From d001b9dda5eaa405caf30106b7e13eca86fcdde3 Mon Sep 17 00:00:00 2001 
From: Major Hayden Date: Fri, 30 Sep 2016 14:52:16 -0500 Subject: [PATCH] Initial scaffolding for RHEL 7 STIG This patch adds the initial scaffolding for the RHEL 7 STIG content and provides a pathway for adding gate jobs that test the tasks for the new content. Implements: blueprint security-rhel7-stig Change-Id: I4cc9468977fc6c14f4ca792a8964fa7a60a4e831 --- defaults/main.yml | 8 ++++++ tasks/main.yml | 33 ++++++---------------- tasks/{ => rhel6stig}/aide.yml | 0 tasks/{ => rhel6stig}/apt.yml | 0 tasks/{ => rhel6stig}/auditd.yml | 0 tasks/{ => rhel6stig}/auth.yml | 0 tasks/{ => rhel6stig}/boot.yml | 0 tasks/{ => rhel6stig}/console.yml | 0 tasks/{ => rhel6stig}/file_perms.yml | 0 tasks/{ => rhel6stig}/kernel.yml | 0 tasks/{ => rhel6stig}/lsm.yml | 0 tasks/{ => rhel6stig}/mail.yml | 0 tasks/rhel6stig/main.yml | 42 ++++++++++++++++++++++++++++ tasks/{ => rhel6stig}/misc.yml | 0 tasks/{ => rhel6stig}/nfsd.yml | 0 tasks/{ => rhel6stig}/rpm.yml | 0 tasks/{ => rhel6stig}/services.yml | 0 tasks/{ => rhel6stig}/sshd.yml | 0 tasks/rhel7stig/main.yml | 18 ++++++++++++ tox.ini | 40 ++++++++++++++++++++++++++ 20 files changed, 116 insertions(+), 25 deletions(-) rename tasks/{ => rhel6stig}/aide.yml (100%) rename tasks/{ => rhel6stig}/apt.yml (100%) rename tasks/{ => rhel6stig}/auditd.yml (100%) rename tasks/{ => rhel6stig}/auth.yml (100%) rename tasks/{ => rhel6stig}/boot.yml (100%) rename tasks/{ => rhel6stig}/console.yml (100%) rename tasks/{ => rhel6stig}/file_perms.yml (100%) rename tasks/{ => rhel6stig}/kernel.yml (100%) rename tasks/{ => rhel6stig}/lsm.yml (100%) rename tasks/{ => rhel6stig}/mail.yml (100%) create mode 100644 tasks/rhel6stig/main.yml rename tasks/{ => rhel6stig}/misc.yml (100%) rename tasks/{ => rhel6stig}/nfsd.yml (100%) rename tasks/{ => rhel6stig}/rpm.yml (100%) rename tasks/{ => rhel6stig}/services.yml (100%) rename tasks/{ => rhel6stig}/sshd.yml (100%) create mode 100644 tasks/rhel7stig/main.yml 
diff --git a/defaults/main.yml b/defaults/main.yml index edc26611..e75856ca 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -13,6 +13,14 @@ # See the License for the specific language governing permissions and # limitations under the License. +## STIG version selection +# During the Ocata development cycle, the role will begin adding the RHEL 7 +# STIG content. By default, all operating systems will use the RHEL 6 STIG +# until the work has completed. +# +# This variable should only be adjusted for testing purposes. +stig_version: rhel6 + ## APT Cache Options # This variable is used across multiple OpenStack-Ansible roles to handle the # apt cache updates as efficiently as possible. diff --git a/tasks/main.yml b/tasks/main.yml index eef41bf0..59a58ba1 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -56,30 +56,13 @@ tags: - always - - include: apt.yml - static: no - when: ansible_pkg_mgr == 'apt' - tags: - - apt - - package - - include: rpm.yml - static: no - when: ansible_pkg_mgr == 'yum' or ansible_pkg_mgr == 'dnf' - tags: - - package - - rpm + - include: rhel6stig/main.yml + when: + - stig_version == 'rhel6' - - include: aide.yml - - include: auditd.yml - - include: auth.yml - - include: boot.yml - - include: console.yml - - include: file_perms.yml - - include: kernel.yml - - include: lsm.yml - - include: mail.yml - - include: misc.yml - - include: nfsd.yml - - include: services.yml - - include: sshd.yml + # NOTE(mhayden): RHEL 7 STIG content is still under development. Do not run + # these tasks against a production environment at this time. + - include: rhel7stig/main.yml + when: + - stig_version == 'rhel7' diff --git a/tasks/aide.yml b/tasks/rhel6stig/aide.yml similarity index 100% rename from tasks/aide.yml rename to tasks/rhel6stig/aide.yml diff --git a/tasks/apt.yml b/tasks/rhel6stig/apt.yml similarity index 100% rename from tasks/apt.yml rename to tasks/rhel6stig/apt.yml 
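Review bot: The comment block above `stig_version: rhel6` never states which values the role accepts, even though this variable is the only selector between the two include sets in tasks/main.yml. Add `# Valid values: rhel6 (default) or rhel7 (RHEL 7 content, still under development).` so a deployer does not have to read tasks/main.yml to learn that any other value is silently ignored. The defaults file continues outside this hunk.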
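Review bot: A stig_version value other than 'rhel6' or 'rhel7' matches neither `when:` clause of the two new includes, so the role finishes with a successful play recap while applying no hardening at all, which a typo in an inventory or `-e` override can cause without any visible failure. Guard the selector with an assert task placed before the includes and tagged `always` like the surrounding block, so an unsupported value fails the play instead of silently skipping every task. The task list this hunk belongs to starts before the hunk; the indentation in the excerpt below is inferred from the collapsed diff and should be matched to the neighbouring includes.
```yaml
  - name: Check that stig_version names a supported STIG
    assert:
      that:
        - stig_version in ['rhel6', 'rhel7']
      msg: "stig_version must be 'rhel6' or 'rhel7'"
    tags:
      - always

  # … unchanged: rhel6stig/main.yml and rhel7stig/main.yml includes …
```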
diff --git a/tasks/auditd.yml b/tasks/rhel6stig/auditd.yml similarity index 100% rename from tasks/auditd.yml rename to tasks/rhel6stig/auditd.yml diff --git a/tasks/auth.yml b/tasks/rhel6stig/auth.yml similarity index 100% rename from tasks/auth.yml rename to tasks/rhel6stig/auth.yml diff --git a/tasks/boot.yml b/tasks/rhel6stig/boot.yml similarity index 100% rename from tasks/boot.yml rename to tasks/rhel6stig/boot.yml diff --git a/tasks/console.yml b/tasks/rhel6stig/console.yml similarity index 100% rename from tasks/console.yml rename to tasks/rhel6stig/console.yml diff --git a/tasks/file_perms.yml b/tasks/rhel6stig/file_perms.yml similarity index 100% rename from tasks/file_perms.yml rename to tasks/rhel6stig/file_perms.yml diff --git a/tasks/kernel.yml b/tasks/rhel6stig/kernel.yml similarity index 100% rename from tasks/kernel.yml rename to tasks/rhel6stig/kernel.yml diff --git a/tasks/lsm.yml b/tasks/rhel6stig/lsm.yml similarity index 100% rename from tasks/lsm.yml rename to tasks/rhel6stig/lsm.yml diff --git a/tasks/mail.yml b/tasks/rhel6stig/mail.yml similarity index 100% rename from tasks/mail.yml rename to tasks/rhel6stig/mail.yml diff --git a/tasks/rhel6stig/main.yml b/tasks/rhel6stig/main.yml new file mode 100644 index 00000000..1144473c --- /dev/null +++ b/tasks/rhel6stig/main.yml 
@@ -0,0 +1,42 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + - include: apt.yml + static: no + when: ansible_pkg_mgr == 'apt' + tags: + - apt + - package + + - include: rpm.yml + static: no + when: ansible_pkg_mgr == 'yum' or ansible_pkg_mgr == 'dnf' + tags: + - package + - rpm + + - include: aide.yml + - include: auditd.yml + - include: auth.yml + - include: boot.yml + - include: console.yml + - include: file_perms.yml + - include: kernel.yml + - include: lsm.yml + - include: mail.yml + - include: misc.yml + - include: nfsd.yml + - include: services.yml + - include: sshd.yml diff --git a/tasks/misc.yml b/tasks/rhel6stig/misc.yml similarity index 100% rename from tasks/misc.yml rename to tasks/rhel6stig/misc.yml diff --git a/tasks/nfsd.yml b/tasks/rhel6stig/nfsd.yml similarity index 100% rename from tasks/nfsd.yml rename to tasks/rhel6stig/nfsd.yml diff --git a/tasks/rpm.yml b/tasks/rhel6stig/rpm.yml similarity index 100% rename from tasks/rpm.yml rename to tasks/rhel6stig/rpm.yml diff --git a/tasks/services.yml b/tasks/rhel6stig/services.yml similarity index 100% rename from tasks/services.yml rename to tasks/rhel6stig/services.yml diff --git a/tasks/sshd.yml b/tasks/rhel6stig/sshd.yml similarity index 100% rename from tasks/sshd.yml rename to tasks/rhel6stig/sshd.yml diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml new file mode 100644 index 00000000..5bf7e92e --- /dev/null 
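Review bot: The task list in the new tasks/rhel6stig/main.yml appears to keep the leading indentation it had inside tasks/main.yml (every `- include:` line in this hunk carries a space after its `+` marker), whereas tasks/rhel7stig/main.yml in the same patch starts its list at column 0. Both forms parse, but a root-level sequence indented under no parent key reads as if a key were missing and may trip yamllint's indentation rule; flush the list to column 0 to match the RHEL 7 file. Since the included files moved together with this list, `include: apt.yml` and its siblings presumably resolve relative to this directory now, which is worth stating under the license header, e.g. `# Included task files are resolved relative to this directory.`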
+++ b/tasks/rhel7stig/main.yml @@ -0,0 +1,18 @@ +--- +# Copyright 2015, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: Not yet implemented + debug: + msg: "The RHEL 7 STIG is not yet implemented." diff --git a/tox.ini b/tox.ini index 609fc64e..4ec217e5 100644 --- a/tox.ini +++ b/tox.ini 
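Review bot: The placeholder task in tasks/rhel7stig/main.yml only prints a debug message, so a run with `stig_version=rhel7` ends with a green play recap while no hardening has been applied; the message should say that explicitly so a log reader is not misled, e.g. `msg: "The RHEL 7 STIG is not yet implemented; no RHEL 7 hardening has been applied to this host."`. The copyright line reads 2015 while the sibling tasks/rhel6stig/main.yml created in the same patch reads 2016, which looks like a header copied from an older file. The hunk is complete.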
@@ -163,6 +163,46 @@ commands = || (echo "Idempotence test: fail" && exit 1)' {[testenv:func_logs]commands} +[testenv:func_rhel7] +# Ignore_errors is set to true so that the logs are collected at the +# end of the run. This will not produce a false positive. Any +# exception will be mark the run as failed and exit 1 after all of +# the commands have been iterated through. +ignore_errors = True +# NOTE(odyssey4me): this target does not use constraints because +# it doesn't work in OpenStack-CI yet. Once that's fixed, we can +# drop the install_command. +install_command = + {[testenv:func_base]install_command} +deps = + {[testenv:ansible]deps} +commands = + {[testenv:ansible]commands} + # NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now + # building images with apt config + # Apt::Get::AllowUnauthenticated set to true. + # NOTE(mhayden): Skipping V-38660 since openstack-infra has SNMP v1/2 in + # the images. This can be added back in once + # https://review.openstack.org/#/c/354819/ merges. + ansible-playbook --check \ + -i {toxinidir}/tests/inventory \ + -e "install_test_packages=True stig_version=rhel7" \ + --skip-tag V-38462,V-38660 \ + {toxinidir}/tests/test_check.yml + ansible-playbook -i {toxinidir}/tests/inventory \ + -e "install_test_packages=True stig_version=rhel7" \ + --skip-tag V-38462,V-38660 \ + {toxinidir}/tests/test.yml + bash -c 'ansible-playbook -i {toxinidir}/tests/inventory \ + -e "install_test_packages=True stig_version=rhel7" \ + --skip-tag V-38462,V-38660 \ + {toxinidir}/tests/test.yml \ + | tee /tmp/idempotence_test_output.txt' + bash -c 'grep -q "changed=0.*failed=0" /tmp/idempotence_test_output.txt \ + && (echo "Idempotence test: pass" && exit 0) \ + || (echo "Idempotence test: fail" && exit 1)' + {[testenv:func_logs]commands} + [testenv:linters] deps =