Commit Graph

426 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov db284ddf93 Use replace module instead of lineinfile for disabling dynamic motd
The lineinfile module can manage only a single occurrence of a line in the file,
while pam.d/sshd contains multiple occurrences of pam_motd, which
results in not disabling it fully.

In order to properly comment out/uncomment all occurrences, the replace module
should be used instead.

Change-Id: I73babb2431d4fda5aa90d9a1e230c1796449c0fc
2024-01-29 16:26:16 +00:00
Dmitriy Rabotyagov b31cd46c18 Disable dynamic motd message
Right now default cloud images of Ubuntu do contain a dynamic MOTD
by default, which takes around an extra 0.4 sec for establishing a connection.

Disabling MOTD should improve responsiveness of hosts and speed up
ansible execution as well.

With that we're keeping the static MOTD, which has no impact on connection
speed.

Change-Id: Iaf25f6f444055cefd60dd2e3b4d5579f2a6fcdb1
2023-10-26 11:15:46 +00:00
Dmitriy Rabotyagov db5c6f2d66 Fix linters and metadata
With the update of ansible-lint to version >=6.0.0, a lot of new
linters were added that are enabled by default. In order to comply
with the linter rules we're applying changes to the role.

With that we also update the metadata to reflect the current state.

Change-Id: I1920cd05ac5b4d32ad12bce42d9161a568f288b6
2023-07-17 14:25:21 +02:00
Dmitriy Rabotyagov 2c7889852c Remove warn argument for command/shell
Since ansible-core 2.14 you can't use warn as module argument.

Instead, noqa should be used to instruct ansible-lint to
suppress alerts.

Change-Id: Ie448fa182db8c1c9f64744ea72f27f285aa64366
2023-06-30 15:05:50 +02:00
Dmitriy Rabotyagov aa1feb4527 Clean out SSH options we are managing
With the current behaviour we duplicate SSH options and don't care if the same
thing is defined anywhere down the line.
With this change we change how options are defined: instead of the
template we use a list of mappings. With that
we can select and remove options that the playbook is supposed to manage.

With that we also keep playbook idempotency. As a side effect we still
can have options duplicated, but only if they have the exact same value.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/840353
Change-Id: I140606f7e724fbe2a4f0b03f6a0501da7bdd5964
Closes-Bug: #1958649
2022-05-20 07:53:05 +00:00
Zuul 7626153a08 Merge "Refactor use of include_vars" 2022-01-12 14:23:14 +00:00
Jonathan Rosser 6007645fd7 Refactor use of include_vars
Use a first_found lookup instead of a with_first_found loop so that
the 'paths' parameter can be used.

This ensures that only vars from the role are included, and not vars
from a parent calling role. This can happen when a parent role has
a higher priority vars file available for inclusion than the role
it calls.

Change-Id: I078590020a98f0b5759f3de524753e01bb9c5597
2022-01-12 08:52:34 +00:00
Dmitriy Rabotyagov a82570f1a5 Use pipefail for shell module
It's not safe to run pipes without pipefail, but in some cases we
expect it to fail and work around this. In such cases we ignore the rule.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-tests/+/784751
Change-Id: I79a630ebe8ff54bc9f4600e1f3c0fda653cc4b71
2022-01-04 13:07:09 +00:00
Zuul 4ba0de970a Merge "Explicitly create clamav socket directory" 2021-11-03 12:57:39 +00:00
Dmitriy Rabotyagov 9d6a927d8c Explicitly create clamav socket directory
While most of our supported distributions do create the LocalSocket on their
own, it's not always the case and shouldn't be trusted that much.

Change-Id: I56851f56aa85108a4898ef99c48ac77c898ccb69
Closes-Bug: #1944564
2021-10-20 15:27:21 +03:00
Jonathan Rosser 480dd9d866 Remove references to unsupported operating systems
All references to Gentoo, SUSE, Debian stretch and CentOS 7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible.
OS-specific variables files are generalised where possible.
Change-Id: Id3136a5eed068e317aa1a7b33a1149629dc76d77
2021-06-11 14:14:20 +00:00
codejubilee 9b3ea39df4 Added pam_auth_password to nullok check
Change-Id: I692241ce21e8bd8912b8d1ff5a261ae10d7da1f2
2021-04-12 22:39:31 +00:00
Dmitriy Rabotyagov e4b55822cf Extend timeout for RPM verification
For systems with many packages deployed or heavily loaded environments,
rpm verification takes way more time than 5 minutes, ending up in a
corrupted database of the rpm packages. So we set the limit to 1 hour
and extend the amount of retries to wait for the result to match the async
timeout.

Change-Id: I30d29630214914bea99fc7fd66afa3218705d733
Closes-Bug: #1921292
2021-03-25 09:47:35 +02:00
Jonathan Rosser b9a9310d7c Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: I3dc2486a0666367d673b23403f2510c94c40eaf4
2021-03-10 16:54:58 +00:00
Zuul 087919c425 Merge "Make possible to avoid aide installation" 2021-02-12 10:33:08 +00:00
Jonathan Rosser b7b945b21e Exclude system directories (/sys, /proc, /dev) from the shosts file search
This halves the number of files examined by the find module on an Ubuntu
focal system and nearly halves the runtime of the task on a ceph-backed
VM.

Change-Id: I862351badc70fa091bebf55dd2910cccfa731ca2
2021-02-03 11:54:52 +00:00
Dmitriy Rabotyagov 180fc448eb Make possible to avoid aide installation
This patch adds the variable `security_rhel7_enable_aide`. When it's False,
all AIDE-related tasks would be omitted.

Change-Id: I64af348d9f49922ab51d8cd348d987df4263faa1
2021-02-02 14:12:10 +00:00
Jonathan Rosser c6703cd5e5 Fix linter errors
Work around the mutually incompatible W503 and W504.

Change-Id: I45d0ca8a911d9cf1af2df52a1cf911db817b13b3
2021-02-02 16:11:03 +02:00
Dmitriy Rabotyagov e1d8ec2211 Fix role to work with Jinja 2.7
By default CentOS is shipped with Jinja 2.7.2, which does not have the `in`
test. So we replace that logic with rejecting absent packages
and suggest that the rest of the statuses are valid for
package installation.

Change-Id: Ibeb3aba5cccddc1af1f968c57bdc0be75e7f22d9
2020-04-29 07:32:44 +00:00
Ghanshyam Mann 83ac8bfd6d [ussuri][goal] Updates for python 2.7 drop
OpenStack is dropping the py2.7 support in the Ussuri cycle.

openstack-ansible repos only need updates on requirements
and tox file.

Complete discussion & schedule can be found in
- http://lists.openstack.org/pipermail/openstack-discuss/2019-October/010142.html
- https://etherpad.openstack.org/p/drop-python2-support

Ussuri Community-wide goal:
https://governance.openstack.org/tc/goals/selected/ussuri/drop-py27.html

Change-Id: Idf700e627b5c88059762690aec6dc3e3a345a39f
2020-04-03 21:18:52 +03:00
Dmitriy Rabotyagov 2093f503a6 Fix ignoring of packages in 'latest' state
Change-Id: I019ed9d87435a1ab6e0b7ae8624d85afd95db3ae
2019-12-19 14:10:26 +02:00
Zuul 87415a319b Merge "Splits STIG yum add/removes" 2019-11-21 11:53:49 +00:00
Khaled Elkhawaga ab430cfbff Replace deprecated apt parameter
Replace the deprecated "state: installed" parameter with "state: present" as
it's no longer supported in Ansible 2.9.

Change-Id: I78c8595228f1aabded6cd23159c2a889738f3288
Signed-off-by: Khaled Elkhawaga <k.elkhawaga@gmail.com>
2019-11-20 19:59:43 +01:00
Jeff Albert 8db1a33cbf Splits STIG yum add/removes
In order to prevent RPM database corruption on the target hosts, this
change splits the STIG yum add/remove tasks into two separate plays.

Change-Id: I68751339d5b4cbfb61b8e3cf4ffbfeb47ea5fd76
Closes-Bug: #1851954
2019-11-09 11:35:42 -08:00
Bernd Müller 3b95e7fc03 changed disable dccp conf for preventing kernel messages
dccp_diag: Unknown symbol dccp_hashinfo (err 0)

https://access.redhat.com/solutions/2321691

$ cat /etc/modprobe.d/ansible-hardening-disable-dccp.conf
install dccp /bin/true
install dccp_diag /bin/true

Change-Id: I7441d71c52bdb4f215e1976d15e9282d9cd75139
Signed-off-by: Bernd Müller <mueller@b1-systems.de>
2019-10-21 13:18:03 +02:00
Logan V 00ad3500c8 Fix conditional cast to bool
While running the hardening role, I found that a small VM would
regularly crash ansible on the chrony configuration templating
task with "A worker was found in a dead state!". An ansible bug[0]
shows that this can be caused by jinja templating that is not cast
to the correct type.

After verifying the crash was reproducible 3-4 times in a row, this
crash stopped occurring once I started casting this variable to a bool.

