Xena Series Release Notes

New Features

  • It is now possible to modify the NTP server options in chrony using security_ntp_server_options.

  • Chrony got a new configuration option to synchronize the system clock back to the RTC using the security_ntp_sync_rtc variable. Disabled by default.

  • Added variable security_rhel7_enable_aide that is designed to avoid installation and initialization of the aide related STIGs

Upgrade Notes

  • Changed the default NTP server options in chrony.conf. The offline option has been removed, minpoll/maxpoll have been removed in favour of the upstream defaults, while the iburst option was added to speed up initial time synchronization.

Deprecation Notes

  • Fedora is no longer tested in CI for each commit.

New Features

  • Fedora 27 is now supported.

Deprecation Notes

  • Fedora 26 support is deprecated and no longer tested on each commit.

New Features

  • Generating and validating checksums for all files installed by packages is now disabled by default. The check causes delays in playbook runs and it can consume a significant amount of CPU and I/O resources. Deployers can re-enable the check by setting security_check_package_checksums to yes.

  • The security_sshd_permit_root_login setting can now be set to change the PermitRootLogin setting in /etc/ssh/sshd_config to any of the possible options. Set security_sshd_permit_root_login to one of without-password, prohibit-password, forced-commands-only, yes or no.

  • The tasks within the ansible-hardening role are now based on Version 1, Release 3 of the Red Hat Enteprise Linux Security Technical Implementation Guide.

  • The sysctl parameter kernel.randomize_va_space is now set to 2 by default. This matches the default of most modern Linux distributions and it ensures that Address Space Layout Randomization (ASLR) is enabled.

  • The Datagram Congestion Control Protocol (DCCP) kernel module is now disabled by default, but a reboot is required to make the change effective.

  • Searching for world-writable files is now disabled by default. The search causes delays in playbook runs and it can consume a significant amount of CPU and I/O resources. Deployers can re-enable the search by setting security_find_world_writable_dirs to yes.

New Features

  • Deployers can now specify a custom package name or URL for an EPEL release package. CentOS systems use epel-release by default, but some deployers have a customized package that redirects servers to internal mirrors.

  • Fedora 26 is now supported.

  • The default list of NTP servers for chrony are now more friendly to users outside North America. Deployers can still provide their own list of NTP servers with the security_ntp_servers Ansible variable.

  • The password minimum and maximum lifetimes are now opt-in changes that can take action against user accounts instead of printing debug warnings. Refer to the documentation for STIG requirements V-71927 and V-71931 to review the opt-in process and warnings.

Upgrade Notes

  • The EPEL repository is only installed and configured when the deployer sets security_enable_virus_scanner to yes. This allows the ClamAV packages to be installed. If security_enable_virus_scanner is set to no (the default), the EPEL repository will not be added.

    See Bug 1702167 for more details.

  • Deployers now have the option to prevent the EPEL repository from being installed by the role. Setting security_epel_install_repository to no prevents EPEL from being installed. This setting may prevent certain packages from installing, such as ClamAV.

  • The tasks for V-72181, which include adding audit rules for the pt_chown command, have been removed. They are not required in the RHEL 7 STIG V1R2 release.

Deprecation Notes

  • Fedora 25 support is deprecated and no longer tested on each commit.

Security Issues

  • PermitRootLogin in the ssh configuration has changed from yes to without-password. This will only allow ssh to be used to authenticate root via a key.

Bug Fixes

  • The sysctl configuration task was not skipping configurations where enabled was set to no. Instead, it was removing configurations when enabled: no was set.

    There is now a fix in place that ensures any sysctl configuration with enabled: no will be skipped and the configuration will be left unaltered on the system.


The first release of the Red Hat Enterprise Linux 7 STIG was entirely renumbered from the pre-release versions. Many of the STIG configurations simply changed numbers, but some were removed or changed. A few new configurations were added as well.

New Features

  • Deployers can provide a customized login banner via a new Ansible variable: security_login_banner_text. This banner text is used for non-graphical logins, which includes console and ssh logins.

Security Issues

  • The security role will no longer fix file permissions and ownership based on the contents of the RPM database by default. Deployers can opt in for these changes by setting security_reset_perm_ownership to yes.

  • The tasks that search for .shosts and shosts.equiv files (STIG ID: RHEL-07-040330) are now skipped by default. The search takes a long time to complete on systems with lots of files and it also causes a significant amount of disk I/O while it runs.

  • The latest version of the RHEL 7 STIG requires that a standard login banner is presented to users when they log into the system (V-71863). The security role now deploys a login banner that is used for console and ssh sessions.

