openstack/ansible-hardening
Code Issues Proposed changes
ansible-hardening/defaults/main.yml
Major Hayden f5061fd022
Switch from dict to individual variables 
The dictionary-based variables didn't work properly and this patch
changes them to individual variables. If users followed the existing
documentation, their environments will be unaffected by this change
(they are still broken).

The new variables follow the pattern `security_VARIABLENAME` which
will soon become the standard for the role to avoid variable name
collisions with other playbooks and roles.

Release notes are included with this patch.

Closes-bug: 1577944

Change-Id: I455f66a0b4f423e2cf0e753b129367427f29479f
2016-05-05 08:32:38 -05:00

308 lines
14 KiB
YAML
Raw Blame History

---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
## APT Cache Options
cache_timeout: 600
### Default configurations for openstack-ansible-security #####################
#
# All of the configuration items below are documented in the developer notes
# found here:
#
# http://docs.openstack.org/developer/openstack-ansible-security/
#
###############################################################################
## AIDE
# The default Ubuntu configuration for AIDE will cause it to wander into some
# terrible places on the system, such as /var/lib/lxc and images in /opt.
# The following three default exclusions are highly recommended for AIDE to
# work properly, but additional exclusions can be added to this list if needed.
aide_exclude_dirs:
- /var/lib/lxc
- /openstack
- /opt
#
# By default, the AIDE database won't be initialized immediately since it can
# consume plenty of CPU and I/O resources while it runs. To initialize the
# AIDE database immediately when the playbook finishes, set the following
# variable to 'true':
initialize_aide: false
## Audit daemon
# The following booleans control the rule sets added to auditd's default
# set of auditing rules. To see which rules will be added for each boolean,
# refer to the templates/osas-auditd.j2 file.
#
# If the template changes due to booleans being adjusted, the new template
# will be deployed onto the host and auditd will get the new rules loaded
# automatically with augenrules.
#
security_audit_account_modification: yes # V-38531, V-38534, V-38538
security_audit_apparmor_changes: yes # V-38541
security_audit_change_localtime: yes # V-38530
security_audit_change_system_time: yes # V-38635
security_audit_clock_settime: yes # V-38527
security_audit_clock_settimeofday: yes # V-38522
security_audit_clock_stime: yes # V-38525
security_audit_DAC_chmod: no # V-38543
security_audit_DAC_chown: yes # V-38545
security_audit_DAC_lchown: yes # V-38558
security_audit_DAC_fchmod: no # V-38547
security_audit_DAC_fchmodat: no # V-38550
security_audit_DAC_fchown: yes # V-38552
security_audit_DAC_fchownat: yes # V-38554
security_audit_DAC_fremovexattr: yes # V-38556
security_audit_DAC_lremovexattr: yes # V-38559
security_audit_DAC_fsetxattr: yes # V-38557
security_audit_DAC_lsetxattr: yes # V-38561
security_audit_DAC_setxattr: yes # V-38565
security_audit_deletions: no # V-38575
security_audit_failed_access: no # V-38566
security_audit_filesystem_mounts: yes # V-38568
security_audit_kernel_modules: yes # V-38580
security_audit_network_changes: yes # V-38540
security_audit_sudoers: yes # V-38578
#
# **DANGER**
# Changing the options below can cause systems to go offline unexpectedly or
# stop serving requests as a security precaution. Read the developer notes for
# each STIG prior to adjusting the following variables.
# **DANGER**
#
# Set an action to occur when there is a disk error. Review the
# documentation for V-38464 before changing this option.
disk_error_action: SYSLOG # V-38464
#
# Set an action to occur when the disk is full. Review the documentation for
# V-38468 before changing this option.
disk_full_action: SYSLOG # V-38468
#
# V-38678 - Set the amount of megabytes left when the space_left_action
# triggers. The STIG guideline doesn't specify a size, but Ubuntu chooses a
# default of 75MB, which is reasonable.
space_left: 75 # V-38678
#
# Set an action to occur when the disk is approaching its capacity.
# Review the documentation for V-38470 before changing this option.
space_left_action: SYSLOG # V-38470
#
# Set the maximum size of a rotated log file. Ubuntu's default
# matches the STIG requirement of 6MB.
max_log_file: 6 # V 38633
#
# Sets the action to take when log files reach the maximum file size.
# Review the documentation for V-38634 before changing this option.
max_log_file_action: ROTATE # V-38634
#
# Set the number of rotated audit logs to keep. Ubuntu has 5 as the default
# and this matches the STIG's requirements.
num_logs: 5 # V-38636
#
# Set the email address of someone who can receive and respond to notifications
# about low disk space for log volumes.
action_mail_acct: root # V-38680
#
# **IMMINENT DANGER**
# The STIG says that the system should switch to single user mode when the
# storage capacity gets very low. This can cause serious service disruptions
# and should only be set to 'single' for deployers in extremely high security
# environments. Ubuntu's default is SUSPEND, which will suspend logging.
# **IMMENENT DANGER**
admin_space_left_action: SUSPEND # V-54381
## Chrony (NTP) configuration
# Adjust the following NTP servers if necessary.
ntp_servers:
- 0.north-america.pool.ntp.org
- 1.north-america.pool.ntp.org
- 2.north-america.pool.ntp.org
- 3.north-america.pool.ntp.org
# Chrony limits access to clients that are on certain subnets. Adjust the
# following subnets here to limit client access to chrony servers.
allowed_ntp_subnets:
- 10/8
- 192.168/16
- 172.16/12
## Core dumps
# V-38675 requires disabling core dumps for all users unless absolutely
# necessary. Set this variable to 'no' to skip this change.
disable_core_dumps: yes # V-38675
## Services
# The STIG recommends ensuring that some services are running if no services
# utilizing it are enabled. Setting a boolean to 'yes' here will ensure that
# a service isn't actively running and will not be started after boot-up.
# Setting a 'no' will ensure that this Ansible role does not alter the service
# in any way from its current configuration.
#
security_disable_abrtd: yes # V-38641
security_disable_atd: yes # V-38640
security_disable_autofs: yes # V-38437
security_disable_avahi: yes # V-31618
security_disable_bluetooth: yes # V-38691
security_disable_qpidd: yes # V-38648
security_disable_rsh: yes # V-38594
security_disable_ypbind: yes # V-38604
security_disable_xinetd: yes # V-38582
#
# The STIG recommends ensuring that some services aren't installed at ANY time.
# Those services are listed here. Setting a boolean here to 'yes' wiil
# ensure that the STIG is followed and the service is removed. Setting a
# boolean to 'no' means that the playbook will not alter the service.
#
security_remove_ldap_server: yes # V-38627
security_remove_rsh_server: yes # V-38591
security_remove_sendmail: yes # V-38671
security_remove_telnet_server: yes # V-38587
security_remove_tftp_server: yes # V-38606
security_remove_xinetd: yes # V-38584
security_remove_xorg: yes # v-38676
security_remove_ypserv: yes # V-38603
## SSH configuration
# The following configuration items will adjust how the ssh daemon is
# configured. The recommendations from the RHEL 6 STIG are shown below, but
# they can be adjusted to fit a particular environment.
#
# Set a 15 minute time out for SSH sessions if there is no activity
ssh_client_alive_interval: 900 # V-38608
#
# Timeout ssh sessions as soon as ClientAliveInterval is reached once
ssh_client_alive_count_max: 0 # V-38610
#
# The ssh daemon must not permit root logins. The default value of 'yes' is a
# deviation from the STIG requirements due to how openstack-ansible operates,
# especially within OpenStack CI gate jobs. See documentation for V-38613 for
# more details.
ssh_permit_root_login: 'yes' # V-38613
## Kernel
# Set these booleans to 'yes' to disable the kernel module (following the
# STIG requirements). Set the boolean to 'no' to ensure no changes are made.
security_disable_module_bluetooth: yes # V-38682
security_disable_module_dccp: yes # V-38514
security_disable_module_rds: yes # V-38516
security_disable_module_sctp: yes # V-38515
security_disable_module_tipc: yes # V-38517
security_disable_module_usb_storage: no # V-38490
#
# ** DANGER **
# It's strongly recommended to fully understand the effects of changing the
# following sysctl tunables. Refer to the documentation under 'Developer
# Notes' for each of the STIGs below before making any changes.
# ** DANGER **
#
security_sysctl_tcp_syncookies: 1 # V-38539
#
# Deployers who wish to disable IPv6 entirely must set this configuration
# variable to 'yes'. See the documentation for V-38546 before making this
# change.
disable_ipv6: no # V-38546
