From 38270e78706a26e5d4302c8c87081df0dee4337a Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Tue, 30 May 2017 11:00:42 -0500 Subject: [PATCH] [Docs] Replace security role references This patch changes any reference of openstack-ansible-security to ansible-hardening. Change-Id: Ib264e31a926c05380b0d1dcd630ad8f3fd1e58f3 --- README.md | 25 ++++++++++++------------- README.rst | 6 +++--- defaults/main.yml | 8 ++++---- doc/metadata/rhel6/V-38699.rst | 2 +- doc/source/conf.py | 2 +- doc/source/controls-rhel7.rst | 2 +- doc/source/controls.rst | 4 ++-- doc/source/faq.rst | 4 ++-- doc/source/getting-started.rst | 12 ++++++------ doc/source/index.rst | 22 +++++++++++----------- doc/source/special-notes.rst | 4 ++-- files/V-38682-modprobe.conf | 2 +- setup.cfg | 2 +- tasks/rhel6stig/sshd.yml | 28 ++++++++++++++-------------- tasks/rhel7stig/accounts.yml | 2 +- tasks/rhel7stig/aide.yml | 2 +- tasks/rhel7stig/auth.yml | 6 +++--- tasks/rhel7stig/kernel.yml | 2 +- tasks/rhel7stig/misc.yml | 2 +- tasks/rhel7stig/sshd.yml | 2 +- templates/osas-auditd-rhel7.j2 | 4 ++-- tests/vagrant.yml | 2 +- 22 files changed, 72 insertions(+), 73 deletions(-) diff --git a/README.md b/README.md index 09132dc6..992313a1 100644 --- a/README.md +++ b/README.md @@ -1,24 +1,23 @@ -openstack-ansible-security -========================== +ansible-hardening +================= -The openstack-ansible security role applies security hardening configurations +The ansible-hardening role applies security hardening configurations from the [Security Technical Implementation Guide(STIG)](http://iase.disa.mil/stigs/Pages/index.aspx) -to systems running Ubuntu 14.04, Ubuntu 16.04, CentOS 7, and Red Hat -Enterprise Linux 7. +to systems running the following distributions: -The role is part of the -[OpenStack-Ansible project](https://git.openstack.org/cgit/openstack/openstack-ansible), -which deploys enterprise-grade OpenStack clouds using Ansible. However, the -role can easily be used outside of an OpenStack environment to secure hosts, -virtual machines, and containers. +* CentOS 7 +* Debian Jessie *(experimental)* +* Ubuntu 14.04 *(deprecated)* +* Ubuntu 16.04 +* Red Hat Enterprise Linux 7 For more details, review the -[openstack-ansible-security documentation](http://docs.openstack.org/developer/openstack-ansible-security/). +[ansible-hardening documentation](http://docs.openstack.org/developer/ansible-hardening/). Requirements ------------ -This role can be used with or without the OpenStack-Ansible role. It requires +This role can be used with or without OpenStack-Ansible. It requires Ansible 2.3 or later. Role Variables @@ -38,7 +37,7 @@ Using the role is fairly straightforward: - hosts: servers roles: - - openstack-ansible-security + - ansible-hardening Running with Vagrant -------------------- diff --git a/README.rst b/README.rst index 0554a8d2..13e0b949 100644 --- a/README.rst +++ b/README.rst @@ -2,7 +2,7 @@ Team and repository tags ======================== -.. image:: http://governance.openstack.org/badges/openstack-ansible-security.svg +.. image:: http://governance.openstack.org/badges/ansible-hardening.svg :target: http://governance.openstack.org/reference/tags/index.html .. Change things from this point on @@ -10,7 +10,7 @@ Team and repository tags Security hardening for OpenStack-Ansible ---------------------------------------- -Documentation for openstack-ansible-security is available in the `official +Documentation for ansible-hardening is available in the `official OpenStack documentation site`_. -.. _official OpenStack documentation site: http://docs.openstack.org/developer/openstack-ansible-security/ +.. _official OpenStack documentation site: http://docs.openstack.org/developer/ansible-hardening/ diff --git a/defaults/main.yml b/defaults/main.yml index b68a2857..98c7c839 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -36,10 +36,10 @@ security_package_state: present # |_| \_\_| |_|_____|_____| \___/ |____/ |_| |___\____| # # The default configurations after this marker apply to the RHEL 6 STIG -# content in the openstack-ansible-security role. Review the comments below -# as well as the main openstack-ansible-security documentation: +# content in the ansible-hardening role. Review the comments below +# as well as the main ansible-hardening documentation: # -# http://docs.openstack.org/developer/openstack-ansible-security/ +# http://docs.openstack.org/developer/ansible-hardening/ # ############################################################################### @@ -283,7 +283,7 @@ security_postfix_inet_interfaces: localhost # V-38622 # Ubuntu: AppArmor # CentOS: SELinux # -# See the openstack-ansible-security documentation for more details. +# See the ansible-hardening documentation for more details. security_enable_linux_security_module: yes # V-51337 ## PAM and authentication diff --git a/doc/metadata/rhel6/V-38699.rst b/doc/metadata/rhel6/V-38699.rst index 9a39a0b0..94577399 100644 --- a/doc/metadata/rhel6/V-38699.rst +++ b/doc/metadata/rhel6/V-38699.rst @@ -12,7 +12,7 @@ following criteria: It requires that those directories are owned by root to prevent users from removing and replacing files. This ``find`` command isn't run within the -Ansible tasks in openstack-ansible-security because it can be a very +Ansible tasks in ansible-hardening because it can be a very time-consuming task and it can slow down disk I/O while it runs. Deployers are strongly urged to review the permissions and ownerships of diff --git a/doc/source/conf.py b/doc/source/conf.py index 381eb9a2..e9a26050 100644 --- a/doc/source/conf.py +++ b/doc/source/conf.py @@ -1,5 +1,5 @@ #!/usr/bin/env python3 -"""Documentation configuration for the openstack-ansible-security role.""" +"""Documentation configuration for the ansible-hardening role.""" # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at diff --git a/doc/source/controls-rhel7.rst b/doc/source/controls-rhel7.rst index 90d27178..91474c3f 100644 --- a/doc/source/controls-rhel7.rst +++ b/doc/source/controls-rhel7.rst @@ -1,7 +1,7 @@ Security hardening controls in detail (RHEL 7 STIG) =================================================== -The openstack-ansible-security role follows the Red Hat Enteprise Linux 7 +The ansible-hardening role follows the Red Hat Enteprise Linux 7 `Security Technical Implementation Guide (STIG)`_. The guide has over 200 controls that apply to various parts of a Linux system, and it is updated regularly by the Defense Information Systems Agency (DISA). DISA is part of the diff --git a/doc/source/controls.rst b/doc/source/controls.rst index ee114f6d..04d1314b 100644 --- a/doc/source/controls.rst +++ b/doc/source/controls.rst @@ -17,12 +17,12 @@ Controls are divided into groups based on certain properties: can't be implemented with automation, or they could cause damage to an existing system. Other controls are listed as *opt-in* when they are implemented, but they require a deployer to enable them. - *(This categorization comes from openstack-ansible-security, not the STIG.)* + *(This categorization comes from ansible-hardening, not the STIG.)* * **Tag:** The controls are also separated based on which parts of the system they act upon. Something that secures ``grub`` would be tagged with *boot* while controls for ``sshd`` would be tagged with *auth*. - *(This categorization comes from openstack-ansible-security, not the STIG.)* + *(This categorization comes from ansible-hardening, not the STIG.)