Ansible role for security hardening
Kamil Boratyński 5112569743 Implemented: V-38524.
This patch disables the ICMPv4 redirects feature on the host.
Accepting ICMP redirects has few legitimate uses.
It should be disabled unless it is absolutely required.

It is configurable by `security_disable_icmpv4_redirects`.
This feature is disabled by default as it can disrupt LXC deployments.

Change-Id: I228f8aa7b0df80cce16e54c5f1e11da678bfd67d
2016-06-03 21:42:58 +02:00
defaults Implemented: V-38524. 2016-06-03 21:42:58 +02:00
doc Implemented: V-38524. 2016-06-03 21:42:58 +02:00
files Add ability to enable unattended upgrades 2016-04-15 11:58:29 +01:00
handlers Add CentOS 7 and Ubuntu 16.04 support 2016-05-13 14:57:28 -05:00
meta Add CentOS 7 and Ubuntu 16.04 support 2016-05-13 14:57:28 -05:00
releasenotes Merge "Search for unlabeled device files" 2016-06-01 20:53:01 +00:00
tasks Implemented: V-38524. 2016-06-03 21:42:58 +02:00
templates Add /etc/apparmor.d/ for auditing 2016-05-31 18:30:57 +00:00
tests Add CentOS 7 and Ubuntu 16.04 support 2016-05-13 14:57:28 -05:00
vars Add CentOS 7 and Ubuntu 16.04 support 2016-05-13 14:57:28 -05:00
.gitignore Add .swp files to .gitignore 2016-05-04 08:56:41 -05:00
.gitreview Added .gitreview 2015-10-05 17:37:21 +00:00
LICENSE Initial import of openstack-ansible-security role 2015-10-07 07:27:39 -05:00
other-requirements.txt Add CentOS 7 and Ubuntu 16.04 support 2016-05-13 14:57:28 -05:00
README.md Merge "Adding Vagrant setup for deploying security-ansible" 2016-02-05 16:12:33 +00:00
README.rst Add a note to the README file where to report bugs 2016-05-27 17:06:40 +02:00
run_tests.sh Add dependencies for paramiko 2.0 2016-05-03 08:58:41 +01:00
setup.cfg Initial import of openstack-ansible-security role 2015-10-07 07:27:39 -05:00
setup.py Initial import of openstack-ansible-security role 2015-10-07 07:27:39 -05:00
test-requirements.txt Add reno scaffolding for release notes management 2016-04-28 23:15:13 +00:00
tox.ini Enable LSM instead of checking status 2016-05-26 09:16:42 -05:00
Vagrantfile Adding Vagrant setup for deploying security-ansible 2016-01-25 08:04:26 -08:00

openstack-ansible-security

The goal of the openstack-ansible-security role is to improve security within openstack-ansible deployments. The role is based on the Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 6.

Requirements

This role can be used with or without the openstack-ansible role. It requires Ansible 1.8.3 at a minimum.

Role Variables

All of the variables for this role are in defaults/main.yml.

Dependencies

This role has no dependencies.

Example Playbook

Using the role is fairly straightforward:

- hosts: servers
  roles:
    - openstack-ansible-security
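
After the role has been applied with `security_disable_icmpv4_redirects` turned on, a host can be checked for interfaces that still accept ICMPv4 redirects. The script below is an added example, not part of the role; it assumes the setting corresponds to the Linux `accept_redirects` sysctl under `/proc/sys/net/ipv4/conf/`, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the role): audit ICMPv4 redirect acceptance.
# Assumption: the setting is exposed as the Linux sysctl
# net.ipv4.conf.<iface>.accept_redirects, i.e. the files
# /proc/sys/net/ipv4/conf/<iface>/accept_redirects (0 = ignore redirects).
# Every entry is checked, including "all" and "default", because the kernel
# combines "all" with the per-interface value differently depending on
# whether forwarding is enabled; requiring 0 everywhere is the strict reading.

# Print "<iface>=<value>" for each interface whose accept_redirects is not 0.
# $1: sysctl root to inspect (defaults to /proc/sys; overridable for testing).
redirect_offenders() {
    root="${1:-/proc/sys}"
    for f in "$root"/net/ipv4/conf/*/accept_redirects; do
        [ -r "$f" ] || continue            # unmatched glob or unreadable entry
        iface=$(basename "$(dirname "$f")")
        value=$(tr -d '[:space:]' < "$f")
        [ "$value" = "0" ] || printf '%s=%s\n' "$iface" "$value"
    done
}

# Return 0 when no interface accepts redirects, 1 when at least one does,
# and 2 when no accept_redirects entries exist under the given root.
check_icmpv4_redirects() {
    root="${1:-/proc/sys}"
    if ! ls "$root"/net/ipv4/conf/*/accept_redirects >/dev/null 2>&1; then
        echo "no accept_redirects entries under $root" >&2
        return 2
    fi
    offenders=$(redirect_offenders "$root")
    if [ -n "$offenders" ]; then
        echo "ICMPv4 redirects still accepted on:" >&2
        echo "$offenders" >&2
        return 1
    fi
    return 0
}
```

Source the file on the target host and call `check_icmpv4_redirects`; the exit status makes it usable from a monitoring check or a CI job.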

Running with Vagrant

Security Ansible can be easily run for testing using Vagrant.

To do so run:

vagrant destroy
To destroy any previously created Vagrant setup

vagrant up
Spin up Ubuntu Trusty VM and run ansible-security against it

License

Apache 2.0

Author Information

For more information, join #openstack-ansible on Freenode.