Initial Fedora 25 support

This patch adds the initial support for Fedora 25 in the security
role. A non-voting gate job is proposed in the following review:

  https://review.openstack.org/#/c/467297/

Docs and general cleanup for Fedora/Debian support is coming soon.

Change-Id: Ia6c551d2f33255f7f71f7ba9bb328fc8f17f61e0
Major Hayden 2017-05-24 07:18:19 -05:00
parent ff4e1df690
commit 97186f8339
7 changed files with 75 additions and 18 deletions


@ -10,7 +10,7 @@
# will fall back to installing its default packages which # will fall back to installing its default packages which
# will potentially be detrimental to the tests executed. # will potentially be detrimental to the tests executed.
# Base requirements for Ubuntu # Base requirements for Ubuntu and Debian
build-essential [platform:dpkg] build-essential [platform:dpkg]
git-core [platform:dpkg] git-core [platform:dpkg]
libssl-dev [platform:dpkg] libssl-dev [platform:dpkg]
@ -20,7 +20,8 @@ python2.7 [platform:dpkg]
python-dev [platform:dpkg] python-dev [platform:dpkg]
python-apt [platform:dpkg] python-apt [platform:dpkg]
# Base requirements for CentOS # Base requirements for CentOS and Fedora
redhat-rpm-config [platform:rpm]
gcc [platform:rpm] gcc [platform:rpm]
gcc-c++ [platform:rpm] gcc-c++ [platform:rpm]
git [platform:rpm] git [platform:rpm]
@ -38,7 +39,11 @@ libselinux-python [platform:rpm]
python-pyasn1 [platform:dpkg] python-pyasn1 [platform:dpkg]
python-openssl [platform:dpkg] python-openssl [platform:dpkg]
python2-pyasn1 [platform:rpm] python2-pyasn1 [platform:rpm]
python2-pyOpenSSL [platform:rpm] python2-pyOpenSSL [platform:centos]
pyOpenSSL [platform:fedora]
# Other Ansible requirements
python2-dnf [platform:fedora]
# Required for compressing collected log files in CI # Required for compressing collected log files in CI
gzip gzip


@ -26,10 +26,14 @@ fi
# Install bindep and tox with pip. # Install bindep and tox with pip.
sudo pip install bindep tox sudo pip install bindep tox
## Bindep pre-requisites
# Fedora requires the redhat-lsb-core package.
# CentOS 7 requires two additional packages: # CentOS 7 requires two additional packages:
# redhat-lsb-core - for bindep profile support # redhat-lsb-core - for bindep profile support
# epel-release - required to install python-ndg_httpsclient/python2-pyasn1 # epel-release - required to install python-ndg_httpsclient/python2-pyasn1
if which yum; then if [ -e /etc/fedora-release ]; then
sudo dnf -y install redhat-lsb-core
elif [ -e /etc/centos-release ]; then
sudo yum -y install redhat-lsb-core epel-release sudo yum -y install redhat-lsb-core epel-release
fi fi
@ -44,7 +48,11 @@ if which apt-get; then
DEBIAN_FRONTEND=noninteractive \ DEBIAN_FRONTEND=noninteractive \
sudo apt-get -q --option "Dpkg::Options::=--force-confold" \ sudo apt-get -q --option "Dpkg::Options::=--force-confold" \
--assume-yes install $BINDEP_PKGS --assume-yes install $BINDEP_PKGS
elif which yum; then elif [ -e /etc/fedora-release ]; then
if [[ ${#BINDEP_PKGS} > 0 ]]; then
sudo dnf install -y $BINDEP_PKGS
fi
elif [ -e /etc/centos-release]; then
# Don't run yum with an empty list of packages. # Don't run yum with an empty list of packages.
# It will fail and cause the script to exit with an error. # It will fail and cause the script to exit with an error.
if [[ ${#BINDEP_PKGS} > 0 ]]; then if [[ ${#BINDEP_PKGS} > 0 ]]; then
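Review bot: The new `elif [ -e /etc/centos-release]; then` is missing the space before `]`, so `[` receives `/etc/centos-release]` as its single operand, reports a missing `]` and returns non-zero — the CentOS branch can never be taken; it should read `elif [ -e /etc/centos-release ]; then`. The `which yum` test it replaces also matched RHEL hosts, which carry neither release file and now fall through this chain silently; if that is intended for CI a one-line comment saying so would help. The Fedora branch repeats the string comparison `[[ ${#BINDEP_PKGS} > 0 ]]`; `-gt` is the arithmetic operator, although the lexicographic compare against `0` happens to give the right answer for a non-negative length. The enclosing if/elif chain starts and ends outside this hunk.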

1
tasks/rhel7stig/dnf.yml Symbolic link

@ -0,0 +1 @@
yum.yml


@ -62,11 +62,7 @@
# Package managers are managed first since the changes in these tasks will # Package managers are managed first since the changes in these tasks will
# affect the remainder of the tasks in the role. # affect the remainder of the tasks in the role.
- include: apt.yml - include: "{{ ansible_pkg_mgr }}.yml"
when: ansible_os_family | lower == 'debian'
- include: rpm.yml
when: ansible_os_family | lower == 'redhat'
# The bulk of the security changes are applied in these tasks. The tasks in # The bulk of the security changes are applied in these tasks. The tasks in
# each file are tagged with the same name (for example, tasks in `auth.yml` # each file are tagged with the same name (for example, tasks in `auth.yml`
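Review bot: `- include: "{{ ansible_pkg_mgr }}.yml"` drops the `ansible_os_family` guards that sat on the two includes it replaces, so a host whose package manager is anything other than apt, yum or dnf now fails with a missing-file error at include time instead of being skipped. If those three are the supported set, making that explicit — `when: ansible_pkg_mgr in ['apt', 'yum', 'dnf']` on the include, or a preceding `fail` task naming the supported managers — gives a clearer failure than a file-not-found. The new `tasks/rhel7stig/dnf.yml` symlink resolves to `yum.yml`, so dnf hosts execute whatever that file contains; anything yum-specific in it (not visible in this diff) would need to be package-manager neutral.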


@ -36,7 +36,7 @@
- name: V-71987 - Clean requirements/dependencies when removing packages (rpm) - name: V-71987 - Clean requirements/dependencies when removing packages (rpm)
lineinfile: lineinfile:
dest: /etc/yum.conf dest: "{{ pkg_mgr_config }}"
regexp: "^(#)?clean_requirements_on_remove" regexp: "^(#)?clean_requirements_on_remove"
line: "clean_requirements_on_remove=1" line: "clean_requirements_on_remove=1"
state: present state: present
@ -68,10 +68,13 @@
path: /etc/yum/yum-cron.conf path: /etc/yum/yum-cron.conf
check_mode: no check_mode: no
register: yum_cron_config_check register: yum_cron_config_check
when:
- ansible_os_family | lower == 'redhat'
- ansible_pkg_mgr == 'yum'
tags: tags:
- always - always
- name: V-71999 - System security patches and updates must be installed and up to date. (yum) - name: Enable automatic package updates (yum)
lineinfile: lineinfile:
dest: /etc/yum/yum-cron.conf dest: /etc/yum/yum-cron.conf
regexp: "^apply_updates" regexp: "^apply_updates"
@ -79,6 +82,7 @@
state: present state: present
when: when:
- ansible_os_family | lower == 'redhat' - ansible_os_family | lower == 'redhat'
- ansible_pkg_mgr == 'yum'
- yum_cron_config_check.stat.exists | bool - yum_cron_config_check.stat.exists | bool
- security_rhel7_automatic_package_updates | bool - security_rhel7_automatic_package_updates | bool
tags: tags:
@ -86,7 +90,49 @@
- medium - medium
- V-71999 - V-71999
- name: V-71999 - System security patches and updates must be installed and up to date. (apt) - name: Check if /etc/dnf/automatic.conf exists
stat:
path: /etc/dnf/automatic.conf
check_mode: no
register: dnf_automatic_config_check
when:
- ansible_os_family | lower == 'redhat'
- ansible_pkg_mgr == 'dnf'
tags:
- always
- name: Enable automatic package updates (dnf)
lineinfile:
dest: /etc/dnf/automatic.conf
regexp: "^apply_updates"
line: "apply_updates = yes"
state: present
when:
- ansible_os_family | lower == 'redhat'
- ansible_pkg_mgr == 'dnf'
- dnf_automatic_config_check.stat.exists | bool
- security_rhel7_automatic_package_updates | bool
tags:
- packages
- medium
- V-71999
- name: Enable dnf-automatic timer for automatic package updates
systemd:
name: dnf-automatic.timer
enabled: yes
state: started
when:
- ansible_os_family | lower == 'redhat'
- ansible_pkg_mgr == 'dnf'
- dnf_automatic_config_check.stat.exists | bool
- security_rhel7_automatic_package_updates | bool
tags:
- packages
- medium
- V-71999
- name: Enable automatic package updates (apt)
copy: copy:
src: 20auto-upgrades src: 20auto-upgrades
dest: /etc/apt/apt.conf.d/20auto-upgrades dest: /etc/apt/apt.conf.d/20auto-upgrades
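Review bot: "Enable automatic package updates (dnf)" edits `/etc/dnf/automatic.conf` with `lineinfile` and `regexp: "^apply_updates"`, but that file is an INI file with several sections; if the shipped copy has the key commented out or absent, the line is appended at the end of the file, into whatever section is last, where dnf-automatic will not read it. The `ini_file` module (`section: commands`, `option: apply_updates`, `value: "yes"`) places the setting deterministically, and the same consideration applies to the pre-existing yum-cron task above it. `enabled: yes` on the `dnf-automatic.timer` task is a YAML 1.1 truthy value; `enabled: true` avoids the ambiguity. The renamed tasks lose the STIG identifier from their `name:` while keeping it only in `tags:`, which makes `--list-tasks` output harder to map back to V-71999.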


@ -58,7 +58,7 @@
- name: V-71977 - Require digital signatures for all packages - name: V-71977 - Require digital signatures for all packages
lineinfile: lineinfile:
dest: /etc/yum.conf dest: "{{ pkg_mgr_config }}"
regexp: "{{ item.regexp }}" regexp: "{{ item.regexp }}"
line: "{{ item.line }}" line: "{{ item.line }}"
state: present state: present


@ -13,9 +13,9 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
## Variables for CentOS 7 and Red Hat Enterprise Linux 7 ## Variables for CentOS 7, Red Hat Enterprise Linux 7 and Fedora 25.
# The following variables apply only to CentOS 7 and Red Hat Enterprise Linux 7 # The following variables apply only to CentOS 7, Red Hat Enterprise Linux 7
# and deployers should not override them. # and Fedora 25. Deployers should not override these.
# #
# For more details, see 'vars/main.yml'. # For more details, see 'vars/main.yml'.
@ -31,6 +31,7 @@ aide_cron_job_path: /etc/cron.d/aide
aide_database_file: /var/lib/aide/aide.db.gz aide_database_file: /var/lib/aide/aide.db.gz
chrony_conf_file: /etc/chrony.conf chrony_conf_file: /etc/chrony.conf
daemon_init_params_file: /etc/init.d/functions daemon_init_params_file: /etc/init.d/functions
pkg_mgr_config: "{{ (ansible_pkg_mgr == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}"
# Service names # Service names
cron_service: crond cron_service: crond
@ -144,7 +145,7 @@ stig_packages_rhel7:
state: "{{ security_package_state }}" state: "{{ security_package_state }}"
enabled: "{{ security_enable_firewalld }}" enabled: "{{ security_enable_firewalld }}"
- packages: - packages:
- yum-cron - "{{ (ansible_pkg_mgr == 'yum') | ternary('yum-cron', 'dnf-automatic') }}"
state: "{{ security_package_state }}" state: "{{ security_package_state }}"
enabled: "{{ security_rhel7_automatic_package_updates }}" enabled: "{{ security_rhel7_automatic_package_updates }}"
- packages: - packages: