Add scaffolding for contrib tasks

This patch adds the basic scaffolding for developer-contributed
hardening standards that are outside the scope of the Security
Technical Implementation Guide (STIG). Deployers have the option
to deploy these hardening standards as well.

Change-Id: I33175ffd36a75d27e5ac6c13aaf1584e5fdf23dd
Major Hayden 2017-11-08 07:28:47 -06:00
parent 89f24106cc
commit 2d407a5399
No known key found for this signature in database
GPG Key ID: 737051E0C1011FB1
9 changed files with 96 additions and 2 deletions


@ -367,3 +367,29 @@ security_disable_kdump: yes # V-72057
security_rhel7_disable_dccp: yes # V-77821
# Enable Address Space Layout Randomization (ASLR).
security_enable_aslr: yes # V-77825
###############################################################################
# ____ _ _ _
# / ___|___ _ __ | |_ _ __(_) |__
# | | / _ \| '_ \| __| '__| | '_ \
# | |__| (_) | | | | |_| | | | |_) |
# \____\___/|_| |_|\__|_| |_|_.__/
#
#
# The following configurations apply to tasks that are contributed by
# ansible-hardening developers and may not be part of a hardening standard
# or compliance program. For more information on the 'contrib' tasks, review
# the documentation:
#
# https://docs.openstack.org/ansible-hardening/latest/contrib.html
#
###############################################################################
# To enable the contrib tasks, set this variable to 'yes'.
security_contrib_enabled: no
# Disable IPv6.
# DANGER: This option causes IPv6 networking to be disabled for the ENTIRE
# DANGER: SYSTEM. This will cause downtime for any services that depend on
# DANGER: IPv6 network connectivity.
security_contrib_disable_ipv6: no # C-00001
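Review bot: the comment block above `security_contrib_disable_ipv6` (last lines of the hunk) warns about downtime but never says that the switch has no effect unless `security_contrib_enabled` is also `yes`; since the sysctl entry in vars/rhel7.yml gates on both variables, add a line such as `# Requires security_contrib_enabled: yes.` so a deployer who flips only this variable is not left wondering why nothing changed. It would also help to name the mechanism here (a persistent sysctl of `net.ipv6.conf.all.disable_ipv6`), since a reader of defaults/main.yml otherwise has to open the vars file to learn what "Disable IPv6" actually does.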

doc/source/contrib.rst (new file, 39 lines)

@ -0,0 +1,39 @@
Additional hardening configurations
===================================
Although the Security Technical Implementation Guide (STIG) contains a very
comprehensive set of security configurations, some ansible-hardening
contributors want to add extra security configurations to the role. The
*contrib* portion of the ansible-hardening role is designed to implement those
configurations as an optional set of tasks.
The *contrib* hardening configurations are disabled by default, but they can
be enabled by setting the following Ansible variable:
.. code-block:: yaml
security_contrib_enabled: yes
The individual tasks are controlled by Ansible variables in
``defaults/main.yml`` that begin with ``security_contrib_``.
Kernel
------
C-00001 - Disable IPv6
~~~~~~~~~~~~~~~~~~~~~~
Some systems do not require IPv6 connectivity and the presence of link local
IPv6 addresses can present an additional attack surface for lateral movement.
Deployers can set the following variable to disable IPv6 on all network
interfaces:
.. code-block:: yaml
security_contrib_disable_ipv6: yes
.. warning::
Deployers should test this change in a test environment before applying it
in a production deployment. Applying this change to a production system
that relies on IPv6 connectivity will cause unexpected downtime.
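Review bot: the C-00001 section says the role disables IPv6 "on all network interfaces" but does not say how, and the warning gives no way to verify the result; state that the control is a single sysctl (`net.ipv6.conf.all.disable_ipv6 = 1`) and add the one-line check a deployer runs afterwards (`sysctl net.ipv6.conf.all.disable_ipv6` should print `1`), so the warning is paired with a way to confirm the change landed. The warning would also be more useful if it named the concrete failure mode: the sysctl removes IPv6 addresses from the interfaces, so any service configured to listen on a specific IPv6 address loses that listener, and hosts reached only over IPv6 become unreachable.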


@ -1,7 +1,7 @@
.. _hardening-domains-label:
Hardening Domains
=================
Hardening Domains (RHEL 7 STIG)
===============================
The STIG divides its hardening requirements into severity levels, but the
security role divides the requirements into system domains to make them easier


@ -58,6 +58,7 @@ releases is found within the *Releases* section below.
faq.rst
domains.rst
controls-rhel7.rst
contrib.rst
developer-guide.rst
Releases

tasks/contrib/main.yml (new file, 18 lines)

@ -0,0 +1,18 @@
---
# Copyright 2017, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Notify the deployer that contrib tasks are enabled
debug:
msg: "The contrib tasks are enabled."
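Review bot: the only task in this file is a `debug` notice, while the one real contrib control in this change (C-00001) is applied from the STIG sysctl loop via `sysctl_settings_rhel7`, not from here; a reader who opens tasks/contrib/main.yml looking for where contrib controls live will find nothing. Either have the message say where the controls are actually applied, or add a comment at the top of the file explaining that contrib controls that reuse STIG machinery are gated in the vars files and this file only carries contrib-specific tasks.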


@ -53,3 +53,7 @@
- always
- include: "{{ stig_version }}stig/main.yml"
- include: contrib/main.yml
when:
- security_contrib_enabled | bool
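Review bot: the new `include: contrib/main.yml` has no `tags:`, and neither does the debug task it pulls in, while the surrounding role relies on tags (note the `- always` entry just above); a deployer running with `--tags` therefore never sees the "contrib tasks are enabled" notice. Give the include `tags: [always]` (matching the existing include above it) or a dedicated `contrib` tag so the contrib tasks can be selected and skipped as a unit.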


@ -46,6 +46,7 @@
- V-72293
- V-72309
- V-72319
- C-00001
- name: Check kdump service
command: systemctl status kdump
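Review bot: `C-00001` is appended to the tag list of what appears to be the task that applies `sysctl_settings_rhel7` (the vars hunk adds the C-00001 entry to that list), so `--tags C-00001` runs the whole sysctl loop rather than just the IPv6 entry. Each entry is still governed by its own `enabled:` flag, so nothing extra is applied, but the run is not limited to the contrib control as the tag suggests; a short comment beside the tag saying so would avoid surprises, and contrib.rst should mention that contrib controls may be implemented inside STIG task files.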


@ -61,3 +61,5 @@
# this role without causing disruptions on the system.
security_enable_virus_scanner: no
security_run_virus_scanner_update: no
# Enable the contrib tasks.
security_contrib_enabled: yes
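Review bot: setting `security_contrib_enabled: yes` in the test vars exercises only the debug task; `security_contrib_disable_ipv6` stays at its default of `no`, so the one real contrib control (the `net.ipv6.conf.all.disable_ipv6` sysctl) is never run in CI. Either enable it here as well, or add a comment next to this line recording that it is deliberately left off (for example because the test hosts need IPv6), so the gap is documented rather than accidental.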


@ -344,3 +344,6 @@ sysctl_settings_rhel7:
- name: kernel.randomize_va_space
value: 2
enabled: "{{ security_enable_aslr | bool }}"
- name: net.ipv6.conf.all.disable_ipv6
value: 1
enabled: "{{ (security_contrib_enabled | bool) and (security_contrib_disable_ipv6 | bool) }}"
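Review bot: `net.ipv6.conf.all.disable_ipv6 = 1` disables IPv6 only on the interfaces that exist when the sysctl is applied; interfaces created afterwards (VLANs, bridges, veth pairs for containers) inherit `net.ipv6.conf.default.disable_ipv6`, which this entry leaves at 0, so they come up with link-local IPv6 addresses, the very surface contrib.rst says C-00001 removes. Add a second entry for `net.ipv6.conf.default.disable_ipv6` with the same `value: 1` and the same `enabled:` expression. Separately, please confirm what the sysctl task does when `enabled` is false: if it writes the key back to 0 rather than leaving it alone, a deployer who disabled IPv6 by other means would have it silently re-enabled by running the role with the default variables.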