634 lines
34 KiB
YAML
634 lines
34 KiB
YAML
---
|
|
# Copyright 2015, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
## STIG version selection
|
|
# During the Ocata development cycle, the role will begin adding the RHEL 7
|
|
# STIG content. By default, all operating systems will use the RHEL 6 STIG
|
|
# until the work has completed.
|
|
#
|
|
# This variable should only be adjusted for testing purposes.
|
|
stig_version: rhel6
|
|
|
|
## APT Cache Options
|
|
# This variable is used across multiple OpenStack-Ansible roles to handle the
|
|
# apt cache updates as efficiently as possible.
|
|
cache_timeout: 600
|
|
|
|
# Set the package install state for distribution packages
|
|
# Options are 'present' and 'latest'
|
|
security_package_state: present
|
|
|
|
###############################################################################
|
|
# ____ _ _ _____ _ __ ____ _____ ___ ____
|
|
# | _ \| | | | ____| | / /_ / ___|_ _|_ _/ ___|
|
|
# | |_) | |_| | _| | | | '_ \ \___ \ | | | | | _
|
|
# | _ <| _ | |___| |___ | (_) | ___) || | | | |_| |
|
|
# |_| \_\_| |_|_____|_____| \___/ |____/ |_| |___\____|
|
|
#
|
|
# The default configurations after this marker apply to the RHEL 6 STIG
|
|
# content in the openstack-ansible-security role. Review the comments below
|
|
# as well as the main openstack-ansible-security documentation:
|
|
#
|
|
# http://docs.openstack.org/developer/openstack-ansible-security/
|
|
#
|
|
###############################################################################
|
|
|
|
## AIDE
|
|
# The default Ubuntu configuration for AIDE will cause it to wander into some
|
|
# terrible places on the system, such as /var/lib/lxc and images in /opt.
|
|
# The following three default exclusions are highly recommended for AIDE to
|
|
# work properly, but additional exclusions can be added to this list if needed.
|
|
security_aide_exclude_dirs:
