openstack/ansible-hardening
Code Issues Proposed changes
ansible-hardening/defaults/main.yml
Major Hayden 0df416900f GPG verification for packages 
This patch adds the GPG verification requirements for packages from
the following STIGs:

  * RHEL-07-020150
  * RHEL-07-020151
  * RHEL-07-020152

The implementation for CentOS is much more robust due to some shortcomings
with apt on Ubuntu.

Implements: blueprint security-rhel7-stig
Change-Id: Ia125d6386a0d33f7c9d8c7a6de1c6d949018f671
2016-11-07 21:53:09 +00:00

418 lines
19 KiB
YAML
Raw Blame History

---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
## STIG version selection
# During the Ocata development cycle, the role will begin adding the RHEL 7
# STIG content. By default, all operating systems will use the RHEL 6 STIG
# until the work has completed.
#
# This variable should only be adjusted for testing purposes.
stig_version: rhel6
## APT Cache Options
# This variable is used across multiple OpenStack-Ansible roles to handle the
# apt cache updates as efficiently as possible.
cache_timeout: 600
# Set the package install state for distribution packages
# Options are 'present' and 'latest'
security_package_state: "latest"
###############################################################################
# ____ _ _ _____ _ __ ____ _____ ___ ____
# | _ \| | | | ____| | / /_ / ___|_ _|_ _/ ___|
# | |_) | |_| | _| | | | '_ \ \___ \ | | | | | _
# | _ <| _ | |___| |___ | (_) | ___) || | | | |_| |
# |_| \_\_| |_|_____|_____| \___/ |____/ |_| |___\____|
#
# The default configurations after this marker apply to the RHEL 6 STIG
# content in the openstack-ansible-security role. Review the comments below
# as well as the main openstack-ansible-security documentation:
#
# http://docs.openstack.org/developer/openstack-ansible-security/
#
###############################################################################
## AIDE
# The default Ubuntu configuration for AIDE will cause it to wander into some
# terrible places on the system, such as /var/lib/lxc and images in /opt.
# The following three default exclusions are highly recommended for AIDE to
# work properly, but additional exclusions can be added to this list if needed.
security_aide_exclude_dirs:
