Merge "Disable repo GPG checks by default"
commit
598923356c
|
@ -463,9 +463,10 @@ security_rhel7_remove_ypserv: yes # RHEL-07-020010
|
|||
security_package_clean_on_remove: no # RHEL-07-020200
|
||||
|
||||
## RPM (rpm)
|
||||
# Enable GPG checks for remotely and locally installed packages. This includes
|
||||
# RHEL-07-020150, RHEL-07-020151, and RHEL-07-020152.
|
||||
security_enable_gpgcheck: yes # RHEL-07-020150
|
||||
# Enable GPG checks for packages and repository data.
|
||||
security_enable_gpgcheck_packages: yes # RHEL-07-020150
|
||||
security_enable_gpgcheck_packages_local: yes # RHEL-07-020151
|
||||
security_enable_gpgcheck_repo: no # RHEL-07-020152
|
||||
|
||||
## ssh server (sshd)
|
||||
# Disallow logins from users with empty/null passwords.
|
||||
|
|
|
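Review bot: `security_enable_gpgcheck_repo: no` leaves RHEL-07-020152 unmet on every host that keeps the role defaults, and the comment just above it ("Enable GPG checks for packages and repository data") now overstates what the defaults actually enable. The reason for the deviation lives only in the rendered docs; a reader of this file should see it in place, e.g. change the inline comment to `security_enable_gpgcheck_repo: no  # RHEL-07-020152 - off by default: repo_gpgcheck=1 can break metadata retrieval on CentOS; enable after testing`. It is not visible from the gutter-less rendering whether `security_enable_gpgcheck: yes` survives on the new side; if it is being removed, note that the former master switch no longer gates anything, since a deployer who still sets it to `no` expecting a full opt-out will now get all three checks enforced (or, if it stays, it is dead configuration).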
@ -12,13 +12,6 @@ On CentOS 7 systems, the tasks set the ``gpgcheck`` option to ``1`` in the
|
|||
``/etc/yum.conf`` file. This enables GPG checks for all packages installed
|
||||
with ``yum``.
|
||||
|
||||
Deployers can opt-out of this change by setting the following Ansible variable:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_enable_gpgcheck: no
|
||||
|
||||
Note that setting this variable also affects two other STIG configurations:
|
||||
|
||||
* :ref:`stig-RHEL-07-020151`
|
||||
* :ref:`stig-RHEL-07-020152`
|
||||
Setting ``security_enable_gpgcheck_packages`` to ``no`` will skip the
|
||||
``AllowUnauthenticated`` string check on Ubuntu and it will set ``gpgcheck=0``
|
||||
in ``/etc/yum.conf`` on CentOS systems.
|
||||
|
|
|
@ -12,13 +12,6 @@ On CentOS 7 systems, the tasks set the ``localpkg_gpgcheck`` option to ``1`` in
|
|||
the ``/etc/yum.conf`` file. This enables GPG checks for all packages installed
|
||||
locally with ``yum``.
|
||||
|
||||
Deployers can opt-out of this change by setting the following Ansible variable:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_enable_gpgcheck: no
|
||||
|
||||
Note that setting this variable also affects two other STIG configurations:
|
||||
|
||||
* :ref:`stig-RHEL-07-020150`
|
||||
* :ref:`stig-RHEL-07-020152`
|
||||
Setting ``security_enable_gpgcheck_packages_local`` to ``no`` will skip the
|
||||
``no-debsig`` adjustment on Ubuntu and it will set ``local_gpgcheck=0`` in
|
||||
``/etc/yum.conf`` on CentOS systems.
|
||||
|
|
|
@ -4,20 +4,18 @@ status: implemented
|
|||
tag: packages
|
||||
---
|
||||
|
||||
On Ubuntu systems, the tasks check for the ``AllowUnauthenticated`` string
|
||||
anywhere in the apt configuration files found within ``/etc/apt/apt.conf.d/``.
|
||||
If the string is found, a warning is printed on the console.
|
||||
The STIG requires that repository XML files are verified during ``yum`` runs.
|
||||
|
||||
On CentOS 7 systems, the tasks set the ``repo_gpgcheck`` option to ``1`` in the
|
||||
``/etc/yum.conf`` file. This enables GPG checks for all repository metadata.
|
||||
.. warning::
|
||||
|
||||
Deployers can opt-out of this change by setting the following Ansible variable:
|
||||
This setting is disabled by default because it can cause issues with CentOS
|
||||
systems and prevent them from retrieving repository information. Deployers
|
||||
who choose to enable this setting should test it thoroughly on
|
||||
non-production environments before applying it to production systems.
|
||||
|
||||
Deployers can override this default and opt in for the change by setting the
|
||||
following Ansible variable:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_enable_gpgcheck: no
|
||||
|
||||
Note that setting this variable also affects two other STIG configurations:
|
||||
|
||||
* :ref:`stig-RHEL-07-020150`
|
||||
* :ref:`stig-RHEL-07-020151`
|
||||
security_enable_gpgcheck_repo: yes
|
||||
|
|
|
@ -72,11 +72,12 @@
|
|||
- name: RHEL-07-020150 - Package management tool must verify authenticity of packages
|
||||
debug:
|
||||
msg: "Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified."
|
||||
when: "gpgcheck_result.rc == 0"
|
||||
when:
|
||||
- security_enable_gpgcheck_packages | bool
|
||||
- gpgcheck_result.rc == 0
|
||||
tags:
|
||||
- high
|
||||
- RHEL-07-020150
|
||||
- RHEL-07-020152
|
||||
|
||||
- name: RHEL-07-020151 - Package management tool must verify authenticity of locally-installed packages
|
||||
lineinfile:
|
||||
|
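Review bot: The new `when` list keeps `gpgcheck_result.rc == 0`, but the task that registers `gpgcheck_result` lies outside this hunk; if it was gated on `security_enable_gpgcheck` like the sibling condition in the next hunk, it needs the same rename to `security_enable_gpgcheck_packages`, otherwise the play fails on an undefined variable once the master switch leaves the defaults. The ordering here is right: the variable check comes first, so the `rc` lookup is never evaluated when the check is disabled. This task still carries the `RHEL-07-020152` tag while `security_enable_gpgcheck_repo` is not consulted anywhere on Ubuntu; if that tag survives, a one-line comment above the task explaining why a single apt check is reported under two STIG IDs (and that the repo toggle is CentOS-only) would prevent the next reader from adding a second task.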
@ -85,7 +86,7 @@
|
|||
line: "#no-debsig"
|
||||
state: present
|
||||
when:
|
||||
- security_enable_gpgcheck | bool
|
||||
- security_enable_gpgcheck_packages_local | bool
|
||||
tags:
|
||||
- high
|
||||
- RHEL-07-020151
|
||||
|
|
|
@ -60,19 +60,13 @@
|
|||
- high
|
||||
- RHEL-07-010020
|
||||
|
||||
# This covers RHEL-07-020150, RHEL-07-020151, and RHEL-07-020152.
|
||||
- name: RHEL-07-020150 - Require digital signatures for all packages
|
||||
lineinfile:
|
||||
dest: /etc/yum.conf
|
||||
regexp: "{{ item.regexp }}"
|
||||
line: "{{ item.line }}"
|
||||
state: present
|
||||
with_items:
|
||||
- { regexp: "^gpgcheck.*", line: "gpgcheck=1" }
|
||||
- { regexp: "^localpkg_gpgcheck.*", line: "localpkg_gpgcheck=1" }
|
||||
- { regexp: "^repo_gpgcheck.*", line: "repo_gpgcheck=1" }
|
||||
when:
|
||||
- security_enable_gpgcheck | bool
|
||||
with_items: "{{ rpm_gpgchecks | default([]) }}"
|
||||
tags:
|
||||
- rpm
|
||||
- high
|
||||
|
|
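Review bot: `with_items: "{{ rpm_gpgchecks | default([]) }}"` turns a missing `rpm_gpgchecks` definition into a silent no-op — the task reports ok with zero items and none of the three `gpgcheck` lines are written — which is the wrong failure mode for a high-severity STIG control. The list is defined in the role's vars file (last hunk), so the default is not needed; use `with_items: "{{ rpm_gpgchecks }}"` so a typo or a vars-file load problem fails loudly, or add an `assert` that the list has three entries. The hunk appears to drop the `when: security_enable_gpgcheck | bool` guard so the lineinfile always runs and the per-check variables decide each value; if so, the task name still claims only RHEL-07-020150, and a comment such as `# Writes gpgcheck, localpkg_gpgcheck and repo_gpgcheck (RHEL-07-020150/151/152); values come from rpm_gpgchecks` would restore what the removed comment line said.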
|
@ -126,3 +126,11 @@ stig_packages_rhel7:
|
|||
- ypserv
|
||||
state: absent
|
||||
enabled: "{{ security_rhel7_remove_ypserv }}"
|
||||
|
||||
rpm_gpgchecks:
|
||||
- regexp: "^gpgcheck.*"
|
||||
line: "gpgcheck={{ security_enable_gpgcheck_packages | bool | ternary('1', 0) }}"
|
||||
- regexp: "^localpkg_gpgcheck.*"
|
||||
line: "localpkg_gpgcheck={{ security_enable_gpgcheck_packages_local | bool | ternary('1', 0) }}"
|
||||
- regexp: "^repo_gpgcheck.*"
|
||||
line: "repo_gpgcheck={{ security_enable_gpgcheck_repo | bool | ternary('1', 0) }}"
|
||||
|
|
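Review bot: With `ternary('1', 0)` each disabled check is actively written as `=0` into `/etc/yum.conf`, so `security_enable_gpgcheck_repo: no` (the new default) and any per-check `no` overwrite an `=1` a deployer may already have set by hand, whereas the Ubuntu tasks in the earlier hunks simply skip when their variable is false; the two platforms therefore degrade differently. If writing `0` is intended, state it above the list: `# A disabled check is written as =0 (not skipped) and overrides any value already present in yum.conf.`; otherwise filter disabled entries out of the list so the host keeps its current setting. The two branches also mix a string `'1'` with an int `0`; `ternary('1', '0')` renders identically and reads consistently. Separately, the rendered note for RHEL-07-020151 in this change calls the option `local_gpgcheck=0`, while the key written here is `localpkg_gpgcheck` — the docs should name the real key.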