|
|
- /openstack
|
|
- /opt
|
|
- /run
|
|
- /var
|
|
#
|
|
# By default, the AIDE database won't be initialized immediately since it can
|
|
# consume plenty of CPU and I/O resources while it runs. To initialize the
|
|
# AIDE database immediately when the playbook finishes, set the following
|
|
# variable to 'true':
|
|
security_initialize_aide: false
|
|
|
|
## Audit daemon
|
|
# V-38438 requires that auditd is enabled at boot time with a parameter in the
|
|
# GRUB configuration.
|
|
#
|
|
# If 'security_enable_audit_during_boot' is set to 'yes', then the 'audit=1'
|
|
# parameter will be added in /etc/default/grub.d/.
|
|
# If 'security_enable_grub_update is set to 'yes', the grub.cfg will be
|
|
# updated automatically.
|
|
security_enable_audit_during_boot: yes # V-38438
|
|
security_enable_grub_update: yes # V-38438
|
|
|
|
# The following booleans control the rule sets added to auditd's default
|
|
# set of auditing rules. To see which rules will be added for each boolean,
|
|
# refer to the templates/osas-auditd.j2 file.
|
|
#
|
|
# If the template changes due to booleans being adjusted, the new template
|
|
# will be deployed onto the host and auditd will get the new rules loaded
|
|
# automatically with augenrules.
|
|
#
|
|
security_audit_account_modification: yes # V-38531, V-38534, V-38538
|
|
security_audit_change_localtime: yes # V-38530
|
|
security_audit_change_system_time: yes # V-38635
|
|
security_audit_clock_settime: yes # V-38527
|
|
security_audit_clock_settimeofday: yes # V-38522
|
|
security_audit_clock_stime: yes # V-38525
|
|
security_audit_DAC_chmod: no # V-38543
|
|
security_audit_DAC_chown: no # V-38545
|
|
security_audit_DAC_lchown: no # V-38558
|
|
security_audit_DAC_fchmod: no # V-38547
|
|
security_audit_DAC_fchmodat: no # V-38550
|
|
security_audit_DAC_fchown: no # V-38552
|
|
security_audit_DAC_fchownat: no # V-38554
|
|
security_audit_DAC_fremovexattr: no # V-38556
|
|
security_audit_DAC_lremovexattr: no # V-38559
|
|
security_audit_DAC_fsetxattr: no # V-38557
|
|
security_audit_DAC_lsetxattr: no # V-38561
|
|
security_audit_DAC_setxattr: no # V-38565
|
|
security_audit_deletions: no # V-38575
|
|
security_audit_failed_access: no # V-38566
|
|
security_audit_filesystem_mounts: yes # V-38568
|
|
security_audit_kernel_modules: yes # V-38580
|
|
security_audit_mac_changes: yes # V-38541
|
|
security_audit_network_changes: yes # V-38540
|
|
security_audit_sudoers: yes # V-38578
|
|
#
|
|
# **DANGER**
|
|
# Changing the options below can cause systems to go offline unexpectedly or
|
|
# stop serving requests as a security precaution. Read the developer notes for
|
|
# each STIG prior to adjusting the following variables.
|
|
# **DANGER**
|
|
#
|
|
# Set an action to occur when there is a disk error. Review the
|
|
# documentation for V-38464 before changing this option.
|
|
security_disk_error_action: SYSLOG # V-38464
|
|
#
|
|
# Set an action to occur when the disk is full. Review the documentation for
|
|
# V-38468 before changing this option.
|
|
security_disk_full_action: SYSLOG # V-38468
|
|
#
|
|
# V-38678 - Set the amount of megabytes left when the space_left_action
|
|
# triggers. The STIG guideline doesn't specify a size, but Ubuntu chooses a
|
|
# default of 75MB, which is reasonable.
|
|
security_space_left: 75 # V-38678
|
|
#
|
|
# Set an action to occur when the disk is approaching its capacity.
|
|
# Review the documentation for V-38470 before changing this option.
|
|
security_space_left_action: SYSLOG # V-38470
|
|
#
|
|
# Set the maximum size of a rotated log file. Ubuntu's default
|
|
# matches the STIG requirement of 6MB.
|
|
security_max_log_file: 6 # V 38633
|
|
#
|
|
# Sets the action to take when log files reach the maximum file size.
|
|
# Review the documentation for V-38634 before changing this option.
|
|
security_max_log_file_action: ROTATE # V-38634
|
|
#
|
|
# Set the number of rotated audit logs to keep. Ubuntu has 5 as the default
|
|
# and this matches the STIG's requirements.
|
|
security_num_logs: 5 # V-38636
|
|
#
|
|
# Set the email address of someone who can receive and respond to notifications
|
|
# about low disk space for log volumes.
|
|
security_action_mail_acct: root # V-38680
|
|
#
|
|
# **IMMINENT DANGER**
|
|
# The STIG says that the system should switch to single user mode when the
|
|
# storage capacity gets very low. This can cause serious service disruptions
|
|
# and should only be set to 'single' for deployers in extremely high security
|
|
# environments. Ubuntu's default is SUSPEND, which will suspend logging.
|
|
# **IMMENENT DANGER**
|
|
security_admin_space_left_action: SUSPEND # V-54381
|
|
|
|
## Chrony (NTP) configuration
|
|
# Install and enable chrony to sync time with NTP servers.
|
|
security_enable_chrony: yes # V-38620
|
|
# Adjust the following NTP servers if necessary.
|
|
security_ntp_servers:
|
|
- 0.north-america.pool.ntp.org
|
|
- 1.north-america.pool.ntp.org
|
|
- 2.north-america.pool.ntp.org
|
|
- 3.north-america.pool.ntp.org
|
|
# Chrony limits access to clients that are on certain subnets. Adjust the
|
|
# following subnets here to limit client access to chrony servers.
|
|
security_allowed_ntp_subnets:
