Newton Series Release Notes

14.0.5

New Features

  • The installation of chrony is still enabled by default, but it is now controlled by the security_enable_chrony variable.

14.0.0

New Features

  • The role now enables auditing during early boot to comply with the requirements in V-38438. By default, the GRUB configuration variables in /etc/default/grub.d/ will be updated and the active grub.cfg will be updated.

    Deployers can opt-out of the change entirely by setting a variable:

    security_enable_audit_during_boot: no
    

    Deployers may opt-in for the change without automatically updating the active grub.cfg file by setting the following Ansible variables:

    security_enable_audit_during_boot: yes
    security_enable_grub_update: no
    
  • A task was added to disable secure ICMP redirects per the requirements in V-38526. This change can cause problems in some environments, so it is disabled by default. Deployers can enable the task (which disables secure ICMP redirects) by setting security_disable_icmpv4_redirects_secure to yes.
  • A new task was added to disable ICMPv6 redirects per the requirements in V-38548. However, since this change can cause problems in running OpenStack environments, it is disabled by default. Deployers who wish to enable this task (and disable ICMPv6 redirects) should set security_disable_icmpv6_redirects to yes.
  • AIDE is configured to skip the entire /var directory when it does the database initialization and when it performs checks. This reduces disk I/O and allows these jobs to complete faster.

    This also allows the initialization to become a blocking process and Ansible will wait for the initialization to complete prior to running the next task.

  • The auditd rules template included a rule that audited changes to the AppArmor policies, but the SELinux policy changes were not being audited. Any changes to SELinux policies in /etc/selinux are now being logged by auditd.
  • Although the STIG requires martian packets to be logged, the logging is now disabled by default. The logs can quickly fill up a syslog server or make a physical console unusable.

    Deployers that need this logging enabled will need to set the following Ansible variable:

    security_sysctl_enable_martian_logging: yes
    
  • The security role now has tasks that will disable the graphical interface on a server using upstart (Ubuntu 14.04) or systemd (Ubuntu 16.04 and CentOS 7). These changes take effect after a reboot.

    Deployers that need a graphical interface will need to set the following Ansible variable:

    security_disable_x_windows: no
    
  • An Ansible was added to disable the rdisc service on CentOS systems if the service is installed on the system.

    Deployers can opt-out of this change by setting security_disable_rdisc to no.

  • The Linux Security Module (LSM) that is appropriate for the Linux distribution in use will be automatically enabled by the security role by default. Deployers can opt out of this change by setting the following Ansible variable:

    security_enable_linux_security_module: False
    

    The documentation for STIG V-51337 has more information about how each LSM is enabled along with special notes for SELinux.

  • A task was added that restricts ICMPv4 redirects to meet the requirements of V-38524 in the STIG. This configuration is disabled by default since it could cause issues with LXC in some environments.

    Deployers can enable this configuration by setting an Ansible variable:

    security_disable_icmpv4_redirects: yes
    
  • The audit rules added by the security role now have key fields that make it easier to link the audit log entry to the audit rule that caused it to appear.
  • A new configuration parameter security_ntp_bind_local_interfaces was added to the security role to restrict the network interface to which chronyd will listen for NTP requests.
  • The security role now supports the ability to configure whether apt/yum tasks install the latest available package, or just ensure that the package is present. The default action is to ensure that the latest package is present. The action taken may be changed to only ensure that the package is present by setting security_package_state to present.
  • The GPG key checks for package verification in V-38476 are now working for Red Hat Enterprise Linux 7 in addition to CentOS 7. The checks only look for GPG keys from Red Hat and any other GPG keys, such as ones imported from the EPEL repository, are skipped.
  • Tasks were added to search for any device files without a proper SELinux label on CentOS systems. If any of these device labels are found, the playbook execution will stop with an error message.
  • The openstack-ansible-security role supports the application of the Red Hat Enterprise Linux 6 STIG configurations to systems running CentOS 7 and Ubuntu 16.04 LTS.

