The Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux (RHEL) 7 is in the final stages of release. The security hardening role needs to be updated to apply these new requirements to Ubuntu 16.04, CentOS 7 and RHEL 7.
Today, the openstack-ansible-security role uses the RHEL 6 STIG as the basis for all of the security configurations applied to Ubuntu 14.04, Ubuntu 16.04, CentOS 7, and RHEL 7. However, the new RHEL 7 STIG is in the final stages of its release and the new security configurations provide a stronger security posture for all systemd-based distributions, including:
There are some challenges with a wholesale change to the RHEL 7 STIG:
The current role structure is flat and the differences between the distributions are handled within each task YAML file. The proposed new layout would look something like this:
/main.yml
/rhel6stig/main.yml
/rhel6stig/auth.yml
/rhel6stig/boot.yml
/rhel6stig/...
/rhel7stig/main.yml
/rhel7stig/auth.yml
/rhel7stig/boot.yml
/rhel7stig/...
The root main.yml would use a when: conditional to include the correct main.yml from the appropriate STIG version subdirectory. This comes with some nice benefits:
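As an added illustration of what the root main.yml could look like under this layout (example code, not the role's own; the stig_version variable, its accepted values and the use of include_tasks are assumptions):

```yaml
# tasks/main.yml (added example, not the role's actual file)
# Assumes a hypothetical role variable `stig_version` with the values
# 'rhel6' or 'rhel7', defaulted to 'rhel6' in defaults/main.yml so that
# existing deployers keep the RHEL 6 STIG behaviour until they opt in.

- name: Fail early on an unsupported STIG version
  fail:
    msg: "stig_version must be 'rhel6' or 'rhel7', got '{{ stig_version }}'"
  when: stig_version not in ['rhel6', 'rhel7']

# Only one of the two trees below is included per run; each subdirectory's
# main.yml pulls in its own auth.yml, boot.yml and so on, keeping the
# RHEL 6 and RHEL 7 STIG content fully separate.
- name: Apply the RHEL 6 STIG task tree
  include_tasks: rhel6stig/main.yml
  when: stig_version == 'rhel6'

- name: Apply the RHEL 7 STIG task tree
  include_tasks: rhel7stig/main.yml
  when: stig_version == 'rhel7'
```

Distribution-specific differences (Ubuntu 16.04 versus CentOS 7 and RHEL 7) stay inside the per-STIG task files rather than in this root file.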
See the Proposed change section above for details.
If a deployer is running the Newton release of the role on Ubuntu 16.04, CentOS 7, or RHEL 7, they will notice lots of additional security configurations being applied by the role per the requirements of the RHEL 7 STIG. Backing out security configurations from the previous versions of the role shouldn’t be necessary.
This change will improve the role’s capability to secure new systemd-based distributions, such as Ubuntu 16.04, CentOS 7, and RHEL 7.
As with the previous versions of the role, the updates to the role from the RHEL 7 STIG should not cause performance impacts or downtime on the system.
End users should not notice a difference when these changes are made.
Deployers will apply the role using the same commands as they do now. However, they will see some new changes:
Developers must ensure that RHEL 7 STIG content is kept separate from RHEL 6 content. This will be documented within the tasks themselves as well as in the formal role documentation.
This change has no dependencies.
The OpenStack CI environment would test the security role in the same way that it does now. Testing could be adjusted during the first phase of RHEL 7 STIG development so that both pathways (RHEL 6 STIG and RHEL 7 STIG) are tested on Ubuntu 16.04 and CentOS 7.
RHEL 7 testing will need to be manual since OpenStack CI has no RHEL image.
New documentation will be needed for the RHEL 7 STIG security configurations as well as any new variables that are introduced. This will need to be done carefully (perhaps in a draft directory) until the RHEL 7 STIG content is ready to be applied to Ubuntu 16.04 and CentOS 7.