With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with the linter rules we're applying changes to the role.
With that we also update metadata to reflect the current state.
Change-Id: I1920cd05ac5b4d32ad12bce42d9161a568f288b6

Since ansible-core 2.14 you can't use warn as a module argument.
Instead, noqa should be used to instruct ansible-lint to
suppress alerts.
Change-Id: Ie448fa182db8c1c9f64744ea72f27f285aa64366

This patch allows deployers to optionally set a GRUB 2 password for accessing
single-user and maintenance runlevels. Documentation is included.
Implements: blueprint security-rhel7-stig
Change-Id: I33d1ef4dec72d196deaca142169675aa5077740b

This patch masks the systemd unit that controls the C-A-D key sequence.
Implements: blueprint security-rhel7-stig
Change-Id: I9bd01641fd8787fab90921e360e5933953871d51

The STIG requires that a virus scanner is installed and running. This
won't be popular on many hypervisors or OpenStack control plane servers,
so the tasks are disabled by default.
Implements: blueprint security-rhel7-stig
Change-Id: I3b4803139e63aae3b740e8e150cb552a298c4ece

This patch applies the graphical session lock settings from the following
STIG controls:
- RHEL-07-010060
- RHEL-07-010070
- RHEL-07-010071
- RHEL-07-010073
- RHEL-07-010074
Docs will be provided in a follow-on patch.
Implements: blueprint security-rhel7-stig
Change-Id: I306ea5e2e274a2ca63158ba8b039686b27a5d923

On CentOS the chrony.conf is in /etc/. Adding a var to define it.
Depends-On: I1aa3faf88f5953c230693600fcbcb786d49a35e0
Change-Id: Id6afe700f0d908396b4441e6c92dc79e29b228bf

It is not possible to restart auditd with systemctl. Using the service
interface is required. There are chef cookbooks[1] with the same
workaround.
This patch also includes a `cache_valid_time` addition to test.yml to
unblock the gate.
[1] https://github.com/chef-cookbooks/auditd/pull/22/files
Change-Id: I1aa3faf88f5953c230693600fcbcb786d49a35e0

This patch adds a task and handlers for enabling the audit daemon
during the boot sequence to comply with V-38438. Deployers have
the option to opt-out of the entire change, or they can apply the
change without updating the active grub.cfg file.
Change-Id: Ia8702b8439a5993516397363b21356f1216be403

If a deployer installs AIDE the first time they apply the role
without initializing AIDE and they want to initialize it later,
the handler that does the initialization never fires.
This patch does a few things:
- Ensures AIDE initialization if the initialize_aide bool is True
- Doesn't initialize the AIDE db if it already exists
- Moves the new db into place on Red Hat systems
- Moves the AIDE tasks into their own file with tags
- Prevents AIDE from trawling through /var
Closes-bug: 1616281
Change-Id: I85d65738fde064b06b1147c529b22c3f44a33e94

The augenrules command joins together all of the audit rules from
rules.d and it is run any time the audit rules template changes. However,
the augenrules handler didn't actually restart auditd to apply the
changes to the system.
This patch fires off the auditd restart handler anytime the augenrules
handler is notified.
Closes-bug: 1590916
Change-Id: Ice83fe17ebb0e9edff9da897e435ae96c1778580

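The two auditd handler changes above (restarting auditd through the service interface, and the augenrules handler chaining into that restart), shown together as an added illustration; this is not the role's own code, and the play, task and handler names and the template file name are assumptions:

```yaml
# Added example (not ansible-hardening's own handlers): a rules template
# change notifies "augenrules", which loads the merged rules and then
# notifies "restart auditd". Names below are assumed for this example.
- name: Deploy audit rules and apply them to the running daemon
  hosts: all
  become: true
  tasks:
    - name: Render audit rules into rules.d
      ansible.builtin.template:
        src: audit.rules.j2                     # assumed template name
        dest: /etc/audit/rules.d/hardening.rules
        owner: root
        group: root
        mode: "0640"
      notify: augenrules

  handlers:
    - name: augenrules
      # Merge every file in /etc/audit/rules.d into audit.rules and load it.
      ansible.builtin.command: augenrules --load
      changed_when: true
      # Loading rules alone leaves the daemon untouched; chain into the
      # restart handler so the new ruleset is applied on the live system.
      notify: restart auditd

    - name: restart auditd
      # systemd refuses a manual restart of auditd (the unit carries
      # RefuseManualStop=yes), so the legacy service interface is used.
      # The old `warn: false` argument is gone since ansible-core 2.14;
      # ansible-lint is silenced with a noqa marker instead.
      ansible.builtin.command: service auditd restart  # noqa: command-instead-of-module
      changed_when: true
```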
This patch adds initial support for CentOS 7 and Ubuntu 16.04
to the security role. Documentation and tests still need updates
in subsequent patches.
Release notes are included.
Change-Id: Iae936bb307a5938651c55e703d68d39a7716d178

This patch migrates all of the remaining non-unique variable names
in the security role to a pattern that begins with `security_*`.
This will reduce potential variable collisions with other roles.
This is a breaking change for deployers and users who are moving
from the liberty or stable/mitaka branches to master. Release notes
are included with additional details to help with the transition.
Closes-Bug: 1578326
Change-Id: Ib716e81e6fed971b21dc5579ae1a871736e21189

The AIDE database initialization consumes a lot of CPU time and I/O resources.
We shouldn't initialize the database by default, but this should be
configurable by the deployer.
Closes-bug: 1534658
Change-Id: If680000619c35914e58ed8b7883c7eaa7928cec4

This requirement is not easily translated for Ubuntu 14.04. As a mitigation,
fail2ban will be installed and configured to block IP addresses with failed
login attempts for 15 minutes.
Change-Id: Icb469896c55acc8b18dfb64ebf642fe7d48e86fc

This patch adds the bits needed to implement automated syntax/lint
role testing. It also moves the role into the base repository so
that the role becomes fully compatible with ansible-galaxy to
improve the role's consumability.
Change-Id: Ia79cd5dedbbe50dfdf46688830a989ff0897832a