This repo is not properly retired. Retired repos can only have two files:
- README.rst
- gitreview
To clean up the retirement of this repo, keep these two files only and
remove the other remaining files if there are any.
Detail: https://etherpad.opendev.org/p/tc-retirement-cleanup
Change-Id: I69cb089425ad889f4cd0aad17c10de6bd19eb1b0

Now that stable/pike has been released we can re-retire the
openstack-ansible-security role.
NB the .gitreview file has remained in place, so that future stable
releases will be successful.
This reverts commit fe39a30c98.
Change-Id: I1137ca951de2fba3b692c2c77b2030d9b0bd10eb

This reverts commit ea9b39d723.
In order to release stable/pike we need this to still be present.
https://review.openstack.org/#/c/502063/ is failing.
Once we release stable/pike we can figure out how to properly remove
this repository.
Change-Id: I50308b1c3001371d4554b6c2640bd5384e870a53

This patch fully retires the openstack-ansible-security role and
repository. Consumers are encouraged to use the ansible-hardening
project:
https://docs.openstack.org/ansible-hardening/
Depends-On: I033eea2d5ad23156e46ddbc1c10486d2a90d503b
Closes-Bug: 1716504
Change-Id: I219d0d9d7a3463fb63ee3eef28bfb9e753c37b91

This patch adds deprecation/retirement warnings to the documentation,
README files, and the role itself.
Change-Id: I419ee0d3bcd3a772f6864acd3d07b062bf6cd7c5

Currently the role tests use whatever versions of pip,
setuptools and wheel are already installed on the host.
When a version of these tools changes it often causes
problems for our testing.
This will ensure that we use a known good set of pins
which is maintained in the general SHA bumping process.
Change-Id: Ibd12a320b90f687e1d5bb90fbb6dba40b7ff78a8

The task that checks for AppArmor being disabled at boot time
fails if the line isn't present in dmesg. This patch ensures that
the output from dmesg is always maintained and the shell always
comes back with success.
Closes-Bug: 1694508
Change-Id: Ied083e02855b2173d766c7cfd33045e737a79a43

The tag for V-72267 was set to 'implemented' in an interesting
copy/paste failure. It should be 'sshd'.
Change-Id: I0467e8b2d2cfa4a73ff93690ea30e944b39b419d

The pam_password_variable didn't have jinja tags around it and it
wasn't being handled correctly. This patch fixes the bug and makes
the task name easier to read.
Closes-Bug: 1693343
Change-Id: Ie469c32a71c3c0e1b381739290ffb608bb04a21c

Several tasks in the auth.yml file were actually more closely related
to accounts rather than authentication. This patch moves tasks from
the auth.yml into accounts.yml and adjusts the docs to match.
This should alleviate confusion and allow deployers to fine-tune
their Ansible playbook runs.
Change-Id: I962014ba9022dd256dc04da6b4ac0860797fbc24

It makes more sense to have the "getting started" docs above the
FAQ. Readers probably want to know about getting started first. ;)
Change-Id: Idc77b2ee667fe9d2de4ab217e25ad57b25ebd533

One of the STIG notes was missing a hyphen in "opt-in" and it
caused a new implementation status category to appear.
Change-Id: I9ec8d4817597f54f2ca8e71af81dfdb87f60afdb

The STIG numbering in the AIDE config block wasn't updated with the
big STIG renumbering effort. This patch fixes the numbers.
Change-Id: Id0393ce739f1b956931f239a65d548586a0994e0

This patch adds a check for the grub2 defaults file. On some systems,
especially ARM, grub is not present.
Closes-Bug: 1691210
Change-Id: I310565e6d72a89d0e3be85598ad1e0e114af16fc

When executing the tests repo clone in OpenStack-CI,
use zuul-cloner instead of git to enable cross-repo
testing. This ensures that if a dependent patch from
the tests repo is noted using 'Depends-On: <change-id>'
in the commit message, that patch will be included.
Depends-On: Idce7abebf32f24c356a27e099fbca954d917402b
Depends-On: I5da7802d61d2ab6b03908138e3a3ed2db22e3d29
Change-Id: I4da173e3c41e70ff48b3c88c430a6a65eded295a

This patch ensures that AIDE is fully configured before the first
database initialization process begins.
Closes-Bug: 1686110
Change-Id: I209b88afb305828fa6e46de255ef11f5a6645427

Now that the `greaterthan` test exists in upstream Jinja, we can
remove this plugin from the role.
Change-Id: I8a0624fee701892e069a741c3c486c795e0f3a7c

This commit removes the verbose options from the gate job and disables
clamav installation in the CI jobs. The clamav package is only available
in the EPEL repository, but the EPEL repo has been removed from
the CentOS images in the OpenStack gate. This will need to be handled
carefully in a later patch.
It also removes an apostrophe from `tasks/main.yml` that breaks syntax
highlighting in vim.
Change-Id: Ifbfc56ed5fe92887cf5beb6b2703fdc3e1c8bb05

This patch removes the `func_rhel7` environment and brings over the
verbose options from the tests role.
Change-Id: I44c2e089ff6175b3004ef7f6713622ac615bf6db

This patch disables the ClamAV database update in the gate jobs. The
update often fails due to upstream server issues.
Change-Id: I39cfcc102bc98895823b4de9df930e6f273aaf15