We contentedly announce the release of:

ansible-hardening 16.0.1: OpenStack-Ansible: Host security hardening

This release is part of the pike stable release series.

Download the package from:

    https://tarballs.openstack.org/ansible-hardening/

For more details, please see below.

16.0.1
^^^^^^

New Features
************

* Deployers can now specify a custom package name or URL for an EPEL
  release package. CentOS systems use "epel-release" by default, but some
  deployers have a customized package that redirects servers to internal
  mirrors.

* Fedora 26 is now supported.

* The password minimum and maximum lifetimes are now opt-in changes that
  can take action against user accounts instead of printing debug
  warnings. Refer to the documentation for STIG requirements V-71927 and
  V-71931 to review the opt-in process and warnings.

Upgrade Notes
*************

* The EPEL repository is only installed and configured when the deployer
  sets "security_enable_virus_scanner" to "yes". This allows the ClamAV
  packages to be installed. If "security_enable_virus_scanner" is set to
  "no" (the default), the EPEL repository will not be added. See Bug
  1702167 (https://bugs.launchpad.net/openstack-ansible/+bug/1702167) for
  more details.

* Deployers now have the option to prevent the EPEL repository from being
  installed by the role. Setting "security_epel_install_repository" to
  "no" prevents EPEL from being installed. This setting may prevent
  certain packages from installing, such as ClamAV.

Deprecation Notes
*****************

* Fedora 25 support is deprecated and no longer tested on each commit.

Security Issues
***************

* "PermitRootLogin" in the ssh configuration has changed from "yes" to
  "without-password". This allows root to authenticate over ssh only with
  a key; root password logins are refused.

Bug Fixes
*********

* The sysctl configuration task was not skipping configurations where
  "enabled" was set to "no". Instead, it was removing configurations when
  "enabled: no" was set.
  There is now a fix in place that ensures any sysctl configuration with
  "enabled: no" will be skipped and the configuration will be left
  unaltered on the system.

Changes in ansible-hardening 16.0.0.0b1..16.0.1
-----------------------------------------------

ebf3331 Final docs updates for Pike
8fa95bf Add release note for F26 support
24abca2 Check apparmor_status output
429906a Fix AppArmor idempotency
3e84ecd Updated from OpenStack Ansible Tests
53b578d Update vars and test tooling for Pike
619c22a Fedora 26 support
f576f24 Skip sysctl configs when enabled: no
ca9b2e2 Updated from global requirements
3c63217 Change default prohibit root sshd password auth
78d37af Manually check apparmor_status
5d11c8c Updated from global requirements
758eab9 Fix auditd remote conf check
458e0e4 Install libpam-pwquality on Ubuntu
f900089 Updated from OpenStack Ansible Tests
36b36b3 Re-organize defaults/main.yml
bcce655 Allow epel-release package name customization
a64c833 Conditionally install EPEL if needed
4449474 [Docs] Make install/usage docs more clear
e112b92 Fix grep for sudoers w/o password
d031846 Skip shadow checks for users w/o shadow data
923e219 [Docs] Adjust hardening domains page
6ae8823 Split long running tasks
4dd5e37 Avoid skipped package-related tasks
72afbcf Doc migration fixes
5ce112c Add equalto Jinja2 test for EL7
d2ab68b Correct the list of supported OS versions
f422da8 Add support for the openSUSE Leap distributions
93d05c5 tasks: rhel7stig: aide: Fix conditionals for Ubuntu exclusions
d996c60 tasks: rhel7stig: aide: Use 'aide -i' if 'aideinit' is not available
1a02653 Sync test files with the openstack-ansible-tests repository
90b1317 Trivial spelling fix
d3c74ec tasks: rhel7stig: sshd: Avoid using with_fileglob for remote hosts
76b51e3 Doc updates
2b14fca Ensure that role tests pin pip/setuptools/wheel
875f635 [Docs] Overhaul STIG by tag docs
75b29b6 Add release note for password lifetime patches
3699f90 Actually set min/max password lifetime for account
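The Security Issues note above switches "PermitRootLogin" to "without-password". The script below is an added example, not code from the ansible-hardening role, that audits an sshd_config the way sshd(8) itself reads it: for a keyword outside any "Match" block the first occurrence wins, so a leftover "PermitRootLogin yes" earlier in the file silently overrides a hardened line appended after it, and a value inside a "Match" block applies only to matching connections and does not change the global default. The two sample configurations are constructed for the example; "without-password" and its later spelling "prohibit-password" (OpenSSH 7.0 and newer) are treated as equivalent.

```python
"""Audit the effective global PermitRootLogin value of an sshd_config.

Added example, not code from ansible-hardening. It models two sshd(8)
parsing rules that matter when verifying the "without-password" change:

  * outside any Match block, the FIRST occurrence of a keyword wins;
  * values inside a Match block are conditional and leave the global
    default untouched.
"""

import re

# Values that refuse password logins for root ("no" refuses root entirely).
KEY_ONLY = {"without-password", "prohibit-password"}
ACCEPTABLE = KEY_ONLY | {"no", "forced-commands-only"}


def effective_permit_root_login(config_text):
    """Return the global PermitRootLogin value as sshd would apply it.

    Returns the first global occurrence, lower-cased, or None when the
    keyword is not set globally. None is deliberately not mapped to a
    default: the compiled-in default is "yes" before OpenSSH 7.0 and
    "prohibit-password" from 7.0 on, so an audit should require an
    explicit line rather than guess the daemon version.
    """
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment line
        # sshd accepts "Keyword value" and "Keyword=value"; keywords are
        # case-insensitive.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True               # rest of the file is conditional
            continue
        if in_match:
            continue
        if keyword == "permitrootlogin":
            return value.lower()          # first global occurrence wins
    return None


def root_password_login_disabled(config_text):
    """True only when an explicit global setting refuses root password logins."""
    return effective_permit_root_login(config_text) in ACCEPTABLE


# Constructed sample: the hardened line sits *after* a distro default "yes",
# so sshd ignores it.
SHADOWED_CONFIG = """\
# distro default left in place
PermitRootLogin yes
PasswordAuthentication yes
# line a hardening role might manage
PermitRootLogin without-password
"""

# Constructed sample: the only global value is the hardened one; the Match
# block relaxes it for one network but does not change the global default.
HARDENED_CONFIG = """\
PermitRootLogin without-password
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

if __name__ == "__main__":
    for name, cfg in (("shadowed", SHADOWED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, effective_permit_root_login(cfg), root_password_login_disabled(cfg))
```

Run against a real file with `effective_permit_root_login(open("/etc/ssh/sshd_config").read())`; a result of None or "yes" means the host still allows root password logins (or relies on the daemon's compiled-in default), which is the condition the release's change is meant to remove.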
6c9c7fa Get a list of all users + interactive users
38270e7 [Docs] Replace security role references
68ecd21 Fix ansible-hardening references in tox/playbook
3633d35 Remove 'physical_host' from inventory
97186f8 Initial Fedora 25 support
25acbff Fix incorrect tag for V-71895
d2617c7 Fix incorrect tag for V-71899
33d1b71 Fix incorrect tag for V-72267
cbf46a1 Fix .gitreview
5743ea8 Fix AppArmor dmesg grep task
61516fb Don't install python-ndg_httpsclient
40c744c Add more test coverage
d7600f1 Fix bare jinja variable pam_password_file
4e9a8a1 Initial Debian 8 support
6e761ef Move tasks to 'accounts' file
ed8364e [Docs] Put FAQ after getting started docs
b83eb43 [Docs] Fix missing hyphen in status
5eb302c Fix numbering in AIDE config block
6ca676b Updated from global requirements
1525402 Enable auto-upgrade in the gate
45fd0a2 Check for grub2 defaults file
38255a8 Use zuul-cloner for tests repo in OpenStack-CI
1819c42 Configure AIDE before initial run
6a4f806 Remove test_plugins directory
5ef94bf Fix security role gate
d4daf7e Update docs for Pike
a547739 Cleanup tox.ini
d833671 Fix warnings about jinja2 in when
5a4efe7 Maintain default ansible parameters
ab9357d Skip ClamAV db update in gate
c09763e Adjust readme/meta for Ansible 2.3
9361a14 Do not update grub if grub not used

Diffstat (except docs and test files)
-------------------------------------

 .gitignore                                          |  10 +-
 .gitreview                                          |   3 +-
 README.md                                           |  34 +-
 README.rst                                          |   6 +-
 Vagrantfile                                         |  82 +-
 bindep.txt                                          |  49 +-
 defaults/main.yml                                   | 876 +++++++++++----------
 files/V-38682-modprobe.conf                         |   2 +-
 files/aide_extra.conf                               |  14 -
 files/zypper-autoupdates                            |   3 +
 handlers/main.yml                                   |   2 +
 meta/main.yml                                       |  19 +-
 ...tom-epel-release-packages-b409be1aa46ee9c3.yaml  |   6 +
 ...onditionally-install-epel-9e8e1b67e5943019.yaml  |  16 +
 .../notes/fedora-26-support-70a304f9c97d1b37.yaml   |   5 +
 .../password-lifetime-opt-in-c380f0ec81daffd0.yaml  |   7 +
 ...skip-sysctl-when-disabled-b32eca48df5b1437.yaml  |  10 +
 ...ot-login-without-password-948ec79c6508c19b.yaml  |   6 +
 releasenotes/source/conf.py                         |  13 +-
 setup.cfg                                           |   2 +-
 tasks/main.yml                                      |  14 +-
 tasks/rhel6stig/main.yml                            |   7 +
 tasks/rhel6stig/sshd.yml                            |  28 +-
 tasks/rhel7stig/accounts.yml                        | 249 ++++++
 tasks/rhel7stig/aide.yml                            |  92 ++-
 tasks/rhel7stig/apt.yml                             |  27 +
 tasks/rhel7stig/async_tasks.yml                     |  45 ++
 tasks/rhel7stig/auditd.yml                          |   4 +-
 tasks/rhel7stig/auth.yml                            | 315 ++------
 tasks/rhel7stig/dnf.yml                             |  93 +++
 tasks/rhel7stig/file_perms.yml                      |   4 +-
 tasks/rhel7stig/kernel.yml                          |   8 +-
 tasks/rhel7stig/lsm.yml                             |  49 +-
 tasks/rhel7stig/main.yml                            |  52 +-
 tasks/rhel7stig/misc.yml                            |  11 +-
 tasks/rhel7stig/packages.yml                        |  55 --
 tasks/rhel7stig/rpm.yml                             |  16 +-
 tasks/rhel7stig/sshd.yml                            |  24 +-
 tasks/rhel7stig/yum.yml                             |  41 +
 tasks/rhel7stig/zypper.yml                          | 101 +++
 templates/osas-auditd-rhel7.j2                      |   4 +-
 test-requirements.txt                               |  11 +-
 tox.ini                                             |  41 +-
 vars/debian.yml                                     | 169 ++++
 vars/main.yml                                       |   4 +-
 vars/redhat.yml                                     |  15 +-
 vars/suse.yml                                       | 102 +++
 vars/ubuntu.yml                                     | 160 ----
 140 files changed, 2667 insertions(+), 1613 deletions(-)

Requirements updates
--------------------

diff --git a/test-requirements.txt b/test-requirements.txt index 2e28ed2..6c9394a 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -6 +6 @@ flake8<2.6.0,>=2.5.4 # MIT -pyasn1 # BSD +pyasn1!=0.2.3 # BSD @@ -8 +8 @@ pyOpenSSL>=0.14 # Apache-2.0 -requests!=2.12.2,!=2.13.0,>=2.10.0 # Apache-2.0 +requests>=2.14.2 # Apache-2.0 @@ -12,3 +12,2 @@ ndg-httpsclient>=0.4.2;python_version<'3.0' # BSD -sphinx>=1.5.1 # BSD -oslosphinx>=4.7.0 # Apache-2.0 -openstackdocstheme>=1.5.0 # Apache-2.0 +sphinx>=1.6.2 # BSD +openstackdocstheme>=1.16.0 # Apache-2.0 @@ -16 +15 @@ doc8 # Apache-2.0 -reno>=1.8.0 # Apache-2.0 +reno!=2.3.1,>=1.8.0 # Apache-2.0
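Review bot: the `-pyasn1 # BSD` / `+pyasn1!=0.2.3 # BSD` hunk adds a single-version exclusion with no comment on what breaks in 0.2.3, so nobody reading this file later can tell when the exclusion may be dropped; the same applies to `+reno!=2.3.1,>=1.8.0` in the last hunk. Since these lines come from the "Updated from global requirements" syncs listed in the changelog, a trailing comment pointing at the upstream global-requirements change would keep the reason next to the pin.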
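Review bot: removing `-oslosphinx>=4.7.0 # Apache-2.0` while bumping to `+openstackdocstheme>=1.16.0 # Apache-2.0` is only safe if every Sphinx conf.py in the repository has already dropped `oslosphinx` from its extension list; the diffstat shows `releasenotes/source/conf.py` was touched but excludes the docs tree, so the docs build cannot be verified from this diff alone. Please confirm the docs conf was migrated in the same series ("Doc migration fixes" and "Final docs updates for Pike" in the changelog suggest it was).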