Security hardening for openstack-ansible
Ensuring all packages’ cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.
Details: V-38462 in STIG Viewer.
Ubuntu checks packages against GPG signatures by default. Signature checking can be turned off for all package installations by a setting in /etc/apt/apt.conf.d/, and the Ansible task searches for that setting. A warning is printed if the AllowUnauthenticated configuration option is present in the apt configuration directories.
Please note that users can pass an argument on the apt command line to bypass the checks as well, but that’s outside the scope of this check and remediation.
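The same check can be run by hand on a host. The shell function below is an added example, not the code in tasks/apt.yml; the name audit_apt_unauth and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the project's tasks/apt.yml.
# audit_apt_unauth PATH...   (each PATH is an apt config file or directory)
# Prints "file:line:text" for every non-comment line naming the
# AllowUnauthenticated option. Exit status 0 if any was found, 1 if clean.
audit_apt_unauth() {
    result=1
    for target in "$@"; do
        for f in "$target" "$target"/*; do
            [ -f "$f" ] || continue
            # Substring match also catches the nested APT { Get { ... } } form;
            # apt treats option names case-insensitively.
            if awk '
                /^[ \t]*(\/\/|#)/ { next }    # skip whole-line comments
                tolower($0) ~ /allowunauthenticated/ {
                    printf "%s:%d:%s\n", FILENAME, FNR, $0; hit = 1
                }
                END { exit hit ? 0 : 1 }
            ' "$f"; then
                result=0
            fi
        done
    done
    return "$result"
}

# Constructed sample directory standing in for /etc/apt/apt.conf.d/.
demo_dir=$(mktemp -d)
printf '%s\n' '// APT::Get::AllowUnauthenticated "true";' > "$demo_dir/10-commented"
printf '%s\n' 'APT::Get::AllowUnauthenticated "true";'    > "$demo_dir/99-insecure"
if audit_apt_unauth "$demo_dir"; then
    echo "WARNING: AllowUnauthenticated is present in the apt configuration" >&2
fi
rm -rf "$demo_dir"
```

On a real host, call it as `audit_apt_unauth /etc/apt/apt.conf /etc/apt/apt.conf.d`.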
The Red Hat GPG keys are necessary to cryptographically verify packages are from Red Hat.
Details: V-38476 in STIG Viewer.
The STIG talks about yum having the RHN GPG keys installed, but this requirement has been adapted to check for the Ubuntu signing keys normally present in Ubuntu 14.04.
See tasks/apt.yml for more details:
# apt-key list
/etc/apt/trusted.gpg
--------------------
pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub 2048g/79164387 2004-09-12
pub 1024D/FBB75451 2004-12-30
uid Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>
pub 4096R/C0B21F32 2012-05-11
uid Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>
pub 4096R/EFE21092 2012-05-11
uid Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.
Details: V-38491 in STIG Viewer.
The Ansible task will check for the presence of /etc/hosts.equiv and /root/.rhosts. Both of those files could potentially be used with rsh for host access, but rshd is not installed by default with Ubuntu 14.04 or openstack-ansible.
If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
Details: V-38497 in STIG Viewer.
Ubuntu 14.04 allows accounts with null passwords to authenticate via PAM by default. This STIG requires that those login attempts are blocked.
In Ubuntu, this functionality is controlled by the nullok_secure parameter found in /etc/pam.d/common-auth. The Ansible task for this STIG will remove the nullok_secure from the PAM configuration file. The effects of the change are immediate and no service restarts are required.
However, deployers can opt out of this change by adjusting an Ansible variable:
pam_remove_nullok: no
Setting the variable to yes (the default) will cause the Ansible tasks to remove the nullok_secure parameter while setting the variable to no will leave the PAM configuration unchanged.
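To see what removing the parameter does to the PAM configuration, the following added example (not the project's Ansible task) finds and strips the token on a copy of the file. The function names and the sample common-auth content are constructed; handling of plain nullok alongside nullok_secure is an addition of this example.

```shell
#!/bin/sh
# Added example, not the project's Ansible task.
# pam_nullok_lines FILE: print "line:text" for active pam_unix.so lines that
# carry nullok_secure (or plain nullok, an addition of this example).
# Exit status 0 if any such line exists, 1 otherwise.
pam_nullok_lines() {
    awk '
        /^[ \t]*#/ { next }
        /pam_unix\.so/ && ($0 " ") ~ /[ \t]nullok(_secure)?[ \t]/ {
            printf "%d:%s\n", FNR, $0; hit = 1
        }
        END { exit hit ? 0 : 1 }
    ' "$1"
}

# strip_nullok FILE: write FILE to stdout with those tokens removed from
# active pam_unix.so lines; comments and other modules pass through unchanged.
strip_nullok() {
    awk '
        /^[ \t]*#/ || !/pam_unix\.so/ { print; next }
        {
            line = $0 " "
            while (match(line, /[ \t]+nullok(_secure)?[ \t]/))
                line = substr(line, 1, RSTART - 1) " " substr(line, RSTART + RLENGTH)
            sub(/[ \t]+$/, "", line)
            print line
        }
    ' "$1"
}

# Constructed sample modelled on an Ubuntu 14.04 style common-auth.
sample=$(mktemp)
printf 'auth\t[success=1 default=ignore]\tpam_unix.so nullok_secure\n' >  "$sample"
printf 'auth\trequisite\t\t\tpam_deny.so\n'                            >> "$sample"
echo "before:"; pam_nullok_lines "$sample"
strip_nullok "$sample" > "$sample.new"
echo "after:";  pam_nullok_lines "$sample.new" || echo "(no nullok tokens left)"
rm -f "$sample" "$sample.new"
```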
Removing the “telnet-server” package decreases the risk of the unencrypted telnet service’s accidental (or intentional) activation. Mitigation: If the telnet-server package is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.
Details: V-38587 in STIG Viewer.
The telnetd service will be removed by the Ansible tasks if it is installed. To opt out of this change, adjust the following variable to no:
security_remove_telnet_server: no
The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks. Mitigation: If an enabled telnet daemon is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.
Details: V-38589 in STIG Viewer.
Fixed by another STIG
Neither Ubuntu nor openstack-ansible installs the telnet daemon by default. Running a telnet daemon isn’t recommended in most situations, so the telnet server package will be removed from the system if it is installed.
The telnet server is removed by the Ansible tasks for V-38587, so no action is required here.
The “rsh-server” package provides several obsolete and insecure network services. Removing it decreases the risk of those services’ accidental (or intentional) activation.
Details: V-38591 in STIG Viewer.
The rshd service will be removed by the Ansible tasks if it is installed. To opt out of this change, adjust the following variable to no:
security_remove_rsh_server: no
The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
Details: V-38594 in STIG Viewer.
Fixed by another STIG
Neither Ubuntu nor openstack-ansible installs the rsh daemon by default. Running an rsh daemon isn’t recommended in most situations, so the rsh server package will be removed from the system if it is installed.
The rsh server is removed by the Ansible tasks for V-38591, so no action is required here.
The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
Details: V-38598 in STIG Viewer.
Fixed by another STIG
The rexecd daemon is part of the package that contains the rsh daemon.
Neither Ubuntu nor openstack-ansible installs the rsh daemon by default. Running an rsh daemon isn’t recommended in most situations, so the rsh server package will be removed from the system if it is installed.
The rsh server is removed by the Ansible tasks for V-38591, so no action is required here.
The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
Details: V-38602 in STIG Viewer.
Fixed by another STIG
The rlogind daemon is part of the package that contains the rsh daemon.
Neither Ubuntu nor openstack-ansible installs the rsh daemon by default. Running an rsh daemon isn’t recommended in most situations, so the rsh server package will be removed from the system if it is installed.
The rsh server is removed by the Ansible tasks for V-38591, so no action is required here.
SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.
Details: V-38607 in STIG Viewer.
The tasks in sshd.yml will ensure that SSH uses protocol version 2.
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
Details: V-38614 in STIG Viewer.
The tasks in sshd.yml will ensure that SSH does not allow empty passwords.
Presence of the default SNMP password enables querying of different system aspects and could result in unauthorized knowledge of the system.
Details: V-38653 in STIG Viewer.
Exception
The openstack-ansible project doesn’t install snmpd by default, and neither does Ubuntu 14.04. Deployers are strongly recommended to use SNMPv3 with strong passwords for all connectivity if they choose to install snmpd.
Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.
Details: V-38666 in STIG Viewer.
Exception
Installing an antivirus program on openstack-ansible infrastructure is left up to the deployer. There are strong arguments against virus scanners due to detection failures and performance impacts.
For deployers who require an antivirus solution, refer to the suggestions and examples in Ubuntu’s documentation on antivirus software.
A locally logged-in user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.
Details: V-38668 in STIG Viewer.
The control-alt-delete keyboard sequence is disabled by an Ansible task in /etc/init/control-alt-delete.conf. A reboot is recommended to apply the change.
Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user.
Details: V-38677 in STIG Viewer.
The tasks in nfsd.yml first check to see if the system has NFS exports. If so, they then check for the presence of ‘insecure_locks’.
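A plain substring search for insecure_locks is easy to get wrong, since exports entries can span continued lines and carry per-client option lists. The parser below is an added example, not the code in nfsd.yml; the function name and sample exports are constructed, and it also reports no_auth_nlm, which exports(5) documents as a synonym.

```shell
#!/bin/sh
# Added example, not the project's nfsd.yml.
# exports_insecure_locks FILE
# Prints "export client option" for every client entry whose option list
# contains insecure_locks (or its exports(5) synonym no_auth_nlm) as an exact
# token, so secure_locks never matches. Exit status 0 if any entry was found.
# Assumes export paths contain no whitespace.
exports_insecure_locks() {
    awk '
        { sub(/#.*/, "") }                                # drop comments
        /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }  # join continued lines
        {
            $0 = buf $0; buf = ""
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match($i, /\(.*\)/)) {                # client(opt,opt,...)
                    client = substr($i, 1, RSTART - 1)
                    opts = substr($i, RSTART + 1, RLENGTH - 2)
                } else if ($i ~ /^-/) {                   # -opt,opt default list
                    client = "<default>"; opts = substr($i, 2)
                }
                if (client == "") client = "*"            # bare (opts) = any host
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++)
                    if (o[j] == "insecure_locks" || o[j] == "no_auth_nlm") {
                        print $1, client, o[j]; hit = 1
                    }
            }
        }
        END { exit hit ? 0 : 1 }
    ' "$1"
}

# Constructed sample standing in for /etc/exports.
sample=$(mktemp)
printf '%s\n' \
    '/srv/images 10.0.0.0/24(rw,sync,insecure_locks)' \
    '/srv/logs   192.0.2.10(ro,secure_locks) \' \
    '            192.0.2.11(rw,no_auth_nlm)' \
    '# /srv/old  *(rw,insecure_locks)' > "$sample"
exports_insecure_locks "$sample" || echo "no insecure lock options found"
rm -f "$sample"
```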
Using the “-s” option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally specified directory reduces the risk of sharing files which should remain private.
Details: V-38701 in STIG Viewer.
Exception
Neither Ubuntu 14.04 nor openstack-ansible adds a tftp daemon to the system. The xinetd service is also not installed.