
Update to RHEL 7 STIG V1R3

This patch updates the tasks to match the changes in Version 1,
Release 3 of the RHEL 7 STIG. It adds four new configurations:

  - V-77819 (docs only, manual intervention req'd)
  - V-77821 (disabling DCCP, implemented)
  - V-77823 (docs only, manual intervention req'd)
  - V-77825 (enabling ASLR, implemented)

Closes-Bug: 1729344
Change-Id: I009fb31139e654f839d94781baf3d392c6613f46
major committed Nov 1, 2017
1 parent e79c6c0 commit 782bb48c14c03aedaefcaf421fd5935ef5f561b8
@@ -363,3 +363,7 @@ security_disallow_ip_forwarding: no # V-72309
security_rhel7_disable_usb_storage: yes # V-71983
# Disable kdump.
security_disable_kdump: yes # V-72057
# Disable Datagram Congestion Control Protocol (DCCP).
security_rhel7_disable_dccp: yes # V-77821
# Enable Address Space Layout Randomization (ASLR).
security_enable_aslr: yes # V-77825
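Review bot: the two new variables are named inconsistently: `security_rhel7_disable_dccp` carries the `rhel7_` prefix while `security_enable_aslr` does not, although both are introduced for the RHEL 7 STIG; the existing `security_rhel7_disable_usb_storage` above suggests the prefixed form. Settle on one convention before deployers start referencing the name. The DCCP comment could also say that the change only takes effect after a reboot, as the documentation for V-77821 states.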

@@ -0,0 +1,13 @@
---
id: V-77819
status: exception - manual intervention
tag: misc
---
The STIG requires that multifactor authentication is used for graphical user
logon, but this change requires custom configuration based on the
authentication solution that is used.
Deployers should review the available options, such as traditional
smartcards, USB devices (such as Yubikeys), or software token systems, and
use one of these solutions on each system.
@@ -0,0 +1,14 @@
---
id: V-77821
status: implemented
tag: kernel
---
The ansible-hardening role disables the DCCP kernel module by default. Each
system must be rebooted to fully apply the change.
Deployers can opt out of the change by setting the following Ansible variable:
.. code-block:: yaml
security_rhel7_disable_dccp: no
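Review bot: the doc should name what the role actually writes (the line `install dccp /bin/true` in `/etc/modprobe.d/ansible-hardening-disable-dccp.conf`) so deployers can verify the change and understand why a reboot is needed: an `install` line prevents the module from being loaded in future but does not unload it if it is already loaded. Also check the source file has a blank line and an indented body after `.. code-block:: yaml`; as shown here `security_rhel7_disable_dccp: no` sits directly under the directive, which Sphinx will not render as a code block.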
@@ -0,0 +1,13 @@
---
id: V-77823
status: exception - manual intervention
tag: auth
---
Modifying sensitive systemd unit files directly or via overrides could cause
a system to have issues during the boot process. The role does not make any
adjustments to the ``rescue.service`` because this service is critical during
emergencies.
All of the distributions supported by the role already require authentication
for single user mode.
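Review bot: unlike the V-77819 doc, this entry opens with the rationale for the exception ("Modifying sensitive systemd unit files ...") without first stating what the STIG requires; lead with the requirement so a reader knows what is being excepted and why leaving `rescue.service` untouched is acceptable. The closing sentence about single user mode already requiring authentication is the key justification and would read better right after the requirement.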
@@ -0,0 +1,18 @@
---
id: V-77825
status: implemented
tag: kernel
---
Most modern systems enable Address Space Layout Randomization (ASLR) by
default (with a setting of ``2``), and the role ensures that the secure
default is maintained.
Deployers can opt out of the change by setting the following Ansible variable:
.. code-block:: yaml
security_enable_aslr: no
For more details on the ASLR settings, review the
`sysctl documentation <https://www.kernel.org/doc/Documentation/sysctl/kernel.txt>`_.
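Review bot: the doc refers to "a setting of ``2``" without naming the parameter; state `kernel.randomize_va_space` explicitly (as the release note does) so deployers can verify it with `sysctl kernel.randomize_va_space`. Same check as for the DCCP doc: `.. code-block:: yaml` needs a blank line and an indented body for `security_enable_aslr: no` to render as code.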
@@ -28,7 +28,7 @@
SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
METADATA_DIR = "{0}/../../metadata".format(SCRIPT_DIR)
DOC_SOURCE_DIR = "{0}/..".format(SCRIPT_DIR)
XCCDF_FILE = 'U_Red_Hat_Enterprise_Linux_7_STIG_V1R2_Manual-xccdf.xml'
XCCDF_FILE = 'U_Red_Hat_Enterprise_Linux_7_STIG_V1R3_Manual-xccdf.xml'
XCCDF_NAMESPACE = {'x': 'http://checklists.nist.gov/xccdf/1.1'}
@@ -0,0 +1,15 @@
---
features:
- |
The tasks within the ansible-hardening role are now based on Version 1,
Release 3 of the Red Hat Enteprise Linux Security Technical Implementation
Guide.
- |
The ``sysctl`` parameter ``kernel.randomize_va_space`` is now set to
``2`` by default. This matches the default of most modern Linux
distributions and it ensures that Address Space Layout Randomization
(ASLR) is enabled.
- |
The Datagram Congestion Control Protocol (DCCP) kernel module is now
disabled by default, but a reboot is required to make the change
effective.
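Review bot: typo in the first feature entry: "Enteprise" should be "Enterprise". The release note also omits the `maxrepeat` change for V-71915 (4 to 3) made in this commit; that tightens the enforced password policy for existing deployments and deserves its own entry alongside the ASLR and DCCP items.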
@@ -95,3 +95,15 @@
- high
- misc
- V-72067
- name: V-77821 - Datagram Congestion Control Protocol (DCCP) kernel module must be disabled
lineinfile:
dest: /etc/modprobe.d/ansible-hardening-disable-dccp.conf
line: install dccp /bin/true
create: yes
when:
- security_rhel7_disable_dccp | bool
tags:
- kernel
- medium
- V-77821
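Review bot: `install dccp /bin/true` blocks future loads but leaves an already-loaded `dccp` module in memory, which is why the docs require a reboot; consider surfacing that requirement at run time (a `debug` message or a handler) rather than only in the documentation, so an operator running the role on a live system is not left believing the control is already effective. The `create: yes` is needed since the file does not exist beforehand; fine as is.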
@@ -253,9 +253,9 @@ password_quality_rhel7:
description: "Password must have at least four character classes changed"
enabled: "{{ security_pwquality_require_character_classes_changed }}"
- parameter: maxrepeat
value: 4
value: 3
stig_id: V-71915
description: "Password must have at most four characters repeated consecutively"
description: "Password must have at most three characters repeated consecutively"
enabled: "{{ security_pwquality_limit_repeated_characters }}"
- parameter: maxclassrepeat
value: 4
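Review bot: changing `maxrepeat` from 4 to 3 is a behaviour change that the commit message (which lists only the four new configurations) and the release note do not mention; add a release note entry so deployers know password acceptance rules tighten on upgrade. The updated description correctly tracks the new value.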
@@ -341,3 +341,6 @@ sysctl_settings_rhel7:
- name: net.ipv4.conf.default.accept_redirects
value: 0
enabled: "{{ security_disallow_icmp_redirects | bool }}"
- name: kernel.randomize_va_space
value: 2
enabled: "{{ security_enable_aslr | bool }}"