- /openstack
- /opt
- /run
- /var
#
# By default, the AIDE database won't be initialized immediately since it can
# consume plenty of CPU and I/O resources while it runs. To initialize the
# AIDE database immediately when the playbook finishes, set the following
# variable to 'true':
security_initialize_aide: false
## Audit daemon
# V-38438 requires that auditd is enabled at boot time with a parameter in the
# GRUB configuration.
#
# If 'security_enable_audit_during_boot' is set to 'yes', then the 'audit=1'
# parameter will be added in /etc/default/grub.d/.
# If 'security_enable_grub_update is set to 'yes', the grub.cfg will be
# updated automatically.
security_enable_audit_during_boot: yes # V-38438
security_enable_grub_update: yes # V-38438
# The following booleans control the rule sets added to auditd's default
# set of auditing rules. To see which rules will be added for each boolean,
# refer to the templates/osas-auditd.j2 file.
#
# If the template changes due to booleans being adjusted, the new template
# will be deployed onto the host and auditd will get the new rules loaded
# automatically with augenrules.
#
security_audit_account_modification: yes # V-38531, V-38534, V-38538
security_audit_change_localtime: yes # V-38530
security_audit_change_system_time: yes # V-38635
security_audit_clock_settime: yes # V-38527
security_audit_clock_settimeofday: yes # V-38522
security_audit_clock_stime: yes # V-38525
security_audit_DAC_chmod: no # V-38543
security_audit_DAC_chown: no # V-38545
security_audit_DAC_lchown: no # V-38558
security_audit_DAC_fchmod: no # V-38547
security_audit_DAC_fchmodat: no # V-38550
security_audit_DAC_fchown: no # V-38552
security_audit_DAC_fchownat: no # V-38554
security_audit_DAC_fremovexattr: no # V-38556
security_audit_DAC_lremovexattr: no # V-38559
security_audit_DAC_fsetxattr: no # V-38557
security_audit_DAC_lsetxattr: no # V-38561
security_audit_DAC_setxattr: no # V-38565
security_audit_deletions: no # V-38575
security_audit_failed_access: no # V-38566
security_audit_filesystem_mounts: yes # V-38568
security_audit_kernel_modules: yes # V-38580
security_audit_mac_changes: yes # V-38541
security_audit_network_changes: yes # V-38540
security_audit_sudoers: yes # V-38578
#
# **DANGER**
# Changing the options below can cause systems to go offline unexpectedly or
# stop serving requests as a security precaution. Read the developer notes for
# each STIG prior to adjusting the following variables.
# **DANGER**
#
# Set an action to occur when there is a disk error. Review the
# documentation for V-38464 before changing this option.
security_disk_error_action: SYSLOG # V-38464
#
# Set an action to occur when the disk is full. Review the documentation for
# V-38468 before changing this option.
security_disk_full_action: SYSLOG # V-38468
#
# V-38678 - Set the amount of megabytes left when the space_left_action
# triggers. The STIG guideline doesn't specify a size, but Ubuntu chooses a
# default of 75MB, which is reasonable.
security_space_left: 75 # V-38678
#
# Set an action to occur when the disk is approaching its capacity.
# Review the documentation for V-38470 before changing this option.
security_space_left_action: SYSLOG # V-38470
#
# Set the maximum size of a rotated log file. Ubuntu's default
# matches the STIG requirement of 6MB.
security_max_log_file: 6 # V 38633
#
# Sets the action to take when log files reach the maximum file size.
# Review the documentation for V-38634 before changing this option.
security_max_log_file_action: ROTATE # V-38634
#
# Set the number of rotated audit logs to keep. Ubuntu has 5 as the default
# and this matches the STIG's requirements.
security_num_logs: 5 # V-38636
#
# Set the email address of someone who can receive and respond to notifications
# about low disk space for log volumes.
security_action_mail_acct: root # V-38680
#
# **IMMINENT DANGER**
# The STIG says that the system should switch to single user mode when the
# storage capacity gets very low. This can cause serious service disruptions
# and should only be set to 'single' for deployers in extremely high security
# environments. Ubuntu's default is SUSPEND, which will suspend logging.
# **IMMENENT DANGER**
security_admin_space_left_action: SUSPEND # V-54381
## Chrony (NTP) configuration
# Install and enable chrony to sync time with NTP servers.
security_enable_chrony: yes # V-38620
# Adjust the following NTP servers if necessary.
security_ntp_servers:
- 0.north-america.pool.ntp.org
- 1.north-america.pool.ntp.org
- 2.north-america.pool.ntp.org
- 3.north-america.pool.ntp.org
# Chrony limits access to clients that are on certain subnets. Adjust the
# following subnets here to limit client access to chrony servers.
security_allowed_ntp_subnets:
- 10/8
- 192.168/16
- 172.16/12
# Listen for NTP requests only on local interfaces.
security_ntp_bind_local_interfaces_only: yes
## Core dumps
# V-38675 requires disabling core dumps for all users unless absolutely
# necessary. Set this variable to 'no' to skip this change.
security_disable_core_dumps: yes # V-38675
## Services
# The STIG recommends ensuring that some services are running if no services
# utilizing it are enabled. Setting a boolean to 'yes' here will ensure that
# a service isn't actively running and will not be started after boot-up.
# Setting a 'no' will ensure that this Ansible role does not alter the service
# in any way from its current configuration.
#
security_disable_abrtd: yes # V-38641
security_disable_atd: yes # V-38640
security_disable_autofs: yes # V-38437
security_disable_avahi: yes # V-31618
security_disable_bluetooth: yes # V-38691
security_disable_netconsole: yes # v-38672
security_disable_qpidd: yes # V-38648
security_disable_rdisc: yes # V-38650
security_disable_rsh: yes # V-38594
security_disable_ypbind: yes # V-38604
security_disable_xinetd: yes # V-38582
#
# The STIG recommends ensuring that some services aren't installed at ANY time.
# Those services are listed here. Setting a boolean here to 'yes' wiil
# ensure that the STIG is followed and the service is removed. Setting a
# boolean to 'no' means that the playbook will not alter the service.
#
security_remove_ldap_server: yes # V-38627
security_remove_rsh_server: yes # V-38591
security_remove_sendmail: yes # V-38671
security_remove_telnet_server: yes # V-38587
security_remove_tftp_server: yes # V-38606
security_remove_xinetd: yes # V-38584
security_remove_xorg: yes # v-38676
security_remove_ypserv: yes # V-38603
#
# The STIG does not allow the system to run a graphical interface. Set this
# variable to 'no' if you need a graphical interface on the server.
security_disable_x_windows: yes # V-38674
## SSH configuration
# The following configuration items will adjust how the ssh daemon is
# configured. The recommendations from the RHEL 6 STIG are shown below, but
# they can be adjusted to fit a particular environment.
#
# Set a 15 minute time out for SSH sessions if there is no activity
security_ssh_client_alive_interval: 900 # V-38608
#
# Timeout ssh sessions as soon as ClientAliveInterval is reached once
security_ssh_client_alive_count_max: 0 # V-38610
#
# The ssh daemon must not permit root logins. The default value of 'yes' is a
# deviation from the STIG requirements due to how openstack-ansible operates,
# especially within OpenStack CI gate jobs. See documentation for V-38613 for
# more details.
security_ssh_permit_root_login: 'yes' # V-38613
## Kernel
# Set these booleans to 'yes' to disable the kernel module (following the
# STIG requirements). Set the boolean to 'no' to ensure no changes are made.
security_disable_module_bluetooth: yes # V-38682
security_disable_module_dccp: yes # V-38514
security_disable_module_rds: yes # V-38516
security_disable_module_sctp: yes # V-38515
security_disable_module_tipc: yes # V-38517
security_disable_module_usb_storage: no # V-38490
security_disable_icmpv4_redirects: no # V-38524
security_disable_icmpv4_redirects_secure: no # V-38526
security_disable_icmpv6_redirects: no # V-38548
#
# ** DANGER **
# It's strongly recommended to fully understand the effects of changing the
# following sysctl tunables. Refer to the documentation under 'Developer
# Notes' for each of the STIGs below before making any changes.
# ** DANGER **
#
security_sysctl_enable_tcp_syncookies: yes # V-38539
security_sysctl_enable_martian_logging: no # V-38528
#
# Deployers who wish to disable IPv6 entirely must set this configuration
# variable to 'yes'. See the documentation for V-38546 before making this
# change.
security_disable_ipv6: no # V-38546
# Sets the global challenge ACK counter to a large value such
# that a potential attacker could not reasonably come up against it.
security_set_tcp_challenge_ack_limit: yes # CVE-2016-5696
## Mail
# The STIG requires inet_interfaces to be set to 'localhost', but Ubuntu will
# configure it to be 'all' when dpkg-reconfigure is unavailable (as it is when
# Ansible installs packages). The default here is 'localhost' to meet the STIG
# requirement, but some deployers may want this set to 'all' if their hosts
# need to receive emails over the network (which isn't common).
#
# See the documentation for V-38622 for more details.
security_postfix_inet_interfaces: localhost # V-38622
#
# Configuring an email address here will cause hosts to forward the root user's
# email to another address.
#
#security_root_forward_email: user@example.com
## Linux Security Module (LSM)
# AppArmor and SELinux provide powerful security controls on a Linux system
# by setting policies for allowed actions. By setting the following variable
# to true, the appropriate LSM will be enabled for the Linux distribution:
#
# Ubuntu: AppArmor
# CentOS: SELinux
#
# See the openstack-ansible-security documentation for more details.
security_enable_linux_security_module: yes # V-51337
## PAM and authentication
# V-38497 requires that accounts with null passwords aren't allowed to
# authenticate via PAM. Ubuntu 14.04's default allows these logins -- see the
# documentation for V-38497 for more details. Set the variable below to 'yes'
# to remove 'nullok_secure' from the PAM configuration or set it to 'no' to
# leave the PAM configuration unaltered.
security_pam_remove_nullok: yes # V-38497
