We are excited to announce the release of:

openstack-ansible-security 12.0.14: Security hardening role for
openstack-ansible

For more details, please see below.

12.0.14
^^^^^^^

Bug Fixes

* The dictionary-based variables in "defaults/main.yml" are now
  individual variables. The dictionary-based variables could not be
  changed as the documentation instructed. Instead it was required to
  override the entire dictionary. Deployers must use the new variable
  names to enable or disable the security configuration changes
  applied by the security role. For more information, see Launchpad
  Bug 1577944
  (https://bugs.launchpad.net/openstack-ansible/+bug/1577944).

* Failed access logging is now disabled by default and can be enabled
  by changing "security_audit_failed_access" to "yes". The rsyslog
  daemon checks for the existence of log files regularly and this
  audit rule was triggered very frequently, which led to very large
  audit logs.

* The security role now handles "ssh_config" files that contain
  "Match" stanzas. A marker is added to the configuration file and any
  new configuration items will be added below that marker. In
  addition, the configuration file is validated for each change to the
  ssh configuration file.
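The Match-stanza handling described in the last bug fix, sketched in Python as an added example (it is not the role's own code, which is Ansible). The marker string, the sample configuration and the function names are assumptions made for illustration.

```python
# Added example. MARKER and SAMPLE are constructed, not taken from the role.
MARKER = "# hardening-managed-options (hypothetical marker)"

SAMPLE = """\
Port 22
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
"""

def _keyword(line):
    """Lower-cased first token of a config line, or '' for a blank line."""
    parts = line.split(None, 1)
    return parts[0].lower() if parts else ""

def global_directives(text):
    """Map keyword -> value for directives that apply outside any Match block."""
    found = {}
    for line in text.splitlines():
        key = _keyword(line)
        if not key or key.startswith("#"):
            continue
        if key == "match":
            break  # lines from the first Match onward are conditional
        rest = line.split(None, 1)
        found.setdefault(key, rest[1].strip() if len(rest) > 1 else "")  # first value wins
    return found

def apply_option(text, keyword, value):
    """Set a global option without letting it fall inside a Match block."""
    lines = text.splitlines()
    first_match = next((i for i, l in enumerate(lines) if _keyword(l) == "match"),
                       len(lines))
    new_line = f"{keyword} {value}"
    for i in range(first_match):
        if _keyword(lines[i]) == keyword.lower():
            lines[i] = new_line  # replace in place: a later duplicate is ignored
            break
    else:
        if MARKER not in lines:
            lines.insert(first_match, MARKER)  # marker sits above the first Match
        lines.insert(lines.index(MARKER) + 1, new_line)
    return "\n".join(lines) + "\n"

def naive_append(text, keyword, value):
    """What a plain end-of-file append does: the line joins the last Match block."""
    return text + f"{keyword} {value}\n"
```

A file edited this way can also be checked by hand with `sshd -t -f <path>`, which parses the configuration and reports errors without starting the daemon.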
Changes in openstack-ansible-security 12.0.0..12.0.14
-----------------------------------------------------

d90908f Handle Match properly in sshd_config
d31fe31 Removing equal signs in docs
b5cdff7 Switch from dict to individual variables
5c6317b Adding release note that should have backported
437aa54 Doc updates
3bf6b32 Add dependencies for paramiko 2.0
61506eb Add .swp files to .gitignore
8db2a82 Disable failed access auditd logging
556de08 Fix flake8 violation in conf.py
1300199 Update .gitreview for Liberty

Diffstat (except docs and test files)
-------------------------------------

.gitignore                                         |   4 +
.gitreview                                         |   1 +
defaults/main.yml                                  | 103 ++++----
other-requirements.txt                             |   4 +
releasenotes/notes/.placeholder                    |   0
...tionary-variables-removed-957c7b7b2108ba1f.yaml |   9 +
...iled-access-audit-logging-789dc01c8bcbef17.yaml |   6 +
...ndling-sshd-match-stanzas-fa40b97689004e46.yaml |   7 +
releasenotes/source/_static/.placeholder           |   0
releasenotes/source/_templates/.placeholder        |   0
releasenotes/source/conf.py                        | 274 +++++++++++++++++++++
releasenotes/source/index.rst                      |  10 +
releasenotes/source/liberty.rst                    |   6 +
releasenotes/source/mitaka.rst                     |   6 +
releasenotes/source/unreleased.rst                 |   5 +
tasks/auth.yml                                     |   4 +-
tasks/kernel.yml                                   |  14 +-
tasks/services.yml                                 |  26 +-
tasks/sshd.yml                                     |  74 +++++-
templates/osas-auditd.j2                           |  50 ++--
test-requirements.txt                              |   1 +
tox.ini                                            |   3 +
57 files changed, 615 insertions(+), 179 deletions(-)

Requirements updates
--------------------

diff --git a/other-requirements.txt b/other-requirements.txt index 6eac5c2..67cd643 100644 --- a/other-requirements.txt +++ b/other-requirements.txt @@ -16,0 +17,4 @@ curl + +# Requirements for Paramiko 2.0 +libssl-dev +libffi-dev diff --git a/test-requirements.txt b/test-requirements.txt index 3422d65..a7c89ef 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -8,0 +9 @@ oslosphinx>=2.5.0 # Apache-2.0 +reno>=0.1.1 # Apache-2.0
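
Review bot: In the other-requirements.txt hunk, the added "libssl-dev" and "libffi-dev" entries are Debian/Ubuntu package names with no platform selector, so the list cannot be resolved on an RPM-based host. If the file is consumed by bindep, tagging both entries with "[platform:dpkg]" would make the scope explicit. The comment "# Requirements for Paramiko 2.0" should also say why development headers are needed, so a later reader can tell when the two packages are safe to drop.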
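
Review bot: In the test-requirements.txt hunk, "reno>=0.1.1" sets only a floor, so the release-notes build installs whatever reno version is newest at the time. Please confirm the floor matches the branch's global requirements and that installs on this stable branch are held by a constraints file, so a later reno release cannot change the docs job's behaviour.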