Re: [openstack-dev] [openstack-ansible][security] Should the playbook stop on certain tasks?

2016-02-08 Thread Jesse Pretorius
On 13 January 2016 at 15:10, Major Hayden  wrote:

>
> For example, the STIG requires[1] that all system accounts other than root
> are locked.  This could be dangerous on a running production system as
> Ubuntu has non-root accounts that are not locked.  At the moment, the
> playbook does a hard stop (using the fail module) when this check
> fails[2].  Although that can be skipped with --skip-tag, it can be a little
> annoying if you have automation that depends on the playbook running
> without stopping.
>
> Is there a good alternative for this?  I've found a few options:
>
>   1) Leave it as-is and do a hard stop on these tasks
>   2) Print a warning to the console but let the playbook continue
>   3) Use an Ansible callback plugin to catch these and print them at the
> end of the playbook run
>
> Thanks in advance for any advice!
>
> [1]
> https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38496
> [2]
> https://github.com/openstack/openstack-ansible-security/blob/master/tasks/auth.yml#L60-L87


I think the best thing to do here is to take a stance on what the
project/role deems to be a good set of defaults for the environment its
catering for. Whatever that stance is should be rigorously enforced (ie the
playbook should hard stop if there is non-compliance).

For anyone using automation, if they wish to skip particular compliance
elements then they should build the skip into their automation (ie add
--skip-tags). Skipping compliance should be a conscious action implemented
deliberately by the consumer of the role.

Darren's reply is interesting and perhaps worth consideration. As far as I
recall the security role adopted the STIG primarily because it was the only
openly available set of standards that didn't require licensing. If there
are other options to explore and ways to consume them, then perhaps that
should be an initiative for the Newton cycle?
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [openstack-ansible][security] Should the playbook stop on certain tasks?

2016-02-08 Thread Major Hayden

On 02/08/2016 06:40 AM, Jesse Pretorius wrote:
> Darren's reply is interesting and perhaps worth consideration. As far as I 
> recall the security role adopted the STIG primarily because it was the only 
> openly available set of standards that didn't require licensing. If there are 
> other options to explore and ways to consume them, then perhaps that should 
> be an initiative for the Newton cycle?

That's right.  After direct conversations with CIS, we found that the licensing 
and restricted use of the security benchmarks wouldn't allow us to use them in 
OpenStack projects.  That could change in the future, but that's what exists at 
the moment.  The STIG was chosen since it's widely adopted and it is in the 
public domain.

It could be interesting to take an XCCDF/OVAL dump and try to implement it in 
an automated way with Ansible.  Creating the XCCDF XML isn't easy (nor fun), 
but that could be an option, too.

Darren's point about using vendor-provided hardening standards for Red Hat, 
Fedora, and Solaris is a good one.  This could be very useful if the multi-os 
support for OpenStack-Ansible comes together.  It's a shame that Ubuntu doesn't 
have a comprehensive XCCDF profile available as the other distributions do. :/

--
Major Hayden



Re: [openstack-dev] [openstack-ansible][security] Should the playbook stop on certain tasks?

2016-01-15 Thread Darren J Moffat

On 01/13/16 15:10, Major Hayden wrote:

After presenting openstack-ansible-security at the Security Project Mid-Cycle 
meeting yesterday, the question came up around how to handle situations where 
automation might cause problems.

For example, the STIG requires[1] that all system accounts other than root are 
locked.  This could be dangerous on a running production system as Ubuntu has 
non-root accounts that are not locked.  At the moment, the playbook does a hard 
stop (using the fail module) when this check fails[2].  Although that can be 
skipped with --skip-tag, it can be a little annoying if you have automation 
that depends on the playbook running without stopping.

Is there a good alternative for this?  I've found a few options:

   1) Leave it as-is and do a hard stop on these tasks
   2) Print a warning to the console but let the playbook continue
   3) Use an Ansible callback plugin to catch these and print them at the end 
of the playbook run


The STIG is just DISA's interpretation and based on my experience with 
helping get the Solaris 10 and Solaris 11 STIG correct it is often 
overly strict and sometimes poor advice for the general case.


In the case of Solaris, Ubuntu, Fedora requiring some of these system 
accounts to be locked would actually weaken system security because 
certain required functionality would break.


So I would strongly caution against taking the DISA STIG as an 
authoritative stance for OS security configuration.  A lot of it is very 
good and overlaps with CIS and vendor recommendations.  For Red Hat, 
Fedora and Solaris I would recommend instead to look at the vendor 
delivered XCCDF profiles.


I think it would be much more valuable for us to focus on getting 
XCCDF/OVAL developed for OpenStack specific rules and leave the OS 
configuration/recommendations to the OS vendors.


--
Darren J Moffat



Re: [openstack-dev] [openstack-ansible][security] Should the playbook stop on certain tasks?

2016-01-14 Thread Major Hayden

On 01/13/2016 02:59 PM, Clark, Robert Graham wrote:
> I’m pretty new to openstack-ansible-security but based on my use cases, which
> are as much about using this for verification as they are for building secure
> boxes, my preference would be 3) Use an Ansible callback plugin to catch these
> and print them at the end of the playbook run

I'm leaning in that direction as well, but I'm not sure if there's a way to 
wedge this type of functionality into a role.  It can be done easily with a 
playbook, but I'm not sure if we can add this to a role by itself.

--
Major Hayden



Re: [openstack-dev] [openstack-ansible][security] Should the playbook stop on certain tasks?

2016-01-13 Thread Clark, Robert Graham
I’m pretty new to openstack-ansible-security but based on my use cases, which
are as much about using this for verification as they are for building secure
boxes, my preference would be 3) Use an Ansible callback plugin to catch these
and print them at the end of the playbook run

-Rob





On 13/01/2016 09:10, "Major Hayden"  wrote:

>
>Hey there,
>
>After presenting openstack-ansible-security at the Security Project Mid-Cycle 
>meeting yesterday, the question came up around how to handle situations where 
>automation might cause problems.
>
>For example, the STIG requires[1] that all system accounts other than root are 
>locked.  This could be dangerous on a running production system as Ubuntu has 
>non-root accounts that are not locked.  At the moment, the playbook does a 
>hard stop (using the fail module) when this check fails[2].  Although that can 
>be skipped with --skip-tag, it can be a little annoying if you have automation 
>that depends on the playbook running without stopping.
>
>Is there a good alternative for this?  I've found a few options:
>
>  1) Leave it as-is and do a hard stop on these tasks
>  2) Print a warning to the console but let the playbook continue
>  3) Use an Ansible callback plugin to catch these and print them at the end 
> of the playbook run
>
>Thanks in advance for any advice!
>
>[1] 
>https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38496
>[2] 
>https://github.com/openstack/openstack-ansible-security/blob/master/tasks/auth.yml#L60-L87
>
>--
>Major Hayden
>


[openstack-dev] [openstack-ansible][security] Should the playbook stop on certain tasks?

2016-01-13 Thread Major Hayden

Hey there,

After presenting openstack-ansible-security at the Security Project Mid-Cycle 
meeting yesterday, the question came up around how to handle situations where 
automation might cause problems.

For example, the STIG requires[1] that all system accounts other than root are 
locked.  This could be dangerous on a running production system as Ubuntu has 
non-root accounts that are not locked.  At the moment, the playbook does a hard 
stop (using the fail module) when this check fails[2].  Although that can be 
skipped with --skip-tag, it can be a little annoying if you have automation 
that depends on the playbook running without stopping.

Is there a good alternative for this?  I've found a few options:

  1) Leave it as-is and do a hard stop on these tasks
  2) Print a warning to the console but let the playbook continue
  3) Use an Ansible callback plugin to catch these and print them at the end of 
the playbook run

Thanks in advance for any advice!

[1] 
https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38496
[2] 
https://github.com/openstack/openstack-ansible-security/blob/master/tasks/auth.yml#L60-L87

--
Major Hayden

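An added illustration of the three options discussed in this thread, written for this page and not taken from openstack-ansible-security's tasks/auth.yml: a role task file that records the V-38496 result as a finding and prints all findings at the end of the role, with the hard stop kept as an opt-in. It lives entirely inside the role, so it does not need the playbook-level callback plugin that option 3 assumed. The variable names `security_strict_mode` and `security_findings` are assumptions, and the awk check is a constructed approximation of "all system accounts other than root are locked" (UIDs below 1000 assumed to be the system-account range, a shadow password field beginning with "!" or "*" treated as locked); the role's real check may differ.

```yaml
# Added illustration, not the role's tasks/auth.yml. Assumed variable names:
# security_strict_mode (opt-in hard stop) and security_findings (accumulator).
# The awk check is a constructed approximation of STIG V-38496: UID < 1000 is
# assumed to be the system-account range, and a shadow password field starting
# with "!" or "*" is treated as locked.

- name: Find non-root system accounts that are not locked (V-38496)
  shell: >
    awk -F: 'NR == FNR { if ($1 != "root" && $3 < 1000) sys[$1] = 1; next }
    ($1 in sys) && $2 !~ /^[!*]/ { print $1 }' /etc/passwd /etc/shadow
  register: unlocked_system_accounts
  changed_when: false
  become: true
  tags:
    - auth
    - V-38496

# Option 2/3: record the finding and keep going instead of calling fail.
- name: Record the V-38496 finding rather than stopping the play
  set_fact:
    security_findings: "{{ security_findings | default([]) + [{'id': 'V-38496', 'accounts': unlocked_system_accounts.stdout_lines}] }}"
  when: unlocked_system_accounts.stdout_lines | length > 0
  tags:
    - auth
    - V-38496

# Option 1, kept as a deliberate operator choice: the hard stop only happens
# when strict mode is requested, so unattended automation is not surprised.
- name: Hard stop on V-38496 only when strict mode is requested
  fail:
    msg: "V-38496: unlocked system accounts: {{ unlocked_system_accounts.stdout_lines | join(', ') }}"
  when:
    - security_strict_mode | default(false) | bool
    - unlocked_system_accounts.stdout_lines | length > 0
  tags:
    - auth
    - V-38496

# Placed as the role's final task, this summary reports every collected
# finding in one place, which is what option 3 wanted from a callback plugin.
- name: Summarise compliance findings collected during this run
  debug:
    msg: "{{ security_findings | default([]) }}"
  tags:
    - auth
```

By default the role now behaves like option 2 with an end-of-run summary; passing `-e security_strict_mode=true` restores the hard stop for anyone who wants non-compliance to be fatal, and `--skip-tags V-38496` still skips the check entirely, so skipping compliance remains a deliberate choice by the consumer of the role.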