[openstack-dev] [openstack-ansible][security] Should the playbook stop on certain tasks?

Major Hayden major at mhtx.net
Wed Jan 13 15:10:22 UTC 2016



Hey there,

After presenting openstack-ansible-security at the Security Project Mid-Cycle meeting yesterday, the question came up around how to handle situations where automation might cause problems.

For example, the STIG requires[1] that all system accounts other than root are locked.  This could be dangerous on a running production system as Ubuntu has non-root accounts that are not locked.  At the moment, the playbook does a hard stop (using the fail module) when this check fails[2].  Although that can be skipped with --skip-tag, it can be a little annoying if you have automation that depends on the playbook running without stopping.

Is there a good alternative for this?  I've found a few options:

  1) Leave it as-is and do a hard stop on these tasks
  2) Print a warning to the console but let the playbook continue
  3) Use an Ansible callback plugin to catch these and print them at the end of the playbook run

Thanks in advance for any advice!

[1] https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38496
[2] https://github.com/openstack/openstack-ansible-security/blob/master/tasks/auth.yml#L60-L87

--
Major Hayden
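The V-38496 check discussed above, written so a single variable switches between option 1 (hard stop via `fail`) and option 2 (warn and continue). This is an added example, not code from openstack-ansible-security; the variable name `security_fail_on_unlocked`, the "system account" cutoff of UID below 1000 (Ubuntu's default range), and the tag names are assumptions of this example.

```yaml
---
# Added example (not from openstack-ansible-security).
# Assumptions: system accounts are UID < 1000 (Ubuntu default),
# and `security_fail_on_unlocked` is a constructed variable name.
- name: Find non-root system accounts whose password is not locked (V-38496)
  become: yes
  shell: >
    awk -F: 'NR == FNR { if ($3 < 1000 && $1 != "root") sys[$1] = 1; next }
             ($1 in sys) && $2 !~ /^[!*]/ { print $1 }'
    /etc/passwd /etc/shadow
  register: unlocked_system_accounts
  changed_when: false
  tags:
    - auth
    - V-38496

# Option 1: stop the run so an operator has to look before anything is locked.
- name: Stop when unlocked system accounts exist
  fail:
    msg: >
      Unlocked non-root system accounts found, not locking them automatically:
      {{ unlocked_system_accounts.stdout_lines | join(', ') }}
  when:
    - security_fail_on_unlocked | default(true) | bool
    - unlocked_system_accounts.stdout_lines | length > 0
  tags:
    - auth
    - V-38496

# Option 2: record the finding in the play output but let the run continue,
# so unattended automation is not blocked by a purely informational check.
- name: Warn about unlocked system accounts and continue
  debug:
    msg: >
      WARNING (V-38496): unlocked non-root system accounts, review manually:
      {{ unlocked_system_accounts.stdout_lines | join(', ') }}
  when:
    - not (security_fail_on_unlocked | default(true) | bool)
    - unlocked_system_accounts.stdout_lines | length > 0
  tags:
    - auth
    - V-38496
```

Running with `-e security_fail_on_unlocked=false` gives the warn-only behaviour; the check task itself never modifies `/etc/shadow`, so the decision to lock accounts stays with the operator in both modes.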