Apply the STIG to even more operating systems with ansible-hardening

Tons of improvements made their way into the ansible-hardening role in preparation for the OpenStack Pike release next month. The role has a new name, new documentation and extra tests. The role uses the Security Technical Implementation Guide (STIG) produced by the Defense Information Systems Agency (DISA) and applies the guidelines to Linux hosts using Ansible. Every control is configurable via simple Ansible variables and each control is thoroughly documented.

Old role, new name: ansible-hardening

The interest in the openstack-ansible-security role has taken off faster than I expected, and one piece of constant feedback I received was around the name of the role. Some users were unsure if they needed to use the role in an OpenStack cloud or if the OpenStack-Ansible project was required. The role works everywhere - OpenStack cloud or not. I started a mailing list thread on the topic and we eventually settled on a new name: ansible-hardening!

Enable AppArmor on a Debian Jessie cloud image

I merged some initial Debian support into the openstack-ansible-security role and ran into an issue enabling AppArmor. The apparmor service failed to start and I found this output in the system journal:

kernel: AppArmor: AppArmor disabled by boot time parameter

Digging in

That was unexpected. I was using the Debian jessie cloud image and it uses extlinux as the bootloader. The file didn’t reference AppArmor at all:

cat /boot/extlinux/extlinux.conf
default linux
timeout 1
label linux
kernel boot/vmlinuz-3.


RHEL 7 STIG v1 updates for openstack-ansible-security

DISA’s final release of the Red Hat Enterprise Linux (RHEL) 7 Security Technical Implementation Guide (STIG) came out a few weeks ago and it has plenty of improvements and changes. The openstack-ansible-security role has already been updated with these changes. Quite a few duplicated STIG controls were removed and a few new ones were added. Some of the controls in the pre-release were difficult to implement, especially those that changed parameters for PKI-based authentication.

Takeaways from Bruce Schneier’s talk: “Security and Privacy in a Hyper-connected World”
