--- # Copyright 2015, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ## STIG version selection # During the Ocata development cycle, the role will begin adding the RHEL 7 # STIG content. By default, all operating systems will use the RHEL 6 STIG # until the work has completed. # # This variable should only be adjusted for testing purposes. stig_version: rhel6 ## APT Cache Options # This variable is used across multiple OpenStack-Ansible roles to handle the # apt cache updates as efficiently as possible. cache_timeout: 600 # Set the package install state for distribution packages # Options are 'present' and 'latest' security_package_state: present ############################################################################### # ____ _ _ _____ _ __ ____ _____ ___ ____ # | _ \| | | | ____| | / /_ / ___|_ _|_ _/ ___| # | |_) | |_| | _| | | | '_ \ \___ \ | | | | | _ # | _ <| _ | |___| |___ | (_) | ___) || | | | |_| | # |_| \_\_| |_|_____|_____| \___/ |____/ |_| |___\____| # # The default configurations after this marker apply to the RHEL 6 STIG # content in the openstack-ansible-security role. Review the comments below # as well as the main openstack-ansible-security documentation: # # http://docs.openstack.org/developer/openstack-ansible-security/ # ############################################################################### ## AIDE # The default Ubuntu configuration for AIDE will cause it to wander into some # terrible places on the system, such as /var/lib/lxc and images in /opt. # The following three default exclusions are highly recommended for AIDE to # work properly, but additional exclusions can be added to this list if needed. security_aide_exclude_dirs: - /openstack - /opt - /run - /var # # By default, the AIDE database won't be initialized immediately since it can # consume plenty of CPU and I/O resources while it runs. To initialize the # AIDE database immediately when the playbook finishes, set the following # variable to 'true': security_initialize_aide: false ## Audit daemon # V-38438 requires that auditd is enabled at boot time with a parameter in the # GRUB configuration. # # If 'security_enable_audit_during_boot' is set to 'yes', then the 'audit=1' # parameter will be added in /etc/default/grub.d/. # If 'security_enable_grub_update is set to 'yes', the grub.cfg will be # updated automatically. security_enable_audit_during_boot: yes # V-38438 security_enable_grub_update: yes # V-38438 # The following booleans control the rule sets added to auditd's default # set of auditing rules. To see which rules will be added for each boolean, # refer to the templates/osas-auditd.j2 file. # # If the template changes due to booleans being adjusted, the new template # will be deployed onto the host and auditd will get the new rules loaded # automatically with augenrules. # security_audit_account_modification: yes # V-38531, V-38534, V-38538 security_audit_change_localtime: yes # V-38530 security_audit_change_system_time: yes # V-38635 security_audit_clock_settime: yes # V-38527 security_audit_clock_settimeofday: yes # V-38522 security_audit_clock_stime: yes # V-38525 security_audit_DAC_chmod: no # V-38543 security_audit_DAC_chown: no # V-38545 security_audit_DAC_lchown: no # V-38558 security_audit_DAC_fchmod: no # V-38547 security_audit_DAC_fchmodat: no # V-38550 security_audit_DAC_fchown: no # V-38552 security_audit_DAC_fchownat: no # V-38554 security_audit_DAC_fremovexattr: no # V-38556 security_audit_DAC_lremovexattr: no # V-38559 security_audit_DAC_fsetxattr: no # V-38557 security_audit_DAC_lsetxattr: no # V-38561 security_audit_DAC_setxattr: no # V-38565 security_audit_deletions: no # V-38575 security_audit_failed_access: no # V-38566 security_audit_filesystem_mounts: yes # V-38568 security_audit_kernel_modules: yes # V-38580 security_audit_mac_changes: yes # V-38541 security_audit_network_changes: yes # V-38540 security_audit_sudoers: yes # V-38578 # # **DANGER** # Changing the options below can cause systems to go offline unexpectedly or # stop serving requests as a security precaution. Read the developer notes for # each STIG prior to adjusting the following variables. # **DANGER** # # Set an action to occur when there is a disk error. Review the # documentation for V-38464 before changing this option. security_disk_error_action: SYSLOG # V-38464 # # Set an action to occur when the disk is full. Review the documentation for # V-38468 before changing this option. security_disk_full_action: SYSLOG # V-38468 # # V-38678 - Set the amount of megabytes left when the space_left_action # triggers. The STIG guideline doesn't specify a size, but Ubuntu chooses a # default of 75MB, which is reasonable. security_space_left: 75 # V-38678 # # Set an action to occur when the disk is approaching its capacity. # Review the documentation for V-38470 before changing this option. security_space_left_action: SYSLOG # V-38470 # # Set the maximum size of a rotated log file. Ubuntu's default # matches the STIG requirement of 6MB. security_max_log_file: 6 # V 38633 # # Sets the action to take when log files reach the maximum file size. # Review the documentation for V-38634 before changing this option. security_max_log_file_action: ROTATE # V-38634 # # Set the number of rotated audit logs to keep. Ubuntu has 5 as the default # and this matches the STIG's requirements. security_num_logs: 5 # V-38636 # # Set the email address of someone who can receive and respond to notifications # about low disk space for log volumes. security_action_mail_acct: root # V-38680 # # **IMMINENT DANGER** # The STIG says that the system should switch to single user mode when the # storage capacity gets very low. This can cause serious service disruptions # and should only be set to 'single' for deployers in extremely high security # environments. Ubuntu's default is SUSPEND, which will suspend logging. # **IMMENENT DANGER** security_admin_space_left_action: SUSPEND # V-54381 ## Chrony (NTP) configuration # Install and enable chrony to sync time with NTP servers. security_enable_chrony: yes # V-38620 # Adjust the following NTP servers if necessary. security_ntp_servers: - 0.north-america.pool.ntp.org - 1.north-america.pool.ntp.org - 2.north-america.pool.ntp.org - 3.north-america.pool.ntp.org # Chrony limits access to clients that are on certain subnets. Adjust the # following subnets here to limit client access to chrony servers. security_allowed_ntp_subnets: - 10/8 - 192.168/16 - 172.16/12 # Listen for NTP requests only on local interfaces. security_ntp_bind_local_interfaces_only: yes ## Core dumps # V-38675 requires disabling core dumps for all users unless absolutely # necessary. Set this variable to 'no' to skip this change. security_disable_core_dumps: yes # V-38675 ## Services # The STIG recommends ensuring that some services are running if no services # utilizing it are enabled. Setting a boolean to 'yes' here will ensure that # a service isn't actively running and will not be started after boot-up. # Setting a 'no' will ensure that this Ansible role does not alter the service # in any way from its current configuration. # security_disable_abrtd: yes # V-38641 security_disable_atd: yes # V-38640 security_disable_autofs: yes # V-38437 security_disable_avahi: yes # V-31618 security_disable_bluetooth: yes # V-38691 security_disable_netconsole: yes # v-38672 security_disable_qpidd: yes # V-38648 security_disable_rdisc: yes # V-38650 security_disable_rsh: yes # V-38594 security_disable_ypbind: yes # V-38604 security_disable_xinetd: yes # V-38582 # # The STIG recommends ensuring that some services aren't installed at ANY time. # Those services are listed here. Setting a boolean here to 'yes' wiil # ensure that the STIG is followed and the service is removed. Setting a # boolean to 'no' means that the playbook will not alter the service. # security_remove_ldap_server: yes # V-38627 security_remove_rsh_server: yes # V-38591 security_remove_sendmail: yes # V-38671 security_remove_telnet_server: yes # V-38587 security_remove_tftp_server: yes # V-38606 security_remove_xinetd: yes # V-38584 security_remove_xorg: yes # v-38676 security_remove_ypserv: yes # V-38603 # # The STIG does not allow the system to run a graphical interface. Set this # variable to 'no' if you need a graphical interface on the server. security_disable_x_windows: yes # V-38674 ## SSH configuration # The following configuration items will adjust how the ssh daemon is # configured. The recommendations from the RHEL 6 STIG are shown below, but # they can be adjusted to fit a particular environment. # # Set a 15 minute time out for SSH sessions if there is no activity security_ssh_client_alive_interval: 900 # V-38608 # # Timeout ssh sessions as soon as ClientAliveInterval is reached once security_ssh_client_alive_count_max: 0 # V-38610 # # The ssh daemon must not permit root logins. The default value of 'yes' is a # deviation from the STIG requirements due to how openstack-ansible operates, # especially within OpenStack CI gate jobs. See documentation for V-38613 for # more details. security_ssh_permit_root_login: 'yes' # V-38613 ## Kernel # Set these booleans to 'yes' to disable the kernel module (following the # STIG requirements). Set the boolean to 'no' to ensure no changes are made. security_disable_module_bluetooth: yes # V-38682 security_disable_module_dccp: yes # V-38514 security_disable_module_rds: yes # V-38516 security_disable_module_sctp: yes # V-38515 security_disable_module_tipc: yes # V-38517 security_disable_module_usb_storage: no # V-38490 security_disable_icmpv4_redirects: no # V-38524 security_disable_icmpv4_redirects_secure: no # V-38526 security_disable_icmpv6_redirects: no # V-38548 # # ** DANGER ** # It's strongly recommended to fully understand the effects of changing the # following sysctl tunables. Refer to the documentation under 'Developer # Notes' for each of the STIGs below before making any changes. # ** DANGER ** # security_sysctl_enable_tcp_syncookies: yes # V-38539 security_sysctl_enable_martian_logging: no # V-38528 # # Deployers who wish to disable IPv6 entirely must set this configuration # variable to 'yes'. See the documentation for V-38546 before making this # change. security_disable_ipv6: no # V-38546 # Sets the global challenge ACK counter to a large value such # that a potential attacker could not reasonably come up against it. security_set_tcp_challenge_ack_limit: yes # CVE-2016-5696 ## Mail # The STIG requires inet_interfaces to be set to 'localhost', but Ubuntu will # configure it to be 'all' when dpkg-reconfigure is unavailable (as it is when # Ansible installs packages). The default here is 'localhost' to meet the STIG # requirement, but some deployers may want this set to 'all' if their hosts # need to receive emails over the network (which isn't common). # # See the documentation for V-38622 for more details. security_postfix_inet_interfaces: localhost # V-38622 # # Configuring an email address here will cause hosts to forward the root user's # email to another address. # #security_root_forward_email: user@example.com ## Linux Security Module (LSM) # AppArmor and SELinux provide powerful security controls on a Linux system # by setting policies for allowed actions. By setting the following variable # to true, the appropriate LSM will be enabled for the Linux distribution: # # Ubuntu: AppArmor # CentOS: SELinux # # See the openstack-ansible-security documentation for more details. security_enable_linux_security_module: yes # V-51337 ## PAM and authentication # V-38497 requires that accounts with null passwords aren't allowed to # authenticate via PAM. Ubuntu 14.04's default allows these logins -- see the # documentation for V-38497 for more details. Set the variable below to 'yes' # to remove 'nullok_secure' from the PAM configuration or set it to 'no' to # leave the PAM configuration unaltered. security_pam_remove_nullok: yes # V-38497 # # V-38501 requires that failed login attempts must lock a user account using # pam_faillock, but Ubuntu doesn't package that PAM module. Instead, fail2ban # can be installed to lock out IP addresses with failed logins for 15 minutes. # Set