Enable virus scanner
The STIG requires that a virus scanner is installed and running. This won't be popular on many hypervisors or OpenStack control plane servers, so the tasks are disabled by default. Implements: blueprint security-rhel7-stig Change-Id: I3b4803139e63aae3b740e8e150cb552a298c4ece
		| @@ -437,6 +437,10 @@ security_disable_gdm_automatic_login: yes                    # RHEL-07-010430 | ||||
| # Disable timed gdm logins for guests | ||||
| security_disable_gdm_timed_login: yes                        # RHEL-07-010431 | ||||
|  | ||||
| ## Miscellaneous (misc) | ||||
| # Enable virus scanning with clamav | ||||
| security_enable_virus_scanner: no                            # RHEL-07-030810 | ||||
|  | ||||
| ## Packages (packages) | ||||
| # Remove packages from the system as required by the STIG. Set any of these | ||||
| # to 'no' to skip their removal. | ||||
|   | ||||
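Review bot: The comment above the new `security_enable_virus_scanner` default describes only the scan, while elsewhere in this change the same variable also drives package installation, a signature-database download and starting the daemon, which is exactly what a deployer weighing it on a hypervisor needs to know before flipping it. Suggest `# Enable virus scanning with clamav (installs ClamAV, downloads the signature database, starts the scanner daemon)`. The `no` spelling matches the `yes`/`no` booleans used throughout this defaults file, so keep it for consistency even though yamllint's truthy rule would prefer `false`.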
| @@ -1,7 +1,20 @@ | ||||
| --- | ||||
| id: RHEL-07-030810 | ||||
| status: not implemented | ||||
| status: opt-in | ||||
| tag: misc | ||||
| --- | ||||
|  | ||||
| This STIG requirement is not yet implemented. | ||||
| The STIG requires that a virus scanner is installed and running, but the value | ||||
| of a virus scanner within an OpenStack control plane or on a hypervisor is | ||||
| negligible in many cases.  In addition, the disk I/O impact of a virus scanner | ||||
| can impact a production environment negatively. | ||||
|  | ||||
| The security role has tasks to deploy ClamAV with automatic updates, but the | ||||
| tasks are disabled by default. | ||||
|  | ||||
| Deployers can enable the ClamAV virus scanner by setting the following Ansible | ||||
| variable: | ||||
|  | ||||
| .. code-block:: yaml | ||||
|  | ||||
|     security_enable_virus_scanner: yes | ||||
|   | ||||
| @@ -57,6 +57,11 @@ | ||||
|     name: vsftpd | ||||
|     state: restarted | ||||
|  | ||||
| - name: restart clamav | ||||
|   service: | ||||
|     name: "{{ clamav_service }}" | ||||
|     state: restarted | ||||
|  | ||||
| # Miscellaneous ############################################################## | ||||
| - name: generate auditd rules | ||||
|   command: augenrules --load | ||||
|   | ||||
| @@ -47,6 +47,7 @@ | ||||
| - include: auth.yml | ||||
| - include: file_perms.yml | ||||
| - include: graphical.yml | ||||
| - include: misc.yml | ||||
| - include: sshd.yml | ||||
|  | ||||
| - name: Remove the temporary directory | ||||
|   | ||||
										93
								tasks/rhel7stig/misc.yml
							| @@ -0,0 +1,93 @@ | ||||
| --- | ||||
| # Copyright 2016, Rackspace US, Inc. | ||||
| # | ||||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| # you may not use this file except in compliance with the License. | ||||
| # You may obtain a copy of the License at | ||||
| # | ||||
| #     http://www.apache.org/licenses/LICENSE-2.0 | ||||
| # | ||||
| # Unless required by applicable law or agreed to in writing, software | ||||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| # See the License for the specific language governing permissions and | ||||
| # limitations under the License. | ||||
|  | ||||
| - name: Check if ClamAV is installed | ||||
|   stat: | ||||
|     path: /usr/bin/clamdscan | ||||
|   register: clamav_install_check | ||||
|   changed_when: False | ||||
|   tags: | ||||
|     - always | ||||
|  | ||||
| - name: Remove 'Example' line from ClamAV configuration files | ||||
|   lineinfile: | ||||
|     dest: "{{ item }}" | ||||
|     regexp: "^Example" | ||||
|     state: absent | ||||
|   with_items: | ||||
|     - /etc/freshclam.conf | ||||
|     - /etc/clamd.d/scan.conf | ||||
|   when: | ||||
|     - clamav_install_check.stat.exists | ||||
|     - security_enable_virus_scanner | bool | ||||
|     - ansible_os_family | lower == 'redhat' | ||||
|   notify: | ||||
|     - restart clamav | ||||
|   tags: | ||||
|     - misc | ||||
|     - RHEL-07-030810 | ||||
|  | ||||
| - name: Set ClamAV server type as socket | ||||
|   lineinfile: | ||||
|     dest: /etc/clamd.d/scan.conf | ||||
|     regexp: "^(#)?LocalSocket (.*)$" | ||||
|     line: 'LocalSocket \2' | ||||
|     backrefs: yes | ||||
|   when: | ||||
|     - clamav_install_check.stat.exists | ||||
|     - security_enable_virus_scanner | bool | ||||
|     - ansible_os_family | lower == 'redhat' | ||||
|   notify: | ||||
|     - restart clamav | ||||
|   tags: | ||||
|     - misc | ||||
|     - RHEL-07-030810 | ||||
|  | ||||
| - name: Allow automatic freshclam updates | ||||
|   lineinfile: | ||||
|     dest: /etc/sysconfig/freshclam | ||||
|     regexp: "^FRESHCLAM_DELAY" | ||||
|     state: absent | ||||
|   when: | ||||
|     - clamav_install_check.stat.exists | ||||
|     - security_enable_virus_scanner | bool | ||||
|     - ansible_os_family | lower == 'redhat' | ||||
|   notify: | ||||
|     - restart clamav | ||||
|   tags: | ||||
|     - misc | ||||
|     - RHEL-07-030810 | ||||
|  | ||||
| - name: Update ClamAV database | ||||
|   command: freshclam | ||||
|   changed_when: False | ||||
|   when: | ||||
|     - clamav_install_check.stat.exists | ||||
|     - security_enable_virus_scanner | bool | ||||
|   tags: | ||||
|     - misc | ||||
|     - RHEL-07-030810 | ||||
|  | ||||
| - name: Ensure ClamAV is running | ||||
|   service: | ||||
|     name: "{{ clamav_service }}" | ||||
|     state: started | ||||
|     enabled: yes | ||||
|   when: | ||||
|     - clamav_install_check.stat.exists | ||||
|     - security_enable_virus_scanner | bool | ||||
|   tags: | ||||
|     - misc | ||||
|     - RHEL-07-030810 | ||||
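Review bot: The `Update ClamAV database` task runs `freshclam` on every play and any non-zero exit aborts the run, which is likely on hosts without outbound access and, on Debian-family hosts, where the `clamav-freshclam` package added in this change runs freshclam as a daemon that may already hold the database lock (verify that behaviour on the target release). Since the purpose here appears to be the initial signature fetch clamd needs before it can start, gate the command on the database already being present, e.g. `args:` with `creates: <PATH-TO-SIGNATURE-DB-FILE>` (confirm the filename on both platforms), and `register` the result so a transient failure is reported against this task rather than surfacing as a handler or start failure later. Separately, `Ensure ClamAV is running` manages only `clamav_service`; on Debian-family hosts the freshclam updater is a separate unit that nothing in this file enables, so "automatic updates" there rests on the package defaults rather than on this role, which is worth a comment on that task.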
| @@ -33,6 +33,7 @@ | ||||
|     - RHEL-07-021910 | ||||
|     - RHEL-07-020000 | ||||
|     - RHEL-08-020010 | ||||
|     - RHEL-07-030810 | ||||
|     - RHEL-07-040260 | ||||
|     - RHEL-07-040500 | ||||
|     - RHEL-07-040560 | ||||
|   | ||||
| @@ -73,3 +73,4 @@ | ||||
|     security_package_clean_on_remove: yes | ||||
|     security_unattended_upgrades_enabled: true | ||||
|     security_unattended_upgrades_notifications: true | ||||
|     security_enable_virus_scanner: yes | ||||
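Review bot: The added `security_enable_virus_scanner: yes` sits directly under two lines that spell booleans as `true`, so the new line extends the mix of forms in this test vars file; prefer `security_enable_virus_scanner: true` for the new entry so the block converges on the canonical spelling (the pre-existing `yes` above it is outside this change).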
|   | ||||
| @@ -26,6 +26,7 @@ chrony_conf_file: /etc/chrony.conf | ||||
| cron_service: crond | ||||
| ssh_service: sshd | ||||
| chrony_service: chronyd | ||||
| clamav_service: 'clamd@scan' | ||||
|  | ||||
| # Commands | ||||
| grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf" | ||||
| @@ -52,6 +53,18 @@ stig_packages: | ||||
|       - yum-cron | ||||
|     state: "{{ security_package_state }}" | ||||
|     enabled: "{{ security_unattended_upgrades_enabled }}" | ||||
|   - packages: | ||||
|       - clamav | ||||
|       - clamav-data | ||||
|       - clamav-devel | ||||
|       - clamav-filesystem | ||||
|       - clamav-lib | ||||
|       - clamav-scanner-systemd | ||||
|       - clamav-server-systemd | ||||
|       - clamav-server | ||||
|       - clamav-update | ||||
|     state: "{{ security_package_state }}" | ||||
|     enabled: "{{ security_enable_virus_scanner }}" | ||||
|   - packages: | ||||
|       - xinetd | ||||
|     state: absent | ||||
|   | ||||
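Review bot: The RHEL package list includes `clamav-devel`, which ships headers and link libraries for building against libclamav and is not needed to run the scanner; dropping it keeps the installed footprint of an opt-in security feature to what the daemon, updater and signatures actually need. Whether `enabled: "{{ security_enable_virus_scanner }}"` skips the install when the toggle is off depends on how `stig_packages` is consumed outside this hunk, so confirm the consuming task honours a templated string the same way it honours the literal `True` on neighbouring entries. The first hunk's `clamav_service: 'clamd@scan'` is consistent with the `/etc/clamd.d/scan.conf` instance configured in the new task file.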
| @@ -29,6 +29,7 @@ chrony_conf_file: /etc/chrony/chrony.conf | ||||
| cron_service: cron | ||||
| ssh_service: ssh | ||||
| chrony_service: chrony | ||||
| clamav_service: clamd | ||||
|  | ||||
| # Commands | ||||
| grub_update_cmd: "update-grub" | ||||
| @@ -97,6 +98,12 @@ stig_packages_rhel7: | ||||
|       - screen | ||||
|     state: "{{ security_package_state }}" | ||||
|     enabled: True | ||||
|   - packages: | ||||
|       - clamav | ||||
|       - clamav-daemon | ||||
|       - clamav-freshclam | ||||
|     state: "{{ security_package_state }}" | ||||
|     enabled: "{{ security_enable_virus_scanner }}" | ||||
|   - packages: | ||||
|       - rsh-server | ||||
|     state: absent | ||||
|   | ||||
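Review bot: `clamav_service: clamd` does not match the service name on Ubuntu: the `clamav-daemon` package installed a few lines below ships its unit as `clamav-daemon`, and no `clamd` service exists there, so the `restart clamav` handler and the `Ensure ClamAV is running` task would fail on Ubuntu hosts as soon as the scanner is enabled. Change it to `clamav_service: clamav-daemon`. The RHEL counterpart (`clamd@scan`) is correct for the scan.conf instance, so only this file needs the fix.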
	 Major Hayden