[Docs] Replace security role references

This patch changes any reference of openstack-ansible-security to
ansible-hardening.

Change-Id: Ib264e31a926c05380b0d1dcd630ad8f3fd1e58f3

README.md

@@ -1,24 +1,23 @@
-openstack-ansible-security
+ansible-hardening
-==========================
+=================
 
-The openstack-ansible security role applies security hardening configurations
+The ansible-hardening role applies security hardening configurations
 from the [Security Technical Implementation Guide(STIG)](http://iase.disa.mil/stigs/Pages/index.aspx)
-to systems running Ubuntu 14.04, Ubuntu 16.04, CentOS 7, and Red Hat
+to systems running the following distributions:
-Enterprise Linux 7.
 
-The role is part of the
+* CentOS 7
-[OpenStack-Ansible project](https://git.openstack.org/cgit/openstack/openstack-ansible),
+* Debian Jessie *(experimental)*
-which deploys enterprise-grade OpenStack clouds using Ansible.  However, the
+* Ubuntu 14.04 *(deprecated)*
-role can easily be used outside of an OpenStack environment to secure hosts,
+* Ubuntu 16.04
-virtual machines, and containers.
+* Red Hat Enterprise Linux 7
 
 For more details, review the
-[openstack-ansible-security documentation](http://docs.openstack.org/developer/openstack-ansible-security/).
+[ansible-hardening documentation](http://docs.openstack.org/developer/ansible-hardening/).
 
 Requirements
 ------------
 
-This role can be used with or without the OpenStack-Ansible role. It requires
+This role can be used with or without OpenStack-Ansible. It requires
 Ansible 2.3 or later.
 
 Role Variables
@@ -38,7 +37,7 @@ Using the role is fairly straightforward:
 
     - hosts: servers
       roles:
-         - openstack-ansible-security
+         - ansible-hardening
 
 Running with Vagrant
 --------------------

README.rst

@@ -2,7 +2,7 @@
 Team and repository tags
 ========================
 
-.. image:: http://governance.openstack.org/badges/openstack-ansible-security.svg
+.. image:: http://governance.openstack.org/badges/ansible-hardening.svg
     :target: http://governance.openstack.org/reference/tags/index.html
 
 .. Change things from this point on
@@ -10,7 +10,7 @@ Team and repository tags
 Security hardening for OpenStack-Ansible
 ----------------------------------------
 
-Documentation for openstack-ansible-security is available in the `official
+Documentation for ansible-hardening is available in the `official
 OpenStack documentation site`_.
 
-.. _official OpenStack documentation site: http://docs.openstack.org/developer/openstack-ansible-security/
+.. _official OpenStack documentation site: http://docs.openstack.org/developer/ansible-hardening/

defaults/main.yml

@@ -36,10 +36,10 @@ security_package_state: present
 #  |_| \_\_| |_|_____|_____|  \___/  |____/ |_| |___\____|
 #
 #  The default configurations after this marker apply to the RHEL 6 STIG
-#  content in the openstack-ansible-security role. Review the comments below
+#  content in the ansible-hardening role. Review the comments below
-#  as well as the main openstack-ansible-security documentation:
+#  as well as the main ansible-hardening documentation:
 #
-#    http://docs.openstack.org/developer/openstack-ansible-security/
+#    http://docs.openstack.org/developer/ansible-hardening/
 #
 ###############################################################################
 
@@ -283,7 +283,7 @@ security_postfix_inet_interfaces: localhost       # V-38622
 #    Ubuntu: AppArmor
 #    CentOS: SELinux
 #
-# See the openstack-ansible-security documentation for more details.
+# See the ansible-hardening documentation for more details.
 security_enable_linux_security_module: yes        # V-51337
 
 ## PAM and authentication

doc/metadata/rhel6/V-38699.rst

@@ -12,7 +12,7 @@ following criteria:
 
 It requires that those directories are owned by root to prevent users from
 removing and replacing files. This ``find`` command isn't run within the
-Ansible tasks in openstack-ansible-security because it can be a very
+Ansible tasks in ansible-hardening because it can be a very
 time-consuming task and it can slow down disk I/O while it runs.
 