Upgrade Notes

  • The variable security_audit_apparmor_changes is now renamed to security_audit_mac_changes and is enabled by default. Setting security_audit_mac_changes to no will disable syscall auditing for any changes to AppArmor policies (in Ubuntu) or SELinux policies (in CentOS).
  • The variable security_sysctl_enable_tcp_syncookies has replaced security_sysctl_tcp_syncookies and it is now a boolean instead of an integer. It is still enabled by default, but deployers can disable TCP syncookies by setting the following Ansible variable:

    security_sysctl_enable_tcp_syncookies: no
    
  • The security role always checks whether the latest package is installed when executed. If a deployer wishes to change the check to only validate the presence of the package, the option security_package_state should be set to present.
  • All of the discretionary access control (DAC) auditing is now disabled by default. This reduces the amount of logs generated during deployments and minor upgrades. The following variables are now set to no:

    security_audit_DAC_chmod: no
    security_audit_DAC_chown: no
    security_audit_DAC_lchown: no
    security_audit_DAC_fchmod: no
    security_audit_DAC_fchmodat: no
    security_audit_DAC_fchown: no
    security_audit_DAC_fchownat: no
    security_audit_DAC_fremovexattr: no
    security_audit_DAC_lremovexattr: no
    security_audit_DAC_fsetxattr: no
    security_audit_DAC_lsetxattr: no
    security_audit_DAC_setxattr: no
    
  • All variables in the security role are now prepended with security_ to avoid collisions with variables in other roles. All deployers who have used the security role in previous releases will need to prepend all security role variables with security_.

    For example, a deployer could have disabled direct root ssh logins with the following variable:

    ssh_permit_root_login: yes
    

    That variable would become:

    security_ssh_permit_root_login: yes
    

Bug Fixes

  • The /run directory is excluded from AIDE checks since the files and directories there are only temporary and often change when services start and stop.
  • AIDE initialization is now always run on subsequent playbook runs when security_initialize_aide is set to yes. The initialization will be skipped if AIDE isn’t installed or if the AIDE database already exists.

    See bug 1616281 for more details.

  • The role previously did not restart the audit daemon after generating a new rules file. The bug has been fixed and the audit daemon will be restarted after any audit rule changes.
  • The dictionary-based variables in defaults/main.yml are now individual variables. The dictionary-based variables could not be changed as the documentation instructed. Instead it was required to override the entire dictionary. Deployers must use the new variable names to enable or disable the security configuration changes applied by the security role. For more information, see Launchpad Bug 1577944.
  • Failed access logging is now disabled by default and can be enabled by changing security_audit_failed_access to yes. The rsyslog daemon checks for the existence of log files regularly and this audit rule was triggered very frequently, which led to very large audit logs.
  • An Ansible task was added to disable the netconsole service on CentOS systems if the service is installed on the system.

    Deployers can opt-out of this change by setting security_disable_netconsole to no.

  • The security role previously set the permissions on all audit log files in /var/log/audit to 0400, but this prevents the audit daemon from writing to the active log file. This will prevent auditd from starting or restarting cleanly.

    The task now removes any permissions that are not allowed by the STIG. Any log files that meet or exceed the STIG requirements will not be modified.

  • When the security role was run in Ansible’s check mode and a tag was provided, the check_mode variable was not being set. Any tasks which depend on that variable would fail. This bug is fixed and the check_mode variable is now set properly on every playbook run.
  • The security role now handles ssh_config files that contain Match stanzas. A marker is added to the configuration file and any new configuration items will be added below that marker. In addition, the configuration file is validated for each change to the ssh configuration file.
  • The auditd rules for auditing V-38568 (filesystem mounts) were incorrectly labeled in the auditd logs with the key of export-V-38568. They are now correctly logged with the key filesystem_mount-V-38568.