the variable below to 'yes' to install and configure fail2ban. security_install_fail2ban: no # V-38501 # # The STIG requires bans to last 15 minutes. Adjust the following variable # to set the time an IP is banned by fail2ban (in seconds). security_fail2ban_bantime: 900 # V-38501 ## Password complexity and aging # V-38475 - There is no password length requirement by default in Ubuntu 14.04. # To set a password length requirement, uncomment # security_password_minimum_length below. The STIG recommendation is 14 # characters. #security_password_minimum_length: 14 # V-38475 # V-38477 - There is no password change limitation set by default in Ubuntu. To # set the minimum number of days between password changes, uncomment the # security_password_minimum_days variable below. The STIG recommendation is 1 # day. #security_password_minimum_days: 1 # V-38477 # V-38479 - There is no age limit on password by default in Ubuntu. Uncomment # line below to use the STIG recommendation of 60 days. #security_password_maximum_days: 60 # V-38479 # V-38480 - To warn users before their password expires, uncomment the line # below and they will be warned 7 days prior (following the STIG). #security_password_warn_age: 7 # V-38480 # V-38684 - Setting the maximum number of simultaneous logins per user. The # STIG sets a limit of 10. #security_max_simultaneous_logins: 10 # V-38684 # V-38692 - Lock accounts that are inactive for 35 days. #security_inactive_account_lock_days: 35 # V-38692 ## sudo # V-58901 requires that 'NOPASSWD' and '!authenticate' do not appear in any # sudoers files since they could lead to a compromise. Set the following # variables to 'yes' to comment out any lines found with these prohibited # parameters or leave them set to 'no' (the default) to leave sudoers files # unaltered. Deployers are urged to review the documentation for this STIG # before making changes. security_sudoers_remove_nopasswd: no # V-58901 security_sudoers_remove_authenticate: no # V-58901 ## umask settings # The STIG recommends changing various default umask settings for users and # daemons via different methods. However, this could cause serious issues for # production OpenStack environements which haven't been tested with these # changes. # # The variables below are set to match the STIG requirements, but they are # commented out to ensure they require deployers to opt-in for each change. To # opt in for one of the changes below, simply uncomment the line and run the # playbook. Deployers are strongly advised to review the documentation for # these changes and review their systems to ensure these changes won't cause # service disruptions. # # V-38642 - Set umask for daemons in init scripts to 027 or 022 #security_umask_daemons_init: 027 # V-38642 # # V-38645 - System default umask in /etc/login.defs must be 077 #security_umask_login_defs: 077 # V-38645 # # V-38649 - System default umask for csh must be 077 #security_umask_csh: 077 # V-38649 # # V-38651 - System default umask for bash must be 077 #security_umask_bash: 077 # V-38651 ## Unattended upgrades (APT) configuration security_unattended_upgrades_enabled: false security_unattended_upgrades_notifications: false ############################################################################### # ____ _ _ _____ _ _____ ____ _____ ___ ____ # | _ \| | | | ____| | |___ | / ___|_ _|_ _/ ___| # | |_) | |_| | _| | | / / \___ \ | | | | | _ # | _ <| _ | |___| |___ / / ___) || | | | |_| | # |_| \_\_| |_|_____|_____| /_/ |____/ |_| |___\____| # # UNDER ACTIVE DEVELOPMENT # # The default configurations after this marker apply to the RHEL 7 STIG # content in the openstack-ansible-security role. This content is still under # active development and will not be applied to systems by default until # the development work is complete. # ############################################################################### ## Audit daemon (auditd) # Send audit records to a different system using audisp. #security_audisp_remote_server: '10.0.21.1' # RHEL-07-030330 # Encrypt audit records when