|
|
- 10/8
|
|
- 192.168/16
|
|
- 172.16/12
|
|
# Listen for NTP requests only on local interfaces.
|
|
security_ntp_bind_local_interfaces_only: yes
|
|
|
|
## Core dumps
|
|
# V-38675 requires disabling core dumps for all users unless absolutely
|
|
# necessary. Set this variable to 'no' to skip this change.
|
|
security_disable_core_dumps: yes # V-38675
|
|
|
|
## Services
|
|
# The STIG recommends ensuring that some services are running if no services
|
|
# utilizing it are enabled. Setting a boolean to 'yes' here will ensure that
|
|
# a service isn't actively running and will not be started after boot-up.
|
|
# Setting a 'no' will ensure that this Ansible role does not alter the service
|
|
# in any way from its current configuration.
|
|
#
|
|
security_disable_abrtd: yes # V-38641
|
|
security_disable_atd: yes # V-38640
|
|
security_disable_autofs: yes # V-38437
|
|
security_disable_avahi: yes # V-31618
|
|
security_disable_bluetooth: yes # V-38691
|
|
security_disable_netconsole: yes # v-38672
|
|
security_disable_qpidd: yes # V-38648
|
|
security_disable_rdisc: yes # V-38650
|
|
security_disable_rsh: yes # V-38594
|
|
security_disable_ypbind: yes # V-38604
|
|
security_disable_xinetd: yes # V-38582
|
|
#
|
|
# The STIG recommends ensuring that some services aren't installed at ANY time.
|
|
# Those services are listed here. Setting a boolean here to 'yes' wiil
|
|
# ensure that the STIG is followed and the service is removed. Setting a
|
|
# boolean to 'no' means that the playbook will not alter the service.
|
|
#
|
|
security_remove_ldap_server: yes # V-38627
|
|
security_remove_rsh_server: yes # V-38591
|
|
security_remove_sendmail: yes # V-38671
|
|
security_remove_telnet_server: yes # V-38587
|
|
security_remove_tftp_server: yes # V-38606
|
|
security_remove_xinetd: yes # V-38584
|
|
security_remove_xorg: yes # v-38676
|
|
security_remove_ypserv: yes # V-38603
|
|
#
|
|
# The STIG does not allow the system to run a graphical interface. Set this
|
|
# variable to 'no' if you need a graphical interface on the server.
|
|
security_disable_x_windows: yes # V-38674
|
|
|
|
## SSH configuration
|
|
# The following configuration items will adjust how the ssh daemon is
|
|
# configured. The recommendations from the RHEL 6 STIG are shown below, but
|
|
# they can be adjusted to fit a particular environment.
|
|
#
|
|
# Set a 15 minute time out for SSH sessions if there is no activity
|
|
security_ssh_client_alive_interval: 900 # V-38608
|
|
#
|
|
# Timeout ssh sessions as soon as ClientAliveInterval is reached once
|
|
security_ssh_client_alive_count_max: 0 # V-38610
|
|
#
|
|
# The ssh daemon must not permit root logins. The default value of 'yes' is a
|
|
# deviation from the STIG requirements due to how openstack-ansible operates,
|
|
# especially within OpenStack CI gate jobs. See documentation for V-38613 for
|
|
# more details.
|
|
security_ssh_permit_root_login: 'yes' # V-38613
|
|
|
|
## Kernel
|
|
# Set these booleans to 'yes' to disable the kernel module (following the
|
|
# STIG requirements). Set the boolean to 'no' to ensure no changes are made.
|
|
security_disable_module_bluetooth: yes # V-38682
|
|
security_disable_module_dccp: yes # V-38514
|
|
security_disable_module_rds: yes # V-38516
|
|
security_disable_module_sctp: yes # V-38515
|
|
security_disable_module_tipc: yes # V-38517
|
|
security_disable_module_usb_storage: no # V-38490
|
|
security_disable_icmpv4_redirects: no # V-38524
|
|
security_disable_icmpv4_redirects_secure: no # V-38526
|
|
security_disable_icmpv6_redirects: no # V-38548
|
|
#
|
|
# ** DANGER **
|
|
# It's strongly recommended to fully understand the effects of changing the
|
|
# following sysctl tunables. Refer to the documentation under 'Developer
|
|
# Notes' for each of the STIGs below before making any changes.
|
|
# ** DANGER **
|
|
#
|
|
security_sysctl_enable_tcp_syncookies: yes # V-38539
|
|
security_sysctl_enable_martian_logging: no # V-38528
|
|
#
|
|
# Deployers who wish to disable IPv6 entirely must set this configuration
|
|
# variable to 'yes'. See the documentation for V-38546 before making this
|
