Right now default cloud images of Ubuntu do contain a dynamic MOTD
by default, which takes around an extra 0.4 sec to establish a connection.
Disabling MOTD should improve responsiveness of hosts and speed up
ansible execution as well.
With that we're keeping static MOTD that has no impact on connection
speed.
Change-Id: Iaf25f6f444055cefd60dd2e3b4d5579f2a6fcdb1
This implements STIG V-204598 [1] and disables
GSSAPIAuthentication that is enabled by default on EL
systems.
This also should speed up deployments on such systems, as
enabled GSSAPIAuthentication requires some time while
initiating a connection.
[1] https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2020-12-08/finding/V-204598
Change-Id: I2d92541ccfc27e91224fd481c3792993428a052e
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metadata to reflect the current state.
Change-Id: I1920cd05ac5b4d32ad12bce42d9161a568f288b6
This was deprecated a long time ago in openssh-server 7.4 and has
been generating warnings in the log file ever since.
Change-Id: Ic3f7afadcaa875e6ce871c0ce36b4b11f10a7044
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible
OS specific variables files are generalised where possible
Change-Id: Id3136a5eed068e317aa1a7b33a1149629dc76d77
This halves the number of files examined by the find module on an ubuntu
focal system and nearly halves the runtime of the task on a ceph backed
VM.
Change-Id: I862351badc70fa091bebf55dd2910cccfa731ca2
This patch adds variable `security_rhel7_enable_aide`. When it's False,
all AIDE related tasks would be omitted.
Change-Id: I64af348d9f49922ab51d8cd348d987df4263faa1
This patch drops the offline option because this role usually
applies to always-on machines and the subsystem which detects
if you're online or offline seems to be largely unstable which
causes chronyd to never attempt to synchronize time.
It also drops the minpoll and maxpoll options to leave it to
the defaults of the chronyd service, this is due to the numbers
provided not allowing the system to properly sync up time.
It also adds the 'iburst' option which will send a few quick
bursts when the system first goes up in order to get it to sync
up with time faster.
Change-Id: Iad41ef505f5a1c142ec7ffe07e4a1c08aa614235
Provide the possibility to allow users to synchronize
the RTC. It is (still) disabled by default, since
certain combinations of linux kernel version and
hardware pieces are subject to cause lockups.
"rtcautotrim 10" and rtcfile have been favoured over
"rtcsync" since "rtcsync" syncs the RTC every 11 seconds
which is not necessary IMO. "rtcautotrim 10" will only
set the time to the RTC if the gap between RTC and
the system clock exceeds 10 seconds.
Change-Id: I2961bc554eb6caf6e6c78137a33c4fde256ae1ff
Users may wish to remove the 'offline' option for increased
reliability, since ifup/ifdown scripts are typically not
required in (static) server environments. Furthermore it
enables users to adjust the polling timers to their needs.
Change-Id: Iafa31c03e98785a574f38bb2206b9bea9550743e
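The three chrony commits above (dropping `offline`, `minpoll` and `maxpoll`, adding `iburst`, and preferring `rtcfile` plus `rtcautotrim` over `rtcsync`) describe a configuration shape rather than showing it. The Python below is an added example, not the role's own chrony template: it renders a `chrony.conf` in that shape and audits an existing file for the settings the commits remove. The hostnames, the sample legacy file and the file paths are constructed for illustration; the directive and option names are chrony's.

```python
"""Render and audit chrony.conf along the lines of the commits above.
Added example; not code from the ansible-hardening role. Server names,
paths and the sample legacy config are constructed for illustration."""


def render_chrony_conf(servers, rtc_sync=False, rtc_trim_seconds=10,
                       rtcfile="/var/lib/chrony/rtc",
                       driftfile="/var/lib/chrony/drift"):
    """Return chrony.conf text: iburst on every server, no 'offline',
    no minpoll/maxpoll, and RTC trimming only when the caller opts in."""
    lines = ["# generated example chrony.conf (constructed)"]
    for host in servers:
        # iburst: a quick burst of requests at startup so the first sync
        # happens fast. No 'offline': on an always-on server chronyd would
        # otherwise wait for an 'online' command that never arrives. No
        # minpoll/maxpoll: leave the polling interval to chronyd's defaults.
        lines.append(f"server {host} iburst")
    lines.append(f"driftfile {driftfile}")
    if rtc_sync:
        # Opt-in (disabled by default, as in the commit): write to the RTC
        # only when it drifts more than rtc_trim_seconds from system time,
        # instead of the fixed schedule that 'rtcsync' hands to the kernel.
        lines.append(f"rtcfile {rtcfile}")
        lines.append(f"rtcautotrim {rtc_trim_seconds}")
    return "\n".join(lines) + "\n"


def audit_chrony_conf(text):
    """Return a list of findings for the settings the commits above drop."""
    findings = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        directive, args = tokens[0], tokens[1:]
        if directive in ("server", "pool") and args:
            host, opts = args[0], set(args[1:])
            if "offline" in opts:
                findings.append(f"{host}: 'offline' set; chronyd waits for an "
                                f"explicit 'online' command before polling")
            if "iburst" not in opts:
                findings.append(f"{host}: no 'iburst'; initial sync will be slow")
            for opt in ("minpoll", "maxpoll"):
                if opt in opts:
                    findings.append(f"{host}: '{opt}' overrides chronyd's "
                                    f"default polling interval")
        elif directive == "rtcsync":
            findings.append("rtcsync: consider 'rtcfile' + 'rtcautotrim' so the "
                            "RTC is written only when it drifts")
    return findings


# Constructed sample resembling a template before the changes above.
LEGACY_CHRONY_CONF = """\
# legacy example (constructed)
server 0.ntp.example.org iburst minpoll 8 maxpoll 10 offline
server 1.ntp.example.org minpoll 8 maxpoll 10 offline
rtcsync
driftfile /var/lib/chrony/drift
"""

if __name__ == "__main__":
    for finding in audit_chrony_conf(LEGACY_CHRONY_CONF):
        print("legacy:", finding)
    new_conf = render_chrony_conf(["0.ntp.example.org", "1.ntp.example.org"],
                                  rtc_sync=True)
    print(new_conf)
    print("new findings:", audit_chrony_conf(new_conf))
```

Running the module prints the findings against the legacy sample and then a freshly rendered configuration that audits clean; `rtc_sync=True` is the opt-in the commit keeps off by default.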
This change adds the option `security_sudoers_nopasswd_check_enable`
when running check "V-71947". This change allows users to skip this
check via ansible extra variable instead of having to skip tags. While
this change has a functional benefit in some environments, it is being
done with the primary intention of providing a better experience to
deploying running clouds where services like cloud-init may be present.
Change-Id: I0d0c95534ace0b00fa64c2f243ad91ce5844d85a
Closes-Bug: #1741225
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Now that infra is moving from Fedora 26 to 27, we need to update
the role to reflect the changing support for Fedora releases.
Change-Id: Icce8fd7ee2f8c54e6eb33beec7af96c4d1d375d6
Signed-off-by: Major Hayden <major@mhtx.net>
PermitRootLogin can be 'yes', 'no', 'without-password',
'prohibit-password' or 'forced-commands-only'.
This patch changes the functionality to ensure that
security_sshd_permit_root_login is one of the above settings - if so, it
will use that value.
Due to the way Ansible handles "no" and "yes", we have to check if the
value is "False" (string equivalent for boolean no), and if so output
"no", otherwise output the string (which would be one of the above
options).
Previously, we could only set this value to 'no'.
Change-Id: I5ee5ff6abc4578d17d4b23d8a2fa1648508ceeed
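The PermitRootLogin commit above describes mapping Ansible's coerced boolean back to `no` and validating the value against the sshd_config options it lists; the GSSAPIAuthentication commit earlier on this page turns that directive off. The Python below is an added example, not the role's own task or template: it performs that mapping and validation, renders the two directives, and audits an existing `sshd_config` for them. The sample config and the function names are constructed for illustration; the directive names and accepted values are those of sshd_config(5).

```python
"""PermitRootLogin value handling and an sshd_config audit, as described in
the commits above. Added example; not code from the ansible-hardening role.
The sample config below is constructed for illustration."""

# Values sshd accepts for PermitRootLogin, as listed in the commit.
PERMIT_ROOT_LOGIN_VALUES = {
    "yes", "no", "without-password", "prohibit-password", "forced-commands-only",
}


def render_permit_root_login(value):
    """Return the string to write after 'PermitRootLogin'.

    YAML turns an unquoted `no` into boolean False and Jinja renders that as
    the string "False", so both spellings map back to "no" (and True/"True"
    to "yes") before the value is checked against the accepted set."""
    if value is False or value == "False":
        return "no"
    if value is True or value == "True":
        return "yes"
    if isinstance(value, str) and value in PERMIT_ROOT_LOGIN_VALUES:
        return value
    raise ValueError(f"PermitRootLogin: unsupported value {value!r}")


def hardened_directives(permit_root_login):
    """The two sshd_config lines the commits above manage."""
    return [
        f"PermitRootLogin {render_permit_root_login(permit_root_login)}",
        "GSSAPIAuthentication no",
    ]


def parse_sshd_config(text):
    """Minimal sshd_config reader: 'Keyword value' lines, keyword
    case-insensitive, comments skipped, first occurrence wins (as in sshd).
    Simplification: Match blocks and the 'Keyword=value' form are not handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Return findings for the two directives discussed above."""
    settings = parse_sshd_config(text)
    findings = []
    prl = settings.get("permitrootlogin")
    if prl is None:
        findings.append("PermitRootLogin not set explicitly")
    elif prl == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password")
    # EL packages ship an explicit 'GSSAPIAuthentication yes' line, which is
    # what the commit above turns off; treat anything but 'no' as a finding.
    if settings.get("gssapiauthentication", "no") != "no":
        findings.append("GSSAPIAuthentication enabled: adds a round of "
                        "negotiation to every connection")
    return findings


# Constructed sample resembling an EL sshd_config before hardening.
SAMPLE_SSHD_CONFIG = """\
# sample sshd_config (constructed)
Port 22
PermitRootLogin yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
# duplicate further down is ignored by sshd: first occurrence wins
PermitRootLogin no
"""

if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("finding:", finding)
    for line in hardened_directives(False):   # YAML `no` arrives as False
        print("render:", line)
```

Passing the rendered directives back through `audit_sshd_config` yields no findings, which is the round trip a deployer would want a template change like this to satisfy.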
This patch adds the basic scaffolding for developer-contributed
hardening standards that are outside the scope of the Security
Technical Implementation Guide (STIG). Deployers have the option
to deploy these hardening standards as well.
Change-Id: I33175ffd36a75d27e5ac6c13aaf1584e5fdf23dd
This patch updates the tasks to match the changes in Version 1,
Release 3 of the RHEL 7 STIG. It adds four new configurations:
- V-77819 (docs only, manual intervention req'd)
- V-77821 (disabling DCCP, implemented)
- V-77823 (docs only, manual intervention req'd)
- V-77825 (enabling ASLR, implemented)
Closes-Bug: 1729344
Change-Id: I009fb31139e654f839d94781baf3d392c6613f46
The search for world-writable files is very intensive and causes
some long delays when running playbooks. This patch makes it
optional and updates the documentation to match.
Change-Id: I206f75597c48023a889bd7027daff2eff82b1a16
This patch updates the STIG XML to version 1 release 2.
The new release does not have V-72181 included, so the relevant
tasks and variables have been removed.
Closes-Bug: 1718772
Change-Id: I441dbacdfa82e49c0c24f86e303706ae79c7d4dd
Some of the NTP defaults used to deploy chrony were shared between
both the RHEL6 and RHEL7 STIG tasks, however the required defaults
for these vars were removed in
Iaae52c97a35d82dd807ef78a1a6593ce3aa33540.
Since they are still needed by the RHEL7 STIG chrony deployment
we will need to add them back.
I also removed a reference to "security_disable_ipv6" in the chrony
config file which was used to determine if Chrony should bind ::1 for
its management socket. Since the "security_disable_ipv6" var no longer
exists, we will unconditionally bind the ::1 management address.
Change-Id: Ic80bda5fbf5cb4424e305ff9839121416b8bea19
The security_ntp_servers variable was accidentally removed with
the RHEL 6 STIG removal and this patch puts it back.
Closes-Bug: 1716703
Change-Id: I2cce0d5a2f9ede5f54829a6de6824a1567214c0c
This patch begins the teardown of the RHEL 6 STIG content from the
ansible-hardening repository. It will still be maintained in
Pike and earlier branches.
This patch also updates the ansible-hardening documentation for the
Queens release and notes that Pike is the latest stable version.
Closes-Bug: 1715745
Change-Id: Iaae52c97a35d82dd807ef78a1a6593ce3aa33540
This patch re-organizes the defaults/main.yml by:
* Moving RHEL 7 STIG content to the top
* Explaining better how to use `stig_version`
Closes-Bug: 1702183
Change-Id: Ib5eab8fc3129ea1b6745b4b84ab1195dbbbceebf
This patch allows deployers to provide a custom name/URL for the
traditional epel-release package.
Related-bug: 1702167
Change-Id: Ie5e30776d2d25a8c254f88c16e17ea15aa38ef26
The current behavior of the hardening role is to install the
epel-release package on all deployments. This patch changes
the logic to only install the EPEL repository if the deployer
has asked for ClamAV to be installed.
The patch also provides an option to disable the installation
of EPEL entirely using a variable.
Closes-Bug: 1702167
Change-Id: I9c5e6048f95636faf2a6d71ac9217ba69ca41296
This patch changes the tasks for V-71927 and V-71931 to actually set
the minimum password age on user accounts rather than printing
useless debug messages.
Change-Id: I3e085160baef1ecc12a3c96f08ede3845c68449f
This patch disables the ClamAV database update in the gate jobs. The
update often fails due to upstream server issues.
Change-Id: I39cfcc102bc98895823b4de9df930e6f273aaf15
This patch makes it easier for deployers to customize their login
banner and it also fixes some documentation bugs around how to
configure the graphical login banner.
Closes-Bug: 1679749
Change-Id: I755de63cc3965f065077c983dbf1015ad93dfa6c
This patch gets the docs adjusted to work with the new RHEL 7 STIG
version 1 release. The new STIG release has changed all of the
numbering, but it maintains a link to (most of) the old STIG IDs in
the XML.
Closes-Bug: 1676865
Change-Id: I65023fe63163c9804a3aec9dcdbf23c69bedb604
This patch makes the search for .shosts/shosts.equiv files an opt in
operation.
Closes-Bug: 1665568
Change-Id: Ide0c69a4112981e75defeaa317609e6a5f930225
Although setting file permissions and ownership based on the contents
of the RPM database is a good practice, it causes significant
deployment delays and can cause issues if a system administrator has
intentionally changed file permissions or ownership to meet their
specific needs.
This patch disables the tasks that set the permissions/ownership back
to their original values but leaves them enabled in the gate job.
Change-Id: I185f6755d9bddf58e23d6512f4728522c36306c0
This patch enables the RHEL 7 STIG content tasks as the default.
Documentation has also been updated to reflect the change and provide
more concise information about what is available with each release.
The OpenStack-Ansible repo is still set to use the RHEL 6 STIG until
some issues with individual roles are resolved.
Implements: blueprint security-rhel7-stig
Change-Id: Ic72d97b87c0fb16646e5a31030404e1a9ad6a469
Changing the default umask causes issues with OpenStack-Ansible
deployments in roles where directories are created without a mode
specified. It also may surprise some users on non-OpenStack systems
who expect the default umask to match the default from the OS.
This patch makes the change an opt-in change and it updates the
documentation to reflect that.
Related-bug: 1656003
Change-Id: I0931a34b1114e3a57e0eb5914124eed589ded541
This patch sets the mode, owner, and group owner for each home directory to
the correct values.
The STIG also requires ownership/permission changes for files/directories
within each user's home directory, but these changes can be highly disruptive
for certain users.
Documentation is included.
Implements: blueprint security-rhel7-stig
Change-Id: I1c4a8dfb1e752d4426b471325cd09b2abf5a4ca7
This patch adds tasks that check for postfix and set restrictions for mail
relaying.
Documentation is included.
Implements: blueprint security-rhel7-stig
Change-Id: I8c0ae38f2264fae20fe9055fde47e9abbb355767
This patch enables chrony and performs basic configuration to meet the
STIG requirements.
These tasks can't be enabled in OpenStack CI due to conflicts with existing
NTP daemons in the CI image.
Documentation is included.
Implements: blueprint security-rhel7-stig
Change-Id: If6736c0f4a16de1ba41a4cfa00f5f72f8baf0054
This patch sets a session timeout for 10 minutes using the TMOUT environment
variable. Deployers can adjust the timeout from the default if needed.
Documentation is included.
Implements: blueprint security-rhel7-stig
Change-Id: Iccb49d5fe4517b053e8dcf63a783de04513cf85f