual
|
||||
variables. The dictionary-based variables could not be changed as the
|
||||
documentation instructed. Instead it was required to override the entire
|
||||
dictionary. Deployers must use the new variable names to enable or disable
|
||||
the security configuration changes applied by the security role. For more
|
||||
information, see
|
||||
`Launchpad Bug 1577944 <https://bugs.launchpad.net/openstack-ansible/+bug/1577944>`_.
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
fixes:
|
||||
- Failed access logging is now disabled by default and can be enabled by
|
||||
changing ``auditd_rules['failed_access']`` to ``yes``. The rsyslog daemon
|
||||
changing ``security_audit_failed_access`` to ``yes``. The rsyslog daemon
|
||||
checks for the existence of log files regularly and this audit rule was
|
||||
triggered very frequently, which led to very large audit logs.
|
||||
|
@ -195,7 +195,7 @@
|
||||
apt:
|
||||
name: rsh-server
|
||||
state: absent
|
||||
when: remove_services['rsh-server'] | bool
|
||||
when: security_remove_rsh_server | bool
|
||||
tags:
|
||||
- auth
|
||||
- cat1
|
||||
@ -205,7 +205,7 @@
|
||||
apt:
|
||||
name: telnetd
|
||||
state: absent
|
||||
when: remove_services['telnet_server'] | bool
|
||||
when: security_remove_telnet_server | bool
|
||||
tags:
|
||||
- auth
|
||||
- cat1
|
||||
|
@ -52,7 +52,7 @@
|
||||
- name: V-38539 - Enable TCP syncookies
|
||||
sysctl:
|
||||
name: net.ipv4.tcp_syncookies
|
||||
value: "{{ sysctl_tunable['tcp_syncookies'] }}"
|
||||
value: "{{ security_sysctl_tcp_syncookies }}"
|
||||
state: present
|
||||
sysctl_set: yes
|
||||
tags:
|
||||
@ -99,7 +99,7 @@
|
||||
dest: /etc/modprobe.d/V-38490-disable-usb-storage.conf
|
||||
line: "install usb-storage /bin/true"
|
||||
create: yes
|
||||
when: disable_module['usb_storage'] | bool
|
||||
when: security_disable_module_usb_storage | bool
|
||||
tags:
|
||||
- kernel
|
||||
- cat2
|
||||
@ -110,7 +110,7 @@
|
||||
dest: /etc/modprobe.d/V-38514-disable-dccp.conf
|
||||
line: "install dccp /bin/true"
|
||||
create: yes
|
||||
when: disable_module['dccp'] | bool
|
||||
when: security_disable_module_dccp | bool
|
||||
tags:
|
||||
- kernel
|
||||
- cat2
|
||||
@ -121,7 +121,7 @@
|
||||
dest: /etc/modprobe.d/V-38515-disable-sctp.conf
|
||||
line: "install sctp /bin/true"
|
||||
create: yes
|
||||
when: disable_module['sctp'] | bool
|
||||
when: security_disable_module_sctp | bool
|
||||
tags:
|
||||
- kernel
|
||||
- cat2
|
||||
@ -132,7 +132,7 @@
|
||||
dest: /etc/modprobe.d/V-38516-disable-rds.conf
|
||||
line: "install rds /bin/true"
|
||||
create: yes
|
||||
when: disable_module['rds'] | bool
|
||||
when: security_disable_module_rds | bool
|
||||
tags:
|
||||
- kernel
|
||||
- cat3
|
||||
@ -143,7 +143,7 @@
|
||||
dest: /etc/modprobe.d/V-38517-disable-tipc.conf
|
||||
line: "install tipc /bin/true"
|
||||
create: yes
|
||||
when: disable_module['tipc'] | bool
|
||||
when: security_disable_module_tipc | bool
|
||||
tags:
|
||||
- kernel
|
||||
- cat2
|
||||
@ -168,7 +168,7 @@
|
||||
copy:
|
||||
src: V-38682-modprobe.conf
|
||||
dest: /etc/modprobe.d/disable-bluetooth.conf
|
||||
when: disable_module['bluetooth'] | bool
|
||||
when: security_disable_module_bluetooth | bool
|
||||
tags:
|
||||
- kernel
|
||||
- cat2
|
||||
|
@ -29,7 +29,7 @@
|
||||
name: autofs
|
||||
state: stopped
|
||||
enabled: no
|
||||
when: disable_services['autofs'] | bool and 'autofs' in sysv_services.stdout
|
||||
when: security_disable_autofs | bool and 'autofs' in sysv_services.stdout
|
||||
tags:
|
||||
- services
|
||||
- cat3
|
||||
@ -40,7 +40,7 @@
|
||||
name: abrtd
|
||||
state: stopped
|
||||
enabled: no
|
||||
when: disable_services['abrtd'] | bool and 'abrtd' in sysv_services.stdout
|
||||
when: security_disable_abrtd | bool and 'abrtd' in sysv_services.stdout
|
||||
tags:
|
||||
- services
|
||||
- cat3
|
||||
@ -51,7 +51,7 @@
|
||||
name: atd
|
||||
state: stopped
|
||||
enabled: no
|
||||
when: disable_services['atd'] | bool and 'atd' in sysv_services.stdout
|
||||
when: security_disable_atd | bool and 'atd' in sysv_services.stdout
|
||||
tags:
|
||||
- services
|
||||
- cat3
|
||||
@ -62,7 +62,7 @@
|
||||
name: qpidd
|
||||
state: stopped
|
||||
enabled: no
|
||||
when: disable_services['qpidd'] | bool and 'qpidd' in sysv_services.stdout
|
||||
when: security_disable_qpidd | bool and 'qpidd' in sysv_services.stdout
|
||||
tags:
|
||||
- services
|
||||
- cat3
|
||||
@ -73,7 +73,7 @@
|
||||
name: bluetooth
|
||||
state: stopped
|
||||
enabled: no
|
||||
when: disable_services['bluetooth'] | bool and 'bluetooth' in sysv_services.stdout
|
||||
when: security_disable_bluetooth | bool and 'bluetooth' in sysv_services.stdout
|
||||
tags:
|
||||
- services
|
||||
- cat2
|
||||
@ -84,7 +84,7 @@
|
||||
name: xinetd
|
||||
state: stopped
|
||||
enabled: no
|
||||
when: disable_services['xinetd'] | bool and 'xinetd' in sysv_services.stdout
|
||||
when: security_disable_xinetd | bool and 'xinetd' in sysv_services.stdout
|
||||
tags:
|
||||
- services
|
||||
- cat2
|
||||
@ -94,7 +94,7 @@
|
||||
apt:
|
||||
name: xinetd
|
||||
state: absent
|
||||
when: remove_services['xinetd'] | bool
|
||||
when: security_remove_xinetd | bool
|
||||
tags:
|
||||
- services
|
||||
- cat3
|
||||
@ -105,7 +105,7 @@
|
||||
apt:
|
||||
name: nis
|
||||
state: absent
|
||||
when: remove_services['ypserv'] | bool
|
||||
when: security_remove_ypserv | bool
|
||||
tags:
|
||||
- services
|
||||
- cat2
|
||||
@ -125,7 +125,7 @@
|
||||
apt:
|
||||
name: tftpd
|
||||
state: absent
|
||||
when: remove_services['tftp-server'] | bool
|
||||
when: security_remove_tftp_server | bool
|
||||
tags:
|
||||
- services
|
||||
- cat2
|
||||
@ -136,7 +136,7 @@
|
||||
name: avahi-daemon
|
||||
state: stopped
|
||||
enabled: no
|
||||
when: disable_services['avahi'] | bool and 'avahi' in sysv_services.stdout
|
||||
when: security_disable_avahi | bool and 'avahi' in sysv_services.stdout
|
||||
tags:
|
||||
- services
|
||||
- cat3
|
||||
@ -146,7 +146,7 @@
|
||||
apt:
|
||||
name: slapd
|
||||
state: absent
|
||||
when: remove_services['ldap-server'] | bool
|
||||
when: security_remove_ldap_server | bool
|
||||
tags:
|
||||
- services
|
||||
- cat3
|
||||
@ -156,7 +156,7 @@
|
||||
apt:
|
||||
name: sendmail
|
||||
state: absent
|
||||
when: remove_services['sendmail'] | bool
|
||||
when: security_remove_sendmail | bool
|
||||
tags:
|
||||
- services
|
||||
- cat2
|
||||
@ -166,7 +166,7 @@
|
||||
apt:
|
||||
name: xserver-xorg
|
||||
state: absent
|
||||
when: remove_services['xorg'] | bool
|
||||
when: security_remove_xorg | bool
|
||||
tags:
|
||||
- services
|
||||
- cat3
|
||||
|
@ -1,31 +1,31 @@
|
||||
{% if auditd_rules['clock_settimeofday'] | bool %}
|
||||
{% if security_audit_clock_settimeofday | bool %}
|
||||
# RHEL 6 STIG V-38522
|
||||
# Audits changes to system time via settimeofday
|
||||
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
|
||||
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['clock_stime'] | bool %}
|
||||
{% if security_audit_clock_stime | bool %}
|
||||
# RHEL 6 STIG V-38525
|
||||
# Audits changes to system time via stime
|
||||
-a always,exit -F arch=b32 -S stime -k audit_time_rules
|
||||
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['clock_settime'] | bool %}
|
||||
{% if security_audit_clock_settime | bool %}
|
||||
# RHEL 6 STIG V-38527
|
||||
# Audits changes to system time via clock_settime
|
||||
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
|
||||
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['change_localtime'] | bool %}
|
||||
{% if security_audit_change_localtime | bool %}
|
||||
# RHEL 6 STIG V-38530
|
||||
# Audits clock changes made via /etc/localtime
|
||||
-w /etc/localtime -p wa -k audit_time_rules
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['account_modification'] | bool %}
|
||||
{% if security_audit_account_modification | bool %}
|
||||
# RHEL 6 STIG V-38531, V-38534, V-38536, V-38538
|
||||
# Audits account modifications and terminations
|
||||
-w /etc/group -p wa -k audit_account_changes
|
||||
@ -35,7 +35,7 @@
|
||||
-w /etc/security/opasswd -p wa -k audit_account_changes
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['network_changes'] | bool %}
|
||||
{% if security_audit_network_changes | bool %}
|
||||
# RHEL 6 STIG V-38540
|
||||
# Audits network configuration changes
|
||||
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
|
||||
@ -46,13 +46,13 @@
|
||||
-w /etc/network -p wa -k audit_network_modifications
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['apparmor_changes'] | bool %}
|
||||
{% if security_audit_apparmor_changes | bool %}
|
||||
# RHEL 6 STIG V-38541
|
||||
# Audits changes to AppArmor policies
|
||||
-w /etc/apparmor/ -p wa -k MAC-policy
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['DAC_chmod'] | bool %}
|
||||
{% if security_audit_DAC_chmod | bool %}
|
||||
# RHEL 6 STIG V-38543
|
||||
# Audits DAC changes via chmod
|
||||
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
|
||||
@ -61,7 +61,7 @@
|
||||
-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['DAC_chown'] | bool %}
|
||||
{% if security_audit_DAC_chown | bool %}
|
||||
# RHEL 6 STIG V-38545
|
||||
# Audits DAC changes via chown
|
||||
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
|
||||
@ -70,7 +70,7 @@
|
||||
-a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['DAC_fchmod'] | bool %}
|
||||
{% if security_audit_DAC_fchmod | bool %}
|
||||
# RHEL 6 STIG V-38547
|
||||
# Audits DAC changes via fchmod
|
||||
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
|
||||
@ -79,7 +79,7 @@
|
||||
-a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['DAC_fchmodat'] | bool %}
|
||||
{% if security_audit_DAC_fchmodat | bool %}
|
||||
# RHEL 6 STIG V-38550
|
||||
# Audits DAC changes via fchmodat
|
||||
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
|
||||
@ -88,7 +88,7 @@
|
||||
-a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['DAC_fchown'] | bool %}
|
||||
{% if security_audit_DAC_fchown | bool %}
|
||||
# RHEL 6 STIG V-38552
|
||||
# Audits DAC changes via fchown
|
||||
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
|
||||
@ -97,7 +97,7 @@
|
||||
-a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['DAC_fchownat'] | bool %}
|
||||
{% if security_audit_DAC_fchownat | bool %}
|
||||
# RHEL 6 STIG V-38554
|
||||
# Audits DAC changes via fchownat
|
||||
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
|
||||
@ -106,7 +106,7 @@
|
||||
-a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['DAC_fremovexattr'] | bool %}
|
||||
{% if security_audit_DAC_fremovexattr | bool %}
|
||||
# RHEL 6 STIG V-38556
|
||||
# Audits DAC changes via fremovexattr
|
||||
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
|
||||
@ -115,7 +115,7 @@
|
||||
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['DAC_fsetxattr'] | bool %}
|
||||
{% if security_audit_DAC_fsetxattr | bool %}
|
||||
# RHEL 6 STIG V-38557
|
||||
# Audits DAC changes via fsetxattr
|
||||
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
|
||||
@ -124,7 +124,7 @@
|
||||
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['DAC_lchown'] | bool %}
|
||||
{% if security_audit_DAC_lchown | bool %}
|
||||
# RHEL 6 STIG V-38558
|
||||
# Audits DAC changes via lchown
|
||||
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
|
||||
@ -133,7 +133,7 @@
|
||||
-a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['DAC_lremovexattr'] | bool %}
|
||||
{% if security_audit_DAC_lremovexattr | bool %}
|
||||
# RHEL 6 STIG V-38559
|
||||
# Audits DAC changes via lremovexattr
|
||||
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
|
||||
@ -142,7 +142,7 @@
|
||||
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['DAC_lsetxattr'] | bool %}
|
||||
{% if security_audit_DAC_lsetxattr | bool %}
|
||||
# RHEL 6 STIG V-38561
|
||||
# Audits DAC changes via lsetxattr
|
||||
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
|
||||
@ -151,7 +151,7 @@
|
||||
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['DAC_setxattr'] | bool %}
|
||||
{% if security_audit_DAC_setxattr | bool %}
|
||||
# RHEL 6 STIG V-38565
|
||||
# Audits DAC changes via setxattr
|
||||
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
|
||||
@ -160,7 +160,7 @@
|
||||
-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['failed_access'] | bool %}
|
||||
{% if security_audit_failed_access | bool %}
|
||||
# RHEL 6 STIG V-38566
|
||||
# Audits failed attempts to access files and programs
|
||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
|
||||
@ -173,7 +173,7 @@
|
||||
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['filesystem_mounts'] | bool %}
|
||||
{% if security_audit_filesystem_mounts | bool %}
|
||||
# RHEL 6 STIG V-38568
|
||||
# Audits filesystem mounts
|
||||
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
|
||||
@ -182,7 +182,7 @@
|
||||
-a always,exit -F arch=b64 -S mount -F auid=0 -k export
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['deletions'] %}
|
||||
{% if security_audit_deletions | bool %}
|
||||
# RHEL 6 STIG V-38575
|
||||
# Audits deletion of files and programs
|
||||
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
|
||||
@ -191,13 +191,13 @@
|
||||
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['sudoers'] %}
|
||||
{% if security_audit_sudoers | bool %}
|
||||
# RHEL 6 STIG V-38578
|
||||
# Audits /etc/sudoers changes
|
||||
-w /etc/sudoers -p wa -k actions
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['kernel_modules'] | bool %}
|
||||
{% if security_audit_kernel_modules | bool %}
|
||||
# RHEL 6 STIG V-38580
|
||||
# Audits kernel module loading/unloading
|
||||
-w /sbin/insmod -p x -k modules
|
||||
@ -207,7 +207,7 @@
|
||||
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
|
||||
{% endif %}
|
||||
|
||||
{% if auditd_rules['change_system_time'] | bool %}
|
||||
{% if security_audit_change_system_time | bool %}
|
||||
# RHEL 6 STIG V-38635
|
||||
# Audits system time changes
|
||||
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules
|
||||
|