|
# change.
|
|
security_disable_ipv6: no # V-38546
|
|
|
|
# Sets the global challenge ACK counter to a large value such
|
|
# that a potential attacker could not reasonably come up against it.
|
|
security_set_tcp_challenge_ack_limit: yes # CVE-2016-5696
|
|
|
|
## Mail
|
|
# The STIG requires inet_interfaces to be set to 'localhost', but Ubuntu will
|
|
# configure it to be 'all' when dpkg-reconfigure is unavailable (as it is when
|
|
# Ansible installs packages). The default here is 'localhost' to meet the STIG
|
|
# requirement, but some deployers may want this set to 'all' if their hosts
|
|
# need to receive emails over the network (which isn't common).
|
|
#
|
|
# See the documentation for V-38622 for more details.
|
|
security_postfix_inet_interfaces: localhost # V-38622
|
|
#
|
|
# Configuring an email address here will cause hosts to forward the root user's
|
|
# email to another address.
|
|
#
|
|
#security_root_forward_email: user@example.com
|
|
|
|
## Linux Security Module (LSM)
|
|
# AppArmor and SELinux provide powerful security controls on a Linux system
|
|
# by setting policies for allowed actions. By setting the following variable
|
|
# to true, the appropriate LSM will be enabled for the Linux distribution:
|
|
#
|
|
# Ubuntu: AppArmor
|
|
# CentOS: SELinux
|
|
#
|
|
# See the openstack-ansible-security documentation for more details.
|
|
security_enable_linux_security_module: yes # V-51337
|
|
|
|
## PAM and authentication
|
|
# V-38497 requires that accounts with null passwords aren't allowed to
|
|
# authenticate via PAM. Ubuntu 14.04's default allows these logins -- see the
|
|
# documentation for V-38497 for more details. Set the variable below to 'yes'
|
|
# to remove 'nullok_secure' from the PAM configuration or set it to 'no' to
|
|
# leave the PAM configuration unaltered.
|
|
security_pam_remove_nullok: yes # V-38497
|
|
#
|
|
# V-38501 requires that failed login attempts must lock a user account using
|
|
# pam_faillock, but Ubuntu doesn't package that PAM module. Instead, fail2ban
|
|
# can be installed to lock out IP addresses with failed logins for 15 minutes.
|
|
# Set the variable below to 'yes' to install and configure fail2ban.
|
|
security_install_fail2ban: no # V-38501
|
|
#
|
|
# The STIG requires bans to last 15 minutes. Adjust the following variable
|
|
# to set the time an IP is banned by fail2ban (in seconds).
|
|
security_fail2ban_bantime: 900 # V-38501
|
|
|
|
## Password complexity and aging
|
|
# V-38475 - There is no password length requirement by default in Ubuntu 14.04.
|
|
# To set a password length requirement, uncomment
|
|
# security_password_minimum_length below. The STIG recommendation is 14
|
|
# characters.
|
|
#security_password_minimum_length: 14 # V-38475
|
|
# V-38477 - There is no password change limitation set by default in Ubuntu. To
|
|
# set the minimum number of days between password changes, uncomment the
|
|
# security_password_minimum_days variable below. The STIG recommendation is 1
|
|
# day.
|
|
#security_password_minimum_days: 1 # V-38477
|
|
# V-38479 - There is no age limit on password by default in Ubuntu. Uncomment
|
|
# line below to use the STIG recommendation of 60 days.
|
|
#security_password_maximum_days: 60 # V-38479
|
|
# V-38480 - To warn users before their password expires, uncomment the line
|
|
# below and they will be warned 7 days prior (following the STIG).
|
|
#security_password_warn_age: 7 # V-38480
|
|
# V-38684 - Setting the maximum number of simultaneous logins per user. The
|
|
# STIG sets a limit of 10.
|
|
#security_max_simultaneous_logins: 10 # V-38684
|
|
# V-38692 - Lock accounts that are inactive for 35 days.
|
|
#security_inactive_account_lock_days: 35 # V-38692
|
|
|
|
## sudo
|
|
# V-58901 requires that 'NOPASSWD' and '!authenticate' do not appear in any
|
|
# sudoers files since they could lead to a compromise. Set the following
|
|
# variables to 'yes' to comment out any lines found with these prohibited
|
|
# parameters or leave them set to 'no' (the default) to leave sudoers files
|
|