I don't know if it is a coincidence, but it can't hurt to cast this
conditional regardless.

[0] https://github.com/ansible/ansible/issues/32554#issuecomment-382360908

Change-Id: Ie34de1808c807fd31099cc7d3d7b140ccfab64df
2019-03-15 23:01:45 -05:00
Jesse Pretorius f381cc02af Switch to using import_tasks for static inclusion
Using dynamic inclusion (include_tasks) should only be done
if the tasks to include are based on a conditional and there
is no expectation for the tag on the include task to be applied
to all included tasks. Using include_tasks for static inclusion
dramatically raises memory consumption. Using include_tasks also
breaks the ability to use a tag applied to the include.

In this patch we fix all inclusions to ensure that they are set
properly to dynamic or static inclusions where necessary.

We also remove the unnecessary leading whitespace in the main
task file.

Change-Id: Idff86d4a90d3309f0e9ae3b9f0559b37e25dc26f
Closes-Bug: #1800169
2019-01-08 11:54:21 +00:00
Mohammed Naser b792753b34 cleanup: use updated conditionals
This role made use of conditionals that still used filters; this
patch removes them all and switches them to the new system.

Change-Id: I7c68f4e5f7248aedd3cdae734aac6d97a8ce058b
2019-01-07 12:56:12 -05:00
Markos Chandras 8cef84567b Revert "file_perms: Skip rpm verification step for Leap 15"
This reverts commit 75e8b0f02a.

The openSUSE bug has been fixed so this workaround is not needed
anymore.

Change-Id: I7d8a93332d0ec925d97b64fc1052b1c3d621e066
2018-10-18 08:50:54 +01:00
Markos Chandras 75e8b0f02a file_perms: Skip rpm verification step for Leap 15
openSUSE Leap 15 has a bug in the sudo package and this test always
fails. As such, we need to skip it until the upstream bug is fixed.

Change-Id: Ifa6baa50d0e0c2e2cabba39ba101ef943f14d882
Link: https://bugzilla.suse.com/show_bug.cgi?id=1097643
2018-09-11 16:37:28 +01:00
Kevin Carter 111f48b2f6 Correct issue with ansible hardening and systemd
The systemd command does not have a stable api and can return different
codes when executed. This change converts the task to query the target
unit and disable it if it exists to a single systemd task using the
ansible module.

Closes-Bug: #1787048
Change-Id: I74c43839cd7d3a8620a0fb8e405fbc3f6a0f44d0
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-08-21 11:32:23 -05:00
Kevin Carter 1cafaf8cce Add option to skip sudoers NOPASSWD check
This change adds the option `security_sudoers_nopasswd_check_enable`
when running check "V-71947". This change allows users to skip this
check via an ansible extra variable instead of having to skip tags. While
this change has a functional benefit in some environments, it is being
done with the primary intention of providing a better experience when
deploying running clouds where services like cloud-init may be present.

Change-Id: I0d0c95534ace0b00fa64c2f243ad91ce5844d85a
Closes-Bug: #1741225
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-07-31 03:18:27 +00:00
ZhijunWei ca8114438c Delete the unnecessary space
Change-Id: I776b0ac8b69ec1fdb0d7ef6402cfff52cf6b29fd
2018-07-17 16:54:03 -04:00
Jean-Philippe Evrard f07aba1662 Fix usage of "|" for tests
With the more recent versions of ansible, we should now use
"is" instead of the "|" sign for the tests.

This should fix it.

Change-Id: I8d78a2b4ba2a8746cbb809e4f8c9370abe211350
2018-07-12 16:58:21 +02:00
Zuul f22609a524 Merge "Ensure that comments are not counted" 2018-05-09 11:29:45 +00:00
Mohammed Naser 6cae2c1e46 Ensure that comments are not counted
With the previous grep, it was possible that any commented nameserver
entries would be counted. This patch fixes that.

Change-Id: I9925cb9a71c1b58dcf12f70d8ce0872386732f06
Closes-Bug: #1768725
2018-05-08 12:19:02 -04:00
Christian Zunker 3c55999ce4 Use absolute path for aide binary in cronjob
/sbin is not included in the path for this cronjob, so use the absolute path.

Change-Id: Idc11d83858a585041f7df2fe1657d20fd620a248
Closes-Bug: 1768726
2018-05-03 07:31:49 +02:00
Zuul 27965b5f02 Merge "Simplify SELinux check" 2018-03-15 15:02:32 +00:00
Zuul dc798c7979 Merge "Add check to ClamAV task to prevent simultaneous content updates" 2018-03-08 00:42:32 +00:00
Major Hayden a10fae4fe1 Replace Fedora 26 with 27
Now that infra is moving from Fedora 26 to 27, we need to update
the role to reflect the changing support for Fedora releases.