 Deployers are strongly urged to review the permissions and ownerships of

doc/source/conf.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-"""Documentation configuration for the openstack-ansible-security role."""
+"""Documentation configuration for the ansible-hardening role."""
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at

doc/source/controls-rhel7.rst

@@ -1,7 +1,7 @@
 Security hardening controls in detail (RHEL 7 STIG)
 ===================================================
 
-The openstack-ansible-security role follows the Red Hat Enteprise Linux 7
+The ansible-hardening role follows the Red Hat Enteprise Linux 7
 `Security Technical Implementation Guide (STIG)`_. The guide has over 200
 controls that apply to various parts of a Linux system, and it is updated
 regularly by the Defense Information Systems Agency (DISA). DISA is part of the

doc/source/controls.rst

@@ -17,12 +17,12 @@ Controls are divided into groups based on certain properties:
   can't be implemented with automation, or they could cause damage to an
   existing system. Other controls are listed as *opt-in* when they are
   implemented, but they require a deployer to enable them.
-  *(This categorization comes from openstack-ansible-security, not the STIG.)*
+  *(This categorization comes from ansible-hardening, not the STIG.)*
 
 * **Tag:** The controls are also separated based on which parts of the system
   they act upon. Something that secures ``grub`` would be tagged with *boot*
   while controls for ``sshd`` would be tagged with *auth*.
-  *(This categorization comes from openstack-ansible-security, not the STIG.)*
+  *(This categorization comes from ansible-hardening, not the STIG.)*
 
 You can also review the STIG controls in one very large page. This can be
 helpful when you need to search using your web browser.

doc/source/faq.rst

@@ -6,7 +6,7 @@ Does this role work only with OpenStack environments?
 
 No -- it works on almost any Linux host!
 
-The openstack-ansible-security role first began as a component of the
+The ansible-hardening role first began as a component of the
 OpenStack-Ansible project and it was designed to deploy into an existing
 OpenStack environment without causing disruptions. However, the role now works
 well in OpenStack and non-OpenStack environments.
@@ -40,7 +40,7 @@ Deployment without disruption
 Which systems are covered?
 --------------------------------------------------------
 
-The openstack-ansible-security role provides security hardening for physical
+The ansible-hardening role provides security hardening for physical
 servers running the following Linux distributions:
 
 * Ubuntu 14.04

doc/source/getting-started.rst

@@ -1,7 +1,7 @@
 Getting started
 ===============
 
-The openstack-ansible-security role can be used along with the
+The ansible-hardening role can be used along with the
 `OpenStack-Ansible`_ project or as a standalone role that can be used along
 with other Ansible playbooks.
 
@@ -20,10 +20,10 @@ Start by installing ansible and then install the role itself using
 .. code-block:: console
 
    pip install ansible
-   ansible-galaxy install git+https://git.openstack.org/openstack/openstack-ansible-security
+   ansible-galaxy install git+https://git.openstack.org/openstack/ansible-hardening
 
 The role will be installed into
-``/etc/ansible/roles/openstack-ansible-security``.
+``/etc/ansible/roles/ansible-hardening``.
 
 Initial configuration
 ---------------------
@@ -35,7 +35,7 @@ provide custom configuration for the Ansible tasks in the role.
 Using as a standalone role
 --------------------------
 
-Adding the openstack-ansible-security role to existing playbooks is
+Adding the ansible-hardening role to existing playbooks is
 straightforward. Here is an example of an existing role for deploying web
 servers with the security hardening role added:
 
@@ -49,12 +49,12 @@ servers with the security hardening role added:
      roles:
        - common
        - webserver
-       - openstack-ansible-security
+       - ansible-hardening
 
 Using with OpenStack-Ansible
 ----------------------------
 
-The openstack-ansible-security role is automatically enabled and applied in the
+The ansible-hardening role is automatically enabled and applied in the
 Newton release of OpenStack-Ansible. Set the following Ansible variable to
 enable the role in the Mitaka release of OpenStack-Ansible:
 

doc/source/index.rst

@@ -2,7 +2,7 @@
 Automated security hardening for Linux hosts
 ============================================
 
-The openstack-ansible-security Ansible role uses industry-standard security
+The ansible-hardening Ansible role uses industry-standard security
 hardening guides to secure Linux hosts. Although the role is designed to work
 well in OpenStack environments that are deployed with OpenStack-Ansible, it can
 be used with almost any Linux system.
@@ -82,9 +82,9 @@ Pike
 
 * **Documentation:**
 
-  * `openstack-ansible-security Pike Release Notes`_
+  * `ansible-hardening Pike Release Notes`_
 
-.. _openstack-ansible-security Pike Release Notes: http://docs.openstack.org/releasenotes/openstack-ansible-security/unreleased.html
+.. _ansible-hardening Pike Release Notes: http://docs.openstack.org/releasenotes/ansible-hardening/unreleased.html
 
 Ocata
 ~~~~~
@@ -100,11 +100,11 @@ Ocata
 
 * **Documentation:**
 
-  * `openstack-ansible-security Ocata Documentation`_
+  * `ansible-hardening Ocata Documentation`_
-  * `openstack-ansible-security Ocata Release Notes`_
+  * `ansible-hardening Ocata Release Notes`_
 
-.. _openstack-ansible-security Ocata Documentation: http://docs.openstack.org/developer/openstack-ansible-security/ocata/
+.. _ansible-hardening Ocata Documentation: http://docs.openstack.org/developer/ansible-hardening/ocata/
-.. _openstack-ansible-security Ocata Release Notes: http://docs.openstack.org/releasenotes/openstack-ansible-security/ocata.html
+.. _ansible-hardening Ocata Release Notes: http://docs.openstack.org/releasenotes/ansible-hardening/ocata.html
 
 Newton
 ~~~~~~
@@ -120,8 +120,8 @@ Newton
 
 * **Documentation:**
 
-  * `openstack-ansible-security Newton Documentation`_
+  * `ansible-hardening Newton Documentation`_
-  * `openstack-ansible-security Newton Release Notes`_
+  * `ansible-hardening Newton Release Notes`_
 
-.. _openstack-ansible-security Newton Documentation: http://docs.openstack.org/developer/openstack-ansible-security/newton/
+.. _ansible-hardening Newton Documentation: http://docs.openstack.org/developer/ansible-hardening/newton/
-.. _openstack-ansible-security Newton Release Notes: http://docs.openstack.org/releasenotes/openstack-ansible-security/newton.html
+.. _ansible-hardening Newton Release Notes: http://docs.openstack.org/releasenotes/ansible-hardening/newton.html

doc/source/special-notes.rst

@@ -15,7 +15,7 @@ with production environments.
 Reviewing deviations
 --------------------
 
-The openstack-ansible-security role deviates from some of the STIG's
+The ansible-hardening role deviates from some of the STIG's
 requirements when a security control could cause significant issues with
 production systems. The role classifies each control into an implementation
 status and provides notes on why a certain control is skipped or altered.
@@ -138,7 +138,7 @@ Time synchronization
 
 Reliable time synchronization is a requirement in the STIG and the ``chrony``
 package will be installed to handle NTP for systems secured with the
-openstack-ansible-security role.
+ansible-hardening role.
 
 The default settings will work for most environments, but some deployers may
 prefer to use NTP servers which are geographically closer to their servers.

files/V-38682-modprobe.conf

@@ -1,4 +1,4 @@
-# File managed by openstack-ansible-security
+# File managed by ansible-hardening
 # Fixes RHEL 6 STIG V-38682
 install net-pf-31 /bin/true
 install bluetooth /bin/true

setup.cfg

@@ -1,5 +1,5 @@
 [metadata]
-name = openstack-ansible-security
+name = ansible-hardening
 summary = OpenStack-Ansible: Host security hardening
 description-file =
     README.rst

tasks/rhel6stig/sshd.yml

@@ -19,7 +19,7 @@
 # are added by the security role. For that reason, we check for the existence
 # of a marker line here and add a marker line to the file if it doesn't exist.
 - name: Check for security role marker in sshd_config
-  command: "grep '^# openstack-ansible-security configurations' /etc/ssh/sshd_config"
+  command: "grep '^# ansible-hardening configurations' /etc/ssh/sshd_config"
   register: sshd_marker_check
   changed_when: False
   check_mode: no
@@ -43,7 +43,7 @@
 # line above it.
 - name: Add security role marker with sed above Match stanza
   shell: |
-    sed -i '0,/^Match/s/^Match/\n# openstack-ansible-security configurations\n\n&/' /etc/ssh/sshd_config
+    sed -i '0,/^Match/s/^Match/\n# ansible-hardening configurations\n\n&/' /etc/ssh/sshd_config
   when:
     - sshd_marker_check.rc != 0
     - sshd_match_check.rc == 0
@@ -55,7 +55,7 @@
 - name: Add security role marker to the end of the sshd_config
   lineinfile:
     dest: /etc/ssh/sshd_config
-    line: "\n# openstack-ansible-security configurations"
+    line: "\n# ansible-hardening configurations"
     state: present
     insertbefore: EOF
     validate: '/usr/sbin/sshd -T -f %s'
@@ -71,7 +71,7 @@
     dest: /etc/ssh/sshd_config
     regexp: '^(#)?PrintLastLog'
     line: 'PrintLastLog yes'
-    insertafter: "^# openstack-ansible-security configurations"
+    insertafter: "^# ansible-hardening configurations"
     validate: '/usr/sbin/sshd -T -f %s'
   notify:
     - restart ssh
@@ -86,7 +86,7 @@
     dest: /etc/ssh/sshd_config
     regexp: '^(#)?Protocol \d'
     line: 'Protocol 2'
-    insertafter: "^# openstack-ansible-security configurations"
+    insertafter: "^# ansible-hardening configurations"
     validate: '/usr/sbin/sshd -T -f %s'
   notify:
     - restart ssh
@@ -101,7 +101,7 @@
     dest: /etc/ssh/sshd_config
     regexp: '^(#)?PermitEmptyPasswords'
     line: 'PermitEmptyPasswords no'
-    insertafter: "^# openstack-ansible-security configurations"
+    insertafter: "^# ansible-hardening configurations"
     validate: '/usr/sbin/sshd -T -f %s'
   notify:
     - restart ssh
@@ -116,7 +116,7 @@
     dest: /etc/ssh/sshd_config
     regexp: '^(#)?HostbasedAuthentication'
     line: 'HostbasedAuthentication no'
-    insertafter: "^# openstack-ansible-security configurations"
+    insertafter: "^# ansible-hardening configurations"
     validate: '/usr/sbin/sshd -T -f %s'
   notify:
     - restart ssh
@@ -131,7 +131,7 @@
     dest: /etc/ssh/sshd_config
     regexp: '^(#)?ClientAliveInterval'
     line: 'ClientAliveInterval {{ security_ssh_client_alive_interval }}'
-    insertafter: "^# openstack-ansible-security configurations"
+    insertafter: "^# ansible-hardening configurations"
     validate: '/usr/sbin/sshd -T -f %s'
   notify:
     - restart ssh
@@ -146,7 +146,7 @@
     dest: /etc/ssh/sshd_config
     regexp: '^(#)?ClientAliveCountMax'
     line: 'ClientAliveCountMax {{ security_ssh_client_alive_count_max }}'
-    insertafter: "^# openstack-ansible-security configurations"
+    insertafter: "^# ansible-hardening configurations"
     validate: '/usr/sbin/sshd -T -f %s'
   notify:
     - restart ssh
@@ -161,7 +161,7 @@
     dest: /etc/ssh/sshd_config
     regexp: '^(#)?IgnoreRhosts'
     line: 'IgnoreRhosts yes'
-    insertafter: "^# openstack-ansible-security configurations"
+    insertafter: "^# ansible-hardening configurations"
     validate: '/usr/sbin/sshd -T -f %s'
   notify:
     - restart ssh
@@ -176,7 +176,7 @@
     dest: /etc/ssh/sshd_config
     regexp: '^(#)?PermitRootLogin'
     line: 'PermitRootLogin {{ security_ssh_permit_root_login }}'
-    insertafter: "^# openstack-ansible-security configurations"
+    insertafter: "^# ansible-hardening configurations"
     validate: '/usr/sbin/sshd -T -f %s'
   notify:
     - restart ssh
@@ -200,7 +200,7 @@
     dest: /etc/ssh/sshd_config
     regexp: '^(#)?Banner'
     line: 'Banner /etc/issue.net'
-    insertafter: "^# openstack-ansible-security configurations"
+    insertafter: "^# ansible-hardening configurations"
     validate: '/usr/sbin/sshd -T -f %s'
   tags:
     - ssh
@@ -213,7 +213,7 @@
     dest: /etc/ssh/sshd_config
     regexp: '^(#)?PermitUserEnvironment'
     line: 'PermitUserEnvironment no'
-    insertafter: "^# openstack-ansible-security configurations"
+    insertafter: "^# ansible-hardening configurations"
     validate: '/usr/sbin/sshd -T -f %s'
   tags:
     - ssh
@@ -226,7 +226,7 @@
     dest: /etc/ssh/sshd_config
     regexp: '^(#)?Ciphers'
     line: 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc'
-    insertafter: "^# openstack-ansible-security configurations"
+    insertafter: "^# ansible-hardening configurations"
     validate: '/usr/sbin/sshd -T -f %s'
   tags:
     - ssh

