misc - Miscellaneous security controls

misc - Miscellaneous security controls

Some of the security controls provided by the STIG are difficult to group together. The following documentation includes STIG requirements which do not easily fit into one of the other hardening domains.

Overview

Reliable time synchronization is a requirement in the STIG and the chrony package will be installed to handle NTP for systems secured with the openstack- ansible-security role. The default settings will work for most environments, but some deployers may prefer to use NTP servers which are geographically closer to their servers.

The role configures the chrony daemon to listen only on localhost. To allow chrony to listen on all addresses (the upstream default for chrony), set the security_ntp_bind_local_interfaces_only variable to False.

The default configuration allows RFC1918 addresses to reach the NTP server running on each host. That could be changed by using the security_allowed_ntp_subnets parameter.

STIG requirements

All of the tasks for these STIG requirements are included in tasks/rhel7stig/misc.yml.

V-71863

  • Summary: The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

The security role already deploys a login banner for console logins with tasks from another STIG:


V-71961

  • Summary: Systems with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.

  • Severity: High

  • Implementation Status: Opt-In

Deployer/Auditor notes

Although the STIG requires that GRUB 2 asks for a password whenever a user attempts to enter single-user or maintenance mode, this change might be disruptive in an emergency situation. Therefore, this change is not applied by default.

Deployers that wish to opt in for this change should set two Ansible variables:

security_require_grub_authentication: yes
security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC...

The default password set in the security role is ‘secrete’, but deployers should set a much more secure password for production environments. Use the grub2-mkpasswd-pbkdf2 command to create a password hash string and use it as the value for the Ansible variable security_grub_password_hash.

Warning

This change must be tested in a non-production environment first. Requiring authentication in GRUB 2 without proper communication to users could cause extensive delays in emergency situations.


V-71963

  • Summary: Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.

  • Severity: High

  • Implementation Status: Opt-In

Deployer/Auditor notes

The tasks in the security role for V-71961 will also apply changes to systems that use UEFI. For more details, refer to the following documentation:


V-71985

  • Summary: File system automounter must be disabled unless required.

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

The autofs service is stopped and disabled if it is found on the system. Deployers can opt out of this change by setting the following Ansible variable:

security_rhel7_disable_autofs: no

V-71991

  • Summary: The operating system must enable the SELinux targeted policy.

  • Severity: High

  • Implementation Status: Implemented

Deployer/Auditor notes

The SELinux targeted policy is enabled on CentOS 7 and Red Hat systems. AppArmor only has one set of policies, so this change has no effect on Ubuntu, openSUSE Leap and SUSE systems running AppArmor.

For more information on this change and how to opt out, refer to The operating system must enable SELinux. (V-71989).


V-71993

  • Summary: The x86 Ctrl-Alt-Delete key sequence must be disabled.

  • Severity: High

  • Implementation Status: Implemented

Deployer/Auditor notes

The tasks in the security role disable the control-alt-delete key sequence by masking its systemd service unit.

Deployers can opt out of this change by setting the following Ansible variable:

security_rhel7_disable_ctrl_alt_delete: no

V-72035

  • Summary: All local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory.

  • Severity: Medium

  • Implementation Status: Exception - Manual Intervention

Deployer/Auditor notes

Although the STIG requires that all initialization files must contain executable search paths that resolve to the user’s home directory, this change be disruptive for most users. The tasks in the security role do not make any changes to user initialization files.


V-72041

  • Summary: File systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.

  • Severity: Medium

  • Implementation Status: Exception - Manual Intervention

Deployer/Auditor notes

Deployers should examine any filesystem mounts that contain home directories to ensure that the nosetuid option is set.


V-72043

  • Summary: File systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.

  • Severity: Medium

  • Implementation Status: Exception - Manual Intervention

Deployer/Auditor notes

Deployers should examine any filesystem mounts of removable media to ensure that the nosetuid option is set.


V-72045

  • Summary: File systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.

  • Severity: Medium

  • Implementation Status: Exception - Manual Intervention

Deployer/Auditor notes

Deployers should examine any filesystem mounts of NFS imports to ensure that the nosetuid option is set.


