Commit Graph

33 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov db5c6f2d66 Fix linters and metadata
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metadata to reflect the current state.

Change-Id: I1920cd05ac5b4d32ad12bce42d9161a568f288b6
2023-07-17 14:25:21 +02:00
Dmitriy Rabotyagov a82570f1a5 Use pipefail for shell module
It's not safe to run pipes without pipefail, but in some cases we
expect it to fail and work around this. In such cases we ignore the rule.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-tests/+/784751
Change-Id: I79a630ebe8ff54bc9f4600e1f3c0fda653cc4b71
2022-01-04 13:07:09 +00:00
Dmitriy Rabotyagov 9d6a927d8c Explicitly create clamav socket directory
While most of our supported distributions do create LocalSocket on their
own, it's not always the case and shouldn't be trusted that much.

Change-Id: I56851f56aa85108a4898ef99c48ac77c898ccb69
Closes-Bug: #1944564
2021-10-20 15:27:21 +03:00
Jonathan Rosser b9a9310d7c Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: I3dc2486a0666367d673b23403f2510c94c40eaf4
2021-03-10 16:54:58 +00:00
Jonathan Rosser c6703cd5e5 Fix linter errors
Work around the mutually incompatible W503 and W504.

Change-Id: I45d0ca8a911d9cf1af2df52a1cf911db817b13b3
2021-02-02 16:11:03 +02:00
Ghanshyam Mann 83ac8bfd6d [ussuri][goal] Updates for python 2.7 drop
OpenStack is dropping py2.7 support in the ussuri cycle.

openstack-ansible repos only need updates on requirements
and tox file.

Complete discussion & schedule can be found in
- http://lists.openstack.org/pipermail/openstack-discuss/2019-October/010142.html
- https://etherpad.openstack.org/p/drop-python2-support

Ussuri Community-wide goal:
https://governance.openstack.org/tc/goals/selected/ussuri/drop-py27.html

Change-Id: Idf700e627b5c88059762690aec6dc3e3a345a39f
2020-04-03 21:18:52 +03:00
Logan V 00ad3500c8 Fix conditional cast to bool
While running the hardening role, I found that a small VM would
regularly crash ansible on the chrony configuration templating
task with "A worker was found in a dead state!". An ansible bug[0]
shows that this can be caused by jinja templating that is not casted
to the correct type.

After verifying the crash was reproducible 3-4 times in a row, this
crash stopped occurring once I started casting this variable to a bool.

I don't know if it is coincidence but it can't hurt to cast this
conditional regardless.

[0] https://github.com/ansible/ansible/issues/32554#issuecomment-382360908

Change-Id: Ie34de1808c807fd31099cc7d3d7b140ccfab64df
2019-03-15 23:01:45 -05:00
Kevin Carter 111f48b2f6 Correct issue with ansible hardening and systemd
The systemd command does not have a stable api and can return different
codes when executed. This change converts the task to query the target
unit and disable it if it exists to a single systemd task using the
ansible module.

Closes-Bug: #1787048
Change-Id: I74c43839cd7d3a8620a0fb8e405fbc3f6a0f44d0
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-08-21 11:32:23 -05:00
Mohammed Naser 6cae2c1e46 Ensure that comments are not counted
With the previous grep, it was possible that any commented nameserver
entries would be counted.  This patch fixes that.

Change-Id: I9925cb9a71c1b58dcf12f70d8ce0872386732f06
Closes-Bug: #1768725
2018-05-08 12:19:02 -04:00
Russell Tweed f1a52aad91 Add check to ClamAV task to prevent simultaneous content updates
Check to see if a freshclam process is already running before kicking off another; attempting a second update will fail if one is already in progress.

