From 1584187 at bugs.launchpad.net Wed Jun 1 09:29:43 2016 From: 1584187 at bugs.launchpad.net (OpenStack Infra) Date: Wed, 01 Jun 2016 09:29:43 -0000 Subject: [Openstack-security] [Bug 1584187] Re: Security role should set audit rules for SELinux References: <20160520192300.511.16353.malonedeb@chaenomeles.canonical.com> Message-ID: <20160601092944.18249.57856.malone@soybean.canonical.com> Reviewed: https://review.openstack.org/319438 Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=7b313ee1bc6c300869ce557d7ab8e3ddc17b2333 Submitter: Jenkins Branch: master commit 7b313ee1bc6c300869ce557d7ab8e3ddc17b2333 Author: Major Hayden Date: Wed May 25 11:26:56 2016 -0500 Adding audit rule for SELinux policy modifications This patch fixes the auditd rules template so that AppArmor and SELinux policy modifications are logged, depending on which Linux distribution is in use. The security_audit_apparmor_changes variable has been renamed to security_audit_mac_changes to be more generic. Documentation updates and a release note are included. Closes-bug: 1584187 Change-Id: I0955e2cb8a05af4afd36aaca518322a9df6d1ff7 ** Changed in: openstack-ansible Status: In Progress => Fix Released -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1584187 Title: Security role should set audit rules for SELinux Status in openstack-ansible: Fix Released Bug description: V-38541 requires that SELinux modifications are audited. This was configured for Ubuntu, but not for CentOS. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1584187/+subscriptions From 1585349 at bugs.launchpad.net Wed Jun 1 12:44:46 2016 From: 1585349 at bugs.launchpad.net (OpenStack Infra) Date: Wed, 01 Jun 2016 12:44:46 -0000 Subject: [Openstack-security] [Bug 1585349] Change abandoned on openstack-ansible-security (stable/mitaka) References: <20160524195344.25918.65100.malonedeb@chaenomeles.canonical.com> Message-ID: <20160601124446.30008.96018.malone@chaenomeles.canonical.com> Change abandoned by Major Hayden (major at mhtx.net) on branch: stable/mitaka Review: https://review.openstack.org/323536 Reason: Most of the Ansible 2.x users will be using the master (Newton) branch of the security role anyway. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1585349 Title: Security role fails on unlocked accounts in Ansible 2.2 Status in openstack-ansible: Fix Released Bug description: The security role fails on the unlocked accounts check when using Ansible 2.2: TASK [openstack-ansible-security : debug] ************************************** ok: [logs.cloud-ci.ibmcis.com] => { "v38496_violations": "\n" } The tasks end up returning a non-empty violations list even though no unlocked accounts exist on the system. Thanks to phschwartz for reporting this in IRC. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1585349/+subscriptions From 1585349 at bugs.launchpad.net Wed Jun 1 12:44:51 2016 From: 1585349 at bugs.launchpad.net (OpenStack Infra) Date: Wed, 01 Jun 2016 12:44:51 -0000 Subject: [Openstack-security] [Bug 1585349] Change abandoned on openstack-ansible-security (liberty) References: <20160524195344.25918.65100.malonedeb@chaenomeles.canonical.com> Message-ID: <20160601124451.6070.53038.malone@wampee.canonical.com> Change abandoned by Major Hayden (major at mhtx.net) on branch: liberty Review: https://review.openstack.org/323537 Reason: Most of the Ansible 2.x users will be using the master (Newton) branch of the security role anyway. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1585349 Title: Security role fails on unlocked accounts in Ansible 2.2 Status in openstack-ansible: Fix Released Bug description: The security role fails on the unlocked accounts check when using Ansible 2.2: TASK [openstack-ansible-security : debug] ************************************** ok: [logs.cloud-ci.ibmcis.com] => { "v38496_violations": "\n" } The tasks end up returning a non-empty violations list even though no unlocked accounts exist on the system. Thanks to phschwartz for reporting this in IRC. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1585349/+subscriptions From thierry.carrez+lp at gmail.com Wed Jun 1 15:56:35 2016 From: thierry.carrez+lp at gmail.com (Thierry Carrez) Date: Wed, 01 Jun 2016 15:56:35 -0000 Subject: [Openstack-security] [Bug 1516031] Fix included in openstack/glance 13.0.0.0b1 References: <20151113142716.4469.80964.malonedeb@gac.canonical.com> Message-ID: <20160601155635.1269.28106.malone@wampee.canonical.com> This issue was fixed in the openstack/glance 13.0.0.0b1 development milestone. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1516031 Title: Use of MD5 in OpenStack Glance image signature (CVE-2015-8234) Status in Glance: Fix Released Status in OpenStack Security Advisory: Won't Fix Status in OpenStack Security Notes: Fix Released Bug description: This have been reported by Daniel P. Berrange: " In the OpenStack Liberty release, the Glance project added support for image signature verification. http://specs.openstack.org/openstack/glance-specs/specs/liberty/image- signing-and-verification-support.html The verification code was added in the following git commit https://github.com/openstack/glance/commit/484ef1b40b738c87adb203bba6107ddb4b04ff6e Unfortunately the design of this signature verification method is flawed by design. The generalized approach to creating signatures of content is to apply a hash to the content and then encrypt it in some manner. Consider that the signature is defined to use hash=sha256 and cipher=rsa we can describe the signature computation as signature = rsa(sha256(content)) In the case of verifying a disk image, the content we care about verifying is the complete disk image file. Unfortunately, the glance specification chose *not* to compute the signature against the disk image file. Glance already had an MD5 checksum calculated for the disk image file, so they instead chose to compute the signature against the MD5 checksum instead. ie glance is running signature = rsa(sha256(md5(disk-image-content))) This degrades the security of the system to that of the weakest hash, which is obviously MD5 here. The code where glance verifies the signature is in the glance/locations.py, the 'set_data' method where is does result = signature_utils.verify_signature( self.context, checksum, self.image.extra_properties) if result: LOG.info(_LI("Successfully verified signature for image %s"), self.image.image_id) The 'checksum' variable is populate by the glance_store driver, but it is hardcoded to always be md5 in all current glance storage backends: $ git grep hashlib glance_store/_drivers/ | grep checksum glance_store/_drivers/filesystem.py: checksum = hashlib.md5() glance_store/_drivers/rbd.py: checksum = hashlib.md5() glance_store/_drivers/s3.py: checksum = hashlib.md5() glance_store/_drivers/s3.py: checksum = hashlib.md5() glance_store/_drivers/sheepdog.py: checksum = hashlib.md5() glance_store/_drivers/swift/store.py: checksum = hashlib.md5() glance_store/_drivers/vmware_datastore.py: self.checksum = hashlib.md5() Since we will soon be shipping OpenStack Liberty release, we need to at least give a security notice to alert our customers to the fact that the signature verification is cryptographically weak/broken. IMHO, it quite likely deserves a CVE though NB, this is public knowledge as I first became aware of this flawed design in comments / discussion on a public specification proposed to implement the same approach in the Nova project. My suggested way to fix this is to simply abandon the current impl and re-do it such that it directly computes the signature against the disk image, and does not use the existing md5 checksum in any way. Regards, Daniel " Mailing list thread for Nova impl: http://lists.openstack.org/pipermail/openstack-dev/2015-November/079348.html Nova Spec: https://review.openstack.org/#/c/188874/ To manage notifications about this bug go to: https://bugs.launchpad.net/glance/+bug/1516031/+subscriptions From 1583744 at bugs.launchpad.net Wed Jun 1 16:40:52 2016 From: 1583744 at bugs.launchpad.net (OpenStack Infra) Date: Wed, 01 Jun 2016 16:40:52 -0000 Subject: [Openstack-security] [Bug 1583744] Fix merged to openstack-ansible-security (master) References: <20160519184446.8326.17404.malonedeb@soybean.canonical.com> Message-ID: <20160601164052.692.48712.malone@wampee.canonical.com> Reviewed: https://review.openstack.org/318905 Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=32ce2246371faebf0d910f70e7ec230e5d2c1313 Submitter: Jenkins Branch: master commit 32ce2246371faebf0d910f70e7ec230e5d2c1313 Author: Major Hayden Date: Thu May 19 15:06:57 2016 -0500 Docs: Update dev notes for Cat 3 controls This patch updates the documentation for the developer notes associated with the Cat 3 (High) controls applied by the security role. Partial-bug: 1583744 Change-Id: Ia7dad9e8d1871cfa6d0408c329d6f771704e8d96 -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1583744 Title: Security role docs need updates for Xenial/CentOS Status in openstack-ansible: In Progress Bug description: The security role now supports Xenial and CentOS, but the documentation now needs updates. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1583744/+subscriptions From 1584196 at bugs.launchpad.net Wed Jun 1 20:53:12 2016 From: 1584196 at bugs.launchpad.net (OpenStack Infra) Date: Wed, 01 Jun 2016 20:53:12 -0000 Subject: [Openstack-security] [Bug 1584196] Re: Security role should look for unlabeled devices References: <20160520195109.636.50703.malonedeb@chaenomeles.canonical.com> Message-ID: <20160601205312.29189.37590.malone@gac.canonical.com> Reviewed: https://review.openstack.org/319448 Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=bf28fdfe90fe5a16c57f5c4c18cff9510bed2423 Submitter: Jenkins Branch: master commit bf28fdfe90fe5a16c57f5c4c18cff9510bed2423 Author: Major Hayden Date: Wed Jun 1 13:22:12 2016 -0500 Search for unlabeled device files The checks for V-51379 didn't apply for Ubuntu and they were unintentionally skipped in CentOS after the multi-distro work was completed. This patch adds a search for unlabeled device files on CentOS 7 systems and halts the playbook if an unlabeled device is found. This is a very rare occurrence. Documentation updates and release notes are provided. Closes-bug: 1584196 Change-Id: Iba4be3bc5fa607685e3b4eeefda35f93894c7f28 ** Changed in: openstack-ansible Status: In Progress => Fix Released -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1584196 Title: Security role should look for unlabeled devices Status in openstack-ansible: Fix Released Bug description: V-51379 requires that no unlabeled devices exist on the system. This doesn't apply for AppArmor, so it was skipped in Ubuntu. However, these devices ought to be checked in CentOS. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1584196/+subscriptions From davanum at gmail.com Thu Jun 2 19:34:39 2016 From: davanum at gmail.com (Davanum Srinivas (DIMS)) Date: Thu, 02 Jun 2016 19:34:39 -0000 Subject: [Openstack-security] [Bug 1561796] Fix included in openstack/nova 14.0.0.0b1 References: <20160325000544.30735.22681.malonedeb@gac.canonical.com> Message-ID: <20160602193439.12769.16156.malone@soybean.canonical.com> This issue was fixed in the openstack/nova 14.0.0.0b1 development milestone. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1561796 Title: ironic driver does not support ssl cafile Status in OpenStack Compute (nova): Fix Released Bug description: Even though Ironic's python client supports SSL encrypted connections to the ironic service, and securing intra-service connections is a recommended practice, the nova.virt.Ironic driver currently lacks an option to specify a custom CA Certificate for validating the SSL connection to the Ironic service. On the other hand, other OpenStack services which Nova connects to (eg, Glance, Neutron...) have support for this via a service-specific "cafile" config option. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1561796/+subscriptions From davanum at gmail.com Thu Jun 2 19:32:38 2016 From: davanum at gmail.com (Davanum Srinivas (DIMS)) Date: Thu, 02 Jun 2016 19:32:38 -0000 Subject: [Openstack-security] [Bug 1483132] Fix included in openstack/nova 14.0.0.0b1 References: <20150810064713.19114.43085.malonedeb@wampee.canonical.com> Message-ID: <20160602193238.6908.76153.malone@chaenomeles.canonical.com> This issue was fixed in the openstack/nova 14.0.0.0b1 development milestone. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1483132 Title: ssh-keygen-to-Paramiko change breaks third-party tools Status in OpenStack Compute (nova): Fix Released Bug description: Changing ssh key generation from OpenSSH's ssh-keygen to the Paramiko library [1][2] changed (unintentionally?) the ASN.1 encoding format of SSH private keys from DER to BER. (DER is a strict subset of BER, so anything that can read BER can read DER, but not necessarily the other way around.) Some third-party tools only support DER and this has created at least one issue [3] (specifically because Go's standard library only supports DER). I have provided Paramiko with a small change that makes its SSH private key output equal to OpenSSH's ssh-keygen output (and presumably DER formatted) [4]. Providing a change to Paramiko is just one method of addressing this backwards-incompatibility and interoperability issue. Should the Paramiko change be accepted the unit test output vectors will need to be changed, but should it not, is a reversion of or modification to Nova acceptable to maintain backwards-compatibility and interoperability? [1] https://review.openstack.org/157931 [2] http://git.openstack.org/cgit/openstack/nova/commit/?id=3f3f9bf22efd2fb209d2a2fe0246f4857cd2d21a [3] https://github.com/mitchellh/packer/issues/2526 [4] https://github.com/paramiko/paramiko/pull/572 To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1483132/+subscriptions From davanum at gmail.com Thu Jun 2 20:10:44 2016 From: davanum at gmail.com (Davanum Srinivas (DIMS)) Date: Thu, 02 Jun 2016 20:10:44 -0000 Subject: [Openstack-security] [Bug 1579914] Fix included in openstack/openstack-ansible-security 13.1.2 References: <20160509205442.981.10915.malonedeb@chaenomeles.canonical.com> Message-ID: <20160602201045.19490.44642.malone@wampee.canonical.com> This issue was fixed in the openstack/openstack-ansible-security 13.1.2 release. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1579914 Title: Security role doesn't handle sshd_config with Match Status in openstack-ansible: Fix Released Bug description: The security role makes several changes to the sshd_config file, but it doesn't handle situations where the configuration file might end with Match stanzas. There cannot be any general configuration options after any Match stanzas in the configuration file. The role should: * Handle Match stanzas properly * Validate the sshd_config with each change To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1579914/+subscriptions From vgridnev at mirantis.com Fri Jun 3 09:31:40 2016 From: vgridnev at mirantis.com (Vitaly Gridnev) Date: Fri, 03 Jun 2016 09:31:40 -0000 Subject: [Openstack-security] [Bug 1541122] Re: Vanilla plugin uses hardcoded password for Oozie MySQL database user References: <20160202222341.14647.37585.malonedeb@gac.canonical.com> Message-ID: <20160603093140.12110.29983.launchpad@soybean.canonical.com> ** No longer affects: sahara/liberty -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1541122 Title: Vanilla plugin uses hardcoded password for Oozie MySQL database user Status in OpenStack Security Advisory: Won't Fix Status in Sahara: In Progress Status in Sahara mitaka series: In Progress Bug description: When deploying clusters with the vanilla plugin, the Oozie[1] application must be configured to use a database for storing data related to the scheduling, running, and processing of Hadoop jobs. Oozie is the primary scheduler for jobs entering the Hadoop ecosystem through the vanilla plugin. Sahara configures the credentials for Oozie to access its database, this can be seen in sahara/plugins/vanilla/hadoop2/oozie_helper.py [2]. These credentials are hardcoded, and use a weak password. An intruder with access to the nodes of a cluster that is created by sahara with the vanilla plugin will have access to the database that backs the Oozie installation. With this access, the intruder could change the operational effects of Oozie to produce results other than expected, for example inserting new jobs or altering configurations associated with currently running jobs. As sahara has ultimate control over the deployment and configuration of Oozie on nodes deployed in its clusters, this hardcoded password should be changed in favor of a random password that will be generated uniquely for each deployed cluster. Oozie uses the values associated with the configurations defined in [2] to create the credentials, this means that the change should be a matter of simply changing the source valueof the password for the Oozie user. [1]: https://oozie.apache.org/ [2]: https://github.com/openstack/sahara/blob/master/sahara/plugins/vanilla/hadoop2/oozie_helper.py#L41 To manage notifications about this bug go to: https://bugs.launchpad.net/ossa/+bug/1541122/+subscriptions From major at mhtx.net Fri Jun 3 16:58:17 2016 From: major at mhtx.net (Major Hayden) Date: Fri, 03 Jun 2016 16:58:17 -0000 Subject: [Openstack-security] [Bug 1588544] Re: RHEL7 Support for ansible security References: <20160602215527.19591.65378.malonedeb@wampee.canonical.com> Message-ID: <20160603165817.16828.82154.launchpad@gac.canonical.com> ** Changed in: openstack-ansible Status: New => Confirmed ** Changed in: openstack-ansible Importance: Undecided => Wishlist ** Tags added: security -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1588544 Title: RHEL7 Support for ansible security Status in openstack-ansible: Confirmed Bug description: I am attempting to take the latest openstack-ansible-security role and run standalone checks against RHEL 7.2 and I am finding that the often used method to exclude items when a --check is executed "when: not check_mode" fails and causes and exit. There are some cases where I have been able to get round this with ignore_errors: yes however that is not a solution. TASK: [security | V-38637 - Contents of auditd package must be verified] ****** fatal: [172.31.255.20] => error while evaluating conditional: not check_mode fatal: [172.31.255.21] => error while evaluating conditional: not check_mode fatal: [172.31.255.18] => error while evaluating conditional: not check_mode fatal: [172.31.255.15] => error while evaluating conditional: not check_mode fatal: [172.31.255.11] => error while evaluating conditional: not check_mode fatal: [172.31.255.12] => error while evaluating conditional: not check_mode fatal: [172.31.255.13] => error while evaluating conditional: not check_mode fatal: [172.31.255.24] => error while evaluating conditional: not check_mode fatal: [172.31.255.16] => error while evaluating conditional: not check_mode FATAL: all hosts have already failed -- aborting To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1588544/+subscriptions From 1588544 at bugs.launchpad.net Fri Jun 3 17:27:17 2016 From: 1588544 at bugs.launchpad.net (OpenStack Infra) Date: Fri, 03 Jun 2016 17:27:17 -0000 Subject: [Openstack-security] [Bug 1588544] Re: RHEL7 Support for ansible security References: <20160602215527.19591.65378.malonedeb@wampee.canonical.com> Message-ID: <20160603172717.6863.30004.malone@chaenomeles.canonical.com> Fix proposed to branch: master Review: https://review.openstack.org/325421 ** Changed in: openstack-ansible Status: Confirmed => In Progress ** Changed in: openstack-ansible Assignee: (unassigned) => Major Hayden (rackerhacker) -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1588544 Title: RHEL7 Support for ansible security Status in openstack-ansible: In Progress Bug description: I am attempting to take the latest openstack-ansible-security role and run standalone checks against RHEL 7.2 