  • The cn_map permissions and ownership adjustments included as part of RHEL-07-040070 and RHEL-07-040080 has been removed. This STIG configuration was removed in the most recent release of the RHEL 7 STIG.

  • The PKI-based authentication checks for RHEL-07-040030, RHEL-07-040040, and RHEL-07-040050 are no longer included in the RHEL 7 STIG. The tasks and documentation for these outdated configurations are removed.

New Features

  • The Red Hat Enterprise Linux (RHEL) 7 STIG content is now deployed by default. Deployers can continue using the RHEL 7 STIG content by setting the following Ansible variable:

    stig_version: rhel6

Upgrade Notes

  • Deployers should review the new RHEL 7 STIG variables in defaults/main.yml to provide custom configuration for the Ansible tasks.

Deprecation Notes

  • The Red Hat Enteprise Linux 6 STIG content has been deprecated. The tasks and variables for the RHEL 6 STIG will be removed in a future release.

New Features

  • The installation of chrony is still enabled by default, but it is now controlled by the security_enable_chrony variable.

Upgrade Notes

  • The security role will accept the currently installed version of a package rather than attempting to update it. This reduces unexpected changes on the system from subsequent runs of the security role. Deployers can still set security_package_state to latest to ensure that all packages installed by the security role are up to date.

New Features

  • The role now enables auditing during early boot to comply with the requirements in V-38438. By default, the GRUB configuration variables in /etc/default/grub.d/ will be updated and the active grub.cfg will be updated.

    Deployers can opt-out of the change entirely by setting a variable:

    security_enable_audit_during_boot: no

    Deployers may opt-in for the change without automatically updating the active grub.cfg file by setting the following Ansible variables:

    security_enable_audit_during_boot: yes
    security_enable_grub_update: no
  • Although the STIG requires martian packets to be logged, the logging is now disabled by default. The logs can quickly fill up a syslog server or make a physical console unusable.

    Deployers that need this logging enabled will need to set the following Ansible variable:

    security_sysctl_enable_martian_logging: yes

Upgrade Notes

  • All of the discretionary access control (DAC) auditing is now disabled by default. This reduces the amount of logs generated during deployments and minor upgrades. The following variables are now set to no:

    security_audit_DAC_chmod: no
    security_audit_DAC_chown: no
    security_audit_DAC_lchown: no
    security_audit_DAC_fchmod: no
    security_audit_DAC_fchmodat: no
    security_audit_DAC_fchown: no
    security_audit_DAC_fchownat: no
    security_audit_DAC_fremovexattr: no
    security_audit_DAC_lremovexattr: no
    security_audit_DAC_fsetxattr: no
    security_audit_DAC_lsetxattr: no
    security_audit_DAC_setxattr: no

Bug Fixes

  • The auditd rules for auditing V-38568 (filesystem mounts) were incorrectly labeled in the auditd logs with the key of export-V-38568. They are now correctly logged with the key filesystem_mount-V-38568.

New Features

  • A task was added to disable secure ICMP redirects per the requirements in V-38526. This change can cause problems in some environments, so it is disabled by default. Deployers can enable the task (which disables secure ICMP redirects) by setting security_disable_icmpv4_redirects_secure to yes.

  • A new task was added to disable ICMPv6 redirects per the requirements in V-38548. However, since this change can cause problems in running OpenStack environments, it is disabled by default. Deployers who wish to enable this task (and disable ICMPv6 redirects) should set security_disable_icmpv6_redirects to yes.

  • AIDE is configured to skip the entire /var directory when it does the database initialization and when it performs checks. This reduces disk I/O and allows these jobs to complete faster.

    This also allows the initialization to become a blocking process and Ansible will wait for the initialization to complete prior to running the next task.

  • The security role now supports the ability to configure whether apt/yum tasks install the latest available package, or just ensure that the package is present. The default action is to ensure that the latest package is present. The action taken may be changed to only ensure that the package is present by setting security_package_state to present.

Upgrade Notes

  • The variable security_sysctl_enable_tcp_syncookies has replaced security_sysctl_tcp_syncookies and it is now a boolean instead of an integer. It is still enabled by default, but deployers can disable TCP syncookies by setting the following Ansible variable:

    security_sysctl_enable_tcp_syncookies: no
  • The security role always checks whether the latest package is installed when executed. If a deployer wishes to change the check to only validate the presence of the package, the option security_package_state should be set to present.