Change-Id: Id5ab344c2408ba64c58612bab33c2ee98aeb97d5
Closes-Bug: 1730998
2018-03-07 09:36:37 +00:00
Major Hayden c8a59a1c9a Remove old /etc/profile config block
When the openstack-ansible-security role became ansible-hardening,
a new config block was added to `/etc/profile` without removing
the original one with the openstack-ansible-security markers. This
causes errors on the command prompt since `TMOUT` is defined twice.

This patch removes the old config block using blockinfile.

Closes-Bug: 1736702
Change-Id: I2768182f5dde3368028a1a25af69db6ac7a75d9b
2017-12-15 20:05:02 +00:00
Major Hayden 38270e7870 [Docs] Replace security role references
This patch changes any reference of openstack-ansible-security to
ansible-hardening.

Change-Id: Ib264e31a926c05380b0d1dcd630ad8f3fd1e58f3
2017-06-12 18:59:28 +00:00
Major Hayden d8336717aa Fix warnings about jinja2 in when
This patch fixes the warnings from jinja2 templates in when lines.

Change-Id: Ib8c35d250f2d68a0288baa6080c1fa39fbe688d9
2017-04-25 16:06:52 +00:00
Major Hayden ab9357dd54 Skip ClamAV db update in gate
This patch disables the ClamAV database update in the gate jobs. The
update often fails due to upstream server issues.

Change-Id: I39cfcc102bc98895823b4de9df930e6f273aaf15
2017-04-21 14:27:16 -05:00
Major Hayden 005fa52c66 Make login banner customizable
This patch makes it easier for deployers to customize their login
banner and it also fixes some documentation bugs around how to
configure the graphical login banner.

Closes-bug: 1679749
Change-Id: I755de63cc3965f065077c983dbf1015ad93dfa6c
2017-04-05 08:32:39 -05:00
Major Hayden dccce1d5cc Handle RHEL 7 STIG renumbering
This patch gets the docs adjusted to work with the new RHEL 7 STIG
version 1 release. The new STIG release has changed all of the
numbering, but it maintains a link to (most) of the old STIG IDs in
the XML.

Closes-bug: 1676865
Change-Id: I65023fe63163c9804a3aec9dcdbf23c69bedb604
2017-04-04 07:22:12 -05:00
Major Hayden a2b3fe1598 Use async for updating ClamAV DB
This patch updates the ClamAV task to run asynchronously and this
should improve playbook run times.

Change-Id: Ifbe9ded881baf72664dc3ac763dab28c2aa93cfa
2017-02-12 17:47:14 +00:00
Major Hayden 354b87c261 Fix copy/paste error in task name
The STIG id from the RHEL 6 STIG was accidentally copy/pasted into
one of the tasks for the RHEL 7 STIG.

Change-Id: Idd3245c105d656b2f30fe956e29b1e27518805b4
2017-01-12 08:11:33 -06:00
Major Hayden a0b88da6bb Add checks for remote syslog [+Docs]
This patch adds a check for remote syslog configurations.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I3e05aa30c0d1d838a7f604c6ca7cce27a4d0e86a
2016-12-12 19:57:33 +00:00
Major Hayden 71a3847862 Fix issues from new CentOS 7 release
The `systemctl status` commands now return a code of `4` instead of `3`
when the systemd unit isn't found. This patch adds checks for those.

A packaging bug[0] causes `yum-cron` installations to fail. The
unattended upgrade tasks are now skipped for CentOS 7 until a better
workaround can be found.

The auditd daemon now resets file permissions on its log directory each
time it restarts and that breaks the idempotence tests. That task now
has "changed_when: False".