* You can also review the STIG controls in one very large page. This can be helpful when you need to search using your web browser. diff --git a/doc/source/faq.rst b/doc/source/faq.rst index c6dbaa4f..e4ad3255 100644 --- a/doc/source/faq.rst +++ b/doc/source/faq.rst @@ -6,7 +6,7 @@ Does this role work only with OpenStack environments? No -- it works on almost any Linux host! -The openstack-ansible-security role first began as a component of the +The ansible-hardening role first began as a component of the OpenStack-Ansible project and it was designed to deploy into an existing OpenStack environment without causing disruptions. However, the role now works well in OpenStack and non-OpenStack environments. @@ -40,7 +40,7 @@ Deployment without disruption Which systems are covered? -------------------------------------------------------- -The openstack-ansible-security role provides security hardening for physical +The ansible-hardening role provides security hardening for physical servers running the following Linux distributions: * Ubuntu 14.04 diff --git a/doc/source/getting-started.rst b/doc/source/getting-started.rst index d888595a..6d5f109f 100644 --- a/doc/source/getting-started.rst +++ b/doc/source/getting-started.rst @@ -1,7 +1,7 @@ Getting started =============== -The openstack-ansible-security role can be used along with the +The ansible-hardening role can be used along with the `OpenStack-Ansible`_ project or as a standalone role that can be used along with other Ansible playbooks. @@ -20,10 +20,10 @@ Start by installing ansible and then install the role itself using .. code-block:: console pip install ansible - ansible-galaxy install git+https://git.openstack.org/openstack/openstack-ansible-security + ansible-galaxy install git+https://git.openstack.org/openstack/ansible-hardening The role will be installed into -``/etc/ansible/roles/openstack-ansible-security``. +``/etc/ansible/roles/ansible-hardening``. Initial configuration --------------------- @@ -35,7 +35,7 @@ provide custom configuration for the Ansible tasks in the role. Using as a standalone role -------------------------- -Adding the openstack-ansible-security role to existing playbooks is +Adding the ansible-hardening role to existing playbooks is straightforward. Here is an example of an existing role for deploying web servers with the security hardening role added: @@ -49,12 +49,12 @@ servers with the security hardening role added: roles: - common - webserver - - openstack-ansible-security + - ansible-hardening Using with OpenStack-Ansible ---------------------------- -The openstack-ansible-security role is automatically enabled and applied in the +The ansible-hardening role is automatically enabled and applied in the Newton release of OpenStack-Ansible. Set the following Ansible variable to enable the role in the Mitaka release of OpenStack-Ansible: diff --git a/doc/source/index.rst b/doc/source/index.rst index 97df3dfe..2ac85ea0 100644 --- a/doc/source/index.rst +++ b/doc/source/index.rst @@ -2,7 +2,7 @@ Automated security hardening for Linux hosts ============================================ -The openstack-ansible-security Ansible role uses industry-standard security +The ansible-hardening Ansible role uses industry-standard security hardening guides to secure Linux hosts. Although the role is designed to work well in OpenStack environments that are deployed with OpenStack-Ansible, it can be used with almost any Linux system. @@ -82,9 +82,9 @@ Pike * **Documentation:** - * `openstack-ansible-security Pike Release Notes`_ + * `ansible-hardening Pike Release Notes`_ -.. _openstack-ansible-security Pike Release Notes: http://docs.openstack.org/releasenotes/openstack-ansible-security/unreleased.html +.. _ansible-hardening Pike Release Notes: http://docs.openstack.org/releasenotes/ansible-hardening/unreleased.html Ocata ~~~~~ @@ -100,11 +100,11 @@ Ocata * **Documentation:** - * `openstack-ansible-security Ocata Documentation`_ - * `openstack-ansible-security Ocata Release Notes`_ + * `ansible-hardening Ocata Documentation`_ + * `ansible-hardening