Commit Graph

44 Commits

Author SHA1 Message Date
Jonathan Rosser 0114e44f3e Add Centos-8 support
Make hardening compatible with CentOS-8. Dependent patch [1] already
passes hardening and another one resolves issue with installing
non-existent packages. So we should merge this one without passing
CentOS 8 tests not to create circular dependency

[1] https://review.opendev.org/689629

Change-Id: I33160b9a6e8331d6db39824e420033c7ab06780b
2020-05-22 11:03:22 +00:00
Major Hayden a10fae4fe1 Replace Fedora 26 with 27
Now that infra is moving from Fedora 26 to 27, we need to update
the role to reflect the changing support for Fedora releases.

Change-Id: Icce8fd7ee2f8c54e6eb33beec7af96c4d1d375d6
Signed-off-by: Major Hayden <major@mhtx.net>
2018-03-07 13:30:45 +00:00
Yifei Xue 8025799fe6 Fix the path of chrony.keys
The path of chrony.keys on CentOS is different
from the one on Ubuntu. So change the definition
of keyfile to use variable defined in vars.

Change-Id: Ibb54318d5fff452857d917e3b13af6bae26a1b55
Signed-off-by: Yifei Xue <xueyifei@huawei.com>
2017-12-22 10:01:58 +08:00
Markos Chandras a0810a9ca1 tasks: auth: Use standard Grub2 authentication mechanism
GRUB_PASSWORD is not understood by vanilla grub2 installations. As such,
we can use the recommended method by setting the superusers
environment variable and using the password_pbkdf2 command

Change-Id: I07df3decf5e70b85a7dc48b8a8d1ca86e8878d09
Link: https://www.gnu.org/software/grub/manual/grub/grub.html#Security
Closes-Bug: 1735709
2017-12-13 12:38:30 +00:00
Major Hayden 0c0767b3f1 Queens doc updates + removal of RHEL 6 STIG
This patch begins the teardown of the RHEL 6 STIG content from the
ansible-hardening repository. It will still be maintained in
Pike and earlier branches.

This patch also updates the ansible-hardening documentation for the
Queens release and notes that Pike is the latest stable version.

Closes-Bug: 1715745
Change-Id: Iaae52c97a35d82dd807ef78a1a6593ce3aa33540
2017-09-12 08:19:54 -06:00
Major Hayden b352760fd1 Fedora 26 support
This patch adds support for Fedora 26.

Depends-On: Ic4ea169908fec86623dbe91859ec524e48683ab7
Change-Id: I590bed829d9e3b7a6df477a00b65bfc10fc64dae
2017-08-28 07:33:16 -05:00
Markos Chandras f422da8599 Add support for the openSUSE Leap distributions
Add support for the openSUSE Leap distributions. The security rules
are similar to the RedHat and Ubuntu ones. We also replace
ansible_os_family with ansible_pkg_mgr since the former does not
return consistent results across different SUSE distributions especially
on older Ansible versions.

Change-Id: I20ffe17039bb641aad70d8123f0b7e7417a42cba
2017-06-27 15:43:53 +01:00
Major Hayden 6c9c7fad66 Get a list of all users + interactive users
This patch adjusts main.yml to retrieve a list of all users and a
list of just interactive users using the get_users module.

Change-Id: I4ff3ceeb068e339c62456f2e5c62ec97b72751f4
2017-06-13 06:32:17 +00:00
Major Hayden 97186f8339 Initial Fedora 25 support
This patch adds the initial support for Fedora 25 in the security
role. A non-voting gate job is proposed in the following review:

  https://review.openstack.org/#/c/467297/

Docs and general cleanup for Fedora/Debian support is coming soon.

Change-Id: Ia6c551d2f33255f7f71f7ba9bb328fc8f17f61e0
2017-05-31 13:33:34 +00:00
Jean-Philippe Evrard 9361a146e4 Do not update grub if grub not used
The security check should be skipped if GRUB update tool does not
exist (grub isn't installed).

Change-Id: I99a3b372e12e264cbc40bdc3ae6b6b60bf3c1c79
2017-04-13 12:34:22 +00:00
Major Hayden 701c0b1e32 Fix path to daemon init params file
Ubuntu 14.04 and CentOS 7 have their daemon initialization
parameters file in different places. This fixes a bug where
the path in CentOS was incorrect.

Closes-Bug: 1662545
Change-Id: Ie0b30848a73f8a1fbc7fe6a475d93d87a72ce40f
2017-04-04 10:52:02 -05:00
Major Hayden dccce1d5cc Handle RHEL 7 STIG renumbering
This patch gets the docs adjusted to work with the new RHEL 7 STIG
version 1 release. The new STIG release has changed all of the
numbering, but it maintains a link to (most) of the old STIG IDs in
the XML.

Closes-bug: 1676865
Change-Id: I65023fe63163c9804a3aec9dcdbf23c69bedb604
2017-04-04 07:22:12 -05:00
Logan V dc8dc3dbf9 Install chrony when enabled in RHEL7 STIG
Chrony was not being installed by the RHEL7 STIG package list when
enabled, causing a failure when the service configuration was
attempted.

This fixes the following failure:
http://cdn.pasteraw.com/7vo74lbz1jyf9qm5010mfqa169a8zpf

Change-Id: I6accac5504abe6fb1f2d0d0db5baa9b5a42a5c70
2017-01-21 18:52:09 -06:00
Major Hayden 1cf9fba0d3 Enable FIPS [+Docs]
This patch installs `dracut-fips` and checks to see if the deployer has FIPS
enabled at boot time. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I9a6da4dc753fbfc3949f0c78e53af3bb5e3083ef
2016-12-13 18:06:39 +00:00
Major Hayden 28cd87354d Check for pam_lastlogin [+Docs]
This patch adds a verification check for `pam_lastlogin` in PAM's
configuration.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: Ib2135331efc0cfb6dca581ac7c70fac6dc7d3224
2016-12-08 16:20:23 -06:00
Major Hayden 280e797a4e Set grub2 password [+Docs]
This patch allows deployers to optionally set a GRUB 2 password for accessing
single-user and maintenance runlevels. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I33d1ef4dec72d196deaca142169675aa5077740b
2016-12-08 16:20:23 -06:00
Major Hayden e5db8521d9 Enable automatic package updates [+Docs]
This patch allows a deployer to optionally enable automatic package updates.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I79d38971ea847096e7f20f0912363deaf5028a74
2016-12-08 16:20:23 -06:00
Major Hayden 505a4a9eb0 Enable AIDE [+Docs]
This patch installs AIDE and optionally initializes the AIDE database. A
cron job is also deployed for CentOS/RHEL since it doesn't come with
the AIDE package itself.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: Iae04c95903960deee2d750037c08b50c4ce4f800
2016-12-08 16:20:23 -06:00
Major Hayden fd4fa2d3d7 Set audisp failure options [+Docs]
This patch adds configurations for audisp when the disk is full on the remote
server or when there is a network interruption between the local system and
the remote audisp server.

It also explicitly installs auditd/audisp-plugins to ensure that auditd and
the remote audisp log sender are installed on CentOS/RHEL.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I589ae00a70582ee3f5d48453b3c20f23752adfa6
2016-12-08 14:24:03 +00:00
Jenkins 939c9e5189 Merge "Enable firewalld [+Docs]" 2016-12-01 06:16:58 +00:00
Major Hayden c777f734ac Enable firewalld [+Docs]
This patch allows deployers to opt-in for firewalld. The firewalld package
is installed and the service is enabled when `security_enable_firewalld` is
set to `yes`.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I641a8c7e468ed1b7908d2b62296fa309de6979b5
2016-11-30 13:00:23 -06:00
Major Hayden 3efe849be8 Enable SELinux/AppArmor [+Docs]
This patch enables SELinux/AppArmor and sets the SELinux targeted policy
on CentOS/RHEL hosts. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I7e225bc10331e12d2405154d873a578e18532305
2016-11-29 15:42:16 -06:00
Major Hayden 4c792445d4 Move common variables to common.yml
This patch creates a common.yml variables file to hold variables
that apply to all distributions supported by the role. It also adds
comments into the existing vars file to instruct developers and
deployers about the proper location for variables.

