From 8868011d4cd039e926e7a6f843d65f1c3b0ecf38 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Mon, 14 Nov 2016 15:20:04 -0600
Subject: [PATCH] Disable repo GPG checks by default

Enable repo GPG checks causes some CentOS systems to become unable to retrieve yum metadata. It also causes the security gate jobs to balloon out to 12 minutes (normally 3-4 mins).

Closes-Bug: 1641729
Change-Id: I229b471bbd9fbe39776b9022671b03da0a659163
---
 defaults/main.yml | 7 ++++---
 doc/metadata/rhel7/RHEL-07-020150.rst | 13 +++----------
 doc/metadata/rhel7/RHEL-07-020151.rst | 13 +++----------
 doc/metadata/rhel7/RHEL-07-020152.rst | 22 ++++++++++------------
 tasks/rhel7stig/apt.yml | 7 ++++---
 tasks/rhel7stig/rpm.yml | 8 +-------
 vars/redhat.yml | 8 ++++++++
 7 files changed, 33 insertions(+), 45 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 71d6d626..b7fadb4b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -449,9 +449,10 @@ security_rhel7_remove_ypserv: yes # RHEL-07-020010
 security_package_clean_on_remove: no # RHEL-07-020200
 
 ## RPM (rpm)
-# Enable GPG checks for remotely and locally installed packages. This includes
-# RHEL-07-020150, RHEL-07-020151, and RHEL-07-020152.
-security_enable_gpgcheck: yes # RHEL-07-020150
+# Enable GPG checks for packages and repository data.
+security_enable_gpgcheck_packages: yes # RHEL-07-020150
+security_enable_gpgcheck_packages_local: yes # RHEL-07-020151
+security_enable_gpgcheck_repo: no # RHEL-07-020152
 
 ## ssh server (sshd)
 # Disallow logins from users with empty/null passwords.
diff --git a/doc/metadata/rhel7/RHEL-07-020150.rst b/doc/metadata/rhel7/RHEL-07-020150.rst
index ae8f6494..d6d3b89a 100644
--- a/doc/metadata/rhel7/RHEL-07-020150.rst
+++ b/doc/metadata/rhel7/RHEL-07-020150.rst
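Review bot: The replacement comment `# Enable GPG checks for packages and repository data.` does not tell a deployer that a value of `no` is now enforced rather than skipped: vars/redhat.yml in this same change renders the matching yum.conf option as `=0` when the variable is false, whereas the removed `security_enable_gpgcheck` only caused the task to be skipped. Because `no` can therefore weaken a host that already had the option enabled, and because `security_enable_gpgcheck_repo` is the only one of the three defaulting to `no`, both points deserve a line next to the variables instead of living only in the commit message and the rst. Suggested comment above the three variables: `# Each variable writes its yum.conf option as 1 (yes) or 0 (no); "no" turns the check off rather than leaving the file alone. repo_gpgcheck defaults to "no" because enabling it has left some CentOS systems unable to retrieve yum metadata (RHEL-07-020152).`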
@@ -12,13 +12,6 @@ On CentOS 7 systems, the tasks set the ``gpgcheck`` option to ``1`` in the ``/etc/yum.conf`` file. This enables GPG checks for all packages installed with ``yum``.
-Deployers can opt-out of this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
-    security_enable_gpgcheck: no
-
-Note that setting this variable also affects two other STIG configurations:
-
-* :ref:`stig-RHEL-07-020151`
-* :ref:`stig-RHEL-07-020152`
+Setting ``security_enable_gpgcheck_packages`` to ``no`` will skip the
+``AllowUnauthenticated`` string check on Ubuntu and it will set ``gpgcheck=0``
+in ``/etc/yum.conf`` on CentOS systems.
diff --git a/doc/metadata/rhel7/RHEL-07-020151.rst b/doc/metadata/rhel7/RHEL-07-020151.rst
index fb16792d..09684f37 100644
--- a/doc/metadata/rhel7/RHEL-07-020151.rst
+++ b/doc/metadata/rhel7/RHEL-07-020151.rst
@@ -12,13 +12,6 @@ On CentOS 7 systems, the tasks set the ``localpkg_gpgcheck`` option to ``1`` in the ``/etc/yum.conf`` file. This enables GPG checks for all packages installed locally with ``yum``.
-Deployers can opt-out of this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
-    security_enable_gpgcheck: no
-
-Note that setting this variable also affects two other STIG configurations:
-
-* :ref:`stig-RHEL-07-020150`
-* :ref:`stig-RHEL-07-020152`
+Setting ``security_enable_gpgcheck_packages_local`` to ``no`` will skip the
+``no-debsig`` adjustment on Ubuntu and it will set ``local_gpgcheck=0`` in
+``/etc/yum.conf`` on CentOS systems.
diff --git a/doc/metadata/rhel7/RHEL-07-020152.rst b/doc/metadata/rhel7/RHEL-07-020152.rst
index 912d2f0e..4fa7c750 100644
--- a/doc/metadata/rhel7/RHEL-07-020152.rst
+++ b/doc/metadata/rhel7/RHEL-07-020152.rst
@@ -4,20 +4,18 @@ status: implemented
 tag: packages
 ---
 
-On Ubuntu systems, the tasks check for the ``AllowUnauthenticated`` string
-anywhere in the apt configuration files found within ``/etc/apt/apt.conf.d/``.
-If the string is found, a warning is printed on the console.
+The STIG requires that repository XML files are verified during ``yum`` runs.
 
-On CentOS 7 systems, the tasks set the ``repo_gpgcheck`` option to ``1`` in the
-``/etc/yum.conf`` file. This enables GPG checks for all repository metadata.
+.. warning::
 
-Deployers can opt-out of this change by setting the following Ansible variable:
+    This setting is disabled by default because it can cause issues with CentOS
+    systems and prevent them from retrieving repository information. Deployers
+    who choose to enable this setting should test it thoroughly on
+    non-production environments before applying it to production systems.
+
+Deployers can override this default and opt in for the change by setting the
+following Ansible variable:
 
 .. code-block:: yaml
 
-    security_enable_gpgcheck: no
-
-Note that setting this variable also affects two other STIG configurations:
-
-* :ref:`stig-RHEL-07-020150`
-* :ref:`stig-RHEL-07-020151`
+    security_enable_gpgcheck_repo: yes
diff --git a/tasks/rhel7stig/apt.yml b/tasks/rhel7stig/apt.yml
index 842230eb..567371e4 100644
--- a/tasks/rhel7stig/apt.yml
+++ b/tasks/rhel7stig/apt.yml
@@ -72,11 +72,12 @@
 - name: RHEL-07-020150 - Package management tool must verify authenticity of packages
   debug:
     msg: "Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified."
-  when: "gpgcheck_result.rc == 0"
+  when:
+    - security_enable_gpgcheck_packages | bool
+    - gpgcheck_result.rc == 0
   tags:
     - high
     - RHEL-07-020150
-    - RHEL-07-020152
 
 - name: RHEL-07-020151 - Package management tool must verify authenticity of locally-installed packages
   lineinfile:
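Review bot: Dropping the `RHEL-07-020152` tag from this task leaves no Ubuntu task carrying that STIG id, while the RHEL-07-020152 rst in this same change keeps `status: implemented` and now only describes the yum `repo_gpgcheck` option; whether apt repository verification is still covered elsewhere is not visible here. If the Ubuntu side of 020152 is intentionally out of scope, the rst should say so explicitly; otherwise keep the tag so that `--tags RHEL-07-020152` still reaches this check. The `debug` warning is also now suppressed whenever `security_enable_gpgcheck_packages` is false, although `gpgcheck_result` is presumably still registered by a task outside the hunk; a short comment above `when:` such as `# Warning only; not shown when the deployer has opted out of package GPG checks.` would make that intent clear to the next reader.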
@@ -85,7 +86,7 @@
     line: "#no-debsig"
     state: present
   when:
-    - security_enable_gpgcheck | bool
+    - security_enable_gpgcheck_packages_local | bool
   tags:
     - high
     - RHEL-07-020151
diff --git a/tasks/rhel7stig/rpm.yml b/tasks/rhel7stig/rpm.yml
index 1565c97f..bde9b8b2 100644
--- a/tasks/rhel7stig/rpm.yml
+++ b/tasks/rhel7stig/rpm.yml
@@ -60,19 +60,13 @@
     - high
     - RHEL-07-010020
 
-# This covers RHEL-07-020150, RHEL-07-020151, and RHEL-07-020152.
 - name: RHEL-07-020150 - Require digital signatures for all packages
   lineinfile:
     dest: /etc/yum.conf
     regexp: "{{ item.regexp }}"
     line: "{{ item.line }}"
     state: present
-  with_items:
-    - { regexp: "^gpgcheck.*", line: "gpgcheck=1" }
-    - { regexp: "^localpkg_gpgcheck.*", line: "localpkg_gpgcheck=1" }
-    - { regexp: "^repo_gpgcheck.*", line: "repo_gpgcheck=1" }
-  when:
-    - security_enable_gpgcheck | bool
+  with_items: "{{ rpm_gpgchecks | default([]) }}"
   tags:
     - rpm
     - high
diff --git a/vars/redhat.yml b/vars/redhat.yml
index 1e715428..b28118bb 100644
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@@ -113,3 +113,11 @@ stig_packages_rhel7:
       - ypserv
     state: absent
     enabled: "{{ security_rhel7_remove_ypserv }}"
+
+rpm_gpgchecks:
+  - regexp: "^gpgcheck.*"
+    line: "gpgcheck={{ security_enable_gpgcheck_packages | bool | ternary('1', 0) }}"
+  - regexp: "^localpkg_gpgcheck.*"
+    line: "localpkg_gpgcheck={{ security_enable_gpgcheck_packages_local | bool | ternary('1', 0) }}"
+  - regexp: "^repo_gpgcheck.*"
+    line: "repo_gpgcheck={{ security_enable_gpgcheck_repo | bool | ternary('1', 0) }}"
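Review bot: `with_items: "{{ rpm_gpgchecks | default([]) }}"` turns an undefined `rpm_gpgchecks` into a silent no-op: if the vars file that defines it is not loaded, none of the three gpgcheck options is written and the play still reports success, so a missing hardening step would go unnoticed. If this task file only runs on Red Hat family hosts (not visible here), drop the `default([])` so an undefined variable fails the task loudly; if it can run elsewhere, make the skip visible with `when: rpm_gpgchecks is defined` instead of an empty loop. The deleted comment was the only place recording that this single task also implements RHEL-07-020151 and RHEL-07-020152; keep that knowledge with `# Writes gpgcheck, localpkg_gpgcheck and repo_gpgcheck; covers RHEL-07-020150, RHEL-07-020151 and RHEL-07-020152.`. The task's `tags` list continues past the end of the hunk.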
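Review bot: Each `line` renders `=0` whenever its variable is false, so with the new default `security_enable_gpgcheck_repo: no` every run writes `repo_gpgcheck=0` into /etc/yum.conf and overwrites a deployer's own `repo_gpgcheck=1`; before this change a false variable skipped the lineinfile task and left the file alone, which is the safer meaning of "not enabled". If the intent is "do not enforce" rather than "turn off", carry the flag on each item, e.g. `- { regexp: "^repo_gpgcheck.*", line: "repo_gpgcheck=1", enabled: "{{ security_enable_gpgcheck_repo }}" }`, and add `when: item.enabled | bool` to the task in tasks/rhel7stig/rpm.yml so a disabled check is skipped instead of written as 0. `ternary('1', 0)` mixes a string and an int on all three lines; `ternary('1', '0')` says what is meant. The RHEL-07-020151 rst text added in this change says `local_gpgcheck=0`, but the option written here is `localpkg_gpgcheck`, so that doc line should be corrected to match the code.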