openstack/ansible-hardening
Code Issues Proposed changes

V-386**: Disabling various unneeded services

Browse Source 
Implements: blueprint security-hardening

Change-Id: I2db583aee39d75ed81b547d9ad6cab99f7a39dc9
This commit is contained in:
Major Hayden 2015-10-09 12:49:33 -05:00
parent 90b6e48f21
commit 7a57dd3bb1
12 changed files with 106 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
defaults/main.yml
View File

@ -34,6 +34,9 @@ disable_services:
atd: yes # V-38640 atd: yes # V-38640
autofs: yes # V-38437 autofs: yes # V-38437
avahi: yes # V-31618 avahi: yes # V-31618
bluetooth: yes # V-38691
qpidd: yes # V-38648
rsh: yes # V-38594
ypbind: yes # V-38604 ypbind: yes # V-38604
xinetd: yes # V-38582 xinetd: yes # V-38582
@ -44,8 +47,8 @@ disable_services:
# boolean to 'no' means that the playbook will not alter the service. # boolean to 'no' means that the playbook will not alter the service.
# #
remove_services: remove_services:
rsh-server: yes # V-38591
ldap-server: yes # V-38627 ldap-server: yes # V-38627
rsh-server: yes # V-38591
sendmail: yes # V-38671 sendmail: yes # V-38671
telnet_server: yes # V-38587 telnet_server: yes # V-38587
tftp-server: yes # V-38606 tftp-server: yes # V-38606

5
doc/source/developer-notes/V-38550.rst
View File

@ -1,2 +1,3 @@
Rules are added for auditing discretionary access control changes made via Audit rules are added in a task so that any events associated with the loading
fchmodat. or unloading of a kernel module are logged. The new audit rule will be
loaded immediately with ``augenrules --load``.

8
doc/source/developer-notes/V-38589.rst Normal file
View File

@ -0,0 +1,8 @@
**Fixed by another STIG**
Neither Ubuntu or openstack-ansible installs the telnet daemon by default.
Running a telnet daemon isn't recommended under most situations, so the
telnet server package will be removed from the system if it is installed.
The telnet server is removed by the Ansible tasks for V-38587, so no action
is required here.

8
doc/source/developer-notes/V-38594.rst Normal file
View File

@ -0,0 +1,8 @@
**Fixed by another STIG**
Neither Ubuntu or openstack-ansible installs the rsh daemon by default.
Running a rsh daemon isn't recommended under most situations, so the
rsh server package will be removed from the system if it is installed.
The rsh server is removed by the Ansible tasks for V-38591, so no action
is required here.

10
doc/source/developer-notes/V-38598.rst Normal file
View File

@ -0,0 +1,10 @@
**Fixed by another STIG**
The ``rexecd`` daemon is part of the package that contains the ``rsh`` daemon.
Neither Ubuntu or openstack-ansible installs the rsh daemon by default.
Running a rsh daemon isn't recommended under most situations, so the
rsh server package will be removed from the system if it is installed.
The rsh server is removed by the Ansible tasks for V-38591, so no action
is required here.

10
doc/source/developer-notes/V-38602.rst Normal file
View File

@ -0,0 +1,10 @@
**Fixed by another STIG**
The ``rlogind`` daemon is part of the package that contains the ``rsh`` daemon.
Neither Ubuntu or openstack-ansible installs the rsh daemon by default.
Running a rsh daemon isn't recommended under most situations, so the
rsh server package will be removed from the system if it is installed.
The rsh server is removed by the Ansible tasks for V-38591, so no action
is required here.

7
doc/source/developer-notes/V-38644.rst Normal file
View File

@ -0,0 +1,7 @@
**Special case**
Ubuntu doesn't provide the same ``ntpdate`` service that a Red Hat Enterprise
Linux 6 server would have. In addition, time synchronization is added within
the fixes for V-38620 (where ``chrony`` is installed and configured).
There is no action to be taken on Ubuntu for this STIG.

5
doc/source/developer-notes/V-38646.rst Normal file
View File

@ -0,0 +1,5 @@
**Special case**
Ubuntu doesn't package the ``oddjobd`` daemon, so there are no packages to
remove or daemons to stop. There is no action to be taken for this STIG on
Ubuntu 14.04.

11
doc/source/developer-notes/V-38648.rst Normal file
View File

@ -0,0 +1,11 @@
Although some OpenStack implementations use ``qpidd`` for their messaging hub,
neither Ubuntu or openstack-ansible configures the service on the hosts by
default. The Ansible task for this STIG will check to see if the init script
exists for ``qpidd``. If it does, the daemon will be stopped and disable on
the next boot.
To opt-out of this change, adjust the following Ansible variable to ``no``:
.. code-block:: yaml
disable_services['qpidd']: no

7
doc/source/developer-notes/V-38650.rst
View File

@ -1,3 +1,4 @@
Audit rules are added in a task so that any events associated with the loading **Special case**
or unloading of a kernel module are logged. The new audit rule will be
loaded immediately with ``augenrules --load``. Ubuntu doesn't provide packages containing the ``rdisc`` service at this time.
Therefore, no action is taken for this STIG.

9
doc/source/developer-notes/V-38691.rst Normal file
View File

@ -0,0 +1,9 @@
Although neither Ubuntu 14.04 or openstack-ansible installs the ``bluetooth``
package, the Ansible tasks will disable the service and stop it if it's found
to be running on the system.
To opt-out of this change, adjust the following Ansible variable to ``no``:
.. code-block:: yaml
disable_services['bluetooth']: no

32
tasks/services.yml
View File

@ -14,7 +14,7 @@
# limitations under the License. # limitations under the License.
- name: Generate list of sysv_services - name: Generate list of sysv_services
shell: "chkconfig --list | sed '/^$/ d ; /xinetd based services:/ d ; /^\t/ d' | awk '{print $1}'" shell: "find /etc/init.d/ -printf '%f\n'"
register: sysv_services register: sysv_services
changed_when: false changed_when: false
tags: tags:
@ -34,6 +34,17 @@
- cat3 - cat3
- V-38437 - V-38437
- name: V-38640 - The abrt service must be disabled
service:
name: abrtd
state: stopped
enabled: no
when: disable_services['abrtd'] | bool and 'abrtd' in sysv_services.stdout
tags:
- services
- cat3
- V-38640
- name: V-38641 - The atd service must be disabled - name: V-38641 - The atd service must be disabled
service: service:
name: atd name: atd
@ -45,16 +56,27 @@
- cat3 - cat3
- V-38641 - V-38641
- name: V-38640 - The abrt service must be disabled - name: V-38648 - The qpidd service must be disabled
service: service:
name: abrtd name: qpidd
state: stopped state: stopped
enabled: no enabled: no
when: disable_services['abrtd'] | bool and 'abrtd' in sysv_services.stdout when: disable_services['qpidd'] | bool and 'qpidd' in sysv_services.stdout
tags: tags:
- services - services
- cat3 - cat3
- V-38640 - V-38648
- name: V-38691 - The bluetooth service must be disabled
service:
name: bluetooth
state: stopped
enabled: no
when: disable_services['bluetooth'] | bool and 'bluetooth' in sysv_services.stdout
tags:
- services
- cat2
- V-38691
- name: V-38582 - xinetd must be disabled if not in use - name: V-38582 - xinetd must be disabled if not in use
service: service: