Re: [openstack-dev] [openstack-ansible][security] Should the playbook stop on certain tasks?
On 13 January 2016 at 15:10, Major Hayden wrote:
>
> For example, the STIG requires[1] that all system accounts other than root
> are locked. This could be dangerous on a running production system as
> Ubuntu has non-root accounts that are not locked. At the moment, the
> playbook does a hard stop (using the fail module) when this check
> fails[2]. Although that can be skipped with --skip-tag, it can be a little
> annoying if you have automation that depends on the playbook running
> without stopping.
>
> Is there a good alternative for this? I've found a few options:
>
> 1) Leave it as-is and do a hard stop on these tasks
> 2) Print a warning to the console but let the playbook continue
> 3) Use an Ansible callback plugin to catch these and print them at the
> end of the playbook run
>
> Thanks in advance for any advice!
>
> [1] https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38496
> [2] https://github.com/openstack/openstack-ansible-security/blob/master/tasks/auth.yml#L60-L87

I think the best thing to do here is to take a stance on what the project/role deems to be a good set of defaults for the environment it's catering for. Whatever that stance is should be rigorously enforced (ie the playbook should hard stop if there is non-compliance).

For anyone using automation, if they wish to skip particular compliance elements then they should build the skip into their automation (ie add --skip-tags). Skipping compliance should be a conscious action implemented deliberately by the consumer of the role.

Darren's reply is interesting and perhaps worth consideration. As far as I recall the security role adopted the STIG primarily because it was the only openly available set of standards that didn't require licensing. If there are other options to explore and ways to consume them, then perhaps that should be an initiative for the Newton cycle?
__ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [openstack-ansible][security] Should the playbook stop on certain tasks?
On 02/08/2016 06:40 AM, Jesse Pretorius wrote:
> Darren's reply is interesting and perhaps worth consideration. As far as I
> recall the security role adopted the STIG primarily because it was the only
> openly available set of standards that didn't require licensing. If there are
> other options to explore and ways to consume them, then perhaps that should
> be an initiative for the Newton cycle?

That's right. After direct conversations with CIS, we found that the licensing and restricted use of the security benchmarks wouldn't allow us to use them in OpenStack projects. That could change in the future, but that's what exists at the moment. The STIG was chosen since it's widely adopted and it is in the public domain.

It could be interesting to take an XCCDF/OVAL dump and try to implement it in an automated way with Ansible. Creating the XCCDF XML isn't easy (nor fun), but that could be an option, too.

Darren's point about using vendor-provided hardening standards for Red Hat, Fedora, and Solaris is a good one. This could be very useful if the multi-os support for OpenStack-Ansible comes together. It's a shame that Ubuntu doesn't have a comprehensive XCCDF profile available as the other distributions do. :/

--
Major Hayden
Re: [openstack-dev] [openstack-ansible][security] Should the playbook stop on certain tasks?
On 01/13/16 15:10, Major Hayden wrote:
> After presenting openstack-ansible-security at the Security Project Mid-Cycle
> meeting yesterday, the question came up around how to handle situations where
> automation might cause problems.
>
> For example, the STIG requires[1] that all system accounts other than root are
> locked. This could be dangerous on a running production system as Ubuntu has
> non-root accounts that are not locked. At the moment, the playbook does a
> hard stop (using the fail module) when this check fails[2]. Although that can
> be skipped with --skip-tag, it can be a little annoying if you have automation
> that depends on the playbook running without stopping.
>
> Is there a good alternative for this? I've found a few options:
>
> 1) Leave it as-is and do a hard stop on these tasks
> 2) Print a warning to the console but let the playbook continue
> 3) Use an Ansible callback plugin to catch these and print them at the end
> of the playbook run

The STIG is just DISA's interpretation and based on my experience with helping get the Solaris 10 and Solaris 11 STIG correct it is often overly strict and sometimes poor advice for the general case. In the case of Solaris, Ubuntu, Fedora requiring some of these system accounts to be locked would actually weaken system security because certain required functionality would break.

So I would strongly caution against taking the DISA STIG as an authoritative stance for OS security configuration. A lot of it is very good and overlaps with CIS and vendor recommendations. For Red Hat, Fedora and Solaris I would recommend instead to look at the vendor delivered XCCDF profiles.

I think it would be much more valuable for us to focus on getting XCCDF/OVAL developed for OpenStack specific rules and leave the OS configuration/recommendations to the OS vendors.

--
Darren J Moffat
Re: [openstack-dev] [openstack-ansible][security] Should the playbook stop on certain tasks?
On 01/13/2016 02:59 PM, Clark, Robert Graham wrote:
> I'm pretty new to openstack-ansible-security but based on my use cases which
> are as much about using this for verification as they are for building secure
> boxes my preference would be 3) Use an Ansible callback plugin to catch these
> and print them at the end of the playbook run

I'm leaning in that direction as well, but I'm not sure if there's a way to wedge this type of functionality into a role. It can be done easily with a playbook, but I'm not sure if we can add this to a role by itself.

--
Major Hayden
Re: [openstack-dev] [openstack-ansible][security] Should the playbook stop on certain tasks?
I'm pretty new to openstack-ansible-security but based on my use cases which are as much about using this for verification as they are for building secure boxes my preference would be 3) Use an Ansible callback plugin to catch these and print them at the end of the playbook run

-Rob

On 13/01/2016 09:10, "Major Hayden" wrote:
> Hey there,
>
> After presenting openstack-ansible-security at the Security Project Mid-Cycle
> meeting yesterday, the question came up around how to handle situations where
> automation might cause problems.
>
> For example, the STIG requires[1] that all system accounts other than root are
> locked. This could be dangerous on a running production system as Ubuntu has
> non-root accounts that are not locked. At the moment, the playbook does a
> hard stop (using the fail module) when this check fails[2]. Although that can
> be skipped with --skip-tag, it can be a little annoying if you have automation
> that depends on the playbook running without stopping.
>
> Is there a good alternative for this? I've found a few options:
>
>  1) Leave it as-is and do a hard stop on these tasks
>  2) Print a warning to the console but let the playbook continue
>  3) Use an Ansible callback plugin to catch these and print them at the end
>     of the playbook run
>
> Thanks in advance for any advice!
>
> [1] https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38496
> [2] https://github.com/openstack/openstack-ansible-security/blob/master/tasks/auth.yml#L60-L87
>
> --
> Major Hayden
[openstack-dev] [openstack-ansible][security] Should the playbook stop on certain tasks?
Hey there,

After presenting openstack-ansible-security at the Security Project Mid-Cycle meeting yesterday, the question came up around how to handle situations where automation might cause problems.

For example, the STIG requires[1] that all system accounts other than root are locked. This could be dangerous on a running production system as Ubuntu has non-root accounts that are not locked. At the moment, the playbook does a hard stop (using the fail module) when this check fails[2]. Although that can be skipped with --skip-tag, it can be a little annoying if you have automation that depends on the playbook running without stopping.

Is there a good alternative for this? I've found a few options:

 1) Leave it as-is and do a hard stop on these tasks
 2) Print a warning to the console but let the playbook continue
 3) Use an Ansible callback plugin to catch these and print them at the end of the playbook run

Thanks in advance for any advice!

[1] https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38496
[2] https://github.com/openstack/openstack-ansible-security/blob/master/tasks/auth.yml#L60-L87

--
Major Hayden
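The check Major describes above, together with the three ways of handling a non-compliant result that his post lists, as an added stand-alone example in Python. This is not code from openstack-ansible-security or from anyone in the thread. It assumes that a system account is any non-root account with a UID at or below sys_uid_max (999 matches SYS_UID_MAX in a default Ubuntu /etc/login.defs; the RHEL 6 STIG text counts UIDs below 500), and that a shadow password field is locked when it starts with "!" or "*". The passwd and shadow lines are constructed sample data, and the names ComplianceFailure, Finding, handle and the rest are this example's own.

```python
"""Added example (not openstack-ansible-security code): the V-38496 check
from the thread and the three ways of handling a failed result listed in
the original post. Assumptions: a system account is any non-root account
with UID <= sys_uid_max (999 matches SYS_UID_MAX in a default Ubuntu
/etc/login.defs; the RHEL 6 STIG counts UIDs below 500); a shadow password
field is locked when it starts with '!' or '*' (an empty field is not).
"""
from dataclasses import dataclass

# Constructed sample data for this example; not captured from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
nova:x:998:998::/var/lib/nova:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$c0nstructed$notarealhash:16800:0:99999:7:::
daemon:*:16800:0:99999:7:::
backup:$6$c0nstructed$alsonotreal:16800:0:99999:7:::
nova:!:16800:0:99999:7:::
alice:$6$c0nstructed$stillnotreal:16800:0:99999:7:::
"""


@dataclass
class Finding:
    user: str
    uid: int
    reason: str


class ComplianceFailure(Exception):
    """Raised in 'fail' mode; plays the role of Ansible's fail module."""


def parse_colon_file(text):
    """Index passwd/shadow-style lines by their first (name) field."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def is_locked(shadow_pw):
    """'!' is the prefix usermod -L / passwd -l add; '*' is the no-login marker."""
    return shadow_pw.startswith(("!", "*"))


def unlocked_system_accounts(passwd_text, shadow_text, sys_uid_max=999):
    """Return a Finding for every non-root system account that is not locked."""
    shadow = parse_colon_file(shadow_text)
    findings = []
    for name, fields in parse_colon_file(passwd_text).items():
        uid = int(fields[2])
        if name == "root" or uid > sys_uid_max:
            continue  # root is exempt; higher UIDs are ordinary users
        entry = shadow.get(name)
        if entry is None:
            findings.append(Finding(name, uid, "no shadow entry"))
        elif not is_locked(entry[1]):
            findings.append(Finding(name, uid, "password not locked"))
    return findings


def remediation_commands(findings):
    """The fix the role would apply to each finding: lock the password."""
    return [f"usermod -L {f.user}" for f in findings]


def handle(check_id, findings, mode, report=None):
    """Apply one of the thread's three strategies: 'fail' stops the run
    (option 1), 'warn' prints and continues (option 2), 'collect' appends to
    `report` for an end-of-run summary, like a callback plugin (option 3)."""
    messages = [f"{check_id}: {f.user} (uid {f.uid}) not locked: {f.reason}"
                for f in findings]
    if not messages:
        return messages
    if mode == "fail":
        raise ComplianceFailure("\n".join(messages))
    if mode == "warn":
        for msg in messages:
            print("[WARNING]", msg)
    elif mode == "collect":
        if report is None:
            raise ValueError("collect mode needs a report list")
        report.extend(messages)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return messages


if __name__ == "__main__":
    found = unlocked_system_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW)
    summary = []
    handle("V-38496", found, "collect", summary)
    print("\n".join(summary + remediation_commands(found)))
```

Run against the sample data, only "backup" is reported: "daemon" is locked with "*", "nova" with "!", "alice" is above the system UID range and root is exempt. The "fail" mode is the behaviour the role has today; "collect" is the shape an end-of-run summary takes, expressed here without depending on Ansible's callback API so the logic can be tested on its own.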