Enable chrony [+Docs]

This patch enables chrony and performs basic configuration to meet the
STIG requirements.

These tasks can't be enabled in OpenStack CI due to conflicts with existing
NTP daemons in the CI image.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: If6736c0f4a16de1ba41a4cfa00f5f72f8baf0054
Major Hayden 2016-12-06 14:29:31 -06:00 committed by Andy McCrae
parent b1435ff429
commit 14fa6e5060
5 changed files with 59 additions and 12 deletions


@ -562,6 +562,8 @@ security_require_grub_authentication: no # RHEL-07-010460 /
security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B
# Set session timeout.
security_rhel7_session_timeout: 600 # RHEL-07-040160
# Enable chrony for NTP time synchronization.
security_rhel7_enable_chrony: yes # RHEL-07-040210
## Packages (packages)
# Remove packages from the system as required by the STIG. Set any of these
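Review bot: The new `security_rhel7_enable_chrony: yes` default should carry a comment warning that chrony conflicts with an already-running `ntpd` (the commit message says exactly that for the CI images), so deployers with an existing NTP daemon know to set it to `no` before upgrading; as written, every host that previously had no chrony gets a new time daemon installed and started on the next run. Suggest something like `# Set to "no" on hosts that already run ntpd; chrony and ntpd cannot coexist.` above the variable, and a pointer to `security_ntp_servers`, which the template hunk uses to build the server lines.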


@ -1,7 +1,25 @@
---
id: RHEL-07-040210
status: not implemented
status: implemented
tag: misc
---
This STIG requirement is not yet implemented.
The tasks in the security role make the following changes on each host:
* The ``chrony`` package is installed.
* The service (``chronyd`` on Red Hat and CentOS, ``chrony`` on Ubuntu) is
started and enabled at boot time.
* A configuration file template is deployed that includes ``maxpoll 10`` on
each server line.
Deployers can opt out of these changes by setting the following Ansible
variable:
.. code-block:: yaml
security_rhel7_enable_chrony: no
.. note::
Although the STIG mentions the traditional ``ntpd`` service, this role uses
``chrony``, which is a more modern implementation.
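Review bot: The documentation describes the template as adding only `maxpoll 10` to each server line, but the template hunk in this change emits `server {{ ntp_server }} offline maxpoll 10 minpoll 8`; the doc should state the full server line, name `security_ntp_servers` as the variable that populates it, and mention that the file is only templated where `chrony_conf_file` already exists (per the `stat` guard in the tasks hunk), since a deployer reading "a configuration file template is deployed" will expect it unconditionally.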


@ -151,6 +151,40 @@
- misc
- RHEL-07-040160
- name: Start and enable chrony
service:
name: "{{ chrony_service }}"
state: started
enabled: yes
when:
- not check_mode
- security_rhel7_enable_chrony | bool
tags:
- medium
- misc
- RHEL-07-040210
- name: Check if chrony configuration file exists
stat:
path: "{{ chrony_conf_file }}"
register: chrony_conf_check
tags:
- always
- name: V-38620 - Synchronize system clock (configuration file)
template:
src: chrony.conf.j2
dest: "{{ chrony_conf_file }}"
when:
- chrony_conf_check.stat.exists
- security_rhel7_enable_chrony | bool
notify:
- restart chrony
tags:
- medium
- misc
- RHEL-07-040210
# Returns 0 if installed, 3 if not installed
- name: Check firewalld status
command: systemctl status firewalld
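Review bot: Task ordering in this hunk starts and enables chrony before the configuration file is templated, so on first run the daemon comes up with the distribution default `chrony.conf` and is then restarted by the `restart chrony` handler; moving the `stat` and `template` tasks ahead of `Start and enable chrony` avoids the extra restart and the brief window with the wrong server list. Two smaller points: the template task is named `V-38620 - Synchronize system clock (configuration file)` while its tag is `RHEL-07-040210`, so the RHEL 6 identifier in the name should be replaced with the RHEL 7 one for consistency with the surrounding tasks; and because the template is guarded by `chrony_conf_check.stat.exists`, a host where the package install did not create the file silently keeps whatever `chrony.conf` it has, which deserves at least a comment.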


@ -20,7 +20,7 @@
# better to use IP numbers than host names.
{% for ntp_server in security_ntp_servers %}
server {{ ntp_server }} offline minpoll 8
server {{ ntp_server }} offline maxpoll 10 minpoll 8
{% endfor %}
# Look here for the admin password needed for chronyc. The initial
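Review bot: The `offline` keyword is retained on the changed server line; in chrony a source marked `offline` is not polled until `chronyc online` is issued, which the Ubuntu packaging handles with an if-up hook but a CentOS or Red Hat host does not necessarily have, so please confirm that clock synchronization actually begins on those platforms or drop `offline` from the template. The added `maxpoll 10` satisfies RHEL-07-040210, and together with the existing `minpoll 8` it bounds polling to 256 to 1024 seconds, which is worth stating in the template comment for the next reader.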

tox.ini

@ -127,15 +127,8 @@ deps =
{[testenv:ansible]deps}
setenv =
{[testenv]setenv}
# NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now
# building images with apt config
# Apt::Get::AllowUnauthenticated set to true.
# NOTE(mhayden): Skipping V-38660 since openstack-infra has SNMP v1/2 in
# the images. This can be added back in once
# https://review.openstack.org/354819 merges.
# NOTE(mhayden): Skipping V-38620 since chrony cannot start with ntpd
# running in the gate images.
ANSIBLE_PARAMETERS=-e stig_version=rhel7
# NOTE(mhayden): Disabling chrony since it causes conflicts in CI.
ANSIBLE_PARAMETERS=-e stig_version=rhel7 -e security_rhel7_enable_chrony=no
commands =
{[testenv:tests_clone]commands}
bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
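Review bot: This hunk deletes the two unrelated NOTE comments about V-38462 and V-38660 along with the V-38620 note; since the visible `ANSIBLE_PARAMETERS` line no longer carries any `--skip-tags`, those comments were already stale, but the commit message should say that the stale notes are being cleaned up so the deletion is not mistaken for re-enabling those checks. The replacement comment could also point at the new variable's documentation (`RHEL-07-040210`) so a CI maintainer knows why `-e security_rhel7_enable_chrony=no` is set and when it can be removed.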