├── .ansible-lint ├── .gitignore ├── .gitreview ├── CONTRIBUTING.rst ├── LICENSE ├── README.md ├── README.rst ├── Vagrantfile ├── bindep.txt ├── defaults └── main.yml ├── doc ├── .gitignore ├── Makefile ├── metadata │ ├── U_Red_Hat_Enterprise_Linux_7_STIG_V1R3_Manual-xccdf.xml │ ├── rhel7 │ │ ├── V-71849.rst │ │ ├── V-71855.rst │ │ ├── V-71859.rst │ │ ├── V-71861.rst │ │ ├── V-71863.rst │ │ ├── V-71891.rst │ │ ├── V-71893.rst │ │ ├── V-71895.rst │ │ ├── V-71897.rst │ │ ├── V-71899.rst │ │ ├── V-71901.rst │ │ ├── V-71903.rst │ │ ├── V-71905.rst │ │ ├── V-71907.rst │ │ ├── V-71909.rst │ │ ├── V-71911.rst │ │ ├── V-71913.rst │ │ ├── V-71915.rst │ │ ├── V-71917.rst │ │ ├── V-71919.rst │ │ ├── V-71921.rst │ │ ├── V-71923.rst │ │ ├── V-71925.rst │ │ ├── V-71927.rst │ │ ├── V-71929.rst │ │ ├── V-71931.rst │ │ ├── V-71933.rst │ │ ├── V-71935.rst │ │ ├── V-71937.rst │ │ ├── V-71939.rst │ │ ├── V-71941.rst │ │ ├── V-71943.rst │ │ ├── V-71945.rst │ │ ├── V-71947.rst │ │ ├── V-71949.rst │ │ ├── V-71951.rst │ │ ├── V-71953.rst │ │ ├── V-71955.rst │ │ ├── V-71957.rst │ │ ├── V-71959.rst │ │ ├── V-71961.rst │ │ ├── V-71963.rst │ │ ├── V-71965.rst │ │ ├── V-71967.rst │ │ ├── V-71969.rst │ │ ├── V-71971.rst │ │ ├── V-71973.rst │ │ ├── V-71975.rst │ │ ├── V-71977.rst │ │ ├── V-71979.rst │ │ ├── V-71981.rst │ │ ├── V-71983.rst │ │ ├── V-71985.rst │ │ ├── V-71987.rst │ │ ├── V-71989.rst │ │ ├── V-71991.rst │ │ ├── V-71993.rst │ │ ├── V-71995.rst │ │ ├── V-71997.rst │ │ ├── V-71999.rst │ │ ├── V-72001.rst │ │ ├── V-72003.rst │ │ ├── V-72005.rst │ │ ├── V-72007.rst │ │ ├── V-72009.rst │ │ ├── V-72011.rst │ │ ├── V-72013.rst │ │ ├── V-72015.rst │ │ ├── V-72017.rst │ │ ├── V-72019.rst │ │ ├── V-72021.rst │ │ ├── V-72023.rst │ │ ├── V-72025.rst │ │ ├── V-72027.rst │ │ ├── V-72029.rst │ │ ├── V-72031.rst │ │ ├── V-72033.rst │ │ ├── V-72035.rst │ │ ├── V-72037.rst │ │ ├── V-72039.rst │ │ ├── V-72041.rst │ │ ├── V-72043.rst │ │ ├── V-72045.rst │ │ ├── V-72047.rst │ │ ├── V-72049.rst │ │ ├── 
V-72051.rst │ │ ├── V-72053.rst │ │ ├── V-72055.rst │ │ ├── V-72057.rst │ │ ├── V-72059.rst │ │ ├── V-72061.rst │ │ ├── V-72063.rst │ │ ├── V-72065.rst │ │ ├── V-72067.rst │ │ ├── V-72069.rst │ │ ├── V-72071.rst │ │ ├── V-72073.rst │ │ ├── V-72075.rst │ │ ├── V-72077.rst │ │ ├── V-72079.rst │ │ ├── V-72081.rst │ │ ├── V-72083.rst │ │ ├── V-72085.rst │ │ ├── V-72087.rst │ │ ├── V-72089.rst │ │ ├── V-72091.rst │ │ ├── V-72093.rst │ │ ├── V-72095.rst │ │ ├── V-72097.rst │ │ ├── V-72099.rst │ │ ├── V-72101.rst │ │ ├── V-72103.rst │ │ ├── V-72105.rst │ │ ├── V-72107.rst │ │ ├── V-72109.rst │ │ ├── V-72111.rst │ │ ├── V-72113.rst │ │ ├── V-72115.rst │ │ ├── V-72117.rst │ │ ├── V-72119.rst │ │ ├── V-72121.rst │ │ ├── V-72123.rst │ │ ├── V-72125.rst │ │ ├── V-72127.rst │ │ ├── V-72129.rst │ │ ├── V-72131.rst │ │ ├── V-72133.rst │ │ ├── V-72135.rst │ │ ├── V-72137.rst │ │ ├── V-72139.rst │ │ ├── V-72141.rst │ │ ├── V-72143.rst │ │ ├── V-72145.rst │ │ ├── V-72147.rst │ │ ├── V-72149.rst │ │ ├── V-72151.rst │ │ ├── V-72153.rst │ │ ├── V-72155.rst │ │ ├── V-72157.rst │ │ ├── V-72159.rst │ │ ├── V-72161.rst │ │ ├── V-72163.rst │ │ ├── V-72165.rst │ │ ├── V-72167.rst │ │ ├── V-72169.rst │ │ ├── V-72171.rst │ │ ├── V-72173.rst │ │ ├── V-72175.rst │ │ ├── V-72177.rst │ │ ├── V-72179.rst │ │ ├── V-72183.rst │ │ ├── V-72185.rst │ │ ├── V-72187.rst │ │ ├── V-72189.rst │ │ ├── V-72191.rst │ │ ├── V-72193.rst │ │ ├── V-72195.rst │ │ ├── V-72197.rst │ │ ├── V-72199.rst │ │ ├── V-72201.rst │ │ ├── V-72203.rst │ │ ├── V-72205.rst │ │ ├── V-72207.rst │ │ ├── V-72209.rst │ │ ├── V-72211.rst │ │ ├── V-72213.rst │ │ ├── V-72215.rst │ │ ├── V-72217.rst │ │ ├── V-72219.rst │ │ ├── V-72221.rst │ │ ├── V-72223.rst │ │ ├── V-72225.rst │ │ ├── V-72227.rst │ │ ├── V-72229.rst │ │ ├── V-72231.rst │ │ ├── V-72233.rst │ │ ├── V-72235.rst │ │ ├── V-72237.rst │ │ ├── V-72239.rst │ │ ├── V-72241.rst │ │ ├── V-72243.rst │ │ ├── V-72245.rst │ │ ├── V-72247.rst │ │ ├── V-72249.rst │ │ ├── V-72251.rst │ │ ├── 
V-72253.rst │ │ ├── V-72255.rst │ │ ├── V-72257.rst │ │ ├── V-72259.rst │ │ ├── V-72261.rst │ │ ├── V-72263.rst │ │ ├── V-72265.rst │ │ ├── V-72267.rst │ │ ├── V-72269.rst │ │ ├── V-72271.rst │ │ ├── V-72273.rst │ │ ├── V-72275.rst │ │ ├── V-72277.rst │ │ ├── V-72279.rst │ │ ├── V-72281.rst │ │ ├── V-72283.rst │ │ ├── V-72285.rst │ │ ├── V-72287.rst │ │ ├── V-72289.rst │ │ ├── V-72291.rst │ │ ├── V-72293.rst │ │ ├── V-72295.rst │ │ ├── V-72297.rst │ │ ├── V-72299.rst │ │ ├── V-72301.rst │ │ ├── V-72303.rst │ │ ├── V-72305.rst │ │ ├── V-72307.rst │ │ ├── V-72309.rst │ │ ├── V-72311.rst │ │ ├── V-72313.rst │ │ ├── V-72315.rst │ │ ├── V-72317.rst │ │ ├── V-72319.rst │ │ ├── V-72417.rst │ │ ├── V-72427.rst │ │ ├── V-72433.rst │ │ ├── V-72435.rst │ │ ├── V-73155.rst │ │ ├── V-73157.rst │ │ ├── V-73159.rst │ │ ├── V-73161.rst │ │ ├── V-73163.rst │ │ ├── V-73165.rst │ │ ├── V-73167.rst │ │ ├── V-73171.rst │ │ ├── V-73173.rst │ │ ├── V-73175.rst │ │ ├── V-73177.rst │ │ ├── V-77819.rst │ │ ├── V-77821.rst │ │ ├── V-77823.rst │ │ └── V-77825.rst │ ├── stig_to_rst.py │ ├── template_all_rhel7.j2 │ ├── template_doc_rhel7.j2 │ ├── template_toc_partial_rhel7.j2 │ └── template_toc_rhel7.j2 ├── requirements.txt └── source │ ├── _exts │ └── metadata-docs-rhel7.py │ ├── _static │ ├── .gitkeep │ └── ansible-hardening-logo.png │ ├── _themes │ └── openstack │ │ ├── layout.html │ │ ├── static │ │ ├── basic.css │ │ ├── default.css │ │ ├── header-line.gif │ │ ├── header_bg.jpg │ │ ├── nature.css │ │ ├── openstack_logo.png │ │ └── tweaks.css │ │ └── theme.conf │ ├── conf.py │ ├── contrib.rst │ ├── controls-rhel7.rst │ ├── developer-guide.rst │ ├── deviations.rst │ ├── domains.rst │ ├── faq.rst │ ├── getting-started.rst │ ├── index.rst │ └── rhel7 │ └── domains │ ├── accounts.rst │ ├── aide.rst │ ├── auditd.rst │ ├── auth.rst │ ├── file_perms.rst │ ├── graphical.rst │ ├── kernel.rst │ ├── lsm.rst │ ├── misc.rst │ ├── packages.rst │ └── sshd.rst ├── examples └── playbook.yml ├── files ├── 
20auto-upgrades ├── V-38682-modprobe.conf ├── ansible-hardening-disable-dccp.conf ├── dconf-profile-gdm ├── dconf-user-profile ├── login_banner.txt └── zypper-autoupdates ├── handlers └── main.yml ├── library └── get_users ├── manual-test.rc ├── meta ├── main.yml └── openstack-ansible.yml ├── releasenotes ├── notes │ ├── .placeholder │ ├── add-v38438-3f7e905892be4b4f.yaml │ ├── adding-v38526-381a407caa566b14.yaml │ ├── adding-v38548-9c51b30bf9780ff3.yaml │ ├── aide-exclude-run-4d3c97a2d08eb373.yaml │ ├── aide-initialization-fix-16ab0223747d7719.yaml │ ├── allow-custom-epel-release-packages-b409be1aa46ee9c3.yaml │ ├── auditing-mac-policy-changes-fb83e0260a6431ed.yaml │ ├── augenrules-restart-39fe3e1e2de3eaba.yaml │ ├── chrony-config-variable-7a1a7862c05c9675.yaml │ ├── chrony-ntp-server-defaults-7cd2e3a80723e0bd.yaml │ ├── chrony-ntp-server-options-f8f87225a5282e1a.yaml │ ├── chrony-rtc-sync-f46b9a526aec0889.yaml │ ├── conditionally-install-epel-9e8e1b67e5943019.yaml │ ├── configurable-martian-logging-370ede40b036db0b.yaml │ ├── customizable-login-banner-string-d8d5ae874e8e49f3.yaml │ ├── dictionary-variables-removed-957c7b7b2108ba1f.yaml │ ├── disable-check-of-package-checksums-by-default-3543840512c348d6.yaml │ ├── disable-failed-access-audit-logging-789dc01c8bcbef17.yaml │ ├── disable-graphical-interface-5db89cd1bef7e12d.yaml │ ├── disable-netconsole-service-915bb33449b4012c.yaml │ ├── disable-rpm-perms-fix-by-default-b164e39717f0ada7.yaml │ ├── disabling-rdisc-centos-75115b3509941bfa.yaml │ ├── enable-lsm-bae903e463079a3f.yaml │ ├── enable-tcp-syncookes-boolean-4a884a66a3a0e4d7.yaml │ ├── enable_aide-d9783c50675cb80f.yaml │ ├── fedora-26-support-70a304f9c97d1b37.yaml │ ├── fedora-27-support-a1e0c670e4fc5626.yaml │ ├── fedora-latest-support-bf58ecd96cc8fbd4.yaml │ ├── fix-audit-log-permission-bug-81a772e2e6d0a5b3.yaml │ ├── fix-check-mode-with-tags-bf798856a27c53eb.yaml │ ├── global-ntp-servers-155c1daef3680025.yaml │ ├── 
handling-sshd-match-stanzas-fa40b97689004e46.yaml │ ├── implemented-v38524-b357edec95128307.yaml │ ├── improved-audit-rule-keys-9fa85f758386446c.yaml │ ├── ntp-bind-local-interfaces-only-05f03de632e81097.yaml │ ├── package-state-6684c5634bdf127a.yaml │ ├── package-state-present-951161faa5384abd.yaml │ ├── password-lifetime-opt-in-c380f0ec81daffd0.yaml │ ├── permitrootlogin_options-a62e33ccc4a69657.yaml │ ├── reduce-auditd-logging-633677a74aee5481.yaml │ ├── remove-v72181-e29b9f5d9c971541.yaml │ ├── rhel-gpg-check-0b483a824314d1b3.yaml │ ├── rhel7-stig-default-f6c7c97498a8b2e7.yaml │ ├── rhel7-stig-v1r3-update-c533ed40ba609ccf.yaml │ ├── search-for-unlabeled-devices-cb047c5f767e93ce.yaml │ ├── shosts-file-search-opt-in-887f600a79eef07e.yaml │ ├── skip-sysctl-when-disabled-b32eca48df5b1437.yaml │ ├── sshd-permit-root-login-without-password-948ec79c6508c19b.yaml │ ├── stig-rhel7-version-1-renumbering-fiesta-aa047fea3ea35e74.yaml │ ├── support-for-centos-xenial-2b89c318cc3df4b0.yaml │ ├── unique-variable-migration-c0639030b495438f.yaml │ └── world-writable-file-search-optional-7420269230a0e22f.yaml └── source │ ├── 2023.2.rst │ ├── _static │ └── .placeholder │ ├── _templates │ └── .placeholder │ ├── conf.py │ ├── index.rst │ ├── newton.rst │ ├── ocata.rst │ ├── pike.rst │ ├── queens.rst │ ├── rocky.rst │ ├── stein.rst │ ├── train.rst │ ├── unreleased.rst │ ├── ussuri.rst │ ├── xena.rst │ └── zed.rst ├── run_tests.sh ├── tasks ├── contrib │ └── main.yml ├── main.yml └── rhel7stig │ ├── accounts.yml │ ├── aide.yml │ ├── apt.yml │ ├── async_tasks.yml │ ├── auditd.yml │ ├── auth.yml │ ├── dnf.yml │ ├── file_perms.yml │ ├── graphical.yml │ ├── kernel.yml │ ├── lsm.yml │ ├── main.yml │ ├── misc.yml │ ├── packages.yml │ ├── rpm.yml │ ├── sshd.yml │ ├── yum.yml │ └── zypper.yml ├── templates ├── ZZ_aide_exclusions.j2 ├── chrony.conf.j2 ├── dconf-gdm-banner-message.j2 ├── dconf-screensaver-lock.j2 ├── dconf-session-user-config-lockout.j2 ├── jail.local.j2 ├── 
osas-auditd-rhel7.j2 ├── pam_faillock.j2 └── pwquality.conf.j2 ├── test-requirements.txt ├── test_plugins └── el7_tests.py ├── tests ├── inventory └── test.yml ├── tox.ini ├── vars ├── debian.yml ├── main.yml ├── redhat-10.yml ├── redhat-7.yml ├── redhat-8.yml ├── redhat-9.yml └── suse.yml └── zuul.d └── project.yaml /.ansible-lint: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | skip_list: 4 | - "106" 5 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Compiled source # 2 | ################### 3 | *.com 4 | *.class 5 | *.dll 6 | *.exe 7 | *.o 8 | *.so 9 | *.pyc 10 | build/ 11 | dist/ 12 | doc/build/ 13 | deploy-guide/build/ 14 | 15 | # Packages # 16 | ############ 17 | # it's better to unpack these files and commit the raw source 18 | # git has its own built in compression methods 19 | *.7z 20 | *.dmg 21 | *.gz 22 | *.iso 23 | *.jar 24 | *.rar 25 | *.tar 26 | *.zip 27 | 28 | # Logs and databases # 29 | ###################### 30 | *.log 31 | *.sql 32 | *.sqlite 33 | logs/* 34 | 35 | # OS generated files # 36 | ###################### 37 | .DS_Store 38 | .DS_Store? 39 | ._* 40 | .Spotlight-V100 41 | .Trashes 42 | .idea 43 | .tox 44 | *.sublime* 45 | *.egg-info 46 | Icon? 
47 | ehthumbs.db 48 | Thumbs.db 49 | .eggs 50 | .coverage 51 | *.retry 52 | 53 | # User driven backup files # 54 | ############################ 55 | *.bak 56 | *.swp 57 | 58 | # Generated by pbr while building docs 59 | ###################################### 60 | AUTHORS 61 | ChangeLog 62 | 63 | # Files created by releasenotes build 64 | releasenotes/build 65 | 66 | # Vagrant artifacts 67 | .vagrant 68 | 69 | # run playbooks tests 70 | playbooks/root-include-playbook.yml 71 | playbooks/include-playbook.yml* 72 | playbooks/logs 73 | 74 | # ignore zanata/sphinx cache on translation job 75 | .zanata-cache/ 76 | doc/source/.doctrees/ 77 | 78 | # ignore fetched upper-constraints file during translation job 79 | upper-constraints.txt 80 | -------------------------------------------------------------------------------- /.gitreview: -------------------------------------------------------------------------------- 1 | [gerrit] 2 | host=review.opendev.org 3 | port=29418 4 | project=openstack/ansible-hardening.git 5 | -------------------------------------------------------------------------------- /CONTRIBUTING.rst: -------------------------------------------------------------------------------- 1 | The source repository for this project can be found at: 2 | 3 | https://opendev.org/openstack/ansible-hardening 4 | 5 | Pull requests submitted through GitHub are not monitored.
6 | 7 | To start contributing to OpenStack, follow the steps in the contribution guide 8 | to set up and use Gerrit: 9 | 10 | https://docs.openstack.org/contributors/code-and-documentation/quick-start.html 11 | 12 | Bugs should be filed on Launchpad: 13 | 14 | https://bugs.launchpad.net/openstack-ansible 15 | 16 | For more specific information about contributing to this repository, see the 17 | openstack-ansible contributor guide: 18 | 19 | https://docs.openstack.org/openstack-ansible/latest/contributor/contributing.html 20 | -------------------------------------------------------------------------------- /README.rst: -------------------------------------------------------------------------------- 1 | ======================== 2 | Team and repository tags 3 | ======================== 4 | 5 | .. image:: https://governance.openstack.org/tc/badges/ansible-hardening.svg 6 | :target: https://governance.openstack.org/tc/reference/tags/index.html 7 | 8 | .. Change things from this point on 9 | 10 | Security hardening for OpenStack-Ansible 11 | ---------------------------------------- 12 | 13 | Documentation for ansible-hardening is available in the `official 14 | OpenStack documentation site`_. 15 | 16 | .. _official OpenStack documentation site: https://docs.openstack.org/ansible-hardening/latest/ 17 | 18 | Other Information 19 | ------------------ 20 | 21 | More information about ansible-hardening can be found in the online 22 | documentation. 23 | 24 | * Documentation: https://docs.openstack.org/ansible-hardening/latest/ 25 | * Source: https://opendev.org/openstack/ansible-hardening/ 26 | * Release Notes: https://docs.openstack.org/releasenotes/ansible-hardening/ 27 | -------------------------------------------------------------------------------- /bindep.txt: -------------------------------------------------------------------------------- 1 | # This file facilitates OpenStack-CI package installation 2 | # before the execution of any tests.
3 | # 4 | # See the following for details: 5 | # - https://docs.openstack.org/infra/bindep/ 6 | # - https://opendev.org/opendev/bindep/ 7 | # 8 | # Even if the role does not make use of this facility, it 9 | # is better to have this file empty, otherwise OpenStack-CI 10 | # will fall back to installing its default packages which 11 | # will potentially be detrimental to the tests executed. 12 | 13 | # The gcc compiler 14 | gcc 15 | 16 | # Base requirements for Ubuntu 17 | git-core [platform:dpkg] 18 | libssl-dev [platform:dpkg] 19 | libffi-dev [platform:dpkg] 20 | python3 [platform:dpkg] 21 | python3-apt [platform:dpkg] 22 | python3-dev [platform:dpkg] 23 | 24 | # Base requirements for RPM distros 25 | gcc-c++ [platform:rpm] 26 | git [platform:rpm] 27 | libffi-devel [platform:rpm] 28 | openssl-devel [platform:rpm] 29 | python3-devel [platform:rpm] 30 | 31 | # For SELinux 32 | python3-libselinux [platform:redhat] 33 | python3-libsemanage [platform:redhat] 34 | 35 | # Required for compressing collected log files in CI 36 | gzip 37 | # Required to build language docs 38 | gettext 39 | 40 | # librsvg2 is needed for sphinxcontrib-svg2pdfconverter in docs builds. 41 | librsvg2-tools [doc platform:rpm] 42 | librsvg2-bin [doc platform:dpkg] 43 | -------------------------------------------------------------------------------- /doc/.gitignore: -------------------------------------------------------------------------------- 1 | # Auto-generated documentation 2 | source/auto_* 3 | source/rhel7/auto_* 4 | source/rhel7/domains/auto_* 5 | 6 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71849.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71849 3 | status: opt-in 4 | tag: file_perms 5 | --- 6 | 7 | .. note:: 8 | 9 | Ubuntu's ``debsums`` command does not support verification of permissions 10 | and ownership for files that were installed by packages.