V-72051

  • Summary: Cron logging must be implemented.

  • Severity: Medium

  • Implementation Status: Exception - Manual Intervention

Deployer/Auditor notes

Ubuntu, CentOS, Red Hat Enterprise Linux, openSUSE Leap and SUSE Linux Enterprise already capture the logs from cron.

Ubuntu systems collect cron job logs into the main syslog file (/var/log/syslog) rather than separate them into their own log file. CentOS and Red Hat Enterprise Linux systems collect cron logs in /var/log/cron. openSUSE Leap and SUSE Linux Enterprise collect cron job in /var/log/messages.

Deployers should not need to adjust these configurations unless a specific environment requires it. The tasks in the security role do not make changes to the rsyslog configuration.


V-72055

  • Summary: If the cron.allow file exists it must be group-owned by root.

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

The group ownership for /etc/cron.allow is already set by the task for the following STIG control:

If the cron.allow file exists it must be owned by root. (V-72053)


V-72059

  • Summary: A separate file system must be used for user home directories (such as /home or an equivalent).

  • Severity: Low

  • Implementation Status: Exception - Initial Provisioning

Deployer/Auditor notes

Deployers should consider using filesystem mounts for home directories during the initial server provisioning process. Adding filesystem mounts after a system is provisioned might lead to downtime.

The tasks in the security role do not take action on filesystem mounts. If the server does not mount /home as a separate filesystem, a warning is printed in the Ansible output.


V-72061

  • Summary: The system must use a separate file system for /var.

  • Severity: Low

  • Implementation Status: Exception - Initial Provisioning

Deployer/Auditor notes

Deployers should consider using filesystem mounts for /var during the initial server provisioning process. Adding filesystem mounts after a system is provisioned might lead to downtime.

The tasks in the security role do not take action on filesystem mounts. If the server does not mount /var as a separate filesystem, a warning is printed in the Ansible output.


V-72063

  • Summary: The system must use a separate file system for the system audit data path.

  • Severity: Low

  • Implementation Status: Exception - Initial Provisioning

Deployer/Auditor notes

Deployers should consider using filesystem mounts for /var/log/audit during the initial server provisioning process. Adding filesystem mounts after a system is provisioned might lead to downtime.

The tasks in the security role do not take action on filesystem mounts. If the server does not mount /var/log/audit as a separate filesystem, a warning is printed in the Ansible output.


V-72065

  • Summary: The system must use a separate file system for /tmp (or equivalent).

  • Severity: Low

  • Implementation Status: Exception - Initial Provisioning

Deployer/Auditor notes

Deployers should consider using filesystem mounts for /tmp during the initial server provisioning process. Adding filesystem mounts after a system is provisioned might lead to downtime.

The tasks in the security role do not take action on filesystem mounts. If the server does not mount /tmp as a separate filesystem, a warning is printed in the Ansible output.


V-72067

  • Summary: The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

  • Severity: High

  • Implementation Status: Implemented - Red Hat And Suse Only

Deployer/Auditor notes

The tasks in the Ansible role install the dracut-fips (RHEL and SLE) and dracut-fips-aesni (RHEL) packages and check to see if FIPS is enabled on the system. If it is not enabled, a warning message is printed in the Ansible output.

Enabling FIPS at boot time requires additional manual configuration. Refer to Chapter 7. Federal Standards and Regulations in the Red Hat documentation for more details. Section 7.1.1 contains the steps required for updating the bootloader configuration and regenerating the initramfs.

Note

This change only applies to CentOS, Red Hat Enterprise Linux, openSUSE Leap and SUSE Linux Enterprise. Ubuntu does not use dracut by default and the process for enabling the FIPS functionality at boot time is more complex.


V-72075

  • Summary: The system must not allow removable media to be used as the boot loader unless approved.

  • Severity: Medium

  • Implementation Status: Exception - Initial Provisioning

Deployer/Auditor notes

When a server is initially provisioned, deployers should avoid storing the boot loader on removable media. It is not possible to change this via automated tasks.


V-72209

  • Summary: The system must send rsyslog output to a log aggregation server.

