misc - Miscellaneous security controls¶
Some of the security controls provided by the STIG are difficult to group together. The following documentation includes STIG requirements which do not easily fit into one of the other hardening domains.
Overview¶
Reliable time synchronization is a requirement in the STIG and the chrony
package will be installed to handle NTP for systems secured with the openstack-
ansible-security role. The default settings will work for most environments,
but some deployers may prefer to use NTP servers which are geographically
closer to their servers.
The role configures the chrony daemon to listen only on localhost
. To allow
chrony to listen on all addresses (the upstream default for chrony),
set the security_ntp_bind_local_interfaces_only
variable to False
.
The default configuration allows RFC1918 addresses to reach the NTP server
running on each host. That could be changed by using the
security_allowed_ntp_subnets
parameter.