-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hey there,
After presenting openstack-ansible-security at the Security Project Mid-Cycle meeting yesterday, the question came up around how to handle situations where automation might cause problems. For example, the STIG requires[1] that all system accounts other than root are locked. This could be dangerous on a running production system as Ubuntu has non-root accounts that are not locked. At the moment, the playbook does a hard stop (using the fail module) when this check fails[2]. Although that can be skipped with --skip-tag, it can be a little annoying if you have automation that depends on the playbook running without stopping. Is there a good alternative for this? I've found a few options: 1) Leave it as-is and do a hard stop on these tasks 2) Print a warning to the console but let the playbook continue 3) Use an Ansible callback plugin to catch these and print them at the end of the playbook run Thanks in advance for any advice! [1] https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38496 [2] https://github.com/openstack/openstack-ansible-security/blob/master/tasks/auth.yml#L60-L87 - -- Major Hayden -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJWlmjbAAoJEHNwUeDBAR+x7zAP/RfGnihciZV0m7Jf+hVKSrzf PEc4gauKRA1mZEFdgX4Ib137Vrztu9p1mPB29bRx9GN8aMcY2TtRwrR1QKmUOHX9 gtrjif9m5XgCM0ja/DMbj82j7pPpIQC5Tby0+CIhX27ZdgGxBpo/9UOj1Dns39Mg DzOdNGkGVO6ngmBKdqKetjkT+i0wSKXGQyS341PvyJDy77JCRaGFKc+jRnJWTdVc Tpdkc+TL5Rv92gMkMlLnW6txHmtPEJDKjgndhrzWExhY6CLn6XogRMTdZ/1fMP2Y x02S4s0VehuNF/9L5nmZ+lBS7HNhtiiSC6KGIo/0X7rZVo9VJ4KNjVaXGQ7clbxS sDrqO9uXl98n4S7H44jzBiukYO8MtXVf9djQwujN5A5oN+d1r+sCDDLhxlsLDMVN fMlj2LItNREzKe+ZFWBuEkl6GLAO3y0TQPRWYdc3L8PhiwqVJiJ0+WefYO2PNcZe Csik3IHCn+jdIq1WdsPQXDEYhAHL1Y1OqEMoBnte/FHeq1BmnojXxuVNtrY1EKtL APGGrUbhUWLtZ6v6ke3OT83BSd1FFmLLe/0MlIJ5LYZZZFR/bHgxuEiHcYNr6Fm1 Dnlrg0NNeeQgClABcB5wK2T8lbDahhxp6Nq7F3MTirnIVYHGo7CYa7g5Gw2b7BMu qWWgC8FnH0FzwE7P1LSj =wi7P -----END PGP SIGNATURE----- __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
