We are psyched to announce the release of:

ansible-hardening 16.0.0: OpenStack-Ansible: Host security hardening

This release is part of the pike release series.

Download the package from:

    https://tarballs.openstack.org/ansible-hardening/

For more details, please see below.

16.0.0
^^^^^^

Prelude
*******

The first release of the Red Hat Enterprise Linux 7 STIG was entirely
renumbered from the pre-release versions. Many of the STIG configurations
simply changed numbers, but some were removed or changed. A few new
configurations were added as well.

New Features
************

* Deployers can now specify a custom package name or URL for an EPEL
  release package. CentOS systems use "epel-release" by default, but some
  deployers have a customized package that redirects servers to internal
  mirrors.

* Deployers can provide a customized login banner via a new Ansible
  variable: "security_login_banner_text". This banner text is used for
  non-graphical logins, which includes console and ssh logins.

* Fedora 26 is now supported.

* The password minimum and maximum lifetimes are now opt-in changes that
  can take action against user accounts instead of printing debug
  warnings. Refer to the documentation for STIG requirements V-71927 and
  V-71931 to review the opt-in process and warnings.

Upgrade Notes
*************

* The EPEL repository is only installed and configured when the deployer
  sets "security_enable_virus_scanner" to "yes". This allows the ClamAV
  packages to be installed. If "security_enable_virus_scanner" is set to
  "no" (the default), the EPEL repository will not be added. See Bug
  1702167 (https://bugs.launchpad.net/openstack-ansible/+bug/1702167) for
  more details.

* Deployers now have the option to prevent the EPEL repository from being
  installed by the role. Setting "security_epel_install_repository" to
  "no" prevents EPEL from being installed. This setting may prevent
  certain packages from installing, such as ClamAV.
Deprecation Notes
*****************

* Fedora 25 support is deprecated and no longer tested on each commit.

Security Issues
***************

* The security role will no longer fix file permissions and ownership
  based on the contents of the RPM database by default. Deployers can opt
  in for these changes by setting "security_reset_perm_ownership" to
  "yes".

* The tasks that search for ".shosts" and "shosts.equiv" files (STIG ID:
  RHEL-07-040330) are now skipped by default. The search takes a long
  time to complete on systems with lots of files and it also causes a
  significant amount of disk I/O while it runs.

* "PermitRootLogin" in the ssh configuration has changed from "yes" to
  "without-password". Root can still log in over ssh, but only with a
  key: password and keyboard-interactive authentication are refused for
  root while public-key authentication still works. OpenSSH 7.0 and later
  spell this setting "prohibit-password" and accept "without-password" as
  an alias for it.

* The latest version of the RHEL 7 STIG requires that a standard login
  banner is presented to users when they log into the system (V-71863).
  The security role now deploys a login banner that is used for console
  and ssh sessions.

* The "cn_map" permissions and ownership adjustments included as part of
  RHEL-07-040070 and RHEL-07-040080 have been removed. This STIG
  configuration was removed in the most recent release of the RHEL 7
  STIG.

* The PKI-based authentication checks for RHEL-07-040030, RHEL-07-040040,
  and RHEL-07-040050 are no longer included in the RHEL 7 STIG. The tasks
  and documentation for these outdated configurations are removed.

Bug Fixes
*********

* The sysctl configuration task was not skipping configurations where
  "enabled" was set to "no". Instead, it was removing those
  configurations from the system. The fix ensures that any sysctl
  configuration with "enabled: no" is skipped and the existing setting is
  left unaltered on the system.
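As an added example, not part of this announcement or of the role's own
code, the following playbook shows how a deployer applies the 16.0.0
opt-ins described in the notes above and then verifies that the sshd
change and the login banner actually took effect. The role name and the
"security_*" variables are the ones named in these notes; the "hardened"
inventory group, the "sshd -T" post-check and the expected strings in the
assert are assumptions of this example.

```yaml
# Added example: opt into the 16.0.0 behaviours and verify the result.
# Role name and security_* variables come from the release notes; the
# host group, the post-checks and their expected values are assumed.
- name: Apply ansible-hardening 16.0.0 with explicit opt-ins
  hosts: hardened          # assumed inventory group
  become: yes
  vars:
    # Upgrade note: EPEL is only added when the virus scanner is enabled.
    # Leaving this at the default "no" keeps EPEL (and ClamAV) off the host.
    security_enable_virus_scanner: no
    # Upgrade note: "no" blocks EPEL entirely; ClamAV then cannot install,
    # so keep this consistent with security_enable_virus_scanner.
    security_epel_install_repository: yes
    # Security note: RPM-based permission/ownership resets are now opt-in.
    # Run with "no" first, review what the role reports, then flip to "yes".
    security_reset_perm_ownership: no
    # New feature: banner shown on console and ssh logins (V-71863).
    security_login_banner_text: |
      Authorized use only. Activity on this system is monitored and recorded.
  roles:
    - ansible-hardening

  post_tasks:
    # sshd -T prints the effective configuration after parsing, so it
    # catches a later "PermitRootLogin yes" in an included file that a
    # grep of sshd_config alone would miss.
    - name: Read effective sshd settings
      command: sshd -T
      changed_when: false
      register: sshd_effective

    - name: Root may only log in over ssh with a key, and a banner is set
      assert:
        that:
          # OpenSSH >= 7.0 prints "prohibit-password" even when the file
          # says "without-password"; older releases echo the alias.
          - "'permitrootlogin prohibit-password' in sshd_effective.stdout or
             'permitrootlogin without-password' in sshd_effective.stdout"
          # sshd -T reports "banner none" when no Banner is configured.
          - "'banner none' not in sshd_effective.stdout"
        msg: "sshd is not in the state the 16.0.0 notes describe"
```

Run it against a staging host before production: with the
"security_reset_perm_ownership" opt-in still set to "no", the play is
safe to repeat, and the assert fails loudly if a local sshd include or a
later play reverts the root-login or banner settings.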
Changes in ansible-hardening 15.0.0.0rc1..16.0.0
------------------------------------------------

ebf3331 Final docs updates for Pike
8fa95bf Add release note for F26 support
24abca2 Check apparmor_status output
429906a Fix AppArmor idempotency
3e84ecd Updated from OpenStack Ansible Tests
53b578d Update vars and test tooling for Pike
619c22a Fedora 26 support
f576f24 Skip sysctl configs when enabled: no
ca9b2e2 Updated from global requirements
3c63217 Change default prohibit root sshd password auth
78d37af Manually check apparmor_status
5d11c8c Updated from global requirements
758eab9 Fix auditd remote conf check
458e0e4 Install libpam-pwquality on Ubuntu
f900089 Updated from OpenStack Ansible Tests
36b36b3 Re-organize defaults/main.yml
bcce655 Allow epel-release package name customization
a64c833 Conditionally install EPEL if needed
4449474 [Docs] Make install/usage docs more clear
e112b92 Fix grep for sudoers w/o password
d031846 Skip shadow checks for users w/o shadow data
923e219 [Docs] Adjust hardening domains page
6ae8823 Split long running tasks
4dd5e37 Avoid skipped package-related tasks
72afbcf Doc migration fixes
5ce112c Add equalto Jinja2 test for EL7
d2ab68b Correct the list of supported OS versions
f422da8 Add support for the openSUSE Leap distributions
93d05c5 tasks: rhel7stig: aide: Fix conditionals for Ubuntu exclusions
d996c60 tasks: rhel7stig: aide: Use 'aide -i' if 'aideinit' is not available
1a02653 Sync test files with the openstack-ansible-tests repository
90b1317 Trivial spelling fix
d3c74ec tasks: rhel7stig: sshd: Avoid using with_fileglob for remote hosts
76b51e3 Doc updates
2b14fca Ensure that role tests pin pip/setuptools/wheel
875f635 [Docs] Overhaul STIG by tag docs
75b29b6 Add release note for password lifetime patches
3699f90 Actually set min/max password lifetime for account
6c9c7fa Get a list of all users + interactive users
38270e7 [Docs] Replace security role references
68ecd21 Fix ansible-hardening references in tox/playbook
3633d35 Remove 'physical_host' from inventory
97186f8 Initial Fedora 25 support
25acbff Fix incorrect tag for V-71895
d2617c7 Fix incorrect tag for V-71899
33d1b71 Fix incorrect tag for V-72267
cbf46a1 Fix .gitreview
5743ea8 Fix AppArmor dmesg grep task
61516fb Don't install python-ndg_httpsclient
40c744c Add more test coverage
d7600f1 Fix bare jinja variable pam_password_file
4e9a8a1 Initial Debian 8 support
6e761ef Move tasks to 'accounts' file
ed8364e [Docs] Put FAQ after getting started docs
b83eb43 [Docs] Fix missing hyphen in status
5eb302c Fix numbering in AIDE config block
6ca676b Updated from global requirements
1525402 Enable auto-upgrade in the gate
45fd0a2 Check for grub2 defaults file
38255a8 Use zuul-cloner for tests repo in OpenStack-CI
1819c42 Configure AIDE before initial run
6a4f806 Remove test_plugins directory
5ef94bf Fix security role gate
d4daf7e Update docs for Pike
a547739 Cleanup tox.ini
d833671 Fix warnings about jinja2 in when
5a4efe7 Maintain default ansible parameters
ab9357d Skip ClamAV db update in gate
c09763e Adjust readme/meta for Ansible 2.3
9361a14 Do not update grub if grub not used
005fa52 Make login banner customizable
1a1bc2b [Docs] Fix docs for V-72055
701c0b1 Fix path to daemon init params file
9d745ec Remove end spaces in STIG XML
dccce1d Handle RHEL 7 STIG renumbering
c1780c7 Change PASS_WARN_DAYS --> PASS_WARN_AGE
78d844a Rename vars/common.yml to vars/main.yml
12dd05b Install EPEL for security role
9efb815 Make .shosts search/removal opt in
8f7d132 Fix selinux check when disabled
209ce55 Add missing STIG ID tags
7caec98 Disable file perm/ownership reset
58038d4 Install python2-pyOpenSSL package on CentOS
13ef9cf Replace always_run with check_mode
c7d9a79 Updated from global requirements
4cb2fa4 Enable ntp client functionality with chronyd
2e5fe3b Only enable ssh, not start
4a23bc8 Use async for RPM verification
a2b3fe1 Use async for updating ClamAV DB
9af2e9e Use async for file perms corrections
389cccf Updated from global requirements
b840612 Fix the regex
a7c9d27 Updated from global requirements
1bd5dcc Correct minimum Ansible version in readme
455243c Typo fix: unneccessary => unnecessary
215fb08 Use https instead of http for git.openstack.org
600e5ab Replaces yaml.load() with yaml.safe_load()
78f0c9b Update reno for stable/ocata
c15d75e Configure pam_faildelay on Ubuntu

Diffstat (except docs and test files)
-------------------------------------

 .gitignore | 10 +-
 .gitreview | 3 +-
 README.md | 34 +-
 README.rst | 6 +-
 Vagrantfile | 82 +-
 bindep.txt | 49 +-
 defaults/main.yml | 617 +-
 ...Enterprise_Linux_7_STIG_V1R0-2_Manual-xccdf.xml | 10364 ----------------
 ...t_Enterprise_Linux_7_STIG_V1R1_Manual-xccdf.xml | 12082 +++++++++++++++++++
 files/V-38682-modprobe.conf | 2 +-
 files/aide_extra.conf | 14 -
 files/zypper-autoupdates | 3 +
 handlers/main.yml | 2 +
 meta/main.yml | 19 +-
 ...tom-epel-release-packages-b409be1aa46ee9c3.yaml | 6 +
 ...onditionally-install-epel-9e8e1b67e5943019.yaml | 16 +
 ...zable-login-banner-string-d8d5ae874e8e49f3.yaml | 6 +
 ...-rpm-perms-fix-by-default-b164e39717f0ada7.yaml | 6 +
 .../notes/fedora-26-support-70a304f9c97d1b37.yaml | 5 +
 .../password-lifetime-opt-in-c380f0ec81daffd0.yaml | 7 +
 ...shosts-file-search-opt-in-887f600a79eef07e.yaml | 7 +
 ...skip-sysctl-when-disabled-b32eca48df5b1437.yaml | 10 +
 ...ot-login-without-password-948ec79c6508c19b.yaml | 6 +
 ...sion-1-renumbering-fiesta-aa047fea3ea35e74.yaml | 20 +
 releasenotes/source/conf.py | 15 +-
 releasenotes/source/index.rst | 1 +
 releasenotes/source/ocata.rst | 6 +
 setup.cfg | 2 +-
 setup.py | 2 +-
 tasks/main.yml | 14 +-
 tasks/rhel6stig/apt.yml | 2 +-
 tasks/rhel6stig/auth.yml | 4 +-
 tasks/rhel6stig/file_perms.yml | 4 +-
 tasks/rhel6stig/main.yml | 7 +
 tasks/rhel6stig/misc.yml | 8 +
 tasks/rhel6stig/sshd.yml | 28 +-
 tasks/rhel7stig/accounts.yml | 249 +
 tasks/rhel7stig/aide.yml | 100 +-
 tasks/rhel7stig/apt.yml | 67 +-
 tasks/rhel7stig/async_tasks.yml | 45 +
 tasks/rhel7stig/auditd.yml | 132 +-
tasks/rhel7stig/auth.yml | 427 +- tasks/rhel7stig/dnf.yml | 93 + tasks/rhel7stig/file_perms.yml | 71 +- tasks/rhel7stig/graphical.yml | 55 +- tasks/rhel7stig/kernel.yml | 37 +- tasks/rhel7stig/lsm.yml | 66 +- tasks/rhel7stig/main.yml | 42 +- tasks/rhel7stig/misc.yml | 79 +- tasks/rhel7stig/packages.yml | 73 +- tasks/rhel7stig/rpm.yml | 58 +- tasks/rhel7stig/sshd.yml | 78 +- tasks/rhel7stig/yum.yml | 41 + tasks/rhel7stig/zypper.yml | 101 + templates/chrony.conf.j2 | 5 +- templates/dconf-screensaver-lock.j2 | 8 +- templates/dconf-session-user-config-lockout.j2 | 2 +- templates/osas-auditd-rhel7.j2 | 46 +- templates/pam_faillock.j2 | 2 +- templates/sshd_config_block.j2 | 36 +- test-requirements.txt | 11 +- tox.ini | 41 +- vars/common.yml | 337 - vars/debian.yml | 169 + vars/main.yml | 342 +- vars/redhat.yml | 22 +- vars/suse.yml | 102 + vars/ubuntu.yml | 159 - 576 files changed, 19001 insertions(+), 16214 deletions(-) Requirements updates -------------------- diff --git a/test-requirements.txt b/test-requirements.txt index 326f6eb..6c9394a 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -6 +6 @@ flake8<2.6.0,>=2.5.4 # MIT -pyasn1 # BSD +pyasn1!=0.2.3 # BSD @@ -8 +8 @@ pyOpenSSL>=0.14 # Apache-2.0 -requests!=2.12.2,>=2.10.0 # Apache-2.0 +requests>=2.14.2 # Apache-2.0 @@ -12,3 +12,2 @@ ndg-httpsclient>=0.4.2;python_version<'3.0' # BSD -sphinx!=1.3b1,<1.4,>=1.2.1 # BSD -oslosphinx>=4.7.0 # Apache-2.0 -openstackdocstheme>=1.5.0 # Apache-2.0 +sphinx>=1.6.2 # BSD +openstackdocstheme>=1.16.0 # Apache-2.0 @@ -16 +15 @@ doc8 # Apache-2.0 -reno>=1.8.0 # Apache-2.0 +reno!=2.3.1,>=1.8.0 # Apache-2.0
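Review bot: the new "pyasn1!=0.2.3" exclusion in the "@@ -6 +6 @@" hunk carries no reason. The changelog attributes these bumps to "Updated from global requirements", so a short trailing comment or a pointer to the corresponding global-requirements change would tell the next person whether the exclusion can be dropped later.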
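Review bot: in the "@@ -8 +8 @@" hunk, raising the floor to "requests>=2.14.2" makes the old "!=2.12.2" exclusion redundant, so dropping both in one step is correct; as with the other hunks, a note on why 2.14.2 is the new minimum would help when this file is next synced.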
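Review bot: the "@@ -12,3 +12,2 @@" hunk removes "oslosphinx>=4.7.0" outright while lifting the "<1.4" ceiling on sphinx and moving openstackdocstheme to ">=1.16.0"; the diffstat shows "releasenotes/source/conf.py | 15 +-" changed, so confirm that no "oslosphinx" extension reference remains in that conf (or in the docs conf, which the diffstat excludes), otherwise the docs build fails to import it. The unchanged context line "ndg-httpsclient>=0.4.2;python_version<'3.0'" also still lists a package the changelog says is no longer installed ("61516fb Don't install python-ndg_httpsclient"); check whether that test requirement is still needed.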
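Review bot: "reno!=2.3.1,>=1.8.0" in the "@@ -16 +15 @@" hunk adds another unexplained version exclusion, same point as for pyasn1 above; a comment on why 2.3.1 is skipped would help.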
participants (1)
-
no-reply@openstack.org