Commit Graph

81 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov 510a0778a7 Use valid value for CREATE_HOME
At the moment we pass a boolean value to CREATE_HOME instead of yes/no.
Leveraging a ternary allows us to always supply the expected values regardless
of the variable type in Ansible.

Closes-Bug: #1850200
Change-Id: I957dc9b98f1de23ea66ea0e225989e4f907a02cb
2024-03-28 10:52:07 +00:00
Dmitriy Rabotyagov b31cd46c18 Disable dynamic motd message
Right now the default cloud images of Ubuntu do contain a dynamic MOTD
by default, which takes around an extra 0.4 sec when establishing a connection.

Disabling the MOTD should improve the responsiveness of hosts and speed up
Ansible execution as well.

With that we're keeping the static MOTD, which has no impact on connection
speed.

Change-Id: Iaf25f6f444055cefd60dd2e3b4d5579f2a6fcdb1
2023-10-26 11:15:46 +00:00
Dmitriy Rabotyagov abfa76ba93 Disable GSSAPIAuthentication for SSH
This implements STIG V-204598 [1] and disables
GSSAPIAuthentication, which is enabled by default on EL
systems.
This should also speed up deployments on such systems, as
enabled GSSAPIAuthentication requires some time when
initiating a connection.

[1] https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2020-12-08/finding/V-204598

Change-Id: I2d92541ccfc27e91224fd481c3792993428a052e
2023-10-26 11:15:11 +00:00
Dmitriy Rabotyagov db5c6f2d66 Fix linters and metadata
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with the linter rules we're applying changes to the role.

With that we also update the metadata to reflect the current state.

Change-Id: I1920cd05ac5b4d32ad12bce42d9161a568f288b6
2023-07-17 14:25:21 +02:00
Dmitriy Rabotyagov aa1feb4527 Clean out SSH options we are managing
With the current behaviour we duplicate SSH options and don't care if the same
thing is defined anywhere down the line.
With this change we change how options are defined: instead of the
template we use a list of mappings. With that
we can select and remove the options that the playbook is supposed to manage.

With that we also keep playbook idempotency. As a side effect we can still
have options duplicated, but only if they have exactly the same value.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/840353
Change-Id: I140606f7e724fbe2a4f0b03f6a0501da7bdd5964
Closes-Bug: #1958649
2022-05-20 07:53:05 +00:00
Jonathan Rosser 11ae75f92b Add centos-9 support
Change-Id: If86dd75bbf444eaacf9eb7a890f17fa7593a1099
2022-01-06 09:37:04 -05:00
Zuul 4ba0de970a Merge "Explicitly create clamav socket directory" 2021-11-03 12:57:39 +00:00
Dmitriy Rabotyagov 9d6a927d8c Explicitly create clamav socket directory
While most of our supported distributions do create the LocalSocket on their
own, it's not always the case and shouldn't be trusted that much.

Change-Id: I56851f56aa85108a4898ef99c48ac77c898ccb69
Closes-Bug: #1944564
2021-10-20 15:27:21 +03:00
Jonathan Rosser 480dd9d866 Remove references to unsupported operating systems
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible.
OS-specific variables files are generalised where possible.

Change-Id: Id3136a5eed068e317aa1a7b33a1149629dc76d77
2021-06-11 14:14:20 +00:00
Jonathan Rosser b9a9310d7c Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: I3dc2486a0666367d673b23403f2510c94c40eaf4
2021-03-10 16:54:58 +00:00
Dmitriy Rabotyagov 180fc448eb Make possible to avoid aide installation
This patch adds the variable `security_rhel7_enable_aide`. When it's False,
all AIDE-related tasks will be omitted.

Change-Id: I64af348d9f49922ab51d8cd348d987df4263faa1
2021-02-02 14:12:10 +00:00
Jonathan Rosser 0114e44f3e Add Centos-8 support
Make hardening compatible with CentOS-8. The dependent patch [1] already
passes hardening and another one resolves an issue with installing
non-existent packages. So we should merge this one without passing the
CentOS 8 tests, so as not to create a circular dependency.

[1] https://review.opendev.org/689629

Change-Id: I33160b9a6e8331d6db39824e420033c7ab06780b
2020-05-22 11:03:22 +00:00
Major Hayden a10fae4fe1 Replace Fedora 26 with 27
Now that infra is moving from Fedora 26 to 27, we need to update
the role to reflect the changing support for Fedora releases.

