packages - Package managers

Package managers provide a convenient, secure method for installing and upgrading applications on a system. They must be configured properly to ensure that software is carefully verified before it is installed.

STIG requirements

All of the tasks for these STIG requirements are included in tasks/rhel7stig/packages.yml.

V-71855

  • Summary: The cryptographic hash of system files and commands must match vendor values.

  • Severity: High

  • Implementation Status: Opt-In

Deployer/Auditor notes

Ansible tasks will check the rpm -Va output (on CentOS, RHEL, openSUSE and SLE) or the output of debsums (on Ubuntu) to see if any files installed from packages have been altered. The tasks will print a list of files that have changed since their package was installed.

Deployers should be most concerned with any checksum failures for binaries and their libraries. These are most often a sign of system compromise or poor system administration practices.

Configuration files may appear in the list as well, but these are often less concerning since some of these files are adjusted by the security role itself.

Generating and validating checksums of all files installed by packages consumes a significant amount of disk I/O and could impact the performance of a production system. It can also delay the playbook’s completion. Therefore, the check is disabled by default.

Deployers can enable the check by setting the following Ansible variable:

security_check_package_checksums: yes
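
The triage described above (checksum failures in binaries and libraries first, configuration files second) can be scripted over saved rpm -Va output. This is an added example, not part of the role's tasks; the function name, the bucket names, the directory prefixes treated as "code" and the sample output are assumptions made for illustration.

```python
import re

# One `rpm -V` line: nine result flags (or the word "missing"), an optional
# file-type marker (c config, d doc, g ghost, l license, r readme), the path.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{9}|missing)\s+(?:(?P<kind>[cdglr])\s+)?(?P<path>/.*)$")

# Assumption for this example: these prefixes hold binaries and libraries.
CODE_DIRS = ("/bin/", "/sbin/", "/lib/", "/lib64/", "/usr/bin/", "/usr/sbin/",
             "/usr/lib/", "/usr/lib64/", "/usr/libexec/")

# Constructed sample output, not taken from a real host.
SAMPLE_RPM_VA = """
S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/bin/ssh
.M.......    /var/log/audit
missing     /usr/lib64/libexample.so.1
S.5....T.  d /usr/share/doc/example/README
"""

def triage_rpm_verify(output):
    """Bucket digest failures from `rpm -Va` output by how urgently to review them."""
    report = {"code": [], "config": [], "other": [], "missing": []}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # blank line or a message this parser does not model
        flags, kind, path = m.group("flags", "kind", "path")
        if flags == "missing":
            report["missing"].append(path)
        elif flags[2] != "5":
            continue  # no digest mismatch reported (e.g. only mode or mtime drift)
        elif kind == "c":
            report["config"].append(path)  # often changed by the role itself
        elif path.startswith(CODE_DIRS):
            report["code"].append(path)    # review these first
        else:
            report["other"].append(path)
    return report

if __name__ == "__main__":
    for bucket, paths in triage_rpm_verify(SAMPLE_RPM_VA).items():
        print(f"{bucket}: {paths}")
```

The parser covers rpm -Va output only; debsums on Ubuntu prints a different format.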

V-71897

  • Summary: The operating system must have the screen package installed.

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

The role will ensure that the screen package is installed.


V-71967

  • Summary: The rsh-server package must not be installed.

  • Severity: High

  • Implementation Status: Implemented

Deployer/Auditor notes

The role will remove the rsh-server package from the system if it is installed. Deployers can opt out of this change by setting the following Ansible variable:

security_rhel7_remove_rsh_server: no

V-71969

  • Summary: The ypserv package must not be installed.

  • Severity: High

  • Implementation Status: Implemented

Deployer/Auditor notes

The role will remove the NIS server package from the system if it is installed. The package name differs between Linux distributions:

  • CentOS: ypserv

  • Ubuntu: nis

  • openSUSE Leap: ypserv

Deployers can opt out of this change by setting the following Ansible variable:

security_rhel7_remove_ypserv: no

V-71977

  • Summary: The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.

  • Severity: High

  • Implementation Status: Implemented

Deployer/Auditor notes

On Ubuntu systems, the tasks check for the AllowUnauthenticated string anywhere in the apt configuration files found within /etc/apt/apt.conf.d/. If the string is found, a warning is printed on the console.

On CentOS 7 systems, the tasks set the gpgcheck option to 1 in the /etc/yum.conf file. This enables GPG checks for all packages installed with yum.

On openSUSE Leap systems, the tasks set the gpgcheck option to 1 in the /etc/zypp/zypp.conf file. This enables GPG checks for all packages installed with zypper.

Setting security_enable_gpgcheck_packages to no skips the AllowUnauthenticated string check on Ubuntu. On CentOS and openSUSE Leap systems, it sets gpgcheck=0 in /etc/yum.conf or /etc/zypp/zypp.conf respectively.


V-71979

  • Summary: The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.

  • Severity: High

  • Implementation Status: Implemented

Deployer/Auditor notes

On Ubuntu systems, the tasks comment out the no-debsig configuration line in /etc/dpkg/dpkg.cfg. This causes dpkg to verify GPG signatures for all packages that are installed locally.

On CentOS 7 systems, the tasks set the localpkg_gpgcheck option to 1 in the /etc/yum.conf file. This enables GPG checks for all packages installed locally with yum.

On openSUSE Leap systems, the tasks set the gpgcheck option to 1 in the /etc/zypp/zypp.conf file. This enables GPG checks for all packages installed with zypper.

Setting security_enable_gpgcheck_packages_local to no skips the no-debsig adjustment on Ubuntu and sets localpkg_gpgcheck=0 in /etc/yum.conf on CentOS systems. Similarly, on openSUSE Leap systems, it sets gpgcheck=0 in /etc/zypp/zypp.conf.
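
An auditor can confirm the settings described under V-71977 and V-71979 by reading the configuration files directly. The following is an added example, not the role's own code; the function names and the weak and hardened sample files are constructed for illustration, and an option that is absent from yum.conf is reported as a finding because the role sets it explicitly.

```python
import configparser

def audit_yum_conf(text):
    """Check gpgcheck and localpkg_gpgcheck in the [main] section of yum.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for opt in ("gpgcheck", "localpkg_gpgcheck"):
        raw = cp.get("main", opt, fallback=None)
        if raw is None:
            findings.append(f"{opt} is not set in [main]")
        elif raw.strip().lower() not in ("1", "yes", "true"):
            findings.append(f"{opt}={raw.strip()} disables signature checks")
    return findings

def audit_apt_conf(files):
    """files maps path -> text; flag any file that contains the string at all."""
    return [f"{path} contains AllowUnauthenticated"
            for path, text in sorted(files.items())
            if "AllowUnauthenticated" in text]

def audit_dpkg_cfg(text):
    """Flag an active (uncommented) no-debsig line in dpkg.cfg."""
    return ["no-debsig is active in dpkg.cfg"
            for line in text.splitlines() if line.strip() == "no-debsig"]

# Constructed samples: a weak configuration beside the hardened one.
WEAK_YUM = "[main]\ngpgcheck=0\nkeepcache=0\n"
HARDENED_YUM = "[main]\ngpgcheck=1\nlocalpkg_gpgcheck=1\n"
WEAK_APT = {"/etc/apt/apt.conf.d/99local":
            'APT::Get::AllowUnauthenticated "true";\n'}
HARDENED_APT = {"/etc/apt/apt.conf.d/99local":
                'APT::Install-Recommends "false";\n'}
WEAK_DPKG = "# dpkg configuration\nno-debsig\n"
HARDENED_DPKG = "# dpkg configuration\n#no-debsig\n"

if __name__ == "__main__":
    for name, result in (("yum.conf", audit_yum_conf(WEAK_YUM)),
                         ("apt.conf.d", audit_apt_conf(WEAK_APT)),
                         ("dpkg.cfg", audit_dpkg_cfg(WEAK_DPKG))):
        print(name, result or "no findings")
```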


V-71981

  • Summary: The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata.

  • Severity: High

  • Implementation Status: Opt-In

Deployer/Auditor notes

The STIG requires that repository XML files are verified during yum runs.

Warning

This setting is disabled by default because it can cause issues with CentOS systems and prevent them from retrieving repository information. Deployers who choose to enable this setting should test it thoroughly on non-production environments before applying it to production systems.

Deployers can override this default and opt in for the change by setting the following Ansible variable:

security_enable_gpgcheck_repo: yes

V-71987

  • Summary: The operating system must remove all software components after updated versions have been installed.

  • Severity: Low

  • Implementation Status: Opt-In

Deployer/Auditor notes

Although the STIG requires that dependent packages are removed automatically when a package is removed, this can cause problems with certain packages, especially kernels. Deployers must opt in to meet the requirements of this STIG control.

Deployers should set the following variable to enable automatic dependent package removal:

security_package_clean_on_remove: yes

V-71997

  • Summary: The operating system must be a vendor supported release.

  • Severity: High

  • Implementation Status: Exception - Manual Intervention

Deployer/Auditor notes

The STIG requires that the current release of the operating system is still supported and is actively receiving security updates. Deployers are urged to stay current with the latest releases from Ubuntu, SUSE, CentOS and Red Hat.

The following links provide more details on end of life (EOL) dates for the distributions supported by this role:


V-71999

  • Summary: Vendor packaged system security patches and updates must be installed and up to date.

  • Severity: Medium

  • Implementation Status: Opt-In

Deployer/Auditor notes

Although the STIG requires that security patches and updates are applied when they are made available, this might be disruptive to some systems. Therefore, the tasks in the security role will not configure automatic updates by default.

Deployers can opt in for automatic package updates by setting the following Ansible variable:

security_rhel7_automatic_package_updates: yes

When enabled, the tasks install and configure yum-cron on CentOS and Red Hat Enterprise Linux. On Ubuntu systems, the unattended-upgrades package is installed and configured. On openSUSE Leap and SUSE Linux Enterprise systems, a daily cron job is installed.


V-72077

  • Summary: The telnet-server package must not be installed.

  • Severity: High

  • Implementation Status: Implemented

Deployer/Auditor notes

The role will remove the telnet server package from the system if it is installed. The package name differs between Linux distributions:

  • CentOS: telnet-server

  • Ubuntu: telnetd

  • openSUSE Leap: telnet-server

Deployers can opt out of this change by setting the following Ansible variable:

security_rhel7_remove_telnet_server: no

V-72233

  • Summary: All networked systems must have SSH installed.

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

The STIG requires that every system has an ssh client and server installed. The role installs the following packages:

  • CentOS: openssh-clients, openssh-server

  • Ubuntu: openssh-client, openssh-server

  • openSUSE Leap: openssh


V-72299

  • Summary: A File Transfer Protocol (FTP) server package must not be installed unless needed.

  • Severity: High

  • Implementation Status: Not Implemented

Deployer/Auditor notes

This STIG is not yet implemented.


V-72301

  • Summary: The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for operational support.

  • Severity: High

  • Implementation Status: Implemented

Deployer/Auditor notes

The role will remove the TFTP server package from the system if it is installed. The package name differs between Linux distributions:

  • CentOS: tftp-server

  • Ubuntu: tftpd

  • openSUSE Leap: tftp

Deployers can opt out of this change by setting the following Ansible variable:

security_rhel7_remove_tftp_server: no

V-72307

  • Summary: An X Windows display manager must not be installed unless approved.

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

The role will remove the xorg server package from the system if it is installed. The package name differs between Linux distributions:

  • CentOS: xorg-x11-server-Xorg

  • Ubuntu: xorg-xserver

  • openSUSE Leap: xorg-x11-server

Deployers can opt out of this change by setting the following Ansible variable:

security_rhel7_remove_xorg: no

V-72417

  • Summary: The operating system must have the required packages for multifactor authentication installed.

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

The STIG requires that the following multifactor authentication packages are installed:

  • authconfig

  • authconfig-gtk

  • esc

  • pam_pkcs11

These packages are benign if they are not needed on a system, but authconfig-gtk may cause some graphical dependencies to be installed which may not be needed on some systems. The security role installs these packages, but it skips the installation of authconfig-gtk. Deployers can install the graphical package manually if needed.

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License.