Newton Series Release Notes
14.0.5
New Features
- The installation of chrony is still enabled by default, but it is now controlled by the security_enable_chrony variable.
14.0.0
New Features
- The role now enables auditing during early boot to comply with the requirements in V-38438. By default, both the GRUB configuration variables in /etc/default/grub.d/ and the active grub.cfg will be updated. Deployers can opt out of the change entirely by setting a variable:
  security_enable_audit_during_boot: no
  Deployers may opt in to the change without automatically updating the active grub.cfg file by setting the following Ansible variables:
  security_enable_audit_during_boot: yes
  security_enable_grub_update: no
- A task was added to disable secure ICMP redirects per the requirements in V-38526. This change can cause problems in some environments, so it is disabled by default. Deployers can enable the task (which disables secure ICMP redirects) by setting security_disable_icmpv4_redirects_secure to yes.
- A new task was added to disable ICMPv6 redirects per the requirements in V-38548. However, since this change can cause problems in running OpenStack environments, it is disabled by default. Deployers who wish to enable this task (and disable ICMPv6 redirects) should set security_disable_icmpv6_redirects to yes.
- AIDE is configured to skip the entire /var directory when it initializes its database and when it performs checks. This reduces disk I/O and allows these jobs to complete faster. This also allows the initialization to become a blocking process, and Ansible will wait for the initialization to complete prior to running the next task.
- The auditd rules template included a rule that audited changes to the AppArmor policies, but SELinux policy changes were not being audited. Any changes to SELinux policies in /etc/selinux are now logged by auditd.
- Although the STIG requires martian packets to be logged, the logging is now disabled by default. The logs can quickly fill up a syslog server or make a physical console unusable. Deployers that need this logging enabled will need to set the following Ansible variable:
  security_sysctl_enable_martian_logging: yes
- The security role now has tasks that will disable the graphical interface on a server using upstart (Ubuntu 14.04) or systemd (Ubuntu 16.04 and CentOS 7). These changes take effect after a reboot. Deployers that need a graphical interface will need to set the following Ansible variable:
  security_disable_x_windows: no
- An Ansible task was added to disable the rdisc service on CentOS systems if the service is installed on the system. Deployers can opt out of this change by setting security_disable_rdisc to no.
- The Linux Security Module (LSM) that is appropriate for the Linux distribution in use will be automatically enabled by the security role by default. Deployers can opt out of this change by setting the following Ansible variable:
  security_enable_linux_security_module: False
  The documentation for STIG V-51337 has more information about how each LSM is enabled, along with special notes for SELinux.
- A task was added that restricts ICMPv4 redirects to meet the requirements of V-38524 in the STIG. This configuration is disabled by default since it could cause issues with LXC in some environments. Deployers can enable this configuration by setting an Ansible variable:
  security_disable_icmpv4_redirects: yes
- The audit rules added by the security role now have key fields that make it easier to link the audit log entry to the audit rule that caused it to appear.
- A new configuration parameter, security_ntp_bind_local_interfaces, was added to the security role to restrict the network interface on which chronyd will listen for NTP requests.
- The security role now supports the ability to configure whether apt/yum tasks install the latest available package, or just ensure that the package is present. The default action is to ensure that the latest package is present. The action taken may be changed to only ensure that the package is present by setting security_package_state to present.
- The GPG key checks for package verification in V-38476 are now working for Red Hat Enterprise Linux 7 in addition to CentOS 7. The checks only look for GPG keys from Red Hat; any other GPG keys, such as ones imported from the EPEL repository, are skipped.
- Tasks were added to search for any device files without a proper SELinux label on CentOS systems. If any of these device labels are found, the playbook execution will stop with an error message.
- The openstack-ansible-security role supports the application of the Red Hat Enterprise Linux 6 STIG configurations to systems running CentOS 7 and Ubuntu 16.04 LTS.
Upgrade Notes
- The variable security_audit_apparmor_changes is now renamed to security_audit_mac_changes and is enabled by default. Setting security_audit_mac_changes to no will disable syscall auditing for any changes to AppArmor policies (in Ubuntu) or SELinux policies (in CentOS).
- The variable security_sysctl_enable_tcp_syncookies has replaced security_sysctl_tcp_syncookies, and it is now a boolean instead of an integer. It is still enabled by default, but deployers can disable TCP syncookies by setting the following Ansible variable:
  security_sysctl_enable_tcp_syncookies: no
- The security role always checks whether the latest package is installed when executed. If a deployer wishes to change the check to only validate the presence of the package, the option security_package_state should be set to present.
- All of the discretionary access control (DAC) auditing is now disabled by default. This reduces the amount of logs generated during deployments and minor upgrades. The following variables are now set to no:
  security_audit_DAC_chmod: no
  security_audit_DAC_chown: no
  security_audit_DAC_lchown: no
  security_audit_DAC_fchmod: no
  security_audit_DAC_fchmodat: no
  security_audit_DAC_fchown: no
  security_audit_DAC_fchownat: no
  security_audit_DAC_fremovexattr: no
  security_audit_DAC_lremovexattr: no
  security_audit_DAC_fsetxattr: no
  security_audit_DAC_lsetxattr: no
  security_audit_DAC_setxattr: no
- All variables in the security role are now prepended with security_ to avoid collisions with variables in other roles. All deployers who have used the security role in previous releases will need to prepend all security role variables with security_. For example, a deployer could have disabled direct root ssh logins with the following variable:
  ssh_permit_root_login: yes
  That variable would become:
  security_ssh_permit_root_login: yes
Bug Fixes
- The /run directory is excluded from AIDE checks since the files and directories there are only temporary and often change when services start and stop.
- AIDE initialization is now always run on subsequent playbook runs when security_initialize_aide is set to yes. The initialization will be skipped if AIDE isn't installed or if the AIDE database already exists. See bug 1616281 for more details.
- The role previously did not restart the audit daemon after generating a new rules file. The bug has been fixed and the audit daemon will be restarted after any audit rule changes.
- The dictionary-based variables in defaults/main.yml are now individual variables. The dictionary-based variables could not be changed as the documentation instructed; instead, it was required to override the entire dictionary. Deployers must use the new variable names to enable or disable the security configuration changes applied by the security role. For more information, see Launchpad Bug 1577944.
- Failed access logging is now disabled by default and can be enabled by changing security_audit_failed_access to yes. The rsyslog daemon checks for the existence of log files regularly, and this audit rule was triggered very frequently, which led to very large audit logs.
- An Ansible task was added to disable the netconsole service on CentOS systems if the service is installed on the system. Deployers can opt out of this change by setting security_disable_netconsole to no.
- The security role previously set the permissions on all audit log files in /var/log/audit to 0400, but this prevents the audit daemon from writing to the active log file, which in turn prevents auditd from starting or restarting cleanly. The task now removes any permissions that are not allowed by the STIG. Any log files that meet or exceed the STIG requirements will not be modified.
- When the security role was run in Ansible's check mode and a tag was provided, the check_mode variable was not being set. Any tasks which depend on that variable would fail. This bug is fixed and the check_mode variable is now set properly on every playbook run.
- The security role now handles ssh_config files that contain Match stanzas. A marker is added to the configuration file and any new configuration items will be added below that marker. In addition, the configuration file is validated for each change to the ssh configuration file.
- The auditd rules for auditing V-38568 (filesystem mounts) were incorrectly labeled in the auditd logs with the key of export-V-38568. They are now correctly logged with the key filesystem_mount-V-38568.