Commit Graph

46 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov 037e5493b6 Remove commandkey from chrony config
Since version 2.2 chrony has removed the commandkey option and
it's not a valid option for any currently supported distro.

Change-Id: I7c02cf6b7575a9ab753d85cdd6582f209f39be1b
2023-05-23 19:00:23 +02:00
Dmitriy Rabotyagov aa1feb4527 Clean out SSH options we are managing
With the current behaviour we duplicate SSH options and don't care if the same
thing is defined anywhere down the line.
With this change we change how options are defined - instead of the
template we use a list of mappings. With that
we can select and remove options that the playbook is supposed to manage.

With that we also keep playbook idempotency. As a side effect we still
can have options duplicated, but only if they have the exact same value.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/840353
Change-Id: I140606f7e724fbe2a4f0b03f6a0501da7bdd5964
Closes-Bug: #1958649
2022-05-20 07:53:05 +00:00
Jonathan Rosser b9a9310d7c Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: I3dc2486a0666367d673b23403f2510c94c40eaf4
2021-03-10 16:54:58 +00:00
Dmitriy Rabotyagov 64ea421bba Ensure that motd is not displayed twice
motd is handled by default with the pam_motd.so module. Setting the Banner option
for sshd_config makes motd be shown twice, which is excessive.

Change-Id: I4e8bdbe8f482f61235b4b14a619e4ed91b01f2f4
2020-08-05 14:09:46 +03:00
Marc Gariepy ef1b417032 Switch to rtcsync for chrony
When setting security_ntp_sync_rtc to true, chrony will sync rtc every
11 minutes.

Using rtcfile + rtcautotrim locks access to the rtc clock for other tools,
like hwclock or timedatectl, so it's hard to validate that the clock is
really synced.

Change-Id: I72fd18d36ab139d7140281374b5c2b89f7cb460a
2019-01-15 09:35:09 -05:00
Jakob Englisch 06f05b2984 Chrony: add an option to sync the hardware clock
Provide the possibility to allow users to synchronize
the RTC. It is (still) disabled by default, since
certain combinations of linux kernel version and
hardware pieces are subject to cause lockups.

"rtcautotrim 10" and rtcfile have been favoured over
"rtcsync" since "rtcsync" syncs the RTC every 11 seconds
which is not necessary IMO. "rtcautotrim 10" will only
set the time to the RTC if the gap between the RTC and
the system clock exceeds 10 seconds.

Change-Id: I2961bc554eb6caf6e6c78137a33c4fde256ae1ff
2019-01-10 09:47:48 +00:00
Jakob Englisch cca2800ea4 Chrony: make ntp server options configurable
Users may wish to remove the 'offline' option for increased
reliability, since ifup/ifdown scripts are typically not
required in (static) server environments. Furthermore it
enables users to adjust the polling timers to their needs.

Change-Id: Iafa31c03e98785a574f38bb2206b9bea9550743e
2019-01-10 00:09:56 +01:00
Marc Gariepy 0c4b71f494 Add makestep to chronyd config.
This change will adjust the clock at once if the clock is offset by more
than 1 sec when chronyd starts.

Change-Id: Ia8bb5d2b75dfbff33eb7de3a293d943632e6860e
2018-08-20 15:08:17 -04:00
Yifei Xue 8025799fe6 Fix the path of chrony.keys
The path of chrony.keys on CentOS is different
from the one on Ubuntu. So change the definition
of keyfile to use variable defined in vars.

Change-Id: Ibb54318d5fff452857d917e3b13af6bae26a1b55
Signed-off-by: Yifei Xue <xueyifei@huawei.com>
2017-12-22 10:01:58 +08:00
Andy McCrae f32cb3c081 Change PermitRootLogin to allow alternate options
PermitRootLogin can be 'yes', 'no', 'without-password',
'prohibit-password' or 'forced-commands-only'.
This patch changes the functionality to ensure that
security_sshd_permit_root_login is one of the above settings - if so, it
will use that value.

Due to the way Ansible handles "no" and "yes", we have to check if the
value is "False" (string equivalent for boolean no), and if so output
"no", otherwise output the string (which would be one of the above
options).

Previously, we could only set this value to 'no'.

Change-Id: I5ee5ff6abc4578d17d4b23d8a2fa1648508ceeed
2017-11-09 15:18:28 +00:00
Zuul 75f78685e8 Merge "Fix logic error" 2017-10-20 16:12:24 +00:00
Jean-Philippe Evrard 2cf232ae62 Fix logic error
If security_sshd_permit_root_login is not set to yes, we should
override this and template a "no", instead of templating a "no"
when the value is set to yes.

Change-Id: I747a8818762119eee63fa03d175b66ae4021f6da
Closes-Bug: #1685194
2017-10-16 13:06:19 +00:00
Major Hayden 645ab573bf Remove RHEL 6 STIG auditd template
One file was missed when the RHEL 6 content was removed. This
template is no longer needed.

Change-Id: I0f6921a9b7cfd43662544ba164062c7b8ffd2852
2017-09-21 16:04:12 -05:00
Logan V 2a4875f2cd Re-adding the missing NTP default vars
Some of the NTP defaults used to deploy chrony were shared between
both the RHEL6 and RHEL7 STIG tasks, however the required defaults
for these vars were removed in
Iaae52c97a35d82dd807ef78a1a6593ce3aa33540.

Since they are still needed by the RHEL7 STIG chrony deployment
we will need to add them back.

I also removed a reference to "security_disable_ipv6" in the chrony
config file which was used to determine if Chrony should bind ::1 for
its management socket. Since the "security_disable_ipv6" var no longer
exists, we will unconditionally bind the ::1 management address.

Change-Id: Ic80bda5fbf5cb4424e305ff9839121416b8bea19
2017-09-13 16:10:01 +00:00
Major Hayden 38270e7870 [Docs] Replace security role references
This patch changes any reference of openstack-ansible-security to
ansible-hardening.

Change-Id: Ib264e31a926c05380b0d1dcd630ad8f3fd1e58f3
2017-06-12 18:59:28 +00:00
Major Hayden dccce1d5cc Handle RHEL 7 STIG renumbering
This patch gets the docs adjusted to work with the new RHEL 7 STIG
version 1 release. The new STIG release has changed all of the
numbering, but it maintains a link to (most) of the old STIG IDs in
the XML.

Closes-bug: 1676865
Change-Id: I65023fe63163c9804a3aec9dcdbf23c69bedb604
2017-04-04 07:22:12 -05:00
Shannon Mitchell 4cb2fa4eaa Enable ntp client functionality with chronyd
Using 'bindaddress' in /etc/chrony/chrony.conf disables both
client and server ntp functionality, as it cannot get the ntp
responses from peer servers. The default install will leave the
servers unsynced with an ntp source, causing them to skew over
time and eventually break services that rely on synced time.
Setting 'port 0' will disable the server functionality. Using
'bindcmdaddress' will still keep chronyc<->chronyd communications over
localhost only. This should allow client functionality and
disable server functionality.

Change-Id: Ie9b6e73333d9469a17e4cee06f21aa99b2b3df7e
Closes-Bug: #1656086
2017-02-24 16:15:23 +00:00
Major Hayden 3942b20fb1 Unblock security role gate
This patch addresses two issues that are blocking the security role
CI jobs from completing:

The OpenStack CI image is missing the default audit.rules file and this
causes augenrules to fail when it loads new rules. The first line in
the default rules file deletes existing rules and this must be in
place before loading new rulesets. The contents of the default file
are now in the template file, which is safer anyway. The default
file provided by the OS is removed.

The task that updates the apt cache in test.yml was running more than
once during the CI job run when the gate ran slowly. That's fine, but
it breaks the idempotence checks. A `changed_when` is added to the task
to ensure that the idempotence tests aren't affected by an apt cache
update.

Change-Id: I9c2b50389cc2e4fa81717dcceccf6da1d973d34c
2017-01-03 12:19:46 -06:00
Major Hayden 14fa6e5060 Enable chrony [+Docs]
This patch enables chrony and performs basic configuration to meet the
STIG requirements.

These tasks can't be enabled in OpenStack CI due to conflicts with existing
NTP daemons in the CI image.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: If6736c0f4a16de1ba41a4cfa00f5f72f8baf0054
2016-12-09 10:32:24 +00:00
Major Hayden fa657903bc Apply pam_faillock restrictions [+Docs]
This patch applies pam_faillock restrictions to Red Hat and CentOS servers.
It's an optional change since it could cause issues with existing production
deployments.

Ubuntu doesn't have pam_faillock, but it may be possible to use fail2ban to
achieve some of the same goals later.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: Ib2d22deff2d97786b84a550313f6ca08cf10cef8
2016-12-05 08:47:59 +00:00
Major Hayden 8ad68162f3 Set minimum password length [+Docs]
This patch allows deployers to opt in for a minimum password
length restriction. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: Ia1d5d6677233ae21ce585b4a363d130e1bb003fa
2016-12-02 19:57:14 +00:00
Jenkins a53ad667ae Merge "Set auditd failure flag [+Docs]" 2016-12-01 00:16:30 +00:00
Major Hayden 0eece28000 Set auditd failure flag [+Docs]
This patch sets the auditd failure flag and controls what
auditd does when there is an auditing failure. Changing this setting
can cause a system to go offline and this is noted thoroughly in
the documentation.