This STIG 11 | requirement will be skipped on Ubuntu. 12 | 13 | The STIG requires that all files owned by an installed package have their 14 | permissions, user ownership, and group ownership set back to the vendor 15 | defaults. 16 | 17 | Although this is a good practice, it can cause issues if permissions or 18 | ownership were intentionally set after the packages were installed. It also 19 | causes significant delays in deployments. Therefore, this STIG is not applied 20 | by default. 21 | 22 | Deployers may opt in to the change by setting the following Ansible variable: 23 | 24 | .. code-block:: yaml 25 | 26 | security_reset_perm_ownership: yes 27 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71855.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71855 3 | status: opt-in 4 | tag: packages 5 | --- 6 | 7 | Ansible tasks will check the ``rpm -Va`` output (on CentOS, RHEL, openSUSE and SLE) or 8 | the output of ``debsums`` (on Ubuntu) to see if any files installed from packages 9 | have been altered. The tasks will print a list of files that have changed 10 | since their package was installed. 11 | 12 | Deployers should be most concerned with any checksum failures for binaries and 13 | their libraries. These are most often a sign of system compromise or poor 14 | system administration practices. 15 | 16 | Configuration files may appear in the list as well, but these are often less 17 | concerning since some of these files are adjusted by the security role itself. 18 | 19 | Generating and validating checksums of all files installed by packages consumes a 20 | significant amount of disk I/O and could impact the performance of a production system. 21 | It can also delay the playbook's completion. Therefore, the check is disabled by default. 22 | 23 | Deployers can enable the check by setting the following Ansible variable: 24 | 25 | ..
code-block:: yaml 26 | 27 | security_check_package_checksums: yes 28 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71859.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71859 3 | status: implemented 4 | tag: graphical 5 | --- 6 | 7 | The tasks in the security role configure ``dconf`` to display a login banner 8 | each time a graphical session starts on the system. The default banner message 9 | set by the role is: 10 | 11 | You are accessing a secured system and your actions will be logged along 12 | with identifying information. Disconnect immediately if you are not an 13 | authorized user of this system. 14 | 15 | Deployers can customize this message by setting an Ansible variable: 16 | 17 | .. code-block:: yaml 18 | 19 | security_enable_graphical_login_message_text: > 20 | This is a customized banner message. 21 | 22 | .. warning:: 23 | 24 | The dconf configuration does not support multi-line strings. Ensure that 25 | ``security_enable_graphical_login_message_text`` contains a single line 26 | of text. 27 | 28 | In addition, deployers can opt out of displaying a login banner message by 29 | changing ``security_enable_graphical_login_message`` to ``no``. 30 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71861.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71861 3 | status: implemented 4 | tag: graphical 5 | --- 6 | 7 | The security role configures a login banner for graphical logins using 8 | ``dconf``. Deployers can opt out of this change by setting the following 9 | Ansible variable: 10 | 11 | .. code-block:: yaml 12 | 13 | security_enable_graphical_login_message: no 14 | 15 | The message is customized by setting another Ansible variable: 16 | 17 | .. 
code-block:: yaml 18 | 19 | security_enable_graphical_login_message_text: > 20 | You are accessing a secured system and your actions will be logged along 21 | with identifying information. Disconnect immediately if you are not an 22 | authorized user of this system. 23 | 24 | .. note:: 25 | 26 | The space available for the graphical banner is relatively short. Deployers 27 | should limit the length of their graphical login banners to the shortest 28 | length possible. 29 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71863.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71863 3 | status: implemented 4 | tag: misc 5 | --- 6 | 7 | The security role already deploys a login banner for console logins with tasks 8 | from another STIG: 9 | 10 | * :ref:`stig-V-72225` 11 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71891.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71891 3 | status: implemented 4 | tag: graphical 5 | --- 6 | 7 | The STIG requires that graphical sessions are locked when the screensaver 8 | starts and that users must re-enter credentials to restore access to the 9 | system. The screensaver lock is enabled by default if ``dconf`` is present on 10 | the system. 11 | 12 | Deployers can opt out of this change by setting an Ansible variable: 13 | 14 | .. code-block:: yaml 15 | 16 | security_lock_session: no 17 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71893.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71893 3 | status: implemented 4 | tag: graphical 5 | --- 6 | 7 | The STIG requires that the screensaver appears when a session reaches a certain 8 | period of inactivity. 
The tasks will enable the screensaver for inactive 9 | sessions by default. 10 | 11 | Deployers can opt out of this change by setting an Ansible variable: 12 | 13 | .. code-block:: yaml 14 | 15 | security_lock_session_when_inactive: no 16 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71895.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71895 3 | status: implemented 4 | tag: graphical 5 | --- 6 | 7 | This control is implemented by the tasks for another control. Refer to the 8 | documentation for more details on the change and how to opt out: 9 | 10 | * :ref:`stig-V-71893` 11 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71897.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71897 3 | status: implemented 4 | tag: packages 5 | --- 6 | 7 | The role will ensure that the ``screen`` package is installed. 8 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71899.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71899 3 | status: implemented 4 | tag: graphical 5 | --- 6 | 7 | This control is implemented by the tasks for another control. Refer to the 8 | documentation for more details on the change and how to opt out: 9 | 10 | * :ref:`stig-V-71893` 11 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71901.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71901 3 | status: implemented 4 | tag: graphical 5 | --- 6 | 7 | The STIG requires that a graphical session is locked when the screensaver 8 | starts. This requires a user to re-enter their credentials to regain access to 9 | the system. 
10 | 11 | The tasks will set a timeout of 5 seconds after the screensaver has started 12 | before the session is locked. This gives a user a few seconds to press a key or 13 | wiggle their mouse after the screensaver appears without needing to re-enter 14 | their credentials. 15 | 16 | Deployers can adjust this timeout by setting an Ansible variable: 17 | 18 | .. code-block:: yaml 19 | 20 | security_lock_session_screensaver_lock_delay: 5 21 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71903.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71903 3 | status: opt-in 4 | tag: accounts 5 | --- 6 | 7 | The password quality requirements from the STIG are examples of good security 8 | practice, but deployers are strongly encouraged to use centralized 9 | authentication for administrative server access whenever possible. 10 | 11 | Password quality requirements are controlled by two Ansible variables: one for 12 | each individual password requirement and one "master switch" variable. The 13 | master switch variable controls all password requirements and it is **disabled 14 | by default**. 15 | 16 | Deployers can enable all password quality requirements by setting the master 17 | switch variable to ``yes``: 18 | 19 | .. code-block:: yaml 20 | 21 | security_pwquality_apply_rules: yes 22 | 23 | When the master switch variable is enabled, each individual password quality 24 | requirement can be disabled by a variable. To disable the fix for this STIG 25 | control, set the following Ansible variable: 26 | 27 | .. 
code-block:: yaml 28 | 29 | security_pwquality_require_uppercase: no 30 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71905.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71905 3 | status: opt-in 4 | tag: accounts 5 | --- 6 | 7 | The password quality requirements from the STIG are examples of good security 8 | practice, but deployers are strongly encouraged to use centralized 9 | authentication for administrative server access whenever possible. 10 | 11 | Password quality requirements are controlled by two Ansible variables: one for 12 | each individual password requirement and one "master switch" variable. The 13 | master switch variable controls all password requirements and it is **disabled 14 | by default**. 15 | 16 | Deployers can enable all password quality requirements by setting the master 17 | switch variable to ``yes``: 18 | 19 | .. code-block:: yaml 20 | 21 | security_pwquality_apply_rules: yes 22 | 23 | When the master switch variable is enabled, each individual password quality 24 | requirement can be disabled by a variable. To disable the fix for this STIG 25 | control, set the following Ansible variable: 26 | 27 | .. code-block:: yaml 28 | 29 | security_pwquality_require_lowercase: no 30 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71907.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71907 3 | status: opt-in 4 | tag: accounts 5 | --- 6 | 7 | The password quality requirements from the STIG are examples of good security 8 | practice, but deployers are strongly encouraged to use centralized 9 | authentication for administrative server access whenever possible. 10 | 11 | Password quality requirements are controlled by two Ansible variables: one for 12 | each individual password requirement and one "master switch" variable. 
The 13 | master switch variable controls all password requirements and it is **disabled 14 | by default**. 15 | 16 | Deployers can enable all password quality requirements by setting the master 17 | switch variable to ``yes``: 18 | 19 | .. code-block:: yaml 20 | 21 | security_pwquality_apply_rules: yes 22 | 23 | When the master switch variable is enabled, each individual password quality 24 | requirement can be disabled by a variable. To disable the fix for this STIG 25 | control, set the following Ansible variable: 26 | 27 | .. code-block:: yaml 28 | 29 | security_pwquality_require_numeric: no 30 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71909.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71909 3 | status: opt-in 4 | tag: accounts 5 | --- 6 | 7 | The password quality requirements from the STIG are examples of good security 8 | practice, but deployers are strongly encouraged to use centralized 9 | authentication for administrative server access whenever possible. 10 | 11 | Password quality requirements are controlled by two Ansible variables: one for 12 | each individual password requirement and one "master switch" variable. The 13 | master switch variable controls all password requirements and it is **disabled 14 | by default**. 15 | 16 | Deployers can enable all password quality requirements by setting the master 17 | switch variable to ``yes``: 18 | 19 | .. code-block:: yaml 20 | 21 | security_pwquality_apply_rules: yes 22 | 23 | When the master switch variable is enabled, each individual password quality 24 | requirement can be disabled by a variable. To disable the fix for this STIG 25 | control, set the following Ansible variable: 26 | 27 | .. 
code-block:: yaml 28 | 29 | security_pwquality_require_special: no 30 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71911.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71911 3 | status: opt-in 4 | tag: accounts 5 | --- 6 | 7 | The password quality requirements from the STIG are examples of good security 8 | practice, but deployers are strongly encouraged to use centralized 9 | authentication for administrative server access whenever possible. 10 | 11 | Password quality requirements are controlled by two Ansible variables: one for 12 | each individual password requirement and one "master switch" variable. The 13 | master switch variable controls all password requirements and it is **disabled 14 | by default**. 15 | 16 | Deployers can enable all password quality requirements by setting the master 17 | switch variable to ``yes``: 18 | 19 | .. code-block:: yaml 20 | 21 | security_pwquality_apply_rules: yes 22 | 23 | When the master switch variable is enabled, each individual password quality 24 | requirement can be disabled by a variable. To disable the fix for this STIG 25 | control, set the following Ansible variable: 26 | 27 | .. code-block:: yaml 28 | 29 | security_pwquality_require_characters_changed: no 30 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71913.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71913 3 | status: opt-in 4 | tag: accounts 5 | --- 6 | 7 | The password quality requirements from the STIG are examples of good security 8 | practice, but deployers are strongly encouraged to use centralized 9 | authentication for administrative server access whenever possible. 
10 | 11 | Password quality requirements are controlled by two Ansible variables: one for 12 | each individual password requirement and one "master switch" variable. The 13 | master switch variable controls all password requirements and it is **disabled 14 | by default**. 15 | 16 | Deployers can enable all password quality requirements by setting the master 17 | switch variable to ``yes``: 18 | 19 | .. code-block:: yaml 20 | 21 | security_pwquality_apply_rules: yes 22 | 23 | When the master switch variable is enabled, each individual password quality 24 | requirement can be disabled by a variable. To disable the fix for this STIG 25 | control, set the following Ansible variable: 26 | 27 | .. code-block:: yaml 28 | 29 | security_pwquality_require_character_classes_changed: no 30 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71915.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71915 3 | status: opt-in 4 | tag: accounts 5 | --- 6 | 7 | The password quality requirements from the STIG are examples of good security 8 | practice, but deployers are strongly encouraged to use centralized 9 | authentication for administrative server access whenever possible. 10 | 11 | Password quality requirements are controlled by two Ansible variables: one for 12 | each individual password requirement and one "master switch" variable. The 13 | master switch variable controls all password requirements and it is **disabled 14 | by default**. 15 | 16 | Deployers can enable all password quality requirements by setting the master 17 | switch variable to ``yes``: 18 | 19 | .. code-block:: yaml 20 | 21 | security_pwquality_apply_rules: yes 22 | 23 | When the master switch variable is enabled, each individual password quality 24 | requirement can be disabled by a variable. To disable the fix for this STIG 25 | control, set the following Ansible variable: 26 | 27 | .. 
code-block:: yaml 28 | 29 | security_pwquality_limit_repeated_characters: no 30 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71917.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71917 3 | status: opt-in 4 | tag: accounts 5 | --- 6 | 7 | The password quality requirements from the STIG are examples of good security 8 | practice, but deployers are strongly encouraged to use centralized 9 | authentication for administrative server access whenever possible. 10 | 11 | Password quality requirements are controlled by two Ansible variables: one for 12 | each individual password requirement and one "master switch" variable. The 13 | master switch variable controls all password requirements and it is **disabled 14 | by default**. 15 | 16 | Deployers can enable all password quality requirements by setting the master 17 | switch variable to ``yes``: 18 | 19 | .. code-block:: yaml 20 | 21 | security_pwquality_apply_rules: yes 22 | 23 | When the master switch variable is enabled, each individual password quality 24 | requirement can be disabled by a variable. To disable the fix for this STIG 25 | control, set the following Ansible variable: 26 | 27 | .. code-block:: yaml 28 | 29 | security_pwquality_limit_repeated_character_classes: no 30 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71919.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71919 3 | status: implemented 4 | tag: accounts 5 | --- 6 | 7 | The PAM configuration file for password storage is checked to ensure that 8 | ``sha512`` is found on the ``pam_unix.so`` line. If ``sha512`` is not found, 9 | a debug message is printed in the Ansible output. 
10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71921.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71921 3 | status: implemented 4 | tag: accounts 5 | --- 6 | 7 | The default password storage mechanism for Ubuntu 16.04, CentOS 7, openSUSE Leap, 8 | SUSE Linux Enterprise 12 and Red Hat Enterprise Linux 7 is ``SHA512`` and the tasks 9 | in the security role ensure that the default is maintained. 10 | 11 | Deployers can configure a different password storage mechanism by setting the 12 | following Ansible variable: 13 | 14 | .. code-block:: yaml 15 | 16 | security_password_encrypt_method: SHA512 17 | 18 | .. warning:: 19 | 20 | SHA512 is the default on most modern Linux distributions and it meets the 21 | requirement of the STIG. Do not change the value unless a system has 22 | a specific need for a different password mechanism. 23 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71923.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71923 3 | status: implemented - red hat only 4 | tag: accounts 5 | --- 6 | 7 | The role ensures that ``crypt_style`` is set to ``sha512`` in 8 | ``/etc/libuser.conf``, which is the default for CentOS 7 and Red Hat Enterprise 9 | Linux 7. 10 | 11 | Ubuntu, openSUSE and SUSE Linux Enterprise 12 do not use ``libuser``, so this change 12 | is not applicable. 13 | 14 | Deployers can opt out of this change by setting the following Ansible variable: 15 | 16 | .. 
code-block:: yaml 17 | 18 | security_libuser_crypt_style_sha512: no 19 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71925.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71925 3 | status: opt-in 4 | tag: accounts 5 | --- 6 | 7 | Although the STIG requires that all passwords have a minimum lifetime set, this 8 | can cause issues in some production environments. Therefore, deployers must opt 9 | in for this change. 10 | 11 | Set the following Ansible variable to an integer (in days) to enable this 12 | setting: 13 | 14 | .. code-block:: yaml 15 | 16 | security_password_min_lifetime_days: 1 17 | 18 | The STIG requires the minimum lifetime for passwords to be one day. 19 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71927.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71927 3 | status: opt-in 4 | tag: accounts 5 | --- 6 | 7 | Setting a minimum password lifetime on interactive user accounts provides 8 | security benefits by limiting the frequency of password changes. However, this 9 | can cause login problems for users without proper communication and 10 | coordination. 11 | 12 | Deployers can opt-in for this change by setting the following Ansible variable: 13 | 14 | .. code-block:: yaml 15 | 16 | security_set_minimum_password_lifetime: yes 17 | 18 | The tasks will examine each interactive user account and set the minimum 19 | password age if the existing setting is not equal to one day. 
20 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71929.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71929 3 | status: opt-in 4 | tag: accounts 5 | --- 6 | 7 | Although the STIG requires that all passwords have a maximum lifetime set, this 8 | can cause authentication disruptions in production environments if users are 9 | not aware that their password will expire. Therefore, this change is not 10 | applied by default. 11 | 12 | Deployers can opt in for this change and provide a maximum lifetime for user 13 | passwords (in days) by setting the following Ansible variable: 14 | 15 | .. code-block:: yaml 16 | 17 | security_password_max_lifetime_days: 60 18 | 19 | The STIG requires that all passwords expire after 60 days. 20 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71931.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71931 3 | status: opt-in 4 | tag: accounts 5 | --- 6 | 7 | Although the STIG requires that a maximum password lifetime is set for all 8 | interactive user accounts, the security benefits of this configuration are 9 | debatable. The `draft of NIST Publication 800-63B`_ argues that password 10 | rotation may reduce overall security in some situations. 11 | 12 | Deployers can opt-in for this change by setting the following Ansible variable: 13 | 14 | .. code-block:: yaml 15 | 16 | security_set_maximum_password_lifetime: yes 17 | 18 | The tasks will examine each interactive user account and set the maximum 19 | password age if the existing setting is not equal to 60 days. 20 | 21 | .. 
_draft of NIST Publication 800-63B: https://pages.nist.gov/800-63-3/sp800-63b.html 22 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71933.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71933 3 | status: opt-in 4 | tag: accounts 5 | --- 6 | 7 | Although the STIG requires that five passwords are remembered to prevent re- 8 | use, this can cause issues in production environments if the change is not 9 | communicated well to users. Therefore, the tasks in the security role do not 10 | apply this change by default. 11 | 12 | Deployers can opt in for the change and specify a number of passwords to 13 | remember by setting the following Ansible variable: 14 | 15 | .. code-block:: yaml 16 | 17 | security_password_remember_password: 5 18 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71935.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71935 3 | status: opt-in 4 | tag: accounts 5 | --- 6 | 7 | Although the STIG requires that passwords have a minimum length of 15 8 | characters, this change might be disruptive to users on a production system 9 | without communicating the change first. Therefore, this change is not applied 10 | by default. 11 | 12 | Deployers can opt in for the change by setting the following Ansible variable: 13 | 14 | .. code-block:: yaml 15 | 16 | security_pwquality_require_minimum_password_length: yes 17 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71937.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71937 3 | status: implemented 4 | tag: auth 5 | --- 6 | 7 | The Ansible tasks will ensure that PAM is configured to disallow logins from 8 | accounts with null or blank passwords. 
This involves removing a single option 9 | from one of the PAM configuration files: 10 | 11 | * CentOS or RHEL: removes ``nullok`` from ``/etc/pam.d/system-auth`` 12 | * Ubuntu: removes ``nullok_secure`` from ``/etc/pam.d/common-auth`` 13 | * openSUSE Leap or SLE: removes ``nullok`` from ``/etc/pam.d/common-auth`` and ``/etc/pam.d/common-password`` 14 | 15 | Deployers can opt-out of this change by setting the following Ansible variable: 16 | 17 | .. code-block:: yaml 18 | 19 | security_disallow_blank_password_login: no 20 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71939.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71939 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | The ``PermitEmptyPasswords`` configuration will be set to ``no`` in 8 | ``/etc/ssh/sshd_config`` and sshd will be restarted. This disallows logins over 9 | ssh for users with an empty or null password set. 10 | 11 | Deployers can opt-out of this change by setting the following Ansible variable: 12 | 13 | .. code-block:: yaml 14 | 15 | security_sshd_disallow_empty_password: no 16 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71941.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71941 3 | status: opt-in 4 | tag: accounts 5 | --- 6 | 7 | The STIG requires that user accounts are disabled when their password expires. 8 | This might be disruptive for some users or for automated processes. Therefore, 9 | the tasks in the security role do not apply this change by default. 10 | 11 | Deployers can opt in for this change by setting the following Ansible variable: 12 | 13 | .. 
code-block:: yaml 14 | 15 | security_disable_account_if_password_expires: yes 16 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71943.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71943 3 | status: opt-in - Red Hat Only 4 | tag: auth 5 | --- 6 | 7 | This STIG control is implemented by: 8 | 9 | * :ref:`stig-V-71945` 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71947.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71947 3 | status: exception - manual intervention 4 | tag: auth 5 | --- 6 | 7 | The STIG requires all users to authenticate when using ``sudo``, but this 8 | change can be highly disruptive for automated scripts or applications that 9 | cannot perform interactive authentication. Automated edits from Ansible tasks 10 | might cause authentication disruptions on some hosts, and deployers are urged 11 | to carefully review each use of the ``NOPASSWD`` directive in their ``sudo`` 12 | configuration files. 13 | 14 | Deployers can opt-out of this change by setting an Ansible variable: 15 | 16 | .. code-block:: yaml 17 | 18 | security_sudoers_nopasswd_check_enable: no 19 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71949.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71949 3 | status: exception - manual intervention 4 | tag: auth 5 | --- 6 | 7 | The STIG requires all users to re-authenticate when using ``sudo``, but this 8 | change can be highly disruptive for automated scripts or applications that 9 | cannot perform interactive authentication. 
Automated edits from Ansible tasks 10 | might cause authentication disruptions on some hosts, and deployers are urged 11 | to carefully review each use of the ``!authenticate`` directive in their 12 | ``sudo`` configuration files. 13 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71951.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71951 3 | status: implemented 4 | tag: accounts 5 | --- 6 | 7 | The tasks in the Ansible role set a four-second delay between failed login 8 | attempts. Deployers can configure a different delay (in seconds) by setting the 9 | following Ansible variable: 10 | 11 | .. code-block:: yaml 12 | 13 | security_shadow_utils_fail_delay: 4 14 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71953.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71953 3 | status: implemented 4 | tag: graphical 5 | --- 6 | 7 | If ``AutomaticLoginEnable=true`` exists in the gdm configuration file, 8 | ``/etc/gdm/custom.conf``, the configuration will be removed. This disallows 9 | automatic logins for gdm and requires a user to complete the username and 10 | password prompts. 11 | 12 | Deployers can opt-out of this change by setting an Ansible variable: 13 | 14 | .. code-block:: yaml 15 | 16 | security_disable_gdm_automatic_login: no 17 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71955.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71955 3 | status: implemented 4 | tag: graphical 5 | --- 6 | 7 | If ``TimedLoginEnable=true`` exists in the gdm configuration file, 8 | ``/etc/gdm/custom.conf``, the configuration will be removed. This disallows timed 9 | logins for guest users in gdm. 
10 | 11 | Deployers can opt-out of this change by setting an Ansible variable: 12 | 13 | .. code-block:: yaml 14 | 15 | security_disable_gdm_timed_login: no 16 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71957.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71957 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | The ``PermitUserEnvironment`` configuration is set to ``no`` in 8 | ``/etc/ssh/sshd_config`` and sshd is restarted. 9 | 10 | Deployers can opt out of this change by setting the following Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_sshd_disallow_environment_override: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71959.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71959 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | The ``HostbasedAuthentication`` configuration is set to ``no`` in 8 | ``/etc/ssh/sshd_config`` and sshd is restarted. 9 | 10 | Deployers can opt out of this change by setting the following Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_sshd_disallow_host_based_auth: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71961.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71961 3 | status: opt-in 4 | tag: misc 5 | --- 6 | 7 | Although the STIG requires that GRUB 2 asks for a password whenever a user 8 | attempts to enter single-user or maintenance mode, this change might be 9 | disruptive in an emergency situation. Therefore, this change is not applied by 10 | default. 11 | 12 | Deployers that wish to opt in for this change should set two Ansible variables: 13 | 14 | .. 
code-block:: yaml 15 | 16 | security_require_grub_authentication: yes 17 | security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC... 18 | 19 | The default password set in the security role is 'secrete', but deployers 20 | should set a much more secure password for production environments. Use the 21 | ``grub2-mkpasswd-pbkdf2`` command to create a password hash string and use it 22 | as the value for the Ansible variable ``security_grub_password_hash``. 23 | 24 | .. warning:: 25 | 26 | This change must be tested in a non-production environment first. Requiring 27 | authentication in GRUB 2 without proper communication to users could cause 28 | extensive delays in emergency situations. 29 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71963.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71963 3 | status: opt-in 4 | tag: misc 5 | --- 6 | 7 | The tasks in the security role for V-71961 will also apply changes to 8 | systems that use UEFI. For more details, refer to the following documentation: 9 | 10 | * :ref:`stig-V-71961` 11 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71965.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71965 3 | status: exception - manual intervention 4 | tag: auth 5 | --- 6 | 7 | Deploying multi-factor authentication methods, including smart cards, is a 8 | complicated process that requires preparation and communication. This work is 9 | left to deployers to complete manually. 
10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71967.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71967 3 | status: implemented 4 | tag: packages 5 | --- 6 | 7 | The role will remove the ``rsh-server`` package from the system if it is 8 | installed. Deployers can opt-out of this change by setting the following 9 | Ansible variable: 10 | 11 | .. code-block:: yaml 12 | 13 | security_rhel7_remove_rsh_server: no 14 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71969.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71969 3 | status: implemented 4 | tag: packages 5 | --- 6 | 7 | The role will remove the NIS server package from the system if it is 8 | installed. The package name differs between Linux distributions: 9 | 10 | * CentOS: ``ypserv`` 11 | * Ubuntu: ``nis`` 12 | * openSUSE Leap: ``ypserv`` 13 | 14 | Deployers can opt-out of this change by setting the following Ansible variable: 15 | 16 | .. code-block:: yaml 17 | 18 | security_rhel7_remove_ypserv: no 19 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71971.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71971 3 | status: exception - manual intervention 4 | tag: auth 5 | --- 6 | 7 | The tasks in the security role cannot determine the access levels of individual 8 | users. 9 | 10 | Deployers are strongly encouraged to configure SELinux user confinement on 11 | compatible systems using ``semanage login``. Refer to the 12 | `Confining Existing Linux Users`_ documentation from Red Hat for detailed 13 | information and command line examples. 14 | 15 | .. 
_Confining Existing Linux Users: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html 16 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71973.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71973 3 | status: opt-in 4 | tag: aide 5 | --- 6 | 7 | Initializing the AIDE database and completing the first AIDE run causes 8 | increased disk I/O and CPU usage for extended periods. Therefore, the AIDE 9 | database is not automatically initialized by the tasks in the security role. 10 | 11 | Deployers can enable the AIDE database initialization within the security role 12 | by setting the following Ansible variable: 13 | 14 | .. code-block:: yaml 15 | 16 | security_rhel7_initialize_aide: yes 17 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71975.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71975 3 | status: implemented 4 | tag: aide 5 | --- 6 | 7 | The cron job for AIDE is configured to send emails to the root user after each 8 | AIDE run. 9 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71977.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71977 3 | status: implemented 4 | tag: packages 5 | --- 6 | 7 | On Ubuntu systems, the tasks check for the ``AllowUnauthenticated`` string 8 | anywhere in the apt configuration files found within ``/etc/apt/apt.conf.d/``. 9 | If the string is found, a warning is printed on the console. 10 | 11 | On CentOS 7 systems, the tasks set the ``gpgcheck`` option to ``1`` in the 12 | ``/etc/yum.conf`` file. 
This enables GPG checks for all packages installed 13 | with ``yum``. 14 | 15 | On openSUSE Leap systems, the tasks set the ``gpgcheck`` option to ``1`` in the 16 | ``/etc/zypp/zypp.conf`` file. This enables GPG checks for all packages installed 17 | with ``zypper``. 18 | 19 | Setting ``security_enable_gpgcheck_packages`` to ``no`` will skip the 20 | ``AllowUnauthenticated`` string check on Ubuntu and it will set ``gpgcheck=0`` 21 | in ``/etc/yum.conf`` or ``/etc/zypp/zypp.conf`` on CentOS and openSUSE Leap systems 22 | respectively. 23 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71979.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71979 3 | status: implemented 4 | tag: packages 5 | --- 6 | 7 | On Ubuntu systems, the tasks comment out the ``no-debsig`` configuration line 8 | in ``/etc/dpkg/dpkg.cfg``. This causes ``dpkg`` to verify GPG signatures for 9 | all packages that are installed locally. 10 | 11 | On CentOS 7 systems, the tasks set the ``localpkg_gpgcheck`` option to ``1`` in 12 | the ``/etc/yum.conf`` file. This enables GPG checks for all packages installed 13 | locally with ``yum``. 14 | 15 | On openSUSE Leap systems, the tasks set the ``gpgcheck`` option to ``1`` in the 16 | ``/etc/zypp/zypp.conf`` file. This enables GPG checks for all packages installed 17 | with ``zypper``. 18 | 19 | Setting ``security_enable_gpgcheck_packages_local`` to ``no`` will skip the 20 | ``no-debsig`` adjustment on Ubuntu and it will set ``localpkg_gpgcheck=0`` in 21 | ``/etc/yum.conf`` on CentOS systems. Similarly, on openSUSE Leap systems, it will set 22 | ``gpgcheck=0`` in ``/etc/zypp/zypp.conf``. 
23 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71981.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71981 3 | status: opt-in 4 | tag: packages 5 | --- 6 | 7 | The STIG requires that repository XML files are verified during ``yum`` runs. 8 | 9 | .. warning:: 10 | 11 | This setting is disabled by default because it can cause issues with CentOS 12 | systems and prevent them from retrieving repository information. Deployers 13 | who choose to enable this setting should test it thoroughly on 14 | non-production environments before applying it to production systems. 15 | 16 | Deployers can override this default and opt in for the change by setting the 17 | following Ansible variable: 18 | 19 | .. code-block:: yaml 20 | 21 | security_enable_gpgcheck_repo: yes 22 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71983.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71983 3 | status: opt-in 4 | tag: kernel 5 | --- 6 | 7 | The tasks in the security role disable the ``usb-storage`` module and the 8 | change is applied the next time the server is rebooted. 9 | 10 | Deployers can opt out of this change by setting the following Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_disable_usb_storage: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71985.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71985 3 | status: implemented 4 | tag: misc 5 | --- 6 | 7 | The ``autofs`` service is stopped and disabled if it is found on the system. 8 | Deployers can opt out of this change by setting the following Ansible variable: 9 | 10 | .. 
code-block:: yaml 11 | 12 | security_rhel7_disable_autofs: no 13 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71987.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71987 3 | status: opt-in 4 | tag: packages 5 | --- 6 | 7 | Although the STIG requires that dependent packages are removed automatically 8 | when a package is removed, this can cause problems with certain packages, 9 | especially kernels. Deployers must opt in to meet the requirements of this STIG 10 | control. 11 | 12 | Deployers should set the following variable to enable automatic dependent 13 | package removal: 14 | 15 | .. code-block:: yaml 16 | 17 | security_package_clean_on_remove: yes 18 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71989.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71989 3 | status: implemented 4 | tag: lsm 5 | --- 6 | 7 | The tasks in the security role enable the appropriate Linux Security Module 8 | (LSM) for the operating system. 9 | 10 | For Ubuntu, openSUSE and SUSE Linux Enterprise 12 systems, AppArmor is installed and 11 | enabled. This change takes effect immediately. 12 | 13 | For CentOS or Red Hat Enterprise Linux systems, SELinux is enabled (in 14 | enforcing mode) and its user tools are automatically installed. If SELinux is 15 | not in enforcing mode already, a reboot is required to enable SELinux and 16 | relabel the filesystem. 17 | 18 | .. warning:: 19 | 20 | Relabeling a filesystem takes time and the server must be offline for the 21 | relabeling to complete. Filesystems with large amounts of files and 22 | filesystems on slow disks will cause the relabeling process to take more 23 | time. 24 | 25 | Deployers can opt out of this change by setting the following Ansible variable: 26 | 27 | .. 
code-block:: yaml 28 | 29 | security_rhel7_enable_linux_security_module: no 30 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71991.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71991 3 | status: implemented 4 | tag: misc 5 | --- 6 | 7 | The SELinux targeted policy is enabled on CentOS 7 and Red Hat systems. 8 | AppArmor only has one set of policies, so this change has no effect on Ubuntu, 9 | openSUSE Leap and SUSE systems running AppArmor. 10 | 11 | For more information on this change and how to opt out, refer to 12 | :ref:`stig-V-71989`. 13 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71993.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71993 3 | status: implemented 4 | tag: misc 5 | --- 6 | 7 | The tasks in the security role disable the control-alt-delete key sequence by 8 | masking its systemd service unit. 9 | 10 | Deployers can opt out of this change by setting the following Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_disable_ctrl_alt_delete: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71997.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71997 3 | status: exception - manual intervention 4 | tag: packages 5 | --- 6 | 7 | The STIG requires that the current release of the operating system is still 8 | supported and is actively receiving security updates. Deployers are urged to 9 | stay current with the latest releases from Ubuntu, SUSE, CentOS and Red Hat. 
10 | 11 | The following links provide more details on end of life (EOL) dates for the 12 | distributions supported by this role: 13 | 14 | * `Ubuntu releases `_ 15 | * `CentOS EOL dates `_ 16 | * `Red Hat Enterprise Linux Life Cycle `_ 17 | * `openSUSE EOL dates `_ 18 | * `SUSE Linux Enterprise `_ 19 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-71999.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-71999 3 | status: opt-in 4 | tag: packages 5 | --- 6 | 7 | Although the STIG requires that security patches and updates are applied when 8 | they are made available, this might be disruptive to some systems. Therefore, 9 | the tasks in the security role will not configure automatic updates by default. 10 | 11 | Deployers can opt in for automatic package updates by setting the following 12 | Ansible variable: 13 | 14 | .. code-block:: yaml 15 | 16 | security_rhel7_automatic_package_updates: yes 17 | 18 | When enabled, the tasks install and configure ``yum-cron`` on CentOS and Red 19 | Hat Enterprise Linux. On Ubuntu systems, the ``unattended-upgrades`` package 20 | is installed and configured. On openSUSE Leap and SUSE Linux Enterprise systems, 21 | a daily cronjob is installed. 22 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72001.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72001 3 | status: exception - manual intervention 4 | tag: auth 5 | --- 6 | 7 | Deployers are strongly urged to review the list of user accounts on each server 8 | regularly. Evaluation of user accounts must be done on a case-by-case basis and 9 | the tasks in the security role are unable to determine which user accounts are 10 | valid. Deployers must complete this work manually. 
11 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72003.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72003 3 | status: implemented 4 | tag: accounts 5 | --- 6 | 7 | If any users are found with invalid GIDs, those users are printed in the 8 | Ansible output. Deployers should review the list and ensure all users are 9 | assigned to a valid group that is defined in ``/etc/group``. 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72005.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72005 3 | status: implemented 4 | tag: accounts 5 | --- 6 | 7 | If an account with UID 0 other than ``root`` exists on the system, the playbook 8 | will fail with an error message that includes the other accounts which have a 9 | UID of 0. 10 | 11 | Deployers are strongly urged to keep only one account with UID 0, ``root``, and 12 | to use ``sudo`` in any situation where root access is required. 13 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72007.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72007 3 | status: opt-in 4 | tag: file_perms 5 | --- 6 | 7 | Searching an entire filesystem with ``find`` reduces system performance and 8 | might impact certain applications negatively. Therefore, the search for files 9 | and directories with an invalid owner is **disabled by default**. 10 | 11 | Deployers can opt in for this search by setting the following Ansible variable: 12 | 13 | .. code-block:: yaml 14 | 15 | security_search_for_invalid_owner: yes 16 | 17 | Any files or directories without a valid user owner are displayed in the 18 | Ansible output. 
19 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72009.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72009 3 | status: opt-in 4 | tag: file_perms 5 | --- 6 | 7 | Searching an entire filesystem with ``find`` reduces system performance and 8 | might impact certain applications negatively. Therefore, the search for files 9 | and directories with an invalid group owner is **disabled by default**. 10 | 11 | Deployers can opt in for this search by setting the following Ansible variable: 12 | 13 | .. code-block:: yaml 14 | 15 | security_search_for_invalid_group_owner: yes 16 | 17 | Any files or directories without a valid group owner are displayed in the 18 | Ansible output. 19 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72011.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72011 3 | status: implemented 4 | tag: accounts 5 | --- 6 | 7 | The usernames of all users without home directories assigned are provided in 8 | the Ansible console output. Deployers should use this list of usernames to 9 | audit each system to ensure every user has a valid home directory. 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72013.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72013 3 | status: implemented 4 | tag: accounts 5 | --- 6 | 7 | The ``CREATE_HOME`` variable is set to ``yes`` by the tasks in the security 8 | role. This ensures that home directories are created each time a new user 9 | account is created. 10 | 11 | Deployers can opt out of this change by setting the following Ansible variable: 12 | 13 | .. code-block:: yaml 14 | 15 | security_shadow_utils_create_home: no 16 | 17 | .. 
note:: 18 | 19 | On CentOS 7, Red Hat Enterprise Linux 7 systems, openSUSE Leap and SUSE 20 | Linux Enterprise 12, home directories are always created with new users by default. 21 | Home directories are not created by default on Ubuntu systems. 22 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72015.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72015 3 | status: implemented 4 | tag: accounts 5 | --- 6 | 7 | Each interactive user on the system is checked to verify that their assigned 8 | home directory exists on the filesystem. If a home directory is missing, the 9 | name of the user and their assigned home directory is printed in the Ansible 10 | console output. 11 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72017.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72017 3 | status: opt-in 4 | tag: file_perms 5 | --- 6 | 7 | Although the STIG requires that all home directories have the proper owner, 8 | group owner, and permissions, these changes might be disruptive in some 9 | environments. These tasks are not executed by default. 10 | 11 | Deployers can opt in for the following changes to each home directory: 12 | 13 | * Permissions are set to ``0750`` at a maximum. If permissions are already 14 | more restrictive than ``0750``, the permissions are left unchanged. 15 | 16 | * User ownership is set to the ``UID`` of the user. 17 | 18 | * Group ownership is set to the ``GID`` of the user. 19 | 20 | Deployers can opt in for these changes by setting the following Ansible 21 | variable: 22 | 23 | .. 
code-block:: yaml 24 | 25 | security_set_home_directory_permissions_and_owners: yes 26 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72019.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72019 3 | status: opt-in 4 | tag: file_perms 5 | --- 6 | 7 | This control is implemented by the tasks for another control. Refer to the 8 | documentation for more details on the change and how to opt out: 9 | 10 | * :ref:`stig-V-72017` 11 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72021.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72021 3 | status: opt-in 4 | tag: file_perms 5 | --- 6 | 7 | This control is implemented by the tasks for another control. Refer to the 8 | documentation for more details on the change and how to opt out: 9 | 10 | * :ref:`stig-V-72017` 11 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72023.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72023 3 | status: exception - manual intervention 4 | tag: file_perms 5 | --- 6 | 7 | Although the STIG has requirements for ownership and permissions of files and 8 | directories in each user's home directory, broad changes to these settings 9 | might cause disruptions to users on a system. Therefore, these changes are left 10 | to deployers to examine and adjust manually. 
11 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72025.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72025 3 | status: exception - manual intervention 4 | tag: file_perms 5 | --- 6 | 7 | Although the STIG has requirements for ownership and permissions of files and 8 | directories in each user's home directory, broad changes to these settings 9 | might cause disruptions to users on a system. Therefore, these changes are left 10 | to deployers to examine and adjust manually. 11 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72027.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72027 3 | status: exception - manual intervention 4 | tag: file_perms 5 | --- 6 | 7 | Although the STIG has requirements for ownership and permissions of files and 8 | directories in each user's home directory, broad changes to these settings 9 | might cause disruptions to users on a system. Therefore, these changes are left 10 | to deployers to examine and adjust manually. 11 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72029.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72029 3 | status: exception - manual intervention 4 | tag: file_perms 5 | --- 6 | 7 | Although the STIG requires that all initialization files for interactive users 8 | have proper owners, group owners, and permissions, these changes are often 9 | disruptive for users. The tasks in the security role do not make any changes 10 | to user initialization files. 11 | 12 | Deployers should review the content and discretionary access controls applied 13 | to each user's initialization files in their home directory. 
14 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72031.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72031 3 | status: exception - manual intervention 4 | tag: file_perms 5 | --- 6 | 7 | Although the STIG requires that all initialization files for interactive users 8 | have proper owners, group owners, and permissions, these changes are often 9 | disruptive for users. The tasks in the security role do not make any changes 10 | to user initialization files. 11 | 12 | Deployers should review the content and discretionary access controls applied 13 | to each user's initialization files in their home directory. 14 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72033.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72033 3 | status: exception - manual intervention 4 | tag: file_perms 5 | --- 6 | 7 | Although the STIG requires that all initialization files for interactive users 8 | have proper owners, group owners, and permissions, these changes are often 9 | disruptive for users. The tasks in the security role do not make any changes 10 | to user initialization files. 11 | 12 | Deployers should review the content and discretionary access controls applied 13 | to each user's initialization files in their home directory. 14 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72035.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72035 3 | status: exception - manual intervention 4 | tag: misc 5 | --- 6 | 7 | Although the STIG requires that all initialization files contain 8 | executable search paths that resolve to the user's home directory, this change 9 | might be disruptive for most users. 
The tasks in the security role do not make any 10 | changes to user initialization files. 11 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72037.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72037 3 | status: exception - manual intervention 4 | tag: file_perms 5 | --- 6 | 7 | Deployers should manually search their system for world-writable programs and 8 | change the permissions on those programs. They are easily found with this 9 | command: 10 | 11 | .. code-block:: console 12 | 13 | find / -perm -002 -type f 14 | 15 | World-writable executables should not be needed under almost all circumstances. 16 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72039.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72039 3 | status: implemented - red hat only 4 | tag: lsm 5 | --- 6 | 7 | The tasks in the security role examine the SELinux contexts on each device file 8 | found on the system. Any devices without appropriate labels are printed in 9 | the Ansible output. 10 | 11 | Deployers should investigate the unlabeled devices and ensure that the correct 12 | labels are applied for the class of device. 13 | 14 | .. note:: 15 | 16 | This change applies only to CentOS or Red Hat Enterprise Linux systems 17 | since they rely on SELinux as their default Linux Security Module (LSM). 18 | Ubuntu, openSUSE Leap and SUSE Linux Enterprise systems use AppArmor, which 19 | uses policy files rather than labels applied to individual files. 
20 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72041.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72041 3 | status: exception - manual intervention 4 | tag: misc 5 | --- 6 | 7 | Deployers should examine any filesystem mounts that contain home directories to 8 | ensure that the ``nosuid`` mount option is set. 9 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72043.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72043 3 | status: exception - manual intervention 4 | tag: misc 5 | --- 6 | 7 | Deployers should examine any filesystem mounts of removable media to ensure 8 | that the ``nosuid`` mount option is set. 9 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72045.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72045 3 | status: exception - manual intervention 4 | tag: misc 5 | --- 6 | 7 | Deployers should examine any filesystem mounts of NFS imports to ensure that 8 | the ``nosuid`` mount option is set. 9 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72047.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72047 3 | status: opt-in 4 | tag: file_perms 5 | --- 6 | 7 | The tasks in the security role examine the world-writable directories on the 8 | system and report any directories that are not group-owned by the ``root`` 9 | group. Those directories appear in the Ansible output. 10 | 11 | Deployers should review the list of directories and group owners to ensure 12 | that they are appropriate for the directory. Unauthorized group ownership 13 | could allow certain users to modify files belonging to other users. 
14 | 15 | Searching the entire filesystem for world-writable directories will consume 16 | a significant amount of disk I/O and could impact the performance of a 17 | production system. It can also delay the playbook's completion. Therefore, 18 | the search is disabled by default. 19 | 20 | Deployers can enable the search by setting the following Ansible variable: 21 | 22 | .. code-block:: yaml 23 | 24 | security_find_world_writable_dirs: yes 25 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72049.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72049 3 | status: exception - manual intervention 4 | tag: file_perms 5 | --- 6 | 7 | Although the STIG requires that all local interactive user accounts have a 8 | umask of ``077``, this change can be disruptive for users and the applications 9 | they run. This change cannot be applied in an automated way. 10 | 11 | Deployers should review user initialization files regularly to ensure that the 12 | umask is not specified there. This allows the system-wide setting of ``077`` to be 13 | applied to all user sessions. 14 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72051.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72051 3 | status: exception - manual intervention 4 | tag: misc 5 | --- 6 | 7 | Ubuntu, CentOS, Red Hat Enterprise Linux, openSUSE Leap and SUSE Linux 8 | Enterprise already capture the logs from cron. 9 | 10 | Ubuntu systems collect cron job logs into the main syslog file 11 | (``/var/log/syslog``) rather than separating them into their own log file. 12 | CentOS and Red Hat Enterprise Linux systems collect cron logs in 13 | ``/var/log/cron``. 14 | openSUSE Leap and SUSE Linux Enterprise collect cron job logs in 15 | ``/var/log/messages``. 
16 | 17 | Deployers should not need to adjust these configurations unless a specific 18 | environment requires it. The tasks in the security role do not make changes to 19 | the ``rsyslog`` configuration. 20 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72053.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72053 3 | status: implemented 4 | tag: file_perms 5 | --- 6 | 7 | The tasks in the security role check for the existence of ``/etc/cron.allow`` 8 | and set both the user and group ownership to ``root``. This is already the default on 9 | Ubuntu, CentOS, Red Hat Enterprise Linux, openSUSE Leap and SUSE Linux 10 | Enterprise 12 systems. 11 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72055.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72055 3 | status: implemented 4 | tag: misc 5 | --- 6 | 7 | The group ownership for ``/etc/cron.allow`` is already set by the task for the 8 | following STIG control: 9 | 10 | :ref:`stig-V-72053` 11 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72057.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72057 3 | status: implemented 4 | tag: kernel 5 | --- 6 | 7 | The ``kdump`` service is disabled if it exists on the system. Deployers can opt 8 | out of this change by setting the following Ansible variable: 9 | 10 | .. 
code-block:: yaml 11 | 12 | security_disable_kdump: no 13 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72059.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72059 3 | status: exception - initial provisioning 4 | tag: misc 5 | --- 6 | 7 | Deployers should consider using filesystem mounts for home directories during 8 | the initial server provisioning process. Adding filesystem mounts after a 9 | system is provisioned might lead to downtime. 10 | 11 | The tasks in the security role do not take action on filesystem mounts. If the 12 | server does not mount ``/home`` as a separate filesystem, a warning is printed 13 | in the Ansible output. 14 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72061.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72061 3 | status: exception - initial provisioning 4 | tag: misc 5 | --- 6 | 7 | Deployers should consider using filesystem mounts for ``/var`` during 8 | the initial server provisioning process. Adding filesystem mounts after a 9 | system is provisioned might lead to downtime. 10 | 11 | The tasks in the security role do not take action on filesystem mounts. If the 12 | server does not mount ``/var`` as a separate filesystem, a warning is printed 13 | in the Ansible output. 14 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72063.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72063 3 | status: exception - initial provisioning 4 | tag: misc 5 | --- 6 | 7 | Deployers should consider using filesystem mounts for ``/var/log/audit`` during 8 | the initial server provisioning process. Adding filesystem mounts after a 9 | system is provisioned might lead to downtime. 
10 | 11 | The tasks in the security role do not take action on filesystem mounts. If the 12 | server does not mount ``/var/log/audit`` as a separate filesystem, a warning is 13 | printed in the Ansible output. 14 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72065.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72065 3 | status: exception - initial provisioning 4 | tag: misc 5 | --- 6 | 7 | Deployers should consider using filesystem mounts for ``/tmp`` during 8 | the initial server provisioning process. Adding filesystem mounts after a 9 | system is provisioned might lead to downtime. 10 | 11 | The tasks in the security role do not take action on filesystem mounts. If the 12 | server does not mount ``/tmp`` as a separate filesystem, a warning is 13 | printed in the Ansible output. 14 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72067.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72067 3 | status: implemented - red hat and suse only 4 | tag: misc 5 | --- 6 | 7 | The tasks in the Ansible role install the ``dracut-fips`` (RHEL and SLE) and 8 | ``dracut-fips-aesni`` (RHEL) packages and check to see if FIPS is enabled on the 9 | system. If it is not enabled, a warning message is printed in the Ansible 10 | output. 11 | 12 | Enabling FIPS at boot time requires additional manual configuration. Refer to 13 | `Chapter 7. Federal Standards and Regulations`_ in the Red Hat documentation 14 | for more details. Section 7.1.1 contains the steps required for updating 15 | the bootloader configuration and regenerating the initramfs. 16 | 17 | .. _Chapter 7. Federal Standards and Regulations : https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Federal_Standards_and_Regulations.html 18 | 19 | .. 
note:: 20 | 21 | This change only applies to CentOS, Red Hat Enterprise Linux, openSUSE Leap 22 | and SUSE Linux Enterprise. Ubuntu does not use dracut by default and the process 23 | for enabling the FIPS functionality at boot time is more complex. 24 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72069.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72069 3 | status: implemented 4 | tag: aide 5 | --- 6 | 7 | CentOS 7 and Red Hat Enterprise Linux 7 already deploy a very secure AIDE 8 | configuration that checks access control lists (ACLs) and extended attributes 9 | by default. No configuration changes are applied on these systems. 10 | 11 | However, Ubuntu lacks the rules that include ACL and extended attribute checks. 12 | The tasks in the security role will add a small configuration block at the end 13 | of the AIDE configuration file to meet the requirements of this STIG, as well 14 | as V-72071. 15 | 16 | openSUSE Leap and SUSE Linux Enterprise 12 also lack a rule to check ACLs and 17 | extended attributes. The default configuration file is adjusted to include those 18 | as well. 19 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72071.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72071 3 | status: implemented 4 | tag: aide 5 | --- 6 | 7 | CentOS 7 and Red Hat Enterprise Linux 7 already deploy a very secure AIDE 8 | configuration that checks access control lists (ACLs) and extended attributes 9 | by default. No configuration changes are applied on these systems. 10 | 11 | However, Ubuntu lacks the rules that include ACL and extended attribute checks. 12 | The tasks in the security role will add a small configuration block at the end 13 | of the AIDE configuration file to meet the requirements of this STIG, as well 14 | as V-72069. 
15 | 16 | openSUSE Leap and SUSE Linux Enterprise 12 also lack a rule to check ACLs and 17 | extended attributes. The default configuration file is adjusted to include those 18 | as well. 19 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72073.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72073 3 | status: implemented 4 | tag: aide 5 | --- 6 | 7 | The default AIDE configuration in CentOS 7, Red Hat Enterprise Linux 7, 8 | openSUSE Leap and SUSE Linux Enterprise 12 already uses SHA512 to validate 9 | file contents and directories. No changes are required on these systems. 10 | 11 | The tasks in the security role add a rule to the end of the AIDE configuration on 12 | Ubuntu systems that uses SHA512 for validation. 13 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72075.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72075 3 | status: exception - initial provisioning 4 | tag: misc 5 | --- 6 | 7 | When a server is initially provisioned, deployers should avoid storing 8 | the boot loader on removable media. It is not possible to change this via 9 | automated tasks. 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72077.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72077 3 | status: implemented 4 | tag: packages 5 | --- 6 | 7 | The role will remove the telnet server package from the system if it is 8 | installed. The package name differs between Linux distributions: 9 | 10 | * CentOS: ``telnet-server`` 11 | * Ubuntu: ``telnetd`` 12 | * openSUSE Leap: ``telnet-server`` 13 | 14 | Deployers can opt out of this change by setting the following Ansible variable: 15 | 16 | .. 
code-block:: yaml 17 | 18 | security_rhel7_remove_telnet_server: no 19 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72079.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72079 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks in the security role start the audit daemon immediately and ensure 8 | that it starts at boot time. 9 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72081.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72081 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The audit daemon takes various actions when there is an auditing failure. There 8 | are three options for the ``-f`` flag for ``auditctl``: 9 | 10 | * ``0``: In the event of an auditing failure, do nothing. 11 | * ``1``: In the event of an auditing failure, write messages to the kernel log. 12 | * ``2``: In the event of an auditing failure, cause a kernel panic. 13 | 14 | Most operating systems set the failure flag to ``1`` by default, which 15 | maximizes system availability while still causing an alert. The tasks in the 16 | security role set the flag to ``1`` by default. 17 | 18 | Deployers can adjust the following Ansible variable to customize the failure 19 | flag: 20 | 21 | .. code-block:: yaml 22 | 23 | security_rhel7_audit_failure_flag: 1 24 | 25 | .. warning:: 26 | 27 | Setting the failure flag to ``2`` is **strongly** discouraged unless the 28 | security of the system takes priority over its availability. Any failure in 29 | auditing causes a kernel panic and the system requires a hard reboot. 
30 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72083.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72083 3 | status: opt-in 4 | tag: auditd 5 | --- 6 | 7 | The ``audispd`` service transmits audit logs to other servers. Deployers 8 | should specify the address of another server that can receive audit logs by 9 | setting the following Ansible variable: 10 | 11 | .. code-block:: yaml 12 | 13 | security_audisp_remote_server: '10.0.21.1' 14 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72085.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72085 3 | status: opt-in 4 | tag: auditd 5 | --- 6 | 7 | The ``audispd`` daemon transmits audit logs without encryption by default. The 8 | STIG requires that these logs are encrypted while they are transferred across 9 | the network. The encryption is controlled by the ``enable_krb5`` option in 10 | ``/etc/audisp/audisp-remote.conf``. 11 | 12 | Deployers can opt-in for encrypted audit log transmission by setting the 13 | following Ansible variable: 14 | 15 | .. code-block:: yaml 16 | 17 | security_audisp_enable_krb5: yes 18 | 19 | .. warning:: 20 | 21 | Only enable this setting if kerberos is already configured. 22 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72087.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72087 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks in the security role set the ``disk_full_action`` and 8 | ``network_failure_action`` to ``syslog`` in the audispd remote configuration. 9 | In the event of a full disk on the remote log server or a network interruption, 10 | the local system sends warnings to syslog. 
This is the safest option since it 11 | maximizes the availability of the local system. 12 | 13 | Deployers have two other options available: 14 | 15 | * ``single``: Switch the local server into single-user mode in the event of a 16 | logging failure. 17 | 18 | * ``halt``: Shut off the local server gracefully in the event of a logging 19 | failure. 20 | 21 | .. warning:: 22 | 23 | Choosing ``single`` or ``halt`` causes a server to go into a degraded or 24 | offline state immediately after a logging failure. 25 | 26 | Deployers can adjust these configurations by setting the following Ansible 27 | variables (the safe defaults are shown here): 28 | 29 | .. code-block:: yaml 30 | 31 | security_rhel7_auditd_disk_full_action: syslog 32 | security_rhel7_auditd_network_failure_action: syslog 33 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72089.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72089 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The ``space_left`` configuration is set to 25% of the size of the disk mounted 8 | on ``/``. This calculation is done automatically. 9 | 10 | Deployers can set a custom threshold for the ``space_left`` configuration (in 11 | megabytes) by setting the following Ansible variable: 12 | 13 | .. code-block:: yaml 14 | 15 | # Example: A setting of 1GB (1024MB) 16 | security_rhel7_auditd_space_left: 1024 17 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72091.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72091 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The ``space_left_action`` in the audit daemon configuration is set to 8 | ``email``. This configuration causes the root user to receive an email when the 9 | ``space_left`` threshold is reached. 
10 | 11 | Deployers can customize this configuration by setting the following Ansible 12 | variable: 13 | 14 | .. code-block:: yaml 15 | 16 | security_rhel7_auditd_space_left_action: email 17 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72093.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72093 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The ``action_mail_acct`` configuration in the audit daemon configuration file 8 | is set to ``root`` to meet the requirements of the STIG. Deployers can 9 | customize the recipient of the emails that come from auditd by setting the 10 | following Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_auditd_action_mail_acct: root 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72095.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72095 3 | status: exception - manual intervention 4 | tag: auditd 5 | --- 6 | 7 | This STIG is difficult to implement in an automated way because the number of 8 | applications on a system with setuid/setgid permissions changes over time. 9 | In addition, adding audit rules for some of these automatically could cause a 10 | significant increase in logging traffic when these applications are used 11 | regularly. 
12 | 13 | Deployers are urged to do the following instead: 14 | 15 | * Minimize the amount of applications with setuid/setgid privileges 16 | * Monitor any new applications that gain setuid/setgid privileges 17 | * Add risky applications with setuid/setgid privileges to auditd for detailed 18 | syscall monitoring 19 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72097.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72097 3 | status: opt-in 4 | tag: auditd 5 | --- 6 | 7 | The STIG requires that all ``chown`` syscalls are audited, but this 8 | change creates a significant increase in logging on most systems. This increase 9 | can cause some systems to run out of disk space for logs. 10 | 11 | .. warning:: 12 | 13 | This rule is disabled by default to avoid high CPU usage and disk space 14 | exhaustion. Deployers should only enable this rule if they have tested it 15 | thoroughly in a non-production environment with system health monitoring 16 | enabled. 17 | 18 | Deployers can opt in for this change by setting the following Ansible variable: 19 | 20 | .. code-block:: yaml 21 | 22 | security_rhel7_audit_chown: yes 23 | 24 | This rule is compatible with x86, x86_64, and ppc64 architectures. 25 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72099.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72099 3 | status: opt-in 4 | tag: auditd 5 | --- 6 | 7 | The STIG requires that all ``fchown`` syscalls are audited, but this 8 | change creates a significant increase in logging on most systems. This increase 9 | can cause some systems to run out of disk space for logs. 10 | 11 | .. warning:: 12 | 13 | This rule is disabled by default to avoid high CPU usage and disk space 14 | exhaustion. 
Deployers should only enable this rule if they have tested it 15 | thoroughly in a non-production environment with system health monitoring 16 | enabled. 17 | 18 | Deployers can opt in for this change by setting the following Ansible variable: 19 | 20 | .. code-block:: yaml 21 | 22 | security_rhel7_audit_fchown: yes 23 | 24 | This rule is compatible with x86, x86_64, and ppc64 architectures. 25 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72101.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72101 3 | status: opt-in 4 | tag: auditd 5 | --- 6 | 7 | The STIG requires that all ``lchown`` syscalls are audited, but this change 8 | creates a significant increase in logging on most systems. This increase can 9 | cause some systems to run out of disk space for logs. 10 | 11 | .. warning:: 12 | 13 | This rule is disabled by default to avoid high CPU usage and disk space 14 | exhaustion. Deployers should only enable this rule if they have tested it 15 | thoroughly in a non-production environment with system health monitoring 16 | enabled. 17 | 18 | Deployers can opt in for this change by setting the following Ansible variable: 19 | 20 | .. code-block:: yaml 21 | 22 | security_rhel7_audit_lchown: yes 23 | 24 | This rule is compatible with x86, x86_64, and ppc64 architectures. 25 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72103.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72103 3 | status: opt-in 4 | tag: auditd 5 | --- 6 | 7 | The STIG requires that all ``fchownat`` syscalls are audited, but this 8 | change creates a significant increase in logging on most systems. This increase 9 | can cause some systems to run out of disk space for logs. 10 | 11 | .. 
warning:: 12 | 13 | This rule is disabled by default to avoid high CPU usage and disk space 14 | exhaustion. Deployers should only enable this rule if they have tested it 15 | thoroughly in a non-production environment with system health monitoring 16 | enabled. 17 | 18 | Deployers can opt in for this change by setting the following Ansible variable: 19 | 20 | .. code-block:: yaml 21 | 22 | security_rhel7_audit_fchownat: yes 23 | 24 | This rule is compatible with x86, x86_64, and ppc64 architectures. 25 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72105.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72105 3 | status: opt-in 4 | tag: auditd 5 | --- 6 | 7 | The STIG requires that all ``chmod`` syscalls are audited, but this 8 | change creates a significant increase in logging on most systems. This increase 9 | can cause some systems to run out of disk space for logs. 10 | 11 | .. warning:: 12 | 13 | This rule is disabled by default to avoid high CPU usage and disk space 14 | exhaustion. Deployers should only enable this rule if they have tested it 15 | thoroughly in a non-production environment with system health monitoring 16 | enabled. 17 | 18 | Deployers can opt in for this change by setting the following Ansible variable: 19 | 20 | .. code-block:: yaml 21 | 22 | security_rhel7_audit_chmod: yes 23 | 24 | This rule is compatible with x86, x86_64, and ppc64 architectures. 25 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72107.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72107 3 | status: opt-in 4 | tag: auditd 5 | --- 6 | 7 | The STIG requires that all ``fchmod`` syscalls are audited, but this 8 | change creates a significant increase in logging on most systems. 
This increase 9 | can cause some systems to run out of disk space for logs. 10 | 11 | .. warning:: 12 | 13 | This rule is disabled by default to avoid high CPU usage and disk space 14 | exhaustion. Deployers should only enable this rule if they have tested it 15 | thoroughly in a non-production environment with system health monitoring 16 | enabled. 17 | 18 | Deployers can opt in for this change by setting the following Ansible variable: 19 | 20 | .. code-block:: yaml 21 | 22 | security_rhel7_audit_fchmod: yes 23 | 24 | This rule is compatible with x86, x86_64, and ppc64 architectures. 25 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72109.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72109 3 | status: opt-in 4 | tag: auditd 5 | --- 6 | 7 | The STIG requires that all ``fchmodat`` syscalls are audited, but this 8 | change creates a significant increase in logging on most systems. This increase 9 | can cause some systems to run out of disk space for logs. 10 | 11 | .. warning:: 12 | 13 | This rule is disabled by default to avoid high CPU usage and disk space 14 | exhaustion. Deployers should only enable this rule if they have tested it 15 | thoroughly in a non-production environment with system health monitoring 16 | enabled. 17 | 18 | Deployers can opt in for this change by setting the following Ansible variable: 19 | 20 | .. code-block:: yaml 21 | 22 | security_rhel7_audit_fchmodat: yes 23 | 24 | This rule is compatible with x86, x86_64, and ppc64 architectures. 25 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72111.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72111 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | Rules are added to audit all ``setxattr`` syscalls on the system. 
8 | 9 | Deployers can opt out of this change by setting an Ansible variable: 10 | 11 | .. code-block:: yaml 12 | 13 | security_rhel7_audit_setxattr: no 14 | 15 | This rule is compatible with x86, x86_64, and ppc64 architectures. 16 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72113.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72113 3 | status: opt-in 4 | tag: auditd 5 | --- 6 | 7 | The STIG requires that all ``fsetxattr`` syscalls are audited, but this 8 | change creates a significant increase in logging on most systems. This increase 9 | can cause some systems to run out of disk space for logs. 10 | 11 | .. warning:: 12 | 13 | This rule is disabled by default to avoid high CPU usage and disk space 14 | exhaustion. Deployers should only enable this rule if they have tested it 15 | thoroughly in a non-production environment with system health monitoring 16 | enabled. 17 | 18 | Deployers can opt in for this change by setting the following Ansible variable: 19 | 20 | .. code-block:: yaml 21 | 22 | security_rhel7_audit_fsetxattr: yes 23 | 24 | This rule is compatible with x86, x86_64, and ppc64 architectures. 25 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72115.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72115 3 | status: opt-in 4 | tag: auditd 5 | --- 6 | 7 | The STIG requires that all ``lsetxattr`` syscalls are audited, but this change 8 | creates a significant increase in logging on most systems. This increase can 9 | cause some systems to run out of disk space for logs. 10 | 11 | .. warning:: 12 | 13 | This rule is disabled by default to avoid high CPU usage and disk space 14 | exhaustion. 
Deployers should only enable this rule if they have tested it 15 | thoroughly in a non-production environment with system health monitoring 16 | enabled. 17 | 18 | Deployers can opt in for this change by setting the following Ansible variable: 19 | 20 | .. code-block:: yaml 21 | 22 | security_rhel7_audit_lsetxattr: yes 23 | 24 | This rule is compatible with x86, x86_64, and ppc64 architectures. 25 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72117.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72117 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | Rules are added to audit all ``removexattr`` syscalls on the system. 8 | 9 | Deployers can opt out of this change by setting an Ansible variable: 10 | 11 | .. code-block:: yaml 12 | 13 | security_rhel7_audit_removexattr: no 14 | 15 | This rule is compatible with x86, x86_64, and ppc64 architectures. 16 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72119.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72119 3 | status: opt-in 4 | tag: auditd 5 | --- 6 | 7 | The STIG requires that all ``fremovexattr`` syscalls are audited, but this 8 | change creates a significant increase in logging on most systems. This increase 9 | can cause some systems to run out of disk space for logs. 10 | 11 | .. warning:: 12 | 13 | This rule is disabled by default to avoid high CPU usage and disk space 14 | exhaustion. Deployers should only enable this rule if they have tested it 15 | thoroughly in a non-production environment with system health monitoring 16 | enabled. 17 | 18 | Deployers can opt in for this change by setting the following Ansible variable: 19 | 20 | .. code-block:: yaml 21 | 22 | security_rhel7_audit_fremovexattr: yes 23 | 24 | This rule is compatible with x86, x86_64, and ppc64 architectures. 
25 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72121.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72121 3 | status: opt-in 4 | tag: auditd 5 | --- 6 | 7 | The STIG requires that all ``lremovexattr`` syscalls are audited, but this 8 | change creates a significant increase in logging on most systems. This increase 9 | can cause some systems to run out of disk space for logs. 10 | 11 | .. warning:: 12 | 13 | This rule is disabled by default to avoid high CPU usage and disk space 14 | exhaustion. Deployers should only enable this rule if they have tested it 15 | thoroughly in a non-production environment with system health monitoring 16 | enabled. 17 | 18 | Deployers can opt in for this change by setting the following Ansible variable: 19 | 20 | .. code-block:: yaml 21 | 22 | security_rhel7_audit_lremovexattr: yes 23 | 24 | This rule is compatible with x86, x86_64, and ppc64 architectures. 25 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72123.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72123 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | Rules are added to audit all ``creat`` syscalls on the system. 8 | 9 | Deployers can opt out of this change by setting an Ansible variable: 10 | 11 | .. code-block:: yaml 12 | 13 | security_rhel7_audit_creat: no 14 | 15 | This rule is compatible with x86, x86_64, and ppc64 architectures. 16 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72125.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72125 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | Rules are added to audit all ``open`` syscalls on the system. 
8 | 9 | Deployers can opt out of this change by setting an Ansible variable: 10 | 11 | .. code-block:: yaml 12 | 13 | security_rhel7_audit_open: no 14 | 15 | This rule is compatible with x86, x86_64, and ppc64 architectures. 16 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72127.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72127 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | Rules are added to audit all ``openat`` syscalls on the system. 8 | 9 | Deployers can opt out of this change by setting an Ansible variable: 10 | 11 | .. code-block:: yaml 12 | 13 | security_rhel7_audit_openat: no 14 | 15 | This rule is compatible with x86, x86_64, and ppc64 architectures. 16 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72129.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72129 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | Rules are added to audit all ``open_by_handle_at`` syscalls on the system. 8 | 9 | Deployers can opt out of this change by setting an Ansible variable: 10 | 11 | .. code-block:: yaml 12 | 13 | security_rhel7_audit_open_by_handle_at: no 14 | 15 | This rule is compatible with x86, x86_64, and ppc64 architectures. 16 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72131.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72131 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | Rules are added to audit all ``truncate`` syscalls on the system. 8 | 9 | Deployers can opt out of this change by setting an Ansible variable: 10 | 11 | .. code-block:: yaml 12 | 13 | security_rhel7_audit_truncate: no 14 | 15 | This rule is compatible with x86, x86_64, and ppc64 architectures. 
