Document effort to merge projects.

First Meeting

Minutes https://meetbot.fedoraproject.org/ansible-lockdown/2018-10-17/hardening-lockdown_merger_first_steps.2018-10-17-14.04.html
Logs https://freenode.logbot.info/ansible-lockdown/20181017

To Do's

• Migrate docs to AH based sphinx generation. Each repo to have sphinx docs that are ultimately aggregated into a single build to publish a unified docs site
• Make tests be driven by Zuul to leverage OpenStacks infra
• Create an 'extras' task file to include extra hardening tasks that arent a part of the STIG standard to maintain backward compatibility with Ansible Hardening

Ansible Collections is the optimal way to share content such as this role with the community.

Therefore, it would be good to bundle the roles provided in the ansible-lockdown umbrella into a collection.

The part about usage of tags consists of 2 examples labeled #This and #Not This, but both examples are identical.

While a new collection is imminent, this repo is woefully out of date with the community:

https://github.com/ansible-lockdown

When I perform a clone of the repository with --recursive, the clone fails to pull the RHEL6-STIG due to the URL of the sub-module being SSH vs HTTPS. Users behind a proxy (like myself) may not be able to reach this URL.

Please update the RHEL6-STIG sub-module location from
[email protected]:MindPointGroup/RHEL6-STIG.git
to
https://github.com/MindPointGroup/RHEL6-STIG.git

I am running the ansible-lockdown on a RHEL7 Server. I keep finding that RHEL-07-020070 is reporting as skipped in Ansible Tower. The target server's yum.conf definitely does not have repo_gpgcheck=1 but it does have gpgpcheck=1. I am deploying this in AWS on a RHEL AMI. Could this be a bug?

Hi,
I want to disable STIG-IDs in defaults/main.yml as some are not functional within AWS such as the bootstrap password (RHEL-07-010480, RHEL-07-010490). The only method i found is by commenting out both the STIG-ID in 'defaults/main.yml' and also within tasks/fix-cat1.yml comment out these tasks. Is there any easier way to do this?

#- name: |
#
#      "HIGH | RHEL-07-010480 | PATCH | Systems with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."
#      "HIGH | RHEL-07-010490 | PATCH | Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."
#  lineinfile:
#      dest: /etc/grub.d/40_custom
#      insertafