[openstack-dev] [openstack-ansible][security] Should the playbook stop on certain tasks?

Clark, Robert Graham robert.clark at hpe.com
Wed Jan 13 20:59:14 UTC 2016


I’m pretty new to openstack-ansible-security but based on my use cases which are as much
About using this for verification as they are for building secure boxes my preference 
would be 3) Use an Ansible callback plugin to catch these and print them at the end of the
playbook run

-Rob





On 13/01/2016 09:10, "Major Hayden" <major at mhtx.net> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA256
>
>Hey there,
>
>After presenting openstack-ansible-security at the Security Project Mid-Cycle meeting yesterday, the question came up around how to handle situations where automation might cause problems.
>
>For example, the STIG requires[1] that all system accounts other than root are locked.  This could be dangerous on a running production system as Ubuntu has non-root accounts that are not locked.  At the moment, the playbook does a hard stop (using the fail module) when this check fails[2].  Although that can be skipped with --skip-tag, it can be a little annoying if you have automation that depends on the playbook running without stopping.
>
>Is there a good alternative for this?  I've found a few options:
>
>  1) Leave it as-is and do a hard stop on these tasks
>  2) Print a warning to the console but let the playbook continue
>  3) Use an Ansible callback plugin to catch these and print them at the end of the playbook run
>
>Thanks in advance for any advice!
>
>[1] https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38496
>[2] https://github.com/openstack/openstack-ansible-security/blob/master/tasks/auth.yml#L60-L87
>
>- --
>Major Hayden
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v2
>
>iQIcBAEBCAAGBQJWlmjbAAoJEHNwUeDBAR+x7zAP/RfGnihciZV0m7Jf+hVKSrzf
>PEc4gauKRA1mZEFdgX4Ib137Vrztu9p1mPB29bRx9GN8aMcY2TtRwrR1QKmUOHX9
>gtrjif9m5XgCM0ja/DMbj82j7pPpIQC5Tby0+CIhX27ZdgGxBpo/9UOj1Dns39Mg
>DzOdNGkGVO6ngmBKdqKetjkT+i0wSKXGQyS341PvyJDy77JCRaGFKc+jRnJWTdVc
>Tpdkc+TL5Rv92gMkMlLnW6txHmtPEJDKjgndhrzWExhY6CLn6XogRMTdZ/1fMP2Y
>x02S4s0VehuNF/9L5nmZ+lBS7HNhtiiSC6KGIo/0X7rZVo9VJ4KNjVaXGQ7clbxS
>sDrqO9uXl98n4S7H44jzBiukYO8MtXVf9djQwujN5A5oN+d1r+sCDDLhxlsLDMVN
>fMlj2LItNREzKe+ZFWBuEkl6GLAO3y0TQPRWYdc3L8PhiwqVJiJ0+WefYO2PNcZe
>Csik3IHCn+jdIq1WdsPQXDEYhAHL1Y1OqEMoBnte/FHeq1BmnojXxuVNtrY1EKtL
>APGGrUbhUWLtZ6v6ke3OT83BSd1FFmLLe/0MlIJ5LYZZZFR/bHgxuEiHcYNr6Fm1
>Dnlrg0NNeeQgClABcB5wK2T8lbDahhxp6Nq7F3MTirnIVYHGo7CYa7g5Gw2b7BMu
>qWWgC8FnH0FzwE7P1LSj
>=wi7P
>-----END PGP SIGNATURE-----
>
>__________________________________________________________________________
>OpenStack Development Mailing List (not for usage questions)
>Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


More information about the OpenStack-dev mailing list