Add file to the reno documentation build to show release notes for
stable/2023.2.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.2.
Sem-Ver: feature
Change-Id: I4f820c0073b76009ddc224cf6419d8379e4bc1d7
Add file to the reno documentation build to show release notes for
stable/zed.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.
Sem-Ver: feature
Change-Id: I664bf44a2202856a12e6484f63a0944535dc071e
Add file to the reno documentation build to show release notes for
stable/xena.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/xena.
Sem-Ver: feature
Change-Id: I4dffba103892d243d460e120ac5262f6752b2af1
This patch adds variable `security_rhel7_enable_aide`. When it's False,
all AIDE related tasks would be omitted.
Change-Id: I64af348d9f49922ab51d8cd348d987df4263faa1
The sync from https://review.opendev.org/733244 updated to
openstackdocstheme 2.2.1 and reno 3.1.0 versions.
Set openstackdocs_pdf_link to link to PDF file. Note that
the link to the published document only works on docs.openstack.org
where the PDF file is placed in the top-level html directory. The
site-preview places the PDF in a pdf directory.
openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.
See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html
Change-Id: Id2c810e9214981f381d5a9d4f1f2e40cb63a02af
Add file to the reno documentation build to show release notes for
stable/ussuri.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/ussuri.
Change-Id: I29c8a8f1df649c9e01213ff5937ea72a12b14e5d
Sem-Ver: feature
New version of openstackdocstheme (Victoria+) respects pygments_style.
Since this repo is using now Victoria (master) requirements but has
not branched for Ussuri yet, it uses the new version.
Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.
Change-Id: I3fe3956b80df054c8b56761e4c009457af5c98f0
The fedora-latest build is broken on master and stable branches. OSA
do not support deployment on Fedora so this job is removed to allow
other code to merge.
Change-Id: Iee174f76d732941ef97b75612c1420c3dee335f3
This repo is now testing only with Python 3, so let's make
a few cleanups:
- Remove python 2.7 stanza from setup.py
- Remove obsolete sections from setup.cfg
- Update requirements, no need for python_version anymore
- Use newer openstackdocstheme and Sphinx versions
- Cleanup */source/conf.py to remove now obsolete content.
- Remove install_command from tox.ini, the default is fine
Change-Id: Ic96b71596d4523e55fa4b451c99a8521dd581e4d
Some options are now automatically configured by the version 1.20:
- project
- html_last_updated_fmt
- latex_engine
- latex_elements
- version
- release.
Change-Id: I14b62b4010950877d58a615de5f671ab6c866b48
Add file to the reno documentation build to show release notes for
stable/train.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/train.
Change-Id: I9b9b1428bb3ac7c89393af3229cfc4fbad45da7f
Sem-Ver: feature
Add file to the reno documentation build to show release notes for
stable/stein.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/stein.
Change-Id: I9e46d961625a402109591f20279c823b6728988b
Sem-Ver: feature
This patch drops the offline option because this role usually
applies to always-on machines and the subsystem which detects
if you're online or offline seems to be largely unstable which
causes chronyd to never attempt to synchronize time.
It also drops the minpoll and maxpoll options to leave it to
the defaults of the chronyd service, this is due to the numbers
provided not allowing the system to properly sync up time.
It also adds the 'iburst' option which will send a few quick
bursts when the system first goes up in order to get it to sync
up with time faster.
Change-Id: Iad41ef505f5a1c142ec7ffe07e4a1c08aa614235
Provide the possibility to allow users to synchronize
the RTC. It is (still) disabled by default, since
certain combinations of linux kernel version and
hardware pieces are subject to cause lockups.
"rtcautotrim 10" and rtcfile have been favoured over
"rtcsync" since "rtcsync" syncs the RTC every 11 seconds
which is not necessary IMO. "rtcautotrim 10" will only
set the time to the RTC if the gap between RTC and
the system clock exceeds 10 seconds.
Change-Id: I2961bc554eb6caf6e6c78137a33c4fde256ae1ff
Users may wish to remove the 'offline' option for increased
reliability, since ifup/ifdown scripts are typically not
required in (static) server environments. Furthermore it
enables users to adjust the polling timers to their needs.
Change-Id: Iafa31c03e98785a574f38bb2206b9bea9550743e
Now that infra is moving from Fedora 26 to 27, we need to update
the role to reflect the changing support for Fedora releases.
Change-Id: Icce8fd7ee2f8c54e6eb33beec7af96c4d1d375d6
Signed-off-by: Major Hayden <major@mhtx.net>
Release notes are version independent, so remove version/release
values. We've found that projects now require the service package
to be installed in order to build release notes, and this is entirely
due to the current convention of pulling in the version information.
Release notes should not need installation in order to build, so this
unnecessary version setting needs to be removed.
This is needed for new release notes publishing, see
I56909152975f731a9d2c21b2825b972195e48ee8 and the discussion starting
at
http://lists.openstack.org/pipermail/openstack-dev/2017-November/124480.html
.
Change-Id: Ic2a850f059ba46f212cbc2acd29feccea7a44c4e
PermitRootLogin can be 'yes', 'no', 'without-password',
'prohibit-password' or 'forced-commands-only'.
This patch changes the functionality to ensure that
security_sshd_permit_root_login is one of the above settings - if so, it
will use that value.
Due to the way Ansible handles "no" and "yes", we have to check if the
value is "False" (string equivalent for boolean no), and if so output
"no", otherwise output the string (which would be one of the above
options).
Previously, we could only set this value to 'no'.
Change-Id: I5ee5ff6abc4578d17d4b23d8a2fa1648508ceeed
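Added example (not part of the commit or the role's own code): the value handling the commit describes, in plain Python. YAML turns an unquoted `no`/`yes` into a boolean before the role sees it, so the check maps the boolean `False` (or its string form) to `no`, passes through any of the documented sshd keywords, and rejects anything else; it also maps `True` to `yes`, which goes one step beyond the commit text.

```python
# Valid PermitRootLogin keywords as listed in the commit message.
ALLOWED = ("yes", "no", "without-password", "prohibit-password",
           "forced-commands-only")


def render_permit_root_login(value):
    """Return the sshd_config keyword for security_sshd_permit_root_login.

    Ansible/YAML coerces a bare ``no`` to the boolean False (and ``yes`` to
    True); templating then yields the strings "False"/"True", which sshd
    would reject. Normalise those first, then require a documented keyword.
    """
    if value is False or str(value) == "False":
        return "no"
    # Assumption beyond the commit: also normalise the boolean True case.
    if value is True or str(value) == "True":
        return "yes"
    if value in ALLOWED:
        return value
    raise ValueError(
        "security_sshd_permit_root_login must be one of %s, got %r"
        % (", ".join(ALLOWED), value))


def is_valid(value):
    """True when the value can be rendered into a valid sshd setting."""
    try:
        render_permit_root_login(value)
        return True
    except ValueError:
        return False


def sshd_config_line(value):
    """Render the line that would be written into sshd_config."""
    return "PermitRootLogin %s" % render_permit_root_login(value)


if __name__ == "__main__":
    for sample in (False, "False", "prohibit-password", True, "maybe"):
        print(repr(sample), "->", sshd_config_line(sample) if is_valid(sample)
              else "rejected")
```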
This patch updates the tasks to match the changes in Version 1,
Release 3 of the RHEL 7 STIG. It adds four new configurations:
- V-77819 (docs only, manual intervention req'd)
- V-77821 (disabling DCCP, implemented)
- V-77823 (docs only, manual intervention req'd)
- V-77825 (enabling ASLR, implemented)
Closes-Bug: 1729344
Change-Id: I009fb31139e654f839d94781baf3d392c6613f46
The search for world-writable files is very intensive and causes
some long delays when running playbooks. This patch makes it
optional and updates the documentation to match.
Change-Id: I206f75597c48023a889bd7027daff2eff82b1a16
This patch updates the STIG XML to version 1 release 2.
The new release does not have V-72181 included, so the relevant
tasks and variables have been removed.
Closes-Bug: 1718772
Change-Id: I441dbacdfa82e49c0c24f86e303706ae79c7d4dd
The intended functionality for "enabled: no" on sysctl configurations
was to skip the config entirely and leave the variable unaltered.
However, setting "enabled: no" was causing the configuration to be
removed entirely.
This patch ensures that any sysctl variables with "enabled: no" are
skipped and left unaltered.
Closes-Bug: 1710490
Depends-On: I2607f295a924a2ec51920b5f2b27c34d5222e8ff
Change-Id: If9c8c008538b2ff631a714a8ffe16df9376dedf3
This patch allows deployers to provide a custom name/URL for the
traditional epel-release package.
Related-bug: 1702167
Change-Id: Ie5e30776d2d25a8c254f88c16e17ea15aa38ef26
The current behavior of the hardening role is to install the
epel-release package on all deployments. This patch changes
the logic to only install the EPEL repository if the deployer
has asked for ClamAV to be installed.
The patch also provides an option to disable the installation
of EPEL entirely using a variable.
Closes-Bug: 1702167
Change-Id: I9c5e6048f95636faf2a6d71ac9217ba69ca41296
This patch makes it easier for deployers to customize their login
banner and it also fixes some documentation bugs around how to
configure the graphical login banner.
Closes-bug: 1679749
Change-Id: I755de63cc3965f065077c983dbf1015ad93dfa6c
This patch gets the docs adjusted to work with the new RHEL 7 STIG
version 1 release. The new STIG release has changed all of the
numbering, but it maintains a link to (most) of the old STIG IDs in
the XML.
Closes-bug: 1676865
Change-Id: I65023fe63163c9804a3aec9dcdbf23c69bedb604
This patch makes the search for .shosts/shosts.equiv files an opt in
operation.
Closes-Bug: 1665568
Change-Id: Ide0c69a4112981e75defeaa317609e6a5f930225
Although setting file permissions and ownership based on the contents
of the RPM database is a good practice, it causes significant
deployment delays and can cause issues if a system administrator has
intentionally changed file permissions or ownership to meet their
specific needs.
This patch disables the tasks that set the permissions/ownership back
to their original values but leaves them enabled in the gate job.
Change-Id: I185f6755d9bddf58e23d6512f4728522c36306c0
This patch enables the RHEL 7 STIG content tasks as the default.
Documentation has also been updated to reflect the change and provide
more concise information about what is available with each release.
The OpenStack-Ansible repo is still set to use the RHEL 6 STIG until
some issues with individual roles are resolved.
Implements: blueprint security-rhel7-stig
Change-Id: Ic72d97b87c0fb16646e5a31030404e1a9ad6a469
This patch switches the package state for all packages installed
by the security role to `present`. This change should speed up
the run time of the security role and it avoids unexpected package
upgrades on systems that run the security role on a recurring basis.
Change-Id: I28bcc1c0ebf266909bbde554411f68fde0e64a58
Instead of breaking up package installations and removals into separate
tasks, this patch moves them all under one task that does two execution
steps.
In addition, the security_enable_chrony variable was added to control the
installation and configuration of chrony. The tox tests for the role were
configured to skip chrony in the gate using a skipped tag, but this caused
the package install/removal task to get skipped.
Docs/release notes are included for the chrony change.
Change-Id: I1def033953b50be3911cd932fd17b10dd2c658b7