Liberty Series Release Notes
12.2.5
New Features
- AIDE is configured to skip the entire /var directory when it does the database initialization and when it performs checks. This reduces disk I/O and allows these jobs to complete faster. This also allows the initialization to become a blocking process and Ansible will wait for the initialization to complete prior to running the next task.
- Although the STIG requires martian packets to be logged, the logging is now disabled by default. The logs can quickly fill up a syslog server or make a physical console unusable. Deployers that need this logging enabled will need to set the following Ansible variable:
  security_sysctl_enable_martian_logging: yes
Upgrade Notes
- All of the discretionary access control (DAC) auditing is now disabled by default. This reduces the amount of logs generated during deployments and minor upgrades. The following variables are now set to no:
  security_audit_DAC_chmod: no
  security_audit_DAC_chown: no
  security_audit_DAC_lchown: no
  security_audit_DAC_fchmod: no
  security_audit_DAC_fchmodat: no
  security_audit_DAC_fchown: no
  security_audit_DAC_fchownat: no
  security_audit_DAC_fremovexattr: no
  security_audit_DAC_lremovexattr: no
  security_audit_DAC_fsetxattr: no
  security_audit_DAC_lsetxattr: no
  security_audit_DAC_setxattr: no
Bug Fixes
- The /run directory is excluded from AIDE checks since the files and directories there are only temporary and often change when services start and stop.
- AIDE initialization is now always run on subsequent playbook runs when initialize_aide is set to yes. The initialization will be skipped if AIDE isn't installed or if the AIDE database already exists. See bug 1616281 for more details.
- The auditd rules for auditing V-38568 (filesystem mounts) were incorrectly labeled in the auditd logs with the key of export-V-38568. They are now correctly logged with the key filesystem_mount-V-38568.
12.0.16
New Features
- The audit rules added by the security role now have key fields that make it easier to link the audit log entry to the audit rule that caused it to appear.
Bug Fixes
- The role previously did not restart the audit daemon after generating a new rules file. The bug has been fixed and the audit daemon will be restarted after any audit rule changes.
- When the security role was run in Ansible's check mode and a tag was provided, the check_mode variable was not being set. Any tasks which depend on that variable would fail. This bug is fixed and the check_mode variable is now set properly on every playbook run.
12.0.15
Bug Fixes
- The security role previously set the permissions on all audit log files in /var/log/audit to 0400, but this prevents the audit daemon from writing to the active log file. This will prevent auditd from starting or restarting cleanly. The task now removes any permissions that are not allowed by the STIG. Any log files that meet or exceed the STIG requirements will not be modified.
12.0.14
Bug Fixes
- The dictionary-based variables in defaults/main.yml are now individual variables. The dictionary-based variables could not be changed as the documentation instructed. Instead it was required to override the entire dictionary. Deployers must use the new variable names to enable or disable the security configuration changes applied by the security role. For more information, see Launchpad Bug 1577944.
- Failed access logging is now disabled by default and can be enabled by changing security_audit_failed_access to yes. The rsyslog daemon checks for the existence of log files regularly and this audit rule was triggered very frequently, which led to very large audit logs.
- The security role now handles ssh_config files that contain Match stanzas. A marker is added to the configuration file and any new configuration items will be added below that marker. In addition, the configuration file is validated for each change to the ssh configuration file.
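The Match-stanza handling described in the last entry, as an added example that is not the security role's own code: managed SSH directives are written under a marker placed before the first Match stanza (directives after a Match apply only to that stanza, and SSH keeps the first value it reads for a keyword), and a small scope check stands in for the validation step. The marker text, the sample configuration and the function names are assumptions.

```python
"""Added example (not the security role's own code): write role-managed SSH
directives under a marker that sits before the first Match stanza. Anything after
a Match line applies only to that stanza, and the first value read for a keyword
wins. Marker text and the sample configuration below are constructed."""
import re

MARKER = "# openstack-ansible-security managed settings (constructed marker)"
MATCH_RE = re.compile(r"^\s*Match\b", re.IGNORECASE)

def apply_settings(config_text, settings):
    lines = config_text.splitlines()
    match_idx = next((i for i, l in enumerate(lines) if MATCH_RE.match(l)), len(lines))
    if MARKER not in lines:
        lines.insert(match_idx, MARKER)  # the marker must precede the first Match
        match_idx += 1
    marker_idx = lines.index(MARKER)
    if marker_idx > match_idx:
        raise ValueError("marker sits inside a Match stanza; settings there are not global")
    managed = lines[marker_idx + 1:match_idx]
    for key, value in settings.items():
        pattern = re.compile(r"^\s*%s\b" % re.escape(key), re.IGNORECASE)
        # An earlier uncommented global value would win over ours: comment it out.
        for i in range(marker_idx):
            if pattern.match(lines[i]) and not lines[i].lstrip().startswith("#"):
                lines[i] = "#" + lines[i]
        for i, line in enumerate(managed):
            if pattern.match(line):  # already managed: update in place
                managed[i] = "%s %s" % (key, value)
                break
        else:
            managed.append("%s %s" % (key, value))
    lines[marker_idx + 1:match_idx] = managed
    return "\n".join(lines) + "\n"

def global_directives(config_text):
    """Effective global keyword -> value map (first value wins; Match stanzas excluded)."""
    effective = {}
    for line in config_text.splitlines():
        if MATCH_RE.match(line):
            break
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        effective.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    return effective

SAMPLE = """Port 22
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
"""
```

Running apply_settings a second time with the same settings returns the same text, so the step is idempotent across playbook runs.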