With the update of ansible-lint to version >=6.0.0, a lot of new
linters were added that are enabled by default. In order to comply
with the linter rules we're applying changes to the role.
With that we also update the metadata to reflect the current state.
Change-Id: I1920cd05ac5b4d32ad12bce42d9161a568f288b6
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible
OS specific variables files are generalised where possible
Change-Id: Id3136a5eed068e317aa1a7b33a1149629dc76d77
This patch adds the variable `security_rhel7_enable_aide`. When it's False,
all AIDE related tasks would be omitted.
Change-Id: I64af348d9f49922ab51d8cd348d987df4263faa1
Using dynamic inclusion (include_tasks) should only be done
if the tasks to include are based on a conditional and there
is no expectation for the tag on the include task to be applied
to all included tasks. Using include_tasks for static inclusion
dramatically raises memory consumption. Using include_tasks also
breaks the ability to use a tag applied to the include.
In this patch we fix all inclusions to ensure that they are set
properly to dynamic or static inclusions where necessary.
We also remove the unnecessary leading whitespace in the main
task file.
Change-Id: Idff86d4a90d3309f0e9ae3b9f0559b37e25dc26f
Closes-Bug: #1800169
This patch uses the new import_tasks/include_tasks modules from
Ansible 2.1+ and removes some deprecation warnings from the
beginning of playbook runs.
Change-Id: I17d0a9bcb9964d666e140b832b6f2a26ff948d41
This patch allows deployers to provide a custom name/URL for the
traditional epel-release package.
Related-bug: 1702167
Change-Id: Ie5e30776d2d25a8c254f88c16e17ea15aa38ef26
The current behavior of the hardening role is to install the
epel-release package on all deployments. This patch changes
the logic to only install the EPEL repository if the deployer
has asked for ClamAV to be installed.
The patch also provides an option to disable the installation
of EPEL entirely using a variable.
Closes-Bug: 1702167
Change-Id: I9c5e6048f95636faf2a6d71ac9217ba69ca41296
Add support for the openSUSE Leap distributions. The security rules
are similar to the RedHat and Ubuntu ones. We also replace
ansible_os_family with ansible_pkg_mgr since the former does not
return consistent results across different SUSE distributions especially
on older Ansible versions.
Change-Id: I20ffe17039bb641aad70d8123f0b7e7417a42cba
This patch adjusts main.yml to retrieve a list of all users and a
list of just interactive users using the get_users module.
Change-Id: I4ff3ceeb068e339c62456f2e5c62ec97b72751f4
This patch adds the initial support for Fedora 25 in the security
role. A non-voting gate job is proposed in the following review:
https://review.openstack.org/#/c/467297/
Docs and general cleanup for Fedora/Debian support is coming soon.
Change-Id: Ia6c551d2f33255f7f71f7ba9bb328fc8f17f61e0
Several tasks in the auth.yml file were actually more closely related
to accounts rather than authentication. This patch moves tasks from
the auth.yml into accounts.yml and adjusts the docs to match.
This should alleviate confusion and allow deployers to fine-tune
their Ansible playbook runs.
Change-Id: I962014ba9022dd256dc04da6b4ac0860797fbc24
This patch installs AIDE and optionally initializes the AIDE database. A
cron job is also deployed for CentOS/RHEL since it doesn't come with
the AIDE package itself.
Documentation is included.
Implements: blueprint security-rhel7-stig
Change-Id: Iae04c95903960deee2d750037c08b50c4ce4f800
Some of the prep tasks for the RHEL 7 content did not have the 'always' tag,
which caused playbooks to fail when using a tag, like 'auth'.
Closes-Bug: 1646934
Change-Id: I651b5ee964e916b9d7add1d1d5f9dbb139eb6be3
This patch enables SELinux/AppArmor and sets the SELinux targeted policy
on CentOS/RHEL hosts. Documentation is included.
Implements: blueprint security-rhel7-stig
Change-Id: I7e225bc10331e12d2405154d873a578e18532305
The STIG requires that a virus scanner is installed and running. This
won't be popular on many hypervisors or OpenStack control plane servers,
so the tasks are disabled by default.
Implements: blueprint security-rhel7-stig
Change-Id: I3b4803139e63aae3b740e8e150cb552a298c4ece
Each task must be tagged, rather than the include statements. Tasks
get skipped unnecessarily when this is broken.
Change-Id: I7e2850bff4d001f2c57c9d186485f012c547e16a
This patch removes packages per the requirements of these STIGs:
* RHEL-07-040500
* RHEL-07-020010
* RHEL-07-020000
* RHEL-07-021910
* RHEL-07-040560
Implements: blueprint security-rhel7-stig
Change-Id: I52459d54c578c4e14392bf647268a2237f8df24a
This patch disables automatic and timed logins in gdm only if gdm
is installed and configured.
Implements: blueprint security-rhel7-stig
Change-Id: I34c1f91deb20441d8ca577f38d44c30c05718205
This patch adds the tasks and documentation for RHEL-07-010270.
Implements: blueprint security-rhel7-stig
Change-Id: I6af1d6f188f7244c261c3c847f2056f293023eca
This patch adds tasks to disallow logins from accounts with null
or blank passwords.
Implements: blueprint security-rhel7-stig
Change-Id: Icc5fd167be93bff9946810a17d8ef5521653d648
This patch adds tasks which check for files that have been modified
since their packages were installed. This can sometimes be a sign
of compromise.
Any files failing checksum validation are displayed for the deployer
to review.
Implements: blueprint security-rhel7-stig
Change-Id: I5ccc375ecb08e51c51dab80b47a190050731f700
This patch adds tasks to check for files which have had their
permissions or ownership modified since they were installed.
To avoid running RPM verification multiple times, the report is
gathered up front one time and then parsed quickly with grep in
subsequent tasks.
Implements: blueprint security-rhel7-stig
Change-Id: I170176319ac6dcda5f736fa90eb4eb47c4ce76b8
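The two RPM verification commits above describe the same pattern: gather the `rpm -Va` report once, then answer the checksum question and the permissions/ownership question with cheap greps over it. This is an added shell example, not code from the ansible-hardening role; the report it parses is constructed sample output, and `sample_report`, `path_only`, `checksum_failures` and `perm_owner_changes` are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the ansible-hardening role: run the RPM
# verification report once, then answer both STIG questions (modified
# contents, modified permissions/ownership) with cheap greps over it.

# Constructed sample of `rpm -Va` output. On a real host you would run
# `rpm -Va > /tmp/rpm-verify.txt` once and feed that file instead.
sample_report() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
....L....  c /etc/localtime
.....UG..    /var/log/audit
..5......    /usr/lib64/libfoo.so.1
missing     /usr/share/doc/bar/README
EOF
}

# Each line starts with nine attribute flags (S M 5 D L U G T P); a "."
# means that attribute still matches the package database. An optional
# config marker (c, d, g, l, r) follows, then the path. This keeps
# only the path.
path_only() {
    sed -E 's/^.{9} +[cdglr]? *//'
}

# Files whose content checksum (column 3, "5") no longer matches.
checksum_failures() {
    grep -E '^..5' | path_only
}

# Files whose mode (column 2, "M"), owner (column 6, "U") or group
# (column 7, "G") changed since the package was installed.
perm_owner_changes() {
    grep -E '^(.M|.{5}U|.{6}G)' | path_only
}

printf 'Checksum failures:\n'
sample_report | checksum_failures
printf 'Permission/ownership changes:\n'
sample_report | perm_owner_changes
```

Lines reporting a file as `missing` carry no flag columns and so match neither filter; a separate check would be needed if missing files should also be surfaced.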
This patch adds the initial scaffolding for the RHEL 7 STIG content
and provides a pathway for adding gate jobs that test the tasks for
the new content.
Implements: blueprint security-rhel7-stig
Change-Id: I4cc9468977fc6c14f4ca792a8964fa7a60a4e831