These patches should unblock the security role gate.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=1293713

Change-Id: I80b66a6d9e7c8ad97761a1f890ec6a3d2db88659
2016-12-12 18:35:50 +00:00
Major Hayden 325fe758d3 Ensure separate filesystems exist [+Docs]
This STIG has requirements for separate filesystems for some mounts, but this
can only be done during the initial provisioning process.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I70b6e929b54648bfa7af62005a7d9ab2f397db22
2016-12-09 18:22:44 +00:00
Major Hayden 7534fbaa29 Check for default SNMP comm strings [+Docs]
This patch adds checks for default SNMP community strings if snmpd is
installed.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: Ib5c3a0adef92d5f3853fa17f5ce43c3b31577f6c
2016-12-09 12:09:37 +00:00
Major Hayden 5b06a4484f Check for TFTP secure mode [+Docs]
This patch adds tasks that verify if TFTP is running in secure mode.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I73fd30e295cef9a3d9d7ebb5769df6b3f45db668
2016-12-09 11:15:03 +00:00
Major Hayden fc2c356bc4 Restrict mail relaying [+Docs]
This patch adds tasks that check for postfix and set restrictions for mail
relaying.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I8c0ae38f2264fae20fe9055fde47e9abbb355767
2016-12-09 10:53:41 +00:00
Major Hayden 14fa6e5060 Enable chrony [+Docs]
This patch enables chrony and performs basic configuration to meet the
STIG requirements.

These tasks can't be enabled in OpenStack CI due to conflicts with existing
NTP daemons in the CI image.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: If6736c0f4a16de1ba41a4cfa00f5f72f8baf0054
2016-12-09 10:32:24 +00:00
Major Hayden b1435ff429 Set TMOUT variable for all sessions [+Docs]
This patch sets a session timeout for 10 minutes using the TMOUT environment
variable. Deployers can adjust the timeout from the default if needed.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: Iccb49d5fe4517b053e8dcf63a783de04513cf85f
2016-12-09 10:04:50 +00:00
Major Hayden 81807a1d83 Check for promiscuous interfaces [+Docs]
This patch adds tasks to check for interfaces that are in promiscuous
mode. If any are found, a warning is printed.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: Ia5344a298ddd34d98b00d1a3b14e40883fc4e69f
2016-12-09 09:37:25 +00:00
Major Hayden f9a3a1606e Check for two nameservers [+Docs]
This patch adds tasks to verify that two or more nameservers
are configured on each server in `/etc/resolv.conf`. If not,
a warning is printed in a debug message.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I60a75be3fb3af031464f9a9defe8b2434dad7f56
2016-12-01 20:07:56 +00:00
Major Hayden 00857924d3 Add firewalld rate limit rule [+Docs]
This patch adds tasks that set a rate limit rule for new TCP connections.
The limit can cause issues with applications that handle large amounts of
TCP connections, so the limit is opt in only.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: If448508ae6f629c9e162beeea420100da9e08d52
2016-12-01 20:07:48 +00:00
Major Hayden c777f734ac Enable firewalld [+Docs]
This patch allows deployers to opt-in for firewalld. The firewalld package
is installed and the service is enabled when `security_enable_firewalld` is
set to `yes`.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I641a8c7e468ed1b7908d2b62296fa309de6979b5
2016-11-30 13:00:23 -06:00
Major Hayden 40ca9cf990 Disable ctrl-alt-del key sequence [+Docs]
This patch masks the systemd unit that controls the C-A-D key sequence.

Implements: blueprint security-rhel7-stig
Change-Id: I9bd01641fd8787fab90921e360e5933953871d51
2016-11-30 12:49:38 -06:00
Major Hayden 9880cebafe Disable autofs [+Docs]
This patch disables the autofs server if it is present
on the system. Docs are included.

Implements: blueprint security-rhel7-stig
Change-Id: Ic8c2fe80cadc6a80a06852466e8f8267c17227b7
2016-11-30 12:48:21 -06:00
Major Hayden 3c0cc41969 Enable virus scanner
The STIG requires that a virus scanner is installed and running. This
won't be popular on many hypervisors or OpenStack control plane servers,
so the tasks are disabled by default.

Implements: blueprint security-rhel7-stig
Change-Id: I3b4803139e63aae3b740e8e150cb552a298c4ece
2016-11-14 08:23:38 -06:00