Implements: blueprint security-rhel7-stig
Change-Id: I3eb76804a0335596afd3591ae0133fca7568d0cb
2016-11-29 16:20:32 -06:00
Major Hayden c59d5b6936 Apply password quality rules
This patch applies password quality rules and satisfies the following
controls:

 - RHEL-07-010090
 - RHEL-07-010100
 - RHEL-07-010110
 - RHEL-07-010120
 - RHEL-07-010130
 - RHEL-07-010140
 - RHEL-07-010150
 - RHEL-07-010160

Each password quality requirement can be turned on/off with variables
and there is one master switch variable that turns them all off. The
master switch is off by default because these rules can cause problems
with existing systems if users aren't aware of the new requirements.

This will be explained in detail in the docs in the follow-on patch.

Implements: blueprint security-rhel7-stig
Change-Id: I3023715933321f11668c060046c065c17d7d2c6b
2016-11-29 13:21:51 -06:00
Jenkins b116bf93b3 Merge "Enable graphical login banner" 2016-11-19 00:54:39 +00:00
Jenkins 3b2c5bf47f Merge "Refactor auditd rules" 2016-11-18 19:57:42 +00:00
Major Hayden 85630fd27f Enable graphical login banner
This patch enables login warning banners on graphical logins. Docs
will be in a follow-on patch.

Implements: blueprint security-rhel7-stig
Change-Id: I9aa7e2c2691b0d2c0659826037909bf43cef0505
2016-11-18 13:48:43 -06:00
Major Hayden ff5bbe1233 Refactor auditd rules
This commit adds all of the remaining audit rules to the role and
refactors the audit rules (mostly) into a list that jinja2 can
loop over.

Docs will be in a follow-on patch.

Implements: blueprint security-rhel7-stig
Change-Id: I17ca6356ae7819f0721585850e4d70e0bac29ff1
2016-11-18 12:39:00 -06:00
Major Hayden 5fbc456807 Set graphical session locks
This patch applies the graphical session lock settings from the following
STIG controls:

  - RHEL-07-010060
  - RHEL-07-010070
  - RHEL-07-010071
  - RHEL-07-010073
  - RHEL-07-010074

Docs will be provided in a follow-on patch.

Implements: blueprint security-rhel7-stig
Change-Id: I306ea5e2e274a2ca63158ba8b039686b27a5d923
2016-11-14 08:15:49 -06:00
Jenkins 92fac736bb Merge "Add template for audit rules" 2016-11-13 22:20:47 +00:00
Major Hayden 09487fd13d Add template for audit rules
This patch adds audit rules for the following STIG controls:

  - RHEL-07-030492
  - RHEL-07-030510
  - RHEL-07-030511
  - RHEL-07-030512
  - RHEL-07-030513
  - RHEL-07-030514
  - RHEL-07-030521
  - RHEL-07-030522
  - RHEL-07-030523
  - RHEL-07-030524
  - RHEL-07-030525
  - RHEL-07-030526
  - RHEL-07-030530
  - RHEL-07-030531
  - RHEL-07-030540
  - RHEL-07-030541
  - RHEL-07-030550
  - RHEL-07-030560
  - RHEL-07-030561
  - RHEL-07-030630
  - RHEL-07-030670
  - RHEL-07-030671
  - RHEL-07-030672
  - RHEL-07-030673
  - RHEL-07-030674
  - RHEL-07-030750
  - RHEL-07-030751
  - RHEL-07-030752
  - RHEL-07-030753
  - RHEL-07-030754

Implements: blueprint security-rhel7-stig
Change-Id: I538d3013720d107d0a0a83a0bf0d1dea16cf7692
2016-11-10 13:31:01 -06:00
Major Hayden 365ad6529c Configure sshd based on the RHEL 7 STIG
This patch adds several configurations for sshd per the STIG's requirements.
The following STIG requirements are met with this patch:

  - RHEL-07-010270
  - RHEL-07-010440
  - RHEL-07-010441
  - RHEL-07-010442
  - RHEL-07-040110
  - RHEL-07-040170
  - RHEL-07-040190
  - RHEL-07-040191
  - RHEL-07-040301
  - RHEL-07-040310
  - RHEL-07-040332
  - RHEL-07-040334
  - RHEL-07-040334
  - RHEL-07-040540
  - RHEL-07-040590
  - RHEL-07-040620
  - RHEL-07-040690
  - RHEL-07-040700
  - RHEL-07-040670
  - RHEL-07-040680

Only two tasks are needed for all of this work and this should speed up
the deployment nicely.

Documentation will be updated in a follow-on patch.

Implements: blueprint security-rhel7-stig
Change-Id: I80579533eac2dd983f6d370445d9796d7c22eefc
2016-11-09 17:44:08 +00:00
Major Hayden c93b1676cc Add network conf auditing on CentOS
This patch adds in auditing for /etc/sysconfig/network.