# unaltered. Deployers are urged to review the documentation for this STIG
|
|
# before making changes.
|
|
security_sudoers_remove_nopasswd: no # V-58901
|
|
security_sudoers_remove_authenticate: no # V-58901
|
|
|
|
## umask settings
|
|
# The STIG recommends changing various default umask settings for users and
|
|
# daemons via different methods. However, this could cause serious issues for
|
|
# production OpenStack environements which haven't been tested with these
|
|
# changes.
|
|
#
|
|
# The variables below are set to match the STIG requirements, but they are
|
|
# commented out to ensure they require deployers to opt-in for each change. To
|
|
# opt in for one of the changes below, simply uncomment the line and run the
|
|
# playbook. Deployers are strongly advised to review the documentation for
|
|
# these changes and review their systems to ensure these changes won't cause
|
|
# service disruptions.
|
|
#
|
|
# V-38642 - Set umask for daemons in init scripts to 027 or 022
|
|
#security_umask_daemons_init: 027 # V-38642
|
|
#
|
|
# V-38645 - System default umask in /etc/login.defs must be 077
|
|
#security_umask_login_defs: 077 # V-38645
|
|
#
|
|
# V-38649 - System default umask for csh must be 077
|
|
#security_umask_csh: 077 # V-38649
|
|
#
|
|
# V-38651 - System default umask for bash must be 077
|
|
#security_umask_bash: 077 # V-38651
|
|
|
|
## Unattended upgrades (APT) configuration
|
|
security_unattended_upgrades_enabled: false
|
|
security_unattended_upgrades_notifications: false
|
|
|
|
###############################################################################
|
|
# ____ _ _ _____ _ _____ ____ _____ ___ ____
|
|
# | _ \| | | | ____| | |___ | / ___|_ _|_ _/ ___|
|
|
# | |_) | |_| | _| | | / / \___ \ | | | | | _
|
|
# | _ <| _ | |___| |___ / / ___) || | | | |_| |
|
|
# |_| \_\_| |_|_____|_____| /_/ |____/ |_| |___\____|
|
|
#
|
|
# UNDER ACTIVE DEVELOPMENT
|
|
#
|
|
# The default configurations after this marker apply to the RHEL 7 STIG
|
|
# content in the openstack-ansible-security role. This content is still under
|
|
# active development and will not be applied to systems by default until
|
|
# the development work is complete.
|
|
#
|
|
###############################################################################
|
|
|
|
## AIDE (aide)
|
|
# Initialize the AIDE database immediately (may take time).
|
|
security_rhel7_initialize_aide: no # RHEL-07-020130
|
|
|
|
## Audit daemon (auditd)
|
|
# Send audit records to a different system using audisp.
|
|
#security_audisp_remote_server: '10.0.21.1' # RHEL-07-030330
|
|
# Encrypt audit records when they are transmitted over the network.
|
|
#security_audisp_enable_krb5: yes # RHEL-07-030331
|
|
# Set the auditd failure flag. WARNING: READ DOCUMENTATION BEFORE CHANGING!
|
|
security_rhel7_audit_failure_flag: 1 # RHEL-07-030090
|
|
# Set the action to take when the disk is full or network events cannot be sent.
|
|
security_rhel7_auditd_disk_full_action: syslog # RHEL-07-030340
|
|
security_rhel7_auditd_network_failure_action: syslog # RHEL-07-030340
|
|
# Size of remaining disk space (in MB) that triggers alerts.
|
|
security_rhel7_auditd_space_left: "{{ (ansible_mounts | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # RHEL-07-030350
|
|
# Add audit rules for commands/syscalls.
|
|
security_rhel7_audit_chsh: yes # RHEL-07-030525
|
|
security_rhel7_audit_chage: yes # RHEL-07-030513
|
|
security_rhel7_audit_chcon: yes # RHEL-07-030443
|
|
security_rhel7_audit_chmod: no # RHEL-07-030390
|
|
security_rhel7_audit_chown: no # RHEL-07-030380
|
|
security_rhel7_audit_creat: yes # RHEL-07-030420
|
|
security_rhel7_audit_crontab: yes # RHEL-07-030561
|
|
security_rhel7_audit_delete_module: yes # RHEL-07-030671
|
|
security_rhel7_audit_fchmod: no # RHEL-07-030391
|
|
security_rhel7_audit_fchmodat: no # RHEL-07-030392
|
|
security_rhel7_audit_fchown: no # RHEL-07-030381
|
|
security_rhel7_audit_fchownat: no # RHEL-07-030383
|
|
security_rhel7_audit_fremovexattr: no # RHEL-07-030404
|
|
security_rhel7_audit_fsetxattr: no # RHEL-07-030401
|
|
security_rhel7_audit_ftruncate: yes # RHEL-07-030425
