[openstack-dev] [openstack-ansible][security] Adding RHEL 7 STIG to openstack-ansible-security
major.hayden at rackspace.com
Thu Aug 4 17:45:09 UTC 2016
The existing openstack-ansible-security role uses security configurations from the Security Technical Implementation Guide (STIG) and the new Red Hat Enterprise Linux 7 STIG is due out soon. The role is currently based on the RHEL 6 STIG, and although this works quite well for Ubuntu 14.04, the RHEL 7 STIG has plenty of improvements that work better with Ubuntu 16.04, CentOS 7 and RHEL 7.
I'd like to make the following changes around which STIG is applied to each OS:
* RHEL 6 STIG
- Ubuntu 14.04
* RHEL 7 STIG
- Ubuntu 16.04
- CentOS 7
- RHEL 7
There are a few challenges to rebasing the role on the RHEL 7 STIG:
* All of the configurations have been renumbered in the new STIG
* Many of the new configurations have no overlap with the RHEL 6 STIG
* Users of the role on CentOS 7 / Ubuntu 16.04 will have different configurations applied than they did previously
* The Newton deadline is rapidly approaching
I have a couple of ideas on how to implement this:
Idea #1: Update what exists today
This would keep the same role structure as it stands right now and it would intermingle RHEL 6/7 STIGs in the same tasks. Some tasks are identical between both STIGs, but some are different. It's nice because it's less of an overall change, but it could get messy with lots of 'when' statements all over the place.
Idea #2: Put a fork in the road
This would involve restructuring the role so that there's a big fork in main.yml. The structure might look something like this:
Note that the 'rhel6' directory would contain RHEL 6 STIG content for Ubuntu 14.04 while the 'rhel7' directory would contain RHEL 7 content for Ubuntu 16.04, CentOS 7 and RHEL 7. The root 'main.yml' would have an include line that would check the OS and include the correct main.yml from the 'rhel6' or 'rhel7' directory.
This would involve more changes, and possibly a little bit of repeated tasks between the two STIGs. However, it should be cleaner and easier to maintain. When support for Ubuntu 14.04 needs to be removed, the 'rhel6' directory could be dropped entirely.
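As an added illustration of the root main.yml that Idea #2 describes (this is not the openstack-ansible-security role's own code), the following tasks map each OS to a STIG directory and include the matching main.yml. It assumes the 'rhel6' and 'rhel7' directory names from the proposal, Ansible's standard distribution facts, and Ansible 2.4+ for include_tasks (older releases used 'include' with a 'when' condition).

```yaml
# tasks/main.yml -- added example of the "fork in the road" layout.
# Assumes Ansible 2.4+ (include_tasks) and the rhel6/rhel7 directory
# names from the proposal; not the role's actual code.
- name: Ubuntu 14.04 keeps the RHEL 6 STIG content
  set_fact:
    stig_version: rhel6
  when:
    - ansible_distribution == 'Ubuntu'
    - ansible_distribution_version == '14.04'

- name: Ubuntu 16.04, CentOS 7 and RHEL 7 get the RHEL 7 STIG content
  set_fact:
    stig_version: rhel7
  when: >-
    (ansible_distribution == 'Ubuntu' and ansible_distribution_version == '16.04')
    or (ansible_distribution in ['CentOS', 'RedHat']
        and ansible_distribution_major_version == '7')

# Fail loudly rather than silently applying no hardening to an OS that
# neither STIG mapping covers.
- name: Refuse to run on an operating system with no STIG mapping
  fail:
    msg: "No STIG mapping for {{ ansible_distribution }} {{ ansible_distribution_version }}"
  when: stig_version is not defined

# The selected directory holds that STIG's own main.yml and task files,
# so the two STIGs never share 'when' clauses inside a single task.
- name: Include the task tree for the selected STIG
  include_tasks: "{{ stig_version }}/main.yml"
```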
I'd really like to hear feedback from users, especially those who use this role on a regular basis. Here are my questions:
1) Which plan makes the most sense?
2) Is there another idea that makes more sense than these two?
Thanks in advance for your help! I plan to put a spec together once I get some feedback.