The 'Set fact for SNMP being installed' and 'Set fact for vsftpd being
installed' tasks rely on variables being registered by other tasks. If
those other tasks are skipped by tag, Ansible can fail with an undefined
variable error. Add the appropriate STIG ID tags to these set_fact tasks
to include them when skipping by tags.
Change-Id: If6345d7095676cc703140ab95d60a5383a5ebef0
(cherry picked from commit 209ce55e56)
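The pattern the commit above describes, as an added example rather than the role's own tasks: a check task registers a result, a set_fact turns it into a boolean, and a control task consumes it. Every link after the check carries the consuming control's STIG ID as a tag, so a tag-limited run cannot execute the consumer while skipping the set_fact it depends on. It assumes an RPM-based host and that V-38660 is the control consuming the SNMP fact; the task names, the variable names and the snmpd.conf edit are constructed for illustration.

```yaml
# Added example, not the role's own tasks. Assumes an RPM-based host and that
# V-38660 is the control consuming the SNMP fact; substitute the STIG IDs of
# the tasks that actually use each fact.
- name: Check whether net-snmp is installed
  command: rpm -q net-snmp
  register: snmp_rpm_check
  changed_when: false      # a query never changes the host
  failed_when: false       # rc != 0 simply means "not installed"
  tags:
    - always               # the check runs whatever tags are selected

# A run limited with --tags selects only tasks carrying one of those tags.
# If this set_fact carried no STIG tag, `--tags V-38660` would skip it and the
# consumer below would fail with an undefined `snmp_installed`.
- name: Set fact for SNMP being installed
  set_fact:
    snmp_installed: "{{ snmp_rpm_check.rc == 0 }}"
  tags:
    - V-38660

# Constructed consumer of the fact (a handler restarting snmpd is omitted here).
- name: Remove SNMP v1/v2c community strings (V-38660)
  lineinfile:
    dest: /etc/snmp/snmpd.conf
    regexp: '^(ro|rw)community'
    state: absent
  when: snmp_installed | bool
  tags:
    - V-38660
```

Running `ansible-playbook site.yml --tags V-38660` executes all three tasks; `--tags V-38574` runs only the `always`-tagged check, so nothing downstream references a fact that was never set. A set_fact that feeds several controls lists each of their IDs under `tags`.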
This will fix the following issues when using the centos/7 box for role testing:
* TASK [../../../openstack-ansible-security : V-38476 ...
  fatal: [centos7]: FAILED! => {"changed": false, "failed": true, "msg": "Missing CentOS 7 GPG keys"}
  The required gpg-pubkey packages are created after the import of the provided signing keys
  in /etc/pki/rpm-gpg.
* TASK [../../../openstack-ansible-security : V-38574 ...
  fatal: [centos7]: FAILED! => {"changed": false, "failed": true, "msg": "Must use SHA512 for password hashing (via PAM)"}
  sha512 instead of md5 has to be used in /etc/pam.d/password-auth
* TASK [../../../openstack-ansible-security : Check password hashing algorithm used in login.defs (for V-38576)] ***
  fatal: [centos7]: FAILED! => {"changed": true, "cmd": "grep '^ENCRYPT_METHOD.*SHA512' /etc/login.defs", ...
  sha512 instead of md5 has to be used in /etc/login.defs
Change-Id: Ia40119dbf933b8102001cfe914312b17632bcf65
Co-authored-by: David Rabel <rabel@b1-systems.de>
It is not possible to restart auditd with systemctl. Using the service
interface is required. There are chef cookbooks[1] with the same
workaround.
This patch also includes a `cache_valid_time` addition to test.yml to
unblock the gate.
[1] https://github.com/chef-cookbooks/auditd/pull/22/files
Closes-Bug: #1662622
Change-Id: I1aa3faf88f5953c230693600fcbcb786d49a35e0
(cherry picked from commit 23af709fff)
On CentOS the chrony.conf is in /etc/. Adding a var to define it.
Depends-On: I1aa3faf88f5953c230693600fcbcb786d49a35e0
Change-Id: Id6afe700f0d908396b4441e6c92dc79e29b228bf
The auditd daemon now resets file permissions on its log directory each
time it restarts and that breaks the idempotence tests. That task now
has "changed_when: False".
These patches should unblock the security role gate.
[0] https://bugzilla.redhat.com/show_bug.cgi?id=1293713
Change-Id: I80b66a6d9e7c8ad97761a1f890ec6a3d2db88659
Partial-Bug: #1662622
This patch addresses two issues that are blocking the security role
CI jobs from completing:
The OpenStack CI image is missing the default audit.rules file and this
causes augenrules to fail when it loads new rules. The first line in
the default rules file deletes existing rules and this must be in
place before loading new rulesets. The contents of the default file
are now in the template file, which is safer anyway. The default
file provided by the OS is removed.
The task that updates the apt cache in test.yml was running more than
once during the CI job run when the gate ran slowly. That's fine, but
it breaks the idempotence checks. A `changed_when` is added to the task
to ensure that the idempotence tests aren't affected by an apt cache
update.
Change-Id: I48be02df02b8a2a401bfd96e16ea0329632d9381
Partial-Bug: #1662622
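The auditd and idempotence points from the commits above (restarting auditd through the service interface rather than systemctl, a rules file that begins by deleting the loaded rules before augenrules loads the new set, and `changed_when: false` on tasks whose change status carries no information), collected into one added example playbook. It is not the role's own code: the paths follow Ubuntu's auditd package layout, and the rules file name, the rule lines, the directory mode and the auditd.conf setting are constructed for illustration.

```yaml
# Added example, not the role's own playbook. Paths follow Ubuntu's auditd
# package (rules.d under /etc/audit); the rules file name, the rule lines and
# the auditd.conf setting are constructed for illustration.
- hosts: all
  become: yes
  tasks:
    # apt may legitimately refresh more than once during a slow run. That is
    # not a configuration change, so it must not trip the idempotence check.
    - name: Update apt cache
      apt:
        update_cache: yes
        cache_valid_time: 600
      changed_when: false

    # augenrules concatenates /etc/audit/rules.d/*.rules. The combined file
    # must start by deleting the loaded rules (-D); if that line is missing
    # (the CI image had no default rules file) loading a new set fails.
    # Carrying the line in the role's own file makes the ordering explicit.
    - name: Deploy audit rules
      copy:
        dest: /etc/audit/rules.d/osas-auditd.rules   # assumed file name
        content: |
          ## Delete all currently loaded rules before loading the ones below
          -D
          ## Kernel backlog for audit events
          -b 8192
          ## On failure, log with printk rather than panic
          -f 1
          ## Constructed example rules
          -w /etc/passwd -p wa -k identity
          -w /etc/sudoers -p wa -k actions
        owner: root
        group: root
        mode: '0640'
      notify: load audit rules

    # The distribution's default rules file is superseded by the one above;
    # leaving it in place would put a second rule set into the concatenation.
    - name: Remove the distribution default audit rules file
      file:
        path: /etc/audit/rules.d/audit.rules
        state: absent
      notify: load audit rules

    # auditd resets the permissions on its log directory every time it
    # restarts, so this task would report "changed" on every run. Mask it
    # so the idempotence test sees only real changes.
    - name: Ensure the auditd log directory is root-owned and not world readable
      file:
        path: /var/log/audit
        owner: root
        group: root
        mode: '0750'
        state: directory
      changed_when: false

    # Constructed auditd.conf change so that the restart handler fires.
    - name: Set space_left_action in auditd.conf
      lineinfile:
        dest: /etc/audit/auditd.conf
        regexp: '^space_left_action'
        line: 'space_left_action = email'
      notify: restart auditd

  handlers:
    - name: load audit rules
      command: augenrules --load

    # `systemctl restart auditd` is refused on systemd hosts (the unit is marked
    # RefuseManualStop) and Ansible's service module would use systemctl there,
    # so call the service wrapper, which still knows how to restart auditd.
    - name: restart auditd
      command: service auditd restart
```

Run the play twice: the second run must report `changed=0`. Anything that still flips is either a task that genuinely is not idempotent or one whose harmless churn (like the apt refresh or the log directory permissions) needs a `changed_when` of its own.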
Using 'bindaddress' in the /etc/chrony/chrony.conf disables both
client and server ntp functionality as it cannot get the ntp
responses from peer servers. The default install will leave the
servers unsynced with an ntp source causing them to skew over
time and eventually break services that rely on synced time.
Setting 'port 0' will disable the server functionality. Using
'bindcmdaddress' will still keep chronyc<->chronyd communications over
localhost only. This should allow client functionality and
disable server functionality.
Change-Id: Ie9b6e73333d9469a17e4cee06f21aa99b2b3df7e
Closes-Bug: #1656086
(cherry picked from commit 4cb2fa4eaa)
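The weak setting and the corrected one from the commit above, side by side in a chrony.conf written by an added example task (not the role's own template). The server pool, the service name, the variable `security_chrony_conf` and the verification step are assumptions; on CentOS the file is /etc/chrony.conf and the service is `chronyd`.

```yaml
# Added example, not the role's own template. The NTP pool, the service
# name and the variable name are assumptions.
- hosts: all
  become: yes
  vars:
    security_chrony_conf: /etc/chrony/chrony.conf   # /etc/chrony.conf on CentOS
    security_chrony_service: chrony                 # chronyd on CentOS
  tasks:
    - name: Write a client-only chrony configuration
      copy:
        dest: "{{ security_chrony_conf }}"
        owner: root
        group: root
        mode: '0644'
        content: |
          # Upstream sources (constructed; use the deployment's own NTP servers)
          server 0.pool.ntp.org iburst
          server 1.pool.ntp.org iburst
          driftfile /var/lib/chrony/drift
          makestep 1.0 3

          # WRONG: binding the NTP socket to loopback also stops chronyd from
          # receiving the replies from the servers above, so the clock never syncs.
          #   bindaddress 127.0.0.1

          # Correct: port 0 stops chronyd answering NTP requests from other hosts
          # while the client side keeps working ...
          port 0
          # ... and bindcmdaddress confines the chronyc control channel to localhost.
          bindcmdaddress 127.0.0.1
          bindcmdaddress ::1
      notify: restart chrony

    # Confirms the client side still works: after a restart chronyd should
    # report a reference source rather than "Not synchronised".
    - name: Report chrony tracking state
      command: chronyc tracking
      register: chrony_tracking
      changed_when: false

  handlers:
    - name: restart chrony
      service:
        name: "{{ security_chrony_service }}"
        state: restarted
```

After the handler runs, `chronyc sources` should list the configured servers with a reachability value climbing towards 377, and `ss -lun` should show no listener on UDP 123, which is the observable difference between the `bindaddress` and `port 0` approaches.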
This patch skips the `find` task that searches for unlabeled content on
systems with SELinux disabled. This fails because labels aren't loaded at that
time.
Manual partial backport from I7d30a07bd7e8a4461846660c281b9e53b0783461.
Change-Id: I85d02d6a20c98f1a3d507d9957b9f4d9438412a9
Closes-bug: 1649617
The security role gate is broken because the lxml module cannot
be built without `xslt-config`.
Change-Id: I008f7388762d326bec7cb60526f03e68823330c4
(cherry picked from commit ce386ec8c3)
This patch fixes the gate blocker for CentOS 7 in the Newton branch.
The grep for `rpmverify` needed an update to exclude `/var` and
`/etc`. Files in both directories are updated in the security role.
Also, the `yum-cron` packaging bug affects the Newton branch as well.
The workaround from master (I80b66a6d9e7c8ad97761a1f890ec6a3d2db88659)
is backported to Newton.
Change-Id: I9b0f77eceb32d18a0d07f53ff1dbac2117b29da4
This patch is a backport of the package installation/removal work
done in the ocata branch. It is a manual backport of:
I1def033953b50be3911cd932fd17b10dd2c658b7
Change-Id: I6c74e45f6e8d3b344508c87d20f4cf4250f713a9
The OpenStack CI runs ntpd in the gate images and this causes chrony
to fail on startup. This patch skips V-38620 so that chrony won't
cause gate failures.
Closes-Bug: 1629936
Change-Id: I0c67241c0725621715877e728a6c6c17d771a596
(cherry picked from commit 401ccd7d97)
This patch consumes the test scripts implemented by
https://review.openstack.org/375061 to ensure that
the tests and test preparation are consistent and
more maintainable.
Change-Id: I2c26eb12711128082a7136ab962f8239b59124b4
(cherry picked from commit ec1b42a2f9)
This patch adds a workaround for the pickling error that occasionally
causes security role docs builds to fail, which certainly gets us in
a pickle from time to time.
The upstream bug is: sphinx-doc/sphinx#2324
Closes-Bug: 1627732
Change-Id: Iefbb9c920936634d276053d24bc225b2dec44362
Ansible 2.1.1 introduces a regression in the way conditional
includes are handled which results in every task in the
included file being evaluated even if the condition for the
include is not met. This extends the run time significantly
for a deployment.
This patch forces all conditional includes to be dynamic.
Change-Id: I638b9e20176e0205a378704150e88d098b925c83
Related-Bug: https://github.com/ansible/ansible/issues/17687
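What "forcing a conditional include to be dynamic" looks like in Ansible 2.1 task syntax, as an added example (not the role's own playbook); the included file names and the variable are assumptions.

```yaml
# Added example, not the role's own playbook. File names and the variable
# `security_audit_enabled` are assumptions.
- hosts: all
  tasks:
    # Ansible 2.1.x: without `static: no`, a conditional include is resolved
    # statically at parse time and the `when` is copied onto every task in the
    # file, so all of them are still evaluated (and skipped one at a time),
    # which is the slowdown the commit describes. With `static: no` the include
    # is decided at run time and the whole file is skipped in one step.
    - include: auditd.yml
      when: security_audit_enabled | bool
      static: no

    - include: rhel7_stig.yml
      when: ansible_os_family == 'RedHat'
      static: no
```

On Ansible 2.4 and later the same distinction is spelled out by the module name instead: `include_tasks` is always dynamic and `import_tasks` always static, and the `static:` keyword on `include` was deprecated in 2.4 and later removed.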
This patch cleans up various parts of the security role docs:
* Updates README files
* Uses jinja2 includes rather than sphinx includes (faster builds)
* Adds sphinx refs for each STIG control and implementation status
* Adds ToCs to pages that didn't have them
* Updates the getting started and special notes guides
* Makes deviations more clear
Change-Id: I1eed2705c64a857bd94577dbe735f2516ca87732
This patch adds the right tags to each piece of metadata and corrects
small errors found in the deployer notes.
Closes-bug: 1595669
Change-Id: Ic04aaad85ebf111be5a0bdb01a350442fdea1433
With the upcoming changes to rebase onto the RHEL 7 STIG controls,
there needs to be a new solution for documentation that is easier
to manage and filter. This patch automates the generation of the STIG
control documentation in the following way:
* A Sphinx extension runs early in the doc build process that writes
all of the individual STIG control docs as well as ToC pages.
* ToC pages are now sorted by severity, tag, and implementation status.
* A giant listing of controls is easier to navigate now.
* Docs are generated from metadata in the /doc/metadata directory. New
documentation only needs to be added there. (Will explain this in
the developer notes in a subsequent patch.)
Implements: blueprint security-rhel7-stig
Change-Id: I455af1121049f52193e98e2c9cb1ba5d4c292386
To avoid executing an alias and therefore get the default behavior
from gzip, executing gzip with `command` is better than using `which`.
Change-Id: I376af163a0b7c7aec3ba5d323d3f9c4128b55735
OpenStack-CI facilitates the ability to view compressed
files on the log server if they have the suffix .txt.gz.
This patch ensures that all collected log files are renamed
to have a .txt suffix before compressing them.
The following changes are also made:
- The bindep file is also cleaned up a little to reduce
unnecessary duplication.
- PYTHONUNBUFFERED is set to ensure that the console log
from the CI jobs is in the exact order of execution.
Change-Id: I89f5734275dc2789f44b5bd9c0b45dc34c4a7a50
This patch disables all of the discretionary access control (DAC)
auditing in auditd. This should reduce the volume of logs created
during deployments and during OpenStack CI jobs.
The patch also corrects an incorrect key in the audit logs for
V-38568.
Closes-Bug: 1620849
Change-Id: I193f739647cfb7d0ce395984b51867bf6bd46cd8
This change enables log collection within the gate so that further
analysis on gate tasks can be performed post build. This is very
useful when debugging problems and also for investigating the
consequences of patches once they've been tested.
Related-Bug: #1620849
Change-Id: I2bb923ebcd73114c1199b14f9b769435596091eb
This patch adds a task and handlers for enabling the audit daemon
during the boot sequence to comply with V-38438. Deployers have
the option to opt-out of the entire change, or they can apply the
change without updating the active grub.cfg file.
Change-Id: Ia8702b8439a5993516397363b21356f1216be403
This patch disables martian packet logging and updates the
documentation to reflect the new default. A release note
is also included to make deployers aware of the change.
Closes-bug: 1619039
Change-Id: I4b19aa1200298a92c85824e319bb919260e5a6d0
This change enables log collection within the gate so that further analysis
on gate tasks can be performed post build. This is very useful when
debugging problems.
Change-Id: I41e70d0f6a0e5fed78e0a5462ee4d1730c94ec21
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>