[openstack-dev] [openstack-ansible][security] Should the playbook stop on certain tasks?

Major Hayden major at mhtx.net
Mon Feb 8 13:35:33 UTC 2016



On 02/08/2016 06:40 AM, Jesse Pretorius wrote:
> Darren's reply is interesting and perhaps worth consideration. As far as I recall the security role adopted the STIG primarily because it was the only openly available set of standards that didn't require licensing. If there are other options to explore and ways to consume them, then perhaps that should be an initiative for the Newton cycle?

That's right.  After direct conversations with CIS, we found that the licensing and restricted use of the security benchmarks wouldn't allow us to use them in OpenStack projects.  That could change in the future, but that's what exists at the moment.  The STIG was chosen since it's widely adopted and it is in the public domain.

It could be interesting to take an XCCDF/OVAL dump and try to implement it in an automated way with Ansible.  Creating the XCCDF XML isn't easy (nor fun), but that could be an option, too.

Darren's point about using vendor-provided hardening standards for Red Hat, Fedora, and Solaris is a good one.  This could be very useful if the multi-os support for OpenStack-Ansible comes together.  It's a shame that Ubuntu doesn't have a comprehensive XCCDF profile available as the other distributions do. :/

--
Major Hayden
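Sketch of the "take an XCCDF dump and implement it with Ansible" idea from the message above. This is an added example, not code from openstack-ansible or its security role. The benchmark XML is constructed (rule ids, titles and the fix command are invented, not a STIG excerpt); only the XCCDF 1.2 namespace and the `urn:xccdf:fix:script:sh` fix system are real. The task mapping is an assumption of mine: a rule that ships a shell fix becomes a `shell` task, a rule without one becomes a `debug` task so the run reports it for manual review instead of silently skipping it, and `min_severity` lets an operator run only the rules they have accepted.

```python
"""Turn an XCCDF benchmark dump into Ansible task skeletons (added example)."""
import json
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"   # XCCDF 1.2 namespace
NS = {"x": XCCDF_NS}
SH_FIX = "urn:xccdf:fix:script:sh"                  # XCCDF fix system id for sh scripts
SEVERITY_RANK = {"unknown": 0, "info": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample benchmark: two rules, one with a shell fix, one without.
# Ids, titles and the fix command are invented for illustration.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_example_benchmark_demo">
  <Group id="xccdf_example_group_ssh">
    <title>SSH daemon</title>
    <Rule id="xccdf_example_rule_sshd_root_login" severity="high">
      <title>Disable SSH root login</title>
      <fix system="urn:xccdf:fix:script:sh">sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config</fix>
    </Rule>
    <Rule id="xccdf_example_rule_sshd_banner" severity="low">
      <title>Display a login banner</title>
    </Rule>
  </Group>
</Benchmark>
"""


def parse_rules(xccdf_text):
    """Walk every <Rule> in the benchmark and collect id, title, severity and fix."""
    root = ET.fromstring(xccdf_text)
    rules = []
    for rule in root.iter("{%s}Rule" % XCCDF_NS):
        title = rule.find("x:title", NS)
        fix = rule.find("x:fix[@system='%s']" % SH_FIX, NS)
        title_text = (title.text or "").strip() if title is not None else ""
        fix_text = (fix.text or "").strip() if fix is not None else ""
        rules.append({
            "id": rule.get("id"),
            "title": title_text or rule.get("id"),
            "severity": rule.get("severity", "unknown"),
            "fix": fix_text or None,
        })
    return rules


def rules_to_tasks(rules, min_severity="low"):
    """Map rules at or above min_severity onto Ansible task dicts.

    Assumed mapping (mine, not the security role's): a rule carrying a shell
    fix becomes a `shell` task; a rule without one becomes a `debug` task so
    the playbook reports it for manual review rather than skipping it.
    Each task is tagged with the rule id and severity so operators can run
    or skip subsets with --tags / --skip-tags.
    """
    floor = SEVERITY_RANK[min_severity]
    tasks = []
    for rule in rules:
        if SEVERITY_RANK.get(rule["severity"], 0) < floor:
            continue
        task = {
            "name": "%s: %s" % (rule["id"], rule["title"]),
            "tags": [rule["id"], "severity_%s" % rule["severity"]],
        }
        if rule["fix"]:
            task["shell"] = rule["fix"]
            task["become"] = True
        else:
            task["debug"] = {"msg": "No automated fix in benchmark; review manually"}
        tasks.append(task)
    return tasks


def render_playbook(tasks, hosts="all"):
    """Serialise as JSON; Ansible reads JSON playbooks since YAML is a superset."""
    return json.dumps([{"hosts": hosts, "tasks": tasks}], indent=2)


if __name__ == "__main__":
    print(render_playbook(rules_to_tasks(parse_rules(SAMPLE_XCCDF))))
```

Running the module prints a one-play playbook with one `shell` task (root login) and one `debug` task (banner); `rules_to_tasks(rules, min_severity="high")` keeps only the first. A real benchmark would also need the `<check>` content (OVAL) turned into an assertion task before the fix, which this sketch leaves out.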
