openstack/ansible-hardening
Code Issues Proposed changes
91f19e9eb3
ansible-hardening/vars/main.yml
Major Hayden 782bb48c14
Update to RHEL 7 STIG V1R3 
This patch updates the tasks to match the changes in Version 1,
Release 3 of the RHEL 7 STIG. It adds four new configurations:

  - V-77819 (docs only, manual intervention req'd)
  - V-77821 (disabling DCCP, implemented)
  - V-77823 (docs only, manual intervention req'd)
  - V-77825 (enabling ASLR, implemented)

Closes-Bug: 1729344
Change-Id: I009fb31139e654f839d94781baf3d392c6613f46
2017-11-01 13:31:34 -05:00

347 lines
10 KiB
YAML
Raw Blame History

---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
## Common variables for all distributions
# This file contains variables that apply to all distributions that the
# security role supports. Distribution-specific variables should be placed in:
#
# - vars/redhat.yml
# - vars/ubuntu.yml
## auditd configuration
auditd_config:
- parameter: disk_full_action
value: "{{ security_rhel7_auditd_disk_full_action }}"
config: /etc/audisp/audisp-remote.conf
- parameter: network_failure_action
value: "{{ security_rhel7_auditd_network_failure_action }}"
config: /etc/audisp/audisp-remote.conf
- parameter: space_left
value: "{{ security_rhel7_auditd_space_left }}"
config: /etc/audit/auditd.conf
- parameter: space_left_action
value: "{{ security_rhel7_auditd_space_left_action }}"
config: /etc/audit/auditd.conf
- parameter: action_mail_acct
value: "{{ security_rhel7_auditd_action_mail_acct }}"
config: /etc/audit/auditd.conf
## auditd rules
# This variable is used in tasks/rhel7stig/auditd.yml to deploy auditd rules
# for various commands and syscalls.
#
# Each dictionary has this structure:
#
# command: the command/syscall to audit (required)
# stig_id: the number/ID from the STIG (required)
# arch_specific: 'yes' if the rule depends on the architecture type,
# otherwise 'no' (required)
# path: the path to the command (optional, default is '/usr/bin')
# distro: restrict deployment to a single Linux distribution (optional,
# should be equal to 'ansible_os_family | lower', such as 'redhat'
# or 'ubuntu')
#
audited_commands:
- command: chsh
stig_id: V-72167
arch_specific: no
- command: chage
stig_id: V-72155
arch_specific: no
- command: chcon
stig_id: V-72139
arch_specific: no
- command: chmod
stig_id: V-72105
arch_specific: yes
- command: chown
stig_id: V-72097
arch_specific: yes
- command: creat
stig_id: V-72123
arch_specific: yes
- command: crontab
stig_id: V-72183
arch_specific: no
- command: delete_module
stig_id: V-72189
arch_specific: yes
- command: fchmod
stig_id: V-72107
arch_specific: yes
- command: fchmodat
stig_id: V-72109
arch_specific: yes
- command: fchown
stig_id: V-72099
arch_specific: yes
- command: fchownat
stig_id: V-72103
arch_specific: yes
- command: fremovexattr
stig_id: V-72119
arch_specific: yes
- command: fsetxattr
stig_id: V-72113
arch_specific: yes
- command: ftruncate
stig_id: V-72133
arch_specific: yes
- command: init_module
stig_id: V-72187
arch_specific: yes
- command: gpasswd
stig_id: V-72153
arch_specific: no
- command: lchown
stig_id: V-72101
arch_specific: yes
- command: lremovexattr
stig_id: V-72121
arch_specific: yes
- command: lsetxattr
stig_id: V-72115
arch_specific: yes
- command: mount
path: /bin
stig_id: V-72171
arch_specific: no
- command: newgrp
stig_id: V-72165
arch_specific: no
- command: open
stig_id: V-72125
arch_specific: yes
- command: openat
stig_id: V-72127
arch_specific: yes
- command: open_by_handle_at
stig_id: V-72129
arch_specific: yes
- command: pam_timestamp_check
path: /sbin
stig_id: V-72185
arch_specific: no
- command: passwd
stig_id: V-72149
arch_specific: no
- command: postdrop
path: /usr/sbin
stig_id: V-72175
arch_specific: no
- command: postqueue
path: /usr/sbin
stig_id: V-72177
arch_specific: no
- command: removexattr
stig_id: V-72117
arch_specific: yes
- command: rename
stig_id: V-72199
arch_specific: yes
- command: renameat
stig_id: V-72201
arch_specific: yes
- command: restorecon
path: /usr/sbin
stig_id: V-72141
arch_specific: no
- command: rmdir
stig_id: V-72203
arch_specific: yes
- command: semanage
path: /usr/sbin
stig_id: V-72135
arch_specific: no
- command: setsebool
path: /usr/sbin
stig_id: V-72137
arch_specific: no
- command: setxattr
stig_id: V-72111
arch_specific: yes
- command: ssh-keysign
path: "{{ ssh_keysign_path }}"
stig_id: V-72179
arch_specific: no
- command: su
path: /bin
stig_id: V-72159
arch_specific: no
- command: sudo
stig_id: V-72161
arch_specific: no
- command: sudoedit
path: /bin
stig_id: V-72169
arch_specific: no
- command: truncate
stig_id: V-72131
arch_specific: yes
- command: umount
path: /bin
stig_id: V-72173
arch_specific: no
- command: unix_chkpwd
path: /sbin
stig_id: V-72151
arch_specific: no
- command: unlink
stig_id: V-72205
arch_specific: yes
- command: unlinkat
stig_id: V-72207
arch_specific: yes
- command: userhelper
path: /usr/sbin
stig_id: V-72157
arch_specific: no
## Password quality settings
# This variable is used in main/rhel7stig/auth.yml to set password quality
# requirements.
#
# Each dictionary has this structure:
#
# parameter: the pwquality parameter to set
# value: the value of the parameter
# stig_id: the STIG id number
# description: description of the control from the STIG
# enabled: whether the change should be applied
#
password_quality_rhel7:
- parameter: ucredit
value: -1
stig_id: V-71903
description: "Password must contain at least one upper-case character"
enabled: "{{ security_pwquality_require_uppercase }}"
- parameter: lcredit
value: -1
stig_id: V-71905
description: "Password must contain at least one lower-case character"
enabled: "{{ security_pwquality_require_lowercase }}"
- parameter: dcredit
value: -1
stig_id: V-71907
description: "Password must contain at least one numeric character"
enabled: "{{ security_pwquality_require_numeric }}"
- parameter: ocredit
value: -1
stig_id: V-71909
description: "Password must contain at least one special character"
enabled: "{{ security_pwquality_require_special }}"
- parameter: difok
value: 8
stig_id: V-71911
description: "Password must have at least eight characters changed"
enabled: "{{ security_pwquality_require_characters_changed }}"
- parameter: minclass
value: 4
stig_id: V-71913
description: "Password must have at least four character classes changed"
enabled: "{{ security_pwquality_require_character_classes_changed }}"
- parameter: maxrepeat
value: 3
stig_id: V-71915
description: "Password must have at most three characters repeated consecutively"
enabled: "{{ security_pwquality_limit_repeated_characters }}"
- parameter: maxclassrepeat
value: 4
stig_id: V-71917
description: "Password must have at most four characters in the same character class repeated consecutively"
enabled: "{{ security_pwquality_limit_repeated_character_classes }}"
- parameter: minlen
value: 15
stig_id: V-71935
description: "Passwords must be a minimum of 15 characters in length"
enabled: "{{ security_pwquality_require_minimum_password_length }}"
## shadow-utils settings
# This variable is used in main/rhel7stig/auth.yml to set shadow file-related
# configurations in /etc/login.defs.
#
# Each dictionary has this structure:
#
# parameter: the parameter to set
# value: the value for the parameter
# stig_id: the STIG ID number for the requirement
#
shadow_utils_rhel7:
- parameter: ENCRYPT_METHOD
value: "{{ security_password_encrypt_method | default('') }}"
stig_id: V-71921
ansible_os_family: all
- parameter: PASS_MIN_DAYS
value: "{{ security_password_min_lifetime_days | default('') }}"
stig_id: V-71925
ansible_os_family: all
- parameter: PASS_MAX_DAYS
value: "{{ security_password_max_lifetime_days | default('') }}"
stig_id: V-71929
ansible_os_family: all
- parameter: FAIL_DELAY
value: "{{ security_shadow_utils_fail_delay | default('') }}"
stig_id: V-71951
ansible_os_family: RedHat
- parameter: UMASK
value: "{{ security_shadow_utils_umask | default('') }}"
stig_id: V-71995
ansible_os_family: all
- parameter: CREATE_HOME
value: "{{ security_shadow_utils_create_home | default('') }}"
stig_id: V-72013
ansible_os_family: all
## sysctl settings
# This variable is used in main/rhel7stig/kernel.yml to set sysctl
# configurations on hosts.
#
# Each dictionary has this structure:
#
# name: the sysctl configuration name
# value: the value to set for the sysctl configuration
# enabled: yes or no
# - 'yes' (ensure the variable is set)
# - 'no' (the role will not alter the configuration)
#
sysctl_settings_rhel7:
- name: net.ipv4.conf.all.accept_source_route
value: 0
enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
- name: net.ipv4.conf.default.accept_source_route
value: 0
enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool}}"
- name: net.ipv4.icmp_echo_ignore_broadcasts
value: 1
enabled: "{{ security_disallow_echoes_broadcast_address | bool }}"
- name: net.ipv4.conf.all.send_redirects
value: 0
enabled: "{{ security_disallow_icmp_redirects | bool }}"
- name: net.ipv4.conf.default.send_redirects
value: 0
enabled: "{{ security_disallow_icmp_redirects | bool }}"
- name: net.ipv4.ip_forward
value: 0
enabled: "{{ security_disallow_ip_forwarding | bool }}"
- name: net.ipv6.conf.all.accept_source_route
value: 0
enabled: "{{ security_disallow_source_routed_packet_forward_ipv6 | bool }}"
- name: net.ipv4.conf.default.accept_redirects
value: 0
enabled: "{{ security_disallow_icmp_redirects | bool }}"
- name: kernel.randomize_va_space
value: 2
enabled: "{{ security_enable_aslr | bool }}"
View Git Blame Copy Permalink