Package managers provide a convenient, secure method for installing and upgrading applications on a system. They must be configured properly to ensure that software is carefully verified before it is installed.
All of the tasks for these STIG requirements are included in tasks/rhel7stig/packages.yml.
Ansible tasks will check the rpm -Va output (on CentOS, RHEL, openSUSE and SLE) or the output of debsums (on Ubuntu) to see if any files installed from packages have been altered. The tasks will print a list of files that have changed since their package was installed.
Deployers should be most concerned with any checksum failures for binaries and their libraries. These are most often a sign of system compromise or poor system administration practices.
Configuration files may appear in the list as well, but these are often less concerning since some of these files are adjusted by the security role itself.
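As an added illustration (not part of the role or this documentation), the following Python triages constructed rpm -Va output along the lines the two paragraphs above suggest: digest mismatches or missing files under binary and library directories rank highest, %config files lowest. The sample output, the directory list and the severity names are assumptions made here.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of ``rpm -Va`` output (not captured from a real host). Each line
# is nine verification flags (or the word "missing"), an optional attribute letter
# (c = %config, d = %doc, ...) and the path. A "5" flag means the digest differs.
SAMPLE_RPM_VA = """\
S.5....T.    /usr/bin/passwd
.......T.  c /etc/ssh/sshd_config
S.5....T.  c /etc/yum.conf
missing     /usr/lib64/libexample.so.1
..5......    /usr/lib64/libcrypto.so.1.0.2k
.M.......    /var/log/lastlog
.......T.  d /usr/share/doc/bash/README
"""

LINE_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$")
# Assumed set of directories holding executables and shared libraries.
CODE_DIRS = ("/bin/", "/sbin/", "/lib/", "/lib64/", "/usr/bin/", "/usr/sbin/",
             "/usr/lib/", "/usr/lib64/", "/usr/libexec/")

@dataclass
class Finding:
    path: str
    severity: str  # "high", "medium", "low" or "info"
    reason: str

def triage(rpm_va_output: str) -> list[Finding]:
    """Classify each rpm -Va line; config-file drift is expected, changed binaries are not."""
    findings = []
    for line in rpm_va_output.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # blank lines or anything not in verify format
        flags, attr, path = m.group("flags"), m.group("attr"), m.group("path")
        content_changed = flags == "missing" or "5" in flags
        if attr == "c":
            sev, why = "low", "config file differs from package (may be set by the role)"
        elif content_changed and path.startswith(CODE_DIRS):
            sev, why = "high", "binary or library missing or content changed"
        elif content_changed:
            sev, why = "medium", "file content changed outside binary/library paths"
        else:
            sev, why = "info", "only metadata (mode, owner, mtime, ...) differs"
        findings.append(Finding(path, sev, why))
    return findings

def high_risk_paths(rpm_va_output: str) -> list[str]:
    return [f.path for f in triage(rpm_va_output) if f.severity == "high"]
```

debsums prints a different format ("/path  FAILED"), so the parser above covers rpm-based systems only.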
The role will ensure that the screen package is installed.
The role will remove the rsh-server package from the system if it is installed. Deployers can opt-out of this change by setting the following Ansible variable:
security_rhel7_remove_rsh_server: no
The role will remove the NIS server package from the system if it is installed. The package name differs between Linux distributions:
CentOS: ypserv
Ubuntu: nis
openSUSE Leap: ypserv
Deployers can opt-out of this change by setting the following Ansible variable:
security_rhel7_remove_ypserv: no
On Ubuntu systems, the tasks check for the AllowUnauthenticated string anywhere in the apt configuration files found within /etc/apt/apt.conf.d/. If the string is found, a warning is printed on the console.
On CentOS 7 systems, the tasks set the gpgcheck option to 1 in the /etc/yum.conf file. This enables GPG checks for all packages installed with yum.
On openSUSE Leap systems, the tasks set the gpgcheck option to 1 in the /etc/zypp/zypp.conf file. This enables GPG checks for all packages installed with zypper.
Setting security_enable_gpgcheck_packages to no will skip the AllowUnauthenticated string check on Ubuntu, and it will set gpgcheck=0 in /etc/yum.conf or /etc/zypp/zypp.conf on CentOS and openSUSE Leap systems respectively.
On Ubuntu systems, the tasks comment out the no-debsig configuration line in /etc/dpkg/dpkg.cfg. This causes dpkg to verify GPG signatures for all packages that are installed locally.
On CentOS 7 systems, the tasks set the localpkg_gpgcheck option to 1 in the /etc/yum.conf file. This enables GPG checks for all packages installed locally with yum.
On openSUSE Leap systems, the tasks set the gpgcheck option to 1 in the /etc/zypp/zypp.conf file. This enables GPG checks for all packages installed with zypper.
Setting security_enable_gpgcheck_packages_local to no will skip the no-debsig adjustment on Ubuntu, and it will set localpkg_gpgcheck=0 in /etc/yum.conf on CentOS systems. Similarly, on openSUSE Leap systems, it will set gpgcheck=0 in /etc/zypp/zypp.conf.
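As an added example (not the role's own tasks), the following Python audits the settings described in the repository-package and local-package paragraphs above: gpgcheck and localpkg_gpgcheck in yum.conf (or the single gpgcheck in zypp.conf), the AllowUnauthenticated string in apt.conf.d and an active no-debsig in dpkg.cfg. The configuration snippets are constructed and the function names are assumptions made here.

```python
from __future__ import annotations
import configparser

# Constructed configuration snippets (not taken from a real system): a weak
# /etc/yum.conf beside the settings the role applies, an apt.conf.d fragment that
# allows unauthenticated packages, and a dpkg.cfg with no-debsig active.
WEAK_YUM_CONF = """\
[main]
cachedir=/var/cache/yum/$basearch/$releasever
gpgcheck=0
plugins=1
"""
HARDENED_YUM_CONF = "[main]\ngpgcheck=1\nlocalpkg_gpgcheck=1\n"
WEAK_APT_CONF = 'APT::Get::AllowUnauthenticated "true";\n'
WEAK_DPKG_CFG = "# dpkg configuration\nno-debsig\nlog /var/log/dpkg.log\n"
HARDENED_DPKG_CFG = "# dpkg configuration\n# no-debsig\nlog /var/log/dpkg.log\n"


def audit_gpgcheck(conf_text: str, local_option: str | None = "localpkg_gpgcheck") -> list[str]:
    """Check the [main] section of yum.conf; pass local_option=None for zypp.conf,
    where a single gpgcheck setting covers repository and local packages."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    wanted = ["gpgcheck"] + ([local_option] if local_option else [])
    # An absent option is reported too: only an explicit 1/yes/on counts as enabled.
    return [f"{opt} is not enabled in [main]" for opt in wanted
            if not cp.getboolean("main", opt, fallback=False)]


def audit_apt_conf(conf_text: str) -> list[str]:
    """Mirror the role's check: warn on the string anywhere, whatever its value."""
    return [f"AllowUnauthenticated present: {ln.strip()}"
            for ln in conf_text.splitlines() if "AllowUnauthenticated" in ln]


def audit_dpkg_cfg(conf_text: str) -> list[str]:
    """An uncommented no-debsig line disables dpkg's signature verification."""
    return ["no-debsig is active in dpkg.cfg"
            for ln in conf_text.splitlines() if ln.strip() == "no-debsig"]
```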
The STIG requires that repository XML files are verified during yum runs.
Warning: This setting is disabled by default because it can cause issues with CentOS systems and prevent them from retrieving repository information. Deployers who choose to enable this setting should test it thoroughly on non-production environments before applying it to production systems.
Deployers can override this default and opt in for the change by setting the following Ansible variable:
security_enable_gpgcheck_repo: yes
Although the STIG requires that dependent packages are removed automatically when a package is removed, this can cause problems with certain packages, especially kernels. Deployers must opt in to meet the requirements of this STIG control.
Deployers should set the following variable to enable automatic dependent package removal:
security_package_clean_on_remove: yes
The STIG requires that the current release of the operating system is still supported and is actively receiving security updates. Deployers are urged to stay current with the latest releases from Ubuntu, SUSE, CentOS and Red Hat.
The following links provide more details on end of life (EOL) dates for the distributions supported by this role:
Although the STIG requires that security patches and updates are applied when they are made available, this might be disruptive to some systems. Therefore, the tasks in the security role will not configure automatic updates by default.
Deployers can opt in for automatic package updates by setting the following Ansible variable:
security_rhel7_automatic_package_updates: yes
When enabled, the tasks install and configure yum-cron on CentOS and Red Hat Enterprise Linux. On Ubuntu systems, the unattended-upgrades package is installed and configured. On openSUSE Leap and SUSE Linux Enterprise systems, a daily cronjob is installed.
The role will remove the telnet server package from the system if it is installed. The package name differs between Linux distributions:
CentOS: telnet-server
Ubuntu: telnetd
openSUSE Leap: telnet-server
Deployers can opt-out of this change by setting the following Ansible variable:
security_rhel7_remove_telnet_server: no
The STIG requires that every system has an ssh client and server installed. The role installs the following packages:
CentOS: openssh-clients, openssh-server
Ubuntu: openssh-client, openssh-server
openSUSE Leap: openssh
This STIG is not yet implemented.
The role will remove the TFTP server package from the system if it is installed. The package name differs between Linux distributions:
CentOS: tftp-server
Ubuntu: tftpd
openSUSE Leap: tftp
Deployers can opt-out of this change by setting the following Ansible variable:
security_rhel7_remove_tftp_server: no
The role will remove the xorg server package from the system if it is installed. The package name differs between Linux distributions:
CentOS: xorg-x11-server-Xorg
Ubuntu: xorg-xserver
openSUSE Leap: xorg-x11-server
Deployers can opt-out of this change by setting the following Ansible variable:
security_rhel7_remove_xorg: no
The STIG requires that the following multifactor authentication packages are installed:
These packages are benign if they are not needed on a system, but authconfig-gtk may cause some graphical dependencies to be installed which may not be needed on some systems. The security role installs these packages, but it skips the installation of authconfig-gtk. Deployers can install the graphical package manually if needed.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.