This uses the openstack ansible-hardening role to apply STIG security configurations to hosts in the `hardening` group. The `environments/common/layouts/everything` template used by cookiecutter puts the `login` group into the `hardening` group. NB: This depends on PR #97.

The `ansible-hardening` role is run with default settings and the following additional changes are made to hosts in the `hardening` group:

- `centos` user by the `ansible/adhoc/generate-passwords.yml` playbook and sudo rules are set for `centos` and `wheel` groups to require a password. Note if other users have been added with sudo rights (e.g. via a pre-hook), they will not be affected and a warning will be generated by the `ansible-hardening` role.

Note that hosts in `hardening` will also have their `sestatus` set to enforcing, rather than the appliance default of `permissive`.

On a CentOS 8.4 system the `ansible-hardening` role will still generate warnings about:

- `cockpit-ws`, `cockpit-wsinstance`, `rngd` are missing theirs - note the cockpit-* ones are not removed by removing the `cockpit-ws` package).
- `/var`, `/var/log/audit`, `/tmp`.