Enable LSM instead of checking status

This patch enables the appropriate Linux Security Module (LSM) for the system rather than simply checking it. This brings the role more in line with the STIG requirements and allows it to be used as a more generic role in other non-OpenStack-Ansible deployments. It shouldn't affect OpenStack-Ansible deployments since AppArmor is expected to be running in those deployments. Documentation and release notes are included. Change-Id: Ia017f12be0d60ea74b54396bc8278e4db92295ba
2016-05-25 10:06:02 -05:00 · 2016-05-25 10:06:02 -05:00 · 31424a42af
parent 513408e59f
commit 31424a42af
8 changed files with 151 additions and 52 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -232,6 +232,17 @@ security_postfix_inet_interfaces: localhost       # V-38622
 #
 #security_root_forward_email: user@example.com

+## Linux Security Module (LSM)
+# AppArmor and SELinux provide powerful security controls on a Linux system
+# by setting policies for allowed actions. By setting the following variable
+# to true, the appropriate LSM will be enabled for the Linux distribution:
+#
+#    Ubuntu: AppArmor
+#    CentOS: SELinux
+#
+# See the openstack-ansible-security documentation for more details.
+security_enable_linux_security_module: yes        # V-51337
+
 ## PAM and authentication
 # V-38497 requires that accounts with null passwords aren't allowed to
 # authenticate via PAM. Ubuntu 14.04's default allows these logins -- see the
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@ -143,6 +143,16 @@ deployers can adjust this by changing ``security_disable_ipv6`` to ``yes``.

 Core dumps are also disabled by default in the openstack-ansible-security role.

+Linux Security Module (LSM)
+---------------------------
+
+The STIG requires that SELinux is in enforcing mode to provide additional
+security against attacks. The security role will enable SELinux on CentOS
+systems and enable AppArmor on Ubuntu systems.
+
+For more information on how these changes are applied, refer to the
+documentation for V-51337.
+
 Mail
 ----

--- a/doc/source/developer-notes/V-51337.rst
+++ b/doc/source/developer-notes/V-51337.rst
@ -1,14 +1,39 @@
-Ubuntu loads the AppArmor module by default starting with version 8.04. For
-more information, review the `AppArmor documentation`_ on Ubuntu's site.
-In addition, the OpenStack-Ansible project configures AppArmor policies
-for the LXC containers which run the OpenStack infrastructure.
+The tasks in the security role will enable the Linux Security
+Module (LSM) that is appropriate for the Linux distribution in use.

-The tasks for this STIG will verify that AppArmor is enabled via the
-``apparmor_status``. The playbook will fail if AppArmor is found to be
-disabled on the host.
+For Ubuntu, the default LSM is AppArmor.  Refer to Ubuntu's `AppArmor
+documentation`_ for more details on how AppArmor works. The tasks will enable
+AppArmor and start it immediately on the system.
+
+For CentOS, the default LSM is SELinux. Refer to Red Hat's `Security-Enhanced
+Linux`_ documentation for more details on SELinux. The tasks will enable
+SELinux on the next boot.
+
+.. note::
+
+    **If SELinux was disabled before the security role was applied, the
+    filesystem will be automatically relabeled on the next boot.** For most
+    systems, this process only takes a few minutes. However, it can take
+    additional time to finish on systems with slow disks or a large number of
+    files.
+
+    Deployers are strongly urged to relabel the filesystem if the system has
+    never had SELinux in enforcing mode previously. Rebooting into enforcing
+    mode with a partially-labeled filesystem can lead to unnecessary SELinux
+    policy denials.
+
+Deployers can opt-out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_enable_linux_security_module: False
+
+Setting the variable to ``False`` will prevent the tasks from making any
+adjustments to the LSM status.

 On CentOS 7, the security role will verify that SELinux is in *Enforcing* mode.
 If SELinux is in *Disabled* or *Permissive* mode, the playbook will fail with
 an error message.

