[openstack-dev] [openstack-ansible][security] Should the playbook stop on certain tasks?

Clark, Robert Graham robert.clark at hpe.com
Wed Jan 13 20:59:14 UTC 2016

I’m pretty new to openstack-ansible-security but based on my use cases which are as much
About using this for verification as they are for building secure boxes my preference 
would be 3) Use an Ansible callback plugin to catch these and print them at the end of the
playbook run


On 13/01/2016 09:10, "Major Hayden" <major at mhtx.net> wrote:

>Hash: SHA256
>Hey there,
>After presenting openstack-ansible-security at the Security Project Mid-Cycle meeting yesterday, the question came up around how to handle situations where automation might cause problems.
>For example, the STIG requires[1] that all system accounts other than root are locked.  This could be dangerous on a running production system as Ubuntu has non-root accounts that are not locked.  At the moment, the playbook does a hard stop (using the fail module) when this check fails[2].  Although that can be skipped with --skip-tag, it can be a little annoying if you have automation that depends on the playbook running without stopping.
>Is there a good alternative for this?  I've found a few options:
>  1) Leave it as-is and do a hard stop on these tasks
>  2) Print a warning to the console but let the playbook continue
>  3) Use an Ansible callback plugin to catch these and print them at the end of the playbook run
>Thanks in advance for any advice!
>[1] https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38496
>[2] https://github.com/openstack/openstack-ansible-security/blob/master/tasks/auth.yml#L60-L87
>- --
>Major Hayden
>Version: GnuPG v2
>OpenStack Development Mailing List (not for usage questions)
>Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe

More information about the OpenStack-dev mailing list