
Category 3 (High) controls

V-38462: The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.

Ensuring all packages’ cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.

Details: V-38462 in STIG Viewer.

Notes for deployers

Ubuntu verifies packages against GPG signatures by default. That verification can be turned off for all package installations by a setting in /etc/apt/apt.conf.d/, and the Ansible task searches for that setting. A warning is printed if the AllowUnauthenticated configuration option is present in the apt configuration directories.

Please note that users can pass an argument on the apt command line to bypass the checks as well, but that’s outside the scope of this check and remediation.
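A sketch of the presence check described above, as an added example rather than the role's own Ansible task: it scans apt configuration text for a live AllowUnauthenticated setting and ignores commented-out occurrences. The function names and the sample fragments are constructed for illustration.

```python
import re

# Quoted strings are kept; // and /* */ comments are dropped (apt.conf comment styles).
_TOKEN = re.compile(r'"[^"\n]*"|//[^\n]*|/\*.*?\*/', re.S)
# Matches both the scoped form (APT::Get::AllowUnauthenticated) and the nested form.
_OPTION = re.compile(r'AllowUnauthenticated\s+"?([^";\s]*)"?\s*;', re.I)


def strip_comments(text):
    """Remove apt.conf comments without touching quoted values such as URLs."""
    text = _TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)
    # Lines starting with '#' are comments (or directives) as well.
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def find_allow_unauthenticated(fragments):
    """Return (filename, value) for every live AllowUnauthenticated setting."""
    hits = []
    for name, text in sorted(fragments.items()):
        for match in _OPTION.finditer(strip_comments(text)):
            hits.append((name, match.group(1)))
    return hits


# Constructed sample fragments, standing in for files under /etc/apt/apt.conf.d/.
SAMPLE = {
    "01autoremove": 'APT::NeverAutoRemove { "^firmware-linux.*"; };\n',
    "50proxy": 'Acquire::http::Proxy "http://proxy.example:3128/";  // site proxy\n',
    "70debconf": '// APT::Get::AllowUnauthenticated "true";\n',
    "90local": 'APT::Get::AllowUnauthenticated "true";\n',
    "99nested": 'APT {\n  Get {\n    /* temporary */ AllowUnauthenticated "yes";\n  };\n};\n',
}

if __name__ == "__main__":
    for name, value in find_allow_unauthenticated(SAMPLE):
        print("WARNING: %s sets AllowUnauthenticated to %r" % (name, value))
```
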

V-38476: Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.

The Red Hat GPG keys are necessary to cryptographically verify packages are from Red Hat.

Details: V-38476 in STIG Viewer.

Notes for deployers

The STIG talks about yum having the RHN GPG keys installed, but this requirement has been adapted to check for the Ubuntu signing keys normally present in Ubuntu 14.04.

See tasks/apt.yml for more details:

# apt-key list
/etc/apt/trusted.gpg
--------------------
pub   1024D/437D05B5 2004-09-12
uid                  Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub   2048g/79164387 2004-09-12

pub   1024D/FBB75451 2004-12-30
uid                  Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>

pub   4096R/C0B21F32 2012-05-11
uid                  Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>

pub   4096R/EFE21092 2012-05-11
uid                  Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>

V-38491: There must be no .rhosts or hosts.equiv files on the system.

Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.

Details: V-38491 in STIG Viewer.

Notes for deployers

The Ansible task will check for the presence of /etc/hosts.equiv and /root/.rhosts. Both of those files could potentially be used with rsh for host access, but rshd is not installed by default with Ubuntu 14.04 or openstack-ansible.

V-38497: The system must not have accounts configured with blank or null passwords.

If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

Details: V-38497 in STIG Viewer.

Notes for deployers

Ubuntu 14.04 allows accounts with null passwords to authenticate via PAM by default. This STIG requires that those login attempts are blocked.

In Ubuntu, this functionality is controlled by the nullok_secure parameter found in /etc/pam.d/common-auth. The Ansible task for this STIG will remove the nullok_secure parameter from the PAM configuration file. The effects of the change are immediate and no service restarts are required.

However, deployers can opt out of this change by adjusting an Ansible variable:

pam_remove_nullok: no

Setting the variable to yes (the default) will cause the Ansible tasks to remove the nullok_secure parameter while setting the variable to no will leave the PAM configuration unchanged.
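The remediation described above, as an added example that is not the role's own task: it strips nullok_secure from non-comment PAM lines and honours the opt-out variable. Going one step beyond the task, it also lists accounts whose shadow password field is empty. Function names and both sample files are constructed.

```python
import re

# nullok_secure as a whole whitespace-separated argument, with its leading blanks.
_NULLOK = re.compile(r"[ \t]+nullok_secure(?=\s|$)")


def remove_nullok_secure(pam_text, pam_remove_nullok=True):
    """Return (new_text, changed_line_numbers) for a PAM configuration file."""
    if not pam_remove_nullok:          # deployer opted out: leave PAM untouched
        return pam_text, []
    out, changed = [], []
    for number, line in enumerate(pam_text.splitlines(keepends=True), start=1):
        # Commented-out lines are inert, so they are left exactly as written.
        new = line if line.lstrip().startswith("#") else _NULLOK.sub("", line)
        if new != line:
            changed.append(number)
        out.append(new)
    return "".join(out), changed


def empty_password_accounts(shadow_text):
    """Return account names whose password field in shadow(5) format is empty."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            names.append(fields[0])
    return names


# Constructed samples in the format of /etc/pam.d/common-auth and /etc/shadow.
COMMON_AUTH = (
    "# here are the per-package modules (the \"Primary\" block)\n"
    "auth\t[success=1 default=ignore]\tpam_unix.so nullok_secure\n"
    "# auth sufficient pam_unix.so nullok_secure\n"
    "auth\trequisite\t\t\tpam_deny.so\n"
)
SHADOW = (
    "root:!:16000:0:99999:7:::\n"
    "svc-backup::16000:0:99999:7:::\n"
    "alice:$6$constructed$hashvalue:16000:0:99999:7:::\n"
)

if __name__ == "__main__":
    text, changed = remove_nullok_secure(COMMON_AUTH)
    print("lines changed:", changed)
    print("accounts with empty passwords:", empty_password_accounts(SHADOW))
```
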

V-38587: The telnet-server package must not be installed.

Removing the “telnet-server” package decreases the risk of the unencrypted telnet service’s accidental (or intentional) activation. Mitigation: If the telnet-server package is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.

Details: V-38587 in STIG Viewer.

Notes for deployers

The telnetd service will be removed by the Ansible tasks if it is installed. To opt out of this change, set the following variable to no:

security_remove_telnet_server: no

V-38589: The telnet daemon must not be running.

The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks. Mitigation: If an enabled telnet daemon is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.

Details: V-38589 in STIG Viewer.

Notes for deployers

Fixed by another STIG

Neither Ubuntu nor openstack-ansible installs the telnet daemon by default. Running a telnet daemon isn’t recommended in most situations, so the telnet server package will be removed from the system if it is installed.

The telnet server is removed by the Ansible tasks for V-38587, so no action is required here.

V-38591: The rsh-server package must not be installed.

The “rsh-server” package provides several obsolete and insecure network services. Removing it decreases the risk of those services’ accidental (or intentional) activation.

Details: V-38591 in STIG Viewer.

Notes for deployers

The rshd service will be removed by the Ansible tasks if it is installed. To opt out of this change, set the following variable to no:

security_remove_rsh_server: no

V-38594: The rshd service must not be running.

The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

Details: V-38594 in STIG Viewer.

Notes for deployers

Fixed by another STIG

Neither Ubuntu nor openstack-ansible installs the rsh daemon by default. Running an rsh daemon isn’t recommended in most situations, so the rsh server package will be removed from the system if it is installed.

The rsh server is removed by the Ansible tasks for V-38591, so no action is required here.

V-38598: The rexecd service must not be running.

The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

Details: V-38598 in STIG Viewer.

Notes for deployers

Fixed by another STIG

The rexecd daemon is part of the package that contains the rsh daemon.

Neither Ubuntu nor openstack-ansible installs the rsh daemon by default. Running an rsh daemon isn’t recommended in most situations, so the rsh server package will be removed from the system if it is installed.

The rsh server is removed by the Ansible tasks for V-38591, so no action is required here.

V-38602: The rlogind service must not be running.

The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

Details: V-38602 in STIG Viewer.

Notes for deployers

Fixed by another STIG

The rlogind daemon is part of the package that contains the rsh daemon.

Neither Ubuntu nor openstack-ansible installs the rsh daemon by default. Running an rsh daemon isn’t recommended in most situations, so the rsh server package will be removed from the system if it is installed.

The rsh server is removed by the Ansible tasks for V-38591, so no action is required here.

V-38607: The SSH daemon must be configured to use only the SSHv2 protocol.

SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.

Details: V-38607 in STIG Viewer.

Notes for deployers

The tasks in sshd.yml will ensure that SSH uses protocol version 2.

V-38614: The SSH daemon must not allow authentication using an empty password.

Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

Details: V-38614 in STIG Viewer.

Notes for deployers

The tasks in sshd.yml will ensure that SSH does not allow empty passwords.

V-38653: The snmpd service must not use a default password.

Presence of the default SNMP password enables querying of different system aspects and could result in unauthorized knowledge of the system.

Details: V-38653 in STIG Viewer.

Notes for deployers

Exception

The openstack-ansible project doesn’t install snmpd by default, and neither does Ubuntu 14.04. Deployers are strongly recommended to use SNMPv3 with strong passwords for all connectivity if they choose to install snmpd.

V-38666: The system must use and update a DoD-approved virus scan program.

Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.

Details: V-38666 in STIG Viewer.

Notes for deployers

Exception

Installing an antivirus program on openstack-ansible infrastructure is left up to the deployer. There are strong arguments against virus scanners due to detection failures and performance impacts.

For deployers who require an antivirus solution, refer to the suggestions and examples in Ubuntu’s documentation on antivirus software.

V-38668: The x86 Ctrl-Alt-Delete key sequence must be disabled.

A locally logged-in user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.

Details: V-38668 in STIG Viewer.

Notes for deployers

The control-alt-delete keyboard sequence is disabled in /etc/init/control-alt-delete.conf by an Ansible task. A reboot is recommended to apply the change.

V-38677: The NFS server must not have the insecure file locking option enabled.

Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user.

Details: V-38677 in STIG Viewer.

Notes for deployers

The tasks in nfsd.yml first check to see if the system has NFS exports. If so, they then check for the presence of ‘insecure_locks’.
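One way to carry out the two-step check described above, as an added example rather than the contents of nfsd.yml: it parses text in /etc/exports format and reports each export whose effective options enable insecure locking. It goes beyond the page by also recognising no_auth_nlm, the exports(5) synonym for insecure_locks, and by handling default options and line continuations; function names and the sample are constructed.

```python
INSECURE = {"insecure_locks", "no_auth_nlm"}   # synonyms in exports(5)
SECURE = {"secure_locks", "auth_nlm"}          # their explicit opposites

def logical_lines(text):
    """Yield (first_line_number, content): comments dropped, '\\' lines joined."""
    buffer, start = "", None
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()
        start = number if start is None else start
        if line.endswith("\\"):
            buffer += line[:-1] + " "
            continue
        if (buffer + line).strip():
            yield start, buffer + line
        buffer, start = "", None

def insecure_lock_exports(exports_text):
    """Return (line_number, path, client) for exports with insecure locking."""
    findings = []
    for number, line in logical_lines(exports_text):
        path, *tokens = line.split()
        defaults = []
        for token in tokens:
            if token.startswith("-"):        # default options for later clients
                defaults = token[1:].split(",")
                continue
            client, _, opts = token.partition("(")
            insecure = False
            for option in defaults + opts.rstrip(")").split(","):
                if option in INSECURE or option in SECURE:
                    insecure = option in INSECURE   # assumed: last setting wins
            if insecure:
                findings.append((number, path, client or "(any host)"))
    return findings

# Constructed sample in /etc/exports format (paths without spaces assumed).
SAMPLE = """\
/srv/images   10.0.0.0/24(rw,sync,no_subtree_check)
/srv/legacy   oldhost(rw,insecure_locks) 10.0.0.5(ro)
/srv/scratch  -sync,no_auth_nlm \\
              build1 build2(rw) build3(rw,secure_locks)
# /srv/old    *(rw,insecure_locks)
"""

if __name__ == "__main__":
    for finding in insecure_lock_exports(SAMPLE):
        print("insecure locking: line %d, %s exported to %s" % finding)
```

An empty result covers both outcomes of the first step: no exports at all, or exports without the option.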

V-38701: The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.

Using the “-s” option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally specified directory reduces the risk of sharing files which should remain private.

Details: V-38701 in STIG Viewer.

Notes for deployers

Exception

Neither Ubuntu 14.04 nor openstack-ansible adds a tftp daemon to the system. The xinetd service is also not installed.
