--- # Copyright 2015, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ## APT Cache Options # This variable is used across multiple OpenStack-Ansible roles to handle the # apt cache updates as efficiently as possible. cache_timeout: 600 # Set the package install state for distribution packages # Options are 'present' and 'latest' security_package_state: "latest" ### Default configurations for ansible-hardening ##################### # # All of the configuration items below are documented in the developer notes # found here: # # http://docs.openstack.org/developer/ansible-hardening/ # ############################################################################### ## AIDE # The default Ubuntu configuration for AIDE will cause it to wander into some # terrible places on the system, such as /var/lib/lxc and images in /opt. # The following three default exclusions are highly recommended for AIDE to # work properly, but additional exclusions can be added to this list if needed. security_aide_exclude_dirs: - /openstack - /opt - /run - /var # # By default, the AIDE database won't be initialized immediately since it can # consume plenty of CPU and I/O resources while it runs. To initialize the # AIDE database immediately when the playbook finishes, set the following # variable to 'true': security_initialize_aide: false ## Audit daemon # V-38438 requires that auditd is enabled at boot time with a parameter in the # GRUB configuration. # # If 'security_enable_audit_during_boot' is set to 'yes', then the 'audit=1' # parameter will be added in /etc/default/grub.d/. # If 'security_enable_grub_update is set to 'yes', the grub.cfg will be # updated automatically. security_enable_audit_during_boot: yes # V-38438 security_enable_grub_update: yes # V-38438 # The following booleans control the rule sets added to auditd's default # set of auditing rules. To see which rules will be added for each boolean, # refer to the templates/osas-auditd.j2 file. # # If the template changes due to booleans being adjusted, the new template # will be deployed onto the host and auditd will get the new rules loaded # automatically with augenrules. # security_audit_account_modification: yes # V-38531, V-38534, V-38538 security_audit_change_localtime: yes # V-38530 security_audit_change_system_time: yes # V-38635 security_audit_clock_settime: yes # V-38527 security_audit_clock_settimeofday: yes # V-38522 security_audit_clock_stime: yes # V-38525 security_audit_DAC_chmod: no # V-38543 security_audit_DAC_chown: no # V-38545 security_audit_DAC_lchown: no # V-38558 security_audit_DAC_fchmod: no # V-38547 security_audit_DAC_fchmodat: no # V-38550 security_audit_DAC_fchown: no # V-38552 security_audit_DAC_fchownat: no # V-38554 security_audit_DAC_fremovexattr: no # V-38556 security_audit_DAC_lremovexattr: no # V-38559 security_audit_DAC_fsetxattr: no # V-38557 security_audit_DAC_lsetxattr: no # V-38561 security_audit_DAC_setxattr: no # V-38565 security_audit_deletions: no # V-38575 security_audit_failed_access: no # V-38566 security_audit_filesystem_mounts: yes # V-38568 security_audit_kernel_modules: yes # V-38580 security_audit_mac_changes: yes # V-38541 security_audit_network_changes: yes # V-38540 security_audit_sudoers: yes # V-38578 # # **DANGER** # Changing the options below can cause systems to go offline unexpectedly or # stop serving requests as a security precaution. Read the developer notes for # each STIG prior to adjusting the following variables. # **DANGER** # # Set an action to occur when there is a disk error. Review the # documentation for V-38464 before changing this option. security_disk_error_action: SYSLOG # V-38464 # # Set an action to occur when the disk is full. Review the documentation for # V-38468 before changing this option. security_disk_full_action: SYSLOG # V-38468 # # V-38678 - Set the amount of megabytes left when the space_left_action # triggers. The STIG guideline doesn't specify a size, but Ubuntu chooses a # default of 75MB, which is reasonable. security_space_left: 75 # V-38678 # # Set an action to occur when the disk is approaching its capacity. # Review the documentation for V-38470 before changing this option. security_space_left_action: SYSLOG # V-38470 # # Set the maximum size of a rotated log file. Ubuntu's default # matches the STIG requirement of 6MB. security_max_log_file: 6 # V 38633 # # Sets the action to take when log files reach the maximum file size. # Review the documentation for V-38634 before changing this option. security_max_log_file_action: ROTATE # V-38634 # # Set the number of rotated audit logs to keep. Ubuntu has 5 as the default # and this matches the STIG's requirements. security_num_logs: 5 # V-38636 # # Set the email address of someone who can receive and respond to notifications # about low disk space for log volumes. security_action_mail_acct: root # V-38680 # # **IMMINENT DANGER** # The