Commit Graph

189 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov b31cd46c18 Disable dynamic motd message
Right now default cloud images of Ubuntu do contain dynamic MOTD
by default, which takes around an extra 0.4 sec for establishing a connection.

Disabling MOTD should improve responsiveness of hosts and speed up
ansible execution as well.

With that we're keeping static MOTD that has no impact on connection
speed.

Change-Id: Iaf25f6f444055cefd60dd2e3b4d5579f2a6fcdb1
2023-10-26 11:15:46 +00:00
Dmitriy Rabotyagov abfa76ba93 Disable GSSAPIAuthentication for SSH
This implements STIG V-204598 [1] and disables
GSSAPIAuthentication that is enabled by default on EL
systems.
This also should speed up deployments on such systems, as
enabled GSSAPIAuthentication requires some time while
initiating connection.

[1] https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2020-12-08/finding/V-204598

Change-Id: I2d92541ccfc27e91224fd481c3792993428a052e
2023-10-26 11:15:11 +00:00
Dmitriy Rabotyagov db5c6f2d66 Fix linters and metadata
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metadata to reflect current state.

Change-Id: I1920cd05ac5b4d32ad12bce42d9161a568f288b6
2023-07-17 14:25:21 +02:00
Jonathan Rosser a07f0c5a9d Disable UsePrivilegeSeparation directive for sshd
This was deprecated a long time ago in openssh-server 7.4 and has
been generating warnings in the log file ever since.

Change-Id: Ic3f7afadcaa875e6ce871c0ce36b4b11f10a7044
2023-03-16 15:00:39 +00:00
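The two sshd commits above (GSSAPIAuthentication, UsePrivilegeSeparation) both come down to "what value does sshd actually apply, and which lines in the file are dead weight". The following shell snippet is an added example and not code from the ansible-hardening role: it reads an sshd_config the way sshd resolves it (first occurrence of a keyword wins, keywords are case-insensitive, comments are ignored, and everything after the first `Match` block is conditional, so the global scan stops there). The sample config is constructed for the demo; the set of deprecated directives contains only `UsePrivilegeSeparation` from the commit and is meant to be extended.

```shell
#!/bin/sh
# Added example (not part of the ansible-hardening role).

# Effective global value of a keyword: $1 = config file, $2 = keyword,
# $3 = value to report when the keyword is absent (sshd's compiled-in default).
sshd_effective() {
    awk -v key="$2" -v dflt="$3" '
        BEGIN { key = tolower(key) }
        { sub(/#.*/, "") }                      # strip comments
        NF == 0 { next }                        # skip blank lines
        tolower($1) == "match" { exit }         # conditional section begins; global part is over
        tolower($1) == key { print $2; found = 1; exit }   # first occurrence wins
        END { if (!found) print dflt }
    ' "$1"
}

# Directives still present in $1 that openssh-server no longer honours.
# Only UsePrivilegeSeparation (removed as a setting in 7.5) is listed here;
# extend the array for your sshd version.
sshd_deprecated() {
    awk '
        BEGIN { dep["useprivilegeseparation"] = 1 }
        { sub(/#.*/, "") }
        NF == 0 { next }
        (tolower($1) in dep) { print $1 }
    ' "$1"
}

# Constructed sample resembling a stock EL sshd_config after a few edits.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# sample sshd_config (constructed for this example)
UsePrivilegeSeparation sandbox
GSSAPIAuthentication yes
GSSAPIAuthentication no      # ignored by sshd: the first value stands
PermitRootLogin prohibit-password
Match User backup
    GSSAPIAuthentication no
EOF

# EL images ship "GSSAPIAuthentication yes" in the file; sshd's own default
# is "no", so "no" is the fallback if the keyword were absent.
sshd_effective "$SAMPLE_CFG" GSSAPIAuthentication no   # prints: yes
sshd_deprecated "$SAMPLE_CFG"                          # prints: UsePrivilegeSeparation
```

On a live host the authoritative check is `sshd -T | grep -i gssapiauthentication`, which prints the effective value after sshd has parsed the whole file; the awk parser is for inspecting configs that are not on the machine running the check (e.g. files collected from a fleet).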
Jonathan Rosser 480dd9d866 Remove references to unsupported operating systems
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible
OS specific variables files are generalised where possible
Change-Id: Id3136a5eed068e317aa1a7b33a1149629dc76d77
2021-06-11 14:14:20 +00:00
Jonathan Rosser b9a9310d7c Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: I3dc2486a0666367d673b23403f2510c94c40eaf4
2021-03-10 16:54:58 +00:00
Zuul 087919c425 Merge "Make possible to avoid aide installation" 2021-02-12 10:33:08 +00:00
Jonathan Rosser b7b945b21e Exclude system directories (/sys, /proc, /dev) from the shosts file search
This halves the number of files examined by the find module on an Ubuntu
Focal system and nearly halves the runtime of the task on a Ceph-backed
VM.

Change-Id: I862351badc70fa091bebf55dd2910cccfa731ca2
2021-02-03 11:54:52 +00:00
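The same pruning expressed with plain `find`, as an added example rather than the role's own task. `-prune` stops descent into the three pseudo-filesystems before a single entry under them is stat'ed, which is where the time went; the demo builds a constructed directory tree so it runs anywhere, and the search root is a parameter so that `/` works on a real host.

```shell
#!/bin/sh
# Added example (not part of the ansible-hardening role).

# Print every .shosts / shosts.equiv file below $1, skipping sys, proc and dev
# at the top level of that root. Passing "/" searches the whole host.
find_shosts() {
    root=${1%/}          # "/" -> "", so the pruned paths become /sys, /proc, /dev
    find "$1" \
        \( -path "$root/sys" -o -path "$root/proc" -o -path "$root/dev" \) -prune \
        -o -type f \( -name .shosts -o -name shosts.equiv \) -print
}

# Constructed tree: two real hits plus decoys under the pruned directories.
DEMO_ROOT=$(mktemp -d)
trap 'rm -rf "$DEMO_ROOT"' EXIT
mkdir -p "$DEMO_ROOT/home/alice" "$DEMO_ROOT/etc/ssh" \
         "$DEMO_ROOT/proc/123/cwd" "$DEMO_ROOT/sys/kernel" "$DEMO_ROOT/dev"
: > "$DEMO_ROOT/home/alice/.shosts"
: > "$DEMO_ROOT/etc/ssh/shosts.equiv"
: > "$DEMO_ROOT/proc/123/cwd/.shosts"     # must not be reported
: > "$DEMO_ROOT/sys/kernel/shosts.equiv"  # must not be reported

find_shosts "$DEMO_ROOT"
```

On a multi-mount host you may additionally want `-xdev` after the root argument so that network and removable mounts are not crawled either; that goes beyond the commit, which only excludes the three kernel filesystems.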
Dmitriy Rabotyagov 180fc448eb Make possible to avoid aide installation
This patch adds variable `security_rhel7_enable_aide`. When it's False,
all AIDE related tasks would be omitted.

Change-Id: I64af348d9f49922ab51d8cd348d987df4263faa1
2021-02-02 14:12:10 +00:00
Jakob Englisch 7473a45d98 Chrony: new NTP server defaults
This patch drops the offline option because this role usually
applies to always-on machines and the subsystem which detects
if you're online or offline seems to be largely unstable which
causes chronyd to never attempt to synchronize time.

It also drops the minpoll and maxpoll options to leave it to
the defaults of the chronyd service, this is due to the numbers
provided not allowing the system to properly sync up time.

It also adds the 'iburst' option which will send a few quick
bursts when the system first goes up in order to get it to sync
up with time faster.

Change-Id: Iad41ef505f5a1c142ec7ffe07e4a1c08aa614235
2019-01-10 09:48:50 +00:00
Jakob Englisch 06f05b2984 Chrony: add an option to sync the hardware clock
Provide the possibility to allow users to synchronize
the RTC. It is (still) disabled by default, since
certain combinations of linux kernel version and
hardware pieces are subject to cause lockups.

"rtcautotrim 10" and rtcfile have been favoured over
"rtcsync" since "rtcsync" syncs the RTC every 11 seconds
which is not necessary IMO. "rtcautotrim 10" will only
set the time to the RTC if the gap between RTC and
the system clock exceeds 10 seconds.

Change-Id: I2961bc554eb6caf6e6c78137a33c4fde256ae1ff
2019-01-10 09:47:48 +00:00
Jakob Englisch cca2800ea4 Chrony: make ntp server options configurable
Users may wish to remove the 'offline' option for increased
reliability, since ifup/ifdown scripts are typically not
required in (static) server environments. Furthermore it
enables users to adjust the polling timers to their needs.

Change-Id: Iafa31c03e98785a574f38bb2206b9bea9550743e
2019-01-10 00:09:56 +01:00
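The three chrony commits above change the same handful of `chrony.conf` lines: drop `offline`, drop explicit `minpoll`/`maxpoll`, add `iburst`, and optionally add `rtcfile` + `rtcautotrim`. The snippet below is an added example, not the role's template: it renders those lines and lints an existing config for the retired settings. The sample config and the RTC file path are constructed for the demo (`/var/lib/chrony/rtc` is the conventional location on EL, but use whatever your package ships).

```shell
#!/bin/sh
# Added example (not part of the ansible-hardening role).

# "server" lines for chrony.conf: $1 = space-separated server list,
# $2 = options appended to every line (default "iburst").
chrony_server_lines() {
    opts=${2:-iburst}
    for srv in $1; do
        printf 'server %s %s\n' "$srv" "$opts"
    done
}

# RTC lines from the commit: trim the hardware clock only once it drifts
# more than $1 seconds from the system clock, keeping calibration in $2.
# rtcautotrim needs rtcfile, so both are emitted together.
chrony_rtc_lines() {
    printf 'rtcfile %s\nrtcautotrim %s\n' "$2" "$1"
}

# Report settings in $1 that the commits above moved away from.
chrony_lint() {
    awk '
        { sub(/#.*/, "") }
        $1 == "server" || $1 == "pool" {
            if ($0 ~ /[[:space:]]offline([[:space:]]|$)/)  print "offline: " $2
            if ($0 !~ /[[:space:]]iburst([[:space:]]|$)/)  print "no-iburst: " $2
            if ($0 ~ /[[:space:]](minpoll|maxpoll)[[:space:]]/) print "explicit-poll: " $2
        }
        $1 == "rtcsync" { print "rtcsync: present" }
    ' "$1"
}

# Constructed sample: the pre-commit style config.
OLD_CONF=$(mktemp)
trap 'rm -f "$OLD_CONF"' EXIT
cat > "$OLD_CONF" <<'EOF'
server 0.pool.ntp.org offline minpoll 8 maxpoll 16
server 1.pool.ntp.org iburst
rtcsync
EOF

chrony_lint "$OLD_CONF"
chrony_server_lines "0.pool.ntp.org 1.pool.ntp.org"
chrony_rtc_lines 10 /var/lib/chrony/rtc
```

After applying a new config, `chronyc sources -v` shows whether each server has been reached and `chronyc tracking` shows the current offset; a server that stays at zero reach is the symptom the first commit describes for the `offline` option.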
Kevin Carter 1cafaf8cce Add option to skip sudoers NOPASSWD check
This change adds the option `security_sudoers_nopasswd_check_enable`
when running check "V-71947". This change allows users to skip this
check via ansible extra variable instead of having to skip tags. While
this change has a functional benefit in some environments, it is being
done with the primary intention of providing a better experience to
deploying running clouds where services like cloud-init may be present.

Change-Id: I0d0c95534ace0b00fa64c2f243ad91ce5844d85a
Closes-Bug: #1741225
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-07-31 03:18:27 +00:00
Major Hayden a10fae4fe1 Replace Fedora 26 with 27
Now that infra is moving from Fedora 26 to 27, we need to update
the role to reflect the changing support for Fedora releases.

Change-Id: Icce8fd7ee2f8c54e6eb33beec7af96c4d1d375d6
Signed-off-by: Major Hayden <major@mhtx.net>
2018-03-07 13:30:45 +00:00
Zuul c54fc86bfd Merge "Add scaffolding for contrib tasks" 2017-12-01 14:16:46 +00:00
Zuul 422b793b80 Merge "Change PermitRootLogin to allow alternate options" 2017-11-14 16:34:28 +00:00
Andy McCrae f32cb3c081 Change PermitRootLogin to allow alternate options
PermitRootLogin can be 'yes', 'no', 'without-password',
'prohibit-password' or 'forced-commands-only'.
This patch changes the functionality to ensure that
security_sshd_permit_root_login is one of the above settings - if so, it
will use that value.

Due to the way Ansible handles "no" and "yes", we have to check if the
value is "False" (string equivalent for boolean no), and if so output
"no", otherwise output the string (which would be one of the above
options).

Previously, we could only set this value to 'no'.

Change-Id: I5ee5ff6abc4578d17d4b23d8a2fa1648508ceeed
2017-11-09 15:18:28 +00:00
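The boolean trap the commit describes (YAML `no` becomes a boolean, which a Jinja template renders as the string `False`) is easy to reproduce outside Ansible. Below is an added example, not the role's template: a normaliser that maps the boolean spellings back to what sshd accepts and rejects anything else, plus a small idempotent writer that puts the directive where sshd will honour it (before any `Match` block, as the first occurrence). Mapping `True` to `yes` is an addition for symmetry; the commit only maps `False`.

```shell
#!/bin/sh
# Added example (not part of the ansible-hardening role).

# Turn a security_sshd_permit_root_login-style value into a directive line.
# Returns 1 for anything sshd would reject.
permit_root_login_directive() {
    case "$1" in
        False|false|no)  value=no ;;                 # YAML "no" arrives as False
        True|true|yes)   value=yes ;;                # assumption: treat True like "yes"
        without-password|prohibit-password|forced-commands-only) value=$1 ;;
        *) printf 'invalid PermitRootLogin value: %s\n' "$1" >&2; return 1 ;;
    esac
    printf 'PermitRootLogin %s\n' "$value"
}

# Set a global sshd directive idempotently: $1 = file, $2 = keyword, $3 = value.
# Global lines for the keyword (those before the first Match block) are dropped
# and the new line is written at the top, so it is the first one sshd parses.
# Lines inside Match blocks are left alone because they are conditional.
sshd_set_directive() {
    tmp=$(mktemp)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v line="$2 $3" '
        BEGIN { print line }
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == key { next }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps the file's owner and mode
    rm -f "$tmp"
}

# Demo on a constructed config: the value arrives as the string "False".
DEMO_CFG=$(mktemp)
trap 'rm -f "$DEMO_CFG"' EXIT
printf 'PermitRootLogin yes\nMatch User ops\n    PermitRootLogin yes\n' > "$DEMO_CFG"
directive=$(permit_root_login_directive False)        # PermitRootLogin no
sshd_set_directive "$DEMO_CFG" PermitRootLogin "${directive#PermitRootLogin }"
cat "$DEMO_CFG"
```

Note that only `no` satisfies the STIG intent of the original default; `prohibit-password` and `without-password` still allow root login with a key, so validate the chosen value against policy, not just against sshd's accepted list.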
Major Hayden 2d407a5399 Add scaffolding for contrib tasks
This patch adds the basic scaffolding for developer-contributed
hardening standards that are outside the scope of the Security
Technical Implementation Guide (STIG). Deployers have the option
to deploy these hardening standards as well.

Change-Id: I33175ffd36a75d27e5ac6c13aaf1584e5fdf23dd
2017-11-08 07:28:47 -06:00
Zuul dc194a1ac4 Merge "Optionally search for world-writable files" 2017-11-06 16:44:10 +00:00
Zuul ff73470848 Merge "Make check of package checksums configurable" 2017-11-06 13:16:55 +00:00
Christian Berendt baa5db7768 Make check of package checksums configurable
Change-Id: I9ac64d7995223a20b956d0a1b83bd1a60e556c03
2017-11-02 09:01:35 +01:00
Major Hayden 782bb48c14 Update to RHEL 7 STIG V1R3
This patch updates the tasks to match the changes in Version 1,
Release 3 of the RHEL 7 STIG. It adds four new configurations:

  - V-77819 (docs only, manual intervention req'd)
  - V-77821 (disabling DCCP, implemented)
  - V-77823 (docs only, manual intervention req'd)
  - V-77825 (enabling ASLR, implemented)

Closes-Bug: 1729344
Change-Id: I009fb31139e654f839d94781baf3d392c6613f46
2017-11-01 13:31:34 -05:00
Major Hayden a84b6847fc Optionally search for world-writable files
The search for world-writable files is very intensive and causes
some long delays when running playbooks. This patch makes it
optional and updates the documentation to match.

Change-Id: I206f75597c48023a889bd7027daff2eff82b1a16
2017-10-30 13:56:13 -05:00
Major Hayden ba98871f4b Update to RHEL 7 V1R2 STIG
This patch updates the STIG XML to version 1 release 2.

The new release does not have V-72181 included, so the relevant
tasks and variables have been removed.

Closes-Bug: 1718772
Change-Id: I441dbacdfa82e49c0c24f86e303706ae79c7d4dd
2017-09-21 16:02:42 -05:00
Logan V 2a4875f2cd Re-adding the missing NTP default vars
Some of the NTP defaults used to deploy chrony were shared between
both the RHEL6 and RHEL7 STIG tasks, however the required defaults
for these vars were removed in
Iaae52c97a35d82dd807ef78a1a6593ce3aa33540.

Since they are still needed by the RHEL7 STIG chrony deployment
we will need to add them back.

I also removed a reference to "security_disable_ipv6" in the chrony
config file which was used to determine if Chrony should bind ::1 for
its management socket. Since the "security_disable_ipv6" var no longer
exists, we will unconditionally bind the ::1 management address.

Change-Id: Ic80bda5fbf5cb4424e305ff9839121416b8bea19
2017-09-13 16:10:01 +00:00
Major Hayden 69481cc72b Make default NTP servers more global
This patch uses a more global list of NTP servers as the default
for chrony.

Change-Id: I09b80082af2712a1feea47823e0f2996ec17aea4
2017-09-12 09:54:33 -06:00
Major Hayden 8dee735213 Restore security_ntp_servers variable default
The security_ntp_servers variable was accidentally removed with
the RHEL 6 STIG removal and this patch puts it back.

Closes-Bug: 1716703
Change-Id: I2cce0d5a2f9ede5f54829a6de6824a1567214c0c
2017-09-12 09:42:28 -06:00
Major Hayden 0c0767b3f1 Queens doc updates + removal of RHEL 6 STIG
This patch begins the teardown of the RHEL 6 STIG content from the
ansible-hardening repository. It will still be maintained in
Pike and earlier branches.

This patch also updates the ansible-hardening documentation for the
Queens release and notes that Pike is the latest stable version.

Closes-Bug: 1715745
Change-Id: Iaae52c97a35d82dd807ef78a1a6593ce3aa33540
2017-09-12 08:19:54 -06:00
Major Hayden b352760fd1 Fedora 26 support
This patch adds support for Fedora 26.

Depends-On: Ic4ea169908fec86623dbe91859ec524e48683ab7
Change-Id: I590bed829d9e3b7a6df477a00b65bfc10fc64dae
2017-08-28 07:33:16 -05:00
Marc Gariepy 3c632174e9 Change default prohibit root sshd password auth
Change-Id: Ib195041cd84bafa0cc7ca1d2ca42041618ce181d
2017-08-16 14:05:18 +00:00
Major Hayden 36b36b3ce8 Re-organize defaults/main.yml
This patch re-organizes the defaults/main.yml by:

* Moving RHEL 7 STIG content to the top
* Explaining better how to use `stig_version`

Closes-Bug: 1702183
Change-Id: Ib5eab8fc3129ea1b6745b4b84ab1195dbbbceebf
2017-07-12 18:15:18 +00:00
Major Hayden bcce655e08 Allow epel-release package name customization
This patch allows deployers to provide a custom name/URL for the
traditional epel-release package.

Related-bug: 1702167
Change-Id: Ie5e30776d2d25a8c254f88c16e17ea15aa38ef26
2017-07-12 18:14:58 +00:00
Major Hayden a64c833a71 Conditionally install EPEL if needed
The current behavior of the hardening role is to install the
epel-release package on all deployments. This patch changes
the logic to only install the EPEL repository if the deployer
has asked for ClamAV to be installed.

The patch also provides an option to disable the installation
of EPEL entirely using a variable.

Closes-Bug: 1702167
Change-Id: I9c5e6048f95636faf2a6d71ac9217ba69ca41296
2017-07-12 15:40:33 +00:00
Major Hayden 3699f90710 Actually set min/max password lifetime for account
This patch changes the tasks for V-71927 and V-71931 to actually set
the minimum password age on user accounts rather than printing
useless debug messages.

Change-Id: I3e085160baef1ecc12a3c96f08ede3845c68449f
2017-06-13 06:32:47 +00:00
Major Hayden 38270e7870 [Docs] Replace security role references
This patch changes any reference of openstack-ansible-security to
ansible-hardening.

Change-Id: Ib264e31a926c05380b0d1dcd630ad8f3fd1e58f3
2017-06-12 18:59:28 +00:00
Major Hayden 40c744c86d Add more test coverage
This commit cleans up the testing variables and enables more tasks in
the CI jobs.

Change-Id: Ia937928e46b8ffefc54b499b8d8383ad4d81d907
2017-05-24 19:51:20 +00:00
Major Hayden ab9357dd54 Skip ClamAV db update in gate
This patch disables the ClamAV database update in the gate jobs. The
update often fails due to upstream server issues.

Change-Id: I39cfcc102bc98895823b4de9df930e6f273aaf15
2017-04-21 14:27:16 -05:00
Major Hayden 005fa52c66 Make login banner customizable
This patch makes it easier for deployers to customize their login
banner and it also fixes some documentation bugs around how to
configure the graphical login banner.

Closes-bug: 1679749
Change-Id: I755de63cc3965f065077c983dbf1015ad93dfa6c
2017-04-05 08:32:39 -05:00
Major Hayden dccce1d5cc Handle RHEL 7 STIG renumbering
This patch gets the docs adjusted to work with the new RHEL 7 STIG
version 1 release. The new STIG release has changed all of the
numbering, but it maintains a link to (most) of the old STIG IDs in
the XML.

Closes-bug: 1676865
Change-Id: I65023fe63163c9804a3aec9dcdbf23c69bedb604
2017-04-04 07:22:12 -05:00
Major Hayden 9efb8153f1 Make .shosts search/removal opt in
This patch makes the search for .shosts/shosts.equiv files an opt in
operation.

Closes-Bug: 1665568
Change-Id: Ide0c69a4112981e75defeaa317609e6a5f930225
2017-03-07 12:14:15 -06:00
Major Hayden 7caec98c14 Disable file perm/ownership reset
Although setting file permissions and ownership based on the contents
of the RPM database is a good practice, it causes significant
deployment delays and can cause issues if a system administrator has
intentionally changed file permissions or ownership to meet their
specific needs.

This patch disables the tasks that set the permissions/ownership back
to their original values but leaves them enabled in the gate job.

Change-Id: I185f6755d9bddf58e23d6512f4728522c36306c0
2017-03-04 15:27:45 +00:00
Jenkins 8b1db9e5e7 Merge "Enable RHEL 7 STIG tasks as default [+Docs]" 2017-01-16 13:05:27 +00:00
Major Hayden 6f6c08f4c3 Enable RHEL 7 STIG tasks as default [+Docs]
This patch enables the RHEL 7 STIG content tasks as the default.
Documentation has also been updated to reflect the change and provide
more concise information about what is available with each release.

The OpenStack-Ansible repo is still set to use the RHEL 6 STIG until
some issues with individual roles are resolved.

Implements: blueprint security-rhel7-stig
Change-Id: Ic72d97b87c0fb16646e5a31030404e1a9ad6a469
2017-01-13 19:06:07 +00:00
Major Hayden cd0fad3d88 Make umask change opt-in
Changing the default umask causes issues with OpenStack-Ansible
deployments in roles where directories are created without a mode
specified. It also may surprise some users on non-OpenStack systems
who expect the default umask to match the default from the OS.

This patch makes the change an opt-in change and it updates the
documentation to reflect that.

Related-bug: 1656003
Change-Id: I0931a34b1114e3a57e0eb5914124eed589ded541
2017-01-13 13:22:06 +00:00
Major Hayden 5fdee29c70 Set home dir mode/owner/group owner [+Docs]
This patch sets the mode, owner, and group owner for each home directory to
the correct values.

The STIG also requires ownership/permission changes for files/directories
within each user's home directory, but these changes can be highly disruptive
for certain users.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I1c4a8dfb1e752d4426b471325cd09b2abf5a4ca7
2016-12-15 14:36:20 +00:00
Major Hayden fc2c356bc4 Restrict mail relaying [+Docs]
This patch adds tasks that check for postfix and set restrictions for mail
relaying.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I8c0ae38f2264fae20fe9055fde47e9abbb355767
2016-12-09 10:53:41 +00:00
Major Hayden 14fa6e5060 Enable chrony [+Docs]
This patch enables chrony and performs basic configuration to meet the
STIG requirements.

These tasks can't be enabled in OpenStack CI due to conflicts with existing
NTP daemons in the CI image.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: If6736c0f4a16de1ba41a4cfa00f5f72f8baf0054
2016-12-09 10:32:24 +00:00
Major Hayden b1435ff429 Set TMOUT variable for all sessions [+Docs]
This patch sets a session timeout for 10 minutes using the TMOUT environment
variable. Deployers can adjust the timeout from the default if needed.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: Iccb49d5fe4517b053e8dcf63a783de04513cf85f
2016-12-09 10:04:50 +00:00
Jenkins 52d8ec6f2a Merge "Remove .shosts/shosts.equiv files [+Docs]" 2016-12-09 03:51:29 +00:00
Jenkins ba8d9bb7ca Merge "Set space_left_action in auditd [+Docs]" 2016-12-08 23:04:00 +00:00