[release-announce] openstack-ansible-security 14.0.0 (newton)

no-reply at openstack.org
Fri May 26 07:53:51 UTC 2017


We are chuffed to announce the release of:

openstack-ansible-security 14.0.0: OpenStack-Ansible: Host security
hardening

This release is part of the newton release series.

Download the package from:

    https://tarballs.openstack.org/ansible-hardening/

For more details, please see below.

14.0.0
^^^^^^


New Features
************

* The role now enables auditing during early boot to comply with the
  requirements in V-38438. By default, the GRUB configuration
  variables in "/etc/default/grub.d/" will be updated and the active
  "grub.cfg" will be updated.

  Deployers can opt-out of the change entirely by setting a variable:

     security_enable_audit_during_boot: no

  Deployers may opt-in for the change without automatically updating
  the active "grub.cfg" file by setting the following Ansible
  variables:

     security_enable_audit_during_boot: yes
     security_enable_grub_update: no

* A task was added to disable secure ICMP redirects per the
  requirements in V-38526. This change can cause problems in some
  environments, so it is disabled by default. Deployers can enable the
  task (which disables secure ICMP redirects) by setting
  "security_disable_icmpv4_redirects_secure" to "yes".

* A new task was added to disable ICMPv6 redirects per the
  requirements in V-38548. However, since this change can cause
  problems in running OpenStack environments, it is disabled by
  default. Deployers who wish to enable this task (and disable ICMPv6
  redirects) should set "security_disable_icmpv6_redirects" to "yes".

* AIDE is configured to skip the entire "/var" directory when it
  does the database initialization and when it performs checks. This
  reduces disk I/O and allows these jobs to complete faster.

  This also allows the initialization to become a blocking process and
  Ansible will wait for the initialization to complete prior to
  running the next task.

* The auditd rules template included a rule that audited changes to
  the AppArmor policies, but the SELinux policy changes were not being
  audited. Any changes to SELinux policies in "/etc/selinux" are now
  being logged by auditd.

* Although the STIG requires martian packets to be logged, the
  logging is now disabled by default. The logs can quickly fill up a
  syslog server or make a physical console unusable.

  Deployers that need this logging enabled will need to set the
  following Ansible variable:

     security_sysctl_enable_martian_logging: yes

* The security role now has tasks that will disable the graphical
  interface on a server using upstart (Ubuntu 14.04) or systemd
  (Ubuntu 16.04 and CentOS 7). These changes take effect after a
  reboot.

  Deployers that need a graphical interface will need to set the
  following Ansible variable:

     security_disable_x_windows: no

* An Ansible task was added to disable the "rdisc" service on CentOS
  systems if the service is installed on the system.

  Deployers can opt-out of this change by setting
  "security_disable_rdisc" to "no".

* The Linux Security Module (LSM) that is appropriate for the Linux
  distribution in use will be automatically enabled by the security
  role by default. Deployers can opt out of this change by setting the
  following Ansible variable:

     security_enable_linux_security_module: False

  The documentation for STIG V-51337 has more information about how
  each LSM is enabled along with special notes for SELinux.

* A task was added that restricts ICMPv4 redirects to meet the
  requirements of V-38524 in the STIG. This configuration is disabled
  by default since it could cause issues with LXC in some
  environments.

  Deployers can enable this configuration by setting an Ansible
  variable:

     security_disable_icmpv4_redirects: yes

* The audit rules added by the security role now have key fields
  that make it easier to link the audit log entry to the audit rule
  that caused it to appear.

* A new configuration parameter "security_ntp_bind_local_interfaces"
  was added to the security role to restrict the network interfaces on
  which chronyd listens for NTP requests.

* The security role now supports the ability to configure whether
  apt/yum tasks install the latest available package, or just ensure
  that the package is present. The default action is to ensure that
  the latest package is present. The action taken may be changed to
  only ensure that the package is present by setting
  "security_package_state" to "present".

* The GPG key checks for package verification in V-38476 are now
  working for Red Hat Enterprise Linux 7 in addition to CentOS 7. The
  checks only look for GPG keys from Red Hat and any other GPG keys,
  such as ones imported from the EPEL repository, are skipped.

* Tasks were added to search for any device files without a proper
  SELinux label on CentOS systems. If any of these device labels are
  found, the playbook execution will stop with an error message.

* The openstack-ansible-security role supports the application of
  the Red Hat Enterprise Linux 6 STIG configurations to systems
  running CentOS 7 and Ubuntu 16.04 LTS.


Upgrade Notes
*************

* The variable "security_audit_apparmor_changes" is now renamed to
  "security_audit_mac_changes" and is enabled by default. Setting
  "security_audit_mac_changes" to "no" will disable syscall auditing
  for any changes to AppArmor policies (in Ubuntu) or SELinux policies
  (in CentOS).

* The variable "security_sysctl_enable_tcp_syncookies" has replaced
  "security_sysctl_tcp_syncookies" and it is now a boolean instead of
  an integer.  It is still enabled by default, but deployers can
  disable TCP syncookies by setting the following Ansible variable:

     security_sysctl_enable_tcp_syncookies: no

* The security role always checks whether the latest package is
  installed when executed. If a deployer wishes to change the check to
  only validate the presence of the package, the option
  "security_package_state" should be set to "present".

* All of the discretionary access control (DAC) auditing is now
  disabled by default. This reduces the amount of logs generated
  during deployments and minor upgrades.  The following variables are
  now set to "no":

     security_audit_DAC_chmod: no
     security_audit_DAC_chown: no
     security_audit_DAC_lchown: no
     security_audit_DAC_fchmod: no
     security_audit_DAC_fchmodat: no
     security_audit_DAC_fchown: no
     security_audit_DAC_fchownat: no
     security_audit_DAC_fremovexattr: no
     security_audit_DAC_lremovexattr: no
     security_audit_DAC_fsetxattr: no
     security_audit_DAC_lsetxattr: no
     security_audit_DAC_setxattr: no

* All variables in the security role are now prepended with
  "security_" to avoid collisions with variables in other roles. All
  deployers who have used the security role in previous releases will
  need to prepend all security role variables with "security_".

  For example, a deployer could have disabled direct root ssh logins
  with the following variable:

     ssh_permit_root_login: yes

  That variable would become:

     security_ssh_permit_root_login: yes
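The three renames above (the blanket "security_" prefix, the AppArmor-to-MAC rename and the integer-to-boolean change for TCP syncookies) as an added migration helper; this is example code written for this note, not part of the role. It assumes a flat "key: value" override file in which every unprefixed variable belongs to the security role, and the sample file is constructed.

```python
# Explicit old-name -> new-name renames called out in the 14.0.0 upgrade notes.
RENAMED = {
    "security_audit_apparmor_changes": "security_audit_mac_changes",
    "security_sysctl_tcp_syncookies": "security_sysctl_enable_tcp_syncookies",
}
# Variables that changed from an integer (0/1) to a boolean in 14.0.0.
INT_TO_BOOL = {"security_sysctl_enable_tcp_syncookies"}
PREFIX = "security_"

# Constructed pre-14.0.0 override fragment (flat "key: value" lines only).
SAMPLE_OLD_VARS = """\
# constructed example, not taken from a real deployment
ssh_permit_root_login: yes
security_audit_apparmor_changes: yes
security_sysctl_tcp_syncookies: 1
security_package_state: latest
"""


def parse_scalar(text):
    """Interpret a YAML 1.1 style scalar the way Ansible reads these variables."""
    low = text.strip().lower()
    if low in ("yes", "true", "on"):
        return True
    if low in ("no", "false", "off"):
        return False
    if low.lstrip("-").isdigit():
        return int(low)
    return text.strip()


def parse_flat_vars(text):
    """Parse a flat vars file; nested structures are deliberately unsupported."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"cannot parse line: {line!r}")
        result[key.strip()] = parse_scalar(value)
    return result


def migrate_name(name):
    """Apply the explicit renames first, then the blanket security_ prefix."""
    if name in RENAMED:
        return RENAMED[name]
    return name if name.startswith(PREFIX) else PREFIX + name


def migrate_variables(old_vars):
    """Return a dict with 14.0.0 names and types; refuse to silently clobber."""
    new_vars = {}
    for name, value in old_vars.items():
        new_name = migrate_name(name)
        if new_name in new_vars:
            raise ValueError(f"{name!r} collides with another variable as {new_name!r}")
        # bool is a subclass of int, so exclude it before converting 0/1 values
        if new_name in INT_TO_BOOL and isinstance(value, int) and not isinstance(value, bool):
            value = value != 0
        new_vars[new_name] = value
    return new_vars


def render_flat_vars(variables):
    """Emit Ansible style flat YAML, writing booleans as yes/no."""
    lines = []
    for key, value in variables.items():
        if isinstance(value, bool):
            value = "yes" if value else "no"
        lines.append(f"{key}: {value}")
    return "\n".join(lines) + "\n"
```

Run it over the real override file only after confirming no unrelated role variables share that file, since anything unprefixed is rewritten.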


Bug Fixes
*********

* The "/run" directory is excluded from AIDE checks since the files
  and directories there are only temporary and often change when
  services start and stop.

* AIDE initialization is now always run on subsequent playbook runs
  when "security_initialize_aide" is set to "yes". The initialization
  will be skipped if AIDE isn't installed or if the AIDE database
  already exists.

  See bug 1616281 (https://launchpad.net/bugs/1616281) for more
  details.

* The role previously did not restart the audit daemon after
  generating a new rules file. The bug
  (https://launchpad.net/bugs/1590916) has been fixed and the audit
  daemon will be restarted after any audit rule changes.

* The dictionary-based variables in "defaults/main.yml" are now
  individual variables. The dictionary-based variables could not be
  changed as the documentation instructed. Instead it was required to
  override the entire dictionary. Deployers must use the new variable
  names to enable or disable the security configuration changes
  applied by the security role. For more information, see Launchpad
  Bug 1577944 (https://bugs.launchpad.net/openstack-ansible/+bug/1577944).

* Failed access logging is now disabled by default and can be
  enabled by changing "security_audit_failed_access" to "yes". The
  rsyslog daemon checks for the existence of log files regularly and
  this audit rule was triggered very frequently, which led to very
  large audit logs.

* An Ansible task was added to disable the "netconsole" service on
  CentOS systems if the service is installed on the system.

  Deployers can opt-out of this change by setting
  "security_disable_netconsole" to "no".

* The security role previously set the permissions on all audit log
  files in "/var/log/audit" to "0400", but this prevents the audit
  daemon from writing to the active log file. This will prevent
  "auditd" from starting or restarting cleanly.

  The task now removes any permissions that are not allowed by the
  STIG. Any log files that meet or exceed the STIG requirements will
  not be modified.

* When the security role was run in Ansible's check mode and a tag
  was provided, the "check_mode" variable was not being set. Any tasks
  which depend on that variable would fail. This bug is fixed
  (https://bugs.launchpad.net/openstack-ansible/+bug/1590086) and the
  "check_mode" variable is now set properly on every playbook run.

* The security role now handles "ssh_config" files that contain
  "Match" stanzas. A marker is added to the configuration file and any
  new configuration items will be added below that marker. In
  addition, the configuration file is validated for each change to the
  ssh configuration file.

* The auditd rules for auditing V-38568 (filesystem mounts) were
  incorrectly labeled in the auditd logs with the key of
  "export-V-38568". They are now correctly logged with the key
  "filesystem_mount-V-38568".
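The key fields described under New Features and the V-38568 key correction above, as an added example that is not part of the role or this announcement: a small parser over constructed auditd records that groups SYSCALL events by the STIG id at the end of the key, so records written with the old "export-V-38568" key and the corrected "filesystem_mount-V-38568" key land under the same control. The "sshd_config" key and all event data are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed auditd records (events, pids and timestamps are made up).
# Two records carry the corrected key from this release, one carries the old
# "export-V-38568" spelling from a log written before the upgrade, one is an
# unkeyed event and one uses a constructed key with no STIG id in it.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1495782831.123:4567): arch=c000003e syscall=165 success=yes exit=0 items=2 ppid=1 pid=2210 auid=1000 uid=0 comm="mount" exe="/bin/mount" key="filesystem_mount-V-38568"
type=CWD msg=audit(1495782831.123:4567): cwd="/root"
type=SYSCALL msg=audit(1495782835.456:4570): arch=c000003e syscall=165 success=yes exit=0 items=2 ppid=1 pid=2230 auid=1000 uid=0 comm="mount" exe="/bin/mount" key="export-V-38568"
type=SYSCALL msg=audit(1495782840.789:4581): arch=c000003e syscall=165 success=no exit=-1 items=2 ppid=2100 pid=2250 auid=1000 uid=1000 comm="mount" exe="/bin/mount" key="filesystem_mount-V-38568"
type=SYSCALL msg=audit(1495782850.012:4599): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=2300 auid=4294967295 uid=0 comm="cron" exe="/usr/sbin/cron" key=(null)
type=SYSCALL msg=audit(1495782855.345:4610): arch=c000003e syscall=2 success=yes exit=4 items=1 ppid=2100 pid=2310 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="sshd_config"
"""

# name=value pairs; values are quoted strings, parenthesised tokens such as
# (null), or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\([^)]*\)|\S+)')
STIG_ID_RE = re.compile(r"(V-\d+)$")


def parse_audit_line(line):
    """Split one auditd record into a dict; quoted values lose their quotes
    and an unkeyed record (key=(null)) yields key=None."""
    fields = {}
    for name, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        elif value == "(null)":
            value = None
        fields[name] = value
    return fields


def stig_id_from_key(key):
    """Return the STIG id encoded at the end of a rule key, or None."""
    if not key:
        return None
    match = STIG_ID_RE.search(key)
    return match.group(1) if match else None


def summarize_by_stig(log_text):
    """Count SYSCALL records per STIG id, remembering which key spellings
    produced them, and count records that carried no key at all."""
    summary = defaultdict(Counter)
    unkeyed = 0
    for line in log_text.splitlines():
        record = parse_audit_line(line)
        if record.get("type") != "SYSCALL":
            continue
        key = record.get("key")
        if key is None:
            unkeyed += 1
            continue
        summary[stig_id_from_key(key) or "no-stig-id"][key] += 1
    return dict(summary), unkeyed


def events_for_control(log_text, stig_id):
    """Return (comm, success) pairs for every SYSCALL record tied to a STIG id."""
    return [(r.get("comm"), r.get("success"))
            for r in map(parse_audit_line, log_text.splitlines())
            if r.get("type") == "SYSCALL" and stig_id_from_key(r.get("key")) == stig_id]
```

Searching by STIG id rather than by the full key string is what keeps pre-upgrade and post-upgrade logs comparable after the rename.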

Changes in openstack-ansible-security 13.0.0..14.0.0
----------------------------------------------------

72ef48f Update tox.ini tests target for stable/newton
5ee9ead Skip V-38620 (chrony) in gate
5f263af Use centralised test scripts
081e46e Update UPPER_CONSTRAINTS_FILE for stable/newton
888fd8e Update .gitreview for stable/newton
f460a97 [Docs] Fix sphinx pickling error
481ad31 Force Ansible to use dynamic includes
bb37cfd Fix a minor typo in documentation
e5a346f Update testing bits for consistency
4cdf533 [Docs] More cleanup
c93b167 Add network conf auditing on CentOS
3d6cac0 [Docs] Update configuration/controls docs
3c19f00 [Docs] Metadata cleanup
4b6cbd5 [Docs] Update dev guide for metadata docs
79eeaa4 Updated from global requirements
e57593d Automate the STIG documentation
28c73b4 Use command to avoid alias execution for log compression in CI
6d67b6a Rename collected logs for easier CI viewing
98fdd52 Disable DAC change auditing
1889953 Collect compressed logs after functional test execution
2aca828 Adding V-38438 (auditd during boot)
e58ae24 Disable martian logging by default
83dd342 Add additional nullok check
427cd00 Enable log collection after functional testing
1fdd5b4 Remove extra AIDE tasks
129e629 Exclude /run from AIDE checks
4525cae Updated from global requirements
87e2190 Disable automatic ToC generation
578ce32 Ensure AIDE initializes on subsequent runs
31823b7 Implemented: V-38548.
a189e05 Fix numbering on V-38583
fb33be7 Update to Ansible 2.1.1
8945ecb Restore logrotate cron job in CI
9ea5033 Fix AIDE cron job creation
862b713 Make all linting tests use upper-constraints
2c4393f Added SNI support for os_security role via OS packages
822ffad Add AIDE cron job in CentOS 7
704e1c8 Implemented: V-38526.
36e7d54 Updated from global requirements
f85e9e4 Skip SNMPv1/2 (V-38660) checks in gate
06997d1 Add python packages for SNI support in tests
f1acb0f Move other-requirements.txt to bindep.txt
1625f2a Add workaround for CVE-2016-5696
675c9e8 Show idempotency check output
a715acf Fix auditd rpmverify check
8d2cde7 Add python-apt for check mode
c458db6 Include ansible commands for ansible linting
43c81eb Adjust TCP syncookes variable to bool
08bd55d Correct tags attribute typo
70d9224 Add ability to change apt/yum package state
088884c Ensure that doc linting is included in the linters test
5e70944 Add audit rules to support ppc64le architecture.
fa11dd4 Add idempotency check
983f20a Updated from global requirements
20b8d9a Fix duplicated config options in auditd.conf
7f7098c Restore check/audit test in tox.ini
b5b92c1 Fix chrony daemon name for rh derivatives
cc01563 Use plugins repo version of the human_log callback plugin
7eeaf92 Updated from global requirements
e75613e Resolve 'E501 line too long' linters error
7003129 Remove doc8 check ignores
7751415 Update sphinx configuration
65293e8 Update tox configuration
e831f70 Docs: Add note about RHEL 7 testing
432a9eb Switch to openstackdocs theme
5f8a93c Ignore ansible-lint warnings about rpm command usage
076be96 Docs: Fix rendering of :orphan:
a95aeaa Pin test-requirements to match OpenStack requirements
ff07803 Add support for Xenial and CentOS 7 to the Vagrantfile
2538d3c Fix documentation warnings from sphinx
6a9230c Ensure aide-common package is installed
ba25681 Use standard check for systemd
b937e5b Docs: Specify supported distributions
809b6cb Restart auditd after running augenrules
44e6056 Add key fields to audit rules
ef69ba2 Add initial support for Red Hat Enterprise Linux 7
24f3f73 Add release note for V-38524 implementation
d56468f Docs: Add developer guide for security role
03d436f Fix grub configuration file path in RHEL/CentOS 7
d8ae1e3 Set check_mode variable every time
ee00627 Add check/audit to gate testing
5112569 Implemented: V-38524.
2683e56 Fix broken check mode for CentOS 7
45330fe Don't start LSM in check mode
ecb0329 Consistency for multi-os in the includes
bf28fdf Search for unlabeled device files
42deedc Remove one more "FAILED" from a custom fail message
40634db Add /etc/apparmor.d/ for auditing
6476ef7 Ensure V-38574 works reliably on CentOS
65a7bc4 Setting default runlevel/target to non-graphical
9fbe88a Fix unlocked account check on Ansible 2.2
09a60bf Remove "FAILED" from custom fail messages
7d2964a Add a note to the README file where to report bugs
7b313ee Adding audit rule for SELinux policy modifications
3114703 Add new parameter 'security_ntp_bind_local_interfaces_only'
31424a4 Enable LSM instead of checking status
a841e18 Docs: Update dev notes for Cat 2 controls
32ce224 Docs: Update dev notes for Cat 3 controls
e954ff5 Docs: Update dev notes for Cat 1 controls
a972b4f Fix null password auth in CentOS
490d2f4 Fix auditd log permission bug
5cd0192 Fixing the "dry-run" errors.
2459cb4 Disable the rdisc service (if present)
3107e7c Disable the netconsole service (if present)
750260d Use ansible_managed variable in templates
05e3a1f Do not use bare variables with with_items
b562271 Use fail module instead of debug module with failed_when
8a3a83a Add multi-release docs index
22c4c21 Add CentOS 7 and Ubuntu 16.04 support
fa28004 Migrate to unique variable names
54de1b5 Handle Match properly in sshd_config
6f8b686 Removing equal signs in docs
f5061fd Switch from dict to individual variables
c7d2d84 Add .swp files to .gitignore
e57f251 Fix verbiage in docs on auditd rule
19999b4 Add dependencies for paramiko 2.0
77b8b45 Disable failed access auditd logging
8389ec0 Add reno scaffolding for release notes management
5b5eabd blacklist Ansible 1.9.6
d1ca8db Add ability to enable unattended upgrades
e44efd0 Doc updates
72cbd94 Fix flake8 violation in conf.py
9058a3f Improved search for unlocked system accounts


Diffstat (except docs and test files)
-------------------------------------

.gitignore                                         |   19 +-
.gitreview                                         |    1 +
README.md                                          |   50 +-
README.rst                                         |   26 +-
Vagrantfile                                        |   59 +-
bindep.txt                                         |   44 +
defaults/main.yml                                  |  237 +-
files/20auto-upgrades                              |    2 +
handlers/main.yml                                  |   23 +-
manual-test.rc                                     |   33 +
meta/main.yml                                      |    4 +
other-requirements.txt                             |   16 -
releasenotes/notes/.placeholder                    |    0
.../notes/add-v38438-3f7e905892be4b4f.yaml         |   21 +
.../notes/adding-v38526-381a407caa566b14.yaml      |    8 +
.../notes/adding-v38548-9c51b30bf9780ff3.yaml      |    8 +
.../notes/aide-exclude-run-4d3c97a2d08eb373.yaml   |    6 +
.../aide-initialization-fix-16ab0223747d7719.yaml  |   17 +
...diting-mac-policy-changes-fb83e0260a6431ed.yaml |   15 +
.../notes/augenrules-restart-39fe3e1e2de3eaba.yaml |    5 +
...figurable-martian-logging-370ede40b036db0b.yaml |   13 +
...tionary-variables-removed-957c7b7b2108ba1f.yaml |    9 +
...iled-access-audit-logging-789dc01c8bcbef17.yaml |    6 +
...sable-graphical-interface-5db89cd1bef7e12d.yaml |   13 +
...isable-netconsole-service-915bb33449b4012c.yaml |    7 +
.../disabling-rdisc-centos-75115b3509941bfa.yaml   |    8 +
.../notes/enable-lsm-bae903e463079a3f.yaml         |   14 +
...ble-tcp-syncookes-boolean-4a884a66a3a0e4d7.yaml |   11 +
...-audit-log-permission-bug-81a772e2e6d0a5b3.yaml |   10 +
.../fix-check-mode-with-tags-bf798856a27c53eb.yaml |    7 +
...ndling-sshd-match-stanzas-fa40b97689004e46.yaml |    7 +
.../notes/implemented-v38524-b357edec95128307.yaml |   12 +
.../improved-audit-rule-keys-9fa85f758386446c.yaml |    5 +
...ind-local-interfaces-only-05f03de632e81097.yaml |    5 +
.../notes/package-state-6684c5634bdf127a.yaml      |   13 +
.../reduce-auditd-logging-633677a74aee5481.yaml    |   25 +
.../notes/rhel-gpg-check-0b483a824314d1b3.yaml     |    7 +
...rch-for-unlabeled-devices-cb047c5f767e93ce.yaml |    6 +
...support-for-centos-xenial-2b89c318cc3df4b0.yaml |    5 +
...unique-variable-migration-c0639030b495438f.yaml |   20 +
releasenotes/source/_static/.placeholder           |    0
releasenotes/source/_templates/.placeholder        |    0
releasenotes/source/conf.py                        |  281 ++
releasenotes/source/index.rst                      |   10 +
releasenotes/source/liberty.rst                    |    6 +
releasenotes/source/mitaka.rst                     |    6 +
releasenotes/source/unreleased.rst                 |    5 +
setup.cfg                                          |    2 +-
setup.py                                           |   11 +-
tasks/aide.yml                                     |  115 +
tasks/apt.yml                                      |   60 +-
tasks/auditd.yml                                   |   97 +-
tasks/auth.yml                                     |  167 +-
tasks/boot.yml                                     |   32 +-
tasks/console.yml                                  |   27 +-
tasks/file_perms.yml                               |   18 +-
tasks/kernel.yml                                   |   67 +-
tasks/lsm.yml                                      |   83 +
tasks/mail.yml                                     |   27 +-
tasks/main.yml                                     |   56 +-
tasks/misc.yml                                     |  218 +-
tasks/nfsd.yml                                     |   24 +-
tasks/rpm.yml                                      |  109 +
tasks/services.yml                                 |  191 +-
tasks/sshd.yml                                     |   82 +-
templates/ZZ_aide_exclusions.j2                    |    5 +-
templates/chrony.conf.j2                           |   14 +-
templates/jail.local.j2                            |    6 +-
templates/osas-auditd.j2                           |  346 +-
test-requirements.txt                              |   22 +-
tox.ini                                            |  172 +-
vars/redhat.yml                                    |   38 +
vars/ubuntu.yml                                    |   41 +
889 files changed, 10206 insertions(+), 10525 deletions(-)


Requirements updates
--------------------

diff --git a/test-requirements.txt b/test-requirements.txt
index 3422d65..73b06a3 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -1,4 +1,9 @@
-ansible-lint<=2.3.9
-ansible>=1.9.1,<2.0.0
-bashate
-flake8
+# The order of packages is significant, because pip processes them in the order
+# of appearance. Changing the order has an impact on the overall integration
+# process, which may cause wedges in the gate later.
+bashate>=0.2 # Apache-2.0
+flake8<2.6.0,>=2.5.4 # MIT
+pyasn1 # BSD
+pyOpenSSL>=0.14 # Apache-2.0
+requests>=2.10.0 # Apache-2.0
+ndg-httpsclient>=0.4.2;python_version<'3.0' # BSD
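Review bot: ansible-lint<=2.3.9 and ansible>=1.9.1,<2.0.0 disappear from test-requirements.txt with no replacement visible in this hunk; if Ansible and its linter are now installed by tox.ini or the centralised test scripts, the commit message should say so, since anyone running `pip install -r test-requirements.txt` to lint locally will no longer get them. Also, pyasn1 is the only new entry without a lower bound, unlike the neighbouring `pyOpenSSL>=0.14 # Apache-2.0` and `requests>=2.10.0 # Apache-2.0`; adding a floor keeps the SNI support these packages were added for reproducible in the gate.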
@@ -7,2 +12,7 @@ flake8
-sphinx!=1.2.0,!=1.3b1,<1.3,>=1.1.2
-oslosphinx>=2.5.0 # Apache-2.0
+sphinx!=1.3b1,<1.3,>=1.2.1 # BSD
+oslosphinx!=3.4.0,>=2.5.0 # Apache-2.0
+openstackdocstheme>=1.5.0 # Apache-2.0
+doc8 # Apache-2.0
+reno>=1.8.0 # Apache2
+Jinja2>=2.8 # BSD License (3 clause)
+lxml>=2.3 # BSD
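Review bot: the license tag on `reno>=1.8.0 # Apache2` is spelled differently from `# Apache-2.0` on every other line in this file; keep the tags uniform so that anything checking them matches. In the same hunk, doc8 is the only addition with no version floor, and `sphinx!=1.3b1,<1.3,>=1.2.1 # BSD` raises the floor while keeping the `<1.3` ceiling, which deserves a sentence in the commit message so the retained cap is not mistaken for an oversight.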