diff --git a/defaults/main.yml b/defaults/main.yml
index 2b800e33..8be88796 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -34,6 +34,9 @@ disable_services:
   atd: yes # V-38640
   autofs: yes # V-38437
   avahi: yes # V-31618
+  bluetooth: yes # V-38691
+  qpidd: yes # V-38648
+  rsh: yes # V-38594
   ypbind: yes # V-38604
   xinetd: yes # V-38582
 
@@ -44,8 +47,8 @@ disable_services:
 # boolean to 'no' means that the playbook will not alter the service.
 #
 remove_services:
-  rsh-server: yes # V-38591
   ldap-server: yes # V-38627
+  rsh-server: yes # V-38591
   sendmail: yes # V-38671
   telnet_server: yes # V-38587
   tftp-server: yes # V-38606
diff --git a/doc/source/developer-notes/V-38550.rst b/doc/source/developer-notes/V-38550.rst
index 7fae784a..f876925c 100644
--- a/doc/source/developer-notes/V-38550.rst
+++ b/doc/source/developer-notes/V-38550.rst
@@ -1,2 +1,3 @@
-Rules are added for auditing discretionary access control changes made via
-fchmodat.
+Audit rules are added in a task so that any events associated with the loading
+or unloading of a kernel module are logged. The new audit rule will be
+loaded immediately with ``augenrules --load``.
diff --git a/doc/source/developer-notes/V-38589.rst b/doc/source/developer-notes/V-38589.rst
new file mode 100644
index 00000000..831113d1
--- /dev/null
+++ b/doc/source/developer-notes/V-38589.rst
@@ -0,0 +1,8 @@
+**Fixed by another STIG**
+
+Neither Ubuntu or openstack-ansible installs the telnet daemon by default.
+Running a telnet daemon isn't recommended under most situations, so the
+telnet server package will be removed from the system if it is installed.
+
+The telnet server is removed by the Ansible tasks for V-38587, so no action
+is required here.
diff --git a/doc/source/developer-notes/V-38594.rst b/doc/source/developer-notes/V-38594.rst
new file mode 100644
index 00000000..57e448a3
--- /dev/null
+++ b/doc/source/developer-notes/V-38594.rst
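Review bot: The added `rsh: yes # V-38594` key in `disable_services` has no task consuming it anywhere in this change: the new tasks in tasks/services.yml read `disable_services['abrtd']`, `['qpidd']` and `['bluetooth']`, and the V-38594 developer note added in this same commit states that the rsh server is removed by the V-38591 tasks and "no action is required here". Unless a task outside this diff reads `disable_services['rsh']`, the key is a dead opt-out switch — an operator who sets it to `no` sees no change in behaviour, which makes the hardening state harder to reason about — so either drop the line or add the task that honours it. Separately, the context line `atd: yes # V-38640` appears to carry the wrong STIG id: tasks/services.yml in this diff names V-38641 as the atd task and V-38640 as the abrt task, so `atd: yes # V-38641` would match.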
@@ -0,0 +1,8 @@
+**Fixed by another STIG**
+
+Neither Ubuntu or openstack-ansible installs the rsh daemon by default.
+Running a rsh daemon isn't recommended under most situations, so the
+rsh server package will be removed from the system if it is installed.
+
+The rsh server is removed by the Ansible tasks for V-38591, so no action
+is required here.
diff --git a/doc/source/developer-notes/V-38598.rst b/doc/source/developer-notes/V-38598.rst
new file mode 100644
index 00000000..5c82ae60
--- /dev/null
+++ b/doc/source/developer-notes/V-38598.rst
@@ -0,0 +1,10 @@
+**Fixed by another STIG**
+
+The ``rexecd`` daemon is part of the package that contains the ``rsh`` daemon.
+
+Neither Ubuntu or openstack-ansible installs the rsh daemon by default.
+Running a rsh daemon isn't recommended under most situations, so the
+rsh server package will be removed from the system if it is installed.
+
+The rsh server is removed by the Ansible tasks for V-38591, so no action
+is required here.
diff --git a/doc/source/developer-notes/V-38602.rst b/doc/source/developer-notes/V-38602.rst
new file mode 100644
index 00000000..c93a6354
--- /dev/null
+++ b/doc/source/developer-notes/V-38602.rst
@@ -0,0 +1,10 @@
+**Fixed by another STIG**
+
+The ``rlogind`` daemon is part of the package that contains the ``rsh`` daemon.
+
+Neither Ubuntu or openstack-ansible installs the rsh daemon by default.
+Running a rsh daemon isn't recommended under most situations, so the
+rsh server package will be removed from the system if it is installed.
+
+The rsh server is removed by the Ansible tasks for V-38591, so no action
+is required here.
diff --git a/doc/source/developer-notes/V-38644.rst b/doc/source/developer-notes/V-38644.rst
new file mode 100644
index 00000000..160a7fd9
--- /dev/null
+++ b/doc/source/developer-notes/V-38644.rst
@@ -0,0 +1,7 @@
+**Special case**
+
+Ubuntu doesn't provide the same ``ntpdate`` service that a Red Hat Enterprise
+Linux 6 server would have. In addition, time synchronization is added within
+the fixes for V-38620 (where ``chrony`` is installed and configured).
+
+There is no action to be taken on Ubuntu for this STIG.
diff --git a/doc/source/developer-notes/V-38646.rst b/doc/source/developer-notes/V-38646.rst
new file mode 100644
index 00000000..3fee80f4
--- /dev/null
+++ b/doc/source/developer-notes/V-38646.rst
@@ -0,0 +1,5 @@
+**Special case**
+
+Ubuntu doesn't package the ``oddjobd`` daemon, so there are no packages to
+remove or daemons to stop. There is no action to be taken for this STIG on
+Ubuntu 14.04.
diff --git a/doc/source/developer-notes/V-38648.rst b/doc/source/developer-notes/V-38648.rst
new file mode 100644
index 00000000..1aada79a
--- /dev/null
+++ b/doc/source/developer-notes/V-38648.rst
@@ -0,0 +1,11 @@
+Although some OpenStack implementations use ``qpidd`` for their messaging hub,
+neither Ubuntu or openstack-ansible configures the service on the hosts by
+default. The Ansible task for this STIG will check to see if the init script
+exists for ``qpidd``. If it does, the daemon will be stopped and disable on
+the next boot.
+
+To opt-out of this change, adjust the following Ansible variable to ``no``:
+
+.. code-block:: yaml
+
+    disable_services['qpidd']: no
diff --git a/doc/source/developer-notes/V-38650.rst b/doc/source/developer-notes/V-38650.rst
index f876925c..b9671ca8 100644
--- a/doc/source/developer-notes/V-38650.rst
+++ b/doc/source/developer-notes/V-38650.rst
@@ -1,3 +1,4 @@
-Audit rules are added in a task so that any events associated with the loading
-or unloading of a kernel module are logged. The new audit rule will be
-loaded immediately with ``augenrules --load``.
+**Special case**
+
+Ubuntu doesn't provide packages containing the ``rdisc`` service at this time.
+Therefore, no action is taken for this STIG.
diff --git a/doc/source/developer-notes/V-38691.rst b/doc/source/developer-notes/V-38691.rst
new file mode 100644
index 00000000..a47d6750
--- /dev/null
+++ b/doc/source/developer-notes/V-38691.rst
@@ -0,0 +1,9 @@
+Although neither Ubuntu 14.04 or openstack-ansible installs the ``bluetooth``
+package, the Ansible tasks will disable the service and stop it if it's found
+to be running on the system.
+
+To opt-out of this change, adjust the following Ansible variable to ``no``:
+
+.. code-block:: yaml
+
+    disable_services['bluetooth']: no
diff --git a/tasks/services.yml b/tasks/services.yml
index 2077f10c..eef94c77 100644
--- a/tasks/services.yml
+++ b/tasks/services.yml
@@ -14,7 +14,7 @@
 # limitations under the License.
 
 - name: Generate list of sysv_services
-  shell: "chkconfig --list | sed '/^$/ d ; /xinetd based services:/ d ; /^\t/ d' | awk '{print $1}'"
+  shell: "find /etc/init.d/ -printf '%f\n'"
   register: sysv_services
   changed_when: false
   tags:
@@ -34,6 +34,17 @@
     - cat3
     - V-38437
 
+- name: V-38640 - The abrt service must be disabled
+  service:
+    name: abrtd
+    state: stopped
+    enabled: no
+  when: disable_services['abrtd'] | bool and 'abrtd' in sysv_services.stdout
+  tags:
+    - services
+    - cat3
+    - V-38640
+
 - name: V-38641 - The atd service must be disabled
   service:
     name: atd
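Review bot: The replacement `find /etc/init.d/ -printf '%f\n'` lists every entry under /etc/init.d, recursing into any subdirectory and including non-script files (Ubuntu ships a README there), whereas the chkconfig pipeline it replaces listed only registered services; every `when:` guard downstream treats a name in this output as a present service. Constraining it to `find /etc/init.d/ -maxdepth 1 -type f -printf '%f\\n'` keeps the list to init scripts, and since the pipeline is gone `command:` would do the job without spawning a shell. Inside a YAML double-quoted scalar `\n` is turned into a literal newline before the shell sees it, which find's -printf happens to tolerate, but `\\n` makes the intent explicit. On an Ubuntu 14.04 host a service managed only as an upstart job under /etc/init would not appear in this listing and would never be stopped by the guarded tasks — confirm that is acceptable for the services handled here.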
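Review bot: `'abrtd' in sysv_services.stdout` in the abrt task's `when:` is a substring test against the whole find output, not a check that an init script named abrtd exists; it is true whenever any listed filename contains that string, so the guard does not quite enforce what the task name promises. `'abrtd' in sysv_services.stdout_lines` tests for an exact entry and reads the same. The qpidd and bluetooth tasks added in the next hunk use the same pattern (`'qpidd' in sysv_services.stdout`, `'bluetooth' in sysv_services.stdout`) and should change with it; for these particular names a false positive is unlikely today, but the looser match matters more now that the listing is a raw directory walk rather than chkconfig's service table.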
@@ -45,16 +56,27 @@
     - cat3
     - V-38641
 
-- name: V-38640 - The abrt service must be disabled
+- name: V-38648 - The qpidd service must be disabled
   service:
-    name: abrtd
+    name: qpidd
     state: stopped
     enabled: no
-  when: disable_services['abrtd'] | bool and 'abrtd' in sysv_services.stdout
+  when: disable_services['qpidd'] | bool and 'qpidd' in sysv_services.stdout
   tags:
     - services
     - cat3
-    - V-38640
+    - V-38648
+
+- name: V-38691 - The bluetooth service must be disabled
+  service:
+    name: bluetooth
+    state: stopped
+    enabled: no
+  when: disable_services['bluetooth'] | bool and 'bluetooth' in sysv_services.stdout
+  tags:
+    - services
+    - cat2
+    - V-38691
 
 - name: V-38582 - xinetd must be disabled if not in use
   service: