Commit Graph

55 Commits

Author SHA1 Message Date
Jonathan Rosser b9a9310d7c Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: I3dc2486a0666367d673b23403f2510c94c40eaf4
2021-03-10 16:54:58 +00:00
Marc Gariepy 17ccd9f06c Cleanup ansible_python_interpreter
ansible_python_interpreter is set to auto, it's not needed anywhere now.

Change-Id: I204db302995d779d390444f3f6a865ead750fed5
2020-06-17 11:14:01 -04:00
Ghanshyam Mann 83ac8bfd6d [ussuri][goal] Updates for python 2.7 drop
OpenStack is dropping the py2.7 support in ussuri cycle.

openstack-ansible repos only need updates on requirements
and tox file.

Complete discussion & schedule can be found in
- http://lists.openstack.org/pipermail/openstack-discuss/2019-October/010142.html
- https://etherpad.openstack.org/p/drop-python2-support

Ussuri Community-wide goal:
https://governance.openstack.org/tc/goals/selected/ussuri/drop-py27.html

Change-Id: Idf700e627b5c88059762690aec6dc3e3a345a39f
2020-04-03 21:18:52 +03:00
Mohammed Naser beb9f6ac6a Add retries to package installations
Change-Id: Ifc1e3be7cfec4e6447c32fbf7b8f7c87010da679
2018-06-16 19:15:12 -04:00
Jesse Pretorius 649e6ce02a Remove tests-repo-clone.sh
Now that run_tests.sh handles the tests repo clone, we can
remove the use of the older tests-repo-clone.sh script.

Change-Id: I839a959565585af033188ef13087d52dc320bc1f
2018-03-28 10:10:35 +01:00
OpenStack Proposal Bot 811e48cb91 Updated from OpenStack Ansible Tests
Change-Id: I1f81cb92fce40fce4006f766110508b123d0ed58
2018-02-14 20:08:41 +00:00
Zuul c54fc86bfd Merge "Add scaffolding for contrib tasks" 2017-12-01 14:16:46 +00:00
Major Hayden 79b3d25070 Fix filesystem permission masks
The setuid bit is ignored on directories, so it's not necessary
to remove it. The tasks currently remove the user's ability to
use their home directory.

The patch fixes the permissions problem, ensures that the 'nobody'
user is skipped, and enables testing for the tasks in the gate.

Closes-Bug: 1731005
Closes-Bug: 1730994
Change-Id: Id7be77b2eaa707c4c27d46f97d07f34825813749
2017-11-09 08:47:14 -06:00
Major Hayden 2d407a5399 Add scaffolding for contrib tasks
This patch adds the basic scaffolding for developer-contributed
hardening standards that are outside the scope of the Security
Technical Implementation Guide (STIG). Deployers have the option
to deploy these hardening standards as well.

Change-Id: I33175ffd36a75d27e5ac6c13aaf1584e5fdf23dd
2017-11-08 07:28:47 -06:00
Major Hayden 231676a93e Zuulv3 migration
Change-Id: Id9461969a3e365fb2dad0e52abaaedbcd7ebfdd7
2017-10-18 07:31:25 -05:00
OpenStack Proposal Bot 8972fc2e54 Updated from OpenStack Ansible Tests
Change-Id: If755cb565ad5cdbf82808343de19367a8ce8b001
2017-10-12 20:45:31 +00:00
Major Hayden 0c0767b3f1 Queens doc updates + removal of RHEL 6 STIG
This patch begins the teardown of the RHEL 6 STIG content from the
ansible-hardening repository. It will still be maintained in
Pike and earlier branches.

This patch also updates the ansible-hardening documentation for the
Queens release and notes that Pike is the latest stable version.

Closes-Bug: 1715745
Change-Id: Iaae52c97a35d82dd807ef78a1a6593ce3aa33540
2017-09-12 08:19:54 -06:00
Markos Chandras 1a02653708 Sync test files with the openstack-ansible-tests repository
This syncs most of the common files with the openstack-tests repository.
This effectively removes the Ubuntu 14.04 support from the Vagrantfile
as well as the RHEL6 STIG V-38496 workaround for it. This also removes
the now unused tests/vagrant.yml file and uses the tests/test.yml like
the upstream OpenStack CI does.