Bug Fixes

  • The /run directory is excluded from AIDE checks since the files and directories there are only temporary and often change when services start and stop.

  • AIDE initialization is now always run on subsequent playbook runs when security_initialize_aide is set to yes. The initialization will be skipped if AIDE isn’t installed or if the AIDE database already exists.

    See bug 1616281 for more details.

New Features

  • The security role now has tasks that will disable the graphical interface on a server using upstart (Ubuntu 14.04) or systemd (Ubuntu 16.04 and CentOS 7). These changes take effect after a reboot.

    Deployers that need a graphical interface will need to set the following Ansible variable:

    security_disable_x_windows: no
  • A task was added that restricts ICMPv4 redirects to meet the requirements of V-38524 in the STIG. This configuration is disabled by default since it could cause issues with LXC in some environments.

    Deployers can enable this configuration by setting an Ansible variable:

    security_disable_icmpv4_redirects: yes
  • The audit rules added by the security role now have key fields that make it easier to link the audit log entry to the audit rule that caused it to appear.

  • The GPG key checks for package verification in V-38476 are now working for Red Hat Enterprise Linux 7 in addition to CentOS 7. The checks only look for GPG keys from Red Hat and any other GPG keys, such as ones imported from the EPEL repository, are skipped.

Bug Fixes

  • The role previously did not restart the audit daemon after generating a new rules file. The bug has been fixed and the audit daemon will be restarted after any audit rule changes.

  • When the security role was run in Ansible’s check mode and a tag was provided, the check_mode variable was not being set. Any tasks which depend on that variable would fail. This bug is fixed and the check_mode variable is now set properly on every playbook run.

New Features

  • The auditd rules template included a rule that audited changes to the AppArmor policies, but the SELinux policy changes were not being audited. Any changes to SELinux policies in /etc/selinux are now being logged by auditd.

  • An Ansible was added to disable the rdisc service on CentOS systems if the service is installed on the system.

    Deployers can opt-out of this change by setting security_disable_rdisc to no.

  • The Linux Security Module (LSM) that is appropriate for the Linux distribution in use will be automatically enabled by the security role by default. Deployers can opt out of this change by setting the following Ansible variable:

    security_enable_linux_security_module: False

    The documentation for STIG V-51337 has more information about how each LSM is enabled along with special notes for SELinux.

  • A new configuration parameter security_ntp_bind_local_interfaces was added to the security role to restrict the network interface to which chronyd will listen for NTP requests.

  • Tasks were added to search for any device files without a proper SELinux label on CentOS systems. If any of these device labels are found, the playbook execution will stop with an error message.

  • The openstack-ansible-security role supports the application of the Red Hat Enterprise Linux 6 STIG configurations to systems running CentOS 7 and Ubuntu 16.04 LTS.

Upgrade Notes

  • The variable security_audit_apparmor_changes is now renamed to security_audit_mac_changes and is enabled by default. Setting security_audit_mac_changes to no will disable syscall auditing for any changes to AppArmor policies (in Ubuntu) or SELinux policies (in CentOS).

  • All variables in the security role are now prepended with security_ to avoid collisions with variables in other roles. All deployers who have used the security role in previous releases will need to prepend all security role variables with security_.

    For example, a deployer could have disabled direct root ssh logins with the following variable:

    ssh_permit_root_login: yes

    That variable would become:

    security_ssh_permit_root_login: yes

Bug Fixes

  • The dictionary-based variables in defaults/main.yml are now individual variables. The dictionary-based variables could not be changed as the documentation instructed. Instead it was required to override the entire dictionary. Deployers must use the new variable names to enable or disable the security configuration changes applied by the security role. For more information, see Launchpad Bug 1577944.

  • Failed access logging is now disabled by default and can be enabled by changing security_audit_failed_access to yes. The rsyslog daemon checks for the existence of log files regularly and this audit rule was triggered very frequently, which led to very large audit logs.

  • An Ansible task was added to disable the netconsole service on CentOS systems if the service is installed on the system.

    Deployers can opt-out of this change by setting security_disable_netconsole to no.

  • The security role previously set the permissions on all audit log files in /var/log/audit to 0400, but this prevents the audit daemon from writing to the active log file. This will prevent auditd from starting or restarting cleanly.

    The task now removes any permissions that are not allowed by the STIG. Any log files that meet or exceed the STIG requirements will not be modified.

  • The security role now handles ssh_config files that contain Match stanzas. A marker is added to the configuration file and any new configuration items will be added below that marker. In addition, the configuration file is validated for each change to the ssh configuration file.