[openstack-announce] [new][openstackansible] openstack-ansible-security 12.0.14 release

no-reply at openstack.org
Thu Jun 2 20:17:52 UTC 2016


We are excited to announce the release of:

openstack-ansible-security 12.0.14: Security hardening role for
openstack-ansible

For more details, please see below.

12.0.14
^^^^^^^

Bug Fixes

* The dictionary-based variables in "defaults/main.yml" are now
  individual variables. The dictionary-based variables could not be
  changed as the documentation instructed. Instead it was required to
  override the entire dictionary. Deployers must use the new variable
  names to enable or disable the security configuration changes
  applied by the security role. For more information, see Launchpad
  Bug 1577944
  (https://bugs.launchpad.net/openstack-ansible/+bug/1577944).

* Failed access logging is now disabled by default and can be
  enabled by changing "security_audit_failed_access" to "yes". The
  rsyslog daemon checks for the existence of log files regularly and
  this audit rule was triggered very frequently, which led to very
  large audit logs.

* The security role now handles "ssh_config" files that contain
  "Match" stanzas. A marker is added to the configuration file and any
  new configuration items will be added below that marker. In
  addition, the configuration file is validated each time it is
  changed.
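
The Match handling in the last item, as an added illustration (not code from the openstack-ansible-security role): a Match stanza runs to the next Match line or the end of the file, so a setting appended after one stops being global. The marker text, the function names, the sample file and the choice to place the marker just above the first Match stanza are all assumptions made for this sketch.

```python
# Added illustration, not the role's code. MARKER and all names are hypothetical.
MARKER = "# BEGIN hardening settings (hypothetical marker)"

# Constructed sample sshd_config with one Match stanza.
SAMPLE = """\
Port 22
Protocol 2
Match User sftponly
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp
"""
DIRECTIVES = ["PermitEmptyPasswords no", "X11Forwarding no"]


def first_match_index(lines):
    """Index of the first Match line, or len(lines) if there is none."""
    for i, line in enumerate(lines):
        if line.strip().lower().startswith("match "):
            return i
    return len(lines)


def global_settings(config):
    """Return {keyword: value} for directives that apply to every connection."""
    lines = config.splitlines()
    settings = {}
    for line in lines[:first_match_index(lines)]:
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            # sshd keeps the first value it reads for a keyword
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def naive_append(config, directives):
    """Append at end of file: lands inside the last Match stanza."""
    return config.rstrip("\n") + "\n" + "\n".join(directives) + "\n"


def add_below_marker(config, directives):
    """Insert directives directly below MARKER, creating it above the first Match."""
    lines = config.splitlines()
    if MARKER not in lines:
        lines.insert(first_match_index(lines), MARKER)
    at = lines.index(MARKER) + 1
    already_global = {l.strip() for l in lines[:first_match_index(lines)]}
    lines[at:at] = [d for d in directives if d not in already_global]
    return "\n".join(lines) + "\n"
```

A candidate file produced this way can be checked with `sshd -t -f <file>` before it replaces the live configuration, which is one way to perform the validation the release note mentions.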

Changes in openstack-ansible-security 12.0.0..12.0.14
-----------------------------------------------------

d90908f Handle Match properly in sshd_config
d31fe31 Removing equal signs in docs
b5cdff7 Switch from dict to individual variables
5c6317b Adding release note that should have backported
437aa54 Doc updates
3bf6b32 Add dependencies for paramiko 2.0
61506eb Add .swp files to .gitignore
8db2a82 Disable failed access auditd logging
556de08 Fix flake8 violation in conf.py
1300199 Update .gitreview for Liberty

Diffstat (except docs and test files)
-------------------------------------

.gitignore                                         |   4 +
.gitreview                                         |   1 +
defaults/main.yml                                  | 103 ++++----
other-requirements.txt                             |   4 +
releasenotes/notes/.placeholder                    |   0
...tionary-variables-removed-957c7b7b2108ba1f.yaml |   9 +
...iled-access-audit-logging-789dc01c8bcbef17.yaml |   6 +
...ndling-sshd-match-stanzas-fa40b97689004e46.yaml |   7 +
releasenotes/source/_static/.placeholder           |   0
releasenotes/source/_templates/.placeholder        |   0
releasenotes/source/conf.py                        | 274 +++++++++++++++++++++
releasenotes/source/index.rst                      |  10 +
releasenotes/source/liberty.rst                    |   6 +
releasenotes/source/mitaka.rst                     |   6 +
releasenotes/source/unreleased.rst                 |   5 +
tasks/auth.yml                                     |   4 +-
tasks/kernel.yml                                   |  14 +-
tasks/services.yml                                 |  26 +-
tasks/sshd.yml                                     |  74 +++++-
templates/osas-auditd.j2                           |  50 ++--
test-requirements.txt                              |   1 +
tox.ini                                            |   3 +
57 files changed, 615 insertions(+), 179 deletions(-)


Requirements updates
--------------------

diff --git a/other-requirements.txt b/other-requirements.txt
index 6eac5c2..67cd643 100644
--- a/other-requirements.txt
+++ b/other-requirements.txt
@@ -16,0 +17,4 @@ curl
+
+# Requirements for Paramiko 2.0
+libssl-dev
+libffi-dev
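Review bot: the two added packages, libssl-dev and libffi-dev, are Debian/Ubuntu package names with no platform selector, so if this file is consumed by bindep on an RPM-based host the names will not resolve. Mark them with a "[platform:dpkg]" selector and add the rpm equivalents if those platforms are tested. The comment "Requirements for Paramiko 2.0" would also age better if it said these are the headers needed to build the cryptography library that Paramiko 2.0 depends on.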
diff --git a/test-requirements.txt b/test-requirements.txt
index 3422d65..a7c89ef 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -8,0 +9 @@ oslosphinx>=2.5.0 # Apache-2.0
+reno>=0.1.1 # Apache-2.0
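Review bot: "reno>=0.1.1" sets only a lower bound, which matches the oslosphinx context line, but the diffstat shows a new 274-line releasenotes/source/conf.py whose build depends on whichever reno version gets installed. Confirm the release-notes build was run against the lowest allowed version, or raise the floor to the version that was actually tested.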