However, it doesn't sync the bindep.txt file since it doesn't quite
match what we have in the openstack-ansible-tests repository so the
shared one needs to be fixed first.

Finally, it adds a new doc/.gitignore file to exclude the generated
documentation file. This is necessary in order for the shared .gitignore
one to be used in the root of the repository.

Change-Id: Ia34979af9029ffb03fb525679356e6d9f3a039a6
2017-06-27 13:25:35 +01:00
Major Hayden 3699f90710 Actually set min/max password lifetime for account
This patch changes the tasks for V-71927 and V-71931 to actually set
the minimum password age on user accounts rather than printing
useless debug messages.

Change-Id: I3e085160baef1ecc12a3c96f08ede3845c68449f
2017-06-13 06:32:47 +00:00
Major Hayden 38270e7870 [Docs] Replace security role references
This patch changes any reference of openstack-ansible-security to
ansible-hardening.

Change-Id: Ib264e31a926c05380b0d1dcd630ad8f3fd1e58f3
2017-06-12 18:59:28 +00:00
Major Hayden 68ecd213b8 Fix ansible-hardening references in tox/playbook
This patch fixes the role name for ansible-hardening in tox.ini as
well as the test playbook.

Change-Id: Id26a17c484da51b67f2aa7921bb92d752d67a024
2017-06-12 18:25:40 +00:00
Major Hayden 3633d354b6 Remove 'physical_host' from inventory
The old 'physical_host' configuration is no longer needed and it
is causing an error in the gate jobs:

  ERROR! Unexpected Exception: 'ansible_host'

Change-Id: Ibc24a1077ad903d6adce3348e053a7c5ff4e3ea0
2017-06-12 13:23:59 -05:00
Major Hayden 40c744c86d Add more test coverage
This commit cleans up the testing variables and enables more tasks in
the CI jobs.

Change-Id: Ia937928e46b8ffefc54b499b8d8383ad4d81d907
2017-05-24 19:51:20 +00:00
Jenkins eb343c06d9 Merge "Use zuul-cloner for tests repo in OpenStack-CI" 2017-05-18 04:17:26 +00:00
Major Hayden 1525402856 Enable auto-upgrade in the gate
Change-Id: Ibc153138a7cc04b67f6e77978417d9e8e9b88a64
2017-05-16 15:10:35 -05:00
Jesse Pretorius 38255a83c2 Use zuul-cloner for tests repo in OpenStack-CI
When executing the tests repo clone in OpenStack-CI,
use zuul-cloner instead of git to enable cross-repo
testing. This ensures that if a dependent patch from
the tests repo is noted using 'Depends-On: <change-id>'
in the commit message, that patch will be included.

Depends-On: Idce7abebf32f24c356a27e099fbca954d917402b
Depends-On: I5da7802d61d2ab6b03908138e3a3ed2db22e3d29
Change-Id: I4da173e3c41e70ff48b3c88c430a6a65eded295a
2017-05-16 15:37:26 +00:00
Major Hayden 5ef94bf0ca Fix security role gate
This commit removes the verbose options from the gate job and disables
clamav installation in the CI jobs. The clamav package is only available
in the EPEL repository, but the EPEL repo has been removed from
the CentOS images in the OpenStack gate. This will need to be handled
carefully in a later patch.

It also removes an apostrophe from `tasks/main.yml` that breaks syntax
highlighting in vim.

Change-Id: Ifbfc56ed5fe92887cf5beb6b2703fdc3e1c8bb05
2017-05-16 10:24:25 -05:00
Major Hayden ab9357dd54 Skip ClamAV db update in gate
This patch disables the ClamAV database update in the gate jobs. The
update often fails due to upstream server issues.

Change-Id: I39cfcc102bc98895823b4de9df930e6f273aaf15
2017-04-21 14:27:16 -05:00
Major Hayden 9efb8153f1 Make .shosts search/removal opt in
This patch makes the search for .shosts/shosts.equiv files an opt in
operation.

Closes-Bug: 1665568
Change-Id: Ide0c69a4112981e75defeaa317609e6a5f930225
2017-03-07 12:14:15 -06:00
Major Hayden 7caec98c14 Disable file perm/ownership reset
Although setting file permissions and ownership based on the contents
of the RPM database is a good practice, it causes significant
deployment delays and can cause issues if a system administrator has
intentionally changed file permissions or ownership to meet their
specific needs.

This patch disables the tasks that set the permissions/ownership back
to their original values but leaves them enabled in the gate job.

Change-Id: I185f6755d9bddf58e23d6512f4728522c36306c0
2017-03-04 15:27:45 +00:00
Major Hayden 3942b20fb1 Unblock security role gate
This patch addresses two issues that are blocking the security role
CI jobs from completing:

The OpenStack CI image is missing the default audit.rules file and this
causes augenrules to fail when it loads new rules. The first line in
the default rules file deletes existing rules and this must be in
place before loading new rulesets. The contents of the default file
are now in the template file, which is safer anyway. The default
file provided by the OS is removed.

The task that updates the apt cache in test.yml was running more than
once during the CI job run when the gate ran slowly. That's fine, but
it breaks the idempotence checks. A `changed_when` is added to the task
to ensure that the idempotence tests aren't affected by an apt cache
update.

Change-Id: I9c2b50389cc2e4fa81717dcceccf6da1d973d34c
2017-01-03 12:19:46 -06:00
Major Hayden 5fdee29c70 Set home dir mode/owner/group owner [+Docs]
This patch sets the mode, owner, and group owner for each home directory to
the correct values.

The STIG also requires ownership/permission changes for files/directories
within each user's home directory, but these changes can be highly disruptive
for certain users.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I1c4a8dfb1e752d4426b471325cd09b2abf5a4ca7
2016-12-15 14:36:20 +00:00
Major Hayden 71a3847862 Fix issues from new CentOS 7 release
The `systemctl status` commands now return a code of `4` instead of `3`
when the systemd unit isn't found. This patch adds checks for those.

A packaging bug[0] causes `yum-cron` installations to fail. The
unattended upgrade tasks are now skipped for CentOS 7 until a better
workaround can be found.

The auditd daemon now resets file permissions on its log directory each
time it restarts and that breaks the idempotence tests. That task now
has "changed_when: False".

These patches should unblock the security role gate.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=1293713

Change-Id: I80b66a6d9e7c8ad97761a1f890ec6a3d2db88659
2016-12-12 18:35:50 +00:00
Major Hayden 280e797a4e Set grub2 password [+Docs]
This patch allows deployers to optionally set a GRUB 2 password for accessing
single-user and maintenance runlevels. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I33d1ef4dec72d196deaca142169675aa5077740b
2016-12-08 16:20:23 -06:00
Major Hayden e5db8521d9 Enable automatic package updates [+Docs]
This patch allows a deployer to optionally enable automatic package updates.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I79d38971ea847096e7f20f0912363deaf5028a74
2016-12-08 16:20:23 -06:00
Major Hayden 505a4a9eb0 Enable AIDE [+Docs]
This patch installs AIDE and optionally initializes the AIDE database. A
cron job is also deployed for CentOS/RHEL since it doesn't come with
the AIDE package itself.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: Iae04c95903960deee2d750037c08b50c4ce4f800
2016-12-08 16:20:23 -06:00
Major Hayden 2a17cd18cd Disable accounts w/expired passwords [+Docs]
This patch allows deployers to optionally disable accounts that have
expired passwords. This can be disruptive in some environments and that
is noted in the documentation.