Change-Id: Icce8fd7ee2f8c54e6eb33beec7af96c4d1d375d6
Signed-off-by: Major Hayden <major@mhtx.net>
2018-03-07 13:30:45 +00:00
Markos Chandras 65dce4045a tasks: auth: Pass --unrestricted to Linux Grub2 entries
The password protection aims to only prevent users from editing the
menu entries, not from booting the system altogether. Fedora is patching
the 10_linux file to use '--unrestricted' so all users can boot the
system. As such, we apply a similar patch to the rest of the distros.

Change-Id: I1390a330ea1f0b48e71fdcb548614d5582fffbd4
Link: http://pkgs.fedoraproject.org/cgit/rpms/grub2.git/tree/0109-Don-t-require-a-password-to-boot-entries-generated-b.patch
Link: https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html#Authentication-and-authorisation
Closes-Bug: 1735709
2018-01-10 16:50:19 +00:00
Yifei Xue 8025799fe6 Fix the path of chrony.keys
The path of chrony.keys on CentOS is different
from the one on Ubuntu. So change the definition
of keyfile to use the variable defined in vars.

Change-Id: Ibb54318d5fff452857d917e3b13af6bae26a1b55
Signed-off-by: Yifei Xue <xueyifei@huawei.com>
2017-12-22 10:01:58 +08:00
Markos Chandras a0810a9ca1 tasks: auth: Use standard Grub2 authentication mechanism
GRUB_PASSWORD is not understood by vanilla grub2 installations. As such,
we can use the recommended method by setting the superusers
environment variable and using the password_pbkdf2 command.

Change-Id: I07df3decf5e70b85a7dc48b8a8d1ca86e8878d09
Link: https://www.gnu.org/software/grub/manual/grub/grub.html#Security
Closes-Bug: 1735709
2017-12-13 12:38:30 +00:00
Major Hayden 2d407a5399 Add scaffolding for contrib tasks
This patch adds the basic scaffolding for developer-contributed
hardening standards that are outside the scope of the Security
Technical Implementation Guide (STIG). Deployers have the option
to deploy these hardening standards as well.

Change-Id: I33175ffd36a75d27e5ac6c13aaf1584e5fdf23dd
2017-11-08 07:28:47 -06:00
Major Hayden 782bb48c14 Update to RHEL 7 STIG V1R3
This patch updates the tasks to match the changes in Version 1,
Release 3 of the RHEL 7 STIG. It adds four new configurations:

  - V-77819 (docs only, manual intervention req'd)
  - V-77821 (disabling DCCP, implemented)
  - V-77823 (docs only, manual intervention req'd)
  - V-77825 (enabling ASLR, implemented)

Closes-Bug: 1729344
Change-Id: I009fb31139e654f839d94781baf3d392c6613f46
2017-11-01 13:31:34 -05:00
Major Hayden ba98871f4b Update to RHEL 7 V1R2 STIG
This patch updates the STIG XML to version 1 release 2.

The new release does not have V-72181 included, so the relevant
tasks and variables have been removed.

Closes-Bug: 1718772
Change-Id: I441dbacdfa82e49c0c24f86e303706ae79c7d4dd
2017-09-21 16:02:42 -05:00
Major Hayden 0c0767b3f1 Queens doc updates + removal of RHEL 6 STIG
This patch begins the teardown of the RHEL 6 STIG content from the
ansible-hardening repository. It will still be maintained in
Pike and earlier branches.

This patch also updates the ansible-hardening documentation for the
Queens release and notes that Pike is the latest stable version.

Closes-Bug: 1715745
Change-Id: Iaae52c97a35d82dd807ef78a1a6593ce3aa33540
2017-09-12 08:19:54 -06:00
Major Hayden b352760fd1 Fedora 26 support
This patch adds support for Fedora 26.

Depends-On: Ic4ea169908fec86623dbe91859ec524e48683ab7
Change-Id: I590bed829d9e3b7a6df477a00b65bfc10fc64dae
2017-08-28 07:33:16 -05:00
Major Hayden f576f24591 Skip sysctl configs when enabled: no
The intended functionality for "enabled: no" on sysctl configurations
was to skip the config entirely and leave the variable unaltered.
However, setting "enabled: no" was causing the configuration to be
removed entirely.

This patch ensures that any sysctl variables with "enabled: no" are
skipped and left unaltered.