and I am finding that the often used method to exclude items when a --check is executed "when: not check_mode" fails and causes and exit. There are some cases where I have been able to get round this with ignore_errors: yes however that is not a solution. TASK: [security | V-38637 - Contents of auditd package must be verified] ****** fatal: [172.31.255.20] => error while evaluating conditional: not check_mode fatal: [172.31.255.21] => error while evaluating conditional: not check_mode fatal: [172.31.255.18] => error while evaluating conditional: not check_mode fatal: [172.31.255.15] => error while evaluating conditional: not check_mode fatal: [172.31.255.11] => error while evaluating conditional: not check_mode fatal: [172.31.255.12] => error while evaluating conditional: not check_mode fatal: [172.31.255.13] => error while evaluating conditional: not check_mode fatal: [172.31.255.24] => error while evaluating conditional: not check_mode fatal: [172.31.255.16] => error while evaluating conditional: not check_mode FATAL: all hosts have already failed -- aborting To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1588544/+subscriptions From major at mhtx.net Fri Jun 3 18:24:01 2016 From: major at mhtx.net (Major Hayden) Date: Fri, 03 Jun 2016 18:24:01 -0000 Subject: [Openstack-security] [Bug 1588544] Re: RHEL7 Support for ansible security References: <20160602215527.19591.65378.malonedeb@wampee.canonical.com> Message-ID: <20160603182401.16642.718.malone@gac.canonical.com> The functional mode should be fixed by https://review.openstack.org/325421 in RHEL 7. As for the check mode, that should be fixed by https://review.openstack.org/#/c/325376/. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1588544 Title: RHEL7 Support for ansible security Status in openstack-ansible: In Progress Bug description: I am attempting to take the latest openstack-ansible-security role and run standalone checks against RHEL 7.2 and I am finding that the often used method to exclude items when a --check is executed "when: not check_mode" fails and causes and exit. There are some cases where I have been able to get round this with ignore_errors: yes however that is not a solution. TASK: [security | V-38637 - Contents of auditd package must be verified] ****** fatal: [172.31.255.20] => error while evaluating conditional: not check_mode fatal: [172.31.255.21] => error while evaluating conditional: not check_mode fatal: [172.31.255.18] => error while evaluating conditional: not check_mode fatal: [172.31.255.15] => error while evaluating conditional: not check_mode fatal: [172.31.255.11] => error while evaluating conditional: not check_mode fatal: [172.31.255.12] => error while evaluating conditional: not check_mode fatal: [172.31.255.13] => error while evaluating conditional: not check_mode fatal: [172.31.255.24] => error while evaluating conditional: not check_mode fatal: [172.31.255.16] => error while evaluating conditional: not check_mode FATAL: all hosts have already failed -- aborting To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1588544/+subscriptions From vgridnev at mirantis.com Fri Jun 3 18:34:14 2016 From: vgridnev at mirantis.com (Vitaly Gridnev) Date: Fri, 03 Jun 2016 18:34:14 -0000 Subject: [Openstack-security] [Bug 1541122] Re: Vanilla plugin uses hardcoded password for Oozie MySQL database user References: <20160202222341.14647.37585.malonedeb@gac.canonical.com> Message-ID: <20160603183415.16569.76094.launchpad@gac.canonical.com> ** Changed in: sahara/mitaka Status: In Progress => Confirmed -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1541122 Title: Vanilla plugin uses hardcoded password for Oozie MySQL database user Status in OpenStack Security Advisory: Won't Fix Status in Sahara: In Progress Status in Sahara mitaka series: Confirmed Bug description: When deploying clusters with the vanilla plugin, the Oozie[1] application must be configured to use a database for storing data related to the scheduling, running, and processing of Hadoop jobs. Oozie is the primary scheduler for jobs entering the Hadoop ecosystem through the vanilla plugin. Sahara configures the credentials for Oozie to access its database, this can be seen in sahara/plugins/vanilla/hadoop2/oozie_helper.py [2]. These credentials are hardcoded, and use a weak password. An intruder with access to the nodes of a cluster that is created by sahara with the vanilla plugin will have access to the database that backs the Oozie installation. With this access, the intruder could change the operational effects of Oozie to produce results other than expected, for example inserting new jobs or altering configurations associated with currently running jobs. As sahara has ultimate control over the deployment and configuration of Oozie on nodes deployed in its clusters, this hardcoded password should be changed in favor of a random password that will be generated uniquely for each deployed cluster. Oozie uses the values associated with the configurations defined in [2] to create the credentials, this means that the change should be a matter of simply changing the source valueof the password for the Oozie user. [1]: https://oozie.apache.org/ [2]: https://github.com/openstack/sahara/blob/master/sahara/plugins/vanilla/hadoop2/oozie_helper.py#L41 To manage notifications about this bug go to: https://bugs.launchpad.net/ossa/+bug/1541122/+subscriptions From major at mhtx.net Tue Jun 7 17:12:45 2016 From: major at mhtx.net (Major Hayden) Date: Tue, 07 Jun 2016 17:12:45 -0000 Subject: [Openstack-security] [Bug 1590086] [NEW] check_mode not set when using tags with security role Message-ID: <20160607171245.24975.77161.malonedeb@gac.canonical.com> Public bug reported: If a tag is provided with the security role in check mode, the check_mode variable is not set. This causes any tasks that depend on that variable to fail. ** Affects: openstack-ansible Importance: High Assignee: Major Hayden (rackerhacker) Status: In Progress ** Tags: security -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590086 Title: check_mode not set when using tags with security role Status in openstack-ansible: In Progress Bug description: If a tag is provided with the security role in check mode, the check_mode variable is not set. This causes any tasks that depend on that variable to fail. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590086/+subscriptions From 1590086 at bugs.launchpad.net Tue Jun 7 17:19:09 2016 From: 1590086 at bugs.launchpad.net (OpenStack Infra) Date: Tue, 07 Jun 2016 17:19:09 -0000 Subject: [Openstack-security] [Bug 1590086] Re: check_mode not set when using tags with security role References: <20160607171245.24975.77161.malonedeb@gac.canonical.com> Message-ID: <20160607171909.2401.76810.malone@chaenomeles.canonical.com> Fix proposed to branch: master Review: https://review.openstack.org/326664 ** Changed in: openstack-ansible Status: Confirmed => In Progress -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590086 Title: check_mode not set when using tags with security role Status in openstack-ansible: In Progress Bug description: If a tag is provided with the security role in check mode, the check_mode variable is not set. This causes any tasks that depend on that variable to fail. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590086/+subscriptions From major at mhtx.net Tue Jun 7 18:25:59 2016 From: major at mhtx.net (Major Hayden) Date: Tue, 07 Jun 2016 18:25:59 -0000 Subject: [Openstack-security] [Bug 1590102] Re: "V-38579 - Bootloader configuration files must be owned by root" task fails when running ansible standalone in checkmode References: <20160607181557.11891.33821.malonedeb@wampee.canonical.com> Message-ID: <20160607182559.24741.1744.malone@gac.canonical.com> Thanks for tackling this one, Mark! :) ** Changed in: openstack-ansible Status: New => Confirmed ** Changed in: openstack-ansible Importance: Undecided => Medium ** Changed in: openstack-ansible Assignee: (unassigned) => Mark Hooper (hoopernet) -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590102 Title: "V-38579 - Bootloader configuration files must be owned by root" task fails when running ansible standalone in checkmode Status in openstack-ansible: Confirmed Bug description: When running openstack-ansible-security in standalone mode on Redhat 7.2 the bootloaded configuration files being owned by root check fails. See below for error output. Command run: ansible-playbook security.yml --check --tags cat2 Output: TASK: [security | V-38579 - Bootloader configuration files must be owned by root] *** fatal: [172.31.255.21] => error while evaluating conditional: grub_cfg.stat.exists fatal: [172.31.255.20] => error while evaluating conditional: grub_cfg.stat.exists fatal: [172.31.255.24] => error while evaluating conditional: grub_cfg.stat.exists fatal: [172.31.255.18] => error while evaluating conditional: grub_cfg.stat.exists fatal: [172.31.255.15] => error while evaluating conditional: grub_cfg.stat.exists fatal: [172.31.255.16] => error while evaluating conditional: grub_cfg.stat.exists FATAL: all hosts have already failed -- aborting To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590102/+subscriptions From 1590102 at bugs.launchpad.net Tue Jun 7 19:48:19 2016 From: 1590102 at bugs.launchpad.net (OpenStack Infra) Date: Tue, 07 Jun 2016 19:48:19 -0000 Subject: [Openstack-security] [Bug 1590102] Re: "V-38579 - Bootloader configuration files must be owned by root" task fails when running ansible standalone in checkmode References: <20160607181557.11891.33821.malonedeb@wampee.canonical.com> Message-ID: <20160607194821.11603.89868.launchpad@wampee.canonical.com> ** Changed in: openstack-ansible Status: Confirmed => In Progress ** Changed in: openstack-ansible Assignee: Mark Hooper (hoopernet) => Major Hayden (rackerhacker) -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590102 Title: "V-38579 - Bootloader configuration files must be owned by root" task fails when running ansible standalone in