Implements: blueprint security-rhel7-stig
Change-Id: I25233162900786fe100edd09d055b47025830b8c
2016-12-07 20:51:50 +00:00
Major Hayden 708cb62161 Prevent password re-use [+Docs]
This patch adds a restriction for password re-use. Deployers must opt in for
the change.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I5795bc28bd9270623d0d320b0e38746cc1700663
2016-12-02 19:56:42 +00:00
Major Hayden c777f734ac Enable firewalld [+Docs]
This patch allows deployers to opt-in for firewalld. The firewalld package
is installed and the service is enabled when `security_enable_firewalld` is
set to `yes`.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I641a8c7e468ed1b7908d2b62296fa309de6979b5
2016-11-30 13:00:23 -06:00
Major Hayden c229c4318e Find files/dirs without valid owners [+Docs]
This patch adds tasks that search the filesystem for files/directories
without a valid user or group owner. Running find is disruptive to some
systems, so this is disabled by default. The following controls are
covered:

  - RHEL-07-020360
  - RHEL-07-020370

Docs are included.

Implements: blueprint security-rhel7-stig
Change-Id: I5626c107663d8f3f12d71cc649de242dc4ee3409
2016-11-30 15:56:42 +00:00
Major Hayden c59d5b6936 Apply password quality rules
This patch applies password quality rules and satisfies the following
controls:

 - RHEL-07-010090
 - RHEL-07-010100
 - RHEL-07-010110
 - RHEL-07-010120
 - RHEL-07-010130
 - RHEL-07-010140
 - RHEL-07-010150
 - RHEL-07-010160

Each password quality requirement can be turned on/off with variables
and there is one master switch variable that turns them all off. The
master switch is off by default because these rules can cause problems
with existing systems if users aren't aware of the new requirements.

This will be explained in detail in the docs in the follow-on patch.

Implements: blueprint security-rhel7-stig
Change-Id: I3023715933321f11668c060046c065c17d7d2c6b
2016-11-29 13:21:51 -06:00
Jenkins 9723173119 Merge "Set graphical session locks" 2016-11-17 03:02:03 +00:00
Major Hayden 3c0cc41969 Enable virus scanner
The STIG requires that a virus scanner is installed and running. This
won't be popular on many hypervisors or OpenStack control plane servers,
so the tasks are disabled by default.

Implements: blueprint security-rhel7-stig
Change-Id: I3b4803139e63aae3b740e8e150cb552a298c4ece
2016-11-14 08:23:38 -06:00
Major Hayden 5fbc456807 Set graphical session locks
This patch applies the graphical session lock settings from the following
STIG controls:

  - RHEL-07-010060
  - RHEL-07-010070
  - RHEL-07-010071
  - RHEL-07-010073
  - RHEL-07-010074

Docs will be provided in a follow-on patch.

Implements: blueprint security-rhel7-stig
Change-Id: I306ea5e2e274a2ca63158ba8b039686b27a5d923
2016-11-14 08:15:49 -06:00
Major Hayden db2663b116 Automatically remove package deps
This patch adds functionality to enable autoremoval of dependencies when a
package is removed. This can be dangerous, so it is disabled by default.

Docs are included.

Implements: blueprint security-rhel7-stig
Change-Id: Ie88ffaec33249ac2ff03bf3d712533b382fac877
2016-11-10 16:31:33 -06:00
Major Hayden 23af709fff Fix auditd restart handler
It is not possible to restart auditd with systemctl. Using the service
interface is required. There are chef cookbooks[1] with the same
workaround.

This patch also includes a `cache_valid_time` addition to test.yml to
unblock the gate.

[1] https://github.com/chef-cookbooks/auditd/pull/22/files

Change-Id: I1aa3faf88f5953c230693600fcbcb786d49a35e0
2016-11-07 10:59:04 -06:00
Major Hayden 90c363031e Use centralised Ansible test scripts
This patch consumes the centralised Ansible test scripts
implemented in https://review.openstack.org/381853

Depends-On: I5c1f2f0949d6b7ad7bfc4151257b081728ba956f
Depends-On: Ie379de765c6ebba958ce8e7f9dc27b7a3af74ff8
Change-Id: Ib7fe11b666322b11b1e30dea775304fd5d236f2f
2016-10-10 08:56:20 -05:00
Major Hayden 4e7e57add2 Skip some test assertions for RHEL7 STIG
This patch skips the assertions on the test tasks that run after
the security role is applied. These should only run on the RHEL6
STIG content for now.