Closes-Bug: 1710490
Depends-On: I2607f295a924a2ec51920b5f2b27c34d5222e8ff
Change-Id: If9c8c008538b2ff631a714a8ffe16df9376dedf3
2017-08-22 13:53:39 +00:00
Major Hayden 458e0e4c90 Install libpam-pwquality on Ubuntu
The password quality adjustments only work if libpam-pwquality is
installed on Ubuntu. This patch installs the package if
`security_pwquality_apply_rules` is set to `yes`.

Closes-Bug: 1702526
Change-Id: Ic1a21b12138f57d4d54bfbdc6804a195573baf52
2017-07-12 14:40:05 -05:00
Markos Chandras f422da8599 Add support for the openSUSE Leap distributions
Add support for the openSUSE Leap distributions. The security rules
are similar to the RedHat and Ubuntu ones. We also replace
ansible_os_family with ansible_pkg_mgr since the former does not
return consistent results across different SUSE distributions, especially
on older Ansible versions.

Change-Id: I20ffe17039bb641aad70d8123f0b7e7417a42cba
2017-06-27 15:43:53 +01:00
Major Hayden 6c9c7fad66 Get a list of all users + interactive users
This patch adjusts main.yml to retrieve a list of all users and a
list of just interactive users using the get_users module.

Change-Id: I4ff3ceeb068e339c62456f2e5c62ec97b72751f4
2017-06-13 06:32:17 +00:00
Major Hayden 97186f8339 Initial Fedora 25 support
This patch adds the initial support for Fedora 25 in the security
role. A non-voting gate job is proposed in the following review:

  https://review.openstack.org/#/c/467297/

Docs and general cleanup for Fedora/Debian support is coming soon.

Change-Id: Ia6c551d2f33255f7f71f7ba9bb328fc8f17f61e0
2017-05-31 13:33:34 +00:00
Major Hayden 4e9a8a1d6a Initial Debian 8 support
This patch sets up the security role so that it applies cleanly
to systems running Debian 8.

Change-Id: I15f003b8f57922b354143a86ccb34df77759e723
2017-05-23 07:31:18 -05:00
Jean-Philippe Evrard 9361a146e4 Do not update grub if grub not used
The security check should be skipped if GRUB update tool does not
exist (grub isn't installed).

Change-Id: I99a3b372e12e264cbc40bdc3ae6b6b60bf3c1c79
2017-04-13 12:34:22 +00:00
Major Hayden 701c0b1e32 Fix path to daemon init params file
Ubuntu 14.04 and CentOS 7 have their daemon initialization
parameters file in different places. This fixes a bug where
the path in CentOS was incorrect.

Closes-Bug: 1662545
Change-Id: Ie0b30848a73f8a1fbc7fe6a475d93d87a72ce40f
2017-04-04 10:52:02 -05:00
Major Hayden dccce1d5cc Handle RHEL 7 STIG renumbering
This patch gets the docs adjusted to work with the new RHEL 7 STIG
version 1 release. The new STIG release has changed all of the
numbering, but it maintains a link to (most) of the old STIG IDs in
the XML.

Closes-Bug: 1676865
Change-Id: I65023fe63163c9804a3aec9dcdbf23c69bedb604
2017-04-04 07:22:12 -05:00
Jesse Pretorius 78d844a008 Rename vars/common.yml to vars/main.yml
The file vars/main.yml is automatically loaded,
so by using this file name we're able to get
rid of the task that loads vars/common.yml, which
is a small optimisation.

Change-Id: I4e0a1b81c42a90b7cd28830f1c2e72c7bd62efaf
2017-03-13 18:30:43 +00:00
Major Hayden c15d75ecf4 Configure pam_faildelay on Ubuntu
As noted in the bug, Ubuntu 16.04 doesn't use FAIL_DELAY in
`/etc/login.defs` as CentOS 7 does. This patch ensures that
`pam_faildelay` is properly configured on Xenial.

Closes-Bug: 1659120
Change-Id: I9ff9f45c0c5bdd749c9491431e2dcb8836587e78
2017-01-30 13:22:19 -06:00
Logan V dc8dc3dbf9 Install chrony when enabled in RHEL7 STIG
Chrony was not being installed by the RHEL7 STIG package list when
enabled, causing a failure when the service configuration was
attempted.