Closes-bug: 1622674
Change-Id: I0de15a130161ed1f8a6bdb2a7de33c55b91d6609
2016-09-12 14:51:58 -05:00
Major Hayden 98fdd520a0 Disable DAC change auditing
This patch disables all of the discretionary access control (DAC)
auditing in auditd. This should reduce the volume of logs created
during deployments and during OpenStack CI jobs.

The patch also corrects an incorrect key in the audit logs for
V-38568.

Closes-Bug: 1620849
Change-Id: I193f739647cfb7d0ce395984b51867bf6bd46cd8
2016-09-07 07:38:11 -05:00
Qing Wu Wang 5e70944bef Add audit rules to support ppc64le architecture.
Add 'ppc64' arch in osas-auditd.j2 to support ppc64le architecture.

Change-Id: Idb730325334a428e91c3eee44b7ca0980548da99
2016-07-25 04:23:01 -05:00
Major Hayden 44e6056a93 Add key fields to audit rules
This patch adjusts the key fields in the audit rules that are added
by the security rule to make it easier to link a log entry with the
audit rules that caused it. Deployers with overflowing logs should
be able to narrow down the rule much more easily.

Closes-Bug: 1590911

Change-Id: I39c673d515467f685004463e914a0a1aaec3c153
2016-06-09 13:42:21 -05:00
Major Hayden 40634db731 Add /etc/apparmor.d/ for auditing
As noted in https://review.openstack.org/319438, the /etc/apparmor.d/
directory was missing from the auditd rules applied for V-38541.

Change-Id: I564b72d103fa13af4562e4b21d68ef6097cecf37
2016-05-31 18:30:57 +00:00
Major Hayden 7b313ee1bc Adding audit rule for SELinux policy modifications
This patch fixes the auditd rules template so that AppArmor and SELinux
policy modifications are logged, depending on which Linux distribution
is in use. The security_audit_apparmor_changes variable has been renamed
to security_audit_mac_changes to be more generic.

Documentation updates and a release note are included.

Closes-bug: 1584187

Change-Id: I0955e2cb8a05af4afd36aaca518322a9df6d1ff7
2016-05-27 13:28:02 +00:00
Jenkins a73aee2fc9 Merge "Add new parameter 'security_ntp_bind_local_interfaces_only'" 2016-05-27 12:52:11 +00:00
Christian Berendt 3114703ebb Add new parameter 'security_ntp_bind_local_interfaces_only'
With the parameter 'security_ntp_bind_local_interfaces_only' it is possible
to configure if chronyd should listen on all available network interfaces for
NTP requests.

Change-Id: I7e56d60df7c7214e753d1ca86aceed05849addef
2016-05-27 11:08:17 +00:00
Christian Berendt 750260d3bd Use ansible_managed variable in templates
Change-Id: I7cb7ee0885c26bc4b9196ca44fe5dc318b9ef739
2016-05-19 13:57:16 +02:00
Major Hayden fa2800419e Migrate to unique variable names
This patch migrates all of the remaining non-unique variable names
in the security role to a pattern that begins with `security_*`.
This will reduce potential variable collisions with other roles.

This is a breaking change for deployers and users who are moving
from the liberty or stable/mitaka branches to master. Release notes
are included with additional details to help with the transition.

Closes-Bug: 1578326

Change-Id: Ib716e81e6fed971b21dc5579ae1a871736e21189
2016-05-09 16:18:48 -05:00
Major Hayden f5061fd022 Switch from dict to individual variables
The dictionary-based variables didn't work properly and this patch
changes them to individual variables. If users followed the existing
documentation, their environments will be unaffected by this change
(they are still broken).

The new variables follow the pattern `security_VARIABLENAME` which
will soon become the standard for the role to avoid variable name
collisions with other playbooks and roles.

Release notes are included with this patch.

Closes-bug: 1577944

Change-Id: I455f66a0b4f423e2cf0e753b129367427f29479f
2016-05-05 08:32:38 -05:00
Major Hayden d5d5069366 Move template that was missed with rename
Change-Id: Icea1158eca4269bb59e5618f87a8c085aff9cd66
2015-11-02 10:20:20 -06:00
Major Hayden 53f9b60e58 V-51391: Initialize AIDE
Closes-bug: 1505793

Implements: blueprint security-hardening

Change-Id: Ia15368c0af184054c5be60c893c751e449b8770a
2015-10-19 07:32:22 -05:00
Jesse Pretorius 58ac7a8a7a Enable role testing and make structure ansible-galaxy compatible
This patch adds the bits needed to implement automated syntax/lint
role testing. It also moves the role into the base repository so
that the role becomes fully compatible with ansible-galaxy to
improve the role's consumability.

Change-Id: Ia79cd5dedbbe50dfdf46688830a989ff0897832a
2015-10-09 11:47:23 +00:00