Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rhel7 #113

Merged
merged 1 commit into from
Jan 20, 2017
Merged

Rhel7 #113

merged 1 commit into from
Jan 20, 2017

Conversation

tyrken
Copy link

@tyrken tyrken commented Jan 18, 2017

Fix RHEL7/Oracle7 runs as mentioned in #112.

Also adds HTTP(S) proxy support to the kitchen test system

rndmh3ro
rndmh3ro requested changes Jan 18, 2017
View reviewed changes
Copy link
Member

@rndmh3ro rndmh3ro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the improvements.
Could you take a look at the core_dump comment?

default.yml
@@ -11,7 +11,6 @@
os_desktop_enable: true
os_env_extra_user_paths: ['/home']
os_auth_allow_homeless: true
os_security_kernel_enable_core_dump: true
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why did you remove this line?
It should actually be set to false. Would you set this to false, please?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I removed it as it's a duplicate - the other being on line 8. Happy to set to false if you want - but not sure how this file interacts with defaults/main.yml, i.e. which takes priority?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well sorry, I made a mistake here: I thought you removed the line in the defaults/main.yml, not in the default.yml. The setting in the default.yml overwrites the setting in the defaults/main.yml, so removing that line was ok. I'll fix this later though.

tasks/main.yml
@@ -35,10 +35,9 @@
tags: rhosts

- include: yum.yml
when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
when: ansible_os_family == 'RedHat'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for that. Seems Ansible fixed that incosistency.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah - some old pre-1.9 versions might need both but given you're about to drop even 1.9 support, hopefully this is OK.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, thanks!

@tyrken
Copy link
Author

tyrken commented Jan 18, 2017

I can squash & re-push tomorrow if you're happy with the use of ansible_os_family over specific distributions.

Unfortunately the linux-baseline tests are still not passing for centos/oracle-7 for me, with many failures around net ip_v4/6 sysctl properties. But I'd like to tackle them in a different issue/PR (after getting the password complexity working in this one) once I've grokked what's causing them.

Support RHEL7 password quality and HTTP(S) proxies
1cacbf4 
Oracle Linux -> OracleLinux in both ansible_os_family and ansible_distribution: ansible/ansible#10789
(Note - older versions before latest 1.9 had the name including a space - but I can see PR to drop 1.9 support is in progress)

pam_pwfamily (the supposed package to install to get password complexity checking in RHEL7) doesn't seem to exist.
There is a libpwquality package that provides /usr/lib64/security/pam_pwquality.so, but that is installed by default according to a RHEL support case answer.
@tyrken
Copy link
Author

tyrken commented Jan 19, 2017
edited
Loading

Looking at the net failures, they are:

net.ipv4.conf.default.accept_redirects
net.ipv4.conf.all.secure_redirects
net.ipv4.conf.default.send_redirects
net.ipv4.conf.all.send_redirects
net.ipv4.conf.all.log_martians
net.ipv6.conf.default.accept_redirects
net.ipv6.conf.default.router_solicitations
net.ipv6.conf.default.accept_ra_rtr_pref
net.ipv6.conf.default.accept_ra_pinfo
net.ipv6.conf.default.accept_ra_defrtr
net.ipv6.conf.default.autoconf
net.ipv6.conf.default.dad_transmits
net.ipv6.conf.default.max_addresses
kernel.sysrq

... which don't seem to be implemented in ansible-os-hardening at all yet, so out of scope.

So with a final whitespace fix I've squashed and pushed, I think this is good to go.

I've also set os_security_kernel_enable_core_dump to false as you suggested.

@rndmh3ro
Copy link
Member

... which don't seem to be implemented in ansible-os-hardening at all yet, so out of scope.

You're right here, I alreadyhave a pending commit to fix this.

I'll do a last test now, than merge this, thanks!

@rndmh3ro rndmh3ro merged commit 0779022 into dev-sec:master Jan 20, 2017
@tyrken tyrken deleted the rhel7 branch January 21, 2017 21:14
This was referenced Jan 22, 2017
Merged
Merged
rndmh3ro added a commit that referenced this pull request Jul 24, 2020
@rndmh3ro
Merge pull request #113 from pwyliu/master
037cec6 
fix validation error
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this pull request Aug 3, 2022
@rndmh3ro
Merge pull request dev-sec#113 from tyrken/rhel7
fec6d51 
Rhel7
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this pull request Aug 3, 2022
@rndmh3ro
Merge pull request dev-sec#113 from pwyliu/master
2a6330a 
fix validation error
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rndmh3ro rndmh3ro rndmh3ro approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tyrken @rndmh3ro