Commit Graph

34 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov db5c6f2d66 Fix linters and metadata
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metadata to reflect current state.

Change-Id: I1920cd05ac5b4d32ad12bce42d9161a568f288b6
2023-07-17 14:25:21 +02:00
Jonathan Rosser 6007645fd7 Refactor use of include_vars
Use a first_found lookup instead of a with_first_found loop so that
the 'paths' parameter can be used.

This ensures that only vars from the role are included, and not vars
from a parent calling role. This can happen when a parent role has
a higher priority vars file available for inclusion than the role
it calls.

Change-Id: I078590020a98f0b5759f3de524753e01bb9c5597
2022-01-12 08:52:34 +00:00
Jonathan Rosser b9a9310d7c Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: I3dc2486a0666367d673b23403f2510c94c40eaf4
2021-03-10 16:54:58 +00:00
Jesse Pretorius f381cc02af Switch to using import_tasks for static inclusion
Using dynamic inclusion (include_tasks) should only be done
if the tasks to include are based on a conditional and there
is no expectation for the tag on the include task to be applied
to all included tasks. Using include_tasks for static inclusion
dramatically raises memory consumption. Using include_tasks also
breaks the ability to use a tag applied to the include.

In this patch we fix all inclusions to ensure that they are set
properly to dynamic or static inclusions where necessary.

We also remove the unnecessary leading whitespace in the main
task file.

Change-Id: Idff86d4a90d3309f0e9ae3b9f0559b37e25dc26f
Closes-Bug: #1800169
2019-01-08 11:54:21 +00:00
Mohammed Naser b792753b34 cleanup: use updated conditionals
This role made use of conditionals that still used filters, this
patch removes them all and switches them to the new system.

Change-Id: I7c68f4e5f7248aedd3cdae734aac6d97a8ce058b
2019-01-07 12:56:12 -05:00
Major Hayden 74c904247f Use import/include_tasks
This patch uses the new import_tasks/include_tasks modules from
Ansible 2.1+ and removes some deprecation warnings from the
beginning of playbook runs.

Change-Id: I17d0a9bcb9964d666e140b832b6f2a26ff948d41
2018-01-18 10:03:25 -06:00
Major Hayden 2d407a5399 Add scaffolding for contrib tasks
This patch adds the basic scaffolding for developer-contributed
hardening standards that are outside the scope of the Security
Technical Implementation Guide (STIG). Deployers have the option
to deploy these hardening standards as well.

Change-Id: I33175ffd36a75d27e5ac6c13aaf1584e5fdf23dd
2017-11-08 07:28:47 -06:00
Major Hayden a64c833a71 Conditionally install EPEL if needed
The current behavior of the hardening role is to install the
epel-release package on all deployments. This patch changes
the logic to only install the EPEL repository if the deployer
has asked for ClamAV to be installed.

The patch also provides an option to disable the installation
of EPEL entirely using a variable.

Closes-Bug: 1702167
Change-Id: I9c5e6048f95636faf2a6d71ac9217ba69ca41296
2017-07-12 15:40:33 +00:00
Major Hayden 5ef94bf0ca Fix security role gate
This commit removes the verbose options from the gate job and disables
clamav installation in the CI jobs. The clamav package is only available
in the EPEL repository, but the EPEL repo has been removed from
the CentOS images in the OpenStack gate. This will need to be handled
carefully in a later patch.

It also removes an apostrophe from `tasks/main.yml` that breaks syntax
highlighting in vim.

Change-Id: Ifbfc56ed5fe92887cf5beb6b2703fdc3e1c8bb05
2017-05-16 10:24:25 -05:00
Jean-Philippe Evrard 9361a146e4 Do not update grub if grub not used
The security check should be skipped if GRUB update tool does not
exist (grub isn't installed).

Change-Id: I99a3b372e12e264cbc40bdc3ae6b6b60bf3c1c79
2017-04-13 12:34:22 +00:00
Jesse Pretorius 78d844a008 Rename vars/common.yml to vars/main.yml
The file vars/main.yml is automatically loaded
so by using this file name we're able to get
rid of the task that loads vars/common.yml which
is a small optimisation.

Change-Id: I4e0a1b81c42a90b7cd28830f1c2e72c7bd62efaf
2017-03-13 18:30:43 +00:00
Major Hayden 12dd05b0a8 Install EPEL for security role
The security role needs to install packages from EPEL.