tasks/rhel7stig/accounts.yml

@@ -26,7 +26,7 @@
     dest: /etc/security/pwquality.conf
     backup: yes
     insertbefore: EOF
-    marker: "# {mark} Added by openstack-ansible-security role"
+    marker: "# {mark} Added by ansible-hardening role"
     state: present
     block: "{{ lookup('template', 'pwquality.conf.j2') }}"
   when:

tasks/rhel7stig/aide.yml

@@ -38,7 +38,7 @@
   blockinfile:
     dest: "{{ aide_conf }}"
     insertbefore: EOF
-    marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
+    marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
     block: |
       # Rules borrowed from CentOS/RHEL AIDE configuration
       # (SELinux was removed for Ubuntu compatibility.)

tasks/rhel7stig/auth.yml

@@ -69,7 +69,7 @@
   blockinfile:
     dest: "{{ pam_password_file }}"
     state: present
-    marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
+    marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
     insertbefore: EOF
     block: "{{ lookup('template', 'pam_faillock.j2') }}"
   when:
@@ -166,10 +166,10 @@
 
 - name: V-72217 - The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
   blockinfile:
-    dest: /etc/security/limits.d/openstack-ansible-security-maxlogins.conf
+    dest: /etc/security/limits.d/ansible-hardening-maxlogins.conf
     create: yes
     block: |
-      # Deployed by the openstack-ansible-security role
+      # Deployed by the ansible-hardening role
       # V-72217 - Limit concurrent sessions for all accounts/types
       * hard maxlogins {{ security_rhel7_concurrent_session_limit }}
   when:

tasks/rhel7stig/kernel.yml

@@ -15,7 +15,7 @@
 
 - name: V-71983 - USB mass storage must be disabled.
   lineinfile:
-    dest: /etc/modprobe.d/openstack-ansible-security-disable-usb-storage.conf
+    dest: /etc/modprobe.d/ansible-hardening-disable-usb-storage.conf
     line: install usb-storage /bin/true
     create: yes
   when:

tasks/rhel7stig/misc.yml

@@ -211,7 +211,7 @@
   blockinfile:
     dest: /etc/profile
     insertbefore: EOF
-    marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
+    marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
     block: |
       # Set a {{ security_rhel7_session_timeout }} second timeout for sessions
       TMOUT={{ security_rhel7_session_timeout }}

tasks/rhel7stig/sshd.yml

@@ -44,7 +44,7 @@
   blockinfile:
     dest: /etc/ssh/sshd_config
     state: present
-    marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
+    marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
     insertbefore: "{{ sshd_match_check.stdout_lines[0] }}"
     validate: '/usr/sbin/sshd -T -f %s'
     block: "{{ lookup('template', 'sshd_config_block.j2') }}"

templates/osas-auditd-rhel7.j2

@@ -1,9 +1,9 @@
-## Rules for auditd deployed by openstack-ansible-security
+## Rules for auditd deployed by ansible-hardening
 # Do not edit any of these rules directly. The contents of this file are
 # controlled by Ansible variables and each variable is explained in detail
 # within the role documentation:
 #
-#    http://docs.openstack.org/developer/openstack-ansible-security/
+#    http://docs.openstack.org/developer/ansible-hardening/
 #
 
 # Delete all existing auditd rules prior to loading this ruleset.

tests/vagrant.yml

@@ -16,4 +16,4 @@
 - name: Playbook for role testing
   hosts: all
   roles:
-    - role: "../../../openstack-ansible-security"
+    - role: "../../../ansible-hardening"