V-386**: Disabling various unneeded services

Implements: blueprint security-hardening Change-Id: I2db583aee39d75ed81b547d9ad6cab99f7a39dc9
2015-10-09 12:49:33 -05:00 · 2015-10-09 12:49:33 -05:00 · 7a57dd3bb1
commit 7a57dd3bb1
parent 90b6e48f21
12 changed files with 106 additions and 11 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -34,6 +34,9 @@ disable_services:
  atd: yes                                        # V-38640
  autofs: yes                                     # V-38437
  avahi: yes                                      # V-31618
+  bluetooth: yes                                  # V-38691
+  qpidd: yes                                      # V-38648
+  rsh: yes                                        # V-38594
  ypbind: yes                                     # V-38604
  xinetd: yes                                     # V-38582

@ -44,8 +47,8 @@ disable_services:
 # boolean to 'no' means that the playbook will not alter the service.
 #
 remove_services:
-  rsh-server: yes                                 # V-38591
  ldap-server: yes                                # V-38627
+  rsh-server: yes                                 # V-38591
  sendmail: yes                                   # V-38671
  telnet_server: yes                              # V-38587
  tftp-server: yes                                # V-38606
--- a/doc/source/developer-notes/V-38550.rst
+++ b/doc/source/developer-notes/V-38550.rst
@ -1,2 +1,3 @@
-Rules are added for auditing discretionary access control changes made via
-fchmodat.
+Audit rules are added in a task so that any events associated with the loading
+or unloading of a kernel module are logged.  The new audit rule will be
+loaded immediately with ``augenrules --load``.
--- a/doc/source/developer-notes/V-38589.rst
+++ b/doc/source/developer-notes/V-38589.rst
@ -0,0 +1,8 @@
+**Fixed by another STIG**
+
+Neither Ubuntu or openstack-ansible installs the telnet daemon by default.
+Running a telnet daemon isn't recommended under most situations, so the
+telnet server package will be removed from the system if it is installed.
+
+The telnet server is removed by the Ansible tasks for V-38587, so no action
+is required here.
--- a/doc/source/developer-notes/V-38594.rst
+++ b/doc/source/developer-notes/V-38594.rst
@ -0,0 +1,8 @@
+**Fixed by another STIG**
+
+Neither Ubuntu or openstack-ansible installs the rsh daemon by default.
+Running a rsh daemon isn't recommended under most situations, so the
+rsh server package will be removed from the system if it is installed.
+
+The rsh server is removed by the Ansible tasks for V-38591, so no action
+is required here.
--- a/doc/source/developer-notes/V-38598.rst
+++ b/doc/source/developer-notes/V-38598.rst
@ -0,0 +1,10 @@
+**Fixed by another STIG**
+
+The ``rexecd`` daemon is part of the package that contains the ``rsh`` daemon.
+
+Neither Ubuntu or openstack-ansible installs the rsh daemon by default.
+Running a rsh daemon isn't recommended under most situations, so the
+rsh server package will be removed from the system if it is installed.
+
+The rsh server is removed by the Ansible tasks for V-38591, so no action
+is required here.
--- a/doc/source/developer-notes/V-38602.rst
+++ b/doc/source/developer-notes/V-38602.rst
@ -0,0 +1,10 @@
+**Fixed by another STIG**
+
+The ``rlogind`` daemon is part of the package that contains the ``rsh`` daemon.
+
+Neither Ubuntu or openstack-ansible installs the rsh daemon by default.
+Running a rsh daemon isn't recommended under most situations, so the
+rsh server package will be removed from the system if it is installed.
+
+The rsh server is removed by the Ansible tasks for V-38591, so no action
+is required here.
--- a/doc/source/developer-notes/V-38644.rst
+++ b/doc/source/developer-notes/V-38644.rst
@ -0,0 +1,7 @@
+**Special case**
+
+Ubuntu doesn't provide the same ``ntpdate`` service that a Red Hat Enterprise
+Linux 6 server would have. In addition, time synchronization is added within
+the fixes for V-38620 (where ``chrony`` is installed and configured).
+
+There is no action to be taken on Ubuntu for this STIG.
--- a/doc/source/developer-notes/V-38646.rst
+++ b/doc/source/developer-notes/V-38646.rst
@ -0,0 +1,5 @@
+**Special case**
+
+Ubuntu doesn't package the ``oddjobd`` daemon, so there are no packages to
+remove or daemons to stop. There is no action to be taken for this STIG on
+Ubuntu 14.04.
--- a/doc/source/developer-notes/V-38648.rst
+++ b/doc/source/developer-notes/V-38648.rst
@ -0,0 +1,11 @@
+Although some OpenStack implementations use ``qpidd`` for their messaging hub,
+neither Ubuntu or openstack-ansible configures the service on the hosts by
+default. The Ansible task for this STIG will check to see if the init script
+exists for ``qpidd``. If it does, the daemon will be stopped and disable on
+the next boot.
+
+To opt-out of this change, adjust the following Ansible variable to ``no``:
+
+.. code-block:: yaml
+
+    disable_services['qpidd']: no
--- a/doc/source/developer-notes/V-38650.rst
+++ b/doc/source/developer-notes/V-38650.rst
@ -1,3 +1,4 @@
-Audit rules are added in a task so that any events associated with the loading
-or unloading of a kernel module are logged.  The new audit rule will be
-loaded immediately with ``augenrules --load``.
+**Special case**
+
+Ubuntu doesn't provide packages containing the ``rdisc`` service at this time.
+Therefore, no action is taken for this STIG.
--- a/doc/source/developer-notes/V-38691.rst
+++ b/doc/source/developer-notes/V-38691.rst
@ -0,0 +1,9 @@
+Although neither Ubuntu 14.04 or openstack-ansible installs the ``bluetooth``
+package, the Ansible tasks will disable the service and stop it if it's found
+to be running on the system.
+
+To opt-out of this change, adjust the following Ansible variable to ``no``:
+
+.. code-block:: yaml
+
+    disable_services['bluetooth']: no
--- a/tasks/services.yml
+++ b/tasks/services.yml
@ -14,7 +14,7 @@
 # limitations under the License.