Change-Id: Icce8fd7ee2f8c54e6eb33beec7af96c4d1d375d6
Signed-off-by: Major Hayden <major@mhtx.net>
2018-03-07 13:30:45 +00:00
Russell Tweed f1a52aad91 Add check to ClamAV task to prevent simultaneous content updates
Check to see if a freshclam process is already running before kicking off another; attempting a second update will fail if one is already in progress.

Change-Id: Id5ab344c2408ba64c58612bab33c2ee98aeb97d5
Closes-Bug: 1730998
2018-03-07 09:36:37 +00:00
Major Hayden fcad8c23f5 Simplify SELinux check
The ansible_selinux variable is always populated with a 'status'
property, even if SELinux is not installed or configured. This
patch simplifies the check.

Change-Id: Ifddc385fc292ddb7d6c2758b199401c45de0f0f2
Signed-off-by: Major Hayden <major@mhtx.net>
2018-03-06 13:18:05 -06:00
Major Hayden 295ef13395 Move aide db when needed
The task that moves the aide database checks to see whether aide
was just initialized, but that task has a "changed_when: false" to
help with idempotency. That means that the database never gets
moved into place.

This patch changes the task to check whether the aide
initialization was skipped or not. If it wasn't skipped, then the
database will be moved.

Closes-Bug: 1745675
Change-Id: I2f186274cbff4b38706603a51429557057843e4e
2018-02-06 12:39:14 -06:00
Major Hayden 74c904247f Use import/include_tasks
This patch uses the new import_tasks/include_tasks modules from
Ansible 2.1+ and removes some deprecation warnings from the
beginning of playbook runs.

Change-Id: I17d0a9bcb9964d666e140b832b6f2a26ff948d41
2018-01-18 10:03:25 -06:00
Markos Chandras 65dce4045a tasks: auth: Pass --unrestricted to Linux Grub2 entries
The password protection aims only to prevent users from editing the
menu entries, not from booting the system altogether. Fedora is patching
the 10_linux file to use '--unrestricted' so all users can boot the
system. As such, we apply a similar patch to the rest of the distros.

Change-Id: I1390a330ea1f0b48e71fdcb548614d5582fffbd4
Link: http://pkgs.fedoraproject.org/cgit/rpms/grub2.git/tree/0109-Don-t-require-a-password-to-boot-entries-generated-b.patch
Link: https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html#Authentication-and-authorisation
Closes-Bug: 1735709
2018-01-10 16:50:19 +00:00
Zuul 04365d3ec1 Merge "tasks: Add missing tags for async tasks" 2017-12-16 10:41:27 +00:00
Major Hayden c8a59a1c9a Remove old /etc/profile config block
When the openstack-ansible-security role became ansible-hardening,
a new config block was added to `/etc/profile` without removing
the original one with the openstack-ansible-security markers. This
causes errors on the command prompt since `TMOUT` is defined twice.

This patch removes the old config block using blockinfile.

Closes-Bug: 1736702
Change-Id: I2768182f5dde3368028a1a25af69db6ac7a75d9b
2017-12-15 20:05:02 +00:00
Markos Chandras d6ead42b8f tasks: Add missing tags for async tasks
When running the role using a specific tag (e.g. -t auth), some tasks
try to check the status of the async ones and they fail because the
async task was never executed due to missing the 'always' tag. We can
fix that by adding the missing tags to the async tasks.

For example,

TASK [ansible-hardening : Remove .shosts or shosts.equiv files]
******************************************************************************************************************************
fatal: [localhost]: FAILED! => {"failed": true, "msg": "'job_result' is undefined"}

So we add the appropriate tags to the async tasks.

Change-Id: I24a23fb485f2269ae6f627533b3a725f6699d230
2017-12-13 12:55:43 +00:00
Markos Chandras a0810a9ca1 tasks: auth: Use standard Grub2 authentication mechanism
GRUB_PASSWORD is not understood by vanilla grub2 installations. As such,
we can use the recommended method by setting the superusers
environment variable and using the password_pbkdf2 command.

Change-Id: I07df3decf5e70b85a7dc48b8a8d1ca86e8878d09
Link: https://www.gnu.org/software/grub/manual/grub/grub.html#Security
Closes-Bug: 1735709
2017-12-13 12:38:30 +00:00
Zuul c54fc86bfd Merge "Add scaffolding for contrib tasks" 2017-12-01 14:16:46 +00:00