Closes-bug: 1670798
Change-Id: Ia6a6ba19ec164e852b83492f4992f25e8df49308
2017-03-07 21:20:30 +00:00
Major Hayden 87b635e0b0 Always check for EFI
This patch ensures that the EFI check always runs. This fixes a bug
where the role fails when a tag is provided to the role at runtime.

Closes-bug: 1660391
Change-Id: I2cba58343910ec7e9b43e88ae26bec3b056eff81
2017-01-30 11:09:24 -06:00
Major Hayden 280e797a4e Set grub2 password [+Docs]
This patch allows deployers to optionally set a GRUB 2 password for accessing
single-user and maintenance runlevels. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I33d1ef4dec72d196deaca142169675aa5077740b
2016-12-08 16:20:23 -06:00
Major Hayden 4c792445d4 Move common variables to common.yml
This patch creates a common.yml variables file to hold variables
that apply to all distributions supported by the role. It also adds
comments into the existing vars file to instruct developers and
deployers about the proper location for variables.

Implements: blueprint security-rhel7-stig
Change-Id: Idad1cbfe0c6992a6333c4740080764a3ac776628
2016-11-20 17:11:12 +00:00
Major Hayden 53ffc83901 Use dynamic includes for speedup
Now that Ansible 2.x allows for dynamic includes, we can drive a hard
split between the RHEL 6 and RHEL 7 STIG work. This speeds up gate jobs
and avoids situations where a variable is defined in one STIG playbook
versus another.

Implements: blueprint security-rhel7-stig
Change-Id: If3cf9f2154055a316c0764556d57a0dde9e061f4
2016-11-18 16:38:04 -06:00
Major Hayden 746816cc96 Securing sysctl configurations
This patch adds tasks to secure various network-related settings
via sysctl. Documentation will be in a follow-on patch.

Controls implemented:

  - RHEL-07-040350
  - RHEL-07-040351
  - RHEL-07-040380
  - RHEL-07-040410
  - RHEL-07-040420
  - RHEL-07-040421
  - RHEL-07-040730
  - RHEL-07-040860

Implements: blueprint security-rhel7-stig
Change-Id: I35f82165ccb2ea0e17ea32030968b7f33b1a073a
2016-11-16 09:58:17 -06:00
Major Hayden 235ee0604a Use ansible_service_mgr fact
This patch removes some extra tasks for detecting systemd and uses
the `ansible_service_mgr` fact instead.

Partial-Bug: #1640125
Change-Id: I240f2b09f123fb929eaca07fec72e981901d7a78
2016-11-10 07:25:13 +00:00
Major Hayden a3e0f681d8 Remove deprecated always_run
The `always_run` argument has been deprecated[1] and replaced with
`check_mode: no`.

[1] http://docs.ansible.com/ansible/playbooks_checkmode.html

Change-Id: I534fbcdfe5212822f510de8fd06bd7d7337299fa
2016-11-09 11:42:30 -06:00
Major Hayden 90c363031e Use centralised Ansible test scripts
This patch consumes the centralised Ansible test scripts
implemented in https://review.openstack.org/381853

Depends-On: I5c1f2f0949d6b7ad7bfc4151257b081728ba956f
Depends-On: Ie379de765c6ebba958ce8e7f9dc27b7a3af74ff8
Change-Id: Ib7fe11b666322b11b1e30dea775304fd5d236f2f
2016-10-10 08:56:20 -05:00
Major Hayden d001b9dda5 Initial scaffolding for RHEL 7 STIG
This patch adds the initial scaffolding for the RHEL 7 STIG content
and provides a pathway for adding gate jobs that test the tasks for
the new content.

Implements: blueprint security-rhel7-stig
Change-Id: I4cc9468977fc6c14f4ca792a8964fa7a60a4e831
2016-10-03 16:37:46 +00:00
Jesse Pretorius 481ad31683 Force Ansible to use dynamic includes
Ansible 2.1.1 introduces a regression in the way conditional
includes are handled which results in every task in the
included file being evaluated even if the condition for the
include is not met. This extends the run time significantly
for a deployment.

This patch forces all conditional includes to be dynamic.

Change-Id: I638b9e20176e0205a378704150e88d098b925c83
Related-Bug: https://github.com/ansible/ansible/issues/17687
2016-09-22 16:00:43 +01:00
Major Hayden 578ce32998 Ensure AIDE initializes on subsequent runs
If a deployer installs AIDE the first time they apply the role
without initializing AIDE and they want to initialize it later,
the handler that does the initialization never fires.

