Speed up package install/removal

Instead of breaking up package installations and removals into separate
tasks, this patch moves them all under one task that does two execution
steps.

In addition, the security_enable_chrony variable was added to control the
installation and configuration of chrony. The tox tests for the role were
configured to skip chrony in the gate by skipping its tag, but this caused
the package install/removal task to be skipped as well.

Docs/release notes are included for the chrony change.

Change-Id: I1def033953b50be3911cd932fd17b10dd2c658b7
Major Hayden 2016-11-03 13:30:52 -05:00
parent 20976bc71e
commit 784a38ec4c
15 changed files with 194 additions and 391 deletions


@ -152,9 +152,11 @@ security_action_mail_acct: root # V-38680
# and should only be set to 'single' for deployers in extremely high security
# environments. Ubuntu's default is SUSPEND, which will suspend logging.
# **IMMENENT DANGER**
security_admin_space_left_action: SUSPEND # V-54381
security_admin_space_left_action: SUSPEND # V-54381
## Chrony (NTP) configuration
# Install and enable chrony to sync time with NTP servers.
security_enable_chrony: yes # V-38620
# Adjust the following NTP servers if necessary.
security_ntp_servers:
- 0.north-america.pool.ntp.org
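Review bot: `security_enable_chrony: yes # V-38620` uses the YAML 1.1 boolean spelling; the canonical form is `security_enable_chrony: true # V-38620`, which Ansible reads identically but avoids the yes/no ambiguity yamllint's truthy rule flags. The comment above it says the variable controls installation, but in this commit chrony still sits in the unconditionally enabled `stig_packages` group in both vars files, so the comment promises more than the variable delivers unless that group is split. Consider narrowing it to `# Enable and configure chrony to sync time with NTP servers.` until installation is actually gated.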


@ -9,6 +9,13 @@ and to serve as an NTP server for NTP clients. Chrony was chosen over ntpd
because it's actively maintained and has some enhancements for virtualized
environments.
Deployers can opt out of the ``chrony`` installation by setting the following
Ansible variable:
.. code-block:: yaml
security_enable_chrony: no
There are two configurations available for users to adjust chrony's default
configuration:


@ -0,0 +1,5 @@
---
features:
- |
The installation of ``chrony`` is still enabled by default, but it is now
controlled by the ``security_enable_chrony`` variable.


@ -13,29 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: V-38489 - Install AIDE (with apt)
apt:
name: "{{ item }}"
state: "{{ security_package_state }}"
with_items:
- aide
- aide-common
when: ansible_pkg_mgr == 'apt'
tags:
- aide
- cat2
- V-38489
- name: V-38489 - Install AIDE (with yum)
yum:
name: aide
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'yum'
tags:
- aide
- cat2
- V-38489
- name: Verify that AIDE configuration directory exists
stat:
path: /etc/aide/aide.conf.d


@ -111,3 +111,34 @@
- package
- cat2
- V-38481
- name: Install required packages
apt:
name: |
{%- set pkg_list = [] %}
{%- for package_dict in item[1] %}
{%- if pkg_list.extend(package_dict.packages) %}{% endif %}
{%- endfor %}
{{ pkg_list }}
state: "{{ item[0] }}"
with_items:
- "{{ stig_packages | selectattr('enabled') | groupby('state') }}"
tags:
- cat1
- auth
- services
- V-38439 # install: aide, aide-common
- V-38620 # install: chrony
- V-38624 # install: logrotate
- V-38631 # install: auditd_pkg
- V-38632 # install: auditd_pkg
- V-38637 # install: debsums
- V-38669 # install: postfix
- V-51337 # install: apparmor
- V-38583 # remove: xinetd
- V-38587 # remove: telnet-server
- V-38591 # remove: rsh-server
- V-38603 # remove: ypserv
- V-38606 # remove: tftp-server
- V-38627 # remove: openldap-servers
- V-38671 # remove: sendmail
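Review bot: Two STIG tags on the consolidated task do not match the tasks it replaces: `- V-38439 # install: aide, aide-common` should be `- V-38489 # install: aide, aide-common` (the removed AIDE tasks were tagged V-38489) and `- V-38583 # remove: xinetd` should be `- V-38584 # remove: xinetd` (the removed xinetd tasks were tagged V-38584), so a `--tags V-38489` or `--skip-tags V-38584` run no longer reaches the package step; the same two tags appear in the yum task in the rhel7 tasks file. The replaced tasks also carried `cat2`, `cat3`, `aide`, `auditd`, `mail` and `package` tags that the new task drops, so a `--tags cat2` run no longer installs auditd, aide or chrony; carrying the superset of the old tags, plus `V-38501` for fail2ban (now in the Ubuntu `stig_packages` list but untagged here), would preserve selective runs. The name `Install required packages` understates what the task does since it also removes packages; the yum counterpart's `Add or remove packages based on STIG requirements` is the better name for both.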


@ -13,28 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: V-38631/38632 - The operating system must produce audit records (install auditd with apt)
apt:
name: "{{ auditd_pkg }}"
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'apt'
tags:
- auditd
- cat2
- V-38632
- V-38631
- name: V-38631/38632 - The operating system must produce audit records (install auditd with yum)
yum:
name: "{{ auditd_pkg }}"
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'yum'
tags:
- auditd
- cat2
- V-38632
- V-38631
- name: V-38631/38632 - The operating system must produce audit records (start auditd)
service:
name: auditd
@ -95,16 +73,6 @@
- cat2
- V-38636
- name: Ensure debsums package is installed (for V-38637)
apt:
name: debsums
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'apt'
tags:
- auditd
- cat2
- V-38637
# The debsums command returns 0 if the files haven't been altered but it
# returns 2 otherwise. We also will check to see if auditd has been installed
# and fail if it's not installed.


@ -182,19 +182,6 @@
- cat2
- V-38500
# Opt-in required for fail2ban (see documentation and defaults/main.yml)
# Ubuntu doesn't offer pam_faillock, but fail2ban provides a decent alternative
# for ssh-based authentication. See the documentation for details.
- name: V-38501 - The system must disable accounts after excessive login failures (install fail2ban)
apt:
name: fail2ban
state: "{{ security_package_state }}"
when: security_install_fail2ban | bool
tags:
- auth
- cat2
- V-38501
# Ban the offending IP for 15 minutes to meet the spirit of the STIG.
# Yes, the bantime we want to modify has two spaces before the equal sign.
- name: V-38501 - The system must disable accounts after excessive login failures (configure fail2ban)
@ -209,54 +196,6 @@
- cat2
- V-38501
- name: V-38591 - Remove rshd with apt
apt:
name: rsh-server
state: absent
when:
- ansible_pkg_mgr == 'apt'
- security_remove_rsh_server | bool
tags:
- auth
- cat1
- V-38591
- name: V-38591 - Remove rshd with yum
yum:
name: rsh-server
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_rsh_server | bool
tags:
- auth
- cat1
- V-38591
- name: V-38587 - Remove telnet-server with apt
apt:
name: "{{ telnet_server_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'apt'
- security_remove_telnet_server | bool
tags:
- auth
- cat1
- V-38587
- name: V-38587 - Remove telnet-server with yum
yum:
name: "{{ telnet_server_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_telnet_server | bool
tags:
- auth
- cat1
- V-38587
- name: Search /etc/passwd for password hashes (for V-38499)
shell: "awk -F: '($2 != \"x\") {print}' /etc/passwd | wc -l"
register: v38499_result


@ -13,21 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Install packages for AppArmor support (for V-51337)
apt:
name: "{{ item }}"
state: "{{ security_package_state }}"
with_items:
- apparmor
- apparmor-profiles
- apparmor-utils
when:
- ansible_os_family == "Debian"
- security_enable_linux_security_module | bool
tags:
- cat2
- V-51337
- name: Ensure AppArmor is running (for V-51337)
service:
name: apparmor
@ -41,22 +26,6 @@
- cat2
- V-51337
- name: Install packages for SELinux support (for V-51337)
yum:
name: "{{ item }}"
state: "{{ security_package_state }}"
with_items:
- libselinux-python
- policycoreutils-python
- selinux-policy
- selinux-policy-targeted
when:
- ansible_os_family == "RedHat"
- security_enable_linux_security_module | bool
tags:
- cat2
- V-51337
- name: Ensure SELinux is in enforcing mode on the next reboot (for V-51337)
selinux:
state: enforcing


@ -13,26 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: V-38669 - The postfix service must be enabled for mail delivery (install postfix with apt)
apt:
name: postfix
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'apt'
tags:
- mail
- cat3
- V-38669
- name: V-38669 - The postfix service must be enabled for mail delivery (install postfix with yum)
yum:
name: postfix
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'yum'
tags:
- mail
- cat3
- V-38669
- name: V-38669 - The postfix service must be enabled for mail delivery (enable postfix)
service:
name: postfix


@ -40,75 +40,31 @@
- cat2
- V-38619
- name: V-38620 - Synchronize system clock (installing chrony with apt)
apt:
name: chrony
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'apt'
tags:
- cat2
- V-38620
- name: V-38620 - Synchronize system clock (installing chrony with yum)
yum:
name: chrony
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'yum'
tags:
- cat2
- V-38620
- name: V-38620 - Synchronize system clock (enable chrony)
service:
name: "{{ chrony_service }}"
state: started
enabled: yes
when: not check_mode
when:
- not check_mode
- security_enable_chrony | bool
tags:
- cat2
- V-38620
- name: Check for chrony.conf
stat:
path: /etc/chrony/chrony.conf
register: chrony_conf
tags:
- always
- V-38620
- name: V-38620 - Synchronize system clock (configuration file)
template:
src: chrony.conf.j2
dest: /etc/chrony/chrony.conf
when: chrony_conf.stat.exists | bool
when:
- not check_mode
- security_enable_chrony | bool
notify:
- restart chrony
tags:
- cat2
- V-38620
# The STIG only requires that logrotate is installed and configured in cron.
# The openstack-ansible project will configure logs to be rotated weekly and
# compressed with each run. We won't change the interval here, but we will
# ensure that logrotate is installed (to meet the STIG requirement).
- name: V-38624 - System logs must be rotated daily (install logrotate with apt)
apt:
name: logrotate
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'apt'
tags:
- cat3
- V-38624
- name: V-38624 - System logs must be rotated daily (install logrotate with yum)
yum:
name: logrotate
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'yum'
tags:
- cat3
- V-38624
- name: Check for logrotate cron job (for V-38624)
stat:
path: /etc/cron.daily/logrotate
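Review bot: The chrony template task replaces `when: chrony_conf.stat.exists | bool` with the check_mode and security_enable_chrony conditions and drops the existence check entirely, so the preceding `Check for chrony.conf` stat task now registers a result that nothing in this hunk reads. Unless `chrony_conf` is consumed elsewhere in the file, the template will be attempted on hosts where `/etc/chrony/chrony.conf` does not exist (Red Hat family hosts conventionally keep chrony's config at `/etc/chrony.conf`, and the rhel7 tox env no longer disables chrony), so keep the guard as a third condition: `- chrony_conf.stat.exists | bool`. If the stat task is genuinely no longer needed, remove it rather than leaving a dangling `register`.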


@ -86,16 +86,6 @@
- cat1
- V-38462
- name: V-38481 - Install yum-cron for automatic updates
yum:
name: yum-cron
state: "{{ security_package_state }}"
when: security_unattended_upgrades_enabled | bool
tags:
- package
- cat2
- V-38481
- name: V-38481 - System security patches and updates must be installed and up-to-date
lineinfile:
dest: /etc/yum/yum-cron.conf
@ -107,3 +97,34 @@
- package
- cat2
- V-38481
- name: Add or remove packages based on STIG requirements
yum:
name: |
{%- set pkg_list = [] %}
{%- for package_dict in item[1] %}
{%- if pkg_list.extend(package_dict.packages) %}{% endif %}
{%- endfor %}
{{ pkg_list }}
state: "{{ item[0] }}"
with_items:
- "{{ stig_packages | selectattr('enabled') | groupby('state') }}"
tags:
- cat1
- auth
- services
- V-38439 # install: aide, aide-common
- V-38481 # install: yum-cron
- V-38620 # install: chrony
- V-38624 # install: logrotate
- V-38631 # install: auditd_pkg
- V-38632 # install: auditd_pkg
- V-38669 # install: postfix
- V-51337 # install: SELinux
- V-38583 # remove: xinetd
- V-38587 # remove: telnet-server
- V-38591 # remove: rsh-server
- V-38603 # remove: ypserv
- V-38606 # remove: tftp-server
- V-38627 # remove: openldap-servers
- V-38671 # remove: sendmail


@ -117,55 +117,6 @@
- cat2
- V-38582
- name: V-38584 - xinetd must be uninstalled if not in use (apt)
apt:
name: xinetd
state: absent
when:
- ansible_pkg_mgr == 'apt'
- security_remove_xinetd | bool
tags:
- services
- cat3
- V-38584
- name: V-38584 - xinetd must be uninstalled if not in use (yum)
yum:
name: xinetd
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_xinetd | bool
tags:
- services
- cat3
- V-38584
# Ubuntu's equivalent of Red Hat's ypserv package is 'nis'
- name: V-38603 - Remove ypserv package with apt
apt:
name: "{{ ypserv_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'apt'
- security_remove_ypserv | bool
tags:
- services
- cat2
- V-38603
- name: V-38603 - Remove ypserv package with yum
yum:
name: "{{ ypserv_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_ypserv | bool
tags:
- services
- cat2
- V-38603
- name: V-38605 - The cron service must be running
service:
name: "{{ cron_service }}"
@ -176,30 +127,6 @@
- cat2
- V-38605
- name: V-38606 - The tftp-server package must not be installed unless required (apt)
apt:
name: "{{ tftp_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'apt'
- security_remove_tftp_server | bool
tags:
- services
- cat2
- V-38606
- name: V-38606 - The tftp-server package must not be installed unless required (yum)
yum:
name: "{{ tftp_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_tftp_server | bool
tags:
- services
- cat2
- V-38606
- name: V-38618 - avahi must be disabled
service:
name: avahi-daemon
@ -213,30 +140,6 @@
- cat3
- V-38618
- name: V-38627 - Remove LDAP servers unless required (apt)
apt:
name: "{{ ldap_server_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'apt'
- security_remove_ldap_server | bool
tags:
- services
- cat3
- V-38627
- name: V-38627 - Remove LDAP servers unless required (yum)
yum:
name: "{{ ldap_server_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_ldap_server | bool
tags:
- services
- cat3
- V-38627
- name: V-38650 - rdisc must be disabled
service:
name: rdisc
@ -250,30 +153,6 @@
- cat3
- V-38650
- name: V-38671 - Remove sendmail with apt
apt:
name: sendmail
state: absent
when:
- ansible_pkg_mgr == 'apt'
- security_remove_sendmail | bool
tags:
- services
- cat2
- V-38671
- name: V-38671 - Remove sendmail with yum
yum:
name: sendmail
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_sendmail | bool
tags:
- services
- cat2
- V-38671
- name: V-38672 - netconsole must be disabled
service:
name: netconsole
@ -286,27 +165,3 @@
- services
- cat3
- V-38672
- name: V-38676 - The X windows package must not be installed (apt)
apt:
name: "{{ xserver_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'apt'
- security_remove_xorg | bool
tags:
- services
- cat3
- V-38676
- name: V-38676 - The X windows package must not be installed (yum)
yum:
name: "{{ xserver_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_xorg | bool
tags:
- services
- cat3
- V-38676


@ -117,7 +117,7 @@ setenv =
# https://review.openstack.org/354819 merges.
# NOTE(mhayden): Skipping V-38620 since chrony cannot start with ntpd
# running in the gate images.
ANSIBLE_PARAMETERS=--skip-tags V-38462,V-38660,V-38620
ANSIBLE_PARAMETERS=--skip-tags V-38462,V-38660 -e security_enable_chrony=no
commands =
{[testenv:tests_clone]commands}
bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
@ -136,7 +136,7 @@ setenv =
# https://review.openstack.org/354819 merges.
# NOTE(mhayden): Skipping V-38620 since chrony cannot start with ntpd
# running in the gate images.
ANSIBLE_PARAMETERS=--skip-tags V-38462,V-38660,V-38620 -e stig_version=rhel7
ANSIBLE_PARAMETERS=-e stig_version=rhel7
commands =
{[testenv:tests_clone]commands}
bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
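Review bot: The NOTE comments above both `ANSIBLE_PARAMETERS` lines still say V-38620 is being skipped, but the first env now disables chrony with `-e security_enable_chrony=no` and the rhel7 env (`ANSIBLE_PARAMETERS=-e stig_version=rhel7`) neither skips the tag nor sets the variable, which also silently drops `--skip-tags V-38462,V-38660` for that env without the commit message mentioning it. If running chrony and V-38462/V-38660 in the rhel7 gate is intended, say so in that env's comment; otherwise restore `ANSIBLE_PARAMETERS=--skip-tags V-38462,V-38660 -e security_enable_chrony=no -e stig_version=rhel7`. Either way the first env's comment should read `# NOTE(mhayden): Disabling chrony since it cannot start with ntpd running in the gate images.` so it matches what the line does.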


@ -21,14 +21,6 @@ grub_conf_file: /boot/grub2/grub.cfg
aide_cron_job_path: /etc/cron.d/aide
aide_database_file: /var/lib/aide/aide.db.gz
# Package names
auditd_pkg: audit
ldap_server_pkg: openldap-servers
telnet_server_pkg: telnet-server
tftp_pkg: tftp-server
xserver_pkg: xorg-x11-server-Xorg
ypserv_pkg: ypserv
# Service names
cron_service: crond
ssh_service: sshd
@ -36,3 +28,57 @@ chrony_service: chronyd
# Commands
grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf"
# Packages to add or remove
stig_packages:
- packages:
- audit
- aide
- chrony
- logrotate
- postfix
state: "{{ security_package_state }}"
enabled: True
- packages:
- libselinux-python
- policycoreutils-python
- selinux-policy
- selinux-policy-targeted
state: "{{ security_package_state }}"
enabled: "{{ security_enable_linux_security_module }}"
- packages:
- yum-cron
state: "{{ security_package_state }}"
enabled: "{{ security_unattended_upgrades_enabled }}"
- packages:
- xinetd
state: absent
enabled: "{{ security_remove_xinetd }}"
- packages:
- ypserv
state: absent
enabled: "{{ security_remove_ypserv }}"
- packages:
- tftp-server
state: absent
enabled: "{{ security_remove_tftp_server }}"
- packages:
- openldap-servers
state: absent
enabled: "{{ security_remove_ldap_server }}"
- packages:
- sendmail
state: absent
enabled: "{{ security_remove_sendmail }}"
- packages:
- xorg-x11-server-Xorg
state: absent
enabled: "{{ security_remove_xorg }}"
- packages:
- rsh-server
state: absent
enabled: "{{ security_remove_rsh_server }}"
- packages:
- telnet-server
state: absent
enabled: "{{ security_remove_telnet_server }}"
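Review bot: `chrony` is listed in the first `stig_packages` entry whose `enabled: True` is unconditional, so `security_enable_chrony` gates only the service and template tasks and the documentation's claim that deployers can opt out of the chrony installation does not hold for this change; the Ubuntu vars file has the same layout. Give chrony its own entry gated by the variable, as below, in both files. The other `enabled` values also drop the `| bool` coercion the replaced tasks applied (`when: security_remove_xinetd | bool`), so a value supplied as a string such as `-e security_remove_xinetd=no` is a non-empty, truthy string and `selectattr('enabled')` would keep that removal; writing `enabled: "{{ security_remove_xinetd | bool }}"` for each entry restores the old behaviour. `enabled: True` is better spelled `enabled: true`.
```yaml
  - packages:
      - audit
      - aide
      - logrotate
      - postfix
    state: "{{ security_package_state }}"
    enabled: true
  - packages:
      - chrony
    state: "{{ security_package_state }}"
    enabled: "{{ security_enable_chrony | bool }}"
  # … unchanged: remaining stig_packages entries …
```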


@ -24,14 +24,6 @@ grub_conf_file: /boot/grub/grub.cfg
aide_cron_job_path: /etc/cron.daily/aide
aide_database_file: /var/lib/aide/aide.db
# Package names
auditd_pkg: auditd
ldap_server_pkg: slapd
telnet_server_pkg: telnetd
tftp_pkg: tftpd
xserver_pkg: xorg-xserver
ypserv_pkg: nis
# Service name
cron_service: cron
ssh_service: ssh
@ -39,3 +31,58 @@ chrony_service: chrony
# Commands
grub_update_cmd: "update-grub"
# Packages to add or remove
stig_packages:
- packages:
- auditd
- aide
- aide-common
- chrony
- debsums
- logrotate
- postfix
state: "{{ security_package_state }}"
enabled: True
- packages:
- apparmor
- apparmor-profiles
- apparmor-utils
state: "{{ security_package_state }}"
enabled: "{{ security_enable_linux_security_module }}"
- packages:
- fail2ban
state: "{{ security_package_state }}"
enabled: "{{ security_install_fail2ban }}"
- packages:
- xinetd
state: absent
enabled: "{{ security_remove_xinetd }}"
- packages:
- nis
state: absent
enabled: "{{ security_remove_ypserv }}"
- packages:
- tftpd
state: absent
enabled: "{{ security_remove_tftp_server }}"
- packages:
- slapd
state: absent
enabled: "{{ security_remove_ldap_server }}"
- packages:
- sendmail
state: absent
enabled: "{{ security_remove_sendmail }}"
- packages:
- xorg-xserver
state: absent
enabled: "{{ security_remove_xorg }}"
- packages:
- rsh-server
state: absent
enabled: "{{ security_remove_rsh_server }}"
- packages:
- telnetd
state: absent
enabled: "{{ security_remove_telnet_server }}"