RHEL 7 STIG in openstack-ansible-security
The RHEL 7 STIG is in the final stages before release and the security role needs to be updated with these new configuration guidelines.
Blueprint information
- Status: Complete
- Approver: None
- Priority: Low
- Drafter: Major Hayden
- Direction: Approved
- Assignee: Major Hayden
- Definition: Approved
- Series goal: None
- Implementation: Implemented
- Milestone target: None
- Started by: Major Hayden
- Completed by: Major Hayden
Related branches
Related bugs
Sprints
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Spec: Add RHEL 7 STIG configurations
Addressed by: https:/
Automate the STIG documentation
Gerrit topic: https:/
Addressed by: https:/
Initial scaffolding for RHEL 7 STIG
Addressed by: https:/
Initial docs scaffolding for RHEL 7 STIG
Addressed by: https:/
Add dividers to defaults/main.yml
Addressed by: https:/
Add tasks for RHEL-07-010010
Addressed by: https:/
Security: Remove quotes from extra vars
Addressed by: https:/
Security: Add tasks for RHEL-07-010020
Addressed by: https:/
Security: Add tasks for RHEL-07-010260
Addressed by: https:/
Add RHEL-07-010270 (ssh - empty password)
Addressed by: https:/
Add RHEL-07-010430 and RHEL-07-010431
Addressed by: https:/
Remove packages according to STIG
Addressed by: https:/
[WIP] GPG verification for packages
Gerrit topic: https:/
Addressed by: https:/
Install screen and ssh client/server
Addressed by: https:/
Fix tags
Addressed by: https:/
Refactor package removal
Addressed by: https:/
Configure sshd based on the RHEL 7 STIG
Addressed by: https:/
[Docs] Configure sshd based on the RHEL 7 STIG
Addressed by: https:/
[Docs] Auditing setuid/setgid applications
Addressed by: https:/
Transmit audit logs to other servers
Addressed by: https:/
Encrypt transmitted audit logs
Addressed by: https:/
Enable virus scanner
Addressed by: https:/
Remove deprecated always_run
Addressed by: https:/
Add template for audit rules
Addressed by: https:/
[Docs] Audit rules
Addressed by: https:/
[Docs] Exception for RHEL-07-040830
Addressed by: https:/
[WIP] Set graphical session locks
Addressed by: https:/
[Docs] Set graphical session locks
Addressed by: https:/
Automatically remove package deps
Addressed by: https:/
Enable graphical login banner
Addressed by: https:/
[Docs] Enable graphical login banner
Addressed by: https:/
Refactor auditd rules
Addressed by: https:/
[Docs] Refactor auditd rules
Addressed by: https:/
Add exception for supported release check
Addressed by: https:/
Check for other UID 0 accounts
Addressed by: https:/
[Doc] Exceptions for LDAP SSL/TLS checks
Addressed by: https:/
[Docs] Exception for PKI revocation
Addressed by: https:/
Securing sysctl configurations
Addressed by: https:/
[Docs] Securing sysctl configurations
Addressed by: https:/
Set cn_map permissions/owner
Addressed by: https:/
[Docs] Set cn_map permissions/owner
Addressed by: https:/
Apply password quality rules
Addressed by: https:/
[Docs] Apply password quality rules
Addressed by: https:/
Ensure libuser crypt_style is SHA512 [+Docs]
Addressed by: https:/
Ensure passwords hashed with SHA512 [+Docs]
Addressed by: https:/
Fix stig_packages_rhel7 typo
Addressed by: https:/
Set lifetime limits for passwords [+Docs]
Addressed by: https:/
Find files/dirs without valid owners [+Docs]
Addressed by: https:/
Move common variables to common.yml
Addressed by: https:/
Check for users w/o home dirs [+Docs]
Addressed by: https:/
Create home directories by default [+Docs]
Addressed by: https:/
Verify that home directories exist [+Docs]
Addressed by: https:/
Use dynamic includes for speedup
Addressed by: https:/
Require auth for sudo [+Docs]
Addressed by: https:/
Expire cached sssd authenticators [+Docs]
Addressed by: https:/
Set auditd failure flag [+Docs]
Addressed by: https:/
[Docs] Exception for MFA/smartcards
Addressed by: https:/
[Docs] Exception for SELinux user confinement
Addressed by: https:/
Disable usb-storage module [+Docs]
Addressed by: https:/
Disable autofs [+Docs]
Addressed by: https:/
[Docs] Exceptions for disk encryption
Addressed by: https:/
Enable SELinux/AppArmor [+Docs]
Addressed by: https:/
Disable ctrl-alt-del key sequence [+Docs]
Addressed by: https:/
Enable firewalld [+Docs]
Addressed by: https:/
Add firewalld rate limit rule [+Docs]
Addressed by: https:/
Check for two nameservers [+Docs]
Addressed by: https:/
Display MOTD warning banner [+Docs]
Addressed by: https:/
Check for SHA512 password storage [+Docs]
Addressed by: https:/
Refactor login.defs adjustments [+Docs]
Addressed by: https:/
Prevent password re-use [+Docs]
Addressed by: https:/
Set minimum password length [+Docs]
Addressed by: https:/
Apply pam_faillock restrictions [+Docs]
Addressed by: https:/
Set grub2 password [+Docs]
Addressed by: https:/
[Docs] Exception for removing default accounts
Addressed by: https:/
Enable AIDE [+Docs]
Addressed by: https:/
Extend get_users module to get groups
Addressed by: https:/
Check for groups that don't exist [+Docs]
Addressed by: https:/
Disable accounts w/expired passwords [+Docs]
Addressed by: https:/
Set home dir mode to 0750 or less [+Docs]
Addressed by: https:/
Verify password age limits [+Docs]
Addressed by: https:/
Enable automatic package updates [+Docs]
Addressed by: https:/
[Docs] Exception for removing unnecessary accounts
Addressed by: https:/
Search for unlabeled device files [+Docs]
Addressed by: https:/
[Docs] Exceptions for filesystem mounts
Addressed by: https:/
Find world-writable dirs with bad group owners
Addressed by: https:/
[Docs] Exception for user init file umask
Addressed by: https:/
[Docs] Exception for cron logging
Addressed by: https:/
Set cron.allow owner/group owner [+Docs]
Addressed by: https:/
Disable kdump [+Docs]
Addressed by: https:/
Ensure separate filesystems exist [+Docs]
Addressed by: https:/
Add AIDE checks for ACL/xattrs [+Docs]
Addressed by: https:/
[Docs] Exception: grub on removable media
Addressed by: https:/
Enable/start auditd [+Docs]
Addressed by: https:/
Set audisp failure options [+Docs]
Addressed by: https:/
Set space_left in auditd [+Docs]
Addressed by: https:/
Set space_left_action in auditd [+Docs]
Addressed by: https:/
Set action_email_acct in auditd [+Docs]
Addressed by: https:/
[Docs] Fix broken/missing auditd docs
Addressed by: https:/
Add checks for remote syslog [+Docs]
Addressed by: https:/
[Docs] Exception: Disable syslog reception
Addressed by: https:/
[Docs] Virus definition update frequency
Addressed by: https:/
Enable FIPS [+Docs]
Addressed by: https:/
Set maxlogins limit [+Docs]
Addressed by: https:/
[Docs] Exception: logging level
Addressed by: https:/
Check for ocsp_on in PKCS config [+Docs]
Addressed by: https:/
Check for cackey/coolkey values [+Docs]
Addressed by: https:/
[Docs] Exception: firewall port auditing
Addressed by: https:/
Set TMOUT variable for all sessions [+Docs]
Addressed by: https:/
Enable chrony [+Docs]
Addressed by: https:/
Check for pam_lastlogin [+Docs]
Addressed by: https:/
Remove .shosts/
Addressed by: https:/
Check for promiscuous interfaces [+Docs]
Addressed by: https:/
Restrict mail relaying [+Docs]
Addressed by: https:/
Check for TFTP secure mode [+Docs]
Addressed by: https:/
Check for default SNMP comm strings [+Docs]
Addressed by: https:/
[Docs] Docs for TFTP server removal
Addressed by: https:/
Set permissions on sshd host keys [+Docs]
Addressed by: https:/
[Docs] Add missing docs for GSSAPI
Addressed by: https:/
[Docs] Exception: Add AUTH_GSS for NFS
Addressed by: https:/
[Docs] Refer to other control for firewalld
Addressed by: https:/
[Docs] Exception for firewalld config
Addressed by: https:/
Set user/group/modes on user init files [+Docs]
Addressed by: https:/
[Docs] User init file exceptions
Addressed by: https:/
[Docs] Update for RHEL7 STIG
Addressed by: https:/
[Docs] Fix missing code-block property
Addressed by: https:/
[WIP] Enable RHEL 7 STIG tasks as default
Addressed by: https:/
Use RHEL 7 STIG content in OSA
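As an added illustration of three of the checks tracked in the list above (the ssh empty-password control RHEL-07-010270, "Check for other UID 0 accounts" and "Check for SHA512 password storage"), the Python below audits constructed sample input in the format of sshd_config, /etc/passwd and /etc/shadow. This is example code written for this page, not code from openstack-ansible-security (the role implements its checks as Ansible tasks); the file contents, account names and hashes are made up, and the parsing follows sshd's first-keyword-wins rule without handling Match blocks.

```python
"""Audit three of the RHEL 7 STIG-style checks listed on this page.

Added example, not openstack-ansible-security code. All input below is
constructed sample text; no host files are read.
"""
import re

# Constructed sample files (not real host data).
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host file
Port 22
PermitEmptyPasswords yes
# sshd keeps the first value for a keyword, so this later line is ignored
PermitEmptyPasswords no
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second uid 0 account:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$fakesha512hash:18000:1:99999:7:::
bin:*:17000:0:99999:7:::
toor:$1$saltsalt$fakemd5hash:18000:0:99999:7:::
alice:!!:18000:0:99999:7:::
"""


def permit_empty_passwords(sshd_config: str) -> bool:
    """Return True if sshd would effectively permit empty passwords.

    sshd uses the first occurrence of a keyword and ignores later duplicates;
    keywords are case-insensitive and may be written "key value" or
    "key=value". The built-in default when the keyword is absent is "no".
    Match blocks are not handled here (assumption: a flat config).
    """
    for line in sshd_config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if parts[0].lower() == "permitemptypasswords" and len(parts) == 2:
            return parts[1].strip().lower() == "yes"
    return False


def uid0_accounts(passwd: str) -> list:
    """Return usernames other than root whose UID field is 0."""
    found = []
    for line in passwd.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed entry: skip rather than crash the audit
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            found.append(name)
    return found


def non_sha512_hashes(shadow: str) -> list:
    """Return accounts whose stored hash is not SHA-512 crypt ($6$...).

    Locked ("!", "!!", "!<hash>") and disabled ("*") fields hold no usable
    password and are not reported; an empty field is an empty password,
    which is a different finding and is reported separately.
    """
    weak = []
    for line in shadow.splitlines():
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        name, hashed = fields[0], fields[1]
        if hashed == "*" or hashed.startswith("!"):
            continue
        if not hashed.startswith("$6$"):
            weak.append(name)  # includes "" (empty password) on purpose
    return weak


def audit(sshd_config: str, passwd: str, shadow: str) -> dict:
    """Run all three checks and return the findings as a dict."""
    return {
        "sshd_permit_empty_passwords": permit_empty_passwords(sshd_config),
        "extra_uid0_accounts": uid0_accounts(passwd),
        "non_sha512_password_hashes": non_sha512_hashes(shadow),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_SSHD_CONFIG, SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{check}: {result}")
```

The duplicate PermitEmptyPasswords line in the sample is deliberate: a check that greps for the last or any occurrence would report the host as compliant while sshd is actually honouring the first "yes".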