Ocata Release Notes`_ -.. _openstack-ansible-security Ocata Documentation: http://docs.openstack.org/developer/openstack-ansible-security/ocata/ -.. _openstack-ansible-security Ocata Release Notes: http://docs.openstack.org/releasenotes/openstack-ansible-security/ocata.html +.. _ansible-hardening Ocata Documentation: http://docs.openstack.org/developer/ansible-hardening/ocata/ +.. _ansible-hardening Ocata Release Notes: http://docs.openstack.org/releasenotes/ansible-hardening/ocata.html Newton ~~~~~~ @@ -120,8 +120,8 @@ Newton * **Documentation:** - * `openstack-ansible-security Newton Documentation`_ - * `openstack-ansible-security Newton Release Notes`_ + * `ansible-hardening Newton Documentation`_ + * `ansible-hardening Newton Release Notes`_ -.. _openstack-ansible-security Newton Documentation: http://docs.openstack.org/developer/openstack-ansible-security/newton/ -.. _openstack-ansible-security Newton Release Notes: http://docs.openstack.org/releasenotes/openstack-ansible-security/newton.html +.. _ansible-hardening Newton Documentation: http://docs.openstack.org/developer/ansible-hardening/newton/ +.. _ansible-hardening Newton Release Notes: http://docs.openstack.org/releasenotes/ansible-hardening/newton.html diff --git a/doc/source/special-notes.rst b/doc/source/special-notes.rst index f3959895..54a29aed 100644 --- a/doc/source/special-notes.rst +++ b/doc/source/special-notes.rst @@ -15,7 +15,7 @@ with production environments. Reviewing deviations -------------------- -The openstack-ansible-security role deviates from some of the STIG's +The ansible-hardening role deviates from some of the STIG's requirements when a security control could cause significant issues with production systems. The role classifies each control into an implementation status and provides notes on why a certain control is skipped or altered. @@ -138,7 +138,7 @@ Time synchronization Reliable time synchronization is a requirement in the STIG and the ``chrony`` package will be installed to handle NTP for systems secured with the -openstack-ansible-security role. +ansible-hardening role. The default settings will work for most environments, but some deployers may prefer to use NTP servers which are geographically closer to their servers. diff --git a/files/V-38682-modprobe.conf b/files/V-38682-modprobe.conf index 5e2ffbc3..4f47792e 100644 --- a/files/V-38682-modprobe.conf +++ b/files/V-38682-modprobe.conf @@ -1,4 +1,4 @@ -# File managed by openstack-ansible-security +# File managed by ansible-hardening # Fixes RHEL 6 STIG V-38682 install net-pf-31 /bin/true install bluetooth /bin/true diff --git a/setup.cfg b/setup.cfg index 75bbe25c..fe504b14 100644 --- a/setup.cfg +++ b/setup.cfg @@ -1,5 +1,5 @@ [metadata] -name = openstack-ansible-security +name = ansible-hardening summary = OpenStack-Ansible: Host security hardening description-file = README.rst diff --git a/tasks/rhel6stig/sshd.yml b/tasks/rhel6stig/sshd.yml index f00ade82..12a45103 100644 --- a/tasks/rhel6stig/sshd.yml +++ b/tasks/rhel6stig/sshd.yml @@ -19,7 +19,7 @@ # are added by the security role. For that reason, we check for the existence # of a marker line here and add a marker line to the file if it doesn't exist. - name: Check for security role marker in sshd_config - command: "grep '^# openstack-ansible-security configurations' /etc/ssh/sshd_config" + command: "grep '^# ansible-hardening configurations' /etc/ssh/sshd_config" register: sshd_marker_check changed_when: False check_mode: no @@ -43,7 +43,7 @@ # line above it. - name: Add security role marker with sed above Match stanza shell: | - sed -i '0,/^Match/s/^Match/\n# openstack-ansible-security configurations\n\n&/' /etc/ssh/sshd_config + sed -i '0,/^Match/s/^Match/\n# ansible-hardening configurations\n\n&/' /etc/ssh/sshd_config when: - sshd_marker_check.rc != 0 - sshd_match_check.rc == 0 @@ -55,7 +55,7 @@ - name: Add security role marker to the end of the sshd_config lineinfile: dest: /etc/ssh/sshd_config - line: "\n# openstack-ansible-security configurations" + line: "\n# ansible-hardening configurations" state: present insertbefore: EOF validate: '/usr/sbin/sshd -T -f %s' @@ -71,7 +71,7 @@ dest: /etc/ssh/sshd_config regexp: '^(#)?PrintLastLog' line: 'PrintLastLog yes' - insertafter: "^# openstack-ansible-security configurations" + insertafter: "^# ansible-hardening configurations" validate: '/usr/sbin/sshd -T -f %s' notify: - restart ssh @@ -86,7 +86,7 @@ dest: /etc/ssh/sshd_config regexp: '^(#)?Protocol \d' line: 'Protocol 2' - insertafter: "^# openstack-ansible-security configurations" + insertafter: "^# ansible-hardening configurations" validate: '/usr/sbin/sshd -T -f %s' notify: - restart ssh @@ -101,7 +101,7 @@ dest: /etc/ssh/sshd_config regexp: '^(#)?PermitEmptyPasswords' line: 'PermitEmptyPasswords no' - insertafter: "^# openstack-ansible-security configurations" + insertafter: "^# ansible-hardening configurations" validate: '/usr/sbin/sshd -T -f %s' notify: - restart ssh @@ -116,7 +116,7 @@ dest: /etc/ssh/sshd_config regexp: '^(#)?HostbasedAuthentication' line: 'HostbasedAuthentication no' - insertafter: "^# openstack-ansible-security configurations" + insertafter: "^# ansible-hardening configurations" validate: '/usr/sbin/sshd -T -f %s' notify: - restart ssh @@ -131,7 +131,7 @@ dest: /etc/ssh/sshd_config regexp: '^(#)?ClientAliveInterval' line: 'ClientAliveInterval {{ security_ssh_client_alive_interval }}' - insertafter: "^# openstack-ansible-security configurations" + insertafter: "^# ansible-hardening configurations" validate: '/usr/sbin/sshd -T -f %s' notify: - restart ssh @@ -146,7 +146,7 @@ dest: /etc/ssh/sshd_config regexp: '^(#)?ClientAliveCountMax' line: 'ClientAliveCountMax {{ security_ssh_client_alive_count_max }}' - insertafter: "^# openstack-ansible-security configurations" + insertafter: "^# ansible-hardening configurations" validate: '/usr/sbin/sshd -T -f %s' notify: - restart ssh @@ -161,7 +161,7 @@ dest: /etc/ssh/sshd_config regexp: '^(#)?IgnoreRhosts' line: 'IgnoreRhosts yes' - insertafter: "^# openstack-ansible-security configurations" + insertafter: "^# ansible-hardening configurations" validate: '/usr/sbin/sshd -T -f %s' notify: - restart ssh @@ -176,7 +176,7 @@ dest: /etc/ssh/sshd_config regexp: '^(#)?PermitRootLogin' line: 'PermitRootLogin {{ security_ssh_permit_root_login }}' - insertafter: "^# openstack-ansible-security configurations" + insertafter: "^# ansible-hardening configurations" validate: '/usr/sbin/sshd -T -f %s' notify: - restart ssh @@ -200,7 +200,7 @@ dest: /etc/ssh/sshd_config regexp: '^(#)?Banner' line: 'Banner /etc/issue.net' - insertafter: "^# openstack-ansible-security configurations" + insertafter: "^# ansible-hardening configurations" validate: '/usr/sbin/sshd -T -f %s' tags: - ssh @@ -213,7 +213,7 @@ dest: /etc/ssh/sshd_config regexp: '^(#)?PermitUserEnvironment' line: 'PermitUserEnvironment no' - insertafter: "^# openstack-ansible-security configurations" + insertafter: "^# ansible-hardening configurations" validate: '/usr/sbin/sshd -T -f %s' tags: - ssh @@ -226,7 +226,7 @@ dest: /etc/ssh/sshd_config regexp: '^(#)?Ciphers' line: 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc' - insertafter: "^# openstack-ansible-security configurations" + insertafter: "^# ansible-hardening configurations" validate: '/usr/sbin/sshd -T -f %s' tags: - ssh diff --git a/tasks/rhel7stig/accounts.yml b/tasks/rhel7stig/accounts.yml index 73baf6c5..5e566f64 100644 --- a/tasks/rhel7stig/accounts.yml +++ b/tasks/rhel7stig/accounts.yml @@ -26,7 +26,7 @@ dest: /etc/security/pwquality.conf backup: yes insertbefore: EOF - marker: "# {mark} Added by openstack-ansible-security role" + marker: "# {mark} Added by