|
|
security_rhel7_audit_init_module: yes # RHEL-07-030670
|
|
security_rhel7_audit_gpasswd: yes # RHEL-07-030512
|
|
security_rhel7_audit_lchown: no # RHEL-07-030382
|
|
security_rhel7_audit_lremovexattr: no # RHEL-07-030405
|
|
security_rhel7_audit_lsetxattr: no # RHEL-07-030402
|
|
security_rhel7_audit_mount: yes # RHEL-07-030530
|
|
security_rhel7_audit_newgrp: yes # RHEL-07-030524
|
|
security_rhel7_audit_open: yes # RHEL-07-030421
|
|
security_rhel7_audit_openat: yes # RHEL-07-030422
|
|
security_rhel7_audit_open_by_handle_at: yes # RHEL-07-030423
|
|
security_rhel7_audit_pam_timestamp_check: yes # RHEL-07-030630
|
|
security_rhel7_audit_passwd: yes # RHEL-07-030510
|
|
security_rhel7_audit_postdrop: yes # RHEL-07-030540
|
|
security_rhel7_audit_postqueue: yes # RHEL-07-030541
|
|
security_rhel7_audit_pt_chown: yes # RHEL-07-030560
|
|
security_rhel7_audit_removexattr: no # RHEL-07-030403
|
|
security_rhel7_audit_rename: yes # RHEL-07-030750
|
|
security_rhel7_audit_renameat: yes # RHEL-07-030751
|
|
security_rhel7_audit_restorecon: yes # RHEL-07-030444
|
|
security_rhel7_audit_rmdir: yes # RHEL-07-030752
|
|
security_rhel7_audit_semanage: yes # RHEL-07-030441
|
|
security_rhel7_audit_setsebool: yes # RHEL-07-030442
|
|
security_rhel7_audit_setxattr: no # RHEL-07-030400
|
|
security_rhel7_audit_ssh_keysign: yes # RHEL-07-030550
|
|
security_rhel7_audit_su: yes # RHEL-07-030521
|
|
security_rhel7_audit_sudo: yes # RHEL-07-030522
|
|
security_rhel7_audit_sudoedit: yes # RHEL-07-030526
|
|
security_rhel7_audit_truncate: yes # RHEL-07-030424
|
|
security_rhel7_audit_umount: yes # RHEL-07-030531
|
|
security_rhel7_audit_unix_chkpwd: yes # RHEL-07-030511
|
|
security_rhel7_audit_unlink: yes # RHEL-07-030753
|
|
security_rhel7_audit_unlinkat: yes # RHEL-07-030754
|
|
security_rhel7_audit_userhelper: yes # RHEL-07-030514
|
|
# Add audit rules for other events.
|
|
security_rhel7_audit_account_access: yes # RHEL-07-030490
|
|
security_rhel7_audit_sudo_config_changes: yes # RHEL-07-030523
|
|
security_rhel7_audit_insmod: yes # RHEL-07-030672
|
|
security_rhel7_audit_rmmod: yes # RHEL-07-030673
|
|
security_rhel7_audit_modprobe: yes # RHEL-07-030674
|
|
security_rhel7_audit_account_actions: yes # RHEL-07-030710
|
|
|
|
## Authentication (auth)
|
|
# Disallow logins from accounts with blank/null passwords via PAM.
|
|
security_disallow_blank_password_login: yes # RHEL-07-010260
|
|
# Apply password quality rules.
|
|
# NOTE: The security_pwquality_apply_rules variable is a "master switch".
|
|
# Set the 'security_pwquality_apply_rules' variable to 'yes' to apply all of
|
|
# the password quality rules. Each rule can be disabled with a value of 'no'.
|
|
security_pwquality_apply_rules: no
|
|
security_pwquality_require_uppercase: yes # RHEL-07-010090
|
|
security_pwquality_require_lowercase: yes # RHEL-07-010100
|
|
security_pwquality_require_numeric: yes # RHEL-07-010110
|
|
security_pwquality_require_special: yes # RHEL-07-010120
|
|
security_pwquality_require_characters_changed: yes # RHEL-07-010130
|
|
security_pwquality_require_character_classes_changed: yes # RHEL-07-010140
|
|
security_pwquality_limit_repeated_characters: yes # RHEL-07-010150
|
|
security_pwquality_limit_repeated_character_classes: yes # RHEL-07-010160
|
|
security_pwquality_require_minimum_password_length: no # RHEL-07-010250
|
|
# Ensure passwords are stored using SHA512.
|
|
security_password_encrypt_method: SHA512 # RHEL-07-010180
|
|
# Ensure user/group admin utilities only store encrypted passwords.
|
|
security_libuser_crypt_style_sha512: yes # RHEL-07-010190
|
|
# Set a minimum/maximum lifetime limit for user passwords.
|
|
#security_password_min_lifetime_days: 1 # RHEL-07-010200
|
|
#security_password_max_lifetime_days: 60 # RHEL-07-010220
|
|
# Set a timeout (in seconds) to cache NSS authenticators with sssd.
|
|
security_nss_cached_authenticator_timeout: 86400 # RHEL-07-010400
|
|
# Set a timeout (in days) to cache PAM/ssh authenticators with sssd.
|
|
security_pam_offline_credentials_expiration_days: 1 # RHEL-07-010401 / RHEL-07-010402