  • Severity: Medium

  • Implementation Status: Verification Only

Deployer/Auditor notes

The tasks in the security role check for uncommented lines in the rsyslog configuration that contain @ or @@, which signifies that a remote logging configuration is in place. If these lines are not found, a warning message is printed in the Ansible output.


V-72211

  • Summary: The rsyslog daemon must not accept log messages from other servers unless the server is being used for log aggregation.

  • Severity: Medium

  • Implementation Status: Exception - Manual Intervention

Deployer/Auditor notes

Deployers must take manual steps to add or remove syslog reception configuration lines depending on a server’s role:

  • If the server is a log aggregation server, deployers must configure the server to receive syslog output from the other servers via TCP connections.

  • If the server is not a log aggregation server, deployers must configure the server so that it does not accept syslog output from other servers.


V-72213

  • Summary: The system must use a virus scan program.

  • Severity: High

  • Implementation Status: Opt-In

Deployer/Auditor notes

The STIG requires that a virus scanner is installed and running, but the value of a virus scanner within an OpenStack control plane or on a hypervisor is negligible in many cases. In addition, the disk I/O impact of a virus scanner can impact a production environment negatively.

The security role has tasks to deploy ClamAV with automatic updates, but the tasks are disabled by default.

Deployers can enable the ClamAV virus scanner by setting the following Ansible variable:

security_enable_virus_scanner: yes

Warning

The ClamAV packages are provided in the EPEL repository. Setting the security_enable_virus_scanner will also cause the EPEL repository to be installed by the role.


V-72215

  • Summary: The system must update the virus scan program every seven days or more frequently.

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

By default, CentOS 7, Red Hat Enterprise Linux 7, openSUSE Leap and SUSE Linux Enterprise 12 check for virus database updates 12 times a day. Ubuntu servers have a default of 24 checks per day.

The tasks in the security role do not adjust these defaults as they are more secure than the STIG’s requirement.


V-72219

  • Summary: The host must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.

  • Severity: Medium

  • Implementation Status: Exception - Manual Intervention

Deployer/Auditor notes

Deployers should review each firewall rule on a regular basis to ensure that each port is open for a valid reason.


V-72223

  • Summary: All network connections associated with a communication session must be terminated at the end of the session or after 10 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

The tasks in the security role set a 600 second (10 minute) timeout for network connections associated with a communication session. Deployers can change the timeout value by setting the following Ansible variable:

# Example: shorten the timeout to 5 minutes (300 seconds)
security_rhel7_session_timeout: 300

V-72269

  • Summary: The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

The tasks in the security role make the following changes on each host:

  • The chrony package is installed.

  • The service (chronyd on Red Hat, CentOS, SLE and openSUSE Leap, chrony on Ubuntu) is started and enabled at boot time.

  • A configuration file template is deployed that includes maxpoll 10 on each server line.

Deployers can opt out of these changes by setting the following Ansible variable:

security_rhel7_enable_chrony: no

Note

Although the STIG mentions the traditional ntpd service, this role uses chrony, which is a more modern implementation.


V-72271

  • Summary: The operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces.

  • Severity: Medium

  • Implementation Status: Opt-In

Deployer/Auditor notes

Although the STIG requires that incoming TCP connections are rate limited with firewalld, this setting can cause problems with certain applications which handle large amounts of TCP connections. Therefore, the tasks in the security role do not apply the rate limit by default.

Deployers can opt in for this change by setting the following Ansible variable:

security_enable_firewalld_rate_limit: yes

The STIG recommends a limit of 25 connection per minute and allowing bursts up to 100 connections. Both of these options are adjustable with the following Ansible variables:

security_enable_firewalld_rate_limit_per_minute: 25
security_enable_firewalld_rate_limit_burst: 100

Warning

Deployers should test rate limiting in a non-production environment first before applying it to production systems. Ensure that the application running on the system is receiving a large volume of requests so that the rule can be thoroughly tested.


V-72273

  • Summary: The operating system must enable an application firewall, if available.

  • Severity: Medium

  • Implementation Status: Opt-In

Deployer/Auditor notes

The STIG requires that a firewall is configured on each server. This might be disruptive to some environments since the default firewall policy for firewalld is very restrictive. Therefore, the tasks in the security role do not install or enable the firewalld daemon by default.