ansible-hardening role" state: present block: "{{ lookup('template', 'pwquality.conf.j2') }}" when: diff --git a/tasks/rhel7stig/aide.yml b/tasks/rhel7stig/aide.yml index 96999e5b..8fd0b12a 100644 --- a/tasks/rhel7stig/aide.yml +++ b/tasks/rhel7stig/aide.yml @@ -38,7 +38,7 @@ blockinfile: dest: "{{ aide_conf }}" insertbefore: EOF - marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY" + marker: "# {mark} MANAGED BY ANSIBLE-HARDENING" block: | # Rules borrowed from CentOS/RHEL AIDE configuration # (SELinux was removed for Ubuntu compatibility.) diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml index fb337323..0352fd62 100644 --- a/tasks/rhel7stig/auth.yml +++ b/tasks/rhel7stig/auth.yml @@ -69,7 +69,7 @@ blockinfile: dest: "{{ pam_password_file }}" state: present - marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY" + marker: "# {mark} MANAGED BY ANSIBLE-HARDENING" insertbefore: EOF block: "{{ lookup('template', 'pam_faillock.j2') }}" when: @@ -166,10 +166,10 @@ - name: V-72217 - The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types. blockinfile: - dest: /etc/security/limits.d/openstack-ansible-security-maxlogins.conf + dest: /etc/security/limits.d/ansible-hardening-maxlogins.conf create: yes block: | - # Deployed by the openstack-ansible-security role + # Deployed by the ansible-hardening role # V-72217 - Limit concurrent sessions for all accounts/types * hard maxlogins {{ security_rhel7_concurrent_session_limit }} when: diff --git a/tasks/rhel7stig/kernel.yml b/tasks/rhel7stig/kernel.yml index c2097394..ec1835c5 100644 --- a/tasks/rhel7stig/kernel.yml +++ b/tasks/rhel7stig/kernel.yml @@ -15,7 +15,7 @@ - name: V-71983 - USB mass storage must be disabled. lineinfile: - dest: /etc/modprobe.d/openstack-ansible-security-disable-usb-storage.conf + dest: /etc/modprobe.d/ansible-hardening-disable-usb-storage.conf line: install usb-storage /bin/true create: yes when: diff --git a/tasks/rhel7stig/misc.yml b/tasks/rhel7stig/misc.yml index 30a26e21..050205ff 100644 --- a/tasks/rhel7stig/misc.yml +++ b/tasks/rhel7stig/misc.yml @@ -211,7 +211,7 @@ blockinfile: dest: /etc/profile insertbefore: EOF - marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY" + marker: "# {mark} MANAGED BY ANSIBLE-HARDENING" block: | # Set a {{ security_rhel7_session_timeout }} second timeout for sessions TMOUT={{ security_rhel7_session_timeout }} diff --git a/tasks/rhel7stig/sshd.yml b/tasks/rhel7stig/sshd.yml index 6bafe142..e25af47b 100644 --- a/tasks/rhel7stig/sshd.yml +++ b/tasks/rhel7stig/sshd.yml @@ -44,7 +44,7 @@ blockinfile: dest: /etc/ssh/sshd_config state: present - marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY" + marker: "# {mark} MANAGED BY ANSIBLE-HARDENING" insertbefore: "{{ sshd_match_check.stdout_lines[0] }}" validate: '/usr/sbin/sshd -T -f %s' block: "{{ lookup('template', 'sshd_config_block.j2') }}" diff --git a/templates/osas-auditd-rhel7.j2 b/templates/osas-auditd-rhel7.j2 index ab138622..bfb46ed1 100644 --- a/templates/osas-auditd-rhel7.j2 +++ b/templates/osas-auditd-rhel7.j2 @@ -1,9 +1,9 @@ -## Rules for auditd deployed by openstack-ansible-security +## Rules for auditd deployed by ansible-hardening # Do not edit any of these rules directly. The contents of this file are # controlled by Ansible variables and each variable is explained in detail # within the role documentation: # -# http://docs.openstack.org/developer/openstack-ansible-security/ +# http://docs.openstack.org/developer/ansible-hardening/ # # Delete all existing auditd rules prior to loading this ruleset. diff --git a/tests/vagrant.yml b/tests/vagrant.yml index 040006ba..5d648c4a 100644 --- a/tests/vagrant.yml +++ b/tests/vagrant.yml @@ -16,4 +16,4 @@ - name: Playbook for role testing hosts: all roles: - - role: "../../../openstack-ansible-security" + - role: "../../../ansible-hardening"