[release-announce] openstack-ansible-security 15.0.0 (ocata)

no-reply at openstack.org
Fri May 26 07:54:15 UTC 2017


We are tickled pink to announce the release of:

openstack-ansible-security 15.0.0: OpenStack-Ansible: Host security hardening

This release is part of the ocata release series.

Download the package from:

    https://tarballs.openstack.org/ansible-hardening/

For more details, please see below.

Changes in openstack-ansible-security 14.0.0.0rc2..15.0.0
---------------------------------------------------------

2d4fb83 Add missing STIG ID tags
82cc48f Install python2-pyOpenSSL package on CentOS
333d11c Install python2-pyOpenSSL package on CentOS
dcad939 Only enable ssh, not start
656dad3 Use async for file perms corrections
9f4a20d Use async for updating ClamAV DB
602f3e0 Use async for RPM verification
a678596 Fix the regex
9b820be Update repo for stable/ocata
4c23bf1 Update UPPER_CONSTRAINTS_FILE for stable/ocata
bf514f7 Update .gitreview for stable/ocata
1025238 Restore RHEL 6 STIG content gating
8d223fe Move test plugins into security role
87b635e Always check for EFI
b14056e Don't fail when checking for FIPS
dc8dc3d Install chrony when enabled in RHEL7 STIG
dc949de Add Ubuntu audit packages for RHEL 7 STIG
cdcfb46 Fix clamav_service variable to "clamav-daemon"
6f6c08f Enable RHEL 7 STIG tasks as default [+Docs]
cd0fad3 Make umask change opt-in
354b87c Fix copy/paste error in task name
c322abe Updated from global requirements
ea8a0f0 Remove groupby filter to avoid bug
30ad9d5 DOC Remove some repeated words
f69e851 Updated the broken link
672c028 Fix pip check in run_tests.sh
2a11c9c Add openstack-ansible-plugins dependency
cce8ed6 Update and clean up run_tests.sh
17a4661 Fix invalid user/group checks bug
3e908d3 Handle SELinux properly when it is disabled
3942b20 Unblock security role gate
f60dc47 Fix a typo
de5f161 Updated from global requirements
9294b06 [Docs] Exceptions for user init files
8e82b13 Set cron.allow owner/group owner [+Docs]
c0517ec Find world-writable dirs with bad group owners
5fdee29 Set home dir mode/owner/group owner [+Docs]
ce386ec Add libxslt headers to bindep
1cf9fba Enable FIPS [+Docs]
111fa30 [Docs] Fix missing code-block property
61dd6e6 [Docs] Update for RHEL7 STIG
a0b88da Add checks for remote syslog [+Docs]
71a3847 Fix issues from new CentOS 7 release
325fe75 Ensure separate filesystems exist [+Docs]
f92f29d Set permissions on sshd host keys [+Docs]
7534fba Check for default SNMP comm strings [+Docs]
5b06a44 Check for TFTP secure mode [+Docs]
fc2c356 Restrict mail relaying [+Docs]
14fa6e5 Enable chrony [+Docs]
b1435ff Set TMOUT variable for all sessions [+Docs]
81807a1 Check for promiscuous interfaces [+Docs]
553ad01 Set action_email_acct in auditd [+Docs]
9f3921a Set space_left_action in auditd [+Docs]
42ca47b Set space_left in auditd [+Docs]
efbeb69 Add AIDE checks for ACL/xattrs [+Docs]
af84a27 Remove .shosts/shosts.equiv files [+Docs]
28cd873 Check for pam_lastlogin [+Docs]
404175d Check for cackey/coolkey values [+Docs]
4bee87b Check for ocsp_on in PKCS config [+Docs]
280e797 Set grub2 password [+Docs]
e5db852 Enable automatic package updates [+Docs]
505a4a9 Enable AIDE [+Docs]
0e05d2e Search for unlabeled device files [+Docs]
46bb44c [Docs] User init file exceptions
222627c [Docs] Refer to other control for firewalld
2944081 [Docs] Exception: firewall port auditing
0e8feaf Verify password age limits [+Docs]
d5ee4c3 Check for groups that don't exist [+Docs]
30c225b Extend get_users module to get groups
9c7b923 [Docs] Exception for firewalld config
d63a709 [Docs] Exception: Disable syslog reception
3d51712 [Docs] Exception: Add AUTH_GSS for NFS
fd4fa2d Set audisp failure options [+Docs]
806e364 Set maxlogins limit [+Docs]
2a17cd1 Disable accounts w/expired passwords [+Docs]
655b5f9 [Docs] Add missing docs for GSSAPI
e841a78 [Docs] Docs for TFTP server removal
c9aaf90 [Docs] Fix swapped docs
69db20a [Docs] Exception: grub on removable media
25f3d5c [Docs] Exception: logging level
5559b1c [Docs] Virus definition update frequency
1487c85 [Docs] Fix broken/missing auditd docs
439cd3d Enable/start auditd [+Docs]
85a337b [Docs] Exception for cron logging
21454af Disable kdump [+Docs]
83fe89e [Docs] Exception for user init file umask
ec68313 [Docs] Exceptions for filesystem mounts
4e8bf67 Trivial fix to the documentation
2ac6dd6 [Docs] Exception for removing unnecessary accounts
ab8cdc3 Fix status/tag for RHEL-07-010040
971c6df [Docs] Exception for removing default accounts
fa65790 Apply pam_faillock restrictions [+Docs]
113947b Delete deprecated Hacking in tox.ini
8ad6816 Set minimum password length [+Docs]
708cb62 Prevent password re-use [+Docs]
e06fc87 Ensure prep tasks have 'always' tag
0eef112 Refactor login.defs adjustments [+Docs]
711dc28 Updated from global requirements
f9a3a16 Check for two nameservers [+Docs]
0085792 Add firewalld rate limit rule [+Docs]
61dbdd6 Check for SHA512 password storage [+Docs]
3fa6fd2 Display MOTD warning banner [+Docs]
51bd12f Point roles docs bugs to openstack-ansible LP
e84a295 [Docs] Enable graphical login banner
992f196 Enable sshd [+Docs]
c777f73 Enable firewalld [+Docs]
40ca9cf Disable ctrl-alt-del key sequence [+Docs]
9880ceb Disable autofs [+Docs]
c229c43 Find files/dirs without valid owners [+Docs]
8fe505e Expire cached sssd authenticators [+Docs]
f61fc49 Require auth for sudo [+Docs]
fce1e4f Verify that home directories exist [+Docs]
acdd6d5 Create home directories by default [+Docs]
66ebdc9 Check for users w/o home dirs [+Docs]
637d0f3 Set lifetime limits for passwords [+Docs]
0eece28 Set auditd failure flag [+Docs]
3efe849 Enable SELinux/AppArmor [+Docs]
dcb3034 [Docs] Exceptions for disk encryption
aacea94 Disable usb-storage module [+Docs]
2739579 [Docs] Exception for SELinux user confinement
63a900f [Docs] Exception for MFA/smartcards
29cbeb5 [Docs] Apply password quality rules
06090a2 Ensure libuser crypt_style is SHA512 [+Docs]
63131e0 Ensure passwords hashed with SHA512 [+Docs]
c59d5b6 Apply password quality rules
b8597c8 [Docs] Capitalize severity
04ff6e1 Show team and repo badges on README
4c79244 Move common variables to common.yml
53ffc83 Use dynamic includes for speedup
85630fd Enable graphical login banner
57748b7 Correct lineinfile option
60a8205 [Docs] Refactor auditd rules
ff5bbe1 Refactor auditd rules
5c97321 Move clamav packages to rhel7 vars
6f256af [Docs] Set cn_map permissions/owner
6a3ee0f Set cn_map permissions/owner
4c91f21 Fix stig_packages_rhel7 typo
716232c [Docs] Securing sysctl configurations
746816c Securing sysctl configurations
1435ce5 [Doc] Exceptions for LDAP SSL/TLS checks
401f321 [Docs] Exception for PKI revocation
300c9f8 Check for other UID 0 accounts
215001c Add exception for supported release check
f23aace Handle sshd_config without Match properly
8868011 Disable repo GPG checks by default
8efb235 Change package state to 'present'
3c0cc41 Enable virus scanner
770b2ad [Docs] Set graphical session locks
5fbc456 Set graphical session locks
db2663b Automatically remove package deps
4405271 [Docs] Configure sshd based on the RHEL 7 STIG
1335d0b [Docs] Audit rules
09487fd Add template for audit rules
235ee06 Use ansible_service_mgr fact
9d12469 [Docs] Declutter controls listing
14baa91 [Docs] Exception for RHEL-07-040830
365ad65 Configure sshd based on the RHEL 7 STIG
f383afe Encrypt transmitted audit logs
8daae8c Transmit audit logs to other servers
a3e0f68 Remove deprecated always_run
9e66cde [Docs] Auditing setuid/setgid applications
35fa42e Refactor package removal
9d74dbd Install screen and ssh client/server
1f557eb Fix tags
0df4169 GPG verification for packages
e5f3528 Remove packages according to STIG
fec2cb3 Add conf file entry for chrony
23af709 Fix auditd restart handler
d63b6ce Remove ansible<2.2 apt cache hack
784a38e Speed up package install/removal
0b2a381 Fix linting issues for ansible-lint 3.4.1
7f7d1da [Docs] Adjust docs for Ocata
20976bc Updated from global requirements
8424eb4 Replace github with git.o.o
e4d3ea4 Add RHEL-07-010430 and RHEL-07-010431
19cfb16 [Docs] Add 'only' to clarify status
0637257 Add RHEL-07-010270 (ssh - empty password)
de92fbd [Docs] Fix indentation for bullets
bc9cc7b Fix stdout_lines check
1a0724d Security: Add tasks for RHEL-07-010260
0a7a993 Security: Add tasks for RHEL-07-010020
6971f03 Security: Add tasks for RHEL-07-010010
eed96b4 Use upper constraints for all tox targets
13e3fd4 Security: Remove quotes from extra vars
90c3630 Use centralised Ansible test scripts
c906216 Enable release notes translation
3fdc656 Initial docs scaffolding for RHEL 7 STIG
b87effb Add dividers to defaults/main.yml
4e7e57a Skip some test assertions for RHEL7 STIG
687dcdc Remove install_test_packages variable
d001b9d Initial scaffolding for RHEL 7 STIG
401ccd7 Skip V-38620 (chrony) in gate
4913b29 Updated from global requirements
b8c7c40 Update reno for stable/newton
ec1b42a Use centralised test scripts


Diffstat (except docs and test files)
-------------------------------------

.gitignore                                         |     4 +-
.gitreview                                         |     1 +
README.md                                          |     2 +-
README.rst                                         |     9 +
bindep.txt                                         |     6 +-
defaults/main.yml                                  |   302 +-
...Enterprise_Linux_7_STIG_V1R0-2_Manual-xccdf.xml | 10364 +++++++++++++++++++
files/aide_extra.conf                              |    14 +
files/dconf-profile-gdm                            |     3 +
files/dconf-user-profile                           |     2 +
handlers/main.yml                                  |    25 +-
library/get_users                                  |   122 +
manual-test.rc                                     |     2 +-
.../chrony-config-variable-7a1a7862c05c9675.yaml   |     5 +
.../package-state-present-951161faa5384abd.yaml    |     7 +
.../notes/rhel7-stig-default-f6c7c97498a8b2e7.yaml |    19 +
releasenotes/source/conf.py                        |     3 +
releasenotes/source/index.rst                      |     1 +
releasenotes/source/newton.rst                     |     6 +
tasks/aide.yml                                     |   115 -
tasks/apt.yml                                      |   112 -
tasks/auditd.yml                                   |   313 -
tasks/auth.yml                                     |   467 -
tasks/boot.yml                                     |    66 -
tasks/console.yml                                  |    59 -
tasks/file_perms.yml                               |   184 -
tasks/kernel.yml                                   |   222 -
tasks/lsm.yml                                      |    83 -
tasks/mail.yml                                     |    92 -
tasks/main.yml                                     |    52 +-
tasks/misc.yml                                     |   375 -
tasks/nfsd.yml                                     |    74 -
tasks/rhel6stig/aide.yml                           |    94 +
tasks/rhel6stig/apt.yml                            |   129 +
tasks/rhel6stig/auditd.yml                         |   290 +
tasks/rhel6stig/auth.yml                           |   408 +
tasks/rhel6stig/boot.yml                           |    66 +
tasks/rhel6stig/console.yml                        |    61 +
tasks/rhel6stig/file_perms.yml                     |   188 +
tasks/rhel6stig/kernel.yml                         |   222 +
tasks/rhel6stig/lsm.yml                            |    52 +
tasks/rhel6stig/mail.yml                           |    72 +
tasks/rhel6stig/main.yml                           |    42 +
tasks/rhel6stig/misc.yml                           |   339 +
tasks/rhel6stig/nfsd.yml                           |    74 +
tasks/rhel6stig/rpm.yml                            |   125 +
tasks/rhel6stig/services.yml                       |   167 +
tasks/rhel6stig/sshd.yml                           |   234 +
tasks/rhel7stig/aide.yml                           |   102 +
tasks/rhel7stig/apt.yml                            |    92 +
tasks/rhel7stig/auditd.yml                         |   186 +
tasks/rhel7stig/auth.yml                           |   521 +
tasks/rhel7stig/file_perms.yml                     |   187 +
tasks/rhel7stig/graphical.yml                      |   154 +
tasks/rhel7stig/kernel.yml                         |    94 +
tasks/rhel7stig/lsm.yml                            |    89 +
tasks/rhel7stig/main.yml                           |    86 +
tasks/rhel7stig/misc.yml                           |   408 +
tasks/rhel7stig/packages.yml                       |    90 +
tasks/rhel7stig/rpm.yml                            |    71 +
tasks/rhel7stig/sshd.yml                           |   108 +
tasks/rpm.yml                                      |   109 -
tasks/services.yml                                 |   312 -
tasks/sshd.yml                                     |   234 -
templates/chrony.conf.j2                           |     2 +-
templates/dconf-gdm-banner-message.j2              |     3 +
templates/dconf-screensaver-lock.j2                |    24 +
templates/dconf-session-user-config-lockout.j2     |     8 +
templates/osas-auditd-rhel7.j2                     |    97 +
templates/osas-auditd.j2                           |     6 +
templates/pam_faillock.j2                          |     3 +
templates/pwquality.conf.j2                        |     8 +
templates/sshd_config_block.j2                     |    58 +
test-requirements.txt                              |    12 +-
tox.ini                                            |   180 +-
vars/common.yml                                    |   337 +
vars/main.yml                                      |    30 +-
vars/redhat.yml                                    |   150 +-
vars/ubuntu.yml                                    |   134 +-
351 files changed, 20987 insertions(+), 3345 deletions(-)


Requirements updates
--------------------

diff --git a/test-requirements.txt b/test-requirements.txt
index 73b06a3..326f6eb 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -8 +8 @@ pyOpenSSL>=0.14 # Apache-2.0
-requests>=2.10.0 # Apache-2.0
+requests!=2.12.2,>=2.10.0 # Apache-2.0
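Review bot: the new `!=2.12.2` exclusion on the `requests` line carries no note of why that single release is blacklisted, so nobody will know when it is safe to drop it. Since this file is synced from global requirements, the rationale belongs in the commit message or a trailing comment on the line (for example `# 2.12.2 excluded per global-requirements, see <upstream issue>`), rather than only in the requirements tooling's history.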
@@ -12,2 +12,2 @@ ndg-httpsclient>=0.4.2;python_version<'3.0' # BSD
-sphinx!=1.3b1,<1.3,>=1.2.1 # BSD
-oslosphinx!=3.4.0,>=2.5.0 # Apache-2.0
+sphinx!=1.3b1,<1.4,>=1.2.1 # BSD
+oslosphinx>=4.7.0 # Apache-2.0
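Review bot: this hunk raises the `oslosphinx` floor from `>=2.5.0` to `>=4.7.0` while only moving the `sphinx` cap from `<1.3` to `<1.4`; worth confirming that oslosphinx 4.7.0's own sphinx requirement fits inside `<1.4`, since an incompatible pair here would only surface in the docs build, not in the unit tests. Dropping the old `!=3.4.0` exclusion is correct, as it is subsumed by the new minimum.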
@@ -16,3 +16,3 @@ doc8 # Apache-2.0
-reno>=1.8.0 # Apache2
-Jinja2>=2.8 # BSD License (3 clause)
-lxml>=2.3 # BSD
+reno>=1.8.0 # Apache-2.0
+Jinja2!=2.9.0,!=2.9.1,!=2.9.2,!=2.9.3,!=2.9.4,>=2.8 # BSD License (3 clause)
+lxml!=3.7.0,>=2.3 # BSD
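Review bot: the `Jinja2` line now enumerates five consecutive exclusions (`!=2.9.0` through `!=2.9.4`), which is the right form given that `!=2.9.*` would also block future fixed 2.9.x releases, but the reason for the block (and whether 2.9.5 is known good) should be stated in the commit message so the list can be pruned later. The `reno` license comment change from `Apache2` to `Apache-2.0` is a pure normalisation and is fine to carry in the same sync.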