 - name: Generate list of sysv_services
-  shell: "chkconfig --list | sed '/^$/ d ; /xinetd based services:/ d ; /^\t/ d' | awk '{print $1}'"
+  shell: "find /etc/init.d/ -printf '%f\n'"
  register: sysv_services
  changed_when: false
  tags:
@ -34,6 +34,17 @@
    - cat3
    - V-38437

+- name: V-38640 - The abrt service must be disabled
+  service:
+    name: abrtd
+    state: stopped
+    enabled: no
+  when: disable_services['abrtd'] | bool and 'abrtd' in sysv_services.stdout
+  tags:
+    - services
+    - cat3
+    - V-38640
+
 - name: V-38641 - The atd service must be disabled
  service:
    name: atd
@ -45,16 +56,27 @@
    - cat3
    - V-38641

- name: V-38640 - The abrt service must be disabled
+- name: V-38648 - The qpidd service must be disabled
  service:
-    name: abrtd
+    name: qpidd
    state: stopped
    enabled: no
-  when: disable_services['abrtd'] | bool and 'abrtd' in sysv_services.stdout
+  when: disable_services['qpidd'] | bool and 'qpidd' in sysv_services.stdout
  tags:
    - services
    - cat3
-    - V-38640
+    - V-38648
+
+- name: V-38691 - The bluetooth service must be disabled
+  service:
+    name: bluetooth
+    state: stopped
+    enabled: no
+  when: disable_services['bluetooth'] | bool and 'bluetooth' in sysv_services.stdout
+  tags:
+    - services
+    - cat2
+    - V-38691

 - name: V-38582 - xinetd must be disabled if not in use
  service: