* Update ansible-hardening from branch 'master'
to 510a0778a7172c047486f919b93b77e2a6671d8d
- Use valid value for CREATE_HOME
At the moment we pass a boolean value to CREATE_HOME instead of yes/no.
Leveraging ternary allows us to always supply the expected values regardless of
the variable type in Ansible.
Closes-Bug: #1850200
Change-Id: I957dc9b98f1de23ea66ea0e225989e4f907a02cb
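An added example (not a task from the ansible-hardening role itself) of the ternary pattern the commit describes: /etc/login.defs only accepts `yes`/`no` for CREATE_HOME, so a bare `{{ var }}` rendering as `True`/`False` would be rejected. The variable name `security_create_home` is a hypothetical name chosen for this illustration.

```yaml
# Added example, not the role's own task.
# `security_create_home` is a hypothetical variable name.
- name: Ensure CREATE_HOME in /etc/login.defs is always written as yes/no
  ansible.builtin.lineinfile:
    path: /etc/login.defs
    regexp: '^CREATE_HOME\s'
    # `bool` normalises "yes"/"true"/True/1 to a real boolean first, then
    # `ternary` renders the value login.defs actually understands, so the
    # result is correct whether the user passed a boolean or a string.
    line: "CREATE_HOME {{ security_create_home | bool | ternary('yes', 'no') }}"
    owner: root
    group: root
    mode: '0644'
```

Setting `security_create_home: true`, `security_create_home: "yes"` or `security_create_home: "True"` all render `CREATE_HOME yes`; anything false renders `CREATE_HOME no`, and the task stays idempotent because the rendered line no longer depends on the caller's variable type.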
* Update ansible-hardening from branch 'master'
to 9d7f0ad471c07e5b25e2d32a7c4b5044567aa807
- reno: Update master for unmaintained/xena
Update the xena release notes configuration to build from
unmaintained/xena.
Change-Id: I4d2aeb0613c5c975b2a62d3fb47c84b11865c1dc
* Update ansible-hardening from branch 'master'
to db284ddf93dae00fecec76618cb1f743101019de
- Use replace module instead of lineinfile for disabling dynamic motd
The lineinfile module can manage only a single occurrence of a line in the file,
while pam.d/sshd contains multiple occurrences of pam_motd, which
results in not disabling it fully.
In order to properly comment out/uncomment all occurrences, the replace module
should be used instead.
Change-Id: I73babb2431d4fda5aa90d9a1e230c1796449c0fc
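An added example (not the role's own tasks) contrasting the two modules on a constructed /etc/pam.d/sshd fragment. On Ubuntu the file carries two `pam_motd.so` lines, one for the dynamic MOTD and one with `noupdate`; `lineinfile` rewrites at most one matching line, while `replace` rewrites every match. The `security_disable_dynamic_motd` variable name is hypothetical.

```yaml
# Added example, not the role's own tasks.
# Constructed input, typical of Ubuntu's /etc/pam.d/sshd:
#   session    optional     pam_motd.so  motd=/run/motd.dynamic
#   session    optional     pam_motd.so noupdate
- name: Disable dynamic motd (WRONG - lineinfile only touches one occurrence)
  ansible.builtin.lineinfile:
    path: /etc/pam.d/sshd
    regexp: '^session\s+optional\s+pam_motd\.so'
    line: '# session    optional     pam_motd.so'
  when: false   # kept only to show the anti-pattern; never runs

- name: Disable dynamic motd (replace comments out every pam_motd line)
  ansible.builtin.replace:
    path: /etc/pam.d/sshd
    # Anchored at ^session so already-commented lines are not matched again,
    # which keeps the task idempotent on a second run.
    regexp: '^(session\s+optional\s+pam_motd\.so.*)$'
    replace: '# \1'
  when: security_disable_dynamic_motd | bool   # hypothetical variable

- name: Re-enable dynamic motd (uncomment every pam_motd line)
  ansible.builtin.replace:
    path: /etc/pam.d/sshd
    regexp: '^#\s*(session\s+optional\s+pam_motd\.so.*)$'
    replace: '\1'
  when: not (security_disable_dynamic_motd | bool)
```

After the `replace` task both constructed lines begin with `# session`, so pam_motd is no longer consulted at all; the backreference `\1` preserves each line's original arguments, which is what makes the uncomment task a clean inverse.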
* Update ansible-hardening from branch 'master'
to ced5df4956c90fe72635646d0fb91e36f8d061c0
- Update master for stable/2023.2
Add file to the reno documentation build to show release notes for
stable/2023.2.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.2.
Sem-Ver: feature
Change-Id: I4f820c0073b76009ddc224cf6419d8379e4bc1d7
* Update ansible-hardening from branch 'master'
to b31cd46c180bb12d7ab2dffa3486a32e8353b91c
- Disable dynamic motd message
Right now default cloud images of Ubuntu do contain a dynamic MOTD
by default, which takes around an extra 0.4 sec for establishing a connection.
Disabling the MOTD should improve responsiveness of hosts and speed up
Ansible execution as well.
With that we're keeping the static MOTD, which has no impact on connection
speed.
Change-Id: Iaf25f6f444055cefd60dd2e3b4d5579f2a6fcdb1
* Update ansible-hardening from branch 'master'
to abfa76ba93e52c97fe286253845e81f0291e9416
- Disable GSSAPIAuthentication for SSH
This implements STIG V-204598 [1] and disables
GSSAPIAuthentication that is enabled by default on EL
systems.
This also should speed up deployments on such systems, as
enabled GSSAPIAuthentication requires some time while
initiating a connection.
[1] https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2020-12-08/finding/V-204598
Change-Id: I2d92541ccfc27e91224fd481c3792993428a052e
* Update ansible-hardening from branch 'master'
to db5c6f2d66cb1c78d2bff8bd24b016be1c6e4439
- Fix linters and metadata
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with the linter rules we're applying changes to the role.
With that we also update the metadata to reflect the current state.
Change-Id: I1920cd05ac5b4d32ad12bce42d9161a568f288b6
* Update ansible-hardening from branch 'master'
to 2c7889852c7e8c6e8ecd14e4ce5304f01792cc01
- Remove warn argument for command/shell
Since ansible-core 2.14 you can't use warn as a module argument.
Instead, noqa should be used to instruct ansible-lint to
suppress alerts.
Change-Id: Ie448fa182db8c1c9f64744ea72f27f285aa64366
* Update ansible-hardening from branch 'master'
to 037e5493b6b09c08bba8e63dd162267b007d0d03
- Remove commandkey from chrony config
Since version 2.2 chrony has removed the commandkey option and
it's not a valid option for any currently supported distro.
Change-Id: I7c02cf6b7575a9ab753d85cdd6582f209f39be1b
* Update ansible-hardening from branch 'master'
to a07f0c5a9d615f04826eea37c5b87eaf0b8ad18b
- Disable UsePrivilegeSeparation directive for sshd
This was deprecated a long time ago in openssh-server 7.4 and has
been generating warnings in the log file ever since.
Change-Id: Ic3f7afadcaa875e6ce871c0ce36b4b11f10a7044
* Update ansible-hardening from branch 'master'
to e77c311442cb1d1ef8caa7df9d9c00471afa75e7
- Update tox.ini to work with 4.0
With the tox 4.0 release, some parameters were deprecated and are ignored now,
which causes tox failures. One of the most widespread issues we have is using
`whitelist_externals` instead of `allowlist_externals`.
Change-Id: I7807b7d29f4504404253f5c42b624639c8b19c97
* Update ansible-hardening from branch 'master'
to 4eeac146d186b04deb699c6d2b4c78777dda130b
- Update master for stable/zed
Add file to the reno documentation build to show release notes for
stable/zed.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.
Sem-Ver: feature
Change-Id: I664bf44a2202856a12e6484f63a0944535dc071e
* Update ansible-hardening from branch 'master'
to b709007104d8f6e77435f55d777f19438e7f32d5
- Remove shebang from get_users
A shebang is not required for modern Ansible versions, but in some cases
it might lead to incorrect behaviour by using an incorrect interpreter.
Change-Id: I11763ed4563506b7d25585f8c633df08a123e731
* Update ansible-hardening from branch 'master'
to 02edef4106227e868942c8fc32709ca5413c97a6
- Merge "Clean out SSH options we are managing"
- Clean out SSH options we are managing
With the current behaviour we duplicate SSH options and don't care if the same
thing is defined anywhere down the line.
With that change we change how options are defined: instead of the
template we use a list of mappings. With that
we can select and remove options that the playbook is supposed to manage.
With that we also keep playbook idempotency. As a side effect we still
can have options duplicated, but only if they have the exact same value.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/840353
Change-Id: I140606f7e724fbe2a4f0b03f6a0501da7bdd5964
Closes-Bug: #1958649
* Update ansible-hardening from branch 'master'
to 38909eae0e4653e0a78634a990791c4f59834b4b
- Switch sphinx language to en
With the Sphinx 5.0.0 release, they changed the default for the language variable
to 'en' from None. With that the current None value is not valid and should
not be used.
Change-Id: I159a23ae2c147f75c0944a0a5e92f1a19ba20e2b
* Update ansible-hardening from branch 'master'
to 7626153a08141913c41fd552865ba6e94f5b3852
- Merge "Refactor use of include_vars"
- Refactor use of include_vars
Use a first_found lookup instead of a with_first_found loop so that
the 'paths' parameter can be used.
This ensures that only vars from the role are included, and not vars
from a parent calling role. This can happen when a parent role has
a higher-priority vars file available for inclusion than the role
it calls.
Change-Id: I078590020a98f0b5759f3de524753e01bb9c5597
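An added example (not the role's own task) of the pattern this commit describes: a `first_found` lookup with an explicit `paths` list, so the search is pinned to the role's own `vars/` directory and a parent role's vars file of the same name can never win. It reads facts through `ansible_facts[]` rather than bare `ansible_*` variables. The candidate file names are assumptions; the role's real vars file layout is not shown on this page.

```yaml
# Added example, not the role's own task.
- name: Gather variables for the target operating system
  ansible.builtin.include_vars: "{{ lookup('first_found', _os_vars_params) }}"
  vars:
    _os_vars_params:   # hypothetical helper variable name
      # Most specific candidate first; the first file that exists wins.
      files:
        - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_version'].split('.')[0] }}.yml"
        - "{{ ansible_facts['os_family'] | lower }}.yml"
        - "default.yml"
      # Restricting `paths` to this role's vars directory is the point of the
      # change: a `with_first_found` loop has no such parameter and would also
      # search the calling role's vars/, letting a parent role's file shadow
      # this role's own.
      paths:
        - "{{ role_path }}/vars"
```

On a CentOS 8 host this resolves to `<role>/vars/centos-8.yml`, falling back to `<role>/vars/redhat.yml` and then `<role>/vars/default.yml`; if none exists the lookup fails loudly instead of silently including something from another role.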
* Update ansible-hardening from branch 'master'
to a82570f1a573e8481a7b7baf847ba1dd3d250745
- Use pipefail for shell module
It's not safe to run pipes without pipefail, but in some cases we
expect it to fail and work around this. In such cases we ignore the rule.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-tests/+/784751
Change-Id: I79a630ebe8ff54bc9f4600e1f3c0fda653cc4b71
* Update ansible-hardening from branch 'master'
to f80502a2fa3a3291032a6c9176bbf2269da3b8cb
- Update master for stable/xena
Add file to the reno documentation build to show release notes for
stable/xena.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/xena.
Sem-Ver: feature
Change-Id: I4dffba103892d243d460e120ac5262f6752b2af1
* Update ansible-hardening from branch 'master'
to 4ba0de970ab905c683fd4ea78176f22d55dc0eaf
- Merge "Explicitly create clamav socket directory"
- Explicitly create clamav socket directory
While most of our supported distributions do create the LocalSocket on their
own, it's not always the case and shouldn't be trusted that much.
Change-Id: I56851f56aa85108a4898ef99c48ac77c898ccb69
Closes-Bug: #1944564
* Update ansible-hardening from branch 'master'
to 480dd9d8662ba28b43027a0e909e859c45c5ccf0
- Remove references to unsupported operating systems
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible.
OS-specific variables files are generalised where possible.
Change-Id: Id3136a5eed068e317aa1a7b33a1149629dc76d77
* Update ansible-hardening from branch 'master'
to 6f354a7a4b1e44f5aaa0e4860896e3cb8bbb88e1
- Switch hardening to integrated tests
We aim to decrease usage of the tests repo as much as we can, so we
are switching roles to the tests completed by integrated repo.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/792639
Change-Id: Ice89ada6e009d3aaaff5fa261c7b9cf23216f159
* Update ansible-hardening from branch 'master'
to e4b55822cf1bf12f205d3b7d08dcdb634c2f505f
- Extend timeout for RPM verification
For systems with many packages deployed or heavily loaded environments,
rpm verification takes way more than 5 minutes, ending up in a
corrupted database of the rpm packages. So we set the limit to 1 hour
and extend the amount of retries to wait for the result to match the async
timeout.
Change-Id: I30d29630214914bea99fc7fd66afa3218705d733
Closes-Bug: #1921292
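An added example (not the role's own tasks) showing how an async task's `async` budget and the polling loop's `retries * delay` are kept in step, which is the relationship this commit fixes: if the poll loop gives up before the async job does, the still-running `rpm -Va` is abandoned and can leave the rpm database in a bad state. The `rpm -Va` invocation and variable names are assumptions for illustration.

```yaml
# Added example, not the role's own tasks.
- name: Verify installed RPM packages (may run for a long time on busy hosts)
  ansible.builtin.command: rpm -Va
  # One hour budget for the background job, per the commit message.
  async: 3600
  poll: 0
  register: _rpm_verify_job        # hypothetical register name
  changed_when: false
  failed_when: false               # rpm -Va exits non-zero on any mismatch

- name: Wait for RPM verification to finish
  ansible.builtin.async_status:
    jid: "{{ _rpm_verify_job.ansible_job_id }}"
  register: _rpm_verify_result
  until: _rpm_verify_result.finished
  # retries * delay must cover the async timeout above: 360 * 10 s = 3600 s.
  # A shorter loop would stop polling while the job is still running.
  retries: 360
  delay: 10

- name: Clean up the async job file
  ansible.builtin.async_status:
    jid: "{{ _rpm_verify_job.ansible_job_id }}"
    mode: cleanup
```

The important check is arithmetic, not Ansible syntax: whenever `async` is raised, `retries * delay` in the `async_status` loop must be raised with it, otherwise the poll loop fails first and the long-running verification keeps going unobserved.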
* Update ansible-hardening from branch 'master'
to c2b4675ac924b2d7bc4736779f17dc24f25cfd7d
- Merge "Use ansible_facts[] instead of fact variables"
- Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654
Change-Id: I3dc2486a0666367d673b23403f2510c94c40eaf4
* Update ansible-hardening from branch 'master'
to 087919c425655947516ce3504c1a9680c8b0423d
- Merge "Make possible to avoid aide installation"
- Make possible to avoid aide installation
This patch adds the variable `security_rhel7_enable_aide`. When it's False,
all AIDE-related tasks would be omitted.
Change-Id: I64af348d9f49922ab51d8cd348d987df4263faa1
* Update ansible-hardening from branch 'master'
to b7b945b21ed2cdf2309e40707576309f18392a49
- Exclude system directories (/sys, /proc, /dev) from the shosts file search
This halves the number of files examined by the find module on an Ubuntu
Focal system and nearly halves the runtime of the task on a Ceph-backed
VM.
Change-Id: I862351badc70fa091bebf55dd2910cccfa731ca2
* Update ansible-hardening from branch 'master'
to c6703cd5e5a61a85bd2627946b42d362314dddf0
- Fix linter errors
Work around the mutually incompatible W503 and W504.
Change-Id: I45d0ca8a911d9cf1af2df52a1cf911db817b13b3
* Update ansible-hardening from branch 'master'
- Ensure that motd is not displayed twice
motd is handled by default by the pam_motd.so module. Setting the Banner option
in sshd_config makes motd be shown twice, which is excessive.
Change-Id: I4e8bdbe8f482f61235b4b14a619e4ed91b01f2f4
* Update ansible-hardening from branch 'master'
- Cleanup ansible_python_interpreter
ansible_python_interpreter is set to auto; it's not needed anywhere now.
Change-Id: I204db302995d779d390444f3f6a865ead750fed5
* Update ansible-hardening from branch 'master'
- Use newer openstackdocstheme and reno versions
The sync from https://review.opendev.org/733244 updated to
openstackdocstheme 2.2.1 and reno 3.1.0 versions.
Set openstackdocs_pdf_link to link to PDF file. Note that
the link to the published document only works on docs.openstack.org
where the PDF file is placed in the top-level html directory. The
site-preview places the PDF in a pdf directory.
openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.
See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html
Change-Id: Id2c810e9214981f381d5a9d4f1f2e40cb63a02af
* Update ansible-hardening from branch 'master'
- Enable syncing of docs
The docs job is failing in https://review.opendev.org/671840 and thus
nothing is synced in from openstack-ansible-tests. The failure is due to
the removal of entries from doc/requirements.txt. Add those
to test-requirements.txt instead.
Change-Id: I21bcbde8acc8d4fd83b28026bcec33f388e69912
* Update ansible-hardening from branch 'master'
- Update master for stable/ussuri
Add file to the reno documentation build to show release notes for
stable/ussuri.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/ussuri.
Change-Id: I29c8a8f1df649c9e01213ff5937ea72a12b14e5d
Sem-Ver: feature
* Update ansible-hardening from branch 'master'
- Merge "Add Centos-8 support"
- Add Centos-8 support
Make hardening compatible with CentOS-8. Dependent patch [1] already
passes hardening and another one resolves the issue with installing
non-existent packages. So we should merge this one without passing
CentOS 8 tests, so as not to create a circular dependency.
[1] https://review.opendev.org/689629
Change-Id: I33160b9a6e8331d6db39824e420033c7ab06780b
* Update ansible-hardening from branch 'master'
- Update docstheme for style
New version of openstackdocstheme (Victoria+) respects pygments_style.
Since this repo is now using Victoria (master) requirements but has
not branched for Ussuri yet, it uses the new version.
Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.
Change-Id: I3fe3956b80df054c8b56761e4c009457af5c98f0
* Update ansible-hardening from branch 'master'
- Remove ⌘ symbol from docs
LaTex was failing because it isn't configured to render this symbol.
Change-Id: I77a5c7b9af578bcadc6b1027cf4d667e85f04e8b
* Update ansible-hardening from branch 'master'
- Merge "Remove CI for fedora-latest"
- Remove CI for fedora-latest
The fedora-latest build is broken on master and stable branches. OSA
does not support deployment on Fedora, so this job is removed to allow
other code to merge.
Change-Id: Iee174f76d732941ef97b75612c1420c3dee335f3
* Update ansible-hardening from branch 'master'
- Fix role to work with Jinja 2.7
By default CentOS is shipped with Jinja 2.7.2, which does not have the `in`
test. So we replace that logic with rejecting absent packages
and assume that the rest of the statuses are valid for
package installation.
Change-Id: Ibeb3aba5cccddc1af1f968c57bdc0be75e7f22d9
* Update ansible-hardening from branch 'master'
- Remove duplicated Zuul config file
All templates defined are in zuul.d/project.yaml as well, remove
.zuul.yaml since Zuul will only use the former.
Change-Id: Ib135b127add8caecdd803d92ec8ac4c776b198ec
* Update ansible-hardening from branch 'master'
- Cleanup py27 support
This repo is now testing only with Python 3, so let's make
a few cleanups:
- Remove python 2.7 stanza from setup.py
- Remove obsolete sections from setup.cfg
- Update requirements, no need for python_version anymore
- Use newer openstackdocstheme and Sphinx versions
- Cleanup */source/conf.py to remove now obsolete content.
- Remove install_command from tox.ini, the default is fine
Change-Id: Ic96b71596d4523e55fa4b451c99a8521dd581e4d