16 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72133.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72133 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | Rules are added to audit all ``ftruncate`` syscalls on the system. 8 | 9 | Deployers can opt out of this change by setting an Ansible variable: 10 | 11 | .. code-block:: yaml 12 | 13 | security_rhel7_audit_ftruncate: no 14 | 15 | This rule is compatible with x86, x86_64, and ppc64 architectures. 16 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72135.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72135 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | Rules are added to audit any time the ``semanage`` command is used. 8 | 9 | Deployers can opt out of this change by setting an Ansible variable: 10 | 11 | .. code-block:: yaml 12 | 13 | security_rhel7_audit_semanage: no 14 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72137.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72137 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | Rules are added to audit any time the ``setsebool`` command is used. 8 | 9 | Deployers can opt out of this change by setting an Ansible variable: 10 | 11 | .. code-block:: yaml 12 | 13 | security_rhel7_audit_setsebool: no 14 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72139.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72139 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``chcon`` command 8 | is used. 
9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_audit_chcon: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72141.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72141 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``restorecon`` command 8 | is used. 9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_audit_restorecon: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72143.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72143 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | Rules are added to audit all successful and unsuccessful account access events. 8 | Deployers can opt out of this change by setting the following Ansible variable: 9 | 10 | .. code-block:: yaml 11 | 12 | security_rhel7_audit_account_access: no 13 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72145.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72145 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | This control is implemented by the tasks for another control: 8 | 9 | * :ref:`stig-V-72143` 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72147.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72147 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time an account is accessed. 
8 | 9 | Deployers can opt-out of this change by setting an Ansible variable: 10 | 11 | .. code-block:: yaml 12 | 13 | security_rhel7_audit_account_access: no 14 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72149.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72149 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``passwd`` command is 8 | used. 9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_audit_passwd_command: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72151.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72151 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``unix_chkpwd`` command 8 | is used. 9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_audit_unix_chkpwd: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72153.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72153 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``gpasswd`` command 8 | is used. 9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. 
code-block:: yaml 13 | 14 | security_rhel7_audit_gpasswd: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72155.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72155 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``chage`` command 8 | is used. 9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_audit_chage: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72157.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72157 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``userhelper`` command 8 | is used. 9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_audit_userhelper: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72159.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72159 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``su`` command is used. 8 | 9 | Deployers can opt-out of this change by setting an Ansible variable: 10 | 11 | .. code-block:: yaml 12 | 13 | security_rhel7_audit_su: no 14 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72161.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72161 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``sudo`` command is 8 | used. 
9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_audit_sudo: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72163.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72163 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time a user manages the 8 | configuration files for ``sudo``. 9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_audit_sudo_config_changes: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72165.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72165 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``newgrp`` command is 8 | used. 9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_audit_newgrp: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72167.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72167 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``chsh`` command is 8 | used. 9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. 
code-block:: yaml 13 | 14 | security_rhel7_audit_chsh: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72169.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72169 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``sudoedit`` command is 8 | used. 9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_audit_sudoedit: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72171.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72171 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``mount`` command is 8 | used. 9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_audit_mount: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72173.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72173 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``umount`` command is 8 | used. 9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_audit_umount: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72175.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72175 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``postdrop`` command is 8 | used. 
9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_audit_postdrop: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72177.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72177 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``postqueue`` command is 8 | used. 9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_audit_postqueue: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72179.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72179 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``ssh-keysign`` command 8 | is used. 9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_audit_ssh_keysign: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72183.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72183 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``crontab`` command 8 | is used. 9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. 
code-block:: yaml 13 | 14 | security_rhel7_audit_crontab: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72185.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72185 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``pam_timestamp_check`` 8 | command is used. 9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_audit_pam_timestamp_check: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72187.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72187 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | Rules are added to audit all ``init_module`` syscalls on the system. 8 | 9 | Deployers can opt out of this change by setting an Ansible variable: 10 | 11 | .. code-block:: yaml 12 | 13 | security_rhel7_audit_init_module: no 14 | 15 | This rule is compatible with x86, x86_64, and ppc64 architectures. 16 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72189.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72189 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | Rules are added to audit all ``delete_module`` syscalls on the system. 8 | 9 | Deployers can opt out of this change by setting an Ansible variable: 10 | 11 | .. code-block:: yaml 12 | 13 | security_rhel7_audit_delete_module: no 14 | 15 | This rule is compatible with x86, x86_64, and ppc64 architectures. 
16 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72191.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72191 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``insmod`` command is 8 | used. 9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_audit_insmod: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72193.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72193 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``rmmod`` command is 8 | used. 9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_audit_rmmod: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72195.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72195 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``modprobe`` command is 8 | used. 9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_audit_modprobe: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72197.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72197 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time that an account is modified. 
8 | This includes changes to the following files: 9 | 10 | * ``/etc/group`` 11 | * ``/etc/passwd`` 12 | * ``/etc/gshadow`` 13 | * ``/etc/shadow`` 14 | * ``/etc/security/opasswd`` 15 | 16 | Deployers can opt-out of this change by setting an Ansible variable: 17 | 18 | .. code-block:: yaml 19 | 20 | security_rhel7_audit_account_actions: no 21 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72199.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72199 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | Rules are added to audit all ``rename`` syscalls on the system. 8 | 9 | Deployers can opt out of this change by setting an Ansible variable: 10 | 11 | .. code-block:: yaml 12 | 13 | security_rhel7_audit_rename: no 14 | 15 | This rule is compatible with x86, x86_64, and ppc64 architectures. 16 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72201.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72201 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | Rules are added to audit all ``renameat`` syscalls on the system. 8 | 9 | Deployers can opt out of this change by setting an Ansible variable: 10 | 11 | .. code-block:: yaml 12 | 13 | security_rhel7_audit_renameat: no 14 | 15 | This rule is compatible with x86, x86_64, and ppc64 architectures. 16 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72203.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72203 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | Rules are added to audit all ``rmdir`` syscalls on the system. 8 | 9 | Deployers can opt out of this change by setting an Ansible variable: 10 | 11 | .. 
code-block:: yaml 12 | 13 | security_rhel7_audit_rmdir: no 14 | 15 | This rule is compatible with x86, x86_64, and ppc64 architectures. 16 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72205.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72205 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``unlink`` command is 8 | used. 9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_audit_unlink: no 15 | 16 | This rule is compatible with x86, x86_64, and ppc64 architectures. 17 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72207.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72207 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | The tasks add a rule to auditd that logs each time the ``unlinkat`` command is 8 | used. 9 | 10 | Deployers can opt-out of this change by setting an Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_audit_unlinkat: no 15 | 16 | This rule is compatible with x86, x86_64, and ppc64 architectures. 17 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72209.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72209 3 | status: verification only 4 | tag: misc 5 | --- 6 | 7 | The tasks in the security role check for uncommented lines in the rsyslog 8 | configuration that contain ``@`` or ``@@``, which signifies that a remote 9 | logging configuration is in place. If these lines are not found, a warning 10 | message is printed in the Ansible output. 
11 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72211.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72211 3 | status: exception - manual intervention 4 | tag: misc 5 | --- 6 | 7 | Deployers must take manual steps to add or remove syslog reception 8 | configuration lines depending on a server's role: 9 | 10 | * If the server is a log aggregation server, deployers must configure the 11 | server to receive syslog output from the other servers via TCP connections. 12 | 13 | * If the server is not a log aggregation server, deployers must configure the 14 | server so that it does not accept syslog output from other servers. 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72213.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72213 3 | status: opt-in 4 | tag: misc 5 | --- 6 | 7 | The STIG requires that a virus scanner is installed and running, but the value 8 | of a virus scanner within an OpenStack control plane or on a hypervisor is 9 | negligible in many cases. In addition, the disk I/O impact of a virus scanner 10 | can impact a production environment negatively. 11 | 12 | The security role has tasks to deploy ClamAV with automatic updates, but the 13 | tasks are disabled by default. 14 | 15 | Deployers can enable the ClamAV virus scanner by setting the following Ansible 16 | variable: 17 | 18 | .. code-block:: yaml 19 | 20 | security_enable_virus_scanner: yes 21 | 22 | .. warning:: 23 | 24 | The ClamAV packages are provided in the EPEL repository. Setting the 25 | ``security_enable_virus_scanner`` will also cause the EPEL repository to 26 | be installed by the role. 
27 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72215.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72215 3 | status: implemented 4 | tag: misc 5 | --- 6 | 7 | By default, CentOS 7, Red Hat Enterprise Linux 7, openSUSE Leap and SUSE Linux 8 | Enterprise 12 check for virus database updates 12 times a day. Ubuntu servers 9 | have a default of 24 checks per day. 10 | 11 | The tasks in the security role do not adjust these defaults as they are more 12 | secure than the STIG's requirement. 13 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72217.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72217 3 | status: opt-in 4 | tag: auth 5 | --- 6 | 7 | Although the STIG requires that each account is limited to 10 concurrent 8 | connections, this change might be disruptive in some environments. Therefore, 9 | this change is not applied by default. 10 | 11 | Deployers can opt in for this change by setting a concurrent connection limit 12 | with this Ansible variable: 13 | 14 | .. code-block:: yaml 15 | 16 | security_rhel7_concurrent_session_limit: 10 17 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72219.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72219 3 | status: exception - manual intervention 4 | tag: misc 5 | --- 6 | 7 | Deployers should review each firewall rule on a regular basis to ensure that 8 | each port is open for a valid reason. 
9 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72221.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72221 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | The ``Ciphers`` configuration is set to ``aes128-ctr,aes192-ctr,aes256-ctr`` in 8 | ``/etc/ssh/sshd_config`` and sshd is restarted. 9 | 10 | Deployers can change the list of ciphers by setting the following Ansible 11 | variable: 12 | 13 | .. code-block:: yaml 14 | 15 | security_sshd_cipher_list: 'cipher1,cipher2,cipher3' 16 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72223.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72223 3 | status: implemented 4 | tag: misc 5 | --- 6 | 7 | The tasks in the security role set a 600 second (10 minute) timeout for network 8 | connections associated with a communication session. Deployers can change the 9 | timeout value by setting the following Ansible variable: 10 | 11 | .. code-block:: yaml 12 | 13 | # Example: shorten the timeout to 5 minutes (300 seconds) 14 | security_rhel7_session_timeout: 300 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72225.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72225 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | The tasks in the security role deploy a standard notice and consent banner into 8 | ``/etc/motd`` on each server. Ubuntu, CentOS, Red Hat Enterprise Linux, 9 | openSUSE Leap and SUSE Linux Enterprise display this banner after each successful 10 | login via ssh or the console. 11 | 12 | Deployers can choose a different destination for the banner by setting the 13 | following Ansible variable: 14 | 15 | .. 
code-block:: yaml 16 | 17 | security_sshd_banner_file: /etc/motd 18 | 19 | The message is customized with the following Ansible variable: 20 | 21 | .. code-block:: yaml 22 | 23 | security_login_banner_text: | 24 | ------------------------------------------------------------------------------ 25 | * WARNING * 26 | * You are accessing a secured system and your actions will be logged along * 27 | * with identifying information. Disconnect immediately if you are not an * 28 | * authorized user of this system. * 29 | ------------------------------------------------------------------------------ 30 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72227.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72227 3 | status: exception - manual intervention 4 | tag: auth 5 | --- 6 | 7 | Deployers are strongly urged to utilize ``sssd`` for systems that authenticate 8 | against LDAP or Active Directory (AD) servers. 9 | 10 | The ldap connector for ``sssd`` connects only to LDAP servers over 11 | encrypted connections. Review the man page for 12 | `sssd-ldap `_ for more details on this 13 | requirement. 14 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72229.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72229 3 | status: exception - manual intervention 4 | tag: auth 5 | --- 6 | 7 | Deployers are strongly urged to utilize ``sssd`` for systems that authenticate 8 | against LDAP or Active Directory (AD) servers. 9 | 10 | To meet this control, deployers must ensure that ``ldap_tls_cacert`` or 11 | ``ldap_tls_cacertdir`` are set in the ``/etc/sssd/sssd.conf`` file. The 12 | ``ldap_tls_cacert`` directive specifies a single certificate while 13 | ``ldap_tls_cacertdir`` specifies a directory where ``sssd`` can find CA 14 | certificates. 15 | 16 | .. 
warning:: 17 | 18 | Use caution when adjusting these settings. If the correct CA certificates 19 | are not already deployed to the servers that perform LDAP authentication, 20 | their attempts to authenticate users might fail. 21 | 22 | Consult with administrators of the LDAP system and test all changes on 23 | a non-production system first. 24 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72231.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72231 3 | status: exception - manual intervention 4 | tag: auth 5 | --- 6 | 7 | Deployers are strongly urged to utilize ``sssd`` for systems that authenticate 8 | against LDAP or Active Directory (AD) servers. 9 | 10 | To meet this control, deployers must ensure that ``ldap_tls_cacert`` or 11 | ``ldap_tls_cacertdir`` are set in the ``/etc/sssd/sssd.conf`` file. The 12 | ``ldap_tls_cacert`` directive specifies a single certificate while 13 | ``ldap_tls_cacertdir`` specifies a directory where ``sssd`` can find CA 14 | certificates. 15 | 16 | .. warning:: 17 | 18 | Use caution when adjusting these settings. If the correct CA certificates 19 | are not already deployed to the servers that perform LDAP authentication, 20 | their attempts to authenticate users might fail. 21 | 22 | Consult with administrators of the LDAP system and test all changes on 23 | a non-production system first. 24 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72233.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72233 3 | status: implemented 4 | tag: packages 5 | --- 6 | 7 | The STIG requires that every system has an ssh client and server installed. 
The 8 | role installs the following packages: 9 | 10 | * CentOS: ``openssh-clients``, ``openssh-server`` 11 | * Ubuntu: ``openssh-client``, ``openssh-server`` 12 | * openSUSE Leap: ``openssh`` 13 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72235.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72235 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | The STIG has a requirement that the ``sshd`` daemon is running and enabled at 8 | boot time. The tasks in the security role ensure that these requirements are 9 | met. 10 | 11 | Some deployers may not have ``sshd`` enabled on highly specialized systems and 12 | those deployers should opt out of this change by setting the following Ansible 13 | variable: 14 | 15 | .. code-block:: yaml 16 | 17 | security_enable_sshd: no 18 | 19 | .. note:: 20 | 21 | Setting ``security_enable_sshd`` to ``no`` causes the tasks to ignore the 22 | state of the service entirely. A setting of ``no`` does not stop or alter 23 | the ``sshd`` service. 24 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72237.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72237 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | The ``ClientAliveInterval`` configuration is set to ``600`` in 8 | ``/etc/ssh/sshd_config`` and sshd is restarted. 9 | 10 | Deployers can adjust the length of the interval by changing the following 11 | Ansible variable: 12 | 13 | .. code-block:: yaml 14 | 15 | security_sshd_client_alive_interval: 600 16 | 17 | .. note:: 18 | 19 | The STIG requires that ``ClientAliveInterval`` is set to 600 and 20 | ``ClientAliveCountMax`` is set to zero, which sets a 10 minute session 21 | timeout. If no data is transferred in a 10 minute period, the session is 22 | disconnected. 
23 | 24 | The ``ClientAliveInterval`` specifies how long the ssh daemon waits 25 | before it sends a message to the client to see if it is still alive. The 26 | ``ClientAliveCountMax`` specifies how many of these messages are sent 27 | without receiving a response. 28 | 29 | Deployers should refer to :ref:`stig-V-72241` to customize the 30 | ``ClientAliveCountMax`` setting. 31 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72239.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72239 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | This STIG is already applied by the changes for :ref:`stig-V-72249`. 8 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72241.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72241 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | The ``ClientAliveCountMax`` configuration is set to ``0`` in 8 | ``/etc/ssh/sshd_config`` and sshd is restarted. 9 | 10 | Deployers can adjust the maximum amount of client alive intervals by changing 11 | the following Ansible variable. 12 | 13 | .. code-block:: yaml 14 | 15 | security_sshd_client_alive_count_max: 0 16 | 17 | .. note:: 18 | 19 | The STIG requires that ``ClientAliveInterval`` is set to 600 and 20 | ``ClientAliveCountMax`` is set to zero, which sets a 10 minute session 21 | timeout. If no data is transferred in a 10 minute period, the session is 22 | disconnected. 23 | 24 | The ``ClientAliveInterval`` specifies how long the ssh daemon waits 25 | before it sends a message to the client to see if it is still alive. The 26 | ``ClientAliveCountMax`` specifies how many of these messages are sent 27 | without receiving a response. 28 | 29 | Deployers should refer to :ref:`stig-V-72237` to customize the 30 | ``ClientAliveInterval`` setting. 
31 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72243.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72243 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | The ``IgnoreRhosts`` configuration is set to ``yes`` in 8 | ``/etc/ssh/sshd_config`` and sshd is restarted. 9 | 10 | Deployers can opt out of this change by setting the following Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_sshd_disallow_rhosts_auth: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72245.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72245 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | The ``PrintLastLog`` configuration is set to ``yes`` in 8 | ``/etc/ssh/sshd_config`` and sshd is restarted. 9 | 10 | Deployers can opt out of this change by setting the following Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_sshd_print_last_log: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72247.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72247 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | The ``PermitRootLogin`` configuration is set to ``no`` in 8 | ``/etc/ssh/sshd_config`` and sshd is restarted. 9 | 10 | Deployers can select another setting for PermitRootLogin, from the available 11 | options ``without-password``, ``prohibit-password``, ``forced-commands-only``, 12 | ``yes``, or ``no`` by setting the following variable: 13 | 14 | .. code-block:: yaml 15 | 16 | security_sshd_permit_root_login: no 17 | 18 | .. warning:: 19 | 20 | Ensure that a regular user account exists with a pathway to root access 21 | (preferably via ``sudo``) before applying the security role. 
This 22 | configuration change disallows any direct logins with the ``root`` 23 | user. 24 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72249.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72249 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | The ``IgnoreUserKnownHosts`` configuration is set to ``yes`` in 8 | ``/etc/ssh/sshd_config`` and sshd is restarted. 9 | 10 | Deployers can opt out of this change by setting the following Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_sshd_disallow_known_hosts_auth: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72251.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72251 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | The ``Protocol`` configuration is set to ``2`` in 8 | ``/etc/ssh/sshd_config`` and sshd is restarted. 9 | 10 | Deployers can adjust this setting with the following Ansible variable; the value shown is the default: 11 | 12 | .. code-block:: yaml 13 | 14 | security_sshd_protocol: 2 15 | 16 | .. warning:: 17 | 18 | There is no reason to enable any other protocol than SSHv2. SSHv1 has 19 | multiple vulnerabilities, and it is no longer widely used. 20 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72253.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72253 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | The ``MACs`` configuration is set to ``hmac-sha2-256,hmac-sha2-512`` in 8 | ``/etc/ssh/sshd_config`` and sshd is restarted. 9 | 10 | Deployers can adjust the allowed Message Authentication Codes (MACs) by setting 11 | the following Ansible variable: 12 | 13 | .. 
code-block:: yaml 14 | 15 | security_sshd_allowed_macs: 'hmac-sha2-256,hmac-sha2-512' 16 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72255.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72255 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | The permissions on ssh public host keys are set to ``0644``. If the existing 8 | permissions are more restrictive than ``0644``, the tasks do not make changes 9 | to the files. 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72257.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72257 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | The permissions on ssh private host keys are set to ``0600``. If the existing 8 | permissions are more restrictive than ``0600``, the tasks do not make changes 9 | to the files. 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72259.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72259 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | The ``GSSAPIAuthentication`` setting is set to ``no`` to meet the requirements 8 | of the STIG. 9 | 10 | Deployers can opt out of this change by setting the following Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_sshd_disallow_gssapi: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72261.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72261 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | The ``KerberosAuthentication`` configuration is set to ``no`` in 8 | ``/etc/ssh/sshd_config`` and sshd is restarted. 
9 | 10 | Deployers can opt out of this change by setting the following Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_sshd_disable_kerberos_auth: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72263.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72263 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | The ``StrictModes`` configuration is set to ``yes`` in ``/etc/ssh/sshd_config`` 8 | and sshd is restarted. 9 | 10 | Deployers can opt out of this change by setting the following Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_sshd_enable_strict_modes: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72265.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72265 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | The ``UsePrivilegeSeparation`` configuration is set to ``sandbox`` in 8 | ``/etc/ssh/sshd_config`` and sshd is restarted. 9 | 10 | Deployers can opt out of this change by setting the following Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_sshd_enable_privilege_separation: no 15 | 16 | .. note:: 17 | 18 | Although the STIG requires this setting to be ``yes``, the ``sandbox`` 19 | setting actually provides more security because it enables privilege 20 | separation during the early authentication process. 21 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72267.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72267 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | The ``Compression`` configuration is set to ``delayed`` in 8 | ``/etc/ssh/sshd_config`` and sshd is restarted. 
9 | 10 | Deployers can choose another option by setting the following Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_sshd_compression: 'no' 15 | 16 | .. note:: 17 | 18 | The following are the available settings for ``Compression`` in the ssh 19 | configuration file: 20 | 21 | * ``delayed``: Compression is enabled after authentication. 22 | * ``no``: Compression is disabled. 23 | * ``yes``: Compression is enabled during authentication and during the 24 | session (not allowed by the STIG). 25 | 26 | The ``delayed`` option balances security with performance and is an 27 | approved option in the STIG. 28 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72269.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72269 3 | status: implemented 4 | tag: misc 5 | --- 6 | 7 | The tasks in the security role make the following changes on each host: 8 | 9 | * The ``chrony`` package is installed. 10 | * The service (``chronyd`` on Red Hat, CentOS, SLE and openSUSE Leap, 11 | ``chrony`` on Ubuntu) is started and enabled at boot time. 12 | * A configuration file template is deployed that includes ``maxpoll 10`` on 13 | each server line. 14 | 15 | Deployers can opt out of these changes by setting the following Ansible 16 | variable: 17 | 18 | .. code-block:: yaml 19 | 20 | security_rhel7_enable_chrony: no 21 | 22 | .. note:: 23 | 24 | Although the STIG mentions the traditional ``ntpd`` service, this role uses 25 | ``chrony``, which is a more modern implementation. 
26 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72271.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72271 3 | status: opt-in 4 | tag: misc 5 | --- 6 | 7 | Although the STIG requires that incoming TCP connections are rate limited with 8 | ``firewalld``, this setting can cause problems with certain applications which 9 | handle large amounts of TCP connections. Therefore, the tasks in the security 10 | role do not apply the rate limit by default. 11 | 12 | Deployers can opt in for this change by setting the following Ansible variable: 13 | 14 | .. code-block:: yaml 15 | 16 | security_enable_firewalld_rate_limit: yes 17 | 18 | The STIG recommends a limit of 25 connections per minute and allowing bursts up 19 | to 100 connections. Both of these options are adjustable with the following 20 | Ansible variables: 21 | 22 | .. code-block:: yaml 23 | 24 | security_enable_firewalld_rate_limit_per_minute: 25 25 | security_enable_firewalld_rate_limit_burst: 100 26 | 27 | .. warning:: 28 | 29 | Deployers should test rate limiting in a non-production environment first 30 | before applying it to production systems. Ensure that the application 31 | running on the system is receiving a large volume of requests so that the 32 | rule can be thoroughly tested. 33 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72273.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72273 3 | status: opt-in 4 | tag: misc 5 | --- 6 | 7 | The STIG requires that a firewall is configured on each server. This might be 8 | disruptive to some environments since the default firewall policy for 9 | ``firewalld`` is very restrictive. Therefore, the tasks in the security role 10 | do not install or enable the ``firewalld`` daemon by default. 
11 | 12 | Deployers can opt in for this change by setting the following Ansible variable: 13 | 14 | .. code-block:: yaml 15 | 16 | security_enable_firewalld: yes 17 | 18 | .. warning:: 19 | 20 | Deployers must pre-configure ``firewalld`` or copy over a working XML file 21 | in ``/etc/firewalld/zones/`` from another server. The default firewalld 22 | restrictions on Ubuntu, CentOS, Red Hat Enterprise Linux and openSUSE Leap 23 | are highly restrictive. 24 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72275.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72275 3 | status: verification only 4 | tag: auth 5 | --- 6 | 7 | The PAM configuration is checked for the presence of ``pam_lastlogin`` and a 8 | warning message is printed if the directive is not found. The tasks in the 9 | security role do not adjust PAM configurations since these changes might be 10 | disruptive in some environments. 11 | 12 | Deployers should review their PAM configurations and add ``pam_lastlogin`` to 13 | ``/etc/pam.d/postlogin`` on CentOS and Red Hat Enterprise Linux or to 14 | ``/etc/pam.d/login`` on Ubuntu, openSUSE Leap and SUSE Linux Enterprise. 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72277.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72277 3 | status: opt-in 4 | tag: auth 5 | --- 6 | 7 | The tasks in the security role examine the filesystem for any ``.shosts`` or 8 | ``shosts.equiv`` files. If they are found, they are deleted. 9 | 10 | The search for these files can take a very long time on systems with slow 11 | disks or systems with a large number of files. Therefore, this task is skipped 12 | by default. 13 | 14 | Deployers can opt in for this change by setting the following Ansible variable: 15 | 16 | .. 
code-block:: yaml 17 | 18 | security_rhel7_remove_shosts_files: yes 19 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72279.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72279 3 | status: implemented 4 | tag: auth 5 | --- 6 | 7 | This control is implemented by the tasks for another control: 8 | 9 | * :ref:`stig-V-72277` 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72281.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72281 3 | status: implemented 4 | tag: misc 5 | --- 6 | 7 | If a server has fewer than two nameservers configured in ``/etc/resolv.conf``, 8 | a warning is printed in the Ansible output. 9 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72283.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72283 3 | status: implemented 4 | tag: kernel 5 | --- 6 | 7 | The tasks in this role set ``net.ipv4.conf.all.accept_source_route`` and 8 | ``net.ipv4.conf.default.accept_source_route`` to ``0`` by default. This 9 | prevents the system from forwarding source-routed IPv4 packets on all 10 | new and existing interfaces. 11 | 12 | Deployers can opt out of this change by setting the following Ansible variable: 13 | 14 | .. code-block:: yaml 15 | 16 | security_disallow_source_routed_packet_forward_ipv4: no 17 | 18 | For more details on source routed packets, refer to the 19 | `Red Hat documentation `_. 
20 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72285.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72285 3 | status: implemented 4 | tag: kernel 5 | --- 6 | 7 | This control is implemented by the tasks for another control: 8 | 9 | * :ref:`stig-V-72283` 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72287.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72287 3 | status: implemented 4 | tag: kernel 5 | --- 6 | 7 | The tasks in this role set ``net.ipv4.icmp_echo_ignore_broadcasts`` to ``1`` 8 | by default. This prevents the system from responding to IPv4 ICMP echoes sent 9 | to the broadcast address. 10 | 11 | Deployers can opt out of this change by setting the following Ansible variable: 12 | 13 | .. code-block:: yaml 14 | 15 | security_disallow_echoes_broadcast_address: no 16 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72289.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72289 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | This control is implemented by the tasks for another control: 8 | 9 | * :ref:`stig-V-73175` 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72291.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72291 3 | status: implemented 4 | tag: kernel 5 | --- 6 | 7 | The tasks in this role set ``net.ipv4.conf.default.send_redirects`` and 8 | ``net.ipv4.conf.all.send_redirects`` to ``0`` by default. This prevents a 9 | system from sending IPv4 ICMP redirect packets on all new and existing 10 | interfaces. 
11 | 12 | Deployers can opt out of this change by setting the following Ansible variable: 13 | 14 | .. code-block:: yaml 15 | 16 | security_disallow_icmp_redirects: no 17 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72293.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72293 3 | status: implemented 4 | tag: kernel 5 | --- 6 | 7 | This control is implemented by the tasks for another control: 8 | 9 | * :ref:`stig-V-72291` 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72295.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72295 3 | status: verification only 4 | tag: misc 5 | --- 6 | 7 | All interfaces are examined to ensure they are not in promiscuous mode. A 8 | warning message is printed in the Ansible output if any promiscuous interfaces 9 | are found. 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72297.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72297 3 | status: implemented 4 | tag: misc 5 | --- 6 | 7 | The ``smtpd_client_restrictions`` configuration in postfix is set to 8 | ``permit_mynetworks, reject`` to meet the STIG's requirements. 9 | 10 | Deployers can opt out of this change by setting the following Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_rhel7_restrict_mail_relaying: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72299.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72299 3 | status: not implemented 4 | tag: packages 5 | --- 6 | 7 | This STIG is not yet implemented. 
8 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72301.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72301 3 | status: implemented 4 | tag: packages 5 | --- 6 | 7 | The role will remove the TFTP server package from the system if it is 8 | installed. The package name differs between Linux distributions: 9 | 10 | * CentOS: ``tftp-server`` 11 | * Ubuntu: ``tftpd`` 12 | * openSUSE Leap: ``tftp`` 13 | 14 | Deployers can opt-out of this change by setting the following Ansible variable: 15 | 16 | 17 | .. code-block:: yaml 18 | 19 | security_rhel7_remove_tftp_server: no 20 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72303.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72303 3 | status: implemented 4 | tag: sshd 5 | --- 6 | 7 | The ``X11Forwarding`` configuration is set to ``yes`` in 8 | ``/etc/ssh/sshd_config`` and sshd is restarted. 9 | 10 | Deployers can opt out of this change by setting the following Ansible variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_sshd_enable_x11_forwarding: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72305.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72305 3 | status: verification only 4 | tag: misc 5 | --- 6 | 7 | The tasks in the security role examine the TFTP server configuration file (if 8 | it exists) to verify that the secure operation flag (``-s``) is listed on the 9 | ``server_args`` line. If it is missing, a warning message is printed in the 10 | Ansible output. 
11 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72307.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72307 3 | status: implemented 4 | tag: packages 5 | --- 6 | 7 | The role will remove the xorg server package from the system if it is 8 | installed. The package name differs between Linux distributions: 9 | 10 | * CentOS: ``xorg-x11-server-Xorg`` 11 | * Ubuntu: ``xorg-xserver`` 12 | * openSUSE Leap: ``xorg-x11-server`` 13 | 14 | Deployers can opt-out of this change by setting the following Ansible variable: 15 | 16 | .. code-block:: yaml 17 | 18 | security_rhel7_remove_xorg: no 19 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72309.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72309 3 | status: opt-in 4 | tag: kernel 5 | --- 6 | 7 | Disabling IP forwarding on a system that routes packets or host virtual 8 | machines might cause network interruptions. The tasks in this role do not 9 | adjust the ``net.ipv4.ip_forward`` configuration by default. 10 | 11 | Deployers can opt in for this change and disable IP forwarding by setting the 12 | following Ansible variable: 13 | 14 | .. code-block:: yaml 15 | 16 | security_disallow_ip_forwarding: yes 17 | 18 | .. warning:: 19 | 20 | IP forwarding is required in some environments. Always test in a 21 | non-production environment before changing this setting on a production 22 | system. 23 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72311.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72311 3 | status: exception - manual intervention 4 | tag: misc 5 | --- 6 | 7 | Deployers using NFS should examine their mounts to ensure ``krb5:krb5i:krb5p`` 8 | is provided with the ``sec`` option. 
Kerberos must be installed and configured 9 | before making the change. 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72313.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72313 3 | status: verification only 4 | tag: misc 5 | --- 6 | 7 | The tasks in the security role examine the contents of the 8 | ``/etc/snmp/snmpd.conf`` file (if it exists) and search for the default 9 | community strings: ``public`` and ``private``. If either default string is 10 | found, a message is printed in the Ansible output. 11 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72315.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72315 3 | status: exception - manual intervention 4 | tag: misc 5 | --- 6 | 7 | The ``firewalld`` service is optionally enabled and configured in the tasks for 8 | another STIG control: 9 | 10 | * :ref:`stig-V-72273` 11 | 12 | Deployers should review their ``firewalld`` ruleset regularly to ensure that 13 | each firewall rule is specific as possible. Each rule should allow the smallest 14 | number of hosts to access the smallest number of services. 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72317.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72317 3 | status: exception - manual intervention 4 | tag: misc 5 | --- 6 | 7 | Deployers should review all tunneled connections on a regular basis to ensure 8 | each is valid and properly secured. This requires careful verification that 9 | cannot be done with automated Ansible tasks. 
10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72319.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72319 3 | status: implemented 4 | tag: kernel 5 | --- 6 | 7 | The tasks in this role set ``net.ipv6.conf.all.accept_source_route`` to ``0`` 8 | by default. This prevents the system from forwarding source-routed IPv6 9 | packets. 10 | 11 | Deployers can opt out of this change by setting the following Ansible variable: 12 | 13 | .. code-block:: yaml 14 | 15 | security_disallow_source_routed_packet_forward_ipv6: no 16 | 17 | Refer to `"IPv6 source routing: history repeats itself" `_ 18 | for more details on IPv6 source routed packets. 19 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72417.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72417 3 | status: implemented 4 | tag: packages 5 | --- 6 | 7 | The STIG requires that the following multifactor authentication packages are 8 | installed: 9 | 10 | * authconfig 11 | * authconfig-gtk 12 | * esc 13 | * pam_pkcs11 14 | 15 | These packages are benign if they are not needed on a system, but 16 | ``authconfig-gtk`` may cause some graphical dependencies to be installed 17 | which may not be needed on some systems. The security role installs these 18 | packages, but it skips the installation of ``authconfig-gtk``. Deployers can 19 | install the graphical package manually if needed. 
20 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72427.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72427 3 | status: exception - manual intervention 4 | tag: auth 5 | --- 6 | 7 | Although the STIG requires that the ``sssd.conf`` contains both ``nss`` and 8 | ``pam`` authentication modules, this change can be disruptive in environments 9 | that are already using LDAP or Active Directory for authentication. Deployers 10 | should make these changes only if their environment is compatible. 11 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72433.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72433 3 | status: exception - manual intervention 4 | tag: auth 5 | --- 6 | 7 | Any adjustment to PKI authentication can cause disruptions for users. Deployers 8 | should verify that enabling OCSP validation is compatible with their existing 9 | configuration. 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-72435.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-72435 3 | status: exception - manual intervention 4 | tag: auth 5 | --- 6 | 7 | Any adjustment to PKI authentication can cause disruptions for users. Deployers 8 | should verify that their environment is compatible with smart cards before 9 | requiring them for authentication. 
10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-73155.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-73155 3 | status: implemented 4 | tag: graphical 5 | --- 6 | 7 | This control is implemented by the tasks for another control: 8 | 9 | * :ref:`stig-V-71891` 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-73157.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-73157 3 | status: implemented 4 | tag: graphical 5 | --- 6 | 7 | This control is implemented by the tasks for another control: 8 | 9 | * :ref:`stig-V-71891` 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-73159.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-73159 3 | status: opt-in 4 | tag: accounts 5 | --- 6 | 7 | The security role can require new or changed passwords to follow the pwquality 8 | rules, but this change can be disruptive for users without proper 9 | communication. Deployers must opt in for this change by setting the following 10 | variable: 11 | 12 | .. code-block:: yaml 13 | 14 | security_enable_pwquality_password_set: yes 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-73161.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-73161 3 | status: exception - manual intervention 4 | tag: misc 5 | --- 6 | 7 | Deployers should review their NFS mounts to ensure they are mounted with the 8 | ``noexec`` option. Deployers should skip this change if they execute 9 | applications from NFS mounts. 
10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-73163.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-73163 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | This control is implemented by the tasks for another control: 8 | 9 | * :ref:`stig-V-72087` 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-73165.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-73165 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | This control is implemented by the tasks for another control: 8 | 9 | * :ref:`stig-V-72197` 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-73167.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-73167 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | This control is implemented by the tasks for another control: 8 | 9 | * :ref:`stig-V-72197` 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-73171.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-73171 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | This control is implemented by the tasks for another control: 8 | 9 | * :ref:`stig-V-72197` 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-73173.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-73173 3 | status: implemented 4 | tag: auditd 5 | --- 6 | 7 | This control is implemented by the tasks for another control: 8 | 9 | * :ref:`stig-V-72197` 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-73175.rst: 
-------------------------------------------------------------------------------- 1 | --- 2 | id: V-73175 3 | status: implemented 4 | tag: kernel 5 | --- 6 | 7 | This control is implemented by the tasks for another control: 8 | 9 | * :ref:`stig-V-72293` 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-73177.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-73177 3 | status: exception - manual intervention 4 | tag: misc 5 | --- 6 | 7 | Deployers should review the configuration of any wireless networking device 8 | connected to the system to ensure it must be enabled. The STIG requires that 9 | all wireless network devices are enabled unless required. 10 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-77819.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-77819 3 | status: exception - manual intervention 4 | tag: misc 5 | --- 6 | 7 | The STIG requires that multifactor authentication is used for graphical user 8 | logon, but this change requires custom configuration based on the 9 | authentication solution that is used. 10 | 11 | Deployers should review the available options, such as traditional 12 | smartcards, USB devices (such as Yubikeys), or software token systems, and 13 | use one of these solutions on each system. 14 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-77821.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-77821 3 | status: implemented 4 | tag: kernel 5 | --- 6 | 7 | The ansible-hardening role disables the DCCP kernel module by default. Each 8 | system must be rebooted to fully apply the change. 9 | 10 | Deployers can opt out of the change by setting the following Ansible variable: 11 | 12 | .. 
code-block:: yaml 13 | 14 | security_rhel7_disable_dccp: no 15 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-77823.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-77823 3 | status: exception - manual intervention 4 | tag: auth 5 | --- 6 | 7 | Modifying sensitive systemd unit files directly or via overrides could cause 8 | a system to have issues during the boot process. The role does not make any 9 | adjustments to the ``rescue.service`` because this service is critical during 10 | emergencies. 11 | 12 | All of the distributions supported by the role already require authentication 13 | for single user mode. 14 | -------------------------------------------------------------------------------- /doc/metadata/rhel7/V-77825.rst: -------------------------------------------------------------------------------- 1 | --- 2 | id: V-77825 3 | status: implemented 4 | tag: kernel 5 | --- 6 | 7 | Most modern systems enable Address Space Layout Randomization (ASLR) by 8 | default (with a setting of ``2``), and the role ensures that the secure 9 | default is maintained. 10 | 11 | Deployers can opt out of the change by setting the following Ansible variable: 12 | 13 | .. code-block:: yaml 14 | 15 | security_enable_aslr: no 16 | 17 | For more details on the ASLR settings, review the 18 | `sysctl documentation `_. 19 | -------------------------------------------------------------------------------- /doc/metadata/stig_to_rst.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Copyright 2016, Rackspace US, Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 
6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | """Convert STIG XML to RST for easier reading.""" 16 | import os 17 | import xmltodict 18 | 19 | SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__)) 20 | xml_file = 'U_Red_Hat_Enterprise_Linux_7_STIG_V1R2_Manual-xccdf.xml' 21 | with open('{}/{}'.format(SCRIPT_DIR, xml_file), 'r') as f: 22 | xmldict = xmltodict.parse(f.read()) 23 | 24 | for group in xmldict['Benchmark']['Group']: 25 | rule = group['Rule'] 26 | 27 | print("\n{}\n{}\n".format(group['@id'], "=" * len(group['@id']))) 28 | print("{}\n".format(rule['title'])) 29 | print("{}\n".format(rule['version'])) 30 | print("{}\n".format(rule['description'].encode('utf-8'))) 31 | -------------------------------------------------------------------------------- /doc/metadata/template_all_rhel7.j2: -------------------------------------------------------------------------------- 1 | {% set page_title = "Review All STIG Controls" %} 2 | {{ "=" * page_title | length }} 3 | {{ page_title }} 4 | {{ "=" * page_title | length }} 5 | 6 | Navigating the list 7 | =================== 8 | 9 | Use your browser's search function (usually CTRL-f) to find the 10 | security configuration in the full list shown here. You can search for STIG 11 | ID numbers, such as ``V-38463``, or for particular topics, like ``audit``. 12 | 13 | ---- 14 | 15 | {% for stig_id in stig_ids | sort %} 16 | .. 
_stig-{{ stig_id }}: 17 | 18 | {% include "template_doc_rhel7.j2" %} 19 | 20 | {% if not loop.last %} 21 | ---- 22 | {% endif %} 23 | 24 | {% endfor %} 25 | -------------------------------------------------------------------------------- /doc/metadata/template_doc_rhel7.j2: -------------------------------------------------------------------------------- 1 | {% set rule = all_deployer_notes[stig_id] %} 2 | {% set page_title = rule['title'] | trim + ' (' + rule['id'] + ')'%} 3 | {{ page_title }} 4 | {{ "-" * page_title | length }} 5 | 6 | STIG Description 7 | ~~~~~~~~~~~~~~~~ 8 | 9 | **Severity:** {{ rule['severity'] | title }} 10 | 11 | {{ rule['description']['VulnDiscussion'] | addmonospace }} 12 | 13 | Deployer/Auditor notes 14 | ~~~~~~~~~~~~~~~~~~~~~~ 15 | 16 | **Implementation Status:** {{ rule['deployer_notes']['status'] | title }} 17 | {{ rule['deployer_notes']['content'] }} 18 | -------------------------------------------------------------------------------- /doc/metadata/template_toc_partial_rhel7.j2: -------------------------------------------------------------------------------- 1 | {# 2 | This file renders *partial* documentation that is included by other 3 | documentation. This is used in the "Hardening Domains" section. 4 | #} 5 | {% for section_header, stig_id_list in stig_dict.items() %} 6 | STIG requirements 7 | ----------------- 8 | 9 | All of the tasks for these STIG requirements are included in 10 | ``tasks/rhel7stig/{{ section_header }}.yml``. 
11 | 12 | {% for stig_id in stig_id_list | sort %} 13 | 14 | {% set rule = all_deployer_notes[stig_id] %} 15 | {{ rule['id'] }} 16 | {{ "~" * rule['id'] | length }} 17 | 18 | * **Summary**: {{ rule['title'] | replace("\n", " ") | indent(2, False) }} 19 | * **Severity:** {{ rule['severity'] | title }} 20 | * **Implementation Status:** {{ rule['deployer_notes']['status'] | title }} 21 | 22 | Deployer/Auditor notes 23 | ^^^^^^^^^^^^^^^^^^^^^^ 24 | 25 | {{ rule['deployer_notes']['content'] }} 26 | 27 | 28 | {% if not loop.last %} 29 | ---- 30 | {% endif %} 31 | 32 | {% endfor %} 33 | {% endfor %} 34 | -------------------------------------------------------------------------------- /doc/metadata/template_toc_rhel7.j2: -------------------------------------------------------------------------------- 1 | {% set page_title = "STIG Controls by " + toc_type | title %} 2 | {{ "=" * page_title | length }} 3 | {{ page_title }} 4 | {{ "=" * page_title | length }} 5 | 6 | .. contents:: 7 | :depth: 2 8 | :backlinks: none 9 | 10 | {% for section_header, stig_id_list in stig_dict.items() %} 11 | 12 | {% if toc_type == 'tag' %} 13 | {% set section_title = section_header + " (" + stig_id_list | length | string + " controls)" %} 14 | {% else %} 15 | {% set section_title = section_header | title + " (" + stig_id_list | length | string + " controls)" %} 16 | {% endif %} 17 | .. 
_{{ toc_type | replace(' ', '-') }}-{{ section_header | replace(' ', '-') }}: 18 | 19 | {{ section_title }} 20 | {{ "=" * section_title | length }} 21 | 22 | {% for stig_id in stig_id_list | sort %} 23 | 24 | {% include "template_doc_rhel7.j2" %} 25 | 26 | {% if not loop.last %} 27 | ---- 28 | {% endif %} 29 | 30 | {% endfor %} 31 | {% endfor %} 32 | -------------------------------------------------------------------------------- /doc/requirements.txt: -------------------------------------------------------------------------------- 1 | # The order of packages is significant, because pip processes them in the order 2 | # of appearance. Changing the order has an impact on the overall integration 3 | # process, which may cause wedges in the gate later. 4 | 5 | # WARNING: 6 | # This file is maintained in the openstack-ansible-tests repository. 7 | # https://opendev.org/openstack/openstack-ansible-tests/src/branch/master/sync/doc/requirements.txt 8 | # If you need to modify this file, update the one in the 9 | # openstack-ansible-tests repository. Once it merges there, the changes will 10 | # automatically be proposed to all the repositories which use it. 
11 | 12 | sphinx>=2.0.0,!=2.1.0 # BSD 13 | sphinxcontrib-svg2pdfconverter>=0.1.0 # BSD 14 | openstackdocstheme>=2.2.1 # Apache-2.0 15 | reno>=3.1.0 # Apache-2.0 16 | doc8>=0.6.0 # Apache-2.0 17 | -------------------------------------------------------------------------------- /doc/source/_static/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/ansible-hardening/394652de90d88de38ac06ffc1a032516c95bd6dc/doc/source/_static/.gitkeep -------------------------------------------------------------------------------- /doc/source/_static/ansible-hardening-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/ansible-hardening/394652de90d88de38ac06ffc1a032516c95bd6dc/doc/source/_static/ansible-hardening-logo.png -------------------------------------------------------------------------------- /doc/source/_themes/openstack/static/header-line.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/ansible-hardening/394652de90d88de38ac06ffc1a032516c95bd6dc/doc/source/_themes/openstack/static/header-line.gif -------------------------------------------------------------------------------- /doc/source/_themes/openstack/static/header_bg.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/ansible-hardening/394652de90d88de38ac06ffc1a032516c95bd6dc/doc/source/_themes/openstack/static/header_bg.jpg -------------------------------------------------------------------------------- /doc/source/_themes/openstack/static/openstack_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/ansible-hardening/394652de90d88de38ac06ffc1a032516c95bd6dc/doc/source/_themes/openstack/static/openstack_logo.png 
-------------------------------------------------------------------------------- /doc/source/_themes/openstack/theme.conf: -------------------------------------------------------------------------------- 1 | [theme] 2 | inherit = basic 3 | stylesheet = nature.css 4 | pygments_style = tango 5 | 6 | [options] 7 | incubating = false 8 | -------------------------------------------------------------------------------- /doc/source/domains.rst: -------------------------------------------------------------------------------- 1 | .. _hardening_domains_label: 2 | 3 | Hardening Domains (RHEL 7 STIG) 4 | =============================== 5 | 6 | The STIG divides its hardening requirements into severity levels, but the 7 | security role divides the requirements into system domains to make them easier 8 | to review. 9 | 10 | The documentation provided here includes a brief overview of each hardening 11 | domain and the STIG requirements that go along with each. 12 | 13 | .. toctree:: 14 | :maxdepth: 1 15 | 16 | rhel7/domains/accounts.rst 17 | rhel7/domains/aide.rst 18 | rhel7/domains/auditd.rst 19 | rhel7/domains/auth.rst 20 | rhel7/domains/file_perms.rst 21 | rhel7/domains/graphical.rst 22 | rhel7/domains/kernel.rst 23 | rhel7/domains/lsm.rst 24 | rhel7/domains/misc.rst 25 | rhel7/domains/packages.rst 26 | rhel7/domains/sshd.rst 27 | -------------------------------------------------------------------------------- /doc/source/rhel7/domains/accounts.rst: -------------------------------------------------------------------------------- 1 | accounts - User account security controls 2 | ========================================= 3 | 4 | Security controls for user accounts on Linux systems are a crucial barrier to 5 | prevent unauthorized access. 6 | 7 | Overview 8 | -------- 9 | 10 | Many of the STIG requirements for user account controls are already included in 11 | many Linux distributions or they can be applied without disruptions. 
However, 12 | some requirements can cause problems with user authentication without 13 | coordination. 14 | 15 | Deployers should consider an authentication solution that uses centralized 16 | authentication, such as LDAP, Active Directory, or Kerberos, for the best 17 | security posture. 18 | 19 | .. include:: auto_accounts.rst 20 | -------------------------------------------------------------------------------- /doc/source/rhel7/domains/auth.rst: -------------------------------------------------------------------------------- 1 | auth - Authentication 2 | ===================== 3 | 4 | User or automated authentication to a Linux system must be closely monitored 5 | and carefully configured to prevent unauthorized access. 6 | 7 | Overview 8 | -------- 9 | 10 | Most of the STIG requirements for authentication are already included in Linux 11 | distributions by default or are easily applied without disruptions. Deployers 12 | should review the documentation below and test all changes on a non-production 13 | system first. 14 | 15 | .. include:: auto_auth.rst 16 | -------------------------------------------------------------------------------- /doc/source/rhel7/domains/file_perms.rst: -------------------------------------------------------------------------------- 1 | file_perms - Filesystem permissions 2 | =================================== 3 | 4 | One of the first layers of defense against attacks on a Linux system is 5 | Discretionary Access Control (DAC), which is managed through filesystem 6 | permissions. 7 | 8 | Overview 9 | -------- 10 | 11 | Some of the STIG requirements for file permissions could cause disruptions on 12 | production systems if the permissions were adjusted to meet the needs of a 13 | particular application. These configurations are applied on an opt-in basis. 14 | Deployers must verify that these changes work well with their systems before 15 | applying the changes. 16 | 17 | .. 
include:: auto_file_perms.rst 18 | -------------------------------------------------------------------------------- /doc/source/rhel7/domains/graphical.rst: -------------------------------------------------------------------------------- 1 | graphical - Graphical login security controls 2 | ============================================= 3 | 4 | Although most Linux servers only have text-based interfaces, graphical 5 | environments are required for certain applications. Security controls must be 6 | applied to these graphical environments to prevent unauthorized access. 7 | 8 | Overview 9 | -------- 10 | 11 | The STIG requirements for graphical interfaces are focused on ensuring proper 12 | authentication for new sessions and enforcing re-authentication after idle 13 | periods. 14 | 15 | These controls will be skipped on systems without a graphical login interface. 16 | 17 | .. include:: auto_graphical.rst 18 | -------------------------------------------------------------------------------- /doc/source/rhel7/domains/kernel.rst: -------------------------------------------------------------------------------- 1 | kernel - Kernel parameters 2 | ========================== 3 | 4 | The Linux kernel has many parameters that can improve overall system security 5 | and most of these parameters can be changed while a system is running. 6 | 7 | Overview 8 | -------- 9 | 10 | The security role applies several changes to kernel parameters and each of 11 | these changes are controlled by Ansible variables. Review the ``## Kernel 12 | settings`` section within ``defaults/main.yml`` file for more information on 13 | these changes. 14 | 15 | One deviation appears in this section for IP forwarding. Review the 16 | documentation for ``V-72309`` below for more details. 17 | 18 | .. 
include:: auto_kernel.rst 19 | -------------------------------------------------------------------------------- /doc/source/rhel7/domains/lsm.rst: -------------------------------------------------------------------------------- 1 | lsm - Linux Security Modules 2 | ============================ 3 | 4 | Linux Security Modules, such as AppArmor and SELinux, provide an extra level of 5 | security controls on a Linux system. They provide Mandatory Access Control 6 | (MAC) that checks system activities against security policy. These policies 7 | apply to all users, including root. 8 | 9 | Overview 10 | -------- 11 | 12 | The STIG requires that SELinux is in enforcing mode to provide additional 13 | security against attacks. The security role will enable SELinux on CentOS 14 | systems and enable AppArmor on Ubuntu and Debian systems. 15 | 16 | .. include:: auto_lsm.rst 17 | -------------------------------------------------------------------------------- /doc/source/rhel7/domains/misc.rst: -------------------------------------------------------------------------------- 1 | misc - Miscellaneous security controls 2 | ====================================== 3 | 4 | Some of the security controls provided by the STIG are difficult to group 5 | together. The following documentation includes STIG requirements which do not 6 | easily fit into one of the other hardening domains. 7 | 8 | Overview 9 | -------- 10 | 11 | Reliable time synchronization is a requirement in the STIG and the ``chrony`` 12 | package will be installed to handle NTP for systems secured with the openstack- 13 | ansible-security role. The default settings will work for most environments, 14 | but some deployers may prefer to use NTP servers which are geographically 15 | closer to their servers. 16 | 17 | The role configures the chrony daemon to listen only on ``localhost``. 
To allow 18 | chrony to listen on all addresses (the upstream default for chrony), 19 | set the ``security_ntp_bind_local_interfaces_only`` variable to ``False``. 20 | 21 | The default configuration allows `RFC1918`_ addresses to reach the NTP server 22 | running on each host. That could be changed by using the 23 | ``security_allowed_ntp_subnets`` parameter. 24 | 25 | .. _RFC1918: https://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces 26 | 27 | .. include:: auto_misc.rst 28 | -------------------------------------------------------------------------------- /doc/source/rhel7/domains/packages.rst: -------------------------------------------------------------------------------- 1 | packages - Package managers 2 | =========================== 3 | 4 | Package managers provide a convenient, secure method for installing and 5 | upgrading applications on a system. They must be configured properly to ensure 6 | that software is carefully verified before it is installed. 7 | 8 | Overview 9 | -------- 10 | 11 | Lorem ipsum 12 | 13 | .. include:: auto_packages.rst 14 | -------------------------------------------------------------------------------- /doc/source/rhel7/domains/sshd.rst: -------------------------------------------------------------------------------- 1 | sshd - SSH daemon 2 | ================= 3 | 4 | The SSH daemon, ``sshd``, provides secure, encrypted access to Linux servers. 5 | 6 | Overview 7 | -------- 8 | 9 | The STIG has several requirements for ssh server configuration and these 10 | requirements are applied by default by the role. To opt-out or change these 11 | requirements, see the section under the ``## ssh server (sshd)`` comment in 12 | ``defaults/main.yml``. 13 | 14 | Deviation for PermitRootLogin 15 | There is one deviation from the STIG for the ``PermitRootLogin`` 16 | configuration option. The STIG requires that direct root logins are 17 | disabled, and this is the recommended setting for secure production 18 | environments. 
19 | 20 | However, this can cause problems in some existing environments and the 21 | default for the role is to set it to ``yes`` (direct root logins allowed). 22 | 23 | .. include:: auto_sshd.rst 24 | -------------------------------------------------------------------------------- /examples/playbook.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Gather security hardening facts 3 | hosts: "{{ security_host_group|default('hosts') }}" 4 | gather_facts: true 5 | tags: 6 | - always 7 | 8 | - name: Apply security hardening configurations 9 | hosts: "{{ security_host_group|default('hosts') }}" 10 | gather_facts: false 11 | user: root 12 | roles: 13 | - role: "ansible-hardening" 14 | when: apply_security_hardening | default(True) | bool 15 | environment: "{{ deployment_environment_variables | default({}) }}" 16 | tags: 17 | - security 18 | -------------------------------------------------------------------------------- /files/20auto-upgrades: -------------------------------------------------------------------------------- 1 | APT::Periodic::Update-Package-Lists "1"; 2 | APT::Periodic::Unattended-Upgrade "1"; 3 | -------------------------------------------------------------------------------- /files/V-38682-modprobe.conf: -------------------------------------------------------------------------------- 1 | # File managed by ansible-hardening 2 | # Fixes RHEL 6 STIG V-38682 3 | install net-pf-31 /bin/true 4 | install bluetooth /bin/true 5 | -------------------------------------------------------------------------------- /files/ansible-hardening-disable-dccp.conf: -------------------------------------------------------------------------------- 1 | install dccp /bin/true 2 | install dccp_diag /bin/true -------------------------------------------------------------------------------- /files/dconf-profile-gdm: -------------------------------------------------------------------------------- 1 | user-db:user 2 | 
system-db:gdm 3 | file-db:/usr/share/gdm/greeter-dconf-defaults 4 | -------------------------------------------------------------------------------- /files/dconf-user-profile: -------------------------------------------------------------------------------- 1 | user-db:user 2 | system-db:local 3 | -------------------------------------------------------------------------------- /files/login_banner.txt: -------------------------------------------------------------------------------- 1 | ------------------------------------------------------------------------------ 2 | * WARNING * 3 | * You are accessing a secured system and your actions will be logged along * 4 | * with identifying information. Disconnect immediately if you are not an * 5 | * authorized user of this system. * 6 | ------------------------------------------------------------------------------ 7 | -------------------------------------------------------------------------------- /files/zypper-autoupdates: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | /usr/bin/zypper -n dup -l 4 | -------------------------------------------------------------------------------- /manual-test.rc: -------------------------------------------------------------------------------- 1 | export VIRTUAL_ENV=$(pwd) 2 | export ANSIBLE_HOST_KEY_CHECKING=False 3 | export ANSIBLE_SSH_CONTROL_PATH=/tmp/%%h-%%r 4 | 5 | # TODO (odyssey4me) These are only here as they are non-standard folder 6 | # names for Ansible 1.9.x. We are using the standard folder names for 7 | # Ansible v2.x. We can remove this when we move to Ansible 2.x. 
8 | export ANSIBLE_ACTION_PLUGINS=${HOME}/.ansible/plugins/action 9 | export ANSIBLE_CALLBACK_PLUGINS=${HOME}/.ansible/plugins/callback 10 | export ANSIBLE_FILTER_PLUGINS=${HOME}/.ansible/plugins/filter 11 | export ANSIBLE_LOOKUP_PLUGINS=${HOME}/.ansible/plugins/lookup 12 | 13 | # This is required as the default is the current path or a path specified 14 | # in ansible.cfg 15 | export ANSIBLE_LIBRARY=${HOME}/.ansible/plugins/library 16 | 17 | # This is required as the default is '/etc/ansible/roles' or a path 18 | # specified in ansible.cfg 19 | export ANSIBLE_ROLES_PATH=${HOME}/.ansible/roles:$(pwd)/.. 20 | 21 | export ANSIBLE_SSH_ARGS="-o ControlMaster=no \ 22 | -o UserKnownHostsFile=/dev/null \ 23 | -o StrictHostKeyChecking=no \ 24 | -o ServerAliveInterval=64 \ 25 | -o ServerAliveCountMax=1024 \ 26 | -o Compression=no \ 27 | -o TCPKeepAlive=yes \ 28 | -o VerifyHostKeyDNS=no \ 29 | -o ForwardX11=no \ 30 | -o ForwardAgent=yes" 31 | 32 | echo "Run manual functional tests by executing the following:" 33 | echo "# ./.tox/functional/bin/ansible-playbook -i tests/inventory tests/test.yml" 34 | -------------------------------------------------------------------------------- /meta/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | galaxy_info: 3 | author: OpenStack 4 | description: Security hardening role for OpenStack-Ansible 5 | company: OpenStack 6 | license: Apache 7 | role_name: hardening 8 | namespace: openstack 9 | min_ansible_version: "2.10" 10 | platforms: 11 | - name: Debian 12 | versions: 13 | - bullseye 14 | - name: EL 15 | versions: 16 | - "8" 17 | - "9" 18 | - name: Ubuntu 19 | versions: 20 | - focal 21 | - jammy 22 | galaxy_tags: 23 | - cloud 24 | - security 25 | - system 26 | dependencies: [] 27 | -------------------------------------------------------------------------------- /meta/openstack-ansible.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 
Copyright 2017, Rackspace US, Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | # 16 | # (c) 2017, Jean-Philippe Evrard 17 | 18 | maturity_info: 19 | status: complete 20 | created_during: liberty 21 | -------------------------------------------------------------------------------- /releasenotes/notes/.placeholder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/ansible-hardening/394652de90d88de38ac06ffc1a032516c95bd6dc/releasenotes/notes/.placeholder -------------------------------------------------------------------------------- /releasenotes/notes/add-v38438-3f7e905892be4b4f.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | The role now enables auditing during early boot to comply with the 5 | requirements in V-38438. By default, the GRUB configuration variables in 6 | ``/etc/default/grub.d/`` will be updated and the active ``grub.cfg`` will 7 | be updated. 8 | 9 | Deployers can opt-out of the change entirely by setting a variable: 10 | 11 | .. code-block:: yaml 12 | 13 | security_enable_audit_during_boot: no 14 | 15 | Deployers may opt-in for the change without automatically updating the 16 | active ``grub.cfg`` file by setting the following Ansible variables: 17 | 18 | .. 
code-block:: yaml 19 | 20 | security_enable_audit_during_boot: yes 21 | security_enable_grub_update: no 22 | -------------------------------------------------------------------------------- /releasenotes/notes/adding-v38526-381a407caa566b14.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | A task was added to disable secure ICMP redirects per the requirements in 5 | V-38526. This change can cause problems in some environments, so it is 6 | disabled by default. Deployers can enable the task (which disables secure 7 | ICMP redirects) by setting ``security_disable_icmpv4_redirects_secure`` to 8 | ``yes``. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/adding-v38548-9c51b30bf9780ff3.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | A new task was added to disable ICMPv6 redirects per the requirements in 5 | V-38548. However, since this change can cause problems in running OpenStack 6 | environments, it is disabled by default. Deployers who wish to enable this 7 | task (and disable ICMPv6 redirects) should set 8 | ``security_disable_icmpv6_redirects`` to ``yes``. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/aide-exclude-run-4d3c97a2d08eb373.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | The ``/run`` directory is excluded from AIDE checks since the files and 5 | directories there are only temporary and often change when services 6 | start and stop. 
7 | -------------------------------------------------------------------------------- /releasenotes/notes/aide-initialization-fix-16ab0223747d7719.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | AIDE is configured to skip the entire ``/var`` directory when it does the 5 | database initialization and when it performs checks. This reduces disk 6 | I/O and allows these jobs to complete faster. 7 | 8 | This also allows the initialization to become a blocking process and 9 | Ansible will wait for the initialization to complete prior to running the 10 | next task. 11 | fixes: 12 | - | 13 | AIDE initialization is now always run on subsequent playbook runs when 14 | ``security_initialize_aide`` is set to ``yes``. The initialization will 15 | be skipped if AIDE isn't installed or if the AIDE database already exists. 16 | 17 | See `bug 1616281 `_ for more details. 18 | -------------------------------------------------------------------------------- /releasenotes/notes/allow-custom-epel-release-packages-b409be1aa46ee9c3.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | Deployers can now specify a custom package name or URL for an EPEL release 5 | package. CentOS systems use ``epel-release`` by default, but some deployers 6 | have a customized package that redirects servers to internal mirrors. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/auditing-mac-policy-changes-fb83e0260a6431ed.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | upgrade: 4 | - | 5 | The variable ``security_audit_apparmor_changes`` is now renamed to 6 | ``security_audit_mac_changes`` and is enabled by default. 
Setting 7 | ``security_audit_mac_changes`` to ``no`` will disable syscall auditing for 8 | any changes to AppArmor policies (in Ubuntu) or SELinux policies (in 9 | CentOS). 10 | features: 11 | - | 12 | The auditd rules template included a rule that audited changes to the 13 | AppArmor policies, but the SELinux policy changes were not being audited. 14 | Any changes to SELinux policies in ``/etc/selinux`` are now being logged 15 | by auditd. 16 | -------------------------------------------------------------------------------- /releasenotes/notes/augenrules-restart-39fe3e1e2de3eaba.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - The role previously did not restart the audit daemon after generating a 4 | new rules file. The `bug `_ has been 5 | fixed and the audit daemon will be restarted after any audit rule changes. 6 | -------------------------------------------------------------------------------- /releasenotes/notes/chrony-config-variable-7a1a7862c05c9675.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | The installation of ``chrony`` is still enabled by default, but it is now 5 | controlled by the ``security_enable_chrony`` variable. 6 | -------------------------------------------------------------------------------- /releasenotes/notes/chrony-ntp-server-defaults-7cd2e3a80723e0bd.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - Changed the default NTP server options in ``chrony.conf``. The ``offline`` 4 | option has been removed, ``minpoll``/``maxpoll`` have been removed in favour of 5 | the upstream defaults, while the ``iburst`` option was added to speed up 6 | initial time synchronization. 
7 | -------------------------------------------------------------------------------- /releasenotes/notes/chrony-ntp-server-options-f8f87225a5282e1a.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - It is now possible to modify the NTP server options in chrony using 4 | ``security_ntp_server_options``. 5 | -------------------------------------------------------------------------------- /releasenotes/notes/chrony-rtc-sync-f46b9a526aec0889.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - Chrony got a new configuration option to synchronize the system clock back 4 | to the RTC using the ``security_ntp_sync_rtc`` variable. Disabled by default. 5 | -------------------------------------------------------------------------------- /releasenotes/notes/conditionally-install-epel-9e8e1b67e5943019.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | The EPEL repository is only installed and configured when the deployer sets 5 | ``security_enable_virus_scanner`` to ``yes``. This allows the ClamAV 6 | packages to be installed. If ``security_enable_virus_scanner`` is set to 7 | ``no`` (the default), the EPEL repository will not be added. 8 | 9 | See 10 | `Bug 1702167 `_ 11 | for more details. 12 | - | 13 | Deployers now have the option to prevent the EPEL repository from being 14 | installed by the role. Setting ``security_epel_install_repository`` to 15 | ``no`` prevents EPEL from being installed. This setting may prevent certain 16 | packages from installing, such as ClamAV. 
17 | -------------------------------------------------------------------------------- /releasenotes/notes/configurable-martian-logging-370ede40b036db0b.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | Although the STIG requires martian packets to be logged, the logging is 5 | now disabled by default. The logs can quickly fill up a syslog server or 6 | make a physical console unusable. 7 | 8 | Deployers that need this logging enabled will need to set the following 9 | Ansible variable: 10 | 11 | .. code-block:: yaml 12 | 13 | security_sysctl_enable_martian_logging: yes 14 | -------------------------------------------------------------------------------- /releasenotes/notes/customizable-login-banner-string-d8d5ae874e8e49f3.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | Deployers can provide a customized login banner via a new Ansible variable: 5 | ``security_login_banner_text``. This banner text is used for non-graphical 6 | logins, which includes console and ssh logins. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/dictionary-variables-removed-957c7b7b2108ba1f.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - The dictionary-based variables in ``defaults/main.yml`` are now individual 4 | variables. The dictionary-based variables could not be changed as the 5 | documentation instructed. Instead it was required to override the entire 6 | dictionary. Deployers must use the new variable names to enable or disable 7 | the security configuration changes applied by the security role. For more 8 | information, see 9 | `Launchpad Bug 1577944 `_. 
10 | -------------------------------------------------------------------------------- /releasenotes/notes/disable-check-of-package-checksums-by-default-3543840512c348d6.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | Generating and validating checksums for all files installed by packages is now 5 | disabled by default. The check causes delays in playbook runs and it can 6 | consume a significant amount of CPU and I/O resources. Deployers can re-enable 7 | the check by setting ``security_check_package_checksums`` to ``yes``. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/disable-failed-access-audit-logging-789dc01c8bcbef17.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - Failed access logging is now disabled by default and can be enabled by 4 | changing ``security_audit_failed_access`` to ``yes``. The rsyslog daemon 5 | checks for the existence of log files regularly and this audit rule was 6 | triggered very frequently, which led to very large audit logs. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/disable-graphical-interface-5db89cd1bef7e12d.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | The security role now has tasks that will disable the graphical interface 5 | on a server using upstart (Ubuntu 14.04) or systemd (Ubuntu 16.04 and 6 | CentOS 7). These changes take effect after a reboot. 7 | 8 | Deployers that need a graphical interface will need to set the following 9 | Ansible variable: 10 | 11 | .. 
code-block:: yaml 12 | 13 | security_disable_x_windows: no 14 | -------------------------------------------------------------------------------- /releasenotes/notes/disable-netconsole-service-915bb33449b4012c.yaml: -------------------------------------------------------------------------------- 1 | fixes: 2 | - | 3 | An Ansible task was added to disable the ``netconsole`` service on CentOS 4 | systems if the service is installed on the system. 5 | 6 | Deployers can opt-out of this change by setting 7 | ``security_disable_netconsole`` to ``no``. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/disable-rpm-perms-fix-by-default-b164e39717f0ada7.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | security: 3 | - | 4 | The security role will no longer fix file permissions and ownership based 5 | on the contents of the RPM database by default. Deployers can opt in for 6 | these changes by setting ``security_reset_perm_ownership`` to ``yes``. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/disabling-rdisc-centos-75115b3509941bfa.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | An Ansible task was added to disable the ``rdisc`` service on CentOS systems if 5 | the service is installed on the system. 6 | 7 | Deployers can opt-out of this change by setting ``security_disable_rdisc`` 8 | to ``no``. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/enable-lsm-bae903e463079a3f.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | The Linux Security Module (LSM) that is appropriate for the Linux 5 | distribution in use will be automatically enabled by the security role by 6 | default. 
Deployers can opt out of this change by setting the following 7 | Ansible variable: 8 | 9 | .. code-block:: yaml 10 | 11 | security_enable_linux_security_module: False 12 | 13 | The documentation for STIG V-51337 has more information about how each 14 | LSM is enabled along with special notes for SELinux. 15 | -------------------------------------------------------------------------------- /releasenotes/notes/enable-tcp-syncookes-boolean-4a884a66a3a0e4d7.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | The variable ``security_sysctl_enable_tcp_syncookies`` has replaced 5 | ``security_sysctl_tcp_syncookies`` and it is now a boolean instead of an 6 | integer. It is still enabled by default, but deployers can disable TCP 7 | syncookies by setting the following Ansible variable: 8 | 9 | .. code-block:: yaml 10 | 11 | security_sysctl_enable_tcp_syncookies: no 12 | -------------------------------------------------------------------------------- /releasenotes/notes/enable_aide-d9783c50675cb80f.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | Added variable ``security_rhel7_enable_aide`` that is designed to avoid 5 | installation and initialization of the aide related STIGs 6 | -------------------------------------------------------------------------------- /releasenotes/notes/fedora-26-support-70a304f9c97d1b37.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - Fedora 26 is now supported. 4 | deprecations: 5 | - Fedora 25 support is deprecated and no longer tested on each commit. 6 | -------------------------------------------------------------------------------- /releasenotes/notes/fedora-27-support-a1e0c670e4fc5626.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - Fedora 27 is now supported. 
4 | deprecations: 5 | - Fedora 26 support is deprecated and no longer tested on each commit. 6 | -------------------------------------------------------------------------------- /releasenotes/notes/fedora-latest-support-bf58ecd96cc8fbd4.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | deprecations: 3 | - | 4 | Fedora is no longer tested in CI for each commit. 5 | -------------------------------------------------------------------------------- /releasenotes/notes/fix-audit-log-permission-bug-81a772e2e6d0a5b3.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | The security role previously set the permissions on all audit log files in 5 | ``/var/log/audit`` to ``0400``, but this prevents the audit daemon from 6 | writing to the active log file. This will prevent ``auditd`` from 7 | starting or restarting cleanly. 8 | 9 | The task now removes any permissions that are not allowed by the STIG. Any 10 | log files that meet or exceed the STIG requirements will not be modified. 11 | -------------------------------------------------------------------------------- /releasenotes/notes/fix-check-mode-with-tags-bf798856a27c53eb.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | When the security role was run in Ansible's check mode and a tag was 5 | provided, the ``check_mode`` variable was not being set. Any tasks which 6 | depend on that variable would fail. This `bug is fixed `_ 7 | and the ``check_mode`` variable is now set properly on every playbook run. 
8 | -------------------------------------------------------------------------------- /releasenotes/notes/global-ntp-servers-155c1daef3680025.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | The default list of NTP servers for chrony are now more friendly to users 5 | outside North America. Deployers can still provide their own list of NTP 6 | servers with the ``security_ntp_servers`` Ansible variable. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/handling-sshd-match-stanzas-fa40b97689004e46.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - The security role now handles ``ssh_config`` files that contain 4 | ``Match`` stanzas. A marker is added to the configuration file and any new 5 | configuration items will be added below that marker. In addition, the 6 | configuration file is validated for each change to the ssh configuration 7 | file. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/implemented-v38524-b357edec95128307.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | A task was added that restricts ICMPv4 redirects to meet the requirements 5 | of V-38524 in the STIG. This configuration is disabled by default since 6 | it could cause issues with LXC in some environments. 7 | 8 | Deployers can enable this configuration by setting an Ansible variable: 9 | 10 | .. 
code-block:: yaml 11 | 12 | security_disable_icmpv4_redirects: yes 13 | -------------------------------------------------------------------------------- /releasenotes/notes/improved-audit-rule-keys-9fa85f758386446c.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - The audit rules added by the security role now have key fields that make 4 | it easier to link the audit log entry to the audit rule that caused it to 5 | appear. 6 | -------------------------------------------------------------------------------- /releasenotes/notes/ntp-bind-local-interfaces-only-05f03de632e81097.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - A new configuration parameter ``security_ntp_bind_local_interfaces`` was 4 | added to the security role to restrict the network interface to which 5 | chronyd will listen for NTP requests. -------------------------------------------------------------------------------- /releasenotes/notes/package-state-6684c5634bdf127a.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - The security role now supports the ability to configure whether 4 | apt/yum tasks install the latest available package, or just ensure 5 | that the package is present. The default action is to ensure that 6 | the latest package is present. The action taken may be changed to 7 | only ensure that the package is present by setting 8 | ``security_package_state`` to ``present``. 9 | upgrade: 10 | - The security role always checks whether the latest package is 11 | installed when executed. If a deployer wishes to change the check to 12 | only validate the presence of the package, the option 13 | ``security_package_state`` should be set to ``present``. 
14 | -------------------------------------------------------------------------------- /releasenotes/notes/package-state-present-951161faa5384abd.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - The security role will accept the currently installed version of a package 4 | rather than attempting to update it. This reduces unexpected changes on 5 | the system from subsequent runs of the security role. Deployers can still 6 | set ``security_package_state`` to ``latest`` to ensure that all packages 7 | installed by the security role are up to date. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/password-lifetime-opt-in-c380f0ec81daffd0.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | The password minimum and maximum lifetimes are now opt-in changes that 5 | can take action against user accounts instead of printing debug warnings. 6 | Refer to the documentation for STIG requirements V-71927 and V-71931 to 7 | review the opt-in process and warnings. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/permitrootlogin_options-a62e33ccc4a69657.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - The ``security_sshd_permit_root_login`` setting can 4 | now be set to change the ``PermitRootLogin`` setting 5 | in ``/etc/ssh/sshd_config`` to any of the possible 6 | options. Set ``security_sshd_permit_root_login`` to 7 | one of ``without-password``, ``prohibit-password``, 8 | ``forced-commands-only``, ``yes`` or ``no``. 
9 | -------------------------------------------------------------------------------- /releasenotes/notes/reduce-auditd-logging-633677a74aee5481.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | All of the discretionary access control (DAC) auditing is now disabled by 5 | default. This reduces the amount of logs generated during deployments and 6 | minor upgrades. The following variables are now set to ``no``: 7 | 8 | .. code-block:: yaml 9 | 10 | security_audit_DAC_chmod: no 11 | security_audit_DAC_chown: no 12 | security_audit_DAC_lchown: no 13 | security_audit_DAC_fchmod: no 14 | security_audit_DAC_fchmodat: no 15 | security_audit_DAC_fchown: no 16 | security_audit_DAC_fchownat: no 17 | security_audit_DAC_fremovexattr: no 18 | security_audit_DAC_lremovexattr: no 19 | security_audit_DAC_fsetxattr: no 20 | security_audit_DAC_lsetxattr: no 21 | security_audit_DAC_setxattr: no 22 | fixes: 23 | - The auditd rules for auditing V-38568 (filesystem mounts) were incorrectly 24 | labeled in the auditd logs with the key of ``export-V-38568``. They are 25 | now correctly logged with the key ``filesystem_mount-V-38568``. 26 | -------------------------------------------------------------------------------- /releasenotes/notes/remove-v72181-e29b9f5d9c971541.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | The tasks for V-72181, which include adding audit rules for the 5 | ``pt_chown`` command, have been removed. They are not required in the RHEL 6 | 7 STIG V1R2 release. 
7 | -------------------------------------------------------------------------------- /releasenotes/notes/rhel-gpg-check-0b483a824314d1b3.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | The GPG key checks for package verification in V-38476 are now working for 5 | Red Hat Enterprise Linux 7 in addition to CentOS 7. The checks only look 6 | for GPG keys from Red Hat and any other GPG keys, such as ones imported 7 | from the EPEL repository, are skipped. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/rhel7-stig-default-f6c7c97498a8b2e7.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | The Red Hat Enterprise Linux (RHEL) 7 STIG content is now deployed by 5 | default. Deployers can continue using the RHEL 6 STIG content by setting 6 | the following Ansible variable: 7 | 8 | .. code-block:: yaml 9 | 10 | stig_version: rhel6 11 | upgrade: 12 | - | 13 | Deployers should review the new RHEL 7 STIG variables in 14 | ``defaults/main.yml`` to provide custom configuration for the Ansible 15 | tasks. 16 | deprecations: 17 | - | 18 | The Red Hat Enterprise Linux 6 STIG content has been deprecated. The tasks 19 | and variables for the RHEL 6 STIG will be removed in a future release. 20 | -------------------------------------------------------------------------------- /releasenotes/notes/rhel7-stig-v1r3-update-c533ed40ba609ccf.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | The tasks within the ansible-hardening role are now based on Version 1, 5 | Release 3 of the Red Hat Enterprise Linux Security Technical Implementation 6 | Guide. 7 | - | 8 | The ``sysctl`` parameter ``kernel.randomize_va_space`` is now set to 9 | ``2`` by default. 
This matches the default of most modern Linux 10 | distributions and it ensures that Address Space Layout Randomization 11 | (ASLR) is enabled. 12 | - | 13 | The Datagram Congestion Control Protocol (DCCP) kernel module is now 14 | disabled by default, but a reboot is required to make the change 15 | effective. 16 | -------------------------------------------------------------------------------- /releasenotes/notes/search-for-unlabeled-devices-cb047c5f767e93ce.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | Tasks were added to search for any device files without a proper SELinux 5 | label on CentOS systems. If any of these device labels are found, the 6 | playbook execution will stop with an error message. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/shosts-file-search-opt-in-887f600a79eef07e.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | security: 3 | - | 4 | The tasks that search for ``.shosts`` and ``shosts.equiv`` files 5 | (STIG ID: RHEL-07-040330) are now skipped by default. The search takes a 6 | long time to complete on systems with lots of files and it also causes a 7 | significant amount of disk I/O while it runs. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/skip-sysctl-when-disabled-b32eca48df5b1437.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | The sysctl configuration task was not skipping configurations where 5 | ``enabled`` was set to ``no``. Instead, it was removing configurations 6 | when ``enabled: no`` was set. 7 | 8 | There is now a fix in place that ensures any sysctl configuration with 9 | ``enabled: no`` will be skipped and the configuration will be left 10 | unaltered on the system. 
11 | -------------------------------------------------------------------------------- /releasenotes/notes/sshd-permit-root-login-without-password-948ec79c6508c19b.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | security: 3 | - | 4 | ``PermitRootLogin`` in the ssh configuration has changed from 5 | ``yes`` to ``without-password``. This disables password-based ssh logins 6 | for root; root can only authenticate over ssh with a key. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/stig-rhel7-version-1-renumbering-fiesta-aa047fea3ea35e74.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | prelude: > 3 | The first release of the Red Hat Enterprise Linux 7 STIG was entirely 4 | renumbered from the pre-release versions. Many of the STIG configurations 5 | simply changed numbers, but some were removed or changed. A few new 6 | configurations were added as well. 7 | security: 8 | - | 9 | The latest version of the RHEL 7 STIG requires that a standard login banner 10 | is presented to users when they log into the system (V-71863). The 11 | security role now deploys a login banner that is used for console and ssh 12 | sessions. 13 | - | 14 | The ``cn_map`` permissions and ownership adjustments included as part of 15 | RHEL-07-040070 and RHEL-07-040080 have been removed. This STIG 16 | configuration was removed in the most recent release of the RHEL 7 STIG. 17 | - | 18 | The PKI-based authentication checks for RHEL-07-040030, RHEL-07-040040, 19 | and RHEL-07-040050 are no longer included in the RHEL 7 STIG. The tasks 20 | and documentation for these outdated configurations are removed. 
21 | -------------------------------------------------------------------------------- /releasenotes/notes/support-for-centos-xenial-2b89c318cc3df4b0.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - The openstack-ansible-security role supports the application of the Red 4 | Hat Enterprise Linux 6 STIG configurations to systems running CentOS 7 and 5 | Ubuntu 16.04 LTS. 6 | -------------------------------------------------------------------------------- /releasenotes/notes/unique-variable-migration-c0639030b495438f.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | All variables in the security role are now prepended with ``security_`` to 5 | avoid collisions with variables in other roles. All deployers who have 6 | used the security role in previous releases will need to prepend all 7 | security role variables with ``security_``. 8 | 9 | For example, a deployer could have disabled direct root ssh logins with the 10 | following variable: 11 | 12 | .. code-block:: yaml 13 | 14 | ssh_permit_root_login: yes 15 | 16 | That variable would become: 17 | 18 | .. code-block:: yaml 19 | 20 | security_ssh_permit_root_login: yes 21 | -------------------------------------------------------------------------------- /releasenotes/notes/world-writable-file-search-optional-7420269230a0e22f.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | Searching for world-writable files is now disabled by default. The search 5 | causes delays in playbook runs and it can consume a significant amount of 6 | CPU and I/O resources. Deployers can re-enable the search by setting 7 | ``security_find_world_writable_dirs`` to ``yes``. 
8 | -------------------------------------------------------------------------------- /releasenotes/source/2023.2.rst: -------------------------------------------------------------------------------- 1 | =========================== 2 | 2023.2 Series Release Notes 3 | =========================== 4 | 5 | .. release-notes:: 6 | :branch: stable/2023.2 7 | -------------------------------------------------------------------------------- /releasenotes/source/_static/.placeholder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/ansible-hardening/394652de90d88de38ac06ffc1a032516c95bd6dc/releasenotes/source/_static/.placeholder -------------------------------------------------------------------------------- /releasenotes/source/_templates/.placeholder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/ansible-hardening/394652de90d88de38ac06ffc1a032516c95bd6dc/releasenotes/source/_templates/.placeholder -------------------------------------------------------------------------------- /releasenotes/source/index.rst: -------------------------------------------------------------------------------- 1 | =============================== 2 | ansible-hardening Release Notes 3 | =============================== 4 | 5 | .. toctree:: 6 | :maxdepth: 1 7 | 8 | unreleased 9 | 2023.2 10 | zed 11 | xena 12 | ussuri 13 | train 14 | stein 15 | rocky 16 | queens 17 | pike 18 | ocata 19 | newton 20 | -------------------------------------------------------------------------------- /releasenotes/source/newton.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Newton Series Release Notes 3 | =================================== 4 | 5 | .. 
release-notes:: 6 | :branch: origin/stable/newton 7 | -------------------------------------------------------------------------------- /releasenotes/source/ocata.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Ocata Series Release Notes 3 | =================================== 4 | 5 | .. release-notes:: 6 | :branch: origin/stable/ocata 7 | -------------------------------------------------------------------------------- /releasenotes/source/pike.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Pike Series Release Notes 3 | =================================== 4 | 5 | .. release-notes:: 6 | :branch: origin/stable/pike 7 | -------------------------------------------------------------------------------- /releasenotes/source/queens.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Queens Series Release Notes 3 | =================================== 4 | 5 | .. release-notes:: 6 | :branch: stable/queens 7 | -------------------------------------------------------------------------------- /releasenotes/source/rocky.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Rocky Series Release Notes 3 | =================================== 4 | 5 | .. release-notes:: 6 | :branch: stable/rocky 7 | -------------------------------------------------------------------------------- /releasenotes/source/stein.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Stein Series Release Notes 3 | =================================== 4 | 5 | .. 
release-notes:: 6 | :branch: stable/stein 7 | -------------------------------------------------------------------------------- /releasenotes/source/train.rst: -------------------------------------------------------------------------------- 1 | ========================== 2 | Train Series Release Notes 3 | ========================== 4 | 5 | .. release-notes:: 6 | :branch: stable/train 7 | -------------------------------------------------------------------------------- /releasenotes/source/unreleased.rst: -------------------------------------------------------------------------------- 1 | ============================== 2 | Current Series Release Notes 3 | ============================== 4 | 5 | .. release-notes:: 6 | -------------------------------------------------------------------------------- /releasenotes/source/ussuri.rst: -------------------------------------------------------------------------------- 1 | =========================== 2 | Ussuri Series Release Notes 3 | =========================== 4 | 5 | .. release-notes:: 6 | :branch: stable/ussuri 7 | -------------------------------------------------------------------------------- /releasenotes/source/xena.rst: -------------------------------------------------------------------------------- 1 | ========================= 2 | Xena Series Release Notes 3 | ========================= 4 | 5 | .. release-notes:: 6 | :branch: unmaintained/xena 7 | -------------------------------------------------------------------------------- /releasenotes/source/zed.rst: -------------------------------------------------------------------------------- 1 | ======================== 2 | Zed Series Release Notes 3 | ======================== 4 | 5 | .. release-notes:: 6 | :branch: unmaintained/zed 7 | -------------------------------------------------------------------------------- /tasks/contrib/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright 2017, Rackspace US, Inc. 
3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | - name: Notify the deployer that contrib tasks are enabled 17 | ansible.builtin.debug: 18 | msg: "The contrib tasks are enabled." 19 | -------------------------------------------------------------------------------- /templates/ZZ_aide_exclusions.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | # 3 | # These excluded paths prevent AIDE from wandering into directories where it 4 | # shouldn't be hashing/monitoring files. 
5 | 6 | {% for dir in security_aide_exclude_dirs %} 7 | !{{ dir }} 8 | {% endfor %} 9 | -------------------------------------------------------------------------------- /templates/dconf-gdm-banner-message.j2: -------------------------------------------------------------------------------- 1 | [org/gnome/login-screen] 2 | banner-message-enable={{ security_enable_graphical_login_message | bool | ternary('true', 'false') }} 3 | banner-message-text='{{ security_enable_graphical_login_message_text | trim }}' 4 | -------------------------------------------------------------------------------- /templates/dconf-screensaver-lock.j2: -------------------------------------------------------------------------------- 1 | {% if security_lock_session | bool %} 2 | [org/gnome/desktop/session] 3 | # V-71893 - The operating system must initiate a screensaver after a 4 | # 15-minute period of inactivity for graphical user 5 | # interfaces. 6 | idle-delay={{ security_lock_session_inactive_delay }} 7 | 8 | [org/gnome/desktop/screensaver] 9 | # V-71891 - The operating system must enable a user session lock until 10 | # that user re-establishes access using established 11 | # identification and authentication procedures. 12 | lock-enabled=true 13 | 14 | # V-71901 - The operating system must initiate a session lock for 15 | # graphical user interfaces when the screensaver is activated. 16 | lock-delay={{ security_lock_session_screensaver_lock_delay }} 17 | 18 | {% if security_lock_session_when_inactive | bool %} 19 | # V-71893 - The operating system must initiate a session lock for the 20 | # screensaver after a period of inactivity for graphical user 21 | # interfaces. 
22 | idle-activation-enabled=true 23 | {% endif %} 24 | {% endif %} 25 | -------------------------------------------------------------------------------- /templates/dconf-session-user-config-lockout.j2: -------------------------------------------------------------------------------- 1 | {% if security_lock_session | bool %} 2 | /org/gnome/desktop/session/idle-delay 3 | /org/gnome/desktop/screensaver/lock-enabled 4 | /org/gnome/desktop/screensaver/lock-delay 5 | {% if security_lock_session_when_inactive | bool %} 6 | /org/gnome/desktop/screensaver/idle-activation-enabled 7 | {% endif %} 8 | {% endif %} 9 | -------------------------------------------------------------------------------- /templates/jail.local.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | # 3 | # added for RHEL 6 STIG V-38501 4 | 5 | [DEFAULT] 6 | # "bantime" is the number of seconds that a host is banned. 7 | bantime = {{ security_fail2ban_bantime }} 8 | -------------------------------------------------------------------------------- /templates/pam_faillock.j2: -------------------------------------------------------------------------------- 1 | # V-71945 - If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked. 
2 | auth required pam_faillock.so preauth silent audit deny="{{ security_pam_faillock_attempts }}" "{{ security_pam_faillock_deny_root | bool | ternary('even_deny_root','') }}" fail_interval="{{ security_pam_faillock_interval }}" unlock_time="{{ security_pam_faillock_unlock_time }}" 3 | auth [default=die] pam_faillock.so authfail audit deny="{{ security_pam_faillock_attempts }}" "{{ security_pam_faillock_deny_root | bool | ternary('even_deny_root','') }}" fail_interval="{{ security_pam_faillock_interval }}" unlock_time="{{ security_pam_faillock_unlock_time }}" 4 | -------------------------------------------------------------------------------- /templates/pwquality.conf.j2: -------------------------------------------------------------------------------- 1 | {% if security_pwquality_apply_rules | bool %} 2 | {% for rule in password_quality_rhel7 %} 3 | {% if rule.value is defined and rule.enabled | bool %} 4 | # {{ rule.stig_id }} - {{ rule.description }} 5 | {{ rule.parameter}} = {{ rule.value }} 6 | {% endif %} 7 | {% endfor %} 8 | {% endif %} 9 | -------------------------------------------------------------------------------- /test-requirements.txt: -------------------------------------------------------------------------------- 1 | # These are actually only used for doc building but 2 | # doc/requirements.txt is synced from openstack-ansible-tests, so we 3 | # need to add them elsewhere. 4 | 5 | Jinja2>=2.10 # BSD License (3 clause) 6 | lxml!=3.7.0,>=3.4.1 # BSD 7 | -------------------------------------------------------------------------------- /tests/inventory: -------------------------------------------------------------------------------- 1 | [all] 2 | localhost ansible_connection=local ansible_become=True 3 | -------------------------------------------------------------------------------- /zuul.d/project.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright 2017, Rackspace US, Inc. 
3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | - project: 17 | templates: 18 | - openstack-ansible-linters-jobs 19 | - openstack-ansible-deploy-hosts_metal-jobs 20 | - check-requirements 21 | - publish-openstack-docs-pti 22 | - release-notes-jobs-python3 23 | --------------------------------------------------------------------------------