We are joyful to announce the release of:

openstack-ansible-security 14.0.0: OpenStack-Ansible: Host security hardening

This release is part of the newton release series.

Download the package from:

    https://tarballs.openstack.org/openstack-ansible-security/

For more details, please see below.

14.0.0
^^^^^^

New Features
************

* The role now enables auditing during early boot to comply with the requirements in V-38438. By default, the GRUB configuration variables in "/etc/default/grub.d/" will be updated and the active "grub.cfg" will be updated. Deployers can opt-out of the change entirely by setting a variable:

      security_enable_audit_during_boot: no

  Deployers may opt-in for the change without automatically updating the active "grub.cfg" file by setting the following Ansible variables:

      security_enable_audit_during_boot: yes
      security_enable_grub_update: no

* A task was added to disable secure ICMP redirects per the requirements in V-38526. This change can cause problems in some environments, so it is disabled by default. Deployers can enable the task (which disables secure ICMP redirects) by setting "security_disable_icmpv4_redirects_secure" to "yes".

* A new task was added to disable ICMPv6 redirects per the requirements in V-38548. However, since this change can cause problems in running OpenStack environments, it is disabled by default. Deployers who wish to enable this task (and disable ICMPv6 redirects) should set "security_disable_icmpv6_redirects" to "yes".

* AIDE is configured to skip the entire "/var" directory when it does the database initialization and when it performs checks. This reduces disk I/O and allows these jobs to complete faster. This also allows the initialization to become a blocking process, and Ansible will wait for the initialization to complete prior to running the next task.

* The auditd rules template included a rule that audited changes to the AppArmor policies, but the SELinux policy changes were not being audited. Any changes to SELinux policies in "/etc/selinux" are now being logged by auditd.

* Although the STIG requires martian packets to be logged, the logging is now disabled by default. The logs can quickly fill up a syslog server or make a physical console unusable. Deployers that need this logging enabled will need to set the following Ansible variable:

      security_sysctl_enable_martian_logging: yes

* The security role now has tasks that will disable the graphical interface on a server using upstart (Ubuntu 14.04) or systemd (Ubuntu 16.04 and CentOS 7). These changes take effect after a reboot. Deployers that need a graphical interface will need to set the following Ansible variable:

      security_disable_x_windows: no

* An Ansible task was added to disable the "rdisc" service on CentOS systems if the service is installed on the system. Deployers can opt-out of this change by setting "security_disable_rdisc" to "no".

* The Linux Security Module (LSM) that is appropriate for the Linux distribution in use will be automatically enabled by the security role by default. Deployers can opt out of this change by setting the following Ansible variable:

      security_enable_linux_security_module: False

  The documentation for STIG V-51337 has more information about how each LSM is enabled along with special notes for SELinux.

* A task was added that restricts ICMPv4 redirects to meet the requirements of V-38524 in the STIG. This configuration is disabled by default since it could cause issues with LXC in some environments. Deployers can enable this configuration by setting an Ansible variable:

      security_disable_icmpv4_redirects: yes

* The audit rules added by the security role now have key fields that make it easier to link the audit log entry to the audit rule that caused it to appear.

* A new configuration parameter "security_ntp_bind_local_interfaces" was added to the security role to restrict the network interface to which chronyd will listen for NTP requests.
* The security role now supports the ability to configure whether apt/yum tasks install the latest available package, or just ensure that the package is present. The default action is to ensure that the latest package is present. The action taken may be changed to only ensure that the package is present by setting "security_package_state" to "present".

* The GPG key checks for package verification in V-38476 are now working for Red Hat Enterprise Linux 7 in addition to CentOS 7. The checks only look for GPG keys from Red Hat; any other GPG keys, such as ones imported from the EPEL repository, are skipped.

* Tasks were added to search for any device files without a proper SELinux label on CentOS systems. If any of these device labels are found, the playbook execution will stop with an error message.

* The openstack-ansible-security role supports the application of the Red Hat Enterprise Linux 6 STIG configurations to systems running CentOS 7 and Ubuntu 16.04 LTS.

Upgrade Notes
*************

* The variable "security_audit_apparmor_changes" is now renamed to "security_audit_mac_changes" and is enabled by default. Setting "security_audit_mac_changes" to "no" will disable syscall auditing for any changes to AppArmor policies (in Ubuntu) or SELinux policies (in CentOS).

* The variable "security_sysctl_enable_tcp_syncookies" has replaced "security_sysctl_tcp_syncookies" and it is now a boolean instead of an integer. It is still enabled by default, but deployers can disable TCP syncookies by setting the following Ansible variable:

      security_sysctl_enable_tcp_syncookies: no

* The security role always checks whether the latest package is installed when executed. If a deployer wishes to change the check to only validate the presence of the package, the option "security_package_state" should be set to "present".

* All of the discretionary access control (DAC) auditing is now disabled by default. This reduces the amount of logs generated during deployments and minor upgrades. The following variables are now set to "no":

      security_audit_DAC_chmod: no
      security_audit_DAC_chown: no
      security_audit_DAC_lchown: no
      security_audit_DAC_fchmod: no
      security_audit_DAC_fchmodat: no
      security_audit_DAC_fchown: no
      security_audit_DAC_fchownat: no
      security_audit_DAC_fremovexattr: no
      security_audit_DAC_lremovexattr: no
      security_audit_DAC_fsetxattr: no
      security_audit_DAC_lsetxattr: no
      security_audit_DAC_setxattr: no

* All variables in the security role are now prepended with "security_" to avoid collisions with variables in other roles. All deployers who have used the security role in previous releases will need to prepend all security role variables with "security_". For example, a deployer could have disabled direct root ssh logins with the following variable:

      ssh_permit_root_login: yes

  That variable would become:

      security_ssh_permit_root_login: yes

Bug Fixes
*********

* The "/run" directory is excluded from AIDE checks since the files and directories there are only temporary and often change when services start and stop.

* AIDE initialization is now always run on subsequent playbook runs when "security_initialize_aide" is set to "yes". The initialization will be skipped if AIDE isn't installed or if the AIDE database already exists. See bug 1616281 (https://launchpad.net/bugs/1616281) for more details.

* The role previously did not restart the audit daemon after generating a new rules file. The bug (https://launchpad.net/bugs/1590916) has been fixed and the audit daemon will be restarted after any audit rule changes.

* The dictionary-based variables in "defaults/main.yml" are now individual variables. The dictionary-based variables could not be changed as the documentation instructed; instead it was required to override the entire dictionary. Deployers must use the new variable names to enable or disable the security configuration changes applied by the security role. For more information, see Launchpad Bug 1577944 (https://bugs.launchpad.net/openstack-ansible/+bug/1577944).

* Failed access logging is now disabled by default and can be enabled by changing "security_audit_failed_access" to "yes". The rsyslog daemon checks for the existence of log files regularly and this audit rule was triggered very frequently, which led to very large audit logs.

* An Ansible task was added to disable the "netconsole" service on CentOS systems if the service is installed on the system. Deployers can opt-out of this change by setting "security_disable_netconsole" to "no".

* The security role previously set the permissions on all audit log files in "/var/log/audit" to "0400", but this prevents the audit daemon from writing to the active log file. This will prevent "auditd" from starting or restarting cleanly. The task now removes any permissions that are not allowed by the STIG. Any log files that meet or exceed the STIG requirements will not be modified.

* When the security role was run in Ansible's check mode and a tag was provided, the "check_mode" variable was not being set. Any tasks which depend on that variable would fail. This bug is fixed (https://bugs.launchpad.net/openstack-ansible/+bug/1590086) and the "check_mode" variable is now set properly on every playbook run.

* The security role now handles "ssh_config" files that contain "Match" stanzas. A marker is added to the configuration file and any new configuration items will be added below that marker. In addition, the configuration file is validated for each change to the ssh configuration file.

* The auditd rules for auditing V-38568 (filesystem mounts) were incorrectly labeled in the auditd logs with the key of "export-V-38568". They are now correctly logged with the key "filesystem_mount-V-38568".
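The audit rule keys this release introduces ("<name>-V-<STIG id>", with the V-38568 key corrected above) are what lets an analyst tie an auditd event back to the control that produced it. The following is an added example, not code from the openstack-ansible-security role: it extracts the key from raw auditd lines, folds the old "export-V-38568" key into its corrected name so pre- and post-upgrade logs aggregate together, and counts events per STIG id. The log lines and the "example_rule-V-99999" key are constructed samples.

```python
"""Link auditd log entries back to the STIG control whose rule produced them.

Added example, not part of openstack-ansible-security. It relies only on the
key naming the release notes describe ("<name>-V-<stig id>", e.g.
"filesystem_mount-V-38568"); the log lines below are constructed samples in
the raw auditd line format, not captured from a real host.
"""
import re
from collections import Counter

# auditd records the rule key as key="..." (or key=(null) when no rule keyed it).
KEY_RE = re.compile(r'\bkey="([^"]*)"')
# Keys from this role end in the STIG vulnerability id: <name>-V-<digits>.
STIG_KEY_RE = re.compile(r"^(?P<name>.+)-(?P<stig>V-\d+)$")

# Key used for V-38568 before the fix in this release (see Bug Fixes above).
RENAMED_KEYS = {"export-V-38568": "filesystem_mount-V-38568"}


def parse_key(line):
    """Return (name, stig_id) for a raw audit line, or None if it has no role key."""
    m = KEY_RE.search(line)
    if not m:
        return None
    key = RENAMED_KEYS.get(m.group(1), m.group(1))  # fold old key into new name
    sm = STIG_KEY_RE.match(key)
    if not sm:
        return None
    return sm.group("name"), sm.group("stig")


def events_per_control(lines):
    """Count SYSCALL events per STIG id, merging pre-rename keys."""
    counts = Counter()
    for line in lines:
        if not line.startswith("type=SYSCALL"):
            continue  # CWD/PATH records share the event id; count each event once
        parsed = parse_key(line)
        if parsed:
            counts[parsed[1]] += 1
    return counts


# Constructed sample log: two mount events (one with the pre-fix key), one
# event for a hypothetical rule keyed "example_rule-V-99999", one unkeyed open.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1473000001.100:201): arch=c000003e syscall=165 success=yes exit=0 comm="mount" key="filesystem_mount-V-38568"
type=CWD msg=audit(1473000001.100:201): cwd="/root"
type=SYSCALL msg=audit(1473000002.200:202): arch=c000003e syscall=165 success=yes exit=0 comm="mount" key="export-V-38568"
type=SYSCALL msg=audit(1473000003.300:203): arch=c000003e syscall=90 success=no exit=-13 comm="chmod" key="example_rule-V-99999"
type=SYSCALL msg=audit(1473000004.400:204): arch=c000003e syscall=2 success=yes exit=3 comm="cat" key=(null)
"""

if __name__ == "__main__":
    for stig, n in sorted(events_per_control(SAMPLE_LOG.splitlines()).items()):
        print(f"{stig}: {n} event(s)")
```

On a real host the same functions can be fed the output of `ausearch --raw` to see which controls generate the most volume before deciding which of the opt-out variables above to flip.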
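The Upgrade Notes above describe two changes that every existing override file must absorb at once: the "security_" prefix on all variables, and the two renamed variables (one of which also changes from an integer to a boolean). The following is an added example, not a tool shipped with the role, that rewrites a flat "key: value" override file accordingly. It assumes one variable per line; nested, dictionary-style overrides from older releases are reported for manual review rather than converted, and the sample file is constructed.

```python
"""Rewrite a deployer's old security-role overrides to the 14.0.0 variable names.

Added example, not part of openstack-ansible-security. It applies the Upgrade
Notes: every variable gains the "security_" prefix, and the two renamed
variables are translated (the syncookies value becomes a boolean). It assumes
a flat "key: value" YAML mapping, one variable per line; nested or
dictionary-based overrides are reported rather than converted.
"""
import re

PREFIX = "security_"
# Renames called out in the Upgrade Notes, keyed by the already-prefixed name.
RENAMES = {
    "security_audit_apparmor_changes": "security_audit_mac_changes",
    "security_sysctl_tcp_syncookies": "security_sysctl_enable_tcp_syncookies",
}
LINE_RE = re.compile(r"^(?P<key>[A-Za-z_][A-Za-z0-9_]*):\s*(?P<value>.*?)\s*$")


def migrate_line(line):
    """Return the migrated line, or None when the line must be handled by hand."""
    stripped = line.rstrip("\n")
    if not stripped.strip() or stripped.lstrip().startswith("#"):
        return stripped  # keep blank lines and comments untouched
    m = LINE_RE.match(stripped)
    if not m or m.group("value") == "":
        return None  # indented (nested) or dictionary-style variable: review by hand
    key, value = m.group("key"), m.group("value")
    if not key.startswith(PREFIX):
        key = PREFIX + key  # unique-variable migration
    new_key = RENAMES.get(key, key)
    if new_key == "security_sysctl_enable_tcp_syncookies" and key != new_key:
        # old variable was an integer sysctl value; new one is a boolean
        value = "yes" if value.strip() in ("1", "yes", "true", "True") else "no"
    return f"{new_key}: {value}"


def migrate(text):
    """Migrate a whole file; returns (new_text, lines_needing_manual_review)."""
    out, manual = [], []
    for line in text.splitlines():
        migrated = migrate_line(line)
        if migrated is None:
            manual.append(line)
        else:
            out.append(migrated)
    return "\n".join(out) + "\n", manual


# Constructed sample of a pre-14.0.0 override file.
OLD_OVERRIDES = """\
# security role overrides written against the previous release
ssh_permit_root_login: yes
audit_apparmor_changes: no
sysctl_tcp_syncookies: 1
security_disable_x_windows: no
"""

if __name__ == "__main__":
    new_text, manual = migrate(OLD_OVERRIDES)
    print(new_text)
    for line in manual:
        print("needs manual review:", line)
```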
Changes in openstack-ansible-security 13.0.0..14.0.0
----------------------------------------------------

72ef48f Update tox.ini tests target for stable/newton
5ee9ead Skip V-38620 (chrony) in gate
5f263af Use centralised test scripts
081e46e Update UPPER_CONSTRAINTS_FILE for stable/newton
888fd8e Update .gitreview for stable/newton
f460a97 [Docs] Fix sphinx pickling error
481ad31 Force Ansible to use dynamic includes
bb37cfd Fix a minor typo in documentation
e5a346f Update testing bits for consistency
4cdf533 [Docs] More cleanup
c93b167 Add network conf auditing on CentOS
3d6cac0 [Docs] Update configuration/controls docs
3c19f00 [Docs] Metadata cleanup
4b6cbd5 [Docs] Update dev guide for metadata docs
79eeaa4 Updated from global requirements
e57593d Automate the STIG documentation
28c73b4 Use command to avoid alias execution for log compression in CI
6d67b6a Rename collected logs for easier CI viewing
98fdd52 Disable DAC change auditing
1889953 Collect compressed logs after functional test execution
2aca828 Adding V-38438 (auditd during boot)
e58ae24 Disable martian logging by default
83dd342 Add additional nullok check
427cd00 Enable log collection after functional testing
1fdd5b4 Remove extra AIDE tasks
129e629 Exclude /run from AIDE checks
4525cae Updated from global requirements
87e2190 Disable automatic ToC generation
578ce32 Ensure AIDE initializes on subsequent runs
31823b7 Implemented: V-38548.
a189e05 Fix numbering on V-38583
fb33be7 Update to Ansible 2.1.1
8945ecb Restore logrotate cron job in CI
9ea5033 Fix AIDE cron job creation
862b713 Make all linting tests use upper-constraints
2c4393f Added SNI support for os_security role via OS packages
822ffad Add AIDE cron job in CentOS 7
704e1c8 Implemented: V-38526.
36e7d54 Updated from global requirements
f85e9e4 Skip SNMPv1/2 (V-38660) checks in gate
06997d1 Add python packages for SNI support in tests
f1acb0f Move other-requirements.txt to bindep.txt
1625f2a Add workaround for CVE-2016-5696
675c9e8 Show idempotency check output
a715acf Fix auditd rpmverify check
8d2cde7 Add python-apt for check mode
c458db6 Include ansible commands for ansible linting
43c81eb Adjust TCP syncookes variable to bool
08bd55d Correct tags attribute typo
70d9224 Add ability to change apt/yum package state
088884c Ensure that doc linting is included in the linters test
5e70944 Add audit rules to support ppc64le architecture.
fa11dd4 Add idempotency check
983f20a Updated from global requirements
20b8d9a Fix duplicated config options in auditd.conf
7f7098c Restore check/audit test in tox.ini
b5b92c1 Fix chrony daemon name for rh derivatives
cc01563 Use plugins repo version of the human_log callback plugin
7eeaf92 Updated from global requirements
e75613e Resolve 'E501 line too long' linters error
7003129 Remove doc8 check ignores
7751415 Update sphinx configuration
65293e8 Update tox configuration
e831f70 Docs: Add note about RHEL 7 testing
432a9eb Switch to openstackdocs theme
5f8a93c Ignore ansible-lint warnings about rpm command usage
076be96 Docs: Fix rendering of :orphan:
a95aeaa Pin test-requirements to match OpenStack requirements
ff07803 Add support for Xenial and CentOS 7 to the Vagrantfile
2538d3c Fix documentation warnings from sphinx
6a9230c Ensure aide-common package is installed
ba25681 Use standard check for systemd
b937e5b Docs: Specify supported distributions
809b6cb Restart auditd after running augenrules
44e6056 Add key fields to audit rules
ef69ba2 Add initial support for Red Hat Enterprise Linux 7
24f3f73 Add release note for V-38524 implementation
d56468f Docs: Add developer guide for security role
03d436f Fix grub configuration file path in RHEL/CentOS 7
d8ae1e3 Set check_mode variable every time
ee00627 Add check/audit to gate testing
5112569 Implemented: V-38524.
2683e56 Fix broken check mode for CentOS 7
45330fe Don't start LSM in check mode
ecb0329 Consistency for multi-os in the includes
bf28fdf Search for unlabeled device files
42deedc Remove one more "FAILED" from a custom fail message
40634db Add /etc/apparmor.d/ for auditing
6476ef7 Ensure V-38574 works reliably on CentOS
65a7bc4 Setting default runlevel/target to non-graphical
9fbe88a Fix unlocked account check on Ansible 2.2
09a60bf Remove "FAILED" from custom fail messages
7d2964a Add a note to the README file where to report bugs
7b313ee Adding audit rule for SELinux policy modifications
3114703 Add new parameter 'security_ntp_bind_local_interfaces_only'
31424a4 Enable LSM instead of checking status
a841e18 Docs: Update dev notes for Cat 2 controls
32ce224 Docs: Update dev notes for Cat 3 controls
e954ff5 Docs: Update dev notes for Cat 1 controls
a972b4f Fix null password auth in CentOS
490d2f4 Fix auditd log permission bug
5cd0192 Fixing the "dry-run" errors.
2459cb4 Disable the rdisc service (if present)
3107e7c Disable the netconsole service (if present)
750260d Use ansible_managed variable in templates
05e3a1f Do not use bare variables with with_items
b562271 Use fail module instead of debug module with failed_when
8a3a83a Add multi-release docs index
22c4c21 Add CentOS 7 and Ubuntu 16.04 support
fa28004 Migrate to unique variable names
54de1b5 Handle Match properly in sshd_config
6f8b686 Removing equal signs in docs
f5061fd Switch from dict to individual variables
c7d2d84 Add .swp files to .gitignore
e57f251 Fix verbiage in docs on auditd rule
19999b4 Add dependencies for paramiko 2.0
77b8b45 Disable failed access auditd logging
8389ec0 Add reno scaffolding for release notes management
5b5eabd blacklist Ansible 1.9.6
d1ca8db Add ability to enable unattended upgrades
e44efd0 Doc updates
72cbd94 Fix flake8 violation in conf.py
9058a3f Improved search for unlocked system accounts

Diffstat (except docs and test files)
-------------------------------------

 .gitignore | 19 +-
 .gitreview | 1 +
 README.md | 50 +-
 README.rst | 26 +-
 Vagrantfile | 59 +-
 bindep.txt | 44 +
 defaults/main.yml | 237 +-
 files/20auto-upgrades | 2 +
 handlers/main.yml | 23 +-
 manual-test.rc | 33 +
 meta/main.yml | 4 +
 other-requirements.txt | 16 -
 releasenotes/notes/.placeholder | 0
 .../notes/add-v38438-3f7e905892be4b4f.yaml | 21 +
 .../notes/adding-v38526-381a407caa566b14.yaml | 8 +
 .../notes/adding-v38548-9c51b30bf9780ff3.yaml | 8 +
 .../notes/aide-exclude-run-4d3c97a2d08eb373.yaml | 6 +
 .../aide-initialization-fix-16ab0223747d7719.yaml | 17 +
 ...diting-mac-policy-changes-fb83e0260a6431ed.yaml | 15 +
 .../notes/augenrules-restart-39fe3e1e2de3eaba.yaml | 5 +
 ...figurable-martian-logging-370ede40b036db0b.yaml | 13 +
 ...tionary-variables-removed-957c7b7b2108ba1f.yaml | 9 +
 ...iled-access-audit-logging-789dc01c8bcbef17.yaml | 6 +
 ...sable-graphical-interface-5db89cd1bef7e12d.yaml | 13 +
 ...isable-netconsole-service-915bb33449b4012c.yaml | 7 +
 .../disabling-rdisc-centos-75115b3509941bfa.yaml | 8 +
 .../notes/enable-lsm-bae903e463079a3f.yaml | 14 +
 ...ble-tcp-syncookes-boolean-4a884a66a3a0e4d7.yaml | 11 +
 ...-audit-log-permission-bug-81a772e2e6d0a5b3.yaml | 10 +
 .../fix-check-mode-with-tags-bf798856a27c53eb.yaml | 7 +
 ...ndling-sshd-match-stanzas-fa40b97689004e46.yaml | 7 +
 .../notes/implemented-v38524-b357edec95128307.yaml | 12 +
 .../improved-audit-rule-keys-9fa85f758386446c.yaml | 5 +
 ...ind-local-interfaces-only-05f03de632e81097.yaml | 5 +
 .../notes/package-state-6684c5634bdf127a.yaml | 13 +
 .../reduce-auditd-logging-633677a74aee5481.yaml | 25 +
 .../notes/rhel-gpg-check-0b483a824314d1b3.yaml | 7 +
 ...rch-for-unlabeled-devices-cb047c5f767e93ce.yaml | 6 +
 ...support-for-centos-xenial-2b89c318cc3df4b0.yaml | 5 +
 ...unique-variable-migration-c0639030b495438f.yaml | 20 +
 releasenotes/source/_static/.placeholder | 0
 releasenotes/source/_templates/.placeholder | 0
 releasenotes/source/conf.py | 281 ++
 releasenotes/source/index.rst | 10 +
 releasenotes/source/liberty.rst | 6 +
 releasenotes/source/mitaka.rst | 6 +
 releasenotes/source/unreleased.rst | 5 +
 setup.cfg | 2 +-
 setup.py | 11 +-
 tasks/aide.yml | 115 +
 tasks/apt.yml | 60 +-
 tasks/auditd.yml | 97 +-
 tasks/auth.yml | 167 +-
 tasks/boot.yml | 32 +-
 tasks/console.yml | 27 +-
 tasks/file_perms.yml | 18 +-
 tasks/kernel.yml | 67 +-
 tasks/lsm.yml | 83 +
 tasks/mail.yml | 27 +-
 tasks/main.yml | 56 +-
 tasks/misc.yml | 218 +-
 tasks/nfsd.yml | 24 +-
 tasks/rpm.yml | 109 +
 tasks/services.yml | 191 +-
 tasks/sshd.yml | 82 +-
 templates/ZZ_aide_exclusions.j2 | 5 +-
 templates/chrony.conf.j2 | 14 +-
 templates/jail.local.j2 | 6 +-
 templates/osas-auditd.j2 | 346 +-
 test-requirements.txt | 22 +-
 tox.ini | 172 +-
 vars/redhat.yml | 38 +
 vars/ubuntu.yml | 41 +
 889 files changed, 10206 insertions(+), 10525 deletions(-)

Requirements updates
--------------------

diff --git a/test-requirements.txt b/test-requirements.txt index 3422d65..73b06a3 100644 --- a/test-requirements.txt
+++ b/test-requirements.txt @@ -1,4 +1,9 @@ -ansible-lint<=2.3.9 -ansible>=1.9.1,<2.0.0 -bashate -flake8 +# The order of packages is significant, because pip processes them in the order +# of appearance. Changing the order has an impact on the overall integration +# process, which may cause wedges in the gate later. +bashate>=0.2 # Apache-2.0 +flake8<2.6.0,>=2.5.4 # MIT +pyasn1 # BSD +pyOpenSSL>=0.14 # Apache-2.0 +requests>=2.10.0 # Apache-2.0 +ndg-httpsclient>=0.4.2;python_version<'3.0' # BSD @@ -7,2 +12,7 @@ flake8 -sphinx!=1.2.0,!=1.3b1,<1.3,>=1.1.2 -oslosphinx>=2.5.0 # Apache-2.0 +sphinx!=1.3b1,<1.3,>=1.2.1 # BSD +oslosphinx!=3.4.0,>=2.5.0 # Apache-2.0 +openstackdocstheme>=1.5.0 # Apache-2.0 +doc8 # Apache-2.0 +reno>=1.8.0 # Apache2 +Jinja2>=2.8 # BSD License (3 clause) +lxml>=2.3 # BSD
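Review bot: the first hunk (`@@ -1,4 +1,9 @@`) removes `ansible-lint<=2.3.9` and `ansible>=1.9.1,<2.0.0` without adding any Ansible pin in their place, so this file no longer states which Ansible release the lint and check jobs run against; if those packages now come from the centralised test scripts (5f263af) or the tox linters environment, say so in a comment next to the pip-ordering note so nobody re-adds a conflicting pin later. The `pyasn1`, `pyOpenSSL>=0.14` and `ndg-httpsclient>=0.4.2;python_version<'3.0'` additions are the Python 2 SNI support set (06997d1); a one-line comment naming that purpose would make the block safe to prune once Python 2 testing is dropped.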
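Review bot: the second hunk (`@@ -7,2 +12,7 @@`) mixes license comment spellings: `reno>=1.8.0 # Apache2` versus `# Apache-2.0` on every other Apache line, and `Jinja2>=2.8 # BSD License (3 clause)` versus the bare `# BSD` used for `sphinx` and `lxml`; use one form so the comments stay greppable. The `lxml>=2.3` floor is also far older than every other minimum in the file; if the sync with global requirements (a95aeaa) is what set it, match the version pinned there, otherwise state why such an old release is acceptable.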