I’m pretty new to openstack-ansible-security, but based on my use cases, which are as much about using this for verification as they are for building secure boxes, my preference would be 3) Use an Ansible callback plugin to catch these and print them at the end of the playbook run.

-Rob





On 13/01/2016 09:10, "Major Hayden" <ma...@mhtx.net> wrote:

>Hey there,
>
>After presenting openstack-ansible-security at the Security Project Mid-Cycle 
>meeting yesterday, the question came up around how to handle situations where 
>automation might cause problems.
>
>For example, the STIG requires[1] that all system accounts other than root are 
>locked.  This could be dangerous on a running production system as Ubuntu has 
>non-root accounts that are not locked.  At the moment, the playbook does a 
>hard stop (using the fail module) when this check fails[2].  Although that can 
>be skipped with --skip-tag, it can be a little annoying if you have automation 
>that depends on the playbook running without stopping.
>
>Is there a good alternative for this?  I've found a few options:
>
>  1) Leave it as-is and do a hard stop on these tasks
>  2) Print a warning to the console but let the playbook continue
>  3) Use an Ansible callback plugin to catch these and print them at the end 
> of the playbook run
>
>Thanks in advance for any advice!
>
>[1] https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38496
>[2] https://github.com/openstack/openstack-ansible-security/blob/master/tasks/auth.yml#L60-L87
>
>--
>Major Hayden
>
>__________________________________________________________________________
>OpenStack Development Mailing List (not for usage questions)
>Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
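The account-lock check discussed in the quoted message, written out as an added example that is neither the project's tasks/auth.yml nor either author's code: it implements option 2 (print a warning but let the playbook continue) and keeps a variable that switches back to option 1 (the hard stop). The variable name security_unlocked_accounts_fail, the play layout and the use of "passwd --status --all" to read lock status are assumptions made for this example; reading password status requires root, hence become: true.

```yaml
# Added example, not code from openstack-ansible-security or from this thread.
# Option 2 from the discussion: report unlocked non-root accounts and keep going.
# Set security_unlocked_accounts_fail=true (assumed variable name) to get option 1,
# the hard stop that the playbook does today.
- name: Report non-root accounts that are not locked (STIG V-38496)
  hosts: all
  become: true
  vars:
    security_unlocked_accounts_fail: false
  tasks:
    - name: Collect password status for every local account (needs root)
      command: passwd --status --all
      register: passwd_status
      changed_when: false

    # "passwd -S" prints "<user> <L|NP|P> <date> ..." per line; L means locked.
    # Backslashes are doubled because Jinja2 unescapes string literals.
    - name: Build the list of unlocked, non-root accounts
      set_fact:
        unlocked_accounts: >-
          {{ passwd_status.stdout_lines
             | reject('match', '^root ')
             | reject('match', '^\\S+ L ')
             | map('regex_replace', '^(\\S+) .*$', '\\1')
             | list }}

    - name: Warn about unlocked accounts but let the play continue
      debug:
        msg: "WARNING: unlocked non-root accounts: {{ unlocked_accounts | join(', ') }}"
      when: unlocked_accounts | length > 0

    - name: Hard stop only when explicitly requested
      fail:
        msg: "Unlocked non-root accounts found: {{ unlocked_accounts | join(', ') }}"
      when:
        - security_unlocked_accounts_fail | bool
        - unlocked_accounts | length > 0
```

Run it with "ansible-playbook -i inventory unlocked-accounts.yml" to get the warning behaviour, or add "-e security_unlocked_accounts_fail=true" to restore the hard stop. Option 3 from the thread would keep the warning task as-is and add a callback plugin that records each failed or warned task from v2_runner_on_failed and prints the collected list from v2_playbook_on_stats, so the summary appears once at the end of the run instead of scrolling past in the middle.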