Automate the STIG documentation
With the upcoming changes to rebase onto the RHEL 7 STIG controls, there needs to be a new solution for documentation that is easier to manage and filter. This patch automates the generation of the STIG control documentation in the following way:

* A Sphinx extension runs early in the doc build process that writes all of the individual STIG control docs as well as ToC pages.
* ToC pages are now sorted by severity, tag, and implementation status.
* A giant listing of controls is easier to navigate now.
* Docs are generated from metadata in the /doc/metadata directory. New documentation only needs to be added there. (Will explain this in the developer notes in a subsequent patch.)

Implements: blueprint security-rhel7-stig
Change-Id: I455af1121049f52193e98e2c9cb1ba5d4c292386
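The metadata layout the commit message relies on (a `---`-delimited id/status/tag header followed by a reStructuredText body, as in the rhel6 notes in this diff) and the status- and tag-sorted ToC pages, as an added example that is not code from the commit or the project's Sphinx extension; the `toctree` output format and the sample notes are constructed assumptions, and severity grouping, which needs the XCCDF file, is left out.

```python
"""Parse rhel6 STIG note metadata and build status- and tag-sorted ToCs.

Added example, not the project's own Sphinx extension. The front-matter
layout matches the doc/metadata/rhel6/*.rst files in this diff; the
rendered ToC format (a toctree directive) is an assumption.
"""
from collections import defaultdict

# The three values the import script in this diff produces.
VALID_STATUSES = ("implemented", "exception", "opt-in")
REQUIRED_KEYS = ("id", "status", "tag")


def parse_note(text):
    """Return {'id', 'status', 'tag', 'body'} for one note file.

    A note opens with a '---' line, carries 'key: value' lines, closes
    with a second '---', and everything after that is the RST body.
    Malformed or incomplete front matter raises ValueError so a bad
    file fails the doc build instead of silently vanishing from a ToC.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        raise ValueError("note does not start with a front-matter block")
    meta = {}
    for idx, line in enumerate(lines[1:], start=1):
        if line.strip() == "---":
            break
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("bad front-matter line: %r" % line)
        meta[key.strip()] = value.strip()
    else:  # ran out of lines without hitting the closing '---'
        raise ValueError("front-matter block is not closed")
    for key in REQUIRED_KEYS:
        if key not in meta:
            raise ValueError("missing front-matter key: %s" % key)
    if meta["status"] not in VALID_STATUSES:
        raise ValueError("unknown status %r in %s" % (meta["status"], meta["id"]))
    meta["body"] = "\n".join(lines[idx + 1:]).strip()
    return meta


def is_valid_note(text):
    """True when parse_note() accepts the text, False otherwise."""
    try:
        parse_note(text)
    except ValueError:
        return False
    return True


def group_notes(notes, key):
    """Map each distinct value of `key` (status or tag) to sorted control ids."""
    groups = defaultdict(list)
    for note in notes:
        groups[note[key]].append(note["id"])
    return {value: sorted(ids) for value, ids in groups.items()}


def render_toc(title, ids):
    """Render one ToC page as RST with a toctree listing the control ids."""
    out = [title, "=" * len(title), "", ".. toctree::", "   :maxdepth: 1", ""]
    out.extend("   %s" % control_id for control_id in ids)
    return "\n".join(out) + "\n"


def build_tocs(texts):
    """Parse every note and return (by_status, by_tag) grouping dicts."""
    notes = [parse_note(text) for text in texts]
    return group_notes(notes, "status"), group_notes(notes, "tag")


# Constructed sample notes in the same layout as the files in this diff
# (the 'auditd' tag and the short bodies are made up for the example).
SAMPLE_NOTES = [
    "---\nid: V-38437\nstatus: implemented\ntag: misc\n---\n\n"
    "If ``autofs`` is installed, it will be disabled by Ansible tasks.\n",
    "---\nid: V-38438\nstatus: exception\ntag: auditd\n---\n\n"
    "**Exception**\n\nLeft to the deployer.\n",
    "---\nid: V-38481\nstatus: opt-in\ntag: misc\n---\n\n"
    "**Opt-in required**\n\nPatching policies vary by organization.\n",
]

if __name__ == "__main__":
    by_status, by_tag = build_tocs(SAMPLE_NOTES)
    for status, ids in sorted(by_status.items()):
        print(render_toc("Controls with status: %s" % status, ids))
    for tag, ids in sorted(by_tag.items()):
        print(render_toc("Controls tagged: %s" % tag, ids))
```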
.gitignore (3 lines changed)
							| @@ -65,3 +65,6 @@ releasenotes/build | ||||
|  | ||||
| # Vagrant testing artifacts | ||||
| .vagrant | ||||
|  | ||||
| # Automatically generated documentation | ||||
| doc/source/auto_* | ||||
|   | ||||
							
								
								
									
doc/metadata/U_RedHat_6_V1R12_Manual-xccdf.xml (3168 lines, new file)
File diff suppressed because one or more lines are too long

doc/metadata/import-existing-notes.py (61 lines, new file)
							| @@ -0,0 +1,61 @@ | ||||
| #!/usr/bin/env python | ||||
| # Copyright 2016, Rackspace US, Inc. | ||||
| # | ||||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| # you may not use this file except in compliance with the License. | ||||
| # You may obtain a copy of the License at | ||||
| # | ||||
| #     http://www.apache.org/licenses/LICENSE-2.0 | ||||
| # | ||||
| # Unless required by applicable law or agreed to in writing, software | ||||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| # See the License for the specific language governing permissions and | ||||
| # limitations under the License. | ||||
| """Import existing developer notes into base YAML format.""" | ||||
| import os | ||||
|  | ||||
|  | ||||
| import jinja2 | ||||
|  | ||||
|  | ||||
| SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__)) | ||||
| METADATA_DIR = "{0}/rhel6".format(SCRIPT_DIR) | ||||
| NOTES_DIR = "{0}/../source/stig-notes".format(SCRIPT_DIR) | ||||
|  | ||||
| yaml_tmp = """--- | ||||
| id: {{ note_data['id'] }} | ||||
| status: {{ note_data['status'] }} | ||||
| tag: {{ note_data['tag'] }} | ||||
| --- | ||||
|  | ||||
| {{ note_data['deployer_notes'] }} | ||||
| """ | ||||
|  | ||||
|  | ||||
| note_files = [x for x in os.listdir(NOTES_DIR) if 'developer' in x] | ||||
| for note_file in note_files: | ||||
|     stig_id = note_file[0:7] | ||||
|  | ||||
|     with open("{0}/{1}".format(NOTES_DIR, note_file), 'r') as f: | ||||
|         content = f.read() | ||||
|  | ||||
|     first_line = content.splitlines()[0] | ||||
|     print(first_line) | ||||
|     if 'exception' in first_line.lower(): | ||||
|         status = 'exception' | ||||
|     elif 'opt-in' in first_line.lower(): | ||||
|         status = 'opt-in' | ||||
|     else: | ||||
|         status = 'implemented' | ||||
|  | ||||
|     note_data = { | ||||
|         'id': stig_id, | ||||
|         'status': status, | ||||
|         'tag': 'misc', | ||||
|         'deployer_notes': content | ||||
|     } | ||||
|  | ||||
|     with open("{0}/{1}.rst".format(METADATA_DIR, stig_id), 'w') as f: | ||||
|         template = jinja2.Template(yaml_tmp) | ||||
|         f.write(template.render(note_data=note_data)) | ||||
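Review bot: the status inference (`if 'exception' in first_line.lower()` / `elif 'opt-in' ...` / `else: status = 'implemented'`) files every note whose first line is not an exception or opt-in heading as `implemented`, so notes headed **Configuration required** or **Special Case** elsewhere in this diff (V-38475, V-38511) are imported with a status that overstates what the role does; map those headings explicitly, or fail on an unrecognised heading, rather than defaulting. Every note also gets the hard-coded `'tag': 'misc'`, which leaves the tag-sorted ToC from the commit message as a single bucket until the files are re-tagged by hand. Two smaller points: `stig_id = note_file[0:7]` silently truncates any filename that does not start with a seven-character `V-NNNNN` id, where a split on the first `-` after the id or a regex would fail loudly, and the `print(first_line)` looks like leftover debug output.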
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38437 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| If ``autofs`` is installed, it will be disabled by Ansible tasks. To opt-out | ||||
| of this change, adjust the following variable: | ||||
| 
 | ||||
| @@ -1,7 +1,10 @@ | ||||
| The role will add ``audit=1`` to the ``GRUB_CMDLINE_LINUX_DEFAULT`` variable | ||||
| in the GRUB configuration within ``/etc/default/grub.d/`` and it will also | ||||
| update the active ``grub.cfg`` so that the change takes effect on the next | ||||
| boot. | ||||
| --- | ||||
| id: V-38438 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| To opt-out of the change, set the following variable: | ||||
| 
 | ||||
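Review bot: the hunk header `@@ -1,7 +1,10 @@` together with the lines shown indicates that the four-line description of adding `audit=1` to `GRUB_CMDLINE_LINUX_DEFAULT` is dropped while the note is marked `status: exception`, yet the remaining context line `To opt-out of the change, set the following variable:` still refers to that change; either keep the description (with a status that matches it) or drop the opt-out sentence and its variable, since an exception has nothing to opt out of.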
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38439 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| Although adding centralized authentication and carefully managing user | ||||
| @@ -1,2 +1,8 @@ | ||||
| --- | ||||
| id: V-38443 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The ``/etc/gshadow`` file is owned by root by default on Ubuntu 14.04, Ubuntu | ||||
| 16.04 and CentOS 7. The security role ensures that the file is owned by root. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38444 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| See V-38551 for additional details. IPv6 configuration and filtering is left | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38445 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The logs generated by the audit daemon are owned by root in Ubuntu 14.04, | ||||
| Ubuntu 16.04 and CentOS 7. The Ansible task for V-38445 ensures that the files | ||||
| are owned by the root user. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38446 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| Forwarding root's email to another user is highly recommended, but the Ansible | ||||
| tasks won't configure an email address to receive root's email unless that | ||||
| email address is configured. Set ``security_root_forward_email`` to an email | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38447 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| Although Ubuntu provides the ``debsums`` command for checking the contents of | ||||
| @@ -1,2 +1,8 @@ | ||||
| --- | ||||
| id: V-38448 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| Although the ``/etc/gshadow`` file is group-owned by root by default, the | ||||
| Ansible tasks will ensure that it is configured that way. | ||||
| @@ -1,2 +1,8 @@ | ||||
| --- | ||||
| id: V-38449 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The ``/etc/gshadow`` file's permissions will be changed to ``0000`` to meet | ||||
| the requirements of the STIG. | ||||
| @@ -1 +1,7 @@ | ||||
| --- | ||||
| id: V-38450 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The ownership of ``/etc/passwd`` will be changed to root. | ||||
| @@ -1 +1,7 @@ | ||||
| --- | ||||
| id: V-38451 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The group ownership for ``/etc/passwd`` will be set to root. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38452 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| Although Ubuntu provides the ``debsums`` command for checking the contents of | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38453 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception for Ubuntu** | ||||
| 
 | ||||
| Verifying ownership and permissions of installed packages isn't possible in the | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38454 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| Although Ubuntu provides the ``debsums`` command for checking the contents of | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38455 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| Configuring another mount for ``/tmp`` can disrupt a running system and this | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38456 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| Configuring another mount for ``/var`` can disrupt a running system and this | ||||
| @@ -1 +1,7 @@ | ||||
| --- | ||||
| id: V-38457 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The permissions for ``/etc/passwd`` will be set to ``0644``. | ||||
| @@ -1,2 +1,8 @@ | ||||
| --- | ||||
| id: V-38458 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The Ansible task will ensure that the ``/etc/group`` file is owned by the root | ||||
| user. | ||||
| @@ -1,2 +1,8 @@ | ||||
| --- | ||||
| id: V-38459 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The tasks in file_perms.yml will ensure that "/etc/group" is owned by | ||||
| the root account. | ||||
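Review bot: the body of this note (`"/etc/group" is owned by the root account`) says the same thing as V-38458 directly above it; the neighbouring pairs in this diff (V-38450/V-38451, V-38443/V-38448) distinguish user ownership from group ownership, so check whether this note should describe group ownership. The quoting is also inconsistent with the rest of the set (`"/etc/group"` here versus ``` ``/etc/group`` ``` in V-38458).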
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38460 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The Ansible tasks will check for ``all_squash`` in ``/etc/exports`` (if it is | ||||
| present). If found, a warning message will be printed. No configuration | ||||
| changes will be made since neither Ubuntu or openstack-ansible configures | ||||
| @@ -1,2 +1,8 @@ | ||||
| --- | ||||
| id: V-38461 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| Ubuntu sets the mode of ``/etc/group`` to ``0644`` by default and the Ansible | ||||
| task will ensure that it is current set to those permissions. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38462 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| All versions of Ubuntu and CentOS supported by the role verify packages against | ||||
| GPG signatures by default. | ||||
| 
 | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38463 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| Configuring a separate partition for ``/var/log`` is currently left up to the | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38464 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The default configuration for ``disk_error_action`` is ``SUSPEND``, which | ||||
| only suspends audit logging when there is a disk error on the system. | ||||
| Suspending audit logging can lead to security problems because the system is no | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38465 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| Ubuntu 14.04, Ubuntu 16.04 and CentOS 7 set library files to have ``0755`` (or | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38466 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| As with V-38465, Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the ownership of | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38467 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| Storing audit logs on a separate partition is recommended, but this change | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38468 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The default configuration for ``disk_full_action`` is ``SUSPEND``, which only | ||||
| suspends audit logging. Suspending audit logging can lead to security problems | ||||
| because the system is no longer keeping track of which syscalls were made. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38469 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the permissions for system | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38470 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The default configuration for ``security_space_left_action`` is ``SUSPEND``, | ||||
| which actually only suspends audit logging. Suspending audit logging can lead | ||||
| to security problems because the system is no longer keeping track of which | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38471 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| An Ansible task will adjust ``active`` from `no` to `yes` in | ||||
| ``/etc/audisp/plugins.d/syslog.conf`` so that auditd records are forwarded to | ||||
| syslog automatically. The auditd daemon will be restarted if the configuration | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38472 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set system commands to be owned by | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38473 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| Creating ``/home`` on a different partition is highly recommended but it is | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38474 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| The openstack-ansible roles don't install X by default, so there is no | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38475 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Configuration required** | ||||
| 
 | ||||
| The STIG recommends passwords to be a minimum of 14 characters in length. To | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38476 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The security role verifies that the GPG keys that correspond to each supported | ||||
| Linux distribution are installed on each host. If the GPG keys are not found, | ||||
| or if they differ from the list of trusted GPG keys, the playbook execution | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38477 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Configuration required** | ||||
| 
 | ||||
| The STIG recommends setting a limit of one password change per day. To enable | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38478 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| Ubuntu and CentOS do not use the Red Hat Network Service. However, there are | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38479 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Configuration required** | ||||
| 
 | ||||
| The STIG recommends setting a limit of 60 days before a password must | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38480 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Configuration required** | ||||
| 
 | ||||
| After enabling password age limits in V-38479, be sure to configure | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38481 | ||||
| status: opt-in | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Opt-in required** | ||||
| 
 | ||||
| Operating system patching policies vary from organization to organization and | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38482 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| Password complexity requirements are left up to the deployer. Deployers are | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38483 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The Ansible task for V-38462 already checks for configurations that would | ||||
| disable any GPG checks when installing packages. However, it is possible for | ||||
| the root user to override these configurations via command line parameters. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38484 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 already enable the display of the last | ||||
| successful login for a user immediately after login. An Ansible task ensures | ||||
| this setting is applied and restarts the ssh daemon if necessary. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38486 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| System backups are left to the deployer to configure. Deployers are stringly | ||||
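Review bot: the context line `Deployers are stringly` carries a typo for "strongly"; since this file is being rewritten anyway it is worth fixing here, and the same text appears in V-38488 below.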
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38487 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The Ansible task for V-38462 already checks for apt configurations that would | ||||
| disable any GPG checks when installing packages. However, it's possible for | ||||
| the root user to override these configurations via command line parameters. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38488 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| System backups are left to the deployer to configure. Deployers are stringly | ||||
| @@ -1,2 +1,8 @@ | ||||
| --- | ||||
| id: V-38489 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The security role installs and configures the ``aide`` package to provide file | ||||
| integrity monitoring on the host. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38490 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| Disabling the ``usb-storage`` module can add extra security, but it's not | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38491 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The Ansible task will check for the presence of ``/etc/hosts.equiv`` and | ||||
| ``/root/.rhosts``.  Both of those files could potentially be used with ``rsh`` | ||||
| for host access. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38492 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| Virtual consoles are helpful during an emergency and they can only be reached | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38493 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the mode of ``/var/log/audit/`` to | ||||
| ``0750`` by default. The Ansible task for this requirement ensures that the | ||||
| mode is ``0750`` (which is more strict than the STIG requirement). | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38494 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| Removing serial consoles from ``/etc/securetty`` can make troubleshooting | ||||
| @@ -1,2 +1,8 @@ | ||||
| --- | ||||
| id: V-38495 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The Ansible tasks will ensure that files in ``/var/log/audit`` are owned | ||||
| by the root user. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38496 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| The Ansible tasks will check for default system accounts (other than root) | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38497 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 allow accounts with null passwords to | ||||
| authenticate via PAM by default. This STIG requires that those login attempts | ||||
| are blocked. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38498 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| Ubuntu and CentOS set the current audit log (the one that is actively being | ||||
| written to) to ``0600`` so that only the root user can read and write to it. | ||||
| The older, rotated logs are set to ``0400`` since they should not receive | ||||
| @@ -1,2 +1,8 @@ | ||||
| --- | ||||
| id: V-38499 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The Ansible task will search for password hashes in ``/etc/passwd`` using | ||||
| awk and report a failure if any are found. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38500 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The Ansible tasks will search for accounts in ``/etc/passwd`` that have UID 0 | ||||
| that aren't the normal root account. If any matching accounts are found, a | ||||
| warning is printed to stdout and the Ansible play will fail. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38501 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception and opt-in alternative** | ||||
| 
 | ||||
| Adjusting PAM configurations is very risky since it affects how all users | ||||
| @@ -1,2 +1,8 @@ | ||||
| --- | ||||
| id: V-38502 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The user and group ownership of ``/etc/passwd`` is root by default. The Ansible | ||||
| task will ensure that the default is maintained. | ||||
| @@ -1,2 +1,8 @@ | ||||
| --- | ||||
| id: V-38503 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The user and group ownership of ``/etc/passwd`` is root by default. The Ansible | ||||
| task will ensure that the default is maintained. | ||||
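Review bot: this body is word-for-word the same as V-38502 (`The user and group ownership of /etc/passwd is root by default`), and both are `implemented`; with notes now generated from metadata, two controls with identical text are hard to tell apart in the ToC, so one of them should state which attribute (user versus group ownership) its task actually checks.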
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38504 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| Ubuntu 14.04 and Ubuntu 16.04 set the mode of ``/etc/shadow`` to ``0640``, but | ||||
| CentOS 7 sets it to ``000``. The STIG requires the mode to be ``000`` and the | ||||
| Ansible tasks in the security role ensure that the mode meets the requirement. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38511 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Special Case** | ||||
| 
 | ||||
| Running virtual infrastructure requires IP forwarding to be enabled on various | ||||
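Review bot: `status: implemented` paired with a **Special Case** heading that explains IP forwarding must stay enabled looks like the import script's fallback at work (anything not marked exception or opt-in becomes implemented); the status vocabulary probably needs a value for this case, otherwise the status-sorted ToC lists V-38511 as implemented.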
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38512 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| Although a minimal set of iptables rules are configured on openstack-ansible | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38513 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| Although a minimal set of iptables rules are configured on openstack-ansible | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38514 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The Datagram Congestion Control Protocol (DCCP) must be disabled if it's not | ||||
| needed. Although this protocol is occasionally used in some OpenStack | ||||
| environments for quality of service functions, it is not in the default | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38515 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The Stream Control Transmission Protocol (SCTP) must be disabled. To opt-out of | ||||
| this change, set the following variable to ``no``: | ||||
| 
 | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38516 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The `Reliable Datagram Sockets (RDS)`_ protocol must be disabled. The Ansible | ||||
| tasks in this role will disable the module. | ||||
| 
 | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38517 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The `Transparent Inter-Process Communication (TIPC)`_ protocol must be | ||||
| disabled. To opt-out of this change, set the following variable to ``no``: | ||||
| 
 | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38518 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| Different systems may have different log files populated depending on the type | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38519 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| Different systems may have different log files populated depending on the type | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38520 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| At the moment, openstack-ansible already sends logs to the rsyslog container | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38521 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| At the moment, openstack-ansible already sends logs to the rsyslog container | ||||
| @@ -1 +1,7 @@ | ||||
| --- | ||||
| id: V-38522 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| Rules are added for auditing changes to system time made via ``settimeofday``. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38523 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| The STIG makes several requirements for IPv4 network restrictions, but these | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38524 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| This patch disables ICMPv4 redirects feature on the host. | ||||
| Accepting ICMP redirects has few legitimate uses. | ||||
| It should be disabled unless it is absolutely required. | ||||
| @@ -1 +1,7 @@ | ||||
| --- | ||||
| id: V-38525 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| Rules are added for auditing changes to system time done via ``stime``. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38526 | ||||
| status: opt-in | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Opt-in required** | ||||
| 
 | ||||
| The STIG requires that secure ICMP redirects are disabled, but this can cause | ||||
| @@ -1,2 +1,8 @@ | ||||
| --- | ||||
| id: V-38527 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| Rules are added for auditing changes to system time done via | ||||
| ``clock_settime``. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38528 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| The STIG requires that all martian packets are logged by setting the sysctl | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38529 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| The STIG makes several requirements for IPv4 network restrictions, but these | ||||
| @@ -1,2 +1,8 @@ | ||||
| --- | ||||
| id: V-38530 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| Rules are added to auditd to log all attempts to change the system time using | ||||
| ``/etc/localtime``. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38531 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| The audit rules from V-38534 already cover all account modifications. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38532 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| The STIG makes several requirements for IPv4 network restrictions, but these | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38533 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| The STIG makes several requirements for IPv4 network restrictions, but these | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38534 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| Audit rules are added in a task so that any events associated with | ||||
| account modifications are logged. The new audit rule will be loaded immediately | ||||
| with ``augenrules --load``. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38535 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| By default, Ubuntu 14.04 rejects ICMPv4 packets sent to a broadcast address. | ||||
| The Ansible tasks for this STIG configuration ensures that the secure default | ||||
| setting is maintained. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38536 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| The audit rules from V-38534 already cover all account modifications. | ||||
| @@ -1,2 +1,8 @@ | ||||
| --- | ||||
| id: V-38537 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| Ubuntu already ignores ICMPv4 bogus error messages by default. The role will | ||||
| ensure that this default setting is maintained. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38538 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| The audit rules from V-38534 already cover all account modifications. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38539 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods. | ||||
| 
 | ||||
| Note that high-traffic environments may require TCP SYN cookies to be disabled. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38540 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| Rules are added for auditing network configuration changes. The path to | ||||
| Ubuntu's standard network configuration location has replaced the path | ||||
| to Red Hat's default network configuration location. | ||||
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38541 | ||||
| status: implemented | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| For Ubuntu, rules are added to auditd that will log any changes made in the | ||||
| ``/etc/apparmor`` directory. | ||||
| 
 | ||||
							
								
								
									
doc/metadata/rhel6/V-38542.rst (19 lines, new file)

							| @@ -0,0 +1,19 @@ | ||||
| --- | ||||
| id: V-38542 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
|  | ||||
| **Exception** | ||||
|  | ||||
| The STIG makes several requirements for IPv4 network restrictions, but these | ||||
| restrictions can impact certain network interfaces and cause service | ||||
| disruptions. Some security configurations make sense for certain types of | ||||
| network interfaces, like bridges, but other restrictions cause the network | ||||
| interface to stop passing valid traffic between hosts, containers, or virtual | ||||
| machines. | ||||
|  | ||||
| The default network scripts and LXC userspace tools already configure various | ||||
| network devices to their most secure setting. Since some hosts will act as | ||||
| routers, enabling security configurations that restrict network traffic can | ||||
| cause service disruptions for OpenStack environments. | ||||
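Review bot: the two paragraphs of this new file repeat the IPv4 exception boilerplate that V-38523, V-38529, V-38532 and V-38533 open with (`The STIG makes several requirements for IPv4 network restrictions, but these ...`); now that notes are generated from metadata, a shared RST include or a single tagged note would keep the five copies from drifting apart.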
| @@ -1,3 +1,9 @@ | ||||
| --- | ||||
| id: V-38543 | ||||
| status: exception | ||||
| tag: misc | ||||
| --- | ||||
| 
 | ||||
| **Exception** | ||||
| 
 | ||||
| The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat`` | ||||
Some files were not shown because too many files have changed in this diff.
Author: Major Hayden