openstack/openstack-ansible
Code Issues Proposed changes

Use RHEL 7 STIG content in OSA

Browse Source 
This patch applies the RHEL 7 STIG security content from the
openstack-ansible-security role to OpenStack-Ansible deployments by
default.

Implements: blueprint security-rhel7-stig
Change-Id: I7981d73660adf877d91b63ca8387ec27e863c73c
This commit is contained in:
Major Hayden 2017-01-16 11:21:39 -06:00
parent 7cc13fd1c9
commit 32ca3e6909
4 changed files with 14 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
playbooks/inventory/group_vars/hosts.yml
View File

@ -21,7 +21,5 @@ security_package_state: "{{ package_state }}"
# Disable /etc/hosts management if unbound DNS resolution containers exist # Disable /etc/hosts management if unbound DNS resolution containers exist
openstack_host_manage_hosts_file: "{{ groups['unbound_all'] is not defined or groups['unbound_all'] | length < 1 }}" openstack_host_manage_hosts_file: "{{ groups['unbound_all'] is not defined or groups['unbound_all'] | length < 1 }}"
# Use the RHEL 6 STIG content from the security role. # Use the RHEL 7 STIG content from the openstack-ansible-security role
# NOTE(mhayden): Remove this variable when the RHEL 7 STIG content becomes the stig_version: rhel7
# default and tests well with the integrated repository.
stig_version: rhel6

6
releasenotes/notes/osa-security-rhel7-content-b55ed1d1bae02295.yaml Normal file
View File

@ -0,0 +1,6 @@
---
features:
- |
The openstack-ansible-security role is now configured to apply the
security configurations from the Red Hat Enterprise Linux 7 STIG to
OpenStack-Ansible deployments.

12
scripts/run-playbooks.sh
View File

@ -95,17 +95,7 @@ function playbook_run {
# Set the playbook log path so that we can review specific execution later. # Set the playbook log path so that we can review specific execution later.
export ANSIBLE_LOG_PATH="${PLAYBOOK_LOGS}/${COUNTER}-${include_file_name}.txt" export ANSIBLE_LOG_PATH="${PLAYBOOK_LOGS}/${COUNTER}-${include_file_name}.txt"
let COUNTER=COUNTER+=1 let COUNTER=COUNTER+=1
if [[ "${DEPLOY_AIO}" = true ]] && [[ "${include_file_name}" == "security-hardening.yml" ]]; then if [[ "${DEPLOY_AIO}" = true ]]; then
# NOTE(mattt): We have to skip V-38462 as openstack-infra are now building
# images with apt config Apt::Get::AllowUnauthenticated set
# to true.
# NOTE(odyssey4me): We skip V-38471 as it generates a huge amount of log
# entries in syslog and the syslog files are gathered
# in OpenStack-CI. ref: bug/1620849
# NOTE(mhayden): Skipping V-38660 since it breaks the Xenial gate. The
# CI Xenial image has non-SNMPv3 configurations.
install_bits "${include_playbook}" --skip-tag V-38462,V-38471,V-38660
else
install_bits "${include_playbook}" install_bits "${include_playbook}"
fi fi
# Remove the generate playbook when done with it # Remove the generate playbook when done with it

5
tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2
View File

@ -94,3 +94,8 @@ neutron_plugin_base:
## Always setup tempest, the resources for it, then execute tests ## Always setup tempest, the resources for it, then execute tests
tempest_install: yes tempest_install: yes
tempest_run: yes tempest_run: yes
{% if nodepool_dir.stat.exists %}
# Disable chronyd in OpenStack CI
security_rhel7_enable_chrony: no
{% endif %}