they are transmitted over the network. #security_audisp_enable_krb5: yes # RHEL-07-030331 # Add audit rules for commands/syscalls. security_rhel7_audit_chsh: yes # RHEL-07-030525 security_rhel7_audit_chage: yes # RHEL-07-030513 security_rhel7_audit_chcon: yes # RHEL-07-030443 security_rhel7_audit_chmod: no # RHEL-07-030390 security_rhel7_audit_chown: no # RHEL-07-030380 security_rhel7_audit_creat: yes # RHEL-07-030420 security_rhel7_audit_crontab: yes # RHEL-07-030561 security_rhel7_audit_delete_module: yes # RHEL-07-030671 security_rhel7_audit_fchmod: no # RHEL-07-030391 security_rhel7_audit_fchmodat: no # RHEL-07-030392 security_rhel7_audit_fchown: no # RHEL-07-030381 security_rhel7_audit_fchownat: no # RHEL-07-030383 security_rhel7_audit_fremovexattr: no # RHEL-07-030404 security_rhel7_audit_fsetxattr: no # RHEL-07-030401 security_rhel7_audit_ftruncate: yes # RHEL-07-030425 security_rhel7_audit_init_module: yes # RHEL-07-030670 security_rhel7_audit_gpasswd: yes # RHEL-07-030512 security_rhel7_audit_lchown: no # RHEL-07-030382 security_rhel7_audit_lremovexattr: no # RHEL-07-030405 security_rhel7_audit_lsetxattr: no # RHEL-07-030402 security_rhel7_audit_mount: yes # RHEL-07-030530 security_rhel7_audit_newgrp: yes # RHEL-07-030524 security_rhel7_audit_open: yes # RHEL-07-030421 security_rhel7_audit_openat: yes # RHEL-07-030422 security_rhel7_audit_open_by_handle_at: yes # RHEL-07-030423 security_rhel7_audit_pam_timestamp_check: yes # RHEL-07-030630 security_rhel7_audit_passwd: yes # RHEL-07-030510 security_rhel7_audit_postdrop: yes # RHEL-07-030540 security_rhel7_audit_postqueue: yes # RHEL-07-030541 security_rhel7_audit_pt_chown: yes # RHEL-07-030560 security_rhel7_audit_removexattr: no # RHEL-07-030403 security_rhel7_audit_rename: yes # RHEL-07-030750 security_rhel7_audit_renameat: yes # RHEL-07-030751 security_rhel7_audit_restorecon: yes # RHEL-07-030444 security_rhel7_audit_rmdir: yes # RHEL-07-030752 security_rhel7_audit_semanage: yes # RHEL-07-030441 security_rhel7_audit_setsebool: yes # RHEL-07-030442 security_rhel7_audit_setxattr: no # RHEL-07-030400 security_rhel7_audit_ssh_keysign: yes # RHEL-07-030550 security_rhel7_audit_su: yes # RHEL-07-030521 security_rhel7_audit_sudo: yes # RHEL-07-030522 security_rhel7_audit_sudoedit: yes # RHEL-07-030526 security_rhel7_audit_truncate: yes # RHEL-07-030424 security_rhel7_audit_umount: yes # RHEL-07-030531 security_rhel7_audit_unix_chkpwd: yes # RHEL-07-030511 security_rhel7_audit_unlink: yes # RHEL-07-030753 security_rhel7_audit_unlinkat: yes # RHEL-07-030754 security_rhel7_audit_userhelper: yes # RHEL-07-030514 # Add audit rules for other events. security_rhel7_audit_account_access: yes # RHEL-07-030490 security_rhel7_audit_sudo_config_changes: yes # RHEL-07-030523 security_rhel7_audit_insmod: yes # RHEL-07-030672 security_rhel7_audit_rmmod: yes # RHEL-07-030673 security_rhel7_audit_modprobe: yes # RHEL-07-030674 security_rhel7_audit_account_actions: yes # RHEL-07-030710 ## Authentication (auth) # Disallow logins from accounts with blank/null passwords via PAM. security_disallow_blank_password_login: yes # RHEL-07-010260 ## File permissions (file_perms) # Reset file permissions and ownership for files installed via RPM packages. security_reset_perm_ownership: yes # RHEL-07-010010 ## Graphical interfaces (graphical) # Disable automatic gdm logins security_disable_gdm_automatic_login: yes # RHEL-07-010430 # Disable timed gdm logins for guests security_disable_gdm_timed_login: yes # RHEL-07-010431 # Enable session locking for graphical logins. security_lock_session: no # RHEL-07-010060 # Set a timer (in seconds) when an inactive session is locked. security_lock_session_inactive_delay: 900 # RHEL-07-010070 # Prevent users from modifying session lock settings. security_lock_session_override_user: yes # RHEL-07-010071 # Lock a session (start screensaver) when a session is inactive. security_lock_session_when_inactive: yes # RHEL-07-010073 # Time after screensaver starts when user login is required. security_lock_session_screensaver_lock_delay: 