openstack/ansible-hardening
Code Issues Proposed changes

Make .shosts search/removal opt in

Browse Source 
This patch makes the search for .shosts/shosts.equiv files an opt in
operation.

Closes-Bug: 1665568
Change-Id: Ide0c69a4112981e75defeaa317609e6a5f930225
This commit is contained in:
Major Hayden 2017-03-07 12:14:14 -06:00
parent 5f2d563e51
commit 9efb8153f1
No known key found for this signature in database
GPG Key ID: 737051E0C1011FB1
4 changed files with 16 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
defaults/main.yml
View File

@ -506,7 +506,7 @@ security_pam_faillock_unlock_time: 604800 # RHEL-07-010372
# Limit the number of concurrent connections per account. # Limit the number of concurrent connections per account.
#security_rhel7_concurrent_session_limit: 10 # RHEL-07-040010 #security_rhel7_concurrent_session_limit: 10 # RHEL-07-040010
# Remove .shosts and shosts.equiv files. # Remove .shosts and shosts.equiv files.
security_rhel7_remove_shosts_files: yes # RHEL-07-040330 security_rhel7_remove_shosts_files: no # RHEL-07-040330
## File permissions (file_perms) ## File permissions (file_perms)
# Reset file permissions and ownership for files installed via RPM packages. # Reset file permissions and ownership for files installed via RPM packages.

10
doc/metadata/rhel7/RHEL-07-040330.rst
View File

@ -1,14 +1,18 @@
--- ---
id: RHEL-07-040330 id: RHEL-07-040330
status: implemented status: opt-in
tag: auth tag: auth
--- ---
The tasks in the security role examine the filesystem for any ``.shosts`` or The tasks in the security role examine the filesystem for any ``.shosts`` or
``shosts.equiv`` files. If they are found, they are deleted. ``shosts.equiv`` files. If they are found, they are deleted.
Deployers can opt out of this change by setting the following Ansible variable: The search for these files will take a very long time on systems with slow
disks or systems with a large amount of files. Therefore, this task is skipped
by default.
Deployers can opt in for this change by setting the following Ansible variable:
.. code-block:: yaml .. code-block:: yaml
security_rhel7_remove_shosts_files: no security_rhel7_remove_shosts_files: yes

7
releasenotes/notes/shosts-file-search-opt-in-887f600a79eef07e.yaml Normal file
View File

@ -0,0 +1,7 @@
---
security:
- |
The tasks that search for ``.shosts`` and ``shosts.equiv`` files
(STIG ID: RHEL-07-040330) are now skipped by default. The search takes a
long time to complete on systems with lots of files and it also causes a
significant amount of disk I/O while it runs.

1
tests/test.yml
View File

@ -96,3 +96,4 @@
security_require_grub_authentication: yes security_require_grub_authentication: yes
security_set_home_directory_permissions_and_owners_recursively: no security_set_home_directory_permissions_and_owners_recursively: no
security_reset_perm_ownership: yes security_reset_perm_ownership: yes
security_rhel7_remove_shosts_files: yes