|
|
# Set a delay (in seconds) between failed login attempts.
|
|
security_shadow_utils_fail_delay: 4 # RHEL-07-010420
|
|
# Set a umask for all authenticated users.
|
|
security_shadow_utils_umask: 077 # RHEL-07-020230
|
|
# Create home directories for new users by default.
|
|
security_shadow_utils_create_home: yes # RHEL-07-020630
|
|
# How many old user password to remember to prevent password re-use.
|
|
#security_password_remember_password: 5 # RHEL-07-010240
|
|
# Disable user accounts if the password expires.
|
|
security_disable_account_if_password_expires: no # RHEL-07-010280
|
|
# Lock user accounts with excessive login failures. See documentation.
|
|
security_pam_faillock_enable: no # RHEL-07-010371 / RHEL-07-010372 / RHEL-07-010373
|
|
security_pam_faillock_interval: 900
|
|
security_pam_faillock_attempts: 3
|
|
security_pam_faillock_deny_root: yes # RHEL-07-010373
|
|
security_pam_faillock_unlock_time: 604800 # RHEL-07-010372
|
|
# Limit the number of concurrent connections per account.
|
|
#security_rhel7_concurrent_session_limit: 10 # RHEL-07-040010
|
|
|
|
## File permissions (file_perms)
|
|
# Reset file permissions and ownership for files installed via RPM packages.
|
|
security_reset_perm_ownership: yes # RHEL-07-010010
|
|
# Search for files/directories owned by invalid users or groups.
|
|
security_search_for_invalid_owner: no # RHEL-07-020360
|
|
security_search_for_invalid_group_owner: no # RHEL-07-020370
|
|
|
|
## Graphical interfaces (graphical)
|
|
# Disable automatic gdm logins
|
|
security_disable_gdm_automatic_login: yes # RHEL-07-010430
|
|
# Disable timed gdm logins for guests
|
|
security_disable_gdm_timed_login: yes # RHEL-07-010431
|
|
# Enable session locking for graphical logins.
|
|
security_lock_session: no # RHEL-07-010060
|
|
# Set a timer (in seconds) when an inactive session is locked.
|
|
security_lock_session_inactive_delay: 900 # RHEL-07-010070
|
|
# Prevent users from modifying session lock settings.
|
|
security_lock_session_override_user: yes # RHEL-07-010071
|
|
# Lock a session (start screensaver) when a session is inactive.
|
|
security_lock_session_when_inactive: yes # RHEL-07-010073
|
|
# Time after screensaver starts when user login is required.
|
|
security_lock_session_screensaver_lock_delay: 5 # RHEL-07-010074
|
|
# Enable a login banner and set the text for the banner.
|
|
security_enable_graphical_login_message: yes # RHEL-07-010030
|
|
security_enable_graphical_login_message_text: >
|
|
You are accessing a secured system and your actions will be logged along
|
|
with identifying information. Disconnect immediately if you are not an
|
|
authorized user of this system.
|
|
|
|
## Linux Security Module (lsm)
|
|
# Enable SELinux on Red Hat/CentOS and AppArmor on Ubuntu.
|
|
security_rhel7_enable_linux_security_module: yes # RHEL-07-020210 / RHEL-07-020211
