[openstack-dev] [openstack-ansible][security] Adding RHEL 7 STIG to openstack-ansible-security

Major Hayden major.hayden at rackspace.com
Thu Aug 4 17:45:09 UTC 2016



Hey there,

The existing openstack-ansible-security role uses security configurations from the Security Technical Implementation Guide (STIG) and the new Red Hat Enterprise Linux 7 STIG is due out soon.  The role is currently based on the RHEL 6 STIG, and although this works quite well for Ubuntu 14.04, the RHEL 7 STIG has plenty of improvements that work better with Ubuntu 16.04, CentOS 7 and RHEL 7.

I'd like to make the following changes around which STIG is applied to each OS:

  * RHEL 6 STIG
    - Ubuntu 14.04
  * RHEL 7 STIG
    - Ubuntu 16.04
    - CentOS 7
    - RHEL 7

Challenges
----------

There are a few challenges to rebasing the role on the RHEL 7 STIG:

  * All of the configurations have been renumbered in the new STIG
  * Many of the new configurations have no overlap with the RHEL 6 STIG
  * Users of the role on CentOS 7 / Ubuntu 16.04 will have different configurations applied than they did previously
  * The Newton deadline is rapidly approaching

I have a couple of ideas on how to implement this:

Idea #1: Update what exists today
---------------------------------
This would keep the same role structure as it stands right now and it would intermingle RHEL 6/7 STIGs in the same tasks.  Some tasks are identical between both STIGs, but some are different.  It's nice because it's less of an overall change, but it could get messy with lots of 'when' statements all over the place.

Idea #2: Put a fork in the road
-------------------------------
This would involve restructuring the role so that there's a big fork in main.yml. The structure might look something like this:

  /main.yml
  /rhel6/main.yml
  /rhel6/auth.yml
  /rhel6/audit.yml
  /rhel6/...
  /rhel7/main.yml
  /rhel7/auth.yml
  /rhel7/audit.yml

Note that the 'rhel6' directory would contain RHEL 6 STIG content for Ubuntu 14.04 while the 'rhel7' directory would contain RHEL 7 content for Ubuntu 16.04, CentOS 7 and RHEL 7.  The root 'main.yml' would have an include line that would check the OS and include the correct main.yml from the 'rhel6' or 'rhel7' directory.

This would involve more changes, and possibly a little bit of repeated tasks between the two STIGs.  However, it should be cleaner and easier to maintain.  When support for Ubuntu 14.04 needs to be removed, the 'rhel6' directory could be dropped entirely.

Requested feedback
------------------
I'd really like to hear feedback from users, especially those who use this role on a regular basis.  Here are my questions:

1) Which plan makes the most sense?
2) Is there another idea that makes more sense than these two?

Thanks in advance for your help!  I plan to put a spec together once I get some feedback.

--
Major Hayden
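The OS dispatch described in Idea #2, written out as an added example that is not part of the original post or of the openstack-ansible-security role: a tasks/main.yml that maps Ansible's distribution facts onto the 'rhel6' or 'rhel7' task directory and fails closed when a host's OS has no mapping, so an unknown platform is never silently left unhardened. The variable names stig_version and stig_os_map are assumptions for this example, not names the role defines.

```yaml
---
# tasks/main.yml (added example; not the role's actual file)
#
# Ansible facts used here:
#   ansible_distribution               -> "Ubuntu", "CentOS", "RedHat"
#   ansible_distribution_major_version -> "14", "16", "7"
# 'stig_os_map' and 'stig_version' are assumed variable names.

- name: Map this host's OS to a STIG baseline directory
  set_fact:
    stig_version: "{{ stig_os_map[ansible_distribution ~ ' ' ~ ansible_distribution_major_version] | default('') }}"
  vars:
    stig_os_map:
      "Ubuntu 14": rhel6   # Ubuntu 14.04 keeps the RHEL 6 STIG content
      "Ubuntu 16": rhel7   # Ubuntu 16.04, CentOS 7 and RHEL 7 get RHEL 7 STIG content
      "CentOS 7": rhel7
      "RedHat 7": rhel7

# Fail closed: a host that matches no entry must not run with zero
# hardening applied and still report a successful play.
- name: Refuse to continue on an OS with no STIG mapping
  fail:
    msg: >-
      No STIG baseline is mapped for
      {{ ansible_distribution }} {{ ansible_distribution_version }}
  when: stig_version == ''

# Resolves relative to the role's tasks/ directory, i.e. to
# tasks/rhel6/main.yml or tasks/rhel7/main.yml.
- name: Apply the selected STIG baseline
  include_tasks: "{{ stig_version }}/main.yml"
```

On the Ansible releases current when this thread was written, the last step would have been spelled `include:` rather than `include_tasks:`; the dispatch logic is otherwise the same. Keeping the mapping in one dictionary means adding a future OS is a one-line change, and dropping Ubuntu 14.04 later is a matter of deleting its entry together with the 'rhel6' directory, as the post describes.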


