This role will configure a CentOS7 system with a hardened baseline based on the CentOS7 DISA STIGs
Why this role?
- Different compliance scanners look for implementations of the DISA STIGs (or any other compliance guideline) in different ways. Nessus may be looking for a value of
True
while oscap-scanner looks for a value oftrue
- This role aims to simply compliance. You choose your scanner, your compliance guidelines, your specific compiance settings (optional), then you run the role.
- Idempotency. This role can be ran multiple times against the same host without adverse effects. Idempotency is important in any Ansible role, but especially true when trying to enforce and maintain a compliance baseline
This role has no external requirements by itself. The testing of those role does depend on various packages. Please see the testing section
There are too many variables for this role to go over here. Please see defaults/main.yml
for a full list.
centos_7_security_scanner
- Type: String
- Default: Nessus
- This variable defines which security verifier we will be attempting to match. Different scanners will look for different implementations of the DISA STIG security rules.
security_banner_text
- Type: String
- Default: Long String
- This variable defines the login/ssh banner to display. This may be different per environment
security_audit_configure
- Type: Boolean
- Default: True
- This variable controls the auditing rules. This role uses many variables like this to control various aspects of the hardening. By default we will implement all auditing rules (and turn them on). This may effect performance.
security_mounts_configure
- Type: Boolean
- Default: True
- This variable controls the application of paritioning and mount options. When turned off, the playbook will not check for noexec,nosuid on mountpoints
security_mount_options_tmp_noexec
- Type: Boolean
- Default: True
- By default we will enforce noexec on the tmp partition. Change this to False to disable
security_module_blacklist
- Type: List
- Default: ["cramfs","freevxfs","jffs2","hfs","hfsplus","squashfs","udf","usb-storage","bluetooth","dccp","sctp"]
- Which kernel modules to blacklist. The default will blacklist everything that DISA STIGs require
security_rsyslog_host
- Type: String
- Default: loghost
- The loghost server to ship our logs to
security_configure_firewalld
- Type: Boolean
- Default: True
- This variable controls the playbook's ability to manage firewalld. If set to True then the playbook will modify the default zone for the gateway interface and control the default firewalld zone
security_default_firewalld_zone
- Type: String
- Default: "drop"
- DISA STIGs call for the default firewalld zone to be "drop". When network interfaces are added to firewalld they are assigned to the default zone.
- hosts: servers
roles:
- role: ansible-centos-7-security
security_audit_configure: False
security_mounts_configure: False
This role is tested again a vagrant box that can be built with packer. The vagrant box that this role expects can be found here: https://github.com/ragingpastry/oscap-cent7-stig-disa
There are multiple environments in which these tests work. There are defined by molecule and live in molecule/*
There is a workstation environment and a "base" environment available for testing currently. There apply different standards and require different baselines. They also utilize different packer images.
- python-vagrant
- molecule
- libvirt
- qemu-system-x86
- vagrant
- Install Depencencies
pip install python-vagrant molecule
yum install -y libvirt qemu-system-x86
systemctl enable libvirtd && systemctl start libvirtd
yum install https://releases.hashicorp.com/vagrant/2.0.0/vagrant_2.0.0_x86_64.rpm
- Build Packer images (if required)
git clone https://github.com/ragingpastry/oscap-cent7-stig-disa
cd oscap-cent7-stig-disa
packer build packer/<packer image>.json
- Add packer images to vagrant
vagrant box add --name centos7-stig-disa
This needs to be named either centos7-stig-disa or centos7-stig-disa-workstation. Molecule will look for these vagrant boxes. These are defined inmolecule/vagrant
andmolecule/vagrant-workstation
- Run tests
tox
Basically, we just need to make sure that partitioning is correct. The following describes the paritioning in the vagrant box
part pv.18 --fstype="lvmpv" --ondisk=vda --size=3000
part /boot --fstype="ext4" --ondisk=vda --size=1000
part pv.11 --fstype="lvmpv" --ondisk=vda --size=1 --grow
volgroup lg_data pv.18
volgroup lg_os pv.11
logvol / --fstype="xfs" --size=8000 --name=lv_root --vgname=lg_os
logvol /home --fstype="xfs" --size=1000 --name=lv_home --vgname=lg_data
logvol /tmp --fstype="xfs" --size=1000 --name=lv_tmp --vgname=lg_os
logvol /var --fstype="xfs" --size=2000 --name=lv_var --vgname=lg_os
logvol /var/tmp --fstype="xfs" --size=1000 --name=lv_var_tmp --vgname=lg_os
logvol /var/log --fstype="xfs" --size=1500 --name=lv_var_log --vgname=lg_os
logvol /var/log/audit --fstype="xfs" --size=500 --name=lv_var_log_audit --vgname=lg_os
logvol swap --fstype="swap" --size=1000 --name=lv_swap --vgname=lg_data
This role can be tested using tox
, however we need to make sure the selinux python bindings get included in tox's python environment. This is due to an unfortunate "feature" of ansible currently.
Tox will attempt to copy /usr/lib64/python2.7/site-packages/selinux into each tox environment. If the selinux python bindings are not installed then this will fail. Ensure libselinux-python
is installed.
BSD
Nick Wilburn