With sphinx release of 5.0.0, they changed default for language variable
to 'en' from None. With that current None valuable is not valid and should
not be used.
Change-Id: I159a23ae2c147f75c0944a0a5e92f1a19ba20e2b
This patch adds variable `security_rhel7_enable_aide`. When it's False,
all AIDE related tasks would be ommited.
Change-Id: I64af348d9f49922ab51d8cd348d987df4263faa1
The sync from https://review.opendev.org/733244 updated to
openstackdocstheme 2.2.1 and reno 3.1.0 versions.
Set openstackdocs_pdf_link to link to PDF file. Note that
the link to the published document only works on docs.openstack.org
where the PDF file is placed in the top-level html directory. The
site-preview places the PDF in a pdf directory.
openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.
See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html
Change-Id: Id2c810e9214981f381d5a9d4f1f2e40cb63a02af
The docs job is failing in https://review.opendev.org/671840 and thus
nothing is synced in from openstack-ansible-tests. The failure is due to
the removal of entries from doc/requirements.txt. Add those
to test-requirements.txt instead.
Change-Id: I21bcbde8acc8d4fd83b28026bcec33f388e69912
New version of openstackdocstheme (Victoria+) respects pygments_style.
Since this repo is using now Victoria (master) requirements but has
not branched for Ussuri yet, it uses the new version.
Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.
Change-Id: I3fe3956b80df054c8b56761e4c009457af5c98f0
This repo is now testing only with Python 3, so let's make
a few cleanups:
- Remove python 2.7 stanza from setup.py
- Remove obsolete sections from setup.cfg
- Update requirements, no need for python_version anymore
- Use newer openstackdocstheme and Sphinx versions
- Cleanup */source/conf.py to remove now obsolete content.
- Remove install_command from tox.ini, the default is fine
Change-Id: Ic96b71596d4523e55fa4b451c99a8521dd581e4d
Some options are now automatically configured by the version 1.20:
- project
- html_last_updated_fmt
- latex_engine
- latex_elements
- version
- release.
Change-Id: I14b62b4010950877d58a615de5f671ab6c866b48
This patch adds a `pdf-docs` tox target that will build
PDF versions of our docs. As per the Train community goal:
https://governance.openstack.org/tc/goals/selected/train/pdf-doc-generation.html
Add sphinxcontrib-svg2pdfconverter to doc/requirements.txt
to convert our SVGs.
Change-Id: I04319a1195873d63bfc45ffb0f5c7c89fb797652
Story: 2006105
This change adds the option `security_sudoers_nopasswd_check_enable`
when running check "V-71947". This change allows users to skip this
check via ansible extra variable instead of having to skip tags. While
this change has a functional benifit in some environments, it is being
done with the primary intention of providing a better experience to
deploying running clouds where services like cloud-init may be present.
Change-Id: I0d0c95534ace0b00fa64c2f243ad91ce5844d85a
Closes-Bug: #1741225
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
The docs previously specified that the wrong boolean value should be set
in order to opt-in to control V-72115. The variable
security_rhel7_audit_lsetxattr has a value of no by default.
Change-Id: I2701ada847404a629de44a548ace2f5e9424638d
Now that infra is moving from Fedora 26 to 27, we need to update
the role to reflect the changing support for Fedora releases.
Change-Id: Icce8fd7ee2f8c54e6eb33beec7af96c4d1d375d6
Signed-off-by: Major Hayden <major@mhtx.net>
PermitRootLogin can be 'yes', 'no', 'without-password',
'prohibit-password' or 'forced-commands-only'.
This patch changes the functionality to ensure that
security_sshd_permit_root_login is one of the above settings - if so, it
will use that value.
Due to the way Ansible handles "no" and "yes", we have to check if the
value is "False" (string equivalent for boolean no), and if so output
"no", otherwise output the string (which would be one of the above
options).
Previously, we could only set this value to 'no'.
Change-Id: I5ee5ff6abc4578d17d4b23d8a2fa1648508ceeed
This patch adds the basic scaffolding for developer-contributed
hardening standards that are outside the scope of the Security
Technical Implementation Guide (STIG). Deployers have the option
to deploy these hardening standards as well.
Change-Id: I33175ffd36a75d27e5ac6c13aaf1584e5fdf23dd
This patch updates the tasks to match the changes in Version 1,
Release 3 of the RHEL 7 STIG. It adds four new configurations:
- V-77819 (docs only, manual intervention req'd)
- V-77821 (disabling DCCP, implemented)
- V-77823 (docs only, manual intervention req'd)
- V-77825 (enabling ASLR, implemented)
Closes-Bug: 1729344
Change-Id: I009fb31139e654f839d94781baf3d392c6613f46
The search for world-writable files is very intensive and causes
some long delays when running playbooks. This patch makes it
optional and updates the documentation to match.
Change-Id: I206f75597c48023a889bd7027daff2eff82b1a16
This patch updates the STIG XML to version 1 release 2.
The new release does not have V-72181 included, so the relevant
tasks and variables have been removed.
Closes-Bug: 1718772
Change-Id: I441dbacdfa82e49c0c24f86e303706ae79c7d4dd
This patch begins the teardown of the RHEL 6 STIG content from the
ansible-hardening repository. It will still be maintained in
Pike and earlier branches.
This patch also updates the ansible-hardening documentation for the
Queens release and notes that Pike is the latest stable version.
Closes-Bug: 1715745
Change-Id: Iaae52c97a35d82dd807ef78a1a6593ce3aa33540
The current behavior of the hardening role is to install the
epel-release package on all deployments. This patch changes
the logic to only install the EPEL repository if the deployer
has asked for ClamAV to be installed.
The patch also provides an option to disable the installation
of EPEL entirely using a variable.
Closes-Bug: 1702167
Change-Id: I9c5e6048f95636faf2a6d71ac9217ba69ca41296
Dmitriy Rabotyagov