[openstack-dev] [openstack-ansible][security] Should the playbook stop on certain tasks?
major at mhtx.net
Mon Feb 8 13:35:33 UTC 2016
On 02/08/2016 06:40 AM, Jesse Pretorius wrote:
> Darren's reply is interesting and perhaps worth consideration. As far as I recall the security role adopted the STIG primarily because it was the only openly available set of standards that didn't require licensing. If there are other options to explore and ways to consume them, then perhaps that should be an initiative for the Newton cycle?
That's right. After direct conversations with CIS, we found that the licensing and restricted use of the security benchmarks wouldn't allow us to use them in OpenStack projects. That could change in the future, but that's what exists at the moment. The STIG was chosen since it's widely adopted and it is in the public domain.
It could be interesting to take an XCCDF/OVAL dump and try to implement it in an automated way with Ansible. Creating the XCCDF XML isn't easy (nor fun), but that could be an option, too.
Darren's point about using vendor-provided hardening standards for Red Hat, Fedora, and Solaris is a good one. This could be very useful if the multi-os support for OpenStack-Ansible comes together. It's a shame that Ubuntu doesn't have a comprehensive XCCDF profile available as the other distributions do. :/
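The XCCDF-to-Ansible idea mentioned above, worked through as an added example (this is not code from the openstack-ansible security role or from the original mail). It resolves an XCCDF 1.2 Profile to its selected Rules, honouring the Rule-level `selected` default and the Profile's `select` overrides, pulls out each Rule's OVAL definition reference, and emits an Ansible playbook in which high-severity rules stop the run while lower-severity ones are allowed to fail. The benchmark document is constructed for the example and is not a real STIG or SCAP Security Guide profile; the `rules/<rule-id>.yml` task files and the severity-based stop policy are assumptions about how such a generator would be laid out.

```python
"""Resolve an XCCDF 1.2 profile and emit an Ansible playbook skeleton (added example)."""
import json
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"x": XCCDF_NS}

# Constructed sample benchmark for this example only; not a real STIG document.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_demo">
  <title>Example benchmark</title>
  <Profile id="xccdf_example_profile_strict">
    <title>Strict profile</title>
    <select idref="xccdf_example_rule_ssh_root_login" selected="true"/>
    <select idref="xccdf_example_rule_tmp_noexec" selected="true"/>
    <select idref="xccdf_example_rule_banner" selected="false"/>
  </Profile>
  <Group id="xccdf_example_group_ssh">
    <title>SSH</title>
    <Rule id="xccdf_example_rule_ssh_root_login" severity="high" selected="false">
      <title>Disable root login over SSH</title>
      <check system="{OVAL_SYSTEM}">
        <check-content-ref href="example-oval.xml" name="oval:example:def:1"/>
      </check>
    </Rule>
    <Rule id="xccdf_example_rule_banner" severity="low" selected="true">
      <title>Set SSH login banner</title>
      <check system="{OVAL_SYSTEM}">
        <check-content-ref href="example-oval.xml" name="oval:example:def:2"/>
      </check>
    </Rule>
  </Group>
  <Group id="xccdf_example_group_fs">
    <title>Filesystem</title>
    <Rule id="xccdf_example_rule_tmp_noexec" severity="medium" selected="true">
      <title>Mount /tmp with noexec</title>
      <check system="{OVAL_SYSTEM}">
        <check-content-ref href="example-oval.xml" name="oval:example:def:3"/>
      </check>
    </Rule>
    <Rule id="xccdf_example_rule_default_off" severity="medium" selected="false">
      <title>Rule not selected by default</title>
    </Rule>
  </Group>
</Benchmark>
"""


def resolve_profile(xccdf_xml, profile_id):
    """Return the rules a profile selects, with severity and OVAL definition id."""
    root = ET.fromstring(xccdf_xml)
    profile = root.find(f"x:Profile[@id='{profile_id}']", NS)
    if profile is None:
        raise KeyError(f"no Profile with id {profile_id!r}")
    # Profile <select> elements override the Rule's own selected attribute.
    overrides = {}
    for sel in profile.findall("x:select", NS):
        overrides[sel.get("idref")] = sel.get("selected", "true") == "true"
    rules = []
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        rule_id = rule.get("id")
        # XCCDF: a Rule with no selected attribute is selected by default.
        selected = overrides.get(rule_id, rule.get("selected", "true") == "true")
        if not selected:
            continue
        ref = rule.find(f"x:check[@system='{OVAL_SYSTEM}']/x:check-content-ref", NS)
        rules.append({
            "id": rule_id,
            "title": rule.findtext("x:title", default="", namespaces=NS),
            "severity": rule.get("severity", "unknown"),
            "oval_definition": ref.get("name") if ref is not None else None,
        })
    return rules


# Assumed policy: only these severities abort the play when their task fails.
STOP_ON = frozenset({"high"})


def to_ansible_tasks(rules, stop_on=STOP_ON):
    """Map each selected rule to a task importing an assumed rules/<id>.yml file."""
    return [{
        "name": f"{rule['id']}: {rule['title']}",
        "ansible.builtin.import_tasks": f"rules/{rule['id']}.yml",
        "tags": [rule["id"], rule["severity"]],
        # ignore_errors on import_tasks is inherited by the imported tasks.
        "ignore_errors": rule["severity"] not in stop_on,
    } for rule in rules]


def render_playbook(tasks, hosts="all"):
    """JSON is valid YAML, so the output can be fed to ansible-playbook as-is."""
    return json.dumps([{"hosts": hosts, "become": True, "tasks": tasks}], indent=2)


if __name__ == "__main__":
    selected = resolve_profile(SAMPLE_XCCDF, "xccdf_example_profile_strict")
    print(render_playbook(to_ansible_tasks(selected)))
```

Note that `xccdf_example_rule_banner` is selected on the Rule itself but deselected by the profile, and `xccdf_example_rule_ssh_root_login` is the reverse; getting that precedence right is the part of XCCDF profile handling that is easy to miss when scripting against a benchmark dump.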