openstack-ansible-security 15.0.0 (ocata)
We are tickled pink to announce the release of:

openstack-ansible-security 15.0.0: OpenStack-Ansible: Host security hardening

This release is part of the ocata release series.

Download the package from:

    https://tarballs.openstack.org/ansible-hardening/

For more details, please see below.

Changes in openstack-ansible-security 14.0.0.0rc2..15.0.0
---------------------------------------------------------

2d4fb83 Add missing STIG ID tags
82cc48f Install python2-pyOpenSSL package on CentOS
333d11c Install python2-pyOpenSSL package on CentOS
dcad939 Only enable ssh, not start
656dad3 Use async for file perms corrections
9f4a20d Use async for updating ClamAV DB
602f3e0 Use async for RPM verification
a678596 Fix the regex
9b820be Update repo for stable/ocata
4c23bf1 Update UPPER_CONSTRAINTS_FILE for stable/ocata
bf514f7 Update .gitreview for stable/ocata
1025238 Restore RHEL 6 STIG content gating
8d223fe Move test plugins into security role
87b635e Always check for EFI
b14056e Don't fail when checking for FIPS
dc8dc3d Install chrony when enabled in RHEL7 STIG
dc949de Add Ubuntu audit packages for RHEL 7 STIG
cdcfb46 Fix clamav_service variable to "clamav-daemon"
6f6c08f Enable RHEL 7 STIG tasks as default [+Docs]
cd0fad3 Make umask change opt-in
354b87c Fix copy/paste error in task name
c322abe Updated from global requirements
ea8a0f0 Remove groupby filter to avoid bug
30ad9d5 DOC Remove some repeated words
f69e851 Updated the broken link
672c028 Fix pip check in run_tests.sh
2a11c9c Add openstack-ansible-plugins dependency
cce8ed6 Update and clean up run_tests.sh
17a4661 Fix invalid user/group checks bug
3e908d3 Handle SELinux properly when it is disabled
3942b20 Unblock security role gate
f60dc47 Fix a typo
de5f161 Updated from global requirements
9294b06 [Docs] Exceptions for user init files
8e82b13 Set cron.allow owner/group owner [+Docs]
c0517ec Find world-writable dirs with bad group owners
5fdee29 Set home dir mode/owner/group owner [+Docs]
ce386ec Add libxslt headers to bindep
1cf9fba Enable FIPS [+Docs]
111fa30 [Docs] Fix missing code-block property
61dd6e6 [Docs] Update for RHEL7 STIG
a0b88da Add checks for remote syslog [+Docs]
71a3847 Fix issues from new CentOS 7 release
325fe75 Ensure separate filesystems exist [+Docs]
f92f29d Set permissions on sshd host keys [+Docs]
7534fba Check for default SNMP comm strings [+Docs]
5b06a44 Check for TFTP secure mode [+Docs]
fc2c356 Restrict mail relaying [+Docs]
14fa6e5 Enable chrony [+Docs]
b1435ff Set TMOUT variable for all sessions [+Docs]
81807a1 Check for promiscuous interfaces [+Docs]
553ad01 Set action_email_acct in auditd [+Docs]
9f3921a Set space_left_action in auditd [+Docs]
42ca47b Set space_left in auditd [+Docs]
efbeb69 Add AIDE checks for ACL/xattrs [+Docs]
af84a27 Remove .shosts/shosts.equiv files [+Docs]
28cd873 Check for pam_lastlogin [+Docs]
404175d Check for cackey/coolkey values [+Docs]
4bee87b Check for ocsp_on in PKCS config [+Docs]
280e797 Set grub2 password [+Docs]
e5db852 Enable automatic package updates [+Docs]
505a4a9 Enable AIDE [+Docs]
0e05d2e Search for unlabeled device files [+Docs]
46bb44c [Docs] User init file exceptions
222627c [Docs] Refer to other control for firewalld
2944081 [Docs] Exception: firewall port auditing
0e8feaf Verify password age limits [+Docs]
d5ee4c3 Check for groups that don't exist [+Docs]
30c225b Extend get_users module to get groups
9c7b923 [Docs] Exception for firewalld config
d63a709 [Docs] Exception: Disable syslog reception
3d51712 [Docs] Exception: Add AUTH_GSS for NFS
fd4fa2d Set audisp failure options [+Docs]
806e364 Set maxlogins limit [+Docs]
2a17cd1 Disable accounts w/expired passwords [+Docs]
655b5f9 [Docs] Add missing docs for GSSAPI
e841a78 [Docs] Docs for TFTP server removal
c9aaf90 [Docs] Fix swapped docs
69db20a [Docs] Exception: grub on removable media
25f3d5c [Docs] Exception: logging level
5559b1c [Docs] Virus definition update frequency
1487c85 [Docs] Fix broken/missing auditd docs
439cd3d Enable/start auditd [+Docs]
85a337b [Docs] Exception for cron logging
21454af Disable kdump [+Docs]
83fe89e [Docs] Exception for user init file umask
ec68313 [Docs] Exceptions for filesystem mounts
4e8bf67 Trivial fix to the documentation
2ac6dd6 [Docs] Exception for removing unnecessary accounts
ab8cdc3 Fix status/tag for RHEL-07-010040
971c6df [Docs] Exception for removing default accounts
fa65790 Apply pam_faillock restrictions [+Docs]
113947b Delete deprecated Hacking in tox.ini
8ad6816 Set minimum password length [+Docs]
708cb62 Prevent password re-use [+Docs]
e06fc87 Ensure prep tasks have 'always' tag
0eef112 Refactor login.defs adjustments [+Docs]
711dc28 Updated from global requirements
f9a3a16 Check for two nameservers [+Docs]
0085792 Add firewalld rate limit rule [+Docs]
61dbdd6 Check for SHA512 password storage [+Docs]
3fa6fd2 Display MOTD warning banner [+Docs]
51bd12f Point roles docs bugs to openstack-ansible LP
e84a295 [Docs] Enable graphical login banner
992f196 Enable sshd [+Docs]
c777f73 Enable firewalld [+Docs]
40ca9cf Disable ctrl-alt-del key sequence [+Docs]
9880ceb Disable autofs [+Docs]
c229c43 Find files/dirs without valid owners [+Docs]
8fe505e Expire cached sssd authenticators [+Docs]
f61fc49 Require auth for sudo [+Docs]
fce1e4f Verify that home directories exist [+Docs]
acdd6d5 Create home directories by default [+Docs]
66ebdc9 Check for users w/o home dirs [+Docs]
637d0f3 Set lifetime limits for passwords [+Docs]
0eece28 Set auditd failure flag [+Docs]
3efe849 Enable SELinux/AppArmor [+Docs]
dcb3034 [Docs] Exceptions for disk encryption
aacea94 Disable usb-storage module [+Docs]
2739579 [Docs] Exception for SELinux user confinement
63a900f [Docs] Exception for MFA/smartcards
29cbeb5 [Docs] Apply password quality rules
06090a2 Ensure libuser crypt_style is SHA512 [+Docs]
63131e0 Ensure passwords hashed with SHA512 [+Docs]
c59d5b6 Apply password quality rules
b8597c8 [Docs] Capitalize severity
04ff6e1 Show team and repo badges on README
4c79244 Move common variables to common.yml
53ffc83 Use dynamic includes for speedup
85630fd Enable graphical login banner
57748b7 Correct lineinfile option
60a8205 [Docs] Refactor auditd rules
ff5bbe1 Refactor auditd rules
5c97321 Move clamav packages to rhel7 vars
6f256af [Docs] Set cn_map permissions/owner
6a3ee0f Set cn_map permissions/owner
4c91f21 Fix stig_packages_rhel7 typo
716232c [Docs] Securing sysctl configurations
746816c Securing sysctl configurations
1435ce5 [Doc] Exceptions for LDAP SSL/TLS checks
401f321 [Docs] Exception for PKI revocation
300c9f8 Check for other UID 0 accounts
215001c Add exception for supported release check
f23aace Handle sshd_config without Match properly
8868011 Disable repo GPG checks by default
8efb235 Change package state to 'present'
3c0cc41 Enable virus scanner
770b2ad [Docs] Set graphical session locks
5fbc456 Set graphical session locks
db2663b Automatically remove package deps
4405271 [Docs] Configure sshd based on the RHEL 7 STIG
1335d0b [Docs] Audit rules
09487fd Add template for audit rules
235ee06 Use ansible_service_mgr fact
9d12469 [Docs] Declutter controls listing
14baa91 [Docs] Exception for RHEL-07-040830
365ad65 Configure sshd based on the RHEL 7 STIG
f383afe Encrypt transmitted audit logs
8daae8c Transmit audit logs to other servers
a3e0f68 Remove deprecated always_run
9e66cde [Docs] Auditing setuid/setgid applications
35fa42e Refactor package removal
9d74dbd Install screen and ssh client/server
1f557eb Fix tags
0df4169 GPG verification for packages
e5f3528 Remove packages according to STIG
fec2cb3 Add conf file entry for chrony
23af709 Fix auditd restart handler
d63b6ce Remove ansible<2.2 apt cache hack
784a38e Speed up package install/removal
0b2a381 Fix linting issues for ansible-lint 3.4.1
7f7d1da [Docs] Adjust docs for Ocata
20976bc Updated from global requirements
8424eb4 Replace github with git.o.o
e4d3ea4 Add RHEL-07-010430 and RHEL-07-010431
19cfb16 [Docs] Add 'only' to clarify status
0637257 Add RHEL-07-010270 (ssh - empty password)
de92fbd [Docs] Fix indentation for bullets
bc9cc7b Fix stdout_lines check
1a0724d Security: Add tasks for RHEL-07-010260
0a7a993 Security: Add tasks for RHEL-07-010020
6971f03 Security: Add tasks for RHEL-07-010010
eed96b4 Use upper constraints for all tox targets
13e3fd4 Security: Remove quotes from extra vars
90c3630 Use centralised Ansible test scripts
c906216 Enable release notes translation
3fdc656 Initial docs scaffolding for RHEL 7 STIG
b87effb Add dividers to defaults/main.yml
4e7e57a Skip some test assertions for RHEL7 STIG
687dcdc Remove install_test_packages variable
d001b9d Initial scaffolding for RHEL 7 STIG
401ccd7 Skip V-38620 (chrony) in gate
4913b29 Updated from global requirements
b8c7c40 Update reno for stable/newton
ec1b42a Use centralised test scripts

Diffstat (except docs and test files)
-------------------------------------

.gitignore | 4 +-
.gitreview | 1 +
README.md | 2 +-
README.rst | 9 +
bindep.txt | 6 +-
defaults/main.yml | 302 +-
...Enterprise_Linux_7_STIG_V1R0-2_Manual-xccdf.xml | 10364 +++++++++++++++++++
files/aide_extra.conf | 14 +
files/dconf-profile-gdm | 3 +
files/dconf-user-profile | 2 +
handlers/main.yml | 25 +-
library/get_users | 122 +
manual-test.rc | 2 +-
.../chrony-config-variable-7a1a7862c05c9675.yaml | 5 +
.../package-state-present-951161faa5384abd.yaml | 7 +
.../notes/rhel7-stig-default-f6c7c97498a8b2e7.yaml | 19 +
releasenotes/source/conf.py | 3 +
releasenotes/source/index.rst | 1 +
releasenotes/source/newton.rst | 6 +
tasks/aide.yml | 115 -
tasks/apt.yml | 112 -
tasks/auditd.yml | 313 -
tasks/auth.yml | 467 -
tasks/boot.yml | 66 -
tasks/console.yml | 59 -
tasks/file_perms.yml | 184 -
tasks/kernel.yml | 222 -
tasks/lsm.yml | 83 -
tasks/mail.yml | 92 -
tasks/main.yml | 52 +-
tasks/misc.yml | 375 -
tasks/nfsd.yml | 74 -
tasks/rhel6stig/aide.yml | 94 +
tasks/rhel6stig/apt.yml | 129 +
tasks/rhel6stig/auditd.yml | 290 +
tasks/rhel6stig/auth.yml | 408 +
tasks/rhel6stig/boot.yml | 66 +
tasks/rhel6stig/console.yml | 61 +
tasks/rhel6stig/file_perms.yml | 188 +
tasks/rhel6stig/kernel.yml | 222 +
tasks/rhel6stig/lsm.yml | 52 +
tasks/rhel6stig/mail.yml | 72 +
tasks/rhel6stig/main.yml | 42 +
tasks/rhel6stig/misc.yml | 339 +
tasks/rhel6stig/nfsd.yml | 74 +
tasks/rhel6stig/rpm.yml | 125 +
tasks/rhel6stig/services.yml | 167 +
tasks/rhel6stig/sshd.yml | 234 +
tasks/rhel7stig/aide.yml | 102 +
tasks/rhel7stig/apt.yml | 92 +
tasks/rhel7stig/auditd.yml | 186 +
tasks/rhel7stig/auth.yml | 521 +
tasks/rhel7stig/file_perms.yml | 187 +
tasks/rhel7stig/graphical.yml | 154 +
tasks/rhel7stig/kernel.yml | 94 +
tasks/rhel7stig/lsm.yml | 89 +
tasks/rhel7stig/main.yml | 86 +
tasks/rhel7stig/misc.yml | 408 +
tasks/rhel7stig/packages.yml | 90 +
tasks/rhel7stig/rpm.yml | 71 +
tasks/rhel7stig/sshd.yml | 108 +
tasks/rpm.yml | 109 -
tasks/services.yml | 312 -
tasks/sshd.yml | 234 -
templates/chrony.conf.j2 | 2 +-
templates/dconf-gdm-banner-message.j2 | 3 +
templates/dconf-screensaver-lock.j2 | 24 +
templates/dconf-session-user-config-lockout.j2 | 8 +
templates/osas-auditd-rhel7.j2 | 97 +
templates/osas-auditd.j2 | 6 +
templates/pam_faillock.j2 | 3 +
templates/pwquality.conf.j2 | 8 +
templates/sshd_config_block.j2 | 58 +
test-requirements.txt | 12 +-
tox.ini | 180 +-
vars/common.yml | 337 +
vars/main.yml | 30 +-
vars/redhat.yml | 150 +-
vars/ubuntu.yml | 134 +-
351 files changed, 20987 insertions(+), 3345 deletions(-)

Requirements updates
--------------------

diff --git a/test-requirements.txt b/test-requirements.txt
index 73b06a3..326f6eb 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -8 +8 @@ pyOpenSSL>=0.14 # Apache-2.0
-requests>=2.10.0 # Apache-2.0
+requests!=2.12.2,>=2.10.0 # Apache-2.0
@@ -12,2 +12,2 @@ ndg-httpsclient>=0.4.2;python_version<'3.0' # BSD
-sphinx!=1.3b1,<1.3,>=1.2.1 # BSD
-oslosphinx!=3.4.0,>=2.5.0 # Apache-2.0
+sphinx!=1.3b1,<1.4,>=1.2.1 # BSD
+oslosphinx>=4.7.0 # Apache-2.0
@@ -16,3 +16,3 @@ doc8 # Apache-2.0
-reno>=1.8.0 # Apache2
-Jinja2>=2.8 # BSD License (3 clause)
-lxml>=2.3 # BSD
+reno>=1.8.0 # Apache-2.0
+Jinja2!=2.9.0,!=2.9.1,!=2.9.2,!=2.9.3,!=2.9.4,>=2.8 # BSD License (3 clause)
+lxml!=3.7.0,>=2.3 # BSD
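Review bot: in the first hunk (`@@ -8 +8 @@`), the new `requests!=2.12.2,>=2.10.0` exclusion carries no explanation, so a later reader cannot tell whether the exclusion can be lifted; add a short trailing note naming the reason, and keep that rationale in the upstream global-requirements change, since this file is periodically overwritten from there (see the several "Updated from global requirements" commits listed above) and an undocumented local exclusion would be silently dropped or re-added on the next sync.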
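Review bot: the second hunk (`@@ -12,2 +12,2 @@`) raises the oslosphinx floor from `>=2.5.0` to `>=4.7.0` in one step and widens sphinx to `<1.4` on a stable branch, which only gives a reproducible docs build if the docs tox target actually resolves these against the stable/ocata upper-constraints file (the changelog records "Use upper constraints for all tox targets" and "Update UPPER_CONSTRAINTS_FILE for stable/ocata"); please confirm that target is constrained, because a bare floor otherwise admits any newer, untested release. Dropping `!=3.4.0` from the oslosphinx line is correct, as the new floor already excludes that version.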
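Review bot: in the third hunk (`@@ -16,3 +16,3 @@`), the five-version Jinja2 exclusion (`!=2.9.0` through `!=2.9.4`) and `lxml!=3.7.0` are undocumented in the file; Jinja2 renders every template this release adds under templates/ (sshd_config_block.j2, pam_faillock.j2, pwquality.conf.j2, the dconf and auditd templates), so a defective Jinja2 release changes the security configuration written to hosts, and the reason for excluding exactly those versions should sit beside the line so the pin is lifted deliberately rather than by accident. The `reno` comment change from `Apache2` to `Apache-2.0` is cosmetic and brings the line in line with the other license comments.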
participants (1)
-
no-reply@openstack.org