
[new][openstackansible] openstack-ansible-security 12.2.5 release
We are chuffed to announce the release of:

openstack-ansible-security 12.2.5: Security hardening role for
openstack-ansible

Download the package from:

https://tarballs.openstack.org/openstack-ansible-security/

For more details, please see below.

12.2.5
^^^^^^


New Features
************

* AIDE is configured to skip the entire "/var" directory when it
does the database initialization and when it performs checks. This
reduces disk I/O and allows these jobs to complete faster.

This also allows the initialization to become a blocking process and
Ansible will wait for the initialization to complete prior to
running the next task.

* Although the STIG requires martian packets to be logged, the
logging is now disabled by default. The logs can quickly fill up a
syslog server or make a physical console unusable.

Deployers that need this logging enabled will need to set the
following Ansible variable:

security_sysctl_enable_martian_logging: yes


Upgrade Notes
*************

* All of the discretionary access control (DAC) auditing is now
disabled by default. This reduces the amount of logs generated
during deployments and minor upgrades. The following variables are
now set to "no":

security_audit_DAC_chmod: no
security_audit_DAC_chown: no
security_audit_DAC_lchown: no
security_audit_DAC_fchmod: no
security_audit_DAC_fchmodat: no
security_audit_DAC_fchown: no
security_audit_DAC_fchownat: no
security_audit_DAC_fremovexattr: no
security_audit_DAC_lremovexattr: no
security_audit_DAC_fsetxattr: no
security_audit_DAC_lsetxattr: no
security_audit_DAC_setxattr: no


Bug Fixes
*********

* The "/run" directory is excluded from AIDE checks since the files
and directories there are only temporary and often change when
services start and stop.

* AIDE initialization is now always run on subsequent playbook runs
when "initialize_aide" is set to "yes". The initialization will be
skipped if AIDE isn't installed or if the AIDE database already
exists.

See bug 1616281 (https://launchpad.net/bugs/1616281) for more
details.

* The auditd rules for auditing V-38568 (filesystem mounts) were
incorrectly labeled in the auditd logs with the key of
"export-V-38568". They are now correctly logged with the key
"filesystem_mount-V-38568".
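Added example, not code from the openstack-ansible-security role: a Python check a deployer can run after this upgrade to confirm that the DAC auditing defaults above actually took effect and that the V-38568 mount rule now carries the corrected key. It parses `auditctl -l` output (the `-k` and `-F key=` forms); the sample rule lines and the `DAC_chmod` key name in them are constructed, not the role's own.

```python
import shlex

# DAC syscalls covered by the security_audit_DAC_* variables (all default "no" in 12.2.5).
DAC_SYSCALLS = {
    "chmod", "chown", "lchown", "fchmod", "fchmodat", "fchown", "fchownat",
    "fremovexattr", "lremovexattr", "fsetxattr", "lsetxattr", "setxattr",
}
EXPECTED_MOUNT_KEY = "filesystem_mount-V-38568"  # corrected key from this release
OLD_MOUNT_KEY = "export-V-38568"                  # the mislabelled key it replaces


def parse_rule(line):
    """Return (syscalls, keys) for one `auditctl -l` rule line (-k or -F key= form)."""
    syscalls, keys = set(), set()
    args = shlex.split(line)
    for i, arg in enumerate(args):
        nxt = args[i + 1] if i + 1 < len(args) else ""
        if arg == "-S":
            syscalls.update(nxt.split(","))
        elif arg == "-k":
            keys.add(nxt)
        elif arg == "-F" and nxt.startswith("key="):
            keys.add(nxt[len("key="):])
    return syscalls, keys


def check_rules(rules_text):
    """Summarise DAC auditing and the mount-rule key from `auditctl -l` output."""
    dac_audited, mount_keys = set(), set()
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        syscalls, keys = parse_rule(line)
        dac_audited |= syscalls & DAC_SYSCALLS
        if "mount" in syscalls:
            mount_keys |= keys
    return {
        "dac_syscalls_still_audited": sorted(dac_audited),
        "mount_key_ok": EXPECTED_MOUNT_KEY in mount_keys,
        "old_mount_key_present": OLD_MOUNT_KEY in mount_keys,
    }


# Constructed sample of `auditctl -l` output from a host still on the pre-12.2.5
# rule set: a DAC chmod rule is loaded and the mount rule carries the old key.
SAMPLE_OLD = """\
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=DAC_chmod
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -F key=export-V-38568
"""
```

On a live host, feed `check_rules()` the stdout of `subprocess.run(["auditctl", "-l"], capture_output=True, text=True)` (run as root); an empty `dac_syscalls_still_audited` list and `mount_key_ok: True` is the expected post-upgrade state.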

Changes in openstack-ansible-security 12.2.3..12.2.5
----------------------------------------------------

77eaaf2 Disable DAC change auditing
31a8ff5 Disable martian logging by default
e7373c4 Exclude /run from AIDE checks
6c9eb50 Ensure AIDE initializes on subsequent runs
23fe90b Fix numbering on V-38583


Diffstat (except docs and test files)
-------------------------------------

defaults/main.yml | 22 +++---
handlers/main.yml | 6 --
.../notes/aide-exclude-run-4d3c97a2d08eb373.yaml | 6 ++
.../aide-initialization-fix-16ab0223747d7719.yaml | 17 +++++
...figurable-martian-logging-370ede40b036db0b.yaml | 13 ++++
.../reduce-auditd-logging-633677a74aee5481.yaml | 25 +++++++
tasks/aide.yml | 86 ++++++++++++++++++++++
tasks/boot.yml | 4 +-
tasks/kernel.yml | 2 +-
tasks/main.yml | 1 +
tasks/misc.yml | 49 ------------
templates/osas-auditd.j2 | 8 +-
22 files changed, 293 insertions(+), 94 deletions(-)




_______________________________________________
OpenStack-announce mailing list
OpenStack-announce@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-announce