Ansible role for security hardening
mgariepy: Switch to rtcsync for chrony

When setting security_ntp_sync_rtc to true, chrony will sync the RTC every
11 minutes.

Using rtcfile + rtcautotrim locks access to the RTC clock for other tools,
like hwclock or timedatectl, so it's hard to validate that the clock is
really synced.

Change-Id: I72fd18d36ab139d7140281374b5c2b89f7cb460a
Latest commit ef1b417 Jan 15, 2019

The ansible-hardening role applies security hardening configurations from the Security Technical Implementation Guide (STIG) to systems running the following distributions:

  • CentOS 7
  • Debian Jessie
  • Fedora 27
  • openSUSE Leap 42.2 and 42.3
  • Red Hat Enterprise Linux 7
  • SUSE Linux Enterprise 12 (experimental)
  • Ubuntu 16.04

For more details, review the ansible-hardening documentation.

Release notes for the project can be found at:


This role can be used with or without OpenStack-Ansible. It requires Ansible 2.3 or later.

Role Variables

All of the variables for this role are in defaults/main.yml.

Dependencies

This role has no dependencies.

Example Playbook

Using the role is fairly straightforward:

- hosts: servers
  roles:
    - ansible-hardening
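The playbook below is an added example and not code from the ansible-hardening project. It applies the role with one default overridden and then verifies the outcome rather than trusting the run. It uses security_ntp_sync_rtc, the variable named in the latest commit message above (every other default lives in the role's defaults/main.yml), and assumes the managed hosts run chrony with the chronyc and hwclock binaries on PATH.

```yaml
# Added example (not from the ansible-hardening README): apply the role with
# one default overridden, then check the result on the host.
# security_ntp_sync_rtc is the variable named in the repository's latest
# commit; all other defaults are in defaults/main.yml of the role.
- hosts: servers
  become: true
  vars:
    # Have chrony write the system time to the RTC via rtcsync. Per the
    # commit message, this leaves the RTC readable by hwclock/timedatectl,
    # which rtcfile + rtcautotrim would not.
    security_ntp_sync_rtc: true
  roles:
    - ansible-hardening

  post_tasks:
    # chrony's own view of its synchronisation state.
    - name: Read chrony tracking status
      command: chronyc tracking
      register: chrony_tracking
      changed_when: false

    # "Leap status : Normal" is what chronyc reports once it is tracking a
    # source; anything else (e.g. "Not synchronised") fails the play.
    - name: Fail if chrony is not synchronised to a source
      assert:
        that:
          - "chrony_tracking.stdout | regex_search('Leap status\\s*:\\s*Normal')"
        msg: "chrony is not synchronised: {{ chrony_tracking.stdout }}"

    # With rtcsync the RTC device is not held open by chrony, so reading it
    # with hwclock is expected to succeed (a failure here fails the play).
    - name: Confirm the hardware clock can still be read
      command: hwclock --show
      register: rtc_readout
      changed_when: false

    - name: Show the hardware clock next to the system clock
      debug:
        msg: "RTC: {{ rtc_readout.stdout }} / system: {{ ansible_date_time.iso8601 }}"
```

Run it with `ansible-playbook -i inventory hardening.yml`; the assert task makes a host whose chrony never reached a source show up as failed instead of silently passing.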

Running with Vagrant

This role can be tested easily on multiple platforms using Vagrant.

The Vagrantfile supports testing on:

  • Ubuntu 16.04
  • CentOS 7

To test on all platforms:

vagrant destroy --force && vagrant up

To test on Ubuntu 16.04 only:

vagrant destroy ubuntu1604 --force && vagrant up ubuntu1604

To test on CentOS 7 only:

vagrant destroy centos7 --force && vagrant up centos7

License

Apache 2.0

Author Information

For more information, join #openstack-ansible on Freenode.