[Docs] Replace security role references

This patch changes any reference of openstack-ansible-security to
ansible-hardening.

Change-Id: Ib264e31a926c05380b0d1dcd630ad8f3fd1e58f3
Major Hayden 2017-05-30 11:00:42 -05:00
parent 68ecd213b8
commit 38270e7870
22 changed files with 72 additions and 73 deletions


@ -1,24 +1,23 @@
openstack-ansible-security
==========================
ansible-hardening
=================
The openstack-ansible security role applies security hardening configurations
The ansible-hardening role applies security hardening configurations
from the [Security Technical Implementation Guide(STIG)](http://iase.disa.mil/stigs/Pages/index.aspx)
to systems running Ubuntu 14.04, Ubuntu 16.04, CentOS 7, and Red Hat
Enterprise Linux 7.
to systems running the following distributions:
The role is part of the
[OpenStack-Ansible project](https://git.openstack.org/cgit/openstack/openstack-ansible),
which deploys enterprise-grade OpenStack clouds using Ansible. However, the
role can easily be used outside of an OpenStack environment to secure hosts,
virtual machines, and containers.
* CentOS 7
* Debian Jessie *(experimental)*
* Ubuntu 14.04 *(deprecated)*
* Ubuntu 16.04
* Red Hat Enterprise Linux 7
For more details, review the
[openstack-ansible-security documentation](http://docs.openstack.org/developer/openstack-ansible-security/).
[ansible-hardening documentation](http://docs.openstack.org/developer/ansible-hardening/).
Requirements
------------
This role can be used with or without the OpenStack-Ansible role. It requires
This role can be used with or without OpenStack-Ansible. It requires
Ansible 2.3 or later.
Role Variables
@ -38,7 +37,7 @@ Using the role is fairly straightforward:
- hosts: servers
roles:
- openstack-ansible-security
- ansible-hardening
Running with Vagrant
--------------------


@ -2,7 +2,7 @@
Team and repository tags
========================
.. image:: http://governance.openstack.org/badges/openstack-ansible-security.svg
.. image:: http://governance.openstack.org/badges/ansible-hardening.svg
:target: http://governance.openstack.org/reference/tags/index.html
.. Change things from this point on
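Review bot: the badge at `http://governance.openstack.org/badges/ansible-hardening.svg` is generated from the governance project registry, so it will 404 until the governance entry for this repository is renamed as well; confirm that change has landed or is staged together with this one before switching the image URL.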
@ -10,7 +10,7 @@ Team and repository tags
Security hardening for OpenStack-Ansible
----------------------------------------
Documentation for openstack-ansible-security is available in the `official
Documentation for ansible-hardening is available in the `official
OpenStack documentation site`_.
.. _official OpenStack documentation site: http://docs.openstack.org/developer/openstack-ansible-security/
.. _official OpenStack documentation site: http://docs.openstack.org/developer/ansible-hardening/


@ -36,10 +36,10 @@ security_package_state: present
# |_| \_\_| |_|_____|_____| \___/ |____/ |_| |___\____|
#
# The default configurations after this marker apply to the RHEL 6 STIG
# content in the openstack-ansible-security role. Review the comments below
# as well as the main openstack-ansible-security documentation:
# content in the ansible-hardening role. Review the comments below
# as well as the main ansible-hardening documentation:
#
# http://docs.openstack.org/developer/openstack-ansible-security/
# http://docs.openstack.org/developer/ansible-hardening/
#
###############################################################################
@ -283,7 +283,7 @@ security_postfix_inet_interfaces: localhost # V-38622
# Ubuntu: AppArmor
# CentOS: SELinux
#
# See the openstack-ansible-security documentation for more details.
# See the ansible-hardening documentation for more details.
security_enable_linux_security_module: yes # V-51337
## PAM and authentication


@ -12,7 +12,7 @@ following criteria:
It requires that those directories are owned by root to prevent users from
removing and replacing files. This ``find`` command isn't run within the
Ansible tasks in openstack-ansible-security because it can be a very
Ansible tasks in ansible-hardening because it can be a very
time-consuming task and it can slow down disk I/O while it runs.
Deployers are strongly urged to review the permissions and ownerships of


@ -1,5 +1,5 @@
#!/usr/bin/env python3
"""Documentation configuration for the openstack-ansible-security role."""
"""Documentation configuration for the ansible-hardening role."""
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at


@ -1,7 +1,7 @@
Security hardening controls in detail (RHEL 7 STIG)
===================================================
The openstack-ansible-security role follows the Red Hat Enteprise Linux 7
The ansible-hardening role follows the Red Hat Enteprise Linux 7
`Security Technical Implementation Guide (STIG)`_. The guide has over 200
controls that apply to various parts of a Linux system, and it is updated
regularly by the Defense Information Systems Agency (DISA). DISA is part of the
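Review bot: the edited line still carries the typo `Enteprise`; since the line is being rewritten anyway, make it `The ansible-hardening role follows the Red Hat Enterprise Linux 7`.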


@ -17,12 +17,12 @@ Controls are divided into groups based on certain properties:
can't be implemented with automation, or they could cause damage to an
existing system. Other controls are listed as *opt-in* when they are
implemented, but they require a deployer to enable them.
*(This categorization comes from openstack-ansible-security, not the STIG.)*
*(This categorization comes from ansible-hardening, not the STIG.)*
* **Tag:** The controls are also separated based on which parts of the system
they act upon. Something that secures ``grub`` would be tagged with *boot*
while controls for ``sshd`` would be tagged with *auth*.
*(This categorization comes from openstack-ansible-security, not the STIG.)*
*(This categorization comes from ansible-hardening, not the STIG.)*
You can also review the STIG controls in one very large page. This can be
helpful when you need to search using your web browser.


@ -6,7 +6,7 @@ Does this role work only with OpenStack environments?
No -- it works on almost any Linux host!
The openstack-ansible-security role first began as a component of the
The ansible-hardening role first began as a component of the
OpenStack-Ansible project and it was designed to deploy into an existing
OpenStack environment without causing disruptions. However, the role now works
well in OpenStack and non-OpenStack environments.
@ -40,7 +40,7 @@ Deployment without disruption
Which systems are covered?
--------------------------------------------------------
The openstack-ansible-security role provides security hardening for physical
The ansible-hardening role provides security hardening for physical
servers running the following Linux distributions:
* Ubuntu 14.04
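Review bot: the first visible list item here is still `* Ubuntu 14.04` with no qualifier, while the README hunk in this same patch marks Ubuntu 14.04 as *(deprecated)* and adds Debian Jessie *(experimental)*; align this "Which systems are covered?" list with the README so the two documents do not disagree about supported platforms.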


@ -1,7 +1,7 @@
Getting started
===============
The openstack-ansible-security role can be used along with the
The ansible-hardening role can be used along with the
`OpenStack-Ansible`_ project or as a standalone role that can be used along
with other Ansible playbooks.
@ -20,10 +20,10 @@ Start by installing ansible and then install the role itself using
.. code-block:: console
pip install ansible
ansible-galaxy install git+https://git.openstack.org/openstack/openstack-ansible-security
ansible-galaxy install git+https://git.openstack.org/openstack/ansible-hardening
The role will be installed into
``/etc/ansible/roles/openstack-ansible-security``.
``/etc/ansible/roles/ansible-hardening``.
Initial configuration
---------------------
@ -35,7 +35,7 @@ provide custom configuration for the Ansible tasks in the role.
Using as a standalone role
--------------------------
Adding the openstack-ansible-security role to existing playbooks is
Adding the ansible-hardening role to existing playbooks is
straightforward. Here is an example of an existing role for deploying web
servers with the security hardening role added:
@ -49,12 +49,12 @@ servers with the security hardening role added:
roles:
- common
- webserver
- openstack-ansible-security
- ansible-hardening
Using with OpenStack-Ansible
----------------------------
The openstack-ansible-security role is automatically enabled and applied in the
The ansible-hardening role is automatically enabled and applied in the
Newton release of OpenStack-Ansible. Set the following Ansible variable to
enable the role in the Mitaka release of OpenStack-Ansible:


@ -2,7 +2,7 @@
Automated security hardening for Linux hosts
============================================
The openstack-ansible-security Ansible role uses industry-standard security
The ansible-hardening Ansible role uses industry-standard security
hardening guides to secure Linux hosts. Although the role is designed to work
well in OpenStack environments that are deployed with OpenStack-Ansible, it can
be used with almost any Linux system.
@ -82,9 +82,9 @@ Pike
* **Documentation:**
* `openstack-ansible-security Pike Release Notes`_
* `ansible-hardening Pike Release Notes`_
.. _openstack-ansible-security Pike Release Notes: http://docs.openstack.org/releasenotes/openstack-ansible-security/unreleased.html
.. _ansible-hardening Pike Release Notes: http://docs.openstack.org/releasenotes/ansible-hardening/unreleased.html
Ocata
~~~~~
@ -100,11 +100,11 @@ Ocata
* **Documentation:**
* `openstack-ansible-security Ocata Documentation`_
* `openstack-ansible-security Ocata Release Notes`_
* `ansible-hardening Ocata Documentation`_
* `ansible-hardening Ocata Release Notes`_
.. _openstack-ansible-security Ocata Documentation: http://docs.openstack.org/developer/openstack-ansible-security/ocata/
.. _openstack-ansible-security Ocata Release Notes: http://docs.openstack.org/releasenotes/openstack-ansible-security/ocata.html
.. _ansible-hardening Ocata Documentation: http://docs.openstack.org/developer/ansible-hardening/ocata/
.. _ansible-hardening Ocata Release Notes: http://docs.openstack.org/releasenotes/ansible-hardening/ocata.html
Newton
~~~~~~
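Review bot: the Ocata documentation and release notes were published under the `openstack-ansible-security` name, so `http://docs.openstack.org/developer/ansible-hardening/ocata/` and `http://docs.openstack.org/releasenotes/ansible-hardening/ocata.html` will only resolve if those stable branches are republished under the new name or redirects are in place; verify the renamed URLs before switching them, otherwise the links to the released versions break. The same applies to the Newton hunk below.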
@ -120,8 +120,8 @@ Newton
* **Documentation:**
* `openstack-ansible-security Newton Documentation`_
* `openstack-ansible-security Newton Release Notes`_
* `ansible-hardening Newton Documentation`_
* `ansible-hardening Newton Release Notes`_
.. _openstack-ansible-security Newton Documentation: http://docs.openstack.org/developer/openstack-ansible-security/newton/
.. _openstack-ansible-security Newton Release Notes: http://docs.openstack.org/releasenotes/openstack-ansible-security/newton.html
.. _ansible-hardening Newton Documentation: http://docs.openstack.org/developer/ansible-hardening/newton/
.. _ansible-hardening Newton Release Notes: http://docs.openstack.org/releasenotes/ansible-hardening/newton.html


@ -15,7 +15,7 @@ with production environments.
Reviewing deviations
--------------------
The openstack-ansible-security role deviates from some of the STIG's
The ansible-hardening role deviates from some of the STIG's
requirements when a security control could cause significant issues with
production systems. The role classifies each control into an implementation
status and provides notes on why a certain control is skipped or altered.
@ -138,7 +138,7 @@ Time synchronization
Reliable time synchronization is a requirement in the STIG and the ``chrony``
package will be installed to handle NTP for systems secured with the
openstack-ansible-security role.
ansible-hardening role.
The default settings will work for most environments, but some deployers may
prefer to use NTP servers which are geographically closer to their servers.


@ -1,4 +1,4 @@
# File managed by openstack-ansible-security
# File managed by ansible-hardening
# Fixes RHEL 6 STIG V-38682
install net-pf-31 /bin/true
install bluetooth /bin/true


@ -1,5 +1,5 @@
[metadata]
name = openstack-ansible-security
name = ansible-hardening
summary = OpenStack-Ansible: Host security hardening
description-file =
README.rst


@ -19,7 +19,7 @@
# are added by the security role. For that reason, we check for the existence
# of a marker line here and add a marker line to the file if it doesn't exist.
- name: Check for security role marker in sshd_config
command: "grep '^# openstack-ansible-security configurations' /etc/ssh/sshd_config"
command: "grep '^# ansible-hardening configurations' /etc/ssh/sshd_config"
register: sshd_marker_check
changed_when: False
check_mode: no
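Review bot: changing the marker string breaks the upgrade path for hosts already hardened under the old name. On those hosts `grep '^# ansible-hardening configurations'` exits non-zero because the existing marker still reads `# openstack-ansible-security configurations`, so the sed and lineinfile tasks that follow add a second marker and the `insertafter` tasks anchor new directives beneath it, leaving two marker lines in `/etc/ssh/sshd_config`. Consider matching either string in this check, for example `grep -E '^# (openstack-ansible-security|ansible-hardening) configurations'`, or add a one-time task that rewrites the old marker line to the new text before the check runs.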
@ -43,7 +43,7 @@
# line above it.
- name: Add security role marker with sed above Match stanza
shell: |
sed -i '0,/^Match/s/^Match/\n# openstack-ansible-security configurations\n\n&/' /etc/ssh/sshd_config
sed -i '0,/^Match/s/^Match/\n# ansible-hardening configurations\n\n&/' /etc/ssh/sshd_config
when:
- sshd_marker_check.rc != 0
- sshd_match_check.rc == 0
@ -55,7 +55,7 @@
- name: Add security role marker to the end of the sshd_config
lineinfile:
dest: /etc/ssh/sshd_config
line: "\n# openstack-ansible-security configurations"
line: "\n# ansible-hardening configurations"
state: present
insertbefore: EOF
validate: '/usr/sbin/sshd -T -f %s'
@ -71,7 +71,7 @@
dest: /etc/ssh/sshd_config
regexp: '^(#)?PrintLastLog'
line: 'PrintLastLog yes'
insertafter: "^# openstack-ansible-security configurations"
insertafter: "^# ansible-hardening configurations"
validate: '/usr/sbin/sshd -T -f %s'
notify:
- restart ssh
@ -86,7 +86,7 @@
dest: /etc/ssh/sshd_config
regexp: '^(#)?Protocol \d'
line: 'Protocol 2'
insertafter: "^# openstack-ansible-security configurations"
insertafter: "^# ansible-hardening configurations"
validate: '/usr/sbin/sshd -T -f %s'
notify:
- restart ssh
@ -101,7 +101,7 @@
dest: /etc/ssh/sshd_config
regexp: '^(#)?PermitEmptyPasswords'
line: 'PermitEmptyPasswords no'
insertafter: "^# openstack-ansible-security configurations"
insertafter: "^# ansible-hardening configurations"
validate: '/usr/sbin/sshd -T -f %s'
notify:
- restart ssh
@ -116,7 +116,7 @@
dest: /etc/ssh/sshd_config
regexp: '^(#)?HostbasedAuthentication'
line: 'HostbasedAuthentication no'
insertafter: "^# openstack-ansible-security configurations"
insertafter: "^# ansible-hardening configurations"
validate: '/usr/sbin/sshd -T -f %s'
notify:
- restart ssh
@ -131,7 +131,7 @@
dest: /etc/ssh/sshd_config
regexp: '^(#)?ClientAliveInterval'
line: 'ClientAliveInterval {{ security_ssh_client_alive_interval }}'
insertafter: "^# openstack-ansible-security configurations"
insertafter: "^# ansible-hardening configurations"
validate: '/usr/sbin/sshd -T -f %s'
notify:
- restart ssh
@ -146,7 +146,7 @@
dest: /etc/ssh/sshd_config
regexp: '^(#)?ClientAliveCountMax'
line: 'ClientAliveCountMax {{ security_ssh_client_alive_count_max }}'
insertafter: "^# openstack-ansible-security configurations"
insertafter: "^# ansible-hardening configurations"
validate: '/usr/sbin/sshd -T -f %s'
notify:
- restart ssh
@ -161,7 +161,7 @@
dest: /etc/ssh/sshd_config
regexp: '^(#)?IgnoreRhosts'
line: 'IgnoreRhosts yes'
insertafter: "^# openstack-ansible-security configurations"
insertafter: "^# ansible-hardening configurations"
validate: '/usr/sbin/sshd -T -f %s'
notify:
- restart ssh
@ -176,7 +176,7 @@
dest: /etc/ssh/sshd_config
regexp: '^(#)?PermitRootLogin'
line: 'PermitRootLogin {{ security_ssh_permit_root_login }}'
insertafter: "^# openstack-ansible-security configurations"
insertafter: "^# ansible-hardening configurations"
validate: '/usr/sbin/sshd -T -f %s'
notify:
- restart ssh
@ -200,7 +200,7 @@
dest: /etc/ssh/sshd_config
regexp: '^(#)?Banner'
line: 'Banner /etc/issue.net'
insertafter: "^# openstack-ansible-security configurations"
insertafter: "^# ansible-hardening configurations"
validate: '/usr/sbin/sshd -T -f %s'
tags:
- ssh
@ -213,7 +213,7 @@
dest: /etc/ssh/sshd_config
regexp: '^(#)?PermitUserEnvironment'
line: 'PermitUserEnvironment no'
insertafter: "^# openstack-ansible-security configurations"
insertafter: "^# ansible-hardening configurations"
validate: '/usr/sbin/sshd -T -f %s'
tags:
- ssh
@ -226,7 +226,7 @@
dest: /etc/ssh/sshd_config
regexp: '^(#)?Ciphers'
line: 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc'
insertafter: "^# openstack-ansible-security configurations"
insertafter: "^# ansible-hardening configurations"
validate: '/usr/sbin/sshd -T -f %s'
tags:
- ssh


@ -26,7 +26,7 @@
dest: /etc/security/pwquality.conf
backup: yes
insertbefore: EOF
marker: "# {mark} Added by openstack-ansible-security role"
marker: "# {mark} Added by ansible-hardening role"
state: present
block: "{{ lookup('template', 'pwquality.conf.j2') }}"
when:
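Review bot: `blockinfile` finds the block it manages by the marker text, so renaming the marker from `# {mark} Added by openstack-ansible-security role` to `# {mark} Added by ansible-hardening role` makes the module treat previously hardened hosts as unmanaged: the old block stays and a second copy of the pwquality settings is appended before EOF. The same applies to every other marker rename in this patch (AIDE, PAM faillock, `/etc/profile`, `/etc/ssh/sshd_config`); for sshd_config in particular, sshd honours the first occurrence of most keywords, so the stale block would keep taking precedence over the new one. Suggest a migration task that removes the old-marker block (`blockinfile` with the old marker and `state: absent`) before the new block is written, or keep the old marker text.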


@ -38,7 +38,7 @@
blockinfile:
dest: "{{ aide_conf }}"
insertbefore: EOF
marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
block: |
# Rules borrowed from CentOS/RHEL AIDE configuration
# (SELinux was removed for Ubuntu compatibility.)


@ -69,7 +69,7 @@
blockinfile:
dest: "{{ pam_password_file }}"
state: present
marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
insertbefore: EOF
block: "{{ lookup('template', 'pam_faillock.j2') }}"
when:
@ -166,10 +166,10 @@
- name: V-72217 - The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
blockinfile:
dest: /etc/security/limits.d/openstack-ansible-security-maxlogins.conf
dest: /etc/security/limits.d/ansible-hardening-maxlogins.conf
create: yes
block: |
# Deployed by the openstack-ansible-security role
# Deployed by the ansible-hardening role
# V-72217 - Limit concurrent sessions for all accounts/types
* hard maxlogins {{ security_rhel7_concurrent_session_limit }}
when:
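Review bot: renaming the destination to `/etc/security/limits.d/ansible-hardening-maxlogins.conf` leaves the old `openstack-ansible-security-maxlogins.conf` in place on hosts that were hardened under the previous name. pam_limits reads the files in `limits.d` in alphabetical order, and `openstack-ansible-security-...` sorts after `ansible-hardening-...`, so the stale file can override any later change to `security_rhel7_concurrent_session_limit`. Pair this rename with a `file: state=absent` task for the old path.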


@ -15,7 +15,7 @@
- name: V-71983 - USB mass storage must be disabled.
lineinfile:
dest: /etc/modprobe.d/openstack-ansible-security-disable-usb-storage.conf
dest: /etc/modprobe.d/ansible-hardening-disable-usb-storage.conf
line: install usb-storage /bin/true
create: yes
when:
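Review bot: the old `/etc/modprobe.d/openstack-ansible-security-disable-usb-storage.conf` is not removed, so upgraded hosts end up with both files. That is harmless while both contain `install usb-storage /bin/true`, but a deployer who later opts out of V-71983 would still have usb-storage blocked by the stale file and would not see why. Add a `file: state=absent` task for the old path next to this one.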


@ -211,7 +211,7 @@
blockinfile:
dest: /etc/profile
insertbefore: EOF
marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
block: |
# Set a {{ security_rhel7_session_timeout }} second timeout for sessions
TMOUT={{ security_rhel7_session_timeout }}


@ -44,7 +44,7 @@
blockinfile:
dest: /etc/ssh/sshd_config
state: present
marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
insertbefore: "{{ sshd_match_check.stdout_lines[0] }}"
validate: '/usr/sbin/sshd -T -f %s'
block: "{{ lookup('template', 'sshd_config_block.j2') }}"


@ -1,9 +1,9 @@
## Rules for auditd deployed by openstack-ansible-security
## Rules for auditd deployed by ansible-hardening
# Do not edit any of these rules directly. The contents of this file are
# controlled by Ansible variables and each variable is explained in detail
# within the role documentation:
#
# http://docs.openstack.org/developer/openstack-ansible-security/
# http://docs.openstack.org/developer/ansible-hardening/
#
# Delete all existing auditd rules prior to loading this ruleset.


@ -16,4 +16,4 @@
- name: Playbook for role testing
hosts: all
roles:
- role: "../../../openstack-ansible-security"
- role: "../../../ansible-hardening"
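Review bot: `"../../../ansible-hardening"` assumes the checkout directory is already named `ansible-hardening`. Until the repository itself is renamed in infra, CI clones (and any developer clone still named `openstack-ansible-security`) will fail to resolve this role path; either land this change after the repository rename or derive the role path from `playbook_dir` so the test playbook works under both directory names.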