From 32ca3e6909eac7364d0af2fc4188448119b927ef Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Mon, 16 Jan 2017 11:21:39 -0600
Subject: [PATCH] Use RHEL 7 STIG content in OSA

This patch applies the RHEL 7 STIG security content from the openstack-ansible-security role to OpenStack-Ansible deployments by default.

Implements: blueprint security-rhel7-stig
Change-Id: I7981d73660adf877d91b63ca8387ec27e863c73c
---
 playbooks/inventory/group_vars/hosts.yml | 6 ++----
 .../osa-security-rhel7-content-b55ed1d1bae02295.yaml | 6 ++++++
 scripts/run-playbooks.sh | 12 +----------
 .../templates/user_variables.aio.yml.j2 | 5 +++++
 4 files changed, 14 insertions(+), 15 deletions(-)
 create mode 100644 releasenotes/notes/osa-security-rhel7-content-b55ed1d1bae02295.yaml

diff --git a/playbooks/inventory/group_vars/hosts.yml b/playbooks/inventory/group_vars/hosts.yml
index 19059a318e..f28d057008 100644
--- a/playbooks/inventory/group_vars/hosts.yml
+++ b/playbooks/inventory/group_vars/hosts.yml
@@ -21,7 +21,5 @@ security_package_state: "{{ package_state }}"
 # Disable /etc/hosts management if unbound DNS resolution containers exist
 openstack_host_manage_hosts_file: "{{ groups['unbound_all'] is not defined or groups['unbound_all'] | length < 1 }}"
 
-# Use the RHEL 6 STIG content from the security role.
-# NOTE(mhayden): Remove this variable when the RHEL 7 STIG content becomes the
-# default and tests well with the integrated repository.
-stig_version: rhel6
+# Use the RHEL 7 STIG content from the openstack-ansible-security role
+stig_version: rhel7
diff --git a/releasenotes/notes/osa-security-rhel7-content-b55ed1d1bae02295.yaml b/releasenotes/notes/osa-security-rhel7-content-b55ed1d1bae02295.yaml
new file mode 100644
index 0000000000..40d0e54a9a
--- /dev/null
+++ b/releasenotes/notes/osa-security-rhel7-content-b55ed1d1bae02295.yaml
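Review bot: The new comment above `stig_version: rhel7` states the new default but not how a deployer keeps the old one, and this line flips the hardening profile applied to every host in every deployment. Since the override mechanism already exists (the variable is plain group_vars, shadowed by user_variables.yml), the comment should name it, e.g. `# Deployers who still need the RHEL 6 STIG content can set stig_version: rhel6 in user_variables.yml` — assuming the security role still ships the rhel6 content, which this patch does not show. The removed NOTE said the switch was waiting on the RHEL 7 content testing well with the integrated repository; the patch gives no evidence that this was verified, so a sentence in the commit message or release note pointing at the passing integrated run would make the change reviewable.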
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ The openstack-ansible-security role is now configured to apply the
+ security configurations from the Red Hat Enterprise Linux 7 STIG to
+ OpenStack-Ansible deployments.
diff --git a/scripts/run-playbooks.sh b/scripts/run-playbooks.sh
index 0b4bf9790d..1bc88fcd17 100755
--- a/scripts/run-playbooks.sh
+++ b/scripts/run-playbooks.sh
@@ -95,17 +95,7 @@ function playbook_run {
 # Set the playbook log path so that we can review specific execution later.
 export ANSIBLE_LOG_PATH="${PLAYBOOK_LOGS}/${COUNTER}-${include_file_name}.txt"
 let COUNTER=COUNTER+=1
- if [[ "${DEPLOY_AIO}" = true ]] && [[ "${include_file_name}" == "security-hardening.yml" ]]; then
- # NOTE(mattt): We have to skip V-38462 as openstack-infra are now building
- # images with apt config Apt::Get::AllowUnauthenticated set
- # to true.
- # NOTE(odyssey4me): We skip V-38471 as it generates a huge amount of log
- # entries in syslog and the syslog files are gathered
- # in OpenStack-CI. ref: bug/1620849
- # NOTE(mhayden): Skipping V-38660 since it breaks the Xenial gate. The
- # CI Xenial image has non-SNMPv3 configurations.
- install_bits "${include_playbook}" --skip-tag V-38462,V-38471,V-38660
- else
+ if [[ "${DEPLOY_AIO}" = true ]]; then
 install_bits "${include_playbook}"
 fi
 # Remove the generate playbook when done with it
diff --git a/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2 b/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2
index cd70c077f5..28054061e1 100644
--- a/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2
+++ b/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2
@@ -94,3 +94,8 @@ neutron_plugin_base:
 ## Always setup tempest, the resources for it, then execute tests
 tempest_install: yes
 tempest_run: yes
+
+{% if nodepool_dir.stat.exists %}
+# Disable chronyd in OpenStack CI
+security_rhel7_enable_chrony: no
+{% endif %}
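Review bot: The rewritten condition `if [[ "${DEPLOY_AIO}" = true ]]; then` now guards the only remaining `install_bits "${include_playbook}"` call, so when DEPLOY_AIO is unset or anything but `true` the playbook is silently never run, whereas the removed `else` branch ran it unconditionally. Unless DEPLOY_AIO is guaranteed true everywhere this script is invoked, the conditional should be dropped altogether and the bare `install_bits "${include_playbook}"` kept, since the skip-tag special case it existed for is gone. The deleted skip-tags documented CI-specific conditions — apt AllowUnauthenticated images, syslog volume, non-SNMPv3 configuration — that presumably still exist on gate images, and nothing in the patch shows whether the RHEL 7 content tolerates them or whether the corresponding RHEL 7 controls need overrides in the AIO user_variables like the chrony one. playbook_run starts and ends outside this hunk.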
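Review bot: The added `# Disable chronyd in OpenStack CI` records what is switched off but not why, and because it is gated on `nodepool_dir.stat.exists` it is a CI-only deviation from the hardening default that is easy to lose track of. Put the motivation in the comment, e.g. `# Disable chronyd in OpenStack CI: nodepool images already run their own time sync and a second NTP client fights with it (confirm)` — the reason given there is my guess, not something the patch shows, so verify it before wording it as fact. It is also worth a line acknowledging that this disables a STIG time-synchronisation control precisely in the environment that exercises the role, so that control has no CI coverage.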