#
# V-38501 requires that failed login attempts must lock a user account using
# pam_faillock, but Ubuntu doesn't package that PAM module. Instead, fail2ban
# can be installed to lock out IP addresses with failed logins for 15 minutes.
# Set the variable below to 'yes' to install and configure fail2ban.
security_install_fail2ban: no # V-38501
#
# The STIG requires bans to last 15 minutes. Adjust the following variable
# to set the time an IP is banned by fail2ban (in seconds).
security_fail2ban_bantime: 900 # V-38501
## Password complexity and aging
# V-38475 - There is no password length requirement by default in Ubuntu 14.04.
# To set a password length requirement, uncomment
# security_password_minimum_length below. The STIG recommendation is 14
# characters.
#security_password_minimum_length: 14 # V-38475
# V-38477 - There is no password change limitation set by default in Ubuntu. To
# set the minimum number of days between password changes, uncomment the
# security_password_minimum_days variable below. The STIG recommendation is 1
# day.
#security_password_minimum_days: 1 # V-38477
# V-38479 - There is no age limit on password by default in Ubuntu. Uncomment
# line below to use the STIG recommendation of 60 days.
#security_password_maximum_days: 60 # V-38479
# V-38480 - To warn users before their password expires, uncomment the line
# below and they will be warned 7 days prior (following the STIG).
#security_password_warn_age: 7 # V-38480
# V-38684 - Setting the maximum number of simultaneous logins per user. The
# STIG sets a limit of 10.
#security_max_simultaneous_logins: 10 # V-38684
# V-38692 - Lock accounts that are inactive for 35 days.
#security_inactive_account_lock_days: 35 # V-38692
## sudo
# V-58901 requires that 'NOPASSWD' and '!authenticate' do not appear in any
# sudoers files since they could lead to a compromise. Set the following
# variables to 'yes' to comment out any lines found with these prohibited
# parameters or leave them set to 'no' (the default) to leave sudoers files
# unaltered. Deployers are urged to review the documentation for this STIG
# before making changes.
security_sudoers_remove_nopasswd: no # V-58901
security_sudoers_remove_authenticate: no # V-58901
## umask settings
# The STIG recommends changing various default umask settings for users and
# daemons via different methods. However, this could cause serious issues for
# production OpenStack environements which haven't been tested with these
# changes.
#
# The variables below are set to match the STIG requirements, but they are
# commented out to ensure they require deployers to opt-in for each change. To
# opt in for one of the changes below, simply uncomment the line and run the
# playbook. Deployers are strongly advised to review the documentation for
# these changes and review their systems to ensure these changes won't cause
# service disruptions.
#
# V-38642 - Set umask for daemons in init scripts to 027 or 022
#security_umask_daemons_init: 027 # V-38642
#
# V-38645 - System default umask in /etc/login.defs must be 077
#security_umask_login_defs: 077 # V-38645
#
# V-38649 - System default umask for csh must be 077
#security_umask_csh: 077 # V-38649
#
# V-38651 - System default umask for bash must be 077
#security_umask_bash: 077 # V-38651
## Unattended upgrades (APT) configuration
security_unattended_upgrades_enabled: false
security_unattended_upgrades_notifications: false
###############################################################################
# ____ _ _ _____ _ _____ ____ _____ ___ ____
# | _ \| | | | ____| | |___ | / ___|_ _|_ _/ ___|
# | |_) | |_| | _| | | / / \___ \ | | | | | _
# | _ <| _ | |___| |___ / / ___) || | | | |_| |
# |_| \_\_| |_|_____|_____| /_/ |____/ |_| |___\____|
#
# UNDER ACTIVE DEVELOPMENT
#
# The default configurations after this marker apply to the RHEL 7 STIG
# content in the openstack-ansible-security role. This content is still under
# active development and will not be applied to systems by default until
# the development work is complete.
#
###############################################################################
## Authentication (auth)
# Disallow logins from accounts with blank/null passwords via PAM.
security_disallow_blank_password_login: yes # RHEL-07-010260
## File permissions (file_perms)
# Reset file permissions and ownership for files installed via RPM packages.
security_reset_perm_ownership: yes # RHEL-07-010010
## Graphical interfaces (graphical)
# Disable automatic gdm logins
security_disable_gdm_automatic_login: yes # RHEL-07-010430
# Disable timed gdm logins for guests
security_disable_gdm_timed_login: yes # RHEL-07-010431
## Packages (packages)
# Remove packages from the system as required by the STIG. Set any of these
# to 'no' to skip their removal.
security_rhel7_remove_rsh_server: yes # RHEL-07-020000
security_rhel7_remove_telnet_server: yes # RHEL-07-021910
security_rhel7_remove_tftp_server: yes # RHEL-07-040500
security_rhel7_remove_xorg: yes # RHEL-07-040560
security_rhel7_remove_ypserv: yes # RHEL-07-020010
## RPM (rpm)
# Enable GPG checks for remotely and locally installed packages. This includes
# RHEL-07-020150, RHEL-07-020151, and RHEL-07-020152.
security_enable_gpgcheck: yes # RHEL-07-020150
## ssh server (sshd)
# Prevent users from logging in over ssh if they have an empty password.
security_sshd_disallow_empty_password: yes # RHEL-07-010270
View Git Blame Copy Permalink