5 # RHEL-07-010074 # Enable a login banner and set the text for the banner. security_enable_graphical_login_message: yes # RHEL-07-010030 security_enable_graphical_login_message_text: > You are accessing a secured system and your actions will be logged along with identifying information. Disconnect immediately if you are not an authorized user of this system. ## Miscellaneous (misc) # Enable virus scanning with clamav security_enable_virus_scanner: no # RHEL-07-030810 ## Packages (packages) # Remove packages from the system as required by the STIG. Set any of these # to 'no' to skip their removal. security_rhel7_remove_rsh_server: yes # RHEL-07-020000 security_rhel7_remove_telnet_server: yes # RHEL-07-021910 security_rhel7_remove_tftp_server: yes # RHEL-07-040500 security_rhel7_remove_xorg: yes # RHEL-07-040560 security_rhel7_remove_ypserv: yes # RHEL-07-020010 # Automatically remove dependencies when removing packages. security_package_clean_on_remove: no # RHEL-07-020200 ## RPM (rpm) # Enable GPG checks for packages and repository data. security_enable_gpgcheck_packages: yes # RHEL-07-020150 security_enable_gpgcheck_packages_local: yes # RHEL-07-020151 security_enable_gpgcheck_repo: no # RHEL-07-020152 ## ssh server (sshd) # Disallow logins from users with empty/null passwords. security_sshd_disallow_empty_password: yes # RHEL-07-010270 / RHEL-07-010440 # Disallow users from overriding the ssh environment variables. security_sshd_disallow_environment_override: yes # RHEL-07-010441 # Disallow host based authentication. security_sshd_disallow_host_based_auth: yes # RHEL-07-010442 # Set a list of allowed ssh ciphers. security_sshd_cipher_list: 'aes128-ctr,aes192-ctr,aes256-ctr' # RHEL-07-040110 # Specify a text file to be displayed as the banner/MOTD for all sessions. security_sshd_banner_file: /etc/issue.net # RHEL-07-040170 # Set the interval for max session length and the number of intervals to allow. security_sshd_client_alive_interval: 600 # RHEL-07-040190 security_sshd_client_alive_count_max: 0 # RHEL-07-040191 # Print the last login for a user when they log in over ssh. security_sshd_print_last_log: yes # RHEL-07-040301 # Permit direct root logins security_sshd_permit_root_login: no # RHEL-07-040310 # Disallow authentication using known hosts authentication. security_sshd_disallow_known_hosts_auth: yes # RHEL-07-040332 / RHEL-07-040333 # Disallow rhosts authentication. security_sshd_disallow_rhosts_auth: yes # RHEL-07-040334 # Enable X11 forwarding. security_sshd_enable_x11_forwarding: yes # RHEL-07-040540 # Set the allowed ssh protocols. security_sshd_protocol: 2 # RHEL-07-040590 # Set the list of allowed Message Authentication Codes (MACs) for ssh. security_sshd_allowed_macs: 'hmac-sha2-256,hmac-sha2-512' # RHEL-07-040620 # Disallow Generic Security Service Application Program Interface (GSSAPI) auth. security_sshd_disallow_gssapi: yes # RHEL-07-040660 # Disallow compression or delay after login. security_sshd_compression: 'delayed' # RHEL-07-040700 # Require privilege separation at every opportunity. security_sshd_enable_privilege_separation: yes # RHEL-07-040690 # Require strict mode checking of home directory configuration files. security_sshd_enable_strict_modes: yes # RHEL-07-040680 # Disallow Kerberos authentication. security_sshd_disable_kerberos_auth: yes # RHEL-07-040670 ## sysctl settings (kernel) # Disallow forwarding IPv4/IPv6 source routed packets on all interfaces # immediately and by default on new interfaces. security_disallow_source_routed_packet_forward_ipv4: yes # RHEL-07-040350 / RHEL-07-040351 security_disallow_source_routed_packet_forward_ipv6: yes # RHEL-07-040860 # Disallow responses to IPv4 ICMP echoes sent to broadcast address. security_disallow_echoes_broadcast_address: yes # RHEL-07-040380 # Disallow IPV4 ICMP redirects on all interfaces immediately and by default on # new interfaces. security_disallow_icmp_redirects: yes # RHEL-07-040410 / RHEL-07-040420 / RHEL-07-040421 # Disallow IP forwarding. security_disallow_ip_forwarding: no # RHEL-07-040730