packages - Package managers
Package managers provide a convenient, secure method for installing and upgrading applications on a system. They must be configured properly to ensure that software is carefully verified before it is installed.
Overview
Lorem ipsum
STIG requirements
All of the tasks for these STIG requirements are included in tasks/rhel7stig/packages.yml.
V-71855
Summary: The cryptographic hash of system files and commands must match vendor values.
Severity: High
Implementation Status: Opt-In
Deployer/Auditor notes
Ansible tasks will check the rpm -Va output (on CentOS, RHEL, openSUSE and SLE) or the output of debsums (on Ubuntu) to see if any files installed from packages have been altered. The tasks will print a list of files that have changed since their package was installed.
Deployers should be most concerned with any checksum failures for binaries and their libraries. These are most often a sign of system compromise or poor system administration practices.
Configuration files may appear in the list as well, but these are often less concerning since some of these files are adjusted by the security role itself.
Generating and validating checksums of all files installed by packages consumes a significant amount of disk I/O and could impact the performance of a production system. It can also delay the playbook's completion. Therefore, the check is disabled by default.
Deployers can enable the check by setting the following Ansible variable:
security_check_package_checksums: yes
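The triage the notes above describe (binaries and libraries first, config files second) can be scripted over rpm -Va output. This is an added example, not code from the ansible-hardening role; the sample output is constructed.

```shell
#!/bin/sh
# Added example: triage `rpm -Va` output for V-71855. Each line carries nine
# attribute flags (S size, M mode, 5 digest, T mtime, ...), then an optional
# file-type letter ("c" marks a config file), then the path; "missing"
# replaces the flags when the file is gone. Constructed sample, not real output.
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/ls
S.5....T.    /usr/bin/ps
..5......    /usr/lib64/libexample.so.1
missing     /usr/sbin/sshd
.M.......    /usr/bin/su
S.5....T.  c /etc/sudoers'

# Read rpm -Va output on stdin; print paths of files whose content digest
# differs from the package database or that are missing, skipping config
# files ("c"), which the role itself frequently edits. Mode- or mtime-only
# changes are left out because the file content is still the vendor's.
suspicious_rpm_files() {
    awk '{
        path = $NF
        is_config = ($2 == "c")
        if ($1 == "missing") { if (!is_config) print path; next }
        if (substr($1, 3, 1) == "5" && !is_config) print path
    }'
}

# Number of findings, handy for a non-zero exit in a scheduled audit job.
suspicious_rpm_count() {
    suspicious_rpm_files | grep -c ''
}

# Demo on the constructed sample; on a real host: rpm -Va | suspicious_rpm_files
printf '%s\n' "$SAMPLE_RPM_VA" | suspicious_rpm_files
```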
V-71897
Summary: The operating system must have the screen package installed.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The role will ensure that the screen package is installed.
V-71967
Summary: The rsh-server package must not be installed.
Severity: High
Implementation Status: Implemented
Deployer/Auditor notes
The role will remove the rsh-server package from the system if it is installed. Deployers can opt out of this change by setting the following Ansible variable:
security_rhel7_remove_rsh_server: no
V-71969
Summary: The ypserv package must not be installed.
Severity: High
Implementation Status: Implemented
Deployer/Auditor notes
The role will remove the NIS server package from the system if it is installed. The package name differs between Linux distributions:
CentOS: ypserv
Ubuntu: nis
openSUSE Leap: ypserv
Deployers can opt out of this change by setting the following Ansible variable:
security_rhel7_remove_ypserv: no
V-71977
Summary: The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
Severity: High
Implementation Status: Implemented
Deployer/Auditor notes
On Ubuntu systems, the tasks check for the AllowUnauthenticated string anywhere in the apt configuration files found within /etc/apt/apt.conf.d/. If the string is found, a warning is printed on the console.
On CentOS 7 systems, the tasks set the gpgcheck option to 1 in the /etc/yum.conf file. This enables GPG checks for all packages installed with yum.
On openSUSE Leap systems, the tasks set the gpgcheck option to 1 in the /etc/zypp/zypp.conf file. This enables GPG checks for all packages installed with zypper.
Setting security_enable_gpgcheck_packages to no will skip the AllowUnauthenticated string check on Ubuntu and will set gpgcheck=0 in /etc/yum.conf or /etc/zypp/zypp.conf on CentOS and openSUSE Leap systems respectively.
V-71979
Summary: The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
Severity: High
Implementation Status: Implemented
Deployer/Auditor notes
On Ubuntu systems, the tasks comment out the no-debsig configuration line in /etc/dpkg/dpkg.cfg. This causes dpkg to verify GPG signatures for all packages that are installed locally.
On CentOS 7 systems, the tasks set the localpkg_gpgcheck option to 1 in the /etc/yum.conf file. This enables GPG checks for all packages installed locally with yum.
On openSUSE Leap systems, the tasks set the gpgcheck option to 1 in the /etc/zypp/zypp.conf file. This enables GPG checks for all packages installed with zypper.
Setting security_enable_gpgcheck_packages_local to no will skip the no-debsig adjustment on Ubuntu and will set localpkg_gpgcheck=0 in /etc/yum.conf on CentOS systems. Similarly, on openSUSE Leap systems, it will set gpgcheck=0 in /etc/zypp/zypp.conf.
V-71981
Summary: The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata.
Severity: High
Implementation Status: Opt-In
Deployer/Auditor notes
The STIG requires that repository XML files are verified during yum runs.
Warning
This setting is disabled by default because it can cause issues with CentOS systems and prevent them from retrieving repository information. Deployers who choose to enable this setting should test it thoroughly on non-production environments before applying it to production systems.
Deployers can override this default and opt in for the change by setting the following Ansible variable:
security_enable_gpgcheck_repo: yes
V-71987
Summary: The operating system must remove all software components after updated versions have been installed.
Severity: Low
Implementation Status: Opt-In
Deployer/Auditor notes
Although the STIG requires that dependent packages are removed automatically when a package is removed, this can cause problems with certain packages, especially kernels. Deployers must opt in to meet the requirements of this STIG control.
Deployers should set the following variable to enable automatic dependent package removal:
security_package_clean_on_remove: yes
V-71997
Summary: The operating system must be a vendor supported release.
Severity: High
Implementation Status: Exception - Manual Intervention
Deployer/Auditor notes
The STIG requires that the current release of the operating system is still supported and is actively receiving security updates. Deployers are urged to stay current with the latest releases from Ubuntu, SUSE, CentOS and Red Hat.
The following links provide more details on end of life (EOL) dates for the distributions supported by this role:
V-71999
Summary: Vendor packaged system security patches and updates must be installed and up to date.
Severity: Medium
Implementation Status: Opt-In
Deployer/Auditor notes
Although the STIG requires that security patches and updates are applied when they are made available, this might be disruptive to some systems. Therefore, the tasks in the security role will not configure automatic updates by default.
Deployers can opt in for automatic package updates by setting the following Ansible variable:
security_rhel7_automatic_package_updates: yes
When enabled, the tasks install and configure yum-cron on CentOS and Red Hat Enterprise Linux. On Ubuntu systems, the unattended-upgrades package is installed and configured. On openSUSE Leap and SUSE Linux Enterprise systems, a daily cronjob is installed.
V-72077
Summary: The telnet-server package must not be installed.
Severity: High
Implementation Status: Implemented
Deployer/Auditor notes
The role will remove the telnet server package from the system if it is installed. The package name differs between Linux distributions:
CentOS: telnet-server
Ubuntu: telnetd
openSUSE Leap: telnet-server
Deployers can opt out of this change by setting the following Ansible variable:
security_rhel7_remove_telnet_server: no
V-72233
Summary: All networked systems must have SSH installed.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The STIG requires that every system has an ssh client and server installed. The role installs the following packages:
CentOS: openssh-clients, openssh-server
Ubuntu: openssh-client, openssh-server
openSUSE Leap: openssh
V-72299
Summary: A File Transfer Protocol (FTP) server package must not be installed unless needed.
Severity: High
Implementation Status: Not Implemented
Deployer/Auditor notes
This STIG is not yet implemented.
V-72301
Summary: The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for operational support.
Severity: High
Implementation Status: Implemented
Deployer/Auditor notes
The role will remove the TFTP server package from the system if it is installed. The package name differs between Linux distributions:
CentOS: tftp-server
Ubuntu: tftpd
openSUSE Leap: tftp
Deployers can opt out of this change by setting the following Ansible variable:
security_rhel7_remove_tftp_server: no
V-72307
Summary: An X Windows display manager must not be installed unless approved.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The role will remove the xorg server package from the system if it is installed. The package name differs between Linux distributions:
CentOS: xorg-x11-server-Xorg
Ubuntu: xorg-xserver
openSUSE Leap: xorg-x11-server
Deployers can opt out of this change by setting the following Ansible variable:
security_rhel7_remove_xorg: no
V-72417
Summary: The operating system must have the required packages for multifactor authentication installed.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The STIG requires that the following multifactor authentication packages are installed:
authconfig
authconfig-gtk
esc
pam_pkcs11
These packages are benign if they are not needed on a system, but authconfig-gtk may cause some graphical dependencies to be installed which may not be needed on some systems. The security role installs these packages, but it skips the installation of authconfig-gtk. Deployers can install the graphical package manually if needed.