[release-announce] [openstackansible] ansible-hardening 16.0.1 (pike)

no-reply at openstack.org
Thu Oct 5 20:52:45 UTC 2017


We are pleased to announce the release of:

ansible-hardening 16.0.1: OpenStack-Ansible: Host security hardening

This release is part of the pike stable release series.

Download the package from:

    https://tarballs.openstack.org/ansible-hardening/

For more details, please see below.

16.0.1
^^^^^^


New Features
************

* Deployers can now specify a custom package name or URL for an EPEL
  release package. CentOS systems use "epel-release" by default, but
  some deployers have a customized package that redirects servers to
  internal mirrors.

* Fedora 26 is now supported.

* The password minimum and maximum lifetimes are now opt-in changes
  that can take action against user accounts instead of printing debug
  warnings. Refer to the documentation for STIG requirements V-71927
  and V-71931 to review the opt-in process and warnings.
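Because the opt-in lifetime enforcement above changes real accounts, a deployer will usually want to see which accounts sit outside the STIG limits before switching it on. The shell script below is an added example, not part of the ansible-hardening role: it reads /etc/shadow-style lines and reports every account whose minimum or maximum password lifetime misses the limits, skipping locked and disabled accounts. The 1-day minimum and 60-day maximum are this example's assumptions about what V-71927 and V-71931 require, and the shadow lines are constructed sample data, not taken from any host.

```shell
# Added example (not the role's own code): report accounts whose password
# lifetimes miss the STIG limits. Assumed limits: 1-day minimum (V-71927)
# and 60-day maximum (V-71931).

# Constructed /etc/shadow-style lines (not real host data):
#   name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$constructedhash:17500:0:99999:7:::
alice:$6$constructedhash:17500:1:60:7:::
bob:$6$constructedhash:17500:1:90:7:::
carol:$6$constructedhash:17500::::::
daemon:*:17500:0:99999:7:::
nologin:!!:17500:0:99999:7:::'

# Print "user min max reason" for each account with a usable password hash
# whose min lifetime is below 1 day or whose max lifetime is above 60 days.
# Locked (!) and disabled (*) accounts cannot authenticate with a password,
# so they are skipped. An empty field means "no limit", which also fails.
audit_password_lifetimes() {
    printf '%s\n' "$1" | awk -F: -v min_days=1 -v max_days=60 '
        $2 ~ /^[!*]/ { next }          # locked or disabled account
        {
            reason = ""
            if ($4 == "" || $4 + 0 < min_days) reason = "min-too-low"
            if ($5 == "" || $5 + 0 > max_days)
                reason = reason (reason == "" ? "" : " ") "max-too-high"
            if (reason != "")
                print $1, ($4 == "" ? "-" : $4), ($5 == "" ? "-" : $5), reason
        }'
}

# Number of non-compliant accounts, usable as a gate or monitoring metric.
noncompliant_count() {
    audit_password_lifetimes "$1" | awk 'END { print NR }'
}

# Stand-alone run over the constructed sample.
audit_password_lifetimes "$SAMPLE_SHADOW"
```

On a live host, run it as root with `audit_password_lifetimes "$(cat /etc/shadow)"`; the report lists the accounts the role would modify once the opt-in variables are enabled, without changing anything itself.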


Upgrade Notes
*************

* The EPEL repository is only installed and configured when the
  deployer sets "security_enable_virus_scanner" to "yes". This allows
  the ClamAV packages to be installed. If
  "security_enable_virus_scanner" is set to "no" (the default), the
  EPEL repository will not be added.

  See Bug 1702167 (https://bugs.launchpad.net/openstack-ansible/+bug/1702167)
  for more details.

* Deployers now have the option to prevent the EPEL repository from
  being installed by the role. Setting
  "security_epel_install_repository" to "no" prevents EPEL from being
  installed. This setting may prevent certain packages from
  installing, such as ClamAV.


Deprecation Notes
*****************

* Fedora 25 support is deprecated and no longer tested on each
  commit.


Security Issues
***************

* "PermitRootLogin" in the ssh configuration has changed from "yes"
  to "without-password". With this setting, root can only authenticate
  over ssh with a key, never with a password.
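The quickest way to confirm the new default took effect on a host is to inspect the effective sshd configuration rather than the file, since a later Match block or an included file can override what sshd_config appears to say. The shell snippet below is an added example and not the role's own code: it classifies the PermitRootLogin value from configuration text on stdin, treating the newer alias "prohibit-password" the same as "without-password". The two inputs are constructed samples in the format `sshd -T` prints; on a live host, pipe the output of `sshd -T` (run as root) into `root_login_verdict`.

```shell
# Added example (not part of ansible-hardening): classify the effective
# PermitRootLogin setting from sshd configuration text on stdin.

# Print the PermitRootLogin value from sshd config text on stdin. sshd uses
# the first occurrence of a keyword, so only the first match is taken, and
# keywords are matched case-insensitively as sshd_config does.
permit_root_login_value() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }'
}

# Map the value to a verdict:
#   ok      root cannot log in with a password (without-password, its alias
#           prohibit-password, forced-commands-only, or no)
#   weak    root may log in with a password (yes)
#   unset   keyword absent; the compiled-in or distribution default applies,
#           so the host needs a look with `sshd -T` rather than a guess
#   unknown any other value, which sshd itself would reject
root_login_verdict() {
    value=$(permit_root_login_value)
    case "$value" in
        without-password|prohibit-password|forced-commands-only|no) echo "ok" ;;
        yes) echo "weak" ;;
        "") echo "unset" ;;
        *) echo "unknown" ;;
    esac
}

# Constructed samples in the normalized form `sshd -T` prints (not real output).
HARDENED='port 22
permitrootlogin without-password
passwordauthentication yes'

WEAK='port 22
permitrootlogin yes
passwordauthentication yes'

# Stand-alone run: reports "ok" for the first sample and "weak" for the second.
printf '%s\n' "$HARDENED" | root_login_verdict
printf '%s\n' "$WEAK" | root_login_verdict
```

Note that a commented line such as `#PermitRootLogin yes` is ignored, which is why the "unset" verdict exists: a file that merely comments out the directive has not hardened anything, and only `sshd -T` shows what the daemon actually applies.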


Bug Fixes
*********

* The sysctl configuration task was not skipping configurations
  where "enabled" was set to "no". Instead, it was removing
  configurations when "enabled: no" was set.

  There is now a fix in place that ensures any sysctl configuration
  with "enabled: no" will be skipped and the configuration will be
  left unaltered on the system.

Changes in ansible-hardening 16.0.0.0b1..16.0.1
-----------------------------------------------

ebf3331 Final docs updates for Pike
8fa95bf Add release note for F26 support
24abca2 Check apparmor_status output
429906a Fix AppArmor idempotency
3e84ecd Updated from OpenStack Ansible Tests
53b578d Update vars and test tooling for Pike
619c22a Fedora 26 support
f576f24 Skip sysctl configs when enabled: no
ca9b2e2 Updated from global requirements
3c63217 Change default prohibit root sshd password auth
78d37af Manually check apparmor_status
5d11c8c Updated from global requirements
758eab9 Fix auditd remote conf check
458e0e4 Install libpam-pwquality on Ubuntu
f900089 Updated from OpenStack Ansible Tests
36b36b3 Re-organize defaults/main.yml
bcce655 Allow epel-release package name customization
a64c833 Conditionally install EPEL if needed
4449474 [Docs] Make install/usage docs more clear
e112b92 Fix grep for sudoers w/o password
d031846 Skip shadow checks for users w/o shadow data
923e219 [Docs] Adjust hardening domains page
6ae8823 Split long running tasks
4dd5e37 Avoid skipped package-related tasks
72afbcf Doc migration fixes
5ce112c Add equalto Jinja2 test for EL7
d2ab68b Correct the list of supported OS versions
f422da8 Add support for the openSUSE Leap distributions
93d05c5 tasks: rhel7stig: aide: Fix conditionals for Ubuntu exclusions
d996c60 tasks: rhel7stig: aide: Use 'aide -i' if 'aideinit' is not available
1a02653 Sync test files with the openstack-ansible-tests repository
90b1317 Trivial spelling fix
d3c74ec tasks: rhel7stig: sshd: Avoid using with_fileglob for remote hosts
76b51e3 Doc updates
2b14fca Ensure that role tests pin pip/setuptools/wheel
875f635 [Docs] Overhaul STIG by tag docs
75b29b6 Add release note for password lifetime patches
3699f90 Actually set min/max password lifetime for account
6c9c7fa Get a list of all users + interactive users
38270e7 [Docs] Replace security role references
68ecd21 Fix ansible-hardening references in tox/playbook
3633d35 Remove 'physical_host' from inventory
97186f8 Initial Fedora 25 support
25acbff Fix incorrect tag for V-71895
d2617c7 Fix incorrect tag for V-71899
33d1b71 Fix incorrect tag for V-72267
cbf46a1 Fix .gitreview
5743ea8 Fix AppArmor dmesg grep task
61516fb Don't install python-ndg_httpsclient
40c744c Add more test coverage
d7600f1 Fix bare jinja variable pam_password_file
4e9a8a1 Initial Debian 8 support
6e761ef Move tasks to 'accounts' file
ed8364e [Docs] Put FAQ after getting started docs
b83eb43 [Docs] Fix missing hyphen in status
5eb302c Fix numbering in AIDE config block
6ca676b Updated from global requirements
1525402 Enable auto-upgrade in the gate
45fd0a2 Check for grub2 defaults file
38255a8 Use zuul-cloner for tests repo in OpenStack-CI
1819c42 Configure AIDE before initial run
6a4f806 Remove test_plugins directory
5ef94bf Fix security role gate
d4daf7e Update docs for Pike
a547739 Cleanup tox.ini
d833671 Fix warnings about jinja2 in when
5a4efe7 Maintain default ansible parameters
ab9357d Skip ClamAV db update in gate
c09763e Adjust readme/meta for Ansible 2.3
9361a14 Do not update grub if grub not used


Diffstat (except docs and test files)
-------------------------------------

.gitignore                                         |  10 +-
.gitreview                                         |   3 +-
README.md                                          |  34 +-
README.rst                                         |   6 +-
Vagrantfile                                        |  82 +-
bindep.txt                                         |  49 +-
defaults/main.yml                                  | 876 +++++++++++----------
files/V-38682-modprobe.conf                        |   2 +-
files/aide_extra.conf                              |  14 -
files/zypper-autoupdates                           |   3 +
handlers/main.yml                                  |   2 +
meta/main.yml                                      |  19 +-
...tom-epel-release-packages-b409be1aa46ee9c3.yaml |   6 +
...onditionally-install-epel-9e8e1b67e5943019.yaml |  16 +
.../notes/fedora-26-support-70a304f9c97d1b37.yaml  |   5 +
.../password-lifetime-opt-in-c380f0ec81daffd0.yaml |   7 +
...skip-sysctl-when-disabled-b32eca48df5b1437.yaml |  10 +
...ot-login-without-password-948ec79c6508c19b.yaml |   6 +
releasenotes/source/conf.py                        |  13 +-
setup.cfg                                          |   2 +-
tasks/main.yml                                     |  14 +-
tasks/rhel6stig/main.yml                           |   7 +
tasks/rhel6stig/sshd.yml                           |  28 +-
tasks/rhel7stig/accounts.yml                       | 249 ++++++
tasks/rhel7stig/aide.yml                           |  92 ++-
tasks/rhel7stig/apt.yml                            |  27 +
tasks/rhel7stig/async_tasks.yml                    |  45 ++
tasks/rhel7stig/auditd.yml                         |   4 +-
tasks/rhel7stig/auth.yml                           | 315 ++------
tasks/rhel7stig/dnf.yml                            |  93 +++
tasks/rhel7stig/file_perms.yml                     |   4 +-
tasks/rhel7stig/kernel.yml                         |   8 +-
tasks/rhel7stig/lsm.yml                            |  49 +-
tasks/rhel7stig/main.yml                           |  52 +-
tasks/rhel7stig/misc.yml                           |  11 +-
tasks/rhel7stig/packages.yml                       |  55 --
tasks/rhel7stig/rpm.yml                            |  16 +-
tasks/rhel7stig/sshd.yml                           |  24 +-
tasks/rhel7stig/yum.yml                            |  41 +
tasks/rhel7stig/zypper.yml                         | 101 +++
templates/osas-auditd-rhel7.j2                     |   4 +-
test-requirements.txt                              |  11 +-
tox.ini                                            |  41 +-
vars/debian.yml                                    | 169 ++++
vars/main.yml                                      |   4 +-
vars/redhat.yml                                    |  15 +-
vars/suse.yml                                      | 102 +++
vars/ubuntu.yml                                    | 160 ----
140 files changed, 2667 insertions(+), 1613 deletions(-)


Requirements updates
--------------------

diff --git a/test-requirements.txt b/test-requirements.txt
index 2e28ed2..6c9394a 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -6 +6 @@ flake8<2.6.0,>=2.5.4 # MIT
-pyasn1 # BSD
+pyasn1!=0.2.3 # BSD
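Review bot: the new `!=0.2.3` exclusion on pyasn1 carries no explanation on the line itself. Since these pins arrive through the "Updated from global requirements" syncs listed in the changelog, a short trailing note (or a pointer to the upstream breakage) next to `pyasn1!=0.2.3 # BSD` would stop a later sync from silently keeping or dropping the exclusion without anyone knowing why it exists.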
@@ -8 +8 @@ pyOpenSSL>=0.14 # Apache-2.0
-requests!=2.12.2,!=2.13.0,>=2.10.0 # Apache-2.0
+requests>=2.14.2 # Apache-2.0
@@ -12,3 +12,2 @@ ndg-httpsclient>=0.4.2;python_version<'3.0' # BSD
-sphinx>=1.5.1 # BSD
-oslosphinx>=4.7.0 # Apache-2.0
-openstackdocstheme>=1.5.0 # Apache-2.0
+sphinx>=1.6.2 # BSD
+openstackdocstheme>=1.16.0 # Apache-2.0
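Review bot: dropping `oslosphinx>=4.7.0` from test-requirements breaks the docs build if any Sphinx conf.py still lists `oslosphinx` in its extensions. The diffstat shows `releasenotes/source/conf.py` changed but excludes the docs tree, so please confirm that `doc/source/conf.py` has also moved to `openstackdocstheme` alone before merging.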
@@ -16 +15 @@ doc8 # Apache-2.0
-reno>=1.8.0 # Apache-2.0
+reno!=2.3.1,>=1.8.0 # Apache-2.0