Implements: blueprint security-rhel7-stig
Change-Id: Idad1cbfe0c6992a6333c4740080764a3ac776628
2016-11-20 17:11:12 +00:00
Jenkins 3b2c5bf47f Merge "Refactor auditd rules" 2016-11-18 19:57:42 +00:00
Jenkins 449bc820e6 Merge "Move clamav packages to rhel7 vars" 2016-11-18 19:27:49 +00:00
Major Hayden ff5bbe1233 Refactor auditd rules
This commit adds all of the remaining audit rules to the role and
refactors the audit rules (mostly) into a list that jinja2 can
loop over.

Docs will be in a follow-on patch.

Implements: blueprint security-rhel7-stig
Change-Id: I17ca6356ae7819f0721585850e4d70e0bac29ff1
2016-11-18 12:39:00 -06:00
Jenkins b199e4f070 Merge "Fix stig_packages_rhel7 typo" 2016-11-18 18:22:13 +00:00
Major Hayden 5c97321864 Move clamav packages to rhel7 vars
The package variables for clamav somehow ended up in the RHEL 6 vars. This
patch puts them in the right place.

Change-Id: I48705bbb79367fa60745e98850652c0331537322
2016-11-18 13:57:03 +00:00
Major Hayden 4c91f2123f Fix stig_packages_rhel7 typo
This patch fixes a typo where the RHEL 6 STIG packages list was
used by mistake.

Change-Id: I5ce7de15aa9c5f0caaa20375c14008adb976ed4b
2016-11-17 14:43:00 -06:00
Jenkins 598923356c Merge "Disable repo GPG checks by default" 2016-11-17 03:02:20 +00:00
Major Hayden 8868011d4c Disable repo GPG checks by default
Enabling repo GPG checks causes some CentOS systems to become unable to
retrieve yum metadata. It also causes the security gate jobs to balloon
out to 12 minutes (normally 3-4 mins).

Closes-Bug: 1641729
Change-Id: I229b471bbd9fbe39776b9022671b03da0a659163
2016-11-14 15:20:04 -06:00
Major Hayden 3c0cc41969 Enable virus scanner
The STIG requires that a virus scanner is installed and running. This
won't be popular on many hypervisors or OpenStack control plane servers,
so the tasks are disabled by default.

Implements: blueprint security-rhel7-stig
Change-Id: I3b4803139e63aae3b740e8e150cb552a298c4ece
2016-11-14 08:23:38 -06:00
Major Hayden 8daae8cd7e Transmit audit logs to other servers
This patch adds docs and tasks for RHEL-07-030330. Deployers should
specify a host to receive audit logs. The tasks will only take action
when a host is specified with `security_audisp_remote_server`.

Implements: blueprint security-rhel7-stig
Change-Id: Ic37764766f3e254e46bad6b81f274c0a8677ab6a
2016-11-09 17:43:58 +00:00
Major Hayden 9d74dbd915 Install screen and ssh client/server
This patch ensures that screen and ssh packages are installed. It
fulfills the requirements of these two STIGs:

* RHEL-07-010072
* RHEL-07-040260

Implements: blueprint security-rhel7-stig
Change-Id: Id30d586bfff8b34554195845a565d491c2ac76e2
2016-11-07 21:53:26 +00:00
Major Hayden e5f35284fc Remove packages according to STIG
This patch removes packages per the requirements of these STIGs:

* RHEL-07-040500
* RHEL-07-020010
* RHEL-07-020000
* RHEL-07-021910
* RHEL-07-040560

Implements: blueprint security-rhel7-stig
Change-Id: I52459d54c578c4e14392bf647268a2237f8df24a
2016-11-07 21:47:35 +00:00
Marc Gariepy fec2cb36eb Add conf file entry for chrony
On CentOS the chrony.conf is in /etc/. Adding a var to define it.