This fixes the following failure:
http://cdn.pasteraw.com/7vo74lbz1jyf9qm5010mfqa169a8zpf

Change-Id: I6accac5504abe6fb1f2d0d0db5baa9b5a42a5c70
2017-01-21 18:52:09 -06:00
Jenkins 1ed53ab6da Merge "Add Ubuntu audit packages for RHEL 7 STIG" 2017-01-19 15:14:29 +00:00
Matthew Keeler dc949de683 Add Ubuntu audit packages for RHEL 7 STIG
Add auditd and audispd-plugins to Ubuntu's RHEL 7 STIG packages

Change-Id: I34358b80644c513a1f30d796bfcb155c4ded360a
2017-01-16 20:59:53 -06:00
Matthew Keeler cdcfb4680c Fix clamav_service variable to "clamav-daemon"
The ClamAV daemon on Ubuntu is clamav-daemon, rather than clamd.

Change-Id: Ifb04045cd80f236cf41b4b86000561136b631e4a
2017-01-16 20:08:28 -06:00
Major Hayden 1cf9fba0d3 Enable FIPS [+Docs]
This patch installs `dracut-fips` and checks to see if the deployer has FIPS
enabled at boot time. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I9a6da4dc753fbfc3949f0c78e53af3bb5e3083ef
2016-12-13 18:06:39 +00:00
Jenkins 1dbae8a946 Merge "Check for pam_lastlogin [+Docs]" 2016-12-09 03:51:24 +00:00
Jenkins 66d1cf2cfc Merge "Set action_email_acct in auditd [+Docs]" 2016-12-08 23:04:04 +00:00
Jenkins ba8d9bb7ca Merge "Set space_left_action in auditd [+Docs]" 2016-12-08 23:04:00 +00:00
Jenkins b6a43c6626 Merge "Set space_left in auditd [+Docs]" 2016-12-08 23:03:54 +00:00
Major Hayden 553ad01138 Set action_email_acct in auditd [+Docs]
This patch sets `action_email_acct` to `root` in the auditd configuration.
Deployers can customize the email recipient if needed.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: Ief6e6c8c6c2139e09f1ab9c97594576a5d72701e
2016-12-08 16:23:59 -06:00
Major Hayden 9f3921a650 Set space_left_action in auditd [+Docs]
This patch configures auditd to send emails to the administrator when the
`space_left` threshold is reached. Deployers can customize this setting if
needed.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I93673193b74dacb3def92b761b315eabd41cea41
2016-12-08 16:23:59 -06:00
Major Hayden 42ca47bb41 Set space_left in auditd [+Docs]
This patch sets the `space_left` in the auditd config to 25% of the disk
space on the root disk. Deployers can customize this variable.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I7a91a756fb920decbd1056e7f11f7dd548f2cac8
2016-12-08 16:23:59 -06:00
Major Hayden 28cd87354d Check for pam_lastlogin [+Docs]
This patch adds a verification check for `pam_lastlogin` in PAM's
configuration.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: Ib2135331efc0cfb6dca581ac7c70fac6dc7d3224
2016-12-08 16:20:23 -06:00
Major Hayden 280e797a4e Set grub2 password [+Docs]
This patch allows deployers to optionally set a GRUB 2 password for accessing
single-user and maintenance runlevels. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I33d1ef4dec72d196deaca142169675aa5077740b
2016-12-08 16:20:23 -06:00
Major Hayden e5db8521d9 Enable automatic package updates [+Docs]
This patch allows a deployer to optionally enable automatic package updates.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I79d38971ea847096e7f20f0912363deaf5028a74
2016-12-08 16:20:23 -06:00
Major Hayden 505a4a9eb0 Enable AIDE [+Docs]
This patch installs AIDE and optionally initializes the AIDE database. A
cron job is also deployed for CentOS/RHEL since it doesn't come with
the AIDE package itself.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: Iae04c95903960deee2d750037c08b50c4ce4f800
2016-12-08 16:20:23 -06:00
Major Hayden fd4fa2d3d7 Set audisp failure options [+Docs]
This patch adds configurations for audisp when the disk is full on the remote
server or when there is a network interruption between the local system and
the remote audisp server.

It also explicitly installs auditd/audisp-plugins to ensure that auditd and
the remote audisp log sender are installed on CentOS/RHEL.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I589ae00a70582ee3f5d48453b3c20f23752adfa6
2016-12-08 14:24:03 +00:00
Major Hayden 8ad68162f3 Set minimum password length [+Docs]
This patch allows deployers to opt in for a minimum password
length restriction. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: Ia1d5d6677233ae21ce585b4a363d130e1bb003fa
2016-12-02 19:57:14 +00:00