Commit Graph

10 Commits

Author SHA1 Message Date
Bernd Müller 3b95e7fc03 changed disable dccp conf for preventing kernel messages
dccp_diag: Unknown symbol dccp_hashinfo (err 0)

https://access.redhat.com/solutions/2321691

$ cat /etc/modprobe.d/ansible-hardening-disable-dccp.conf
install dccp /bin/true
install dccp_diag /bin/true

Change-Id: I7441d71c52bdb4f215e1976d15e9282d9cd75139
Signed-off-by: Bernd Müller <mueller@b1-systems.de>
2019-10-21 13:18:03 +02:00
Markos Chandras f422da8599 Add support for the openSUSE Leap distributions
Add support for the openSUSE Leap distributions. The security rules
are similar to the RedHat and Ubuntu ones. We also replace
ansible_os_family with ansible_pkg_mgr since the former does not
return consistent results across different SUSE distributions, especially
on older Ansible versions.

Change-Id: I20ffe17039bb641aad70d8123f0b7e7417a42cba
2017-06-27 15:43:53 +01:00
Major Hayden 38270e7870 [Docs] Replace security role references
This patch changes any reference of openstack-ansible-security to
ansible-hardening.

Change-Id: Ib264e31a926c05380b0d1dcd630ad8f3fd1e58f3
2017-06-12 18:59:28 +00:00
Major Hayden 1819c4241a Configure AIDE before initial run
This patch ensures that AIDE is fully configured before the first
database initialization process begins.

Closes-Bug: 1686110
Change-Id: I209b88afb305828fa6e46de255ef11f5a6645427
2017-05-16 15:33:00 +00:00
Major Hayden efbeb691a2 Add AIDE checks for ACL/xattrs [+Docs]
CentOS/RHEL have strict AIDE configs, but Ubuntu's configuration needs
extra configuration. This patch adds lines to the end of Ubuntu's AIDE
configuration to meet the requirements of RHEL-07-021600,
RHEL-07-021610, and RHEL-07-021620.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I107fa931f80d6871195027be0ed8db4105e2ddf4
2016-12-08 22:21:01 +00:00
Major Hayden 85630fd27f Enable graphical login banner
This patch enables login warning banners on graphical logins. Docs
will be in a follow-on patch.

Implements: blueprint security-rhel7-stig
Change-Id: I9aa7e2c2691b0d2c0659826037909bf43cef0505
2016-11-18 13:48:43 -06:00
Major Hayden 5fbc456807 Set graphical session locks
This patch applies the graphical session lock settings from the following
STIG controls:

  - RHEL-07-010060
  - RHEL-07-010070
  - RHEL-07-010071
  - RHEL-07-010073
  - RHEL-07-010074

Docs will be provided in a follow-on patch.

Implements: blueprint security-rhel7-stig
Change-Id: I306ea5e2e274a2ca63158ba8b039686b27a5d923
2016-11-14 08:15:49 -06:00
Matt Thompson d1ca8dbaa7 Add ability to enable unattended upgrades
This commit adds the ability to enable automatic package upgrades via
openstack-ansible-security.  To enable, add the following variable to
your /etc/openstack_deploy/user_variables.yml file:

unattended_upgrades_enabled: true

To have the unattended upgrades system send e-mail notifications
when packages need updating or errors are encountered, add the
following to user_variables.yml:

unattended_upgrades_notifications: true

As many organisations do not subscribe to auto updates, this
functionality will remain disabled by default.

Note that the first iteration of this change does not allow deep
customisation of unattended-upgrades.  This means that as it stands
only trusty-security (or $distro-security) updates will be applied.

Closes-Bug: #1568075

Change-Id: I22ba1a02acfbe2befb601af6a4099d53d988d856
2016-04-15 11:58:29 +01:00
Major Hayden 7a3fd19766 V-38682: Disable bluetooth modules
Change-Id: Ic59306c7722560fd1051cae0f74c1cc2660ac2cb
2015-10-14 21:23:11 -05:00
Jesse Pretorius 58ac7a8a7a Enable role testing and make structure ansible-galaxy compatible
This patch adds the bits needed to implement automated syntax/lint
role testing. It also moves the role into the base repository so
that the role becomes fully compatible with ansible-galaxy to
improve the role's consumability.

Change-Id: Ia79cd5dedbbe50dfdf46688830a989ff0897832a
2015-10-09 11:47:23 +00:00