Depends-On: I1aa3faf88f5953c230693600fcbcb786d49a35e0
Change-Id: Id6afe700f0d908396b4441e6c92dc79e29b228bf
2016-11-07 15:55:05 -05:00
Major Hayden 784a38ec4c Speed up package install/removal
Instead of breaking up package installations and removals into separate
tasks, this patch moves them all under one task that does two execution
steps.

In addition, the security_enable_chrony variable was added to control the
installation and configuration of chrony. The tox tests for the role were
configured to skip chrony in the gate using a skipped tag, but this caused
the package install/removal task to get skipped.

Docs/release notes are included for the chrony change.

Change-Id: I1def033953b50be3911cd932fd17b10dd2c658b7
2016-11-03 13:30:56 -05:00
Major Hayden 2aca8287dc Adding V-38438 (auditd during boot)
This patch adds a task and handlers for enabling the audit daemon
during the boot sequence to comply with V-38438. Deployers have
the option to opt-out of the entire change, or they can apply the
change without updating the active grub.cfg file.

Change-Id: Ia8702b8439a5993516397363b21356f1216be403
2016-09-06 13:21:11 +00:00
Major Hayden 578ce32998 Ensure AIDE initializes on subsequent runs
If a deployer installs AIDE the first time they apply the role
without initializing AIDE and they want to initialize it later,
the handler that does the initialization never fires.

This patch does a few things:

  - Ensures AIDE initialization if the initialize_aide bool is True
  - Doesn't initialize the AIDE db if it already exists
  - Moves the new db into place on Red Hat systems
  - Moves the AIDE tasks into its own file with tags
  - Prevents AIDE from trawling through /var

Closes-bug: 1616281

Change-Id: I85d65738fde064b06b1147c529b22c3f44a33e94
2016-08-25 12:56:35 +00:00
Major Hayden 822ffad0bc Add AIDE cron job in CentOS 7
This patch ensures that the AIDE cron job is present on CentOS 7
and RHEL 7 servers.

Closes-bug: 1614532

Change-Id: I4ce25cb4fcfffcadf5c19fef429488f5f9d8aa8f
2016-08-18 15:12:36 +00:00
Jean-Philippe Evrard b5b92c1abe Fix chrony daemon name for rh derivatives
RH/CentOS 7 uses chronyd instead of chrony as service name.

Closes-Bug: 1604042

Change-Id: I69fbba7ea2d7c108f51d36b9fd4ed8cf547c517b
Signed-off-by: Jean-Philippe Evrard <jean-philippe.evrard@rackspace.co.uk>
2016-07-19 15:45:48 +01:00
Mark Hooper 03d436f864 Fix grub configuration file path in RHEL/CentOS 7
CentOS and RHEL 7 both use /boot/grub2/grub.cfg, but the tasks in the
security role expect it to be in /boot/grub/grub.cfg. This patch
adds a variable for the grub configuration file path.

Closes-bug: 1590102

Change-Id: I724d6eb3b716bd9b0006d0d2e5ad201481d52e59
2016-06-07 19:48:11 +00:00
Major Hayden 6476ef7635 Ensure V-38574 works reliably on CentOS
This patch ensures that the tasks can find the right PAM
files to do the checks for V-38574. CentOS systems usually
symlink password-auth to password-auth-ac, but this symlink
is missing in the gate image.

The tasks now look for the password-auth file and this will work
properly on a generic CentOS 7 system as well as within the gate image.

Change-Id: I24281530df8bc939a823ffcc6187882574d266f6
2016-05-31 15:39:56 +00:00
Major Hayden 22c4c21583 Add CentOS 7 and Ubuntu 16.04 support
This patch adds initial support for CentOS 7 and Ubuntu 16.04
to the security role. Documentation and tests still need updates
in subsequent patches.

Release notes are included.

Change-Id: Iae936bb307a5938651c55e703d68d39a7716d178
2016-05-13 14:57:28 -05:00