Deployers can opt in for this change by setting the following Ansible variable:

security_enable_firewalld: yes

Warning

Deployers must pre-configure firewalld or copy over a working XML file in /etc/firewalld/zones/ from another server. The default firewalld restrictions on Ubuntu, CentOS, Red Hat Enterprise Linux and openSUSE Leap are highly restrictive.


V-72281

  • Summary: For systems using DNS resolution, at least two name servers must be configured.

  • Severity: Low

  • Implementation Status: Implemented

Deployer/Auditor notes

If a server has fewer than two nameservers configured in /etc/resolv.conf, a warning is printed in the Ansible output.


V-72295

  • Summary: Network interfaces must not be in promiscuous mode.

  • Severity: Medium

  • Implementation Status: Verification Only

Deployer/Auditor notes

All interfaces are examined to ensure they are not in promiscuous mode. A warning message is printed in the Ansible output if any promiscuous interfaces are found.


V-72297

  • Summary: The system must be configured to prevent unrestricted mail relaying.

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

The smtpd_client_restrictions configuration in postfix is set to permit_mynetworks, reject to meet the STIG’s requirements.

Deployers can opt out of this change by setting the following Ansible variable:

security_rhel7_restrict_mail_relaying: no

V-72305

  • Summary: If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode.

  • Severity: Medium

  • Implementation Status: Verification Only

Deployer/Auditor notes

The tasks in the security role examine the TFTP server configuration file (if it exists) to verify that the secure operation flag (-s) is listed on the server_args line. If it is missing, a warning message is printed in the Ansible output.


V-72311

  • Summary: The Network File System (NFS) must be configured to use RPCSEC_GSS.

  • Severity: Medium

  • Implementation Status: Exception - Manual Intervention

Deployer/Auditor notes

Deployers using NFS should examine their mounts to ensure krb5:krb5i:krb5p is provided with the sec option. Kerberos must be installed and configured before making the change.


V-72313

  • Summary: SNMP community strings must be changed from the default.

  • Severity: High

  • Implementation Status: Verification Only

Deployer/Auditor notes

The tasks in the security role examine the contents of the /etc/snmp/snmpd.conf file (if it exists) and search for the default community strings: public and private. If either default string is found, a message is printed in the Ansible output.


V-72315

  • Summary: The system access control program must be configured to grant or deny system access to specific hosts and services.

  • Severity: Medium

  • Implementation Status: Exception - Manual Intervention

Deployer/Auditor notes

The firewalld service is optionally enabled and configured in the tasks for another STIG control:

Deployers should review their firewalld ruleset regularly to ensure that each firewall rule is specific as possible. Each rule should allow the smallest number of hosts to access the smallest number of services.


V-72317

  • Summary: The system must not have unauthorized IP tunnels configured.

  • Severity: Medium

  • Implementation Status: Exception - Manual Intervention

Deployer/Auditor notes

Deployers should review all tunneled connections on a regular basis to ensure each is valid and properly secured. This requires careful verification that cannot be done with automated Ansible tasks.


V-73161

  • Summary: File systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.

  • Severity: Medium

  • Implementation Status: Exception - Manual Intervention

Deployer/Auditor notes

Deployers should review their NFS mounts to ensure they are mounted with the noexec option. Deployers should skip this change if they execute applications from NFS mounts.


V-73177

  • Summary: Wireless network adapters must be disabled.

  • Severity: Medium

  • Implementation Status: Exception - Manual Intervention

Deployer/Auditor notes

Deployers should review the configuration of any wireless networking device connected to the system to ensure it must be enabled. The STIG requires that all wireless network devices are enabled unless required.


V-77819

  • Summary: The operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.

  • Severity: Medium

  • Implementation Status: Exception - Manual Intervention

Deployer/Auditor notes

The STIG requires that multifactor authentication is used for graphical user logon, but this change requires custom configuration based on the authentication solution that is used.

Deployers should review the available options, such as traditional smartcards, USB devices (such as Yubikeys), or software token systems, and use one of these solutions on each system.

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.