ansible-hardening: defaults/main.yml needs reorganized

Bug #1702183 reported by Troy Engel (RAX)
This bug affects 1 person
Affects: OpenStack-Ansible
Status: Fix Released
Importance: Low
Assigned to: Major Hayden

Bug Description

ref: https://github.com/openstack/ansible-hardening/blob/master/defaults/main.yml

The current layout as of this writing is confusing to work through to develop a targeted playbook; if you're working to tune a RHEL7 deployment and look for, say, NTP settings, they're embedded in what appears to be the RHEL6 section, which also seems to contain random Debian/Ubuntu (apt) things as well without warning. If you started at the RHEL7 section they get completely missed, as the natural assumption is "I don't need to read this RHEL6 section."

I'd like to request the file be reorganized with better headers ("Common", "RHEL6", "RHEL7", "Ubuntu16", etc.) and ensure that common items are clearly located together, differentiating between the blocks with the usual ASCII art. Moving NTP settings (chrony) into 'Common' would be a good example for clarity, or if needed 'Common RHEL' if it's not common to Debian/Ubuntu due to platform differences (say, SELinux vs. AppArmor).

Jean-Philippe Evrard (jean-philippe-evrard) wrote :

Major, I think there is work to be done on the docs.

First, the docs currently return 404 (docs migration I guess). But then there is obviously an expectation issue that led to this bug.

Jean-Philippe Evrard (jean-philippe-evrard) wrote :
Major Hayden (rackerhacker) wrote :

This is a reasonable request since the plan is to remove the RHEL 6 content for 14.04 soon. I've wanted to re-org the defaults/main.yml a bit to reduce clutter.

Changed in openstack-ansible:
importance: Undecided → Low
assignee: nobody → Major Hayden (rackerhacker)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-hardening (master)

Fix proposed to branch: master
Review: https://review.openstack.org/480739

Changed in openstack-ansible:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-hardening (master)

Reviewed: https://review.openstack.org/480739
Committed: https://git.openstack.org/cgit/openstack/ansible-hardening/commit/?id=36b36b3ce8ea252df2281c3f9e00bb4fdf903350
Submitter: Jenkins
Branch: master

commit 36b36b3ce8ea252df2281c3f9e00bb4fdf903350
Author: Major Hayden <email address hidden>
Date: Wed Jul 5 16:02:47 2017 -0500

    Re-organize defaults/main.yml

    This patch re-organizes the defaults/main.yml by:

    * Moving RHEL 7 STIG content to the top
    * Explaining better how to use `stig_version`

    Closes-Bug: 1702183
    Change-Id: Ib5eab8fc3129ea1b6745b4b84ab1195dbbbceebf

Changed in openstack-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ansible-hardening 16.0.0.0rc2

This issue was fixed in the openstack/ansible-hardening 16.0.0.0rc2 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ansible-hardening 17.0.0.0b1

This issue was fixed in the openstack/ansible-hardening 17.0.0.0b1 development milestone.
