Xena Series Release Notes
18.0.0.0b1-98
New Features
It is now possible to modify the NTP server options in chrony using security_ntp_server_options.
Chrony has a new configuration option to synchronize the system clock back to the RTC, controlled by the security_ntp_sync_rtc variable. It is disabled by default.
Added the security_rhel7_enable_aide variable, which allows deployers to skip the installation and initialization of AIDE called for by the AIDE-related STIGs.
Upgrade Notes
Changed the default NTP server options in chrony.conf. The offline option has been removed, minpoll/maxpoll have been removed in favour of the upstream defaults, and the iburst option was added to speed up initial time synchronization.
Deprecation Notes
Fedora is no longer tested in CI for each commit.
18.0.0.0b1
New Features
Fedora 27 is now supported.
Deprecation Notes
Fedora 26 support is deprecated and no longer tested on each commit.
17.0.0.0b2
New Features
Generating and validating checksums for all files installed by packages is now disabled by default. The check causes delays in playbook runs and it can consume a significant amount of CPU and I/O resources. Deployers can re-enable the check by setting security_check_package_checksums to yes.
The security_sshd_permit_root_login setting can now be set to change the PermitRootLogin setting in /etc/ssh/sshd_config to any of the possible options. Set security_sshd_permit_root_login to one of without-password, prohibit-password, forced-commands-only, yes or no.
The tasks within the ansible-hardening role are now based on Version 1, Release 3 of the Red Hat Enterprise Linux Security Technical Implementation Guide.
The sysctl parameter kernel.randomize_va_space is now set to 2 by default. This matches the default of most modern Linux distributions and it ensures that Address Space Layout Randomization (ASLR) is enabled.
The Datagram Congestion Control Protocol (DCCP) kernel module is now disabled by default, but a reboot is required to make the change effective.
Searching for world-writable files is now disabled by default. The search causes delays in playbook runs and it can consume a significant amount of CPU and I/O resources. Deployers can re-enable the search by setting security_find_world_writable_dirs to yes.
17.0.0.0b1
New Features
Deployers can now specify a custom package name or URL for an EPEL release package. CentOS systems use epel-release by default, but some deployers have a customized package that redirects servers to internal mirrors.
Fedora 26 is now supported.
The default list of NTP servers for chrony is now more friendly to users outside North America. Deployers can still provide their own list of NTP servers with the security_ntp_servers Ansible variable.
The password minimum and maximum lifetimes are now opt-in changes that can take action against user accounts instead of printing debug warnings. Refer to the documentation for STIG requirements V-71927 and V-71931 to review the opt-in process and warnings.
Upgrade Notes
The EPEL repository is only installed and configured when the deployer sets security_enable_virus_scanner to yes. This allows the ClamAV packages to be installed. If security_enable_virus_scanner is set to no (the default), the EPEL repository will not be added. See Bug 1702167 for more details.
Deployers now have the option to prevent the EPEL repository from being installed by the role. Setting security_epel_install_repository to no prevents EPEL from being installed. This setting may prevent certain packages from installing, such as ClamAV.
The tasks for V-72181, which include adding audit rules for the pt_chown command, have been removed. They are not required in the RHEL 7 STIG V1R2 release.
Deprecation Notes
Fedora 25 support is deprecated and no longer tested on each commit.
Security Issues
PermitRootLogin in the ssh configuration has changed from yes to without-password. This will only allow ssh to be used to authenticate root via a key.
Bug Fixes
The sysctl configuration task was not skipping configurations where enabled was set to no. Instead, it was removing configurations when enabled: no was set. There is now a fix in place that ensures any sysctl configuration with enabled: no will be skipped and the configuration will be left unaltered on the system.
16.0.0.0b1
Prelude
The first release of the Red Hat Enterprise Linux 7 STIG was entirely renumbered from the pre-release versions. Many of the STIG configurations simply changed numbers, but some were removed or changed. A few new configurations were added as well.
New Features
Deployers can provide a customized login banner via a new Ansible variable: security_login_banner_text. This banner text is used for non-graphical logins, which includes console and ssh logins.
Security Issues
The security role will no longer fix file permissions and ownership based on the contents of the RPM database by default. Deployers can opt in for these changes by setting security_reset_perm_ownership to yes.
The tasks that search for .shosts and shosts.equiv files (STIG ID: RHEL-07-040330) are now skipped by default. The search takes a long time to complete on systems with lots of files and it also causes a significant amount of disk I/O while it runs.
The latest version of the RHEL 7 STIG requires that a standard login banner is presented to users when they log into the system (V-71863). The security role now deploys a login banner that is used for console and ssh sessions.
The cn_map permissions and ownership adjustments included as part of RHEL-07-040070 and RHEL-07-040080 have been removed. This STIG configuration was removed in the most recent release of the RHEL 7 STIG.
The PKI-based authentication checks for RHEL-07-040030, RHEL-07-040040, and RHEL-07-040050 are no longer included in the RHEL 7 STIG. The tasks and documentation for these outdated configurations are removed.
15.0.0.0b3
New Features
The Red Hat Enterprise Linux (RHEL) 7 STIG content is now deployed by default. Deployers can continue using the RHEL 6 STIG content by setting the following Ansible variable:
stig_version: rhel6
Upgrade Notes
Deployers should review the new RHEL 7 STIG variables in defaults/main.yml to provide custom configuration for the Ansible tasks.
Deprecation Notes
The Red Hat Enterprise Linux 6 STIG content has been deprecated. The tasks and variables for the RHEL 6 STIG will be removed in a future release.
15.0.0.0b1
New Features
The installation of chrony is still enabled by default, but it is now controlled by the security_enable_chrony variable.
Upgrade Notes
The security role will accept the currently installed version of a package rather than attempting to update it. This reduces unexpected changes on the system from subsequent runs of the security role. Deployers can still set security_package_state to latest to ensure that all packages installed by the security role are up to date.
14.0.0.0rc1
New Features
The role now enables auditing during early boot to comply with the requirements in V-38438. By default, the GRUB configuration variables in /etc/default/grub.d/ will be updated and the active grub.cfg will be updated as well. Deployers can opt out of the change entirely by setting a variable:
security_enable_audit_during_boot: no
Deployers may opt in for the change without automatically updating the active grub.cfg file by setting the following Ansible variables:
security_enable_audit_during_boot: yes
security_enable_grub_update: no
Although the STIG requires martian packets to be logged, the logging is now disabled by default. The logs can quickly fill up a syslog server or make a physical console unusable.
Deployers that need this logging enabled will need to set the following Ansible variable:
security_sysctl_enable_martian_logging: yes
Upgrade Notes
All of the discretionary access control (DAC) auditing is now disabled by default. This reduces the amount of logs generated during deployments and minor upgrades. The following variables are now set to no:
security_audit_DAC_chmod: no
security_audit_DAC_chown: no
security_audit_DAC_lchown: no
security_audit_DAC_fchmod: no
security_audit_DAC_fchmodat: no
security_audit_DAC_fchown: no
security_audit_DAC_fchownat: no
security_audit_DAC_fremovexattr: no
security_audit_DAC_lremovexattr: no
security_audit_DAC_fsetxattr: no
security_audit_DAC_lsetxattr: no
security_audit_DAC_setxattr: no
Bug Fixes
The auditd rules for auditing V-38568 (filesystem mounts) were incorrectly labeled in the auditd logs with the key of export-V-38568. They are now correctly logged with the key filesystem_mount-V-38568.
14.0.0.0b3
New Features
A task was added to disable secure ICMP redirects per the requirements in V-38526. This change can cause problems in some environments, so it is disabled by default. Deployers can enable the task (which disables secure ICMP redirects) by setting security_disable_icmpv4_redirects_secure to yes.
A new task was added to disable ICMPv6 redirects per the requirements in V-38548. However, since this change can cause problems in running OpenStack environments, it is disabled by default. Deployers who wish to enable this task (and disable ICMPv6 redirects) should set security_disable_icmpv6_redirects to yes.
AIDE is configured to skip the entire /var directory when it does the database initialization and when it performs checks. This reduces disk I/O and allows these jobs to complete faster. This also allows the initialization to become a blocking process and Ansible will wait for the initialization to complete prior to running the next task.
The security role now supports the ability to configure whether apt/yum tasks install the latest available package, or just ensure that the package is present. The default action is to ensure that the latest package is present. The action taken may be changed to only ensure that the package is present by setting security_package_state to present.
Upgrade Notes
The variable security_sysctl_enable_tcp_syncookies has replaced security_sysctl_tcp_syncookies and it is now a boolean instead of an integer. It is still enabled by default, but deployers can disable TCP syncookies by setting the following Ansible variable:
security_sysctl_enable_tcp_syncookies: no
The security role always checks whether the latest package is installed when executed. If a deployer wishes to change the check to only validate the presence of the package, the option security_package_state should be set to present.
Bug Fixes
The /run directory is excluded from AIDE checks since the files and directories there are only temporary and often change when services start and stop.
AIDE initialization is now always run on subsequent playbook runs when security_initialize_aide is set to yes. The initialization will be skipped if AIDE isn’t installed or if the AIDE database already exists. See bug 1616281 for more details.
14.0.0.0b2
New Features
The security role now has tasks that will disable the graphical interface on a server using upstart (Ubuntu 14.04) or systemd (Ubuntu 16.04 and CentOS 7). These changes take effect after a reboot.
Deployers that need a graphical interface will need to set the following Ansible variable:
security_disable_x_windows: no
A task was added that restricts ICMPv4 redirects to meet the requirements of V-38524 in the STIG. This configuration is disabled by default since it could cause issues with LXC in some environments.
Deployers can enable this configuration by setting an Ansible variable:
security_disable_icmpv4_redirects: yes
The audit rules added by the security role now have key fields that make it easier to link the audit log entry to the audit rule that caused it to appear.
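As an added example (not code from the release notes or the role), the following parses the key field of audit.log records produced by rules tagged this way and maps each record back to its STIG requirement; it resolves both the old export-V-38568 and the corrected filesystem_mount-V-38568 key names from the 14.0.0.0rc1 bug fix. The sample records and the extra custom key in the hex-encoded record are constructed.

```python
"""Added example (not from the release notes or the ansible-hardening role):
link audit.log records back to a STIG requirement through the rule key, e.g.
'filesystem_mount-V-38568'. auditd prints a single key quoted; when a rule
carries several keys the field is hex-encoded with the keys joined by 0x01."""
import re
from collections import Counter

KEY_RE = re.compile(r'\bkey=(?:"([^"]*)"|([0-9A-Fa-f]+)|\(null\))')
STIG_RE = re.compile(r"-(V-\d+)$")

def audit_keys(line):
    """Return the rule keys on one audit.log line ([] if none or unparsable)."""
    m = KEY_RE.search(line)
    if not m:
        return []
    if m.group(1) is not None:          # key="single_key"
        return [m.group(1)]
    if m.group(2) is not None and len(m.group(2)) % 2 == 0:  # hex-encoded keys
        return bytes.fromhex(m.group(2)).decode("utf-8", "replace").split("\x01")
    return []                            # key=(null) or malformed hex

def stig_id(key):
    """STIG id carried by a key; the old 'export-V-38568' and the corrected
    'filesystem_mount-V-38568' both resolve to V-38568."""
    m = STIG_RE.search(key)
    return m.group(1) if m else None

def count_by_stig(lines):
    """Map STIG id -> number of records that fired a rule tagged with it."""
    counts = Counter()
    for line in lines:
        for key in audit_keys(line):
            sid = stig_id(key)
            if sid:
                counts[sid] += 1
    return dict(counts)

# Constructed sample records; timestamps, serials and the second key are made up.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1502300000.101:501): arch=c000003e syscall=165 success=yes exit=0 comm="mount" key="filesystem_mount-V-38568"',
    'type=SYSCALL msg=audit(1502300000.102:502): arch=c000003e syscall=165 success=no exit=-13 comm="mount" key="export-V-38568"',
    # a mount rule that also carries a second, custom key -> hex-encoded field
    'type=SYSCALL msg=audit(1502300000.103:503): syscall=165 comm="mount" key='
    + "filesystem_mount-V-38568\x01mounts".encode().hex().upper(),
    'type=PROCTITLE msg=audit(1502300000.103:503): proctitle=6D6F756E74',
    'type=SYSCALL msg=audit(1502300000.104:504): syscall=2 comm="cat" key=(null)',
]
```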
The GPG key checks for package verification in V-38476 are now working for Red Hat Enterprise Linux 7 in addition to CentOS 7. The checks only look for GPG keys from Red Hat and any other GPG keys, such as ones imported from the EPEL repository, are skipped.
Bug Fixes
The role previously did not restart the audit daemon after generating a new rules file. The bug has been fixed and the audit daemon will be restarted after any audit rule changes.
When the security role was run in Ansible’s check mode and a tag was provided, the check_mode variable was not being set. Any tasks which depend on that variable would fail. This bug is fixed and the check_mode variable is now set properly on every playbook run.
14.0.0.0b1
New Features
The auditd rules template included a rule that audited changes to the AppArmor policies, but the SELinux policy changes were not being audited. Any changes to SELinux policies in /etc/selinux are now being logged by auditd.
An Ansible task was added to disable the rdisc service on CentOS systems if the service is installed on the system. Deployers can opt out of this change by setting security_disable_rdisc to no.
The Linux Security Module (LSM) that is appropriate for the Linux distribution in use will be automatically enabled by the security role by default. Deployers can opt out of this change by setting the following Ansible variable:
security_enable_linux_security_module: False
The documentation for STIG V-51337 has more information about how each LSM is enabled along with special notes for SELinux.
A new configuration parameter
security_ntp_bind_local_interfaces
was added to the security role to restrict the network interface to which chronyd will listen for NTP requests.
Tasks were added to search for any device files without a proper SELinux label on CentOS systems. If any of these device labels are found, the playbook execution will stop with an error message.
The openstack-ansible-security role supports the application of the Red Hat Enterprise Linux 6 STIG configurations to systems running CentOS 7 and Ubuntu 16.04 LTS.
Upgrade Notes
The variable security_audit_apparmor_changes is now renamed to security_audit_mac_changes and is enabled by default. Setting security_audit_mac_changes to no will disable syscall auditing for any changes to AppArmor policies (in Ubuntu) or SELinux policies (in CentOS).
All variables in the security role are now prepended with security_ to avoid collisions with variables in other roles. All deployers who have used the security role in previous releases will need to prepend all security role variables with security_. For example, a deployer could have disabled direct root ssh logins with the following variable:
ssh_permit_root_login: yes
That variable would become:
security_ssh_permit_root_login: yes
Bug Fixes
The dictionary-based variables in defaults/main.yml are now individual variables. The dictionary-based variables could not be changed as the documentation instructed. Instead it was required to override the entire dictionary. Deployers must use the new variable names to enable or disable the security configuration changes applied by the security role. For more information, see Launchpad Bug 1577944.
Failed access logging is now disabled by default and can be enabled by changing security_audit_failed_access to yes. The rsyslog daemon checks for the existence of log files regularly and this audit rule was triggered very frequently, which led to very large audit logs.
An Ansible task was added to disable the netconsole service on CentOS systems if the service is installed on the system. Deployers can opt out of this change by setting security_disable_netconsole to no.
The security role previously set the permissions on all audit log files in /var/log/audit to 0400, but this prevents the audit daemon from writing to the active log file. This will prevent auditd from starting or restarting cleanly. The task now removes any permissions that are not allowed by the STIG. Any log files that meet or exceed the STIG requirements will not be modified.
The security role now handles ssh_config files that contain Match stanzas. A marker is added to the configuration file and any new configuration items will be added below that marker. In addition, the configuration file is validated for each change to the ssh configuration file.
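As an added example (not code from the release notes or the role), the following shows why the placement of that marker matters for the PermitRootLogin values listed under 17.0.0.0b2: it parses an sshd_config with Match stanzas the way sshd scopes directives and reports which PermitRootLogin value is actually in effect globally. The sample configurations, the marker comment, the fallback default and the "hardened" classification are assumptions made for the illustration.

```python
"""Added example (not from the release notes or the ansible-hardening role): find
the effective global PermitRootLogin in an sshd_config with Match stanzas. sshd
scopes every directive after a Match line to that block and keeps the first value
seen for a keyword, so a line appended below a Match block never changes the global."""
import re

# Values the release notes accept for security_sshd_permit_root_login.
ALLOWED = {"without-password", "prohibit-password", "forced-commands-only", "yes", "no"}
HARDENED = ALLOWED - {"yes"}  # assumption: everything except plain 'yes' counts as hardened

def parse_sshd_config(text):
    """Return (global_directives, [(match_criteria, directives), ...]). Keywords are
    lower-cased, '=' or whitespace separates keyword and value, and within each
    scope the first occurrence of a keyword wins, as in sshd."""
    global_dirs, blocks = {}, []
    current = global_dirs
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(\S+?)\s*(?:=|\s)\s*(.*)$", line)
        if not line or line.startswith("#") or not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {}                      # everything below belongs to this block
            blocks.append((value, current))
        else:
            current.setdefault(key, value)
    return global_dirs, blocks

def directive_scope(text, keyword):
    """'global', 'match-only' (only appears after a Match line) or 'unset'."""
    global_dirs, blocks = parse_sshd_config(text)
    key = keyword.lower()
    if key in global_dirs:
        return "global"
    return "match-only" if any(key in d for _, d in blocks) else "unset"

def permit_root_login_status(text):
    """Return (effective global value, 'hardened' | 'weak' | 'invalid')."""
    global_dirs, _ = parse_sshd_config(text)
    value = global_dirs.get("permitrootlogin", "prohibit-password")  # assumed OpenSSH >= 7.0 default
    if value not in ALLOWED:
        return value, "invalid"
    return value, ("hardened" if value in HARDENED else "weak")

# Constructed samples: the hardening line appended below a Match block (broken)
# versus inserted above it, where a marker-based edit would place it (fixed).
BROKEN_CONFIG = "Port 22\nPermitRootLogin yes\nMatch User backup\n  PasswordAuthentication no\nPermitRootLogin without-password\n"
FIXED_CONFIG = "Port 22\n# marker\nPermitRootLogin without-password\nMatch User backup\n  PasswordAuthentication no\n"
```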