This patch does a few things:

  - Ensures AIDE initialization if the initialize_aide bool is True
  - Doesn't initialize the AIDE db if it already exists
  - Moves the new db into place on Red Hat systems
  - Moves the AIDE tasks into its own file with tags
  - Prevents AIDE from trawling through /var

Closes-bug: 1616281

Change-Id: I85d65738fde064b06b1147c529b22c3f44a33e94
2016-08-25 12:56:35 +00:00
Jenkins fbd64ccc66 Merge "Correct tags attribute typo" 2016-08-06 14:45:38 +00:00
Jimmy McCrory 08bd55d317 Correct tags attribute typo
A couple of include tasks had 'tags' mistyped as 'tag'.

This also resolves a 'Specifying include variables at the top-level of
the task is deprecated.' deprecation warning seen in Ansible 2.1.1.0.

Change-Id: I1a806238e918fdae06da2b412399d812d644f467
2016-08-05 17:28:28 -07:00
Major Hayden fa11dd430b Add idempotency check
This patch adds idempotency checking for the security role. It
ensures that no changes are made when the security role runs
multiple times against the same system.

Change-Id: Ia5df45ddc64b1af5149df64f3483f472b06d73f7
2016-07-22 10:52:49 -05:00
Major Hayden ba256815a3 Use standard check for systemd
This patch brings the security role in-line with other OSA roles in
the method they use to check for systemd.

Change-Id: Id84d0c606a0323e4357d227d50e29dea1af2949d
2016-06-14 07:44:51 -05:00
Major Hayden d8ae1e3b04 Set check_mode variable every time
In check mode, the security role will fail when tags are used. This
is because the check_mode variable wasn't being set when tags were
provided. This patch ensures that the tasks that check for check mode
and set the subsequent check_mode variable will run every time.

Closes-bug: 1590086

Change-Id: Ib6a29ee4c36632cd6d982ce87105f0ddec4a891d
2016-06-07 13:05:49 -05:00
Jean-Philippe Evrard ecb0329088 Consistency for multi-os in the includes
This makes the include_vars consistent across all the
openstack-ansible-.* repos.

Change-Id: I6156a4c6c128131eb84a2da897cc853a9037a7c4
2016-06-02 13:47:57 +00:00
Major Hayden 7b313ee1bc Adding audit rule for SELinux policy modifications
This patch fixes the auditd rules template so that AppArmor and SELinux
policy modifications are logged, depending on which Linux distribution
is in use. The security_audit_apparmor_changes variable has been renamed
to security_audit_mac_changes to be more generic.

Documentation updates and a release note are included.

Closes-bug: 1584187

Change-Id: I0955e2cb8a05af4afd36aaca518322a9df6d1ff7
2016-05-27 13:28:02 +00:00
Major Hayden 31424a42af Enable LSM instead of checking status
This patch enables the appropriate Linux Security Module (LSM) for the system
rather than simply checking it. This brings the role more in line with the
STIG requirements and allows it to be used as a more generic role in other
non-OpenStack-Ansible deployments.

It shouldn't affect OpenStack-Ansible deployments since AppArmor is expected
to be running in those deployments.

Documentation and release notes are included.

Change-Id: Ia017f12be0d60ea74b54396bc8278e4db92295ba
2016-05-26 09:16:42 -05:00
Major Hayden 22c4c21583 Add CentOS 7 and Ubuntu 16.04 support
This patch adds initial support for CentOS 7 and Ubuntu 16.04
to the security role. Documentation and tests still need updates
in subsequent patches.

Release notes are included.

Change-Id: Iae936bb307a5938651c55e703d68d39a7716d178
2016-05-13 14:57:28 -05:00
Major Hayden 3e2e66db63 Check mode compatibility for security role
Closes-bug: 1516142

Implements: blueprint security-hardening

Change-Id: Ia38fbdd8bd8fa5aaef1252569563bf0a829f095d
2015-12-02 20:50:33 +00:00
Jesse Pretorius 58ac7a8a7a Enable role testing and make structure ansible-galaxy compatible
This patch adds the bits needed to implement automated syntax/lint
role testing. It also moves the role into the base repository so
that the role becomes fully compatible with ansible-galaxy to
improve the role's consumability.

Change-Id: Ia79cd5dedbbe50dfdf46688830a989ff0897832a
2015-10-09 11:47:23 +00:00