|
|
|
|
## Miscellaneous (misc)
|
|
# Disable the autofs service.
|
|
security_rhel7_disable_autofs: yes # RHEL-07-020161
|
|
# Enable virus scanning with clamav
|
|
security_enable_virus_scanner: no # RHEL-07-030810
|
|
# Disable ctrl-alt-delete key sequence on the console.
|
|
security_rhel7_disable_ctrl_alt_delete: yes # RHEL-07-020220
|
|
# Install and enable firewalld for iptables management.
|
|
security_enable_firewalld: no # RHEL-07-040290
|
|
# Rate limit TCP connections to 25/min and burstable to 100.
|
|
security_enable_firewalld_rate_limit: no # RHEL-07-040250
|
|
security_enable_firewalld_rate_limit_per_minute: 25
|
|
security_enable_firewalld_rate_limit_burst: 100
|
|
# Require authentication in GRUB to boot into single-user or maintenance modes.
|
|
security_require_grub_authentication: no # RHEL-07-010460 / RHEL-07-010470
|
|
# The default password for grub authentication is 'secrete'.
|
|
security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B
|
|
|
|
## Packages (packages)
|
|
# Remove packages from the system as required by the STIG. Set any of these
|
|
# to 'no' to skip their removal.
|
|
security_rhel7_remove_rsh_server: yes # RHEL-07-020000
|
|
security_rhel7_remove_telnet_server: yes # RHEL-07-021910
|
|
security_rhel7_remove_tftp_server: yes # RHEL-07-040500
|
|
security_rhel7_remove_xorg: yes # RHEL-07-040560
|
|
security_rhel7_remove_ypserv: yes # RHEL-07-020010
|
|
# Automatically remove dependencies when removing packages.
|
|
security_package_clean_on_remove: no # RHEL-07-020200
|
|
# Automatically update packages.
|
|
security_rhel7_automatic_package_updates: no # RHEL-07-020250
|
|
|
|
## RPM (rpm)
|
|
# Enable GPG checks for packages and repository data.
|
|
security_enable_gpgcheck_packages: yes # RHEL-07-020150
|
|
security_enable_gpgcheck_packages_local: yes # RHEL-07-020151
|
|
security_enable_gpgcheck_repo: no # RHEL-07-020152
|
|
|
|
## ssh server (sshd)
|
|
# Ensure sshd is running and enabled at boot time.
|
|
security_enable_sshd: yes # RHEL-07-040261
|
|
# Disallow logins from users with empty/null passwords.
|
|
security_sshd_disallow_empty_password: yes # RHEL-07-010270 / RHEL-07-010440
|
|
# Disallow users from overriding the ssh environment variables.
|
|
security_sshd_disallow_environment_override: yes # RHEL-07-010441
|
|
# Disallow host based authentication.
|
|
security_sshd_disallow_host_based_auth: yes # RHEL-07-010442
|
|
# Set a list of allowed ssh ciphers.
|
|
security_sshd_cipher_list: 'aes128-ctr,aes192-ctr,aes256-ctr' # RHEL-07-040110
|
|
# Specify a text file to be displayed as the banner/MOTD for all sessions.
|
|
security_sshd_banner_file: /etc/motd # RHEL-07-010040 / RHEL-07-040170
|
|
# Set the interval for max session length and the number of intervals to allow.
|
|
security_sshd_client_alive_interval: 600 # RHEL-07-040190
|
|
security_sshd_client_alive_count_max: 0 # RHEL-07-040191
|
|
# Print the last login for a user when they log in over ssh.
|
|
security_sshd_print_last_log: yes # RHEL-07-040301
|
|
# Permit direct root logins
|
|
security_sshd_permit_root_login: no # RHEL-07-040310
|
|
# Disallow authentication using known hosts authentication.
|
|
security_sshd_disallow_known_hosts_auth: yes # RHEL-07-040332 / RHEL-07-040333
|
|
# Disallow rhosts authentication.
|
|
security_sshd_disallow_rhosts_auth: yes # RHEL-07-040334
|
|
# Enable X11 forwarding.
|
|
security_sshd_enable_x11_forwarding: yes # RHEL-07-040540
|
|
# Set the allowed ssh protocols.
|
|
security_sshd_protocol: 2 # RHEL-07-040590
|
|
# Set the list of allowed Message Authentication Codes (MACs) for ssh.
|
|
security_sshd_allowed_macs: 'hmac-sha2-256,hmac-sha2-512' # RHEL-07-040620
|
|
# Disallow Generic Security Service Application Program Interface (GSSAPI) auth.
|
|
security_sshd_disallow_gssapi: yes # RHEL-07-040660
|
|
# Disallow compression or delay after login.
|
|
security_sshd_compression: 'delayed' # RHEL-07-040700
|
|
# Require privilege separation at every opportunity.
|
|
security_sshd_enable_privilege_separation: yes # RHEL-07-040690
|
|
# Require strict mode checking of home directory configuration files.
|
|
security_sshd_enable_strict_modes: yes # RHEL-07-040680
|
|
# Disallow Kerberos authentication.
|
|
security_sshd_disable_kerberos_auth: yes # RHEL-07-040670
|
|
|
|
## Kernel settings (kernel)
|
|
# Disallow forwarding IPv4/IPv6 source routed packets on all interfaces
|
|
# immediately and by default on new interfaces.
|
|
security_disallow_source_routed_packet_forward_ipv4: yes # RHEL-07-040350 / RHEL-07-040351
|
|
security_disallow_source_routed_packet_forward_ipv6: yes # RHEL-07-040860
|
|
# Disallow responses to IPv4 ICMP echoes sent to broadcast address.
|
|
security_disallow_echoes_broadcast_address: yes # RHEL-07-040380
|
|
# Disallow IPV4 ICMP redirects on all interfaces immediately and by default on
|
|
# new interfaces.
|
|
security_disallow_icmp_redirects: yes # RHEL-07-040410 / RHEL-07-040420 / RHEL-07-040421
|
|
# Disallow IP forwarding.
|
|
security_disallow_ip_forwarding: no # RHEL-07-040730
|
|
# Disable USB storage support.
|
|
security_rhel7_disable_usb_storage: yes # RHEL-07-020160
|
|
# Disable kdump.
|
|
security_disable_kdump: yes # RHEL-07-021230
|