## Mail
# The STIG requires inet_interfaces to be set to 'localhost', but Ubuntu will
# configure it to be 'all' when dpkg-reconfigure is unavailable (as it is when
# Ansible installs packages). The default here is 'localhost' to meet the STIG
# requirement, but some deployers may want this set to 'all' if their hosts
# need to receive emails over the network (which isn't common).
#
# See the documentation for V-38622 for more details.
postfix_inet_interfaces: localhost # V-38622
#
# Configuring an email address here will cause hosts to forward the root user's
# email to another address.
#
#root_forward_email: user@example.com
## PAM and authentication
# V-38497 requires that accounts with null passwords aren't allowed to
# authenticate via PAM. Ubuntu 14.04's default allows these logins -- see the
# documentation for V-38497 for more details. Set the variable below to 'yes'
# to remove 'nullok_secure' from the PAM configuration or set it to 'no' to
# leave the PAM configuration unaltered.
pam_remove_nullok: yes # V-38497
#
# V-38501 requires that failed login attempts must lock a user account using
# pam_faillock, but Ubuntu doesn't package that PAM module. Instead, fail2ban
# can be installed to lock out IP addresses with failed logins for 15 minutes.
# Set the variable below to 'yes' to install and configure fail2ban.
install_fail2ban: no # V-38501
#
# The STIG requires bans to last 15 minutes. Adjust the following variable
# to set the time an IP is banned by fail2ban (in seconds).
fail2ban_bantime: 900 # V-38501
## Password complexity and aging
# V-38475 - There is no password length requirement by default in Ubuntu
# 14.04. To set a password length requirement, uncomment
# password_minimum_length below. The STIG recommendation is 14 characters.
#password_minimum_length: 14 # V-38475
# V-38477 - There is no password change limitation set by default in Ubuntu.
# To set the minimum number of days between password changes, uncomment
# the password_minimum_days variable below. The STIG recommendation is 1 day.
#password_minimum_days: 1 # V-38477
# V-38479 - There is no age limit on password by default in Ubuntu. Uncomment
# line below to use the STIG recommendation of 60 days.
#password_maximum_days: 60 # V-38479
# V-38480 - To warn users before their password expires, uncomment the line
# below and they will be warned 7 days prior (following the STIG).
#password_warn_age: 7 # V-38480
# V-38684 - Setting the maximum number of simultaneous logins per user. The
# STIG sets a limit of 10.
#max_simultaneous_logins: 10 # V-38684
# V-38692 - Lock accounts that are inactive for 35 days.
#inactive_account_lock_days: 35 # V-38692
## sudo
# V-58901 requires that 'NOPASSWD' and '!authenticate' do not appear in any
# sudoers files since they could lead to a compromise. Set the following
# variables to 'yes' to comment out any lines found with these prohibited
# parameters or leave them set to 'no' (the default) to leave sudoers files
# unaltered. Deployers are urged to review the documentation for this STIG
# before making changes.
sudoers_remove_nopasswd: no # V-58901
sudoers_remove_authenticate: no # V-58901
## umask settings
# The STIG recommends changing various default umask settings for users and
# daemons via different methods. However, this could cause serious issues for
# production OpenStack environements which haven't been tested with these
# changes.
#
# The variables below are set to match the STIG requirements, but they are
# commented out to ensure they require deployers to opt-in for each change. To
# opt in for one of the changes below, simply uncomment the line and run the
# playbook. Deployers are strongly advised to review the documentation for
# these changes and review their systems to ensure these changes won't cause
# service disruptions.
#
# V-38642 - Set umask for daemons in init scripts to 027 or 022
#umask_daemons_init: 027 # V-38642
#
# V-38645 - System default umask in /etc/login.defs must be 077
#umask_login_defs: 077 # V-38645
#
# V-38649 - System default umask for csh must be 077
#umask_csh: 077 # V-38649
#
# V-38651 - System default umask for bash must be 077
#umask_bash: 077 # V-38651
## Unattended upgrades (APT) configuration
unattended_upgrades_enabled: false
unattended_upgrades_notifications: false
View Git Blame Copy Permalink