checkmode Status in openstack-ansible: In Progress Bug description: When running openstack-ansible-security in standalone mode on Redhat 7.2 the bootloaded configuration files being owned by root check fails. See below for error output. Command run: ansible-playbook security.yml --check --tags cat2 Output: TASK: [security | V-38579 - Bootloader configuration files must be owned by root] *** fatal: [172.31.255.21] => error while evaluating conditional: grub_cfg.stat.exists fatal: [172.31.255.20] => error while evaluating conditional: grub_cfg.stat.exists fatal: [172.31.255.24] => error while evaluating conditional: grub_cfg.stat.exists fatal: [172.31.255.18] => error while evaluating conditional: grub_cfg.stat.exists fatal: [172.31.255.15] => error while evaluating conditional: grub_cfg.stat.exists fatal: [172.31.255.16] => error while evaluating conditional: grub_cfg.stat.exists FATAL: all hosts have already failed -- aborting To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590102/+subscriptions From 1590102 at bugs.launchpad.net Wed Jun 8 10:05:41 2016 From: 1590102 at bugs.launchpad.net (OpenStack Infra) Date: Wed, 08 Jun 2016 10:05:41 -0000 Subject: [Openstack-security] [Bug 1590102] Re: "V-38579 - Bootloader configuration files must be owned by root" task fails when running ansible standalone in checkmode References: <20160607181557.11891.33821.malonedeb@wampee.canonical.com> Message-ID: <20160608100541.31308.70473.malone@soybean.canonical.com> Reviewed: https://review.openstack.org/326705 Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=03d436f86403d5635759ed4dcfc2d36567aeca20 Submitter: Jenkins Branch: master commit 03d436f86403d5635759ed4dcfc2d36567aeca20 Author: Mark Hooper Date: Tue Jun 7 14:03:04 2016 -0500 Fix grub configuration file path in RHEL/CentOS 7 CentOS and RHEL 7 both use /boot/grub2/grub.cfg, but the tasks in the security role expect it to be in /boot/grub/grub.cfg. This patch adds a variable for the grub configuration file path. Closes-bug: 1590102 Change-Id: I724d6eb3b716bd9b0006d0d2e5ad201481d52e59 ** Changed in: openstack-ansible Status: In Progress => Fix Released -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590102 Title: "V-38579 - Bootloader configuration files must be owned by root" task fails when running ansible standalone in checkmode Status in openstack-ansible: Fix Released Bug description: When running openstack-ansible-security in standalone mode on Redhat 7.2 the bootloaded configuration files being owned by root check fails. See below for error output. Command run: ansible-playbook security.yml --check --tags cat2 Output: TASK: [security | V-38579 - Bootloader configuration files must be owned by root] *** fatal: [172.31.255.21] => error while evaluating conditional: grub_cfg.stat.exists fatal: [172.31.255.20] => error while evaluating conditional: grub_cfg.stat.exists fatal: [172.31.255.24] => error while evaluating conditional: grub_cfg.stat.exists fatal: [172.31.255.18] => error while evaluating conditional: grub_cfg.stat.exists fatal: [172.31.255.15] => error while evaluating conditional: grub_cfg.stat.exists fatal: [172.31.255.16] => error while evaluating conditional: grub_cfg.stat.exists FATAL: all hosts have already failed -- aborting To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590102/+subscriptions From doug at doughellmann.com Wed Jun 8 21:19:58 2016 From: doug at doughellmann.com (Doug Hellmann) Date: Wed, 08 Jun 2016 21:19:58 -0000 Subject: [Openstack-security] [Bug 1532317] Fix included in openstack/murano 2015.1.1 References: <20160108202404.8643.13925.malonedeb@wampee.canonical.com> Message-ID: <20160608211958.25149.11892.malone@gac.canonical.com> This issue was fixed in the openstack/murano 2015.1.1 release. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1532317 Title: Only ingress rules are supported in security groups Status in Murano: Fix Released Status in Murano kilo series: Fix Released Status in Murano liberty series: Fix Released Status in Murano mitaka series: Fix Released Bug description: There is no way to specify in which direction security rule should be applied, only ingress is supported. Also there should be an optional key in existing parameter specifying rule IP protocol version (IPv4/IPv6) https://github.com/openstack/murano/blob/master/meta/io.murano/Classes/system/NeutronSecurityGroupManager.yaml#L56 https://github.com/openstack/heat/blob/stable/kilo/heat/engine/resources/openstack/neutron/security_group.py#L50 To manage notifications about this bug go to: https://bugs.launchpad.net/murano/+bug/1532317/+subscriptions From doug at doughellmann.com Wed Jun 8 21:20:32 2016 From: doug at doughellmann.com (Doug Hellmann) Date: Wed, 08 Jun 2016 21:20:32 -0000 Subject: [Openstack-security] [Bug 1472331] Fix included in openstack/murano 2015.1.1 References: <20150707162751.20498.27948.malonedeb@soybean.canonical.com> Message-ID: <20160608212032.31275.21807.malone@soybean.canonical.com> This issue was fixed in the openstack/murano 2015.1.1 release. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1472331 Title: Trust id is not hidden in logs Status in Murano: Fix Released Status in Murano kilo series: Fix Committed Bug description: When murano creates trustes and operates with data, contains it, the value of trust is not hidden: "SystemData": {"TrustId": "d5f1261a5a4f482d9c65a01bd385255b"}}, "token": "*** SANITIZED ***", Need to use *** like it's done with token To manage notifications about this bug go to: https://bugs.launchpad.net/murano/+bug/1472331/+subscriptions From vgridnev at mirantis.com Wed Jun 8 21:45:51 2016 From: vgridnev at mirantis.com (Vitaly Gridnev) Date: Wed, 08 Jun 2016 21:45:51 -0000 Subject: [Openstack-security] [Bug 1541122] Re: Vanilla plugin uses hardcoded password for Oozie MySQL database user References: <20160202222341.14647.37585.malonedeb@gac.canonical.com> Message-ID: <20160608214551.31647.33899.launchpad@soybean.canonical.com> ** No longer affects: sahara/mitaka -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1541122 Title: Vanilla plugin uses hardcoded password for Oozie MySQL database user Status in OpenStack Security Advisory: Won't Fix Status in Sahara: In Progress Bug description: When deploying clusters with the vanilla plugin, the Oozie[1] application must be configured to use a database for storing data related to the scheduling, running, and processing of Hadoop jobs. Oozie is the primary scheduler for jobs entering the Hadoop ecosystem through the vanilla plugin. Sahara configures the credentials for Oozie to access its database, this can be seen in sahara/plugins/vanilla/hadoop2/oozie_helper.py [2]. These credentials are hardcoded, and use a weak password. An intruder with access to the nodes of a cluster that is created by sahara with the vanilla plugin will have access to the database that backs the Oozie installation. With this access, the intruder could change the operational effects of Oozie to produce results other than expected, for example inserting new jobs or altering configurations associated with currently running jobs. As sahara has ultimate control over the deployment and configuration of Oozie on nodes deployed in its clusters, this hardcoded password should be changed in favor of a random password that will be generated uniquely for each deployed cluster. Oozie uses the values associated with the configurations defined in [2] to create the credentials, this means that the change should be a matter of simply changing the source valueof the password for the Oozie user. [1]: https://oozie.apache.org/ [2]: https://github.com/openstack/sahara/blob/master/sahara/plugins/vanilla/hadoop2/oozie_helper.py#L41 To manage notifications about this bug go to: https://bugs.launchpad.net/ossa/+bug/1541122/+subscriptions From 1590086 at bugs.launchpad.net Thu Jun 9 03:26:05 2016 From: 1590086 at bugs.launchpad.net (OpenStack Infra) Date: Thu, 09 Jun 2016 03:26:05 -0000 Subject: [Openstack-security] [Bug 1590086] Re: check_mode not set when using tags with security role References: <20160607171245.24975.77161.malonedeb@gac.canonical.com> Message-ID: <20160609032605.31796.10376.malone@soybean.canonical.com> Reviewed: https://review.openstack.org/326664 Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=d8ae1e3b04550f271d5561430a9008dee1cf4187 Submitter: Jenkins Branch: master commit d8ae1e3b04550f271d5561430a9008dee1cf4187 Author: Major Hayden Date: Tue Jun 7 13:05:49 2016 -0500 Set check_mode variable every time In check mode, the security role will fail when tags are used. This is because the check_mode variable wasn't being set when tags were provided. This patch ensures that the tasks that check for check mode and set the subsequent check_mode variable will run every time. Closes-bug: 1590086 Change-Id: Ib6a29ee4c36632cd6d982ce87105f0ddec4a891d ** Changed in: openstack-ansible Status: In Progress => Fix Released -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590086 Title: check_mode not set when using tags with security role Status in openstack-ansible: Fix Released Bug description: If a tag is provided with the security role in check mode, the check_mode variable is not set. This causes any tasks that depend on that variable to fail. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590086/+subscriptions From 1590086 at bugs.launchpad.net Thu Jun 9 13:24:43 2016 From: 1590086 at bugs.launchpad.net (OpenStack Infra) Date: Thu, 09 Jun 2016 13:24:43 -0000 Subject: [Openstack-security] [Bug 1590086] Fix proposed to openstack-ansible-security (stable/mitaka) References: <20160607171245.24975.77161.malonedeb@gac.canonical.com> Message-ID: <20160609132443.24741.15223.malone@gac.canonical.com> Fix proposed to branch: stable/mitaka Review: https://review.openstack.org/327657 -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590086 Title: check_mode not set when using tags with security role Status in openstack-ansible: Fix Released Bug description: If a tag is provided with the security role in check mode, the check_mode variable is not set. This causes any tasks that depend on that variable to fail. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590086/+subscriptions From 1590086 at bugs.launchpad.net Thu Jun 9 13:24:59 2016 From: 1590086 at bugs.launchpad.net (OpenStack Infra) Date: Thu, 09 Jun 2016 13:24:59 -0000 Subject: [Openstack-security] [Bug 1590086] Fix proposed to openstack-ansible-security (liberty) References: <20160607171245.24975.77161.malonedeb@gac.canonical.com> Message-ID: <20160609132459.31831.37019.malone@soybean.canonical.com> Fix proposed to branch: liberty Review: https://review.openstack.org/327658 -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590086 Title: check_mode not set when using tags with security role Status in openstack-ansible: Fix Released Bug description: If a tag is provided with the security role in check mode, the check_mode variable is not set. This causes any tasks that depend on that variable to fail. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590086/+subscriptions From major at mhtx.net Thu Jun 9 18:30:45 2016 From: major at mhtx.net (Major Hayden) Date: Thu, 09 Jun 2016 18:30:45 -0000 Subject: [Openstack-security] [Bug 1590916] [NEW] Running augenrules should trigger an auditd restart Message-ID: <20160609183045.31455.50670.malonedeb@soybean.canonical.com> Public bug reported: The security role runs augenrules to create the main audit rules file whenever the rules template changes, but the handlers weren't set up to restart the audit daemon right after. We should chain the handlers so that the augenrules handler will trigger a restart of auditd. This bug exists in master, mitaka, and liberty. ** Affects: openstack-ansible Importance: Medium Assignee: Major Hayden (rackerhacker) Status: Confirmed ** Tags: security -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590916 Title: Running augenrules should trigger an auditd restart Status in openstack-ansible: Confirmed Bug description: The security role runs augenrules to create the main audit rules file whenever the rules template changes, but the handlers weren't set up to restart the audit daemon right after. We should chain the handlers so that the augenrules handler will trigger a restart of auditd. This bug exists in master, mitaka, and liberty. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590916/+subscriptions From major at mhtx.net Thu Jun 9 18:13:17 2016 From: major at mhtx.net (Major Hayden) Date: Thu, 09 Jun 2016 18:13:17 -0000 Subject: [Openstack-security] [Bug 1590911] [NEW] Security role audit rules should have key fields Message-ID: <20160609181317.31455.73339.malonedeb@soybean.canonical.com> Public bug reported: The audit rules added by the security role should have a key field added so that it's easier to figure out which rule caused something to be audited. ** Affects: openstack-ansible Importance: Low Assignee: Major Hayden (rackerhacker) Status: Confirmed ** Tags: security -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590911 Title: Security role audit rules should have key fields Status in openstack-ansible: Confirmed Bug description: The audit rules added by the security role should have a key field added so that it's easier to figure out which rule caused something to be audited. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590911/+subscriptions From 1590916 at bugs.launchpad.net Thu Jun 9 19:06:14 2016 From: 1590916 at bugs.launchpad.net (OpenStack Infra) Date: Thu, 09 Jun 2016 19:06:14 -0000 Subject: [Openstack-security] [Bug 1590916] Re: Running augenrules should trigger an auditd restart References: <20160609183045.31455.50670.malonedeb@soybean.canonical.com> Message-ID: <20160609190615.2775.54894.malone@chaenomeles.canonical.com> Fix proposed to branch: master Review: https://review.openstack.org/327863 ** Changed in: openstack-ansible Status: Confirmed => In Progress -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590916 Title: Running augenrules should trigger an auditd restart Status in openstack-ansible: In Progress Bug description: The security role runs augenrules to create the main audit rules file whenever the rules template changes, but the handlers weren't set up to restart the audit daemon right after. We should chain the handlers so that the augenrules handler will trigger a restart of auditd. This bug exists in master, mitaka, and liberty. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590916/+subscriptions From 1590911 at bugs.launchpad.net Thu Jun 9 19:10:11 2016 From: 1590911 at bugs.launchpad.net (OpenStack Infra) Date: Thu, 09 Jun 2016 19:10:11 -0000 Subject: [Openstack-security] [Bug 1590911] Re: Security role audit rules should have key fields References: <20160609181317.31455.73339.malonedeb@soybean.canonical.com> Message-ID: <20160609191012.2626.18130.malone@chaenomeles.canonical.com> Fix proposed to branch: master Review: https://review.openstack.org/327872 ** Changed in: openstack-ansible Status: Confirmed => In Progress -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590911 Title: Security role audit rules should have key fields Status in openstack-ansible: In Progress Bug description: The audit rules added by the security role should have a key field added so that it's easier to figure out which rule caused something to be audited. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590911/+subscriptions From 1541122 at bugs.launchpad.net Thu Jun 9 19:12:48 2016 From: 1541122 at bugs.launchpad.net (OpenStack Infra) Date: Thu, 09 Jun 2016 19:12:48 -0000 Subject: [Openstack-security] [Bug 1541122] Change abandoned on sahara (master) References: <20160202222341.14647.37585.malonedeb@gac.canonical.com> Message-ID: <20160609191248.25043.12986.malone@gac.canonical.com> Change abandoned by Michael McCune (msm at redhat.com) on branch: master Review: https://review.openstack.org/312497 Reason: abandoning this as there is a change coming from another author -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1541122 Title: Vanilla plugin uses hardcoded password for Oozie MySQL database user Status in OpenStack Security Advisory: Won't Fix Status in Sahara: In Progress Bug description: When deploying clusters with the vanilla plugin, the Oozie[1] application must be configured to use a database for storing data related to the scheduling, running, and processing of Hadoop jobs. Oozie is the primary scheduler for jobs entering the Hadoop ecosystem through the vanilla plugin. Sahara configures the credentials for Oozie to access its database, this can be seen in sahara/plugins/vanilla/hadoop2/oozie_helper.py [2]. These credentials are hardcoded, and use a weak password. An intruder with access to the nodes of a cluster that is created by sahara with the vanilla plugin will have access to the database that backs the Oozie installation. With this access, the intruder could change the operational effects of Oozie to produce results other than expected, for example inserting new jobs or altering configurations associated with currently running jobs. As sahara has ultimate control over the deployment and configuration of Oozie on nodes deployed in its clusters, this hardcoded password should be changed in favor of a random password that will be generated uniquely for each deployed cluster. Oozie uses the values associated with the configurations defined in [2] to create the credentials, this means that the change should be a matter of simply changing the source valueof the password for the Oozie user. [1]: https://oozie.apache.org/ [2]: https://github.com/openstack/sahara/blob/master/sahara/plugins/vanilla/hadoop2/oozie_helper.py#L41 To manage notifications about this bug go to: https://bugs.launchpad.net/ossa/+bug/1541122/+subscriptions From 1590086 at bugs.launchpad.net Thu Jun 9 20:33:54 2016 From: 1590086 at bugs.launchpad.net (OpenStack Infra) Date: Thu, 09 Jun 2016 20:33:54 -0000 Subject: [Openstack-security] [Bug 1590086] Re: check_mode not set when using tags with security role References: <20160607171245.24975.77161.malonedeb@gac.canonical.com> Message-ID: <20160609203354.12169.94734.malone@wampee.canonical.com> Reviewed: https://review.openstack.org/327657 Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=f0848de629f9e9e595749ceef727ef53693f624d Submitter: Jenkins Branch: stable/mitaka commit f0848de629f9e9e595749ceef727ef53693f624d Author: Major Hayden Date: Thu Jun 9 08:19:27 2016 -0500 Set check_mode variable every time In check mode, the security role will fail when tags are used. This is because the check_mode variable wasn't being set when tags were provided. This patch ensures that the tasks that check for check mode and set the subsequent check_mode variable will run every time. This is a manual backport of Ib6a29ee4c36632cd6d982ce87105f0ddec4a891d since the master/Newton branch includes some new things for systemd that doesn't make sense in Mitaka/Liberty. Closes-bug: 1590086 Change-Id: Ib6a29ee4c36632cd6d982ce87105f0ddec4a891d ** Tags added: in-stable-mitaka ** Tags added: in-liberty -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590086 Title: check_mode not set when using tags with security role Status in openstack-ansible: Fix Released Bug description: If a tag is provided with the security role in check mode, the check_mode variable is not set. This causes any tasks that depend on that variable to fail. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590086/+subscriptions From 1590086 at bugs.launchpad.net Thu Jun 9 20:34:01 2016 From: 1590086 at bugs.launchpad.net (OpenStack Infra) Date: Thu, 09 Jun 2016 20:34:01 -0000 Subject: [Openstack-security] [Bug 1590086] Fix merged to openstack-ansible-security (liberty) References: <20160607171245.24975.77161.malonedeb@gac.canonical.com> Message-ID: <20160609203401.25149.51355.malone@gac.canonical.com> Reviewed: https://review.openstack.org/327658 Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=6213c87d51d00416475e1e97c13686e726c8f288 Submitter: Jenkins Branch: liberty commit 6213c87d51d00416475e1e97c13686e726c8f288 Author: Major Hayden Date: Thu Jun 9 08:19:27 2016 -0500 Set check_mode variable every time In check mode, the security role will fail when tags are used. This is because the check_mode variable wasn't being set when tags were provided. This patch ensures that the tasks that check for check mode and set the subsequent check_mode variable will run every time. This is a manual backport of Ib6a29ee4c36632cd6d982ce87105f0ddec4a891d since the master/Newton branch includes some new things for systemd that doesn't make sense in Mitaka/Liberty. Closes-bug: 1590086 Change-Id: Ib6a29ee4c36632cd6d982ce87105f0ddec4a891d -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590086 Title: check_mode not set when using tags with security role Status in openstack-ansible: Fix Released Bug description: If a tag is provided with the security role in check mode, the check_mode variable is not set. This causes any tasks that depend on that variable to fail. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590086/+subscriptions From 1590916 at bugs.launchpad.net Fri Jun 10 05:03:39 2016 From: 1590916 at bugs.launchpad.net (OpenStack Infra) Date: Fri, 10 Jun 2016 05:03:39 -0000 Subject: [Openstack-security] [Bug 1590916] Re: Running augenrules should trigger an auditd restart References: <20160609183045.31455.50670.malonedeb@soybean.canonical.com> Message-ID: <20160610050339.12134.94483.malone@wampee.canonical.com> Reviewed: https://review.openstack.org/327863 Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=809b6cb52db069fc2cfc4e22f11fef417a893195 Submitter: Jenkins Branch: master commit 809b6cb52db069fc2cfc4e22f11fef417a893195 Author: Major Hayden Date: Thu Jun 9 15:14:42 2016 -0500 Restart auditd after running augenrules The augenrules command joins together all of the audit rules from rules.d and it is run any time the audit rules template changes. However, the augenrules handler didn't actually restart auditd to apply the changes to the system. This patch fires off the auditd restart handler anytime the augenrules handler is notified. Closes-bug: 1590916 Change-Id: Ice83fe17ebb0e9edff9da897e435ae96c1778580 ** Changed in: openstack-ansible Status: In Progress => Fix Released -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590916 Title: Running augenrules should trigger an auditd restart Status in openstack-ansible: Fix Released Bug description: The security role runs augenrules to create the main audit rules file whenever the rules template changes, but the handlers weren't set up to restart the audit daemon right after. We should chain the handlers so that the augenrules handler will trigger a restart of auditd. This bug exists in master, mitaka, and liberty. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590916/+subscriptions From 1588544 at bugs.launchpad.net Fri Jun 10 07:43:03 2016 From: 1588544 at bugs.launchpad.net (OpenStack Infra) Date: Fri, 10 Jun 2016 07:43:03 -0000 Subject: [Openstack-security] [Bug 1588544] Fix merged to openstack-ansible-security (master) References: <20160602215527.19591.65378.malonedeb@wampee.canonical.com> Message-ID: <20160610074304.11671.88054.malone@wampee.canonical.com> Reviewed: https://review.openstack.org/325421 Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=ef69ba2fadfd9c484a5b009b79c0d27ee282613d Submitter: Jenkins Branch: master commit ef69ba2fadfd9c484a5b009b79c0d27ee282613d Author: Major Hayden Date: Thu Jun 9 09:02:50 2016 -0500 Add initial support for Red Hat Enterprise Linux 7 This patch adds initial support for Red Hat Enterprise Linux 7. Although it has been tested on release 7.2, it's not possible to test Red Hat Enterprise Linux in the OpenStack CI gate jobs. Release notes are included. Change-Id: I62e06b9b105bc901eab6a019a378b29691862658 Partial-bug: 1588544 -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1588544 Title: RHEL7 Support for ansible security Status in openstack-ansible: In Progress Bug description: I am attempting to take the latest openstack-ansible-security role and run standalone checks against RHEL 7.2 and I am finding that the often used method to exclude items when a --check is executed "when: not check_mode" fails and causes and exit. There are some cases where I have been able to get round this with ignore_errors: yes however that is not a solution. TASK: [security | V-38637 - Contents of auditd package must be verified] ****** fatal: [172.31.255.20] => error while evaluating conditional: not check_mode fatal: [172.31.255.21] => error while evaluating conditional: not check_mode fatal: [172.31.255.18] => error while evaluating conditional: not check_mode fatal: [172.31.255.15] => error while evaluating conditional: not check_mode fatal: [172.31.255.11] => error while evaluating conditional: not check_mode fatal: [172.31.255.12] => error while evaluating conditional: not check_mode fatal: [172.31.255.13] => error while evaluating conditional: not check_mode fatal: [172.31.255.24] => error while evaluating conditional: not check_mode fatal: [172.31.255.16] => error while evaluating conditional: not check_mode FATAL: all hosts have already failed -- aborting To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1588544/+subscriptions From 1590911 at bugs.launchpad.net Fri Jun 10 07:46:04 2016 From: 1590911 at bugs.launchpad.net (OpenStack Infra) Date: Fri, 10 Jun 2016 07:46:04 -0000 Subject: [Openstack-security] [Bug 1590911] Re: Security role audit rules should have key fields References: <20160609181317.31455.73339.malonedeb@soybean.canonical.com> Message-ID: <20160610074604.24623.96882.malone@gac.canonical.com> Reviewed: https://review.openstack.org/327872 Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=44e6056a933a53456711b6e8b3f2dae906830f8e Submitter: Jenkins Branch: master commit 44e6056a933a53456711b6e8b3f2dae906830f8e Author: Major Hayden Date: Thu Jun 9 13:42:18 2016 -0500 Add key fields to audit rules This patch adjusts the key fields in the audit rules that are added by the security rule to make it easier to link a log entry with the audit rules that caused it. Deployers with overflowing logs should be able to narrow down the rule much more easily. Closes-Bug: 1590911 Change-Id: I39c673d515467f685004463e914a0a1aaec3c153 ** Changed in: openstack-ansible Status: In Progress => Fix Released -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590911 Title: Security role audit rules should have key fields Status in openstack-ansible: Fix Released Bug description: The audit rules added by the security role should have a key field added so that it's easier to figure out which rule caused something to be audited. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590911/+subscriptions From 1590916 at bugs.launchpad.net Fri Jun 10 12:54:58 2016 From: 1590916 at bugs.launchpad.net (OpenStack Infra) Date: Fri, 10 Jun 2016 12:54:58 -0000 Subject: [Openstack-security] [Bug 1590916] Fix proposed to openstack-ansible-security (stable/mitaka) References: <20160609183045.31455.50670.malonedeb@soybean.canonical.com> Message-ID: <20160610125458.31112.32146.malone@soybean.canonical.com> Fix proposed to branch: stable/mitaka Review: https://review.openstack.org/328278 -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590916 Title: Running augenrules should trigger an auditd restart Status in openstack-ansible: Fix Released Bug description: The security role runs augenrules to create the main audit rules file whenever the rules template changes, but the handlers weren't set up to restart the audit daemon right after. We should chain the handlers so that the augenrules handler will trigger a restart of auditd. This bug exists in master, mitaka, and liberty. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590916/+subscriptions From 1590916 at bugs.launchpad.net Fri Jun 10 12:55:12 2016 From: 1590916 at bugs.launchpad.net (OpenStack Infra) Date: Fri, 10 Jun 2016 12:55:12 -0000 Subject: [Openstack-security] [Bug 1590916] Fix proposed to openstack-ansible-security (liberty) References: <20160609183045.31455.50670.malonedeb@soybean.canonical.com> Message-ID: <20160610125512.2181.86759.malone@chaenomeles.canonical.com> Fix proposed to branch: liberty Review: https://review.openstack.org/328279 -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590916 Title: Running augenrules should trigger an auditd restart Status in openstack-ansible: Fix Released Bug description: The security role runs augenrules to create the main audit rules file whenever the rules template changes, but the handlers weren't set up to restart the audit daemon right after. We should chain the handlers so that the augenrules handler will trigger a restart of auditd. This bug exists in master, mitaka, and liberty. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590916/+subscriptions From 1590911 at bugs.launchpad.net Fri Jun 10 12:59:18 2016 From: 1590911 at bugs.launchpad.net (OpenStack Infra) Date: Fri, 10 Jun 2016 12:59:18 -0000 Subject: [Openstack-security] [Bug 1590911] Fix proposed to openstack-ansible-security (stable/mitaka) References: <20160609181317.31455.73339.malonedeb@soybean.canonical.com> Message-ID: <20160610125918.25079.72450.malone@gac.canonical.com> Fix proposed to branch: stable/mitaka Review: https://review.openstack.org/328285 -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590911 Title: Security role audit rules should have key fields Status in openstack-ansible: Fix Released Bug description: The audit rules added by the security role should have a key field added so that it's easier to figure out which rule caused something to be audited. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590911/+subscriptions From 1590911 at bugs.launchpad.net Fri Jun 10 13:00:44 2016 From: 1590911 at bugs.launchpad.net (OpenStack Infra) Date: Fri, 10 Jun 2016 13:00:44 -0000 Subject: [Openstack-security] [Bug 1590911] Fix proposed to openstack-ansible-security (liberty) References: <20160609181317.31455.73339.malonedeb@soybean.canonical.com> Message-ID: <20160610130044.24506.10436.malone@gac.canonical.com> Fix proposed to branch: liberty Review: https://review.openstack.org/328288 -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590911 Title: Security role audit rules should have key fields Status in openstack-ansible: Fix Released Bug description: The audit rules added by the security role should have a key field added so that it's easier to figure out which rule caused something to be audited. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590911/+subscriptions From gerrit2 at review.openstack.org Mon Jun 13 13:02:04 2016 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Mon, 13 Jun 2016 13:02:04 +0000 Subject: [Openstack-security] [openstack/nova] SecurityImpact review request change Id586b2558fd4c7ed0eda3d3555d51fcd019eb414 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/115483 Log: commit ba67bb033db995798124a534404c04224fb37a9a Author: Solly Ross Date: Tue Aug 19 18:48:00 2014 -0400 Introduce VNC Security Proxy Framework This commit introduces the security proxying framework for VNC. Which class is being used to do the security proxying can be set on a per-traffic-type basis by pointing the appropriate configuration option to an appropriate subclass. Currently, only VNC is supported, via the configuration option 'novncproxy_security_driver'. The workflow for adding a new VNC security proxy driver is to subclass the traffic-type-specific security proxy base classes (e.g. RFBSecurityProxyHelper), and implement the `choose_security_type` and `security_handshake` methods. DocImpact SecurityImpact Implements bp: websocket-proxy-to-host-security Change-Id: Id586b2558fd4c7ed0eda3d3555d51fcd019eb414 From gerrit2 at review.openstack.org Mon Jun 13 13:02:10 2016 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Mon, 13 Jun 2016 13:02:10 +0000 Subject: [Openstack-security] [openstack/nova] SecurityImpact review request change I64859ad01120782fb17308aac3abb125597c3ea2 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/115484 Log: commit e84d58523d0f38ba803adb272b67c13a66c5684a Author: Solly Ross Date: Tue Aug 19 19:21:52 2014 -0400 Add VeNCrypt (TLS/x509) Security Proxy Driver This adds support for using x509/TLS security between the compute node and websocket proxy when using websockify to proxy VNC traffic. In order to use this with x509, an operator would have to set up client keys and certificates, as well as CA certificates, and configure libvirt to pass the appropriate options to QEmu (this is configured globally for libvirt, not by Nova). This process is documented on the libvirt website. Then, the operator would enable this driver and set the following options in /etc/nova/nova.conf: [console_proxy_tls] client_key = /path/to/client/keyfile client_cert = /path/to/client/cert.pem ca_certs = /path/to/ca/cert.pem SecurityImpact DocImpact Implements bp: websocket-proxy-to-host-security Change-Id: I64859ad01120782fb17308aac3abb125597c3ea2 From 1588544 at bugs.launchpad.net Mon Jun 13 15:57:34 2016 From: 1588544 at bugs.launchpad.net (OpenStack Infra) Date: Mon, 13 Jun 2016 15:57:34 -0000 Subject: [Openstack-security] [Bug 1588544] Fix proposed to openstack-ansible-security (master) References: <20160602215527.19591.65378.malonedeb@wampee.canonical.com> Message-ID: <20160613155734.2112.98091.malone@chaenomeles.canonical.com> Fix proposed to branch: master Review: https://review.openstack.org/329072 -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1588544 Title: RHEL7 Support for ansible security Status in openstack-ansible: In Progress Bug description: I am attempting to take the latest openstack-ansible-security role and run standalone checks against RHEL 7.2 and I am finding that the often used method to exclude items when a --check is executed "when: not check_mode" fails and causes and exit. There are some cases where I have been able to get round this with ignore_errors: yes however that is not a solution. TASK: [security | V-38637 - Contents of auditd package must be verified] ****** fatal: [172.31.255.20] => error while evaluating conditional: not check_mode fatal: [172.31.255.21] => error while evaluating conditional: not check_mode fatal: [172.31.255.18] => error while evaluating conditional: not check_mode fatal: [172.31.255.15] => error while evaluating conditional: not check_mode fatal: [172.31.255.11] => error while evaluating conditional: not check_mode fatal: [172.31.255.12] => error while evaluating conditional: not check_mode fatal: [172.31.255.13] => error while evaluating conditional: not check_mode fatal: [172.31.255.24] => error while evaluating conditional: not check_mode fatal: [172.31.255.16] => error while evaluating conditional: not check_mode FATAL: all hosts have already failed -- aborting To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1588544/+subscriptions From gerrit2 at review.openstack.org Mon Jun 13 16:35:36 2016 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Mon, 13 Jun 2016 16:35:36 +0000 Subject: [Openstack-security] [openstack/nova] SecurityImpact review request change Id586b2558fd4c7ed0eda3d3555d51fcd019eb414 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/115483 Log: commit a30f02e39e8e5b2ee9ab053f7771078f6ce3985f Author: Solly Ross Date: Tue Aug 19 18:48:00 2014 -0400 Introduce VNC Security Proxy Framework This commit introduces the security proxying framework for VNC. Which class is being used to do the security proxying can be set on a per-traffic-type basis by pointing the appropriate configuration option to an appropriate subclass. Currently, only VNC is supported, via the configuration option 'novncproxy_security_driver'. The workflow for adding a new VNC security proxy driver is to subclass the traffic-type-specific security proxy base classes (e.g. RFBSecurityProxyHelper), and implement the `choose_security_type` and `security_handshake` methods. DocImpact SecurityImpact Implements bp: websocket-proxy-to-host-security Change-Id: Id586b2558fd4c7ed0eda3d3555d51fcd019eb414 From gerrit2 at review.openstack.org Mon Jun 13 16:35:45 2016 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Mon, 13 Jun 2016 16:35:45 +0000 Subject: [Openstack-security] [openstack/nova] SecurityImpact review request change I64859ad01120782fb17308aac3abb125597c3ea2 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/115484 Log: commit 6cc5aa085f79871586098a6566b098a75c0eada3 Author: Solly Ross Date: Tue Aug 19 19:21:52 2014 -0400 Add VeNCrypt (TLS/x509) Security Proxy Driver This adds support for using x509/TLS security between the compute node and websocket proxy when using websockify to proxy VNC traffic. In order to use this with x509, an operator would have to set up client keys and certificates, as well as CA certificates, and configure libvirt to pass the appropriate options to QEmu (this is configured globally for libvirt, not by Nova). This process is documented on the libvirt website. Then, the operator would enable this driver and set the following options in /etc/nova/nova.conf: [console_proxy_tls] client_key = /path/to/client/keyfile client_cert = /path/to/client/cert.pem ca_certs = /path/to/ca/cert.pem SecurityImpact DocImpact Implements bp: websocket-proxy-to-host-security Change-Id: I64859ad01120782fb17308aac3abb125597c3ea2 From 1588544 at bugs.launchpad.net Mon Jun 13 19:30:19 2016 From: 1588544 at bugs.launchpad.net (OpenStack Infra) Date: Mon, 13 Jun 2016 19:30:19 -0000 Subject: [Openstack-security] [Bug 1588544] Re: RHEL7 Support for ansible security References: <20160602215527.19591.65378.malonedeb@wampee.canonical.com> Message-ID: <20160613193021.12204.33919.launchpad@wampee.canonical.com> ** Changed in: openstack-ansible Assignee: Major Hayden (rackerhacker) => Amy Marrich (amy-marrich) -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1588544 Title: RHEL7 Support for ansible security Status in openstack-ansible: In Progress Bug description: I am attempting to take the latest openstack-ansible-security role and run standalone checks against RHEL 7.2 and I am finding that the often used method to exclude items when a --check is executed "when: not check_mode" fails and causes and exit. There are some cases where I have been able to get round this with ignore_errors: yes however that is not a solution. TASK: [security | V-38637 - Contents of auditd package must be verified] ****** fatal: [172.31.255.20] => error while evaluating conditional: not check_mode fatal: [172.31.255.21] => error while evaluating conditional: not check_mode fatal: [172.31.255.18] => error while evaluating conditional: not check_mode fatal: [172.31.255.15] => error while evaluating conditional: not check_mode fatal: [172.31.255.11] => error while evaluating conditional: not check_mode fatal: [172.31.255.12] => error while evaluating conditional: not check_mode fatal: [172.31.255.13] => error while evaluating conditional: not check_mode fatal: [172.31.255.24] => error while evaluating conditional: not check_mode fatal: [172.31.255.16] => error while evaluating conditional: not check_mode FATAL: all hosts have already failed -- aborting To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1588544/+subscriptions From 1590911 at bugs.launchpad.net Tue Jun 14 10:31:00 2016 From: 1590911 at bugs.launchpad.net (OpenStack Infra) Date: Tue, 14 Jun 2016 10:31:00 -0000 Subject: [Openstack-security] [Bug 1590911] Re: Security role audit rules should have key fields References: <20160609181317.31455.73339.malonedeb@soybean.canonical.com> Message-ID: <20160614103100.25043.23752.malone@gac.canonical.com> Reviewed: https://review.openstack.org/328288 Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=fd51d68c4df13b1d8e35b35c38ce8e2c0860a1fb Submitter: Jenkins Branch: liberty commit fd51d68c4df13b1d8e35b35c38ce8e2c0860a1fb Author: Major Hayden Date: Thu Jun 9 13:42:18 2016 -0500 Add key fields to audit rules This patch adjusts the key fields in the audit rules that are added by the security rule to make it easier to link a log entry with the audit rules that caused it. Deployers with overflowing logs should be able to narrow down the rule much more easily. A manual cherry-pick of I39c673d515467f685004463e914a0a1aaec3c153 is required since the master branch has some additions for SELinux that don't make sense in Mitaka or Liberty. Closes-Bug: 1590911 Change-Id: I5c8757333eb22f35a120d78c8772f53c1c0bb9ca ** Tags added: in-liberty ** Tags added: in-stable-mitaka -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590911 Title: Security role audit rules should have key fields Status in openstack-ansible: Fix Released Bug description: The audit rules added by the security role should have a key field added so that it's easier to figure out which rule caused something to be audited. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590911/+subscriptions From 1590911 at bugs.launchpad.net Tue Jun 14 10:33:14 2016 From: 1590911 at bugs.launchpad.net (OpenStack Infra) Date: Tue, 14 Jun 2016 10:33:14 -0000 Subject: [Openstack-security] [Bug 1590911] Fix merged to openstack-ansible-security (stable/mitaka) References: <20160609181317.31455.73339.malonedeb@soybean.canonical.com> Message-ID: <20160614103314.31610.57403.malone@soybean.canonical.com> Reviewed: https://review.openstack.org/328285 Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=cc45bade6a63472a704deb2093c845f5541d895b Submitter: Jenkins Branch: stable/mitaka commit cc45bade6a63472a704deb2093c845f5541d895b Author: Major Hayden Date: Thu Jun 9 13:42:18 2016 -0500 Add key fields to audit rules This patch adjusts the key fields in the audit rules that are added by the security rule to make it easier to link a log entry with the audit rules that caused it. Deployers with overflowing logs should be able to narrow down the rule much more easily. A manual cherry-pick of I39c673d515467f685004463e914a0a1aaec3c153 is required since the master branch has some additions for SELinux that don't make sense in Mitaka or Liberty. Closes-Bug: 1590911 Change-Id: I5c8757333eb22f35a120d78c8772f53c1c0bb9ca -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590911 Title: Security role audit rules should have key fields Status in openstack-ansible: Fix Released Bug description: The audit rules added by the security role should have a key field added so that it's easier to figure out which rule caused something to be audited. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590911/+subscriptions From major at mhtx.net Tue Jun 14 12:51:46 2016 From: major at mhtx.net (Major Hayden) Date: Tue, 14 Jun 2016 12:51:46 -0000 Subject: [Openstack-security] [Bug 1588544] Re: RHEL7 Support for ansible security References: <20160602215527.19591.65378.malonedeb@wampee.canonical.com> Message-ID: <20160614125147.2181.77043.launchpad@chaenomeles.canonical.com> ** Changed in: openstack-ansible Assignee: Amy Marrich (amy-marrich) => Major Hayden (rackerhacker) -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1588544 Title: RHEL7 Support for ansible security Status in openstack-ansible: In Progress Bug description: I am attempting to take the latest openstack-ansible-security role and run standalone checks against RHEL 7.2 and I am finding that the often used method to exclude items when a --check is executed "when: not check_mode" fails and causes and exit. There are some cases where I have been able to get round this with ignore_errors: yes however that is not a solution. TASK: [security | V-38637 - Contents of auditd package must be verified] ****** fatal: [172.31.255.20] => error while evaluating conditional: not check_mode fatal: [172.31.255.21] => error while evaluating conditional: not check_mode fatal: [172.31.255.18] => error while evaluating conditional: not check_mode fatal: [172.31.255.15] => error while evaluating conditional: not check_mode fatal: [172.31.255.11] => error while evaluating conditional: not check_mode fatal: [172.31.255.12] => error while evaluating conditional: not check_mode fatal: [172.31.255.13] => error while evaluating conditional: not check_mode fatal: [172.31.255.24] => error while evaluating conditional: not check_mode fatal: [172.31.255.16] => error while evaluating conditional: not check_mode FATAL: all hosts have already failed -- aborting To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1588544/+subscriptions From 1590916 at bugs.launchpad.net Tue Jun 14 14:12:36 2016 From: 1590916 at bugs.launchpad.net (OpenStack Infra) Date: Tue, 14 Jun 2016 14:12:36 -0000 Subject: [Openstack-security] [Bug 1590916] Re: Running augenrules should trigger an auditd restart References: <20160609183045.31455.50670.malonedeb@soybean.canonical.com> Message-ID: <20160614141236.12134.78409.malone@wampee.canonical.com> Reviewed: https://review.openstack.org/328279 Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=e26c9112f95b2b3503dd8650bb9f49c11940d5a6 Submitter: Jenkins Branch: liberty commit e26c9112f95b2b3503dd8650bb9f49c11940d5a6 Author: Major Hayden Date: Thu Jun 9 15:14:42 2016 -0500 Restart auditd after running augenrules The augenrules command joins together all of the audit rules from rules.d and it is run any time the audit rules template changes. However, the augenrules handler didn't actually restart auditd to apply the changes to the system. This patch fires off the auditd restart handler anytime the augenrules handler is notified. Closes-bug: 1590916 Change-Id: Ice83fe17ebb0e9edff9da897e435ae96c1778580 (cherry picked from commit 809b6cb52db069fc2cfc4e22f11fef417a893195) ** Tags added: in-liberty ** Tags added: in-stable-mitaka -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590916 Title: Running augenrules should trigger an auditd restart Status in openstack-ansible: Fix Released Bug description: The security role runs augenrules to create the main audit rules file whenever the rules template changes, but the handlers weren't set up to restart the audit daemon right after. We should chain the handlers so that the augenrules handler will trigger a restart of auditd. This bug exists in master, mitaka, and liberty. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590916/+subscriptions From 1590916 at bugs.launchpad.net Tue Jun 14 14:13:02 2016 From: 1590916 at bugs.launchpad.net (OpenStack Infra) Date: Tue, 14 Jun 2016 14:13:02 -0000 Subject: [Openstack-security] [Bug 1590916] Fix merged to openstack-ansible-security (stable/mitaka) References: <20160609183045.31455.50670.malonedeb@soybean.canonical.com> Message-ID: <20160614141302.24975.41548.malone@gac.canonical.com> Reviewed: https://review.openstack.org/328278 Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=bf195e2ec7c85b4e521385092f2d30adae05205e Submitter: Jenkins Branch: stable/mitaka commit bf195e2ec7c85b4e521385092f2d30adae05205e Author: Major Hayden Date: Thu Jun 9 15:14:42 2016 -0500 Restart auditd after running augenrules The augenrules command joins together all of the audit rules from rules.d and it is run any time the audit rules template changes. However, the augenrules handler didn't actually restart auditd to apply the changes to the system. This patch fires off the auditd restart handler anytime the augenrules handler is notified. Closes-bug: 1590916 Change-Id: Ice83fe17ebb0e9edff9da897e435ae96c1778580 (cherry picked from commit 809b6cb52db069fc2cfc4e22f11fef417a893195) -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590916 Title: Running augenrules should trigger an auditd restart Status in openstack-ansible: Fix Released Bug description: The security role runs augenrules to create the main audit rules file whenever the rules template changes, but the handlers weren't set up to restart the audit daemon right after. We should chain the handlers so that the augenrules handler will trigger a restart of auditd. This bug exists in master, mitaka, and liberty. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1590916/+subscriptions From 1590185 at bugs.launchpad.net Tue Jun 14 16:08:00 2016 From: 1590185 at bugs.launchpad.net (Jean-Philippe Evrard) Date: Tue, 14 Jun 2016 16:08:00 -0000 Subject: [Openstack-security] [Bug 1590185] Re: "V-38496 - Gather problematic system accounts" check fails on RHEL 7 References: <20160607232139.12031.65314.malonedeb@wampee.canonical.com> Message-ID: <20160614160801.12385.81164.launchpad@wampee.canonical.com> ** Changed in: openstack-ansible Importance: Undecided => Low ** Changed in: openstack-ansible Status: New => Confirmed -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1590185 Title: "V-38496 - Gather problematic system accounts" check fails on RHEL 7 Status in openstack-ansible: Confirmed Bug description: The check "V-38496 - Gather problematic system accounts" fails gloriously due to RHEL 7 not using jinja2.8 by default. The specific issue is due to Jinja being 2.7 and not 2.8. If see the following error then you need to run "pip install Jinja2 --upgrade": TASK: [openstack-ansible-security | V-38496 - Gather problematic system accounts] *** fatal: [172.31.255.20] => Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 586, in _executor exec_rc = self._executor_internal(host, new_stdin) File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 789, in _executor_internal return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args) File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 1013, in _executor_internal_inner complex_args = template.template(self.basedir, complex_args, inject, fail_on_undefined=self.error_on_undefined_vars) File "/usr/lib/python2.7/site-packages/ansible/utils/template.py", line 140, in template d[k] = template(basedir, v, templatevars, lookup_fatal, depth, expand_lists, convert_bare, fail_on_undefined, filter_fatal) File "/usr/lib/python2.7/site-packages/ansible/utils/template.py", line 124, in template varname = template_from_string(basedir, varname, templatevars, fail_on_undefined) File "/usr/lib/python2.7/site-packages/ansible/utils/template.py", line 382, in template_from_string res = jinja2.utils.concat(rf) File "