RHEL 7 STIG in openstack-ansible-security

Registered by Major Hayden

The RHEL 7 STIG is in the final stages before release and the security role needs to be updated with these new configuration guidelines.

Blueprint information

Status:
Complete
Approver:
None
Priority:
Low
Drafter:
Major Hayden
Direction:
Approved
Assignee:
Major Hayden
Definition:
Approved
Series goal:
None
Implementation:
Implemented
Milestone target:
None
Started by
Major Hayden
Completed by
Major Hayden

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:security-rhel7-stig,n,z

Addressed by: https://review.openstack.org/354389
    Spec: Add RHEL 7 STIG configurations

Addressed by: https://review.openstack.org/363396
    Automate the STIG documentation

Gerrit topic: https://review.openstack.org/#q,topic:bp/security-rhel7-stig,n,z

Addressed by: https://review.openstack.org/380509
    Initial scaffolding for RHEL 7 STIG

Addressed by: https://review.openstack.org/381292
    Initial docs scaffolding for RHEL 7 STIG

Addressed by: https://review.openstack.org/382635
    Add dividers to defaults/main.yml

Addressed by: https://review.openstack.org/383943
    Add tasks for RHEL-07-010010

Addressed by: https://review.openstack.org/385563
    Security: Remove quotes from extra vars

Addressed by: https://review.openstack.org/385583
    Security: Add tasks for RHEL-07-010020

Addressed by: https://review.openstack.org/385587
    Security: Add tasks for RHEL-07-010260

Addressed by: https://review.openstack.org/391910
    Add RHEL-07-010270 (ssh - empty password)

Addressed by: https://review.openstack.org/391930
    Add RHEL-07-010430 and RHEL-07-010431

Addressed by: https://review.openstack.org/391972
    Remove packages according to STIG

Addressed by: https://review.openstack.org/392269
    [WIP] GPG verification for packages

Gerrit topic: https://review.openstack.org/#q,topic:391972-remove-packages,n,z

Addressed by: https://review.openstack.org/393905
    Install screen and ssh client/server

Addressed by: https://review.openstack.org/393833
    Fix tags

Addressed by: https://review.openstack.org/395033
    Refactor package removal

Addressed by: https://review.openstack.org/395153
    Configure sshd based on the RHEL 7 STIG

Addressed by: https://review.openstack.org/395164
    [Docs] Configure sshd based on the RHEL 7 STIG

Addressed by: https://review.openstack.org/395207
    [Docs] Auditing setuid/setgid applications

Addressed by: https://review.openstack.org/395222
    Transmit audit logs to other servers

Addressed by: https://review.openstack.org/395230
    Encrypt transmitted audit logs

Addressed by: https://review.openstack.org/395297
    Enable virus scanner

Addressed by: https://review.openstack.org/394535
    Remove deprecated always_run

Addressed by: https://review.openstack.org/395783
    Add template for audit rules

Addressed by: https://review.openstack.org/395788
    [Docs] Audit rules

Addressed by: https://review.openstack.org/395934
    [Docs] Exception for RHEL-07-040830

Addressed by: https://review.openstack.org/396410
    [WIP] Set graphical session locks

Addressed by: https://review.openstack.org/396416
    [Docs] Set graphical session locks

Addressed by: https://review.openstack.org/396421
    Automatically remove package deps

Addressed by: https://review.openstack.org/397246
    Enable graphical login banner

Addressed by: https://review.openstack.org/397256
    [Docs] Enable graphical login banner

Addressed by: https://review.openstack.org/397334
    Refactor auditd rules

Addressed by: https://review.openstack.org/397355
    [Docs] Refactor auditd rules

Addressed by: https://review.openstack.org/397390
    Add exception for supported release check

Addressed by: https://review.openstack.org/397395
    Check for other UID 0 accounts

Addressed by: https://review.openstack.org/397833
    [Doc] Exceptions for LDAP SSL/TLS checks

Addressed by: https://review.openstack.org/397857
    [Docs] Exception for PKI revocation

Addressed by: https://review.openstack.org/397877
    Securing sysctl configurations

Addressed by: https://review.openstack.org/397882
    [Docs] Securing sysctl configurations

Addressed by: https://review.openstack.org/397893
    Set cn_map permissions/owner

Addressed by: https://review.openstack.org/397894
    [Docs] Set cn_map permissions/owner

Addressed by: https://review.openstack.org/399174
    Apply password quality rules

Addressed by: https://review.openstack.org/399186
    [Docs] Apply password quality rules

Addressed by: https://review.openstack.org/399199
    Ensure libuser crypt_style is SHA512 [+Docs]

Addressed by: https://review.openstack.org/399197
    Ensure passwords hashed with SHA512 [+Docs]

Addressed by: https://review.openstack.org/399217
    Fix stig_packages_rhel7 typo

Addressed by: https://review.openstack.org/399232
    Set lifetime limits for passwords [+Docs]

Addressed by: https://review.openstack.org/399255
    Find files/dirs without valid owners [+Docs]

Addressed by: https://review.openstack.org/399733
    Move common variables to common.yml

Addressed by: https://review.openstack.org/399749
    Check for users w/o home dirs [+Docs]

Addressed by: https://review.openstack.org/399759
    Create home directories by default [+Docs]

Addressed by: https://review.openstack.org/399783
    Verify that home directories exist [+Docs]

Addressed by: https://review.openstack.org/399790
    Use dynamic includes for speedup

Addressed by: https://review.openstack.org/403807
    Require auth for sudo [+Docs]

Addressed by: https://review.openstack.org/403833
    Expire cached sssd authenticators [+Docs]

Addressed by: https://review.openstack.org/404413
    Set auditd failure flag [+Docs]

Addressed by: https://review.openstack.org/404415
    [Docs] Exception for MFA/smartcards

Addressed by: https://review.openstack.org/404417
    [Docs] Exception for SELinux user confinement

Addressed by: https://review.openstack.org/404418
    Disable usb-storage module [+Docs]

Addressed by: https://review.openstack.org/404420
    Disable autofs [+Docs]

Addressed by: https://review.openstack.org/404421
    [Docs] Exceptions for disk encryption

Addressed by: https://review.openstack.org/404425
    Enable SELinux/AppArmor [+Docs]

Addressed by: https://review.openstack.org/404429
    Disable ctrl-alt-del key sequence [+Docs]

Addressed by: https://review.openstack.org/404925
    Enable firewalld [+Docs]

Addressed by: https://review.openstack.org/404928
    Add firewalld rate limit rule [+Docs]

Addressed by: https://review.openstack.org/404986
    Check for two nameservers [+Docs]

Addressed by: https://review.openstack.org/405402
    Display MOTD warning banner [+Docs]

Addressed by: https://review.openstack.org/405413
    Check for SHA512 password storage [+Docs]

Addressed by: https://review.openstack.org/405436
    Refactor login.defs adjustments [+Docs]

Addressed by: https://review.openstack.org/405462
    Prevent password re-use [+Docs]

Addressed by: https://review.openstack.org/405498
    Set minimum password length [+Docs]

Addressed by: https://review.openstack.org/405540
    Apply pam_faillock restrictions [+Docs]

Addressed by: https://review.openstack.org/405604
    Set grub2 password [+Docs]

Addressed by: https://review.openstack.org/405615
    [Docs] Exception for removing default accounts

Addressed by: https://review.openstack.org/405633
    Enable AIDE [+Docs]

Addressed by: https://review.openstack.org/406288
    Extend get_users module to get groups

Addressed by: https://review.openstack.org/406289
    Check for groups that don't exist [+Docs]

Addressed by: https://review.openstack.org/406303
    Disable accounts w/expired passwords [+Docs]

Addressed by: https://review.openstack.org/406329
    Set home dir mode to 0750 or less [+Docs]

Addressed by: https://review.openstack.org/406353
    Verify password age limits [+Docs]

Addressed by: https://review.openstack.org/406358
    Enable automatic package updates [+Docs]

Addressed by: https://review.openstack.org/407004
    [Docs] Exception for removing unnecessary accounts

Addressed by: https://review.openstack.org/407108
    Search for unlabeled device files [+Docs]

Addressed by: https://review.openstack.org/407150
    [Docs] Exceptions for filesystem mounts

Addressed by: https://review.openstack.org/407157
    Find world-writable dirs with bad group owners

Addressed by: https://review.openstack.org/407164
    [Docs] Exception for user init file umask

Addressed by: https://review.openstack.org/407170
    [Docs] Exception for cron logging

Addressed by: https://review.openstack.org/407178
    Set cron.allow owner/group owner [+Docs]

Addressed by: https://review.openstack.org/407187
    Disable kdump [+Docs]

Addressed by: https://review.openstack.org/407199
    Ensure separate filesystems exist [+Docs]

Addressed by: https://review.openstack.org/407530
    Add AIDE checks for ACL/xattrs [+Docs]

Addressed by: https://review.openstack.org/407534
    [Docs] Exception: grub on removable media

Addressed by: https://review.openstack.org/407536
    Enable/start auditd [+Docs]

Addressed by: https://review.openstack.org/407550
    Set audisp failure options [+Docs]

Addressed by: https://review.openstack.org/407570
    Set space_left in auditd [+Docs]

Addressed by: https://review.openstack.org/407575
    Set space_left_action in auditd [+Docs]

Addressed by: https://review.openstack.org/407579
    Set action_email_acct in auditd [+Docs]

Addressed by: https://review.openstack.org/407584
    [Docs] Fix broken/missing auditd docs

Addressed by: https://review.openstack.org/407593
    Add checks for remote syslog [+Docs]

Addressed by: https://review.openstack.org/407597
    [Docs] Exception: Disable syslog reception

Addressed by: https://review.openstack.org/407605
    [Docs] Virus definition update frequency

Addressed by: https://review.openstack.org/407218
    Enable FIPS [+Docs]

Addressed by: https://review.openstack.org/407611
    Set maxlogins limit [+Docs]

Addressed by: https://review.openstack.org/407613
    [Docs] Exception: logging level

Addressed by: https://review.openstack.org/407650
    Check for ocsp_on in PKCS config [+Docs]

Addressed by: https://review.openstack.org/407654
    Check for cackey/coolkey values [+Docs]

Addressed by: https://review.openstack.org/407671
    [Docs] Exception: firewall port auditing

Addressed by: https://review.openstack.org/407684
    Set TMOUT variable for all sessions [+Docs]

Addressed by: https://review.openstack.org/407687
    Enable chrony [+Docs]

Addressed by: https://review.openstack.org/407691
    Check for pam_lastlogin [+Docs]

Addressed by: https://review.openstack.org/407695
    Remove .shosts/shosts.equiv files [+Docs]

Addressed by: https://review.openstack.org/407698
    Check for promiscuous interfaces [+Docs]

Addressed by: https://review.openstack.org/407701
    Restrict mail relaying [+Docs]

Addressed by: https://review.openstack.org/407709
    Check for TFTP secure mode [+Docs]

Addressed by: https://review.openstack.org/407717
    Check for default SNMP comm strings [+Docs]

Addressed by: https://review.openstack.org/407720
    [Docs] Docs for TFTP server removal

Addressed by: https://review.openstack.org/407724
    Set permissions on sshd host keys [+Docs]

Addressed by: https://review.openstack.org/407727
    [Docs] Add missing docs for GSSAPI

Addressed by: https://review.openstack.org/408647
    [Docs] Exception: Add AUTH_GSS for NFS

Addressed by: https://review.openstack.org/408666
    [Docs] Refer to other control for firewalld

Addressed by: https://review.openstack.org/408672
    [Docs] Exception for firewalld config

Addressed by: https://review.openstack.org/408736
    Set user/group/modes on user init files [+Docs]

Addressed by: https://review.openstack.org/408777
    [Docs] User init file exceptions

Addressed by: https://review.openstack.org/410258
    [Docs] Update for RHEL7 STIG

Addressed by: https://review.openstack.org/410263
    [Docs] Fix missing code-block property

Addressed by: https://review.openstack.org/418448
    [WIP] Enable RHEL 7 STIG tasks as default

Addressed by: https://review.openstack.org/411406
    Use RHEL 7 STIG content in OSA
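
Several of the changes listed above are pure checks over the account database rather than configuration changes: finding other UID 0 accounts, finding users without home directories, and finding users whose primary group does not exist. The role implements these as Ansible tasks backed by its own get_users module; the script below is an added example, not code from openstack-ansible-security, that runs the same three checks over a constructed /etc/passwd and /etc/group sample. The set of existing directories, the UID_MIN of 1000 (the RHEL 7 login.defs default) and the list of non-login shells are assumptions made for the example.

```python
"""Account hygiene checks of the kind the RHEL 7 STIG work above automates.

Added example, not code from openstack-ansible-security. The passwd and
group content and the set of existing directories are constructed sample
data, not taken from a real host.
"""

from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name uid gid home shell")
GroupEntry = namedtuple("GroupEntry", "name gid")

# Constructed /etc/passwd sample: "toor" is a second UID 0 account,
# "bob" has a primary GID with no group entry, and two interactive
# users have home directories that do not exist on the sample host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:9999:Bob:/home/bob:/bin/bash
svc:x:1003:1003:Service:/var/lib/svc:/sbin/nologin
carol:x:1004:1004:Carol:/home/carol:/bin/bash
"""

# Constructed /etc/group sample (no group with GID 9999).
SAMPLE_GROUP = """\
root:x:0:
bin:x:1:
alice:x:1001:
svc:x:1003:
carol:x:1004:
"""

# Assumed view of which home directories exist on the sample host;
# on a real system this would come from os.path.isdir().
EXISTING_DIRS = {"/root", "/bin", "/home/alice", "/var/lib/svc"}

# Assumed list of shells that mark an account as non-interactive.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Assumed UID_MIN; RHEL 7 login.defs defaults to 1000.
UID_MIN = 1000


def parse_passwd(text):
    """Parse passwd(5) lines into PasswdEntry tuples, rejecting malformed ones."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries


def parse_group(text):
    """Parse group(5) lines into GroupEntry tuples (name and GID only)."""
    groups = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError("malformed group line: %r" % line)
        groups.append(GroupEntry(fields[0], int(fields[2])))
    return groups


def extra_uid0_accounts(entries):
    """Any account other than root that has UID 0."""
    return sorted(e.name for e in entries if e.uid == 0 and e.name != "root")


def interactive_users(entries, uid_min=UID_MIN):
    """Accounts at or above UID_MIN with a real login shell."""
    return [e for e in entries
            if e.uid >= uid_min and e.shell not in NOLOGIN_SHELLS]


def users_without_home(entries, existing_dirs, uid_min=UID_MIN):
    """Interactive users whose home directory is not present."""
    return sorted(e.name for e in interactive_users(entries, uid_min)
                  if e.home not in existing_dirs)


def users_with_missing_group(entries, groups):
    """Accounts whose primary GID has no entry in the group database."""
    known_gids = {g.gid for g in groups}
    return sorted(e.name for e in entries if e.gid not in known_gids)


def run_checks(passwd_text, group_text, existing_dirs):
    """Run all three checks and return the offending account names per check."""
    entries = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    return {
        "extra_uid0": extra_uid0_accounts(entries),
        "missing_home": users_without_home(entries, existing_dirs),
        "missing_group": users_with_missing_group(entries, groups),
    }


if __name__ == "__main__":
    results = run_checks(SAMPLE_PASSWD, SAMPLE_GROUP, EXISTING_DIRS)
    for check, names in sorted(results.items()):
        print("%s: %s" % (check, ", ".join(names) or "none"))
```

On a real host the same functions would be fed the contents of /etc/passwd and /etc/group and a directory-existence test instead of the constructed sets; the role reports findings like these rather than deleting accounts, since removing a UID 0 account or an orphaned user is a decision for the operator.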


Work Items