 .. _AppArmor documentation: https://help.ubuntu.com/community/AppArmor
+.. _Security-Enhanced Linux: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/
--- a/releasenotes/notes/enable-lsm-bae903e463079a3f.yaml
+++ b/releasenotes/notes/enable-lsm-bae903e463079a3f.yaml
@ -0,0 +1,14 @@
+---
+features:
+  - |
+    The Linux Security Module (LSM) that is appropriate for the Linux
+    distribution in use will be automatically enabled by the security role by
+    default. Deployers can opt out of this change by setting the following
+    Ansible variable:
+
+    .. code-block:: yaml
+
+        security_enable_linux_security_module: False
+
+    The documentation for STIG V-51337 has more information about how each
+    LSM is enabled along with special notes for SELinux.
--- a/tasks/lsm.yml
+++ b/tasks/lsm.yml
@ -0,0 +1,81 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Install packages for AppArmor support (for V-51337)
+  apt:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - apparmor
+    - apparmor-profiles
+    - apparmor-utils
+  when:
+    - ansible_os_family == "Debian"
+    - security_enable_linux_security_module | bool
+  tags:
+    - cat2
+    - V-51337
+
+- name: Ensure AppArmor is running (for V-51337)
+  service:
+    name: apparmor
+    state: started
+    enabled: yes
+  when:
+    - ansible_os_family == "Debian"
+    - security_enable_linux_security_module | bool
+  tags:
+    - cat2
+    - V-51337
+
+- name: Install packages for SELinux support (for V-51337)
+  yum:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - libselinux-python
+    - policycoreutils-python
+    - selinux-policy
+    - selinux-policy-targeted
+  when:
+    - ansible_os_family == "RedHat"
+    - security_enable_linux_security_module | bool
+  tags:
+    - cat2
+    - V-51337
+
+- name: Ensure SELinux is in enforcing mode on the next reboot (for V-51337)
+  selinux:
+    state: enforcing
+    policy: targeted
+  register: selinux_status_change
+  when:
+    - ansible_os_family == "RedHat"
+    - security_enable_linux_security_module | bool
+  tags:
+    - cat2
+    - V-51337
+
+- name: Relabel files on next boot if SELinux mode changed (for V-51337)
+  file:
+    path: /.autorelabel
+    state: touch
+  when:
+    - ansible_os_family == "RedHat"
+    - security_enable_linux_security_module | bool
+    - selinux_status_change | changed
+  tags:
+    - cat2
+    - V-51337
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -55,6 +55,7 @@
  - include: console.yml
  - include: file_perms.yml
  - include: kernel.yml
+  - include: lsm.yml
  - include: mail.yml
  - include: misc.yml
  - include: nfsd.yml
--- a/tasks/misc.yml
+++ b/tasks/misc.yml
@ -412,44 +412,3 @@
  tags:
    - cat2
    - V-38674
-
- name: Check if AppArmor is running (for V-51337)
-  shell: "apparmor_status 2>&1 | head -n 1"
-  register: v51337_result
-  changed_when: False
-  always_run: True
-  when: ansible_pkg_mgr == 'apt'
-  tags:
-    - cat2
-    - V-51337
-
- name: V-51337 - The system must use a Linux Security Module at boot time
-  fail:
-    msg: "FAILED: AppArmor isn't enabled"
-  when:
-    - ansible_pkg_mgr == 'apt'
-    - "'apparmor module is loaded' not in v51337_result.stdout"
-  tags:
-    - cat2
-    - V-51337
-
-
- name: Check if SELinux is enforcing (for V-51337)
-  command: getenforce
-  register: v51337_result
-  changed_when: False
-  always_run: True
-  when: ansible_pkg_mgr == 'yum'
-  tags:
-    - cat2
-    - V-51337
-
- name: V-51337 - The system must use a Linux Security Module at boot time
-  fail:
-    msg: "FAILED: SELinux is not in enforcing mode."
-  when:
-    - ansible_pkg_mgr == 'yum'
-    - "'Enforcing' not in v51337_result.stdout"
-  tags:
-    - cat2
-    - V-51337
--- a/tox.ini
+++ b/tox.ini
@ -105,9 +105,7 @@ commands =
 # NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now building
 #                   images with apt config Apt::Get::AllowUnauthenticated set
 #                   to true.
-# NOTE(mhayden):    V-51337: OpenStack infra images don't have AppArmor
-#                   enabled, so it must be skipped.
-#                   V-38674: OpenStack infra images have graphical target
+# NOTE(mhayden):    V-38674: OpenStack infra images have graphical target
 #                   enabled, so it must be skipped.
 #                   V-38574: OpenStack infra images have non-standard pam
 #                   configurations that don't match a standard CentOS 7 server
@ -118,7 +116,7 @@ commands =
              {homedir}/.ansible/plugins
    ansible-playbook -i {toxinidir}/tests/inventory \
                     -e "rolename={toxinidir}" \
-                     --skip-tag V-38462,V-51337,V-38574,V-38674 \
+                     --skip-tag V-38462,V-38574,V-38674 \
                     {toxinidir}/tests/test.yml