Use RHEL 7 STIG content in OSA

This patch applies the RHEL 7 STIG security content from the openstack-ansible-security role to OpenStack-Ansible deployments by default. Implements: blueprint security-rhel7-stig Change-Id: I7981d73660adf877d91b63ca8387ec27e863c73c
2017-01-16 11:21:39 -06:00 · 2017-01-16 11:21:39 -06:00 · 32ca3e6909
commit 32ca3e6909
parent 7cc13fd1c9
4 changed files with 14 additions and 15 deletions
--- a/playbooks/inventory/group_vars/hosts.yml
+++ b/playbooks/inventory/group_vars/hosts.yml
@ -21,7 +21,5 @@ security_package_state: "{{ package_state }}"
 # Disable /etc/hosts management if unbound DNS resolution containers exist
 openstack_host_manage_hosts_file: "{{ groups['unbound_all'] is not defined or groups['unbound_all'] | length < 1 }}"

-# Use the RHEL 6 STIG content from the security role.
-# NOTE(mhayden): Remove this variable when the RHEL 7 STIG content becomes the
-# default and tests well with the integrated repository.
-stig_version: rhel6
+# Use the RHEL 7 STIG content from the openstack-ansible-security role
+stig_version: rhel7
--- a/releasenotes/notes/osa-security-rhel7-content-b55ed1d1bae02295.yaml
+++ b/releasenotes/notes/osa-security-rhel7-content-b55ed1d1bae02295.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    The openstack-ansible-security role is now configured to apply the
+    security configurations from the Red Hat Enterprise Linux 7 STIG to
+    OpenStack-Ansible deployments.
--- a/scripts/run-playbooks.sh
+++ b/scripts/run-playbooks.sh
@ -95,17 +95,7 @@ function playbook_run {
      # Set the playbook log path so that we can review specific execution later.
      export ANSIBLE_LOG_PATH="${PLAYBOOK_LOGS}/${COUNTER}-${include_file_name}.txt"
      let COUNTER=COUNTER+=1
-      if [[ "${DEPLOY_AIO}" = true ]] && [[ "${include_file_name}" == "security-hardening.yml" ]]; then
-        # NOTE(mattt): We have to skip V-38462 as openstack-infra are now building
-        #              images with apt config Apt::Get::AllowUnauthenticated set
-        #              to true.
-        # NOTE(odyssey4me): We skip V-38471 as it generates a huge amount of log
-        #                   entries in syslog and the syslog files are gathered
-        #                   in OpenStack-CI. ref: bug/1620849
-        # NOTE(mhayden): Skipping V-38660 since it breaks the Xenial gate. The
-        #                CI Xenial image has non-SNMPv3 configurations.
-        install_bits "${include_playbook}" --skip-tag V-38462,V-38471,V-38660
-      else
+      if [[ "${DEPLOY_AIO}" = true ]]; then
        install_bits "${include_playbook}"
      fi
      # Remove the generate playbook when done with it
--- a/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2
+++ b/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2
@ -94,3 +94,8 @@ neutron_plugin_base:
 ## Always setup tempest, the resources for it, then execute tests
 tempest_install: yes
 tempest_run: yes
+
+{% if nodepool_dir.stat.exists %}
+# Disable chronyd in OpenStack CI
+security_rhel7_enable_chrony: no
+{% endif %}