Ansible role for security hardening
Go to file
Major Hayden cee2e0b5b4 Move aide db when needed
The task that moves the aide database checks to see whether aide
was just initialized, but that task has a "changed_when: false" to
help with idempotency. That means that the database never gets
moved into place.

This patch changes the task to check whether the aide
initialization was skipped or not. If it wasn't skipped, then the
database will be moved.

Closes-Bug: 1745675
Change-Id: I2f186274cbff4b38706603a51429557057843e4e
(cherry picked from commit 295ef13395)
2018-02-14 22:52:58 +00:00
defaults Change PermitRootLogin to allow alternate options 2017-11-27 10:00:34 +00:00
doc Change PermitRootLogin to allow alternate options 2017-11-27 10:00:34 +00:00
files Add support for the openSUSE Leap distributions 2017-06-27 15:43:53 +01:00
handlers Always quote the filesystem permissions 2017-11-13 14:11:44 +00:00
library Verify password age limits [+Docs] 2016-12-08 09:44:23 -06:00
meta Correct the list of supported OS versions 2017-06-28 15:51:05 -05:00
releasenotes Change PermitRootLogin to allow alternate options 2017-11-27 10:00:34 +00:00
tasks Move aide db when needed 2018-02-14 22:52:58 +00:00
templates Change PermitRootLogin to allow alternate options 2017-11-27 10:00:34 +00:00
test_plugins Add equalto Jinja2 test for EL7 2017-06-30 09:13:16 -05:00
tests Fix filesystem permission masks 2017-11-13 14:12:32 +00:00
vars tasks: auth: Pass --unrestricted to Linux Grub2 entries 2018-01-12 14:07:24 +00:00
zuul.d Zuul: Remove project name 2018-02-09 15:54:10 -08:00
.gitignore Sync test files with the openstack-ansible-tests repository 2017-06-27 13:25:35 +01:00
.gitreview Update vars and test tooling for Pike 2017-08-30 13:16:21 +00:00
LICENSE Initial import of openstack-ansible-security role 2015-10-07 07:27:39 -05:00
README.md Fedora 26 support 2017-08-29 15:45:24 +00:00
README.rst [Docs] Replace security role references 2017-06-12 18:59:28 +00:00
Vagrantfile Manually check apparmor_status 2017-08-16 09:02:42 -05:00
bindep.txt Updated from OpenStack Ansible Tests 2017-08-30 13:18:07 +00:00
manual-test.rc Use centralised test scripts 2016-09-28 12:16:50 +01:00
run_tests.sh Updated from OpenStack Ansible Tests 2017-11-01 19:07:44 +00:00
setup.cfg [Docs] Replace security role references 2017-06-12 18:59:28 +00:00
setup.py Updated from global requirements 2017-03-02 11:52:32 +00:00
test-requirements.txt Updated from global requirements 2017-08-18 03:10:06 +00:00
tox.ini Update vars and test tooling for Pike 2017-08-30 13:16:21 +00:00

README.md

ansible-hardening

ansible-hardening-logo

The ansible-hardening role applies security hardening configurations from the Security Technical Implementation Guide (STIG) to systems running the following distributions:

  • CentOS 7
  • Debian Jessie
  • Fedora 26
  • openSUSE Leap 42.2 and 42.3
  • Red Hat Enterprise Linux 7
  • SUSE Linux Enterprise 12 (experimental)
  • Ubuntu 14.04 (deprecated)
  • Ubuntu 16.04

For more details, review the ansible-hardening documentation.

Requirements

This role can be used with or without OpenStack-Ansible. It requires Ansible 2.3 or later.

Role Variables

All of the variables for this role are in defaults/main.yml.

Dependencies

This role has no dependencies.

Example Playbook

Using the role is fairly straightforward:

- hosts: servers
  roles:
     - ansible-hardening

Running with Vagrant

This role can be tested easily on multiple platforms using Vagrant.

The Vagrantfile supports testing on:

  • Ubuntu 14.04
  • Ubuntu 16.04
  • CentOS 7

To test on all platforms:

vagrant destroy --force && vagrant up

To test on Ubuntu 14.04 only:

vagrant destroy ubuntu1404 --force && vagrant up ubuntu1404

To test on Ubuntu 16.04 only:

vagrant destroy ubuntu1604 --force && vagrant up ubuntu1604

To test on CentOS 7 only:

vagrant destroy centos7 --force && vagrant up centos7

License

Apache 2.0

Author Information

For more information, join #openstack-ansible on Freenode.