Newton Series Release Notes
`PermitRootLogin` in the ssh configuration has changed to `without-password`. This only allows root to authenticate over ssh with a key.
The installation of `chrony` is still enabled by default, but it is now controlled by the
The role now enables auditing during early boot to comply with the requirements in V-38438. By default, the GRUB configuration variables in `/etc/default/grub.d/` will be updated and the active `grub.cfg` will be updated.
Deployers can opt out of the change entirely by setting a variable:
Deployers may opt in for the change without automatically updating the active `grub.cfg` file by setting the following Ansible variables:

```yaml
security_enable_audit_during_boot: yes
security_enable_grub_update: no
```
A task was added to disable secure ICMP redirects per the requirements in V-38526. This change can cause problems in some environments, so it is disabled by default. Deployers can enable the task (which disables secure ICMP redirects) by setting
A new task was added to disable ICMPv6 redirects per the requirements in V-38548. However, since this change can cause problems in running OpenStack environments, it is disabled by default. Deployers who wish to enable this task (and disable ICMPv6 redirects) should set
AIDE is configured to skip the entire `/var` directory when it does the database initialization and when it performs checks. This reduces disk I/O and allows these jobs to complete faster.
This also allows the initialization to become a blocking process and Ansible will wait for the initialization to complete prior to running the next task.
The auditd rules template included a rule that audited changes to the AppArmor policies, but the SELinux policy changes were not being audited. Any changes to SELinux policies in `/etc/selinux` are now being logged by auditd.
Although the STIG requires martian packets to be logged, the logging is now disabled by default. The logs can quickly fill up a syslog server or make a physical console unusable.
Deployers that need this logging enabled will need to set the following Ansible variable:
The security role now has tasks that will disable the graphical interface on a server using upstart (Ubuntu 14.04) or systemd (Ubuntu 16.04 and CentOS 7). These changes take effect after a reboot.
Deployers that need a graphical interface will need to set the following Ansible variable:
An Ansible task was added to disable the `rdisc` service on CentOS systems if the service is installed on the system.
Deployers can opt out of this change by setting
The Linux Security Module (LSM) that is appropriate for the Linux distribution in use will be automatically enabled by the security role by default. Deployers can opt out of this change by setting the following Ansible variable:
The documentation for STIG V-51337 has more information about how each LSM is enabled along with special notes for SELinux.
A task was added that restricts ICMPv4 redirects to meet the requirements of V-38524 in the STIG. This configuration is disabled by default since it could cause issues with LXC in some environments.
Deployers can enable this configuration by setting an Ansible variable:
The audit rules added by the security role now have key fields that make it easier to link the audit log entry to the audit rule that caused it to appear.
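The point of the key fields is that a log entry can be traced back to the rule that produced it. The following is an added example, not code from the ansible-hardening role: it parses a constructed `audit.rules` fragment and constructed `audit.log` lines (the rule keys and log contents are made up for this example) and links each keyed entry to the rule(s) that declare that key, skipping entries with `key=(null)`.

```python
import re
from collections import Counter

# Constructed audit rules in auditd's rules syntax; every rule carries a
# -k key so that matching log entries can be traced back to it.
SAMPLE_RULES = """\
# constructed rules, not the role's own rules file
-w /etc/selinux/ -p wa -k mac-policy
-a always,exit -F arch=b64 -S mount -k fs-mounts
-w /etc/sudoers -p wa -k privileged-config
"""

# Constructed audit.log lines in auditd's native key=value format.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1478000000.101:201): arch=c000003e syscall=165 success=yes exit=0 comm="mount" key="fs-mounts"
type=CONFIG_CHANGE msg=audit(1478000000.102:202): auid=1000 ses=3 op=add_rule key="mac-policy" list=4 res=1
type=PATH msg=audit(1478000000.103:203): item=0 name="/etc/selinux/config" inode=123 mode=0100644
type=SYSCALL msg=audit(1478000000.104:204): arch=c000003e syscall=2 success=yes exit=3 comm="vi" key="mac-policy"
type=SYSCALL msg=audit(1478000000.105:205): arch=c000003e syscall=2 success=yes exit=3 comm="cat" key=(null)
"""

RULE_KEY_RE = re.compile(r"(?:^|\s)-k\s+(\S+)")
ENTRY_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):(?P<rest>.*)$")
KEY_RE = re.compile(r'\skey=(?:"(?P<key>[^"]*)"|\(null\))')


def rules_by_key(rules_text):
    """Map each -k key to the rule line(s) that declare it."""
    mapping = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_KEY_RE.search(line)
        if m:
            mapping.setdefault(m.group(1), []).append(line)
    return mapping


def parse_entry(line):
    """Parse one audit.log line; returns None for lines not in the expected shape."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    k = KEY_RE.search(m.group("rest"))
    return {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "key": k.group("key") if k else None,  # None for key=(null) or no key field
    }


def link_entries(log_text, rules_text):
    """Return the keyed entries, each annotated with the rule(s) behind its key."""
    rules = rules_by_key(rules_text)
    linked = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None or entry["key"] is None:
            continue
        entry["rules"] = rules.get(entry["key"], [])
        linked.append(entry)
    return linked


def count_by_key(log_text):
    """How many entries each key produced; useful for spotting noisy rules."""
    entries = (parse_entry(line) for line in log_text.splitlines())
    return Counter(e["key"] for e in entries if e and e["key"])


if __name__ == "__main__":
    for e in link_entries(SAMPLE_LOG, SAMPLE_RULES):
        print(e["serial"], e["type"], e["key"], "<-", e["rules"])
    print(dict(count_by_key(SAMPLE_LOG)))
```

The per-key count is the quick way to see which rule is responsible for an unexpectedly large audit log, which is the kind of noise several of the notes on this page (DAC auditing, failed access logging) exist to reduce.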
A new configuration parameter `security_ntp_bind_local_interfaces` was added to the security role to restrict the network interfaces on which chronyd listens for NTP requests.
The security role now supports the ability to configure whether apt/yum tasks install the latest available package, or just ensure that the package is present. The default action is to ensure that the latest package is present. The action taken may be changed to only ensure that the package is present by setting
The GPG key checks for package verification in V-38476 are now working for Red Hat Enterprise Linux 7 in addition to CentOS 7. The checks only look for GPG keys from Red Hat and any other GPG keys, such as ones imported from the EPEL repository, are skipped.
Tasks were added to search for any device files without a proper SELinux label on CentOS systems. If any of these device labels are found, the playbook execution will stop with an error message.
The ansible-hardening role supports the application of the Red Hat Enterprise Linux 6 STIG configurations to systems running CentOS 7 and Ubuntu 16.04 LTS.
`security_audit_apparmor_changes` is now renamed to `security_audit_mac_changes` and is enabled by default. Setting it to `no` will disable syscall auditing for any changes to AppArmor policies (in Ubuntu) or SELinux policies (in CentOS).
`security_sysctl_tcp_syncookies`, and it is now a boolean instead of an integer. It is still enabled by default, but deployers can disable TCP syncookies by setting the following Ansible variable:
The security role always checks whether the latest package is installed when executed. If a deployer wishes to change the check to only validate the presence of the package, the option `security_package_state` should be set to
All of the discretionary access control (DAC) auditing is now disabled by default. This reduces the amount of logs generated during deployments and minor upgrades. The following variables are now set to `no`:

```yaml
security_audit_DAC_chmod: no
security_audit_DAC_chown: no
security_audit_DAC_lchown: no
security_audit_DAC_fchmod: no
security_audit_DAC_fchmodat: no
security_audit_DAC_fchown: no
security_audit_DAC_fchownat: no
security_audit_DAC_fremovexattr: no
security_audit_DAC_lremovexattr: no
security_audit_DAC_fsetxattr: no
security_audit_DAC_lsetxattr: no
security_audit_DAC_setxattr: no
```
All variables in the security role are now prefixed with `security_` to avoid collisions with variables in other roles. All deployers who have used the security role in previous releases will need to prefix all security role variables with `security_`.
For example, a deployer could have disabled direct root ssh logins with the following variable:
That variable would become:
The `/run` directory is excluded from AIDE checks since the files and directories there are only temporary and often change when services start and stop.
AIDE initialization is now always run on subsequent playbook runs when `security_initialize_aide` is set to `yes`. The initialization will be skipped if AIDE isn't installed or if the AIDE database already exists.
See bug 1616281 for more details.
The role previously did not restart the audit daemon after generating a new rules file. The bug has been fixed and the audit daemon will be restarted after any audit rule changes.
The dictionary-based variables in `defaults/main.yml` are now individual variables. The dictionary-based variables could not be changed as the documentation instructed; instead, the entire dictionary had to be overridden. Deployers must use the new variable names to enable or disable the security configuration changes applied by the security role. For more information, see Launchpad Bug 1577944.
Failed access logging is now disabled by default and can be enabled by changing its variable to `yes`. The rsyslog daemon checks for the existence of log files regularly and this audit rule was triggered very frequently, which led to very large audit logs.
An Ansible task was added to disable the `netconsole` service on CentOS systems if the service is installed on the system.
Deployers can opt out of this change by setting
The security role previously set the permissions on all audit log files to `0400`, but this prevents the audit daemon from writing to the active log file, which in turn prevents `auditd` from starting or restarting cleanly.
The task now removes any permissions that are not allowed by the STIG. Any log files that meet or exceed the STIG requirements will not be modified.
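The fix described above is a "remove what is not allowed, never add" operation rather than forcing one fixed mode. The following is an added example, not the role's own task: it applies a permission ceiling to every regular file in a directory with a bitwise AND, so a file that is already stricter (such as `0400`) is left untouched and the owner's write bit on the active log is never taken away. The ceiling of `0640` is an assumption made for this example; the page does not state the STIG's value.

```python
import os
import stat
import tempfile

# Assumption for this example: the ceiling for audit log files is 0640
# (owner read/write, group read). Bits outside this mask are removed;
# bits inside it are never added, so a stricter file such as 0400 stays as it is.
STIG_MAX_MODE = 0o640


def tightened_mode(current_mode, max_mode=STIG_MAX_MODE):
    """Return the mode with every bit the ceiling does not allow cleared."""
    return current_mode & max_mode


def fix_audit_log_perms(log_dir, max_mode=STIG_MAX_MODE):
    """Tighten regular files under log_dir; returns (name, old, new) for each change."""
    changed = []
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue  # skip symlinks, sockets and subdirectories
        current = stat.S_IMODE(st.st_mode)
        wanted = tightened_mode(current, max_mode)
        if wanted != current:  # compliant files are not modified
            os.chmod(path, wanted)
            changed.append((name, current, wanted))
    return changed


def demo():
    """Build a throwaway directory with constructed files and run the fix on it."""
    with tempfile.TemporaryDirectory() as log_dir:
        # Constructed files: a too-open active log, an already-strict rotated
        # log, and a group-writable rotated log.
        for name, mode in [("audit.log", 0o644), ("audit.log.1", 0o400), ("audit.log.2", 0o664)]:
            path = os.path.join(log_dir, name)
            open(path, "w").close()
            os.chmod(path, mode)
        changed = fix_audit_log_perms(log_dir)
        final = {
            n: stat.S_IMODE(os.stat(os.path.join(log_dir, n)).st_mode)
            for n in os.listdir(log_dir)
        }
        return changed, final


if __name__ == "__main__":
    changed, final = demo()
    for name, old, new in changed:
        print(f"{name}: {old:04o} -> {new:04o}")
    print({n: f"{m:04o}" for n, m in final.items()})
```

Because the operation is a mask, running it repeatedly is idempotent, which is what an Ansible task that reports `changed` honestly needs.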
When the security role was run in Ansible's check mode and a tag was provided, the `check_mode` variable was not being set. Any tasks which depend on that variable would fail. This bug is fixed and the `check_mode` variable is now set properly on every playbook run.
The security role now handles `ssh_config` files that contain `Match` stanzas. A marker is added to the configuration file and any new configuration items will be added below that marker. In addition, the configuration file is validated for each change to the ssh configuration file.
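Why the marker matters: in sshd's configuration, a keyword that appears after a `Match` line applies only to that stanza, so a global option appended to the end of the file silently does nothing for everyone else. The following is an added example, not the role's own code, of how an editor can keep new global options above the first `Match` stanza: existing global occurrences are rewritten in place, anything new goes under a marker placed just before the first `Match`, and a helper reports the effective global value the same way sshd would (first occurrence wins). The marker text and the sample configuration are constructed for this example.

```python
import re

# Hypothetical marker text; the role's own marker wording is not shown on the page.
MARKER = "# BEGIN hardening-managed sshd options (assumed marker)"
MATCH_RE = re.compile(r"^\s*Match\b", re.IGNORECASE)

# Constructed sshd_config with one Match stanza at the end.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config, not a real host's file
Port 22
PermitRootLogin yes
X11Forwarding yes

Match User backup
    PasswordAuthentication no
    X11Forwarding no
"""


def first_match_index(lines):
    """Index of the first Match line, or len(lines) if there is none."""
    return next((i for i, line in enumerate(lines) if MATCH_RE.match(line)), len(lines))


def insert_global_options(config_text, options):
    """Set global options (dict keyword -> value) without touching any Match stanza.

    Existing global directives are replaced where they stand; new ones are
    added under MARKER, which is created just above the first Match line.
    """
    lines = config_text.splitlines()
    split = first_match_index(lines)
    global_lines, match_lines = lines[:split], lines[split:]
    pending = dict(options)
    out = []
    for line in global_lines:
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            keyword = stripped.split(None, 1)[0].lower()  # sshd keywords are case-insensitive
            for name in list(pending):
                if name.lower() == keyword:
                    line = f"{name} {pending.pop(name)}"  # replace in place, keep position
                    break
        out.append(line)
    if pending:
        if MARKER not in out:
            out.append(MARKER)
        at = out.index(MARKER) + 1
        for name, value in pending.items():
            out.insert(at, f"{name} {value}")
            at += 1
    return "\n".join(out + match_lines) + "\n"


def effective_global(config_text, keyword):
    """Value sshd would use globally: the first occurrence before any Match stanza."""
    for line in config_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if MATCH_RE.match(s):
            return None  # only Match-scoped occurrences remain
        parts = s.split(None, 1)
        if parts[0].lower() == keyword.lower():
            return parts[1] if len(parts) > 1 else ""
    return None


if __name__ == "__main__":
    updated = insert_global_options(
        SAMPLE_SSHD_CONFIG,
        {"PermitRootLogin": "without-password", "ClientAliveInterval": "600"},
    )
    print(updated)
    print("PermitRootLogin ->", effective_global(updated, "PermitRootLogin"))
```

The validation step the note mentions is, for a candidate file on disk, `sshd -t -f /path/to/candidate`, which parses the file without starting the daemon; running it before swapping the file in is what keeps a typo in one option from locking everyone out on the next restart.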
The auditd rules for auditing V-38568 (filesystem mounts) were incorrectly labeled in the auditd logs with the key of `export-V-38568`. They are now correctly logged with the key