[release-announce] [openstackansible] ansible-hardening 16.0.0 (pike)

no-reply at openstack.org
Thu Sep 14 17:22:15 UTC 2017


We are psyched to announce the release of:

ansible-hardening 16.0.0: OpenStack-Ansible: Host security hardening

This release is part of the pike release series.

Download the package from:

    https://tarballs.openstack.org/ansible-hardening/

For more details, please see below.

16.0.0
^^^^^^


Prelude
*******

The first release of the Red Hat Enterprise Linux 7 STIG was entirely
renumbered from the pre-release versions. Many of the STIG
configurations simply changed numbers, but some were removed or
changed. A few new configurations were added as well.


New Features
************

* Deployers can now specify a custom package name or URL for an EPEL
  release package. CentOS systems use "epel-release" by default, but
  some deployers have a customized package that redirects servers to
  internal mirrors.

* Deployers can provide a customized login banner via a new Ansible
  variable: "security_login_banner_text". This banner text is used for
  non-graphical logins, which includes console and ssh logins.

* Fedora 26 is now supported.

* Enforcing the password minimum and maximum lifetimes is now an opt-in
  change: when enabled, the role adjusts the affected user accounts
  instead of only printing debug warnings. Refer to the documentation
  for STIG requirements V-71927 and V-71931 to review the opt-in process
  and warnings.


Upgrade Notes
*************

* The EPEL repository is only installed and configured when the
  deployer sets "security_enable_virus_scanner" to "yes". This allows
  the ClamAV packages to be installed. If
  "security_enable_virus_scanner" is set to "no" (the default), the
  EPEL repository will not be added.

  See Bug 1702167 (https://bugs.launchpad.net/openstack-ansible/+bug/1702167)
  for more details.

* Deployers now have the option to prevent the EPEL repository from
  being installed by the role. Setting
  "security_epel_install_repository" to "no" prevents EPEL from being
  installed. This setting may prevent certain packages from
  installing, such as ClamAV.


Deprecation Notes
*****************

* Fedora 25 support is deprecated and no longer tested on each
  commit.


Security Issues
***************

* The security role will no longer fix file permissions and
  ownership based on the contents of the RPM database by default.
  Deployers can opt in for these changes by setting
  "security_reset_perm_ownership" to "yes".

* The tasks that search for ".shosts" and "shosts.equiv" files (STIG
  ID: RHEL-07-040330) are now skipped by default. The search takes a
  long time to complete on systems with many files and it also causes a
  significant amount of disk I/O while it runs.

* "PermitRootLogin" in the ssh configuration has changed from "yes"
  to "without-password". With this setting, root can authenticate over
  ssh only with a key, never with a password.

* The latest version of the RHEL 7 STIG requires that a standard
  login banner is presented to users when they log into the system
  (V-71863). The security role now deploys a login banner that is used
  for console and ssh sessions.

* The "cn_map" permissions and ownership adjustments included as
  part of RHEL-07-040070 and RHEL-07-040080 have been removed. This
  STIG configuration was removed in the most recent release of the
  RHEL 7 STIG.

* The PKI-based authentication checks for RHEL-07-040030,
  RHEL-07-040040, and RHEL-07-040050 are no longer included in the
  RHEL 7 STIG. The tasks and documentation for these outdated
  configurations are removed.


Bug Fixes
*********

* The sysctl configuration task was not skipping configurations
  where "enabled" was set to "no". Instead, it was removing
  configurations when "enabled: no" was set.

  There is now a fix in place that ensures any sysctl configuration
  with "enabled: no" will be skipped and the configuration will be
  left unaltered on the system.
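  As an added illustration (not the role's own task), the playbook below
  shows the failure mode described above beside the corrected form. The
  variable name "sysctl_settings_example" and the task names are
  hypothetical; the role's real variable layout may differ.

```yaml
# Constructed example playbook; not part of ansible-hardening itself.
- hosts: all
  become: yes
  vars:
    # Hypothetical list of sysctl entries with an "enabled" flag per item.
    sysctl_settings_example:
      - name: net.ipv4.ip_forward
        value: 0
        enabled: yes
      - name: kernel.randomize_va_space
        value: 2
        enabled: no      # deployer wants this left exactly as it is on the host
  tasks:
    # Defective pattern: mapping "enabled" onto "state" turns "enabled: no"
    # into "state: absent", which deletes the entry from the sysctl
    # configuration file instead of leaving the host untouched.
    - name: Apply sysctl settings (buggy behaviour)
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        state: "{{ 'present' if (item.enabled | bool) else 'absent' }}"
        sysctl_set: yes
      with_items: "{{ sysctl_settings_example }}"

    # Corrected pattern: items with "enabled: no" are skipped by the "when"
    # condition, so their existing configuration on the host is never altered.
    - name: Apply sysctl settings (fixed)
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        state: present
        sysctl_set: yes
      with_items: "{{ sysctl_settings_example }}"
      when: item.enabled | bool
```

  Running the fixed task reports the "enabled: no" item as skipped rather
  than changed, which is the behaviour the bug fix restores.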

Changes in ansible-hardening 15.0.0.0rc1..16.0.0
------------------------------------------------

ebf3331 Final docs updates for Pike
8fa95bf Add release note for F26 support
24abca2 Check apparmor_status output
429906a Fix AppArmor idempotency
3e84ecd Updated from OpenStack Ansible Tests
53b578d Update vars and test tooling for Pike
619c22a Fedora 26 support
f576f24 Skip sysctl configs when enabled: no
ca9b2e2 Updated from global requirements
3c63217 Change default prohibit root sshd password auth
78d37af Manually check apparmor_status
5d11c8c Updated from global requirements
758eab9 Fix auditd remote conf check
458e0e4 Install libpam-pwquality on Ubuntu
f900089 Updated from OpenStack Ansible Tests
36b36b3 Re-organize defaults/main.yml
bcce655 Allow epel-release package name customization
a64c833 Conditionally install EPEL if needed
4449474 [Docs] Make install/usage docs more clear
e112b92 Fix grep for sudoers w/o password
d031846 Skip shadow checks for users w/o shadow data
923e219 [Docs] Adjust hardening domains page
6ae8823 Split long running tasks
4dd5e37 Avoid skipped package-related tasks
72afbcf Doc migration fixes
5ce112c Add equalto Jinja2 test for EL7
d2ab68b Correct the list of supported OS versions
f422da8 Add support for the openSUSE Leap distributions
93d05c5 tasks: rhel7stig: aide: Fix conditionals for Ubuntu exclusions
d996c60 tasks: rhel7stig: aide: Use 'aide -i' if 'aideinit' is not available
1a02653 Sync test files with the openstack-ansible-tests repository
90b1317 Trivial spelling fix
d3c74ec tasks: rhel7stig: sshd: Avoid using with_fileglob for remote hosts
76b51e3 Doc updates
2b14fca Ensure that role tests pin pip/setuptools/wheel
875f635 [Docs] Overhaul STIG by tag docs
75b29b6 Add release note for password lifetime patches
3699f90 Actually set min/max password lifetime for account
6c9c7fa Get a list of all users + interactive users
38270e7 [Docs] Replace security role references
68ecd21 Fix ansible-hardening references in tox/playbook
3633d35 Remove 'physical_host' from inventory
97186f8 Initial Fedora 25 support
25acbff Fix incorrect tag for V-71895
d2617c7 Fix incorrect tag for V-71899
33d1b71 Fix incorrect tag for V-72267
cbf46a1 Fix .gitreview
5743ea8 Fix AppArmor dmesg grep task
61516fb Don't install python-ndg_httpsclient
40c744c Add more test coverage
d7600f1 Fix bare jinja variable pam_password_file
4e9a8a1 Initial Debian 8 support
6e761ef Move tasks to 'accounts' file
ed8364e [Docs] Put FAQ after getting started docs
b83eb43 [Docs] Fix missing hyphen in status
5eb302c Fix numbering in AIDE config block
6ca676b Updated from global requirements
1525402 Enable auto-upgrade in the gate
45fd0a2 Check for grub2 defaults file
38255a8 Use zuul-cloner for tests repo in OpenStack-CI
1819c42 Configure AIDE before initial run
6a4f806 Remove test_plugins directory
5ef94bf Fix security role gate
d4daf7e Update docs for Pike
a547739 Cleanup tox.ini
d833671 Fix warnings about jinja2 in when
5a4efe7 Maintain default ansible parameters
ab9357d Skip ClamAV db update in gate
c09763e Adjust readme/meta for Ansible 2.3
9361a14 Do not update grub if grub not used
005fa52 Make login banner customizable
1a1bc2b [Docs] Fix docs for V-72055
701c0b1 Fix path to daemon init params file
9d745ec Remove end spaces in STIG XML
dccce1d Handle RHEL 7 STIG renumbering
c1780c7 Change PASS_WARN_DAYS --> PASS_WARN_AGE
78d844a Rename vars/common.yml to vars/main.yml
12dd05b Install EPEL for security role
9efb815 Make .shosts search/removal opt in
8f7d132 Fix selinux check when disabled
209ce55 Add missing STIG ID tags
7caec98 Disable file perm/ownership reset
58038d4 Install python2-pyOpenSSL package on CentOS
13ef9cf Replace always_run with check_mode
c7d9a79 Updated from global requirements
4cb2fa4 Enable ntp client functionality with chronyd
2e5fe3b Only enable ssh, not start
4a23bc8 Use async for RPM verification
a2b3fe1 Use async for updating ClamAV DB
9af2e9e Use async for file perms corrections
389cccf Updated from global requirements
b840612 Fix the regex
a7c9d27 Updated from global requirements
1bd5dcc Correct minimum Ansible version in readme
455243c Typo fix: unneccessary => unnecessary
215fb08 Use https instead of http for git.openstack.org
600e5ab Replaces yaml.load() with yaml.safe_load()
78f0c9b Update reno for stable/ocata
c15d75e Configure pam_faildelay on Ubuntu


Diffstat (except docs and test files)
-------------------------------------

.gitignore                                         |    10 +-
.gitreview                                         |     3 +-
README.md                                          |    34 +-
README.rst                                         |     6 +-
Vagrantfile                                        |    82 +-
bindep.txt                                         |    49 +-
defaults/main.yml                                  |   617 +-
...Enterprise_Linux_7_STIG_V1R0-2_Manual-xccdf.xml | 10364 ----------------
...t_Enterprise_Linux_7_STIG_V1R1_Manual-xccdf.xml | 12082 +++++++++++++++++++
files/V-38682-modprobe.conf                        |     2 +-
files/aide_extra.conf                              |    14 -
files/zypper-autoupdates                           |     3 +
handlers/main.yml                                  |     2 +
meta/main.yml                                      |    19 +-
...tom-epel-release-packages-b409be1aa46ee9c3.yaml |     6 +
...onditionally-install-epel-9e8e1b67e5943019.yaml |    16 +
...zable-login-banner-string-d8d5ae874e8e49f3.yaml |     6 +
...-rpm-perms-fix-by-default-b164e39717f0ada7.yaml |     6 +
.../notes/fedora-26-support-70a304f9c97d1b37.yaml  |     5 +
.../password-lifetime-opt-in-c380f0ec81daffd0.yaml |     7 +
...shosts-file-search-opt-in-887f600a79eef07e.yaml |     7 +
...skip-sysctl-when-disabled-b32eca48df5b1437.yaml |    10 +
...ot-login-without-password-948ec79c6508c19b.yaml |     6 +
...sion-1-renumbering-fiesta-aa047fea3ea35e74.yaml |    20 +
releasenotes/source/conf.py                        |    15 +-
releasenotes/source/index.rst                      |     1 +
releasenotes/source/ocata.rst                      |     6 +
setup.cfg                                          |     2 +-
setup.py                                           |     2 +-
tasks/main.yml                                     |    14 +-
tasks/rhel6stig/apt.yml                            |     2 +-
tasks/rhel6stig/auth.yml                           |     4 +-
tasks/rhel6stig/file_perms.yml                     |     4 +-
tasks/rhel6stig/main.yml                           |     7 +
tasks/rhel6stig/misc.yml                           |     8 +
tasks/rhel6stig/sshd.yml                           |    28 +-
tasks/rhel7stig/accounts.yml                       |   249 +
tasks/rhel7stig/aide.yml                           |   100 +-
tasks/rhel7stig/apt.yml                            |    67 +-
tasks/rhel7stig/async_tasks.yml                    |    45 +
tasks/rhel7stig/auditd.yml                         |   132 +-
tasks/rhel7stig/auth.yml                           |   427 +-
tasks/rhel7stig/dnf.yml                            |    93 +
tasks/rhel7stig/file_perms.yml                     |    71 +-
tasks/rhel7stig/graphical.yml                      |    55 +-
tasks/rhel7stig/kernel.yml                         |    37 +-
tasks/rhel7stig/lsm.yml                            |    66 +-
tasks/rhel7stig/main.yml                           |    42 +-
tasks/rhel7stig/misc.yml                           |    79 +-
tasks/rhel7stig/packages.yml                       |    73 +-
tasks/rhel7stig/rpm.yml                            |    58 +-
tasks/rhel7stig/sshd.yml                           |    78 +-
tasks/rhel7stig/yum.yml                            |    41 +
tasks/rhel7stig/zypper.yml                         |   101 +
templates/chrony.conf.j2                           |     5 +-
templates/dconf-screensaver-lock.j2                |     8 +-
templates/dconf-session-user-config-lockout.j2     |     2 +-
templates/osas-auditd-rhel7.j2                     |    46 +-
templates/pam_faillock.j2                          |     2 +-
templates/sshd_config_block.j2                     |    36 +-
test-requirements.txt                              |    11 +-
tox.ini                                            |    41 +-
vars/common.yml                                    |   337 -
vars/debian.yml                                    |   169 +
vars/main.yml                                      |   342 +-
vars/redhat.yml                                    |    22 +-
vars/suse.yml                                      |   102 +
vars/ubuntu.yml                                    |   159 -
576 files changed, 19001 insertions(+), 16214 deletions(-)


Requirements updates
--------------------

diff --git a/test-requirements.txt b/test-requirements.txt
index 326f6eb..6c9394a 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -6 +6 @@ flake8<2.6.0,>=2.5.4 # MIT
-pyasn1 # BSD
+pyasn1!=0.2.3 # BSD
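Review bot: the new `!=0.2.3` exclusion on pyasn1 carries no rationale in the file; since this file tracks global-requirements (several "Updated from global requirements" commits appear in the change list above), a short trailing comment or bug reference explaining why 0.2.3 is blocked would tell future maintainers when the exclusion can safely be dropped.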
@@ -8 +8 @@ pyOpenSSL>=0.14 # Apache-2.0
-requests!=2.12.2,>=2.10.0 # Apache-2.0
+requests>=2.14.2 # Apache-2.0
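Review bot: dropping the `!=2.12.2` exclusion here is correct because the new floor `requests>=2.14.2` already rules that version out; the only behavioural change is the higher minimum, so it is worth confirming the test images used by the gate provide requests 2.14.2 or newer before merging.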
@@ -12,3 +12,2 @@ ndg-httpsclient>=0.4.2;python_version<'3.0' # BSD
-sphinx!=1.3b1,<1.4,>=1.2.1 # BSD
-oslosphinx>=4.7.0 # Apache-2.0
-openstackdocstheme>=1.5.0 # Apache-2.0
+sphinx>=1.6.2 # BSD
+openstackdocstheme>=1.16.0 # Apache-2.0
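Review bot: this hunk removes `oslosphinx` outright while raising `openstackdocstheme` to `>=1.16.0`; the diffstat shows `releasenotes/source/conf.py` was modified in this release, so check that its extensions list no longer imports oslosphinx, otherwise the release-notes build fails at import time. Note also that `sphinx>=1.6.2` replaces a bounded range (`<1.4`) with no upper bound, which widens the set of Sphinx versions the docs job may pick up.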
@@ -16 +15 @@ doc8 # Apache-2.0
-reno>=1.8.0 # Apache-2.0
+reno!=2.3.1,>=1.8.0 # Apache-2.0
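Review bot: the `!=2.3.1` exclusion for reno is added without any comment in the file; a brief note on the breakage that 2.3.1 causes (or a link to the upstream fix) would make it clear when this pin can be lifted instead of being carried forward indefinitely.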