STIG says that the system should switch to single user mode when the # storage capacity gets very low. This can cause serious service disruptions # and should only be set to 'single' for deployers in extremely high security # environments. Ubuntu's default is SUSPEND, which will suspend logging. # **IMMENENT DANGER** security_admin_space_left_action: SUSPEND # V-54381 ## Chrony (NTP) configuration # Install and enable chrony to sync time with NTP servers. security_enable_chrony: yes # V-38620 # Adjust the following NTP servers if necessary. security_ntp_servers: - 0.north-america.pool.ntp.org - 1.north-america.pool.ntp.org - 2.north-america.pool.ntp.org - 3.north-america.pool.ntp.org # Chrony limits access to clients that are on certain subnets. Adjust the # following subnets here to limit client access to chrony servers. security_allowed_ntp_subnets: - 10/8 - 192.168/16 - 172.16/12 # Listen for NTP requests only on local interfaces. security_ntp_bind_local_interfaces_only: yes ## Core dumps # V-38675 requires disabling core dumps for all users unless absolutely # necessary. Set this variable to 'no' to skip this change. security_disable_core_dumps: yes # V-38675 ## Services # The STIG recommends ensuring that some services are running if no services # utilizing it are enabled. Setting a boolean to 'yes' here will ensure that # a service isn't actively running and will not be started after boot-up. # Setting a 'no' will ensure that this Ansible role does not alter the service # in any way from its current configuration. # security_disable_abrtd: yes # V-38641 security_disable_atd: yes # V-38640 security_disable_autofs: yes # V-38437 security_disable_avahi: yes # V-31618 security_disable_bluetooth: yes # V-38691 security_disable_netconsole: yes # v-38672 security_disable_qpidd: yes # V-38648 security_disable_rdisc: yes # V-38650 security_disable_rsh: yes # V-38594 security_disable_ypbind: yes # V-38604 security_disable_xinetd: yes # V-38582 # # The STIG recommends ensuring that some services aren't installed at ANY time. # Those services are listed here. Setting a boolean here to 'yes' wiil # ensure that the STIG is followed and the service is removed. Setting a # boolean to 'no' means that the playbook will not alter the service. # security_remove_ldap_server: yes # V-38627 security_remove_rsh_server: yes # V-38591 security_remove_sendmail: yes # V-38671 security_remove_telnet_server: yes # V-38587 security_remove_tftp_server: yes # V-38606 security_remove_xinetd: yes # V-38584 security_remove_xorg: yes # v-38676 security_remove_ypserv: yes # V-38603 # # The STIG does not allow the system to run a graphical interface. Set this # variable to 'no' if you need a graphical interface on the server. security_disable_x_windows: yes # V-38674 ## SSH configuration # The following configuration items will adjust how the ssh daemon is # configured. The recommendations from the RHEL 6 STIG are shown below, but # they can be adjusted to fit a particular environment. # # Set a 15 minute time out for SSH sessions if there is no activity security_ssh_client_alive_interval: 900 # V-38608 # # Timeout ssh sessions as soon as ClientAliveInterval is reached once security_ssh_client_alive_count_max: 0 # V-38610 # # The ssh daemon must not permit root logins. The default value of # 'without-password' is a deviation from the STIG requirements due to how # OpenStack-Ansible operates, especially within OpenStack CI gate jobs. See # documentation for V-38613 for more details. security_ssh_permit_root_login: 'without-password' # V-38613 ## Kernel # Set these booleans to 'yes' to disable the kernel module (following the # STIG requirements). Set the boolean to 'no' to ensure no changes are made. security_disable_module_bluetooth: yes # V-38682 security_disable_module_dccp: yes # V-38514 security_disable_module_rds: yes # V-38516 security_disable_module_sctp: yes # V-38515 security_disable_module_tipc: yes # V-38517 security_disable_module_usb_storage: no # V-38490 security_disable_icmpv4_redirects: no # V-38524 security_disable_icmpv4_redirects_secure: no # V-38526 security_disable_icmpv6_redirects: no # V-38548 # # ** DANGER ** # It's strongly recommended to fully understand the effects of changing the # following sysctl tunables. Refer to the documentation under 'Developer # Notes' for each of the STIGs below before making any changes. # ** DANGER ** # security_sysctl_enable_tcp_syncookies: yes # V-38539 security_sysctl_enable_martian_logging: no # V-38528 # # Deployers who wish to disable IPv6 entirely must set this configuration # variable to 'yes'. See the documentation for V-38546 before making this # change. security_disable_ipv6: no # V-38546 # Sets the global challenge ACK counter to a large value such # that a potential attacker could not reasonably come up against it. security_set_tcp_challenge_ack_limit: yes # CVE-2016-5696 ## Mail # The STIG requires inet_interfaces to be set to 'localhost', but Ubuntu will # configure it to be 'all' when dpkg-reconfigure is unavailable (as it is when # Ansible installs packages). The default here is 'localhost' to meet the STIG # requirement, but some deployers may want this set to 'all' if their hosts # need to receive emails over the network (which isn't common). # # See the documentation for V-38622 for more details. security_postfix_inet_interfaces: localhost # V-38622 # # Configuring an email address here will cause hosts to forward the root user's # email to another address. # #security_root_forward_email: user@example.com ## Linux Security Module (LSM) # AppArmor and SELinux provide powerful security controls on a Linux system # by setting policies for allowed actions. By setting the following variable # to true, the appropriate LSM will be enabled for the Linux distribution: # # Ubuntu: AppArmor # CentOS: SELinux # # See the ansible-hardening documentation for more details. security_enable_linux_security_module: yes # V-51337 ## PAM and authentication # V-38497 requires that accounts with null passwords aren't allowed to # authenticate via PAM. Ubuntu 14.04's default allows these logins -- see the # documentation for V-38497 for more details. Set the variable below to 'yes' # to remove 'nullok_secure' from the PAM configuration or set it to 'no' to # leave the PAM configuration unaltered. security_pam_remove_nullok: yes # V-38497 # # V-38501 requires that failed login attempts must lock a user account using # pam_faillock, but Ubuntu doesn't package that PAM module. Instead, fail2ban # can be installed to lock out IP addresses with failed logins for 15 minutes. # Set the variable below to 'yes' to install and configure fail2ban. security_install_fail2ban: no # V-38501 # # The STIG requires bans to last 15 minutes. Adjust the following variable # to set the time an IP is banned by fail2ban (in seconds). security_fail2ban_bantime: 900 # V-38501 ## Password complexity and aging # V-38475 - There is no password length requirement by default in Ubuntu 14.04. # To set a password length requirement, uncomment # security_password_minimum_length below. The STIG recommendation is 14 # characters. #security_password_minimum_length: 14 # V-38475 # V-38477 - There is no password change limitation set by default in Ubuntu. To # set the minimum number of days between password changes, uncomment the # security_password_minimum_days variable below. The STIG recommendation is 1 # day. #security_password_minimum_days: 1 # V-38477 # V-38479 - There is no age limit on password by default in Ubuntu. Uncomment # line below to use the STIG recommendation of 60 days. #security_password_maximum_days: 60 # V-38479 # V-38480 - To warn users before their password expires, uncomment the line # below and they will be warned 7 days prior (following the STIG). #security_password_warn_age: 7 # V-38480 # V-38684 - Setting the maximum number of simultaneous logins per user. The # STIG sets a limit of 10. #security_max_simultaneous_logins: 10 # V-38684 # V-38692 - Lock accounts that are inactive for 35 days. #security_inactive_account_lock_days: 35 # V-38692 ## sudo # V-58901 requires that 'NOPASSWD' and '!authenticate' do not appear in any # sudoers files since they could lead to a compromise. Set the following # variables to 'yes' to comment out any lines found with these prohibited # parameters or leave them set to 'no' (the default) to leave sudoers files # unaltered. Deployers are urged to review the documentation for this STIG # before making changes. security_sudoers_remove_nopasswd: no # V-58901 security_sudoers_remove_authenticate: no # V-58901 ## umask settings # The STIG recommends changing various default umask settings for users and # daemons via different methods. However, this could cause serious issues for # production OpenStack environements which haven't been tested with these # changes. # # The variables below are set to match the STIG requirements, but they are # commented out to ensure they require deployers to opt-in for each change. To # opt in for one of the changes below, simply uncomment the line and run the # playbook. Deployers are strongly advised to review the documentation for # these changes and review their systems to ensure these changes won't cause # service disruptions. # # V-38642 - Set umask for daemons in init scripts to 027 or 022 #security_umask_daemons_init: 027 # V-38642 # # V-38645 - System default umask in /etc/login.defs must be 077 #security_umask_login_defs: 077 # V-38645 # # V-38649 - System default umask for csh must be 077 #security_umask_csh: 077 # V-38649 # # V-38651 - System default umask for bash must be 077 #security_umask_bash: 077 # V-38651 ## Unattended upgrades (APT) configuration security_unattended_upgrades_enabled: false security_unattended_upgrades_notifications: false