Change-Id: Ibee89def31fea8263f92666e593f7d44bd21cbc6
2016-10-05 14:47:53 -05:00
Jesse Pretorius ec1b42a2f9 Use centralised test scripts
This patch consumes the test scripts implemented by
https://review.openstack.org/375061 to ensure that
the tests and test preparation is consistent and
more maintainable.

Change-Id: I2c26eb12711128082a7136ab962f8239b59124b4
2016-09-28 12:16:50 +01:00
Major Hayden 8945ecbadf Restore logrotate cron job in CI
The infra images in the gate have the logrotate package installed
on CentOS, but the cron job file has been removed. This patch
ensures that the cron job is present in the OpenStack gate.

Logrotate is installed by default on CentOS/RHEL 7 systems, so this
won't cause issues on non-test systems.

Change-Id: I4b4cdbe4f36a957ae3c75b210a9df1f67d5c4127
2016-08-22 16:09:31 -05:00
Major Hayden ee00627b7a Add check/audit to gate testing
Checking or auditing an existing environment is a first class feature
in the security role, but we're not currently checking that feature
in the gate. A few users of the role have come forward with some
bugs around the check mode functionality and we should test this
more regularly.

This patch adds a quick audit check right before the functional test runs.
This adds about 30-60 seconds onto the gate test, but it should help
with catching these bugs.

Change-Id: I5f4adc292f027b2eb7429be843c167d152c0169d
2016-06-07 13:22:12 +00:00
Major Hayden 22c4c21583 Add CentOS 7 and Ubuntu 16.04 support
This patch adds initial support for CentOS 7 and Ubuntu 16.04
to the security role. Documentation and tests still need updates
in subsequent patches.

Release notes are included.

Change-Id: Iae936bb307a5938651c55e703d68d39a7716d178
2016-05-13 14:57:28 -05:00
Major Hayden fa2800419e Migrate to unique variable names
This patch migrates all of the remaining non-unique variable names
in the security role to a pattern that begins with `security_*`.
This will reduce potential variable collisions with other roles.

This is a breaking change for deployers and users who are moving
from the liberty or stable/mitaka branches to master. Release notes
are included with additional details to help with the transition.

Closes-Bug: 1578326

Change-Id: Ib716e81e6fed971b21dc5579ae1a871736e21189
2016-05-09 16:18:48 -05:00
Matt Thompson d1ca8dbaa7 Add ability to enable unattended upgrades
This commit adds the ability to enable automatic package upgrades via
openstack-ansible-security.  To enable, add the following variable to
your /etc/openstack_deploy/user_variables.yml file:

unattended_upgrades_enabled: true

To have the unattended upgrades system send e-mail notifications
when packages need updating or errors are encountered, add the
following to user_variables.yml:

unattended_upgrades_notifications: true

As many organisations do not subscribe to auto updates, this
functionality will remain disabled by default.

Note that the first iteration of this change does not allow deep
customisation of unattended-upgrades.  This means that as it stands
only trusty-security (or $distro-security) updates will be applied.

Closes-Bug: #1568075

Change-Id: I22ba1a02acfbe2befb601af6a4099d53d988d856
2016-04-15 11:58:29 +01:00
Major Hayden 6803e42e10 Security: Check for grub.cfg first
As noted in bug 1550426, the tasks for grub.cfg will fail if
the file is not present. This patch checks for the grub.cfg
and only tries to make changes if the file is present.

Closes-bug: 1550426

Change-Id: Id5368dfa2c24d555c59f9ceef4676f3d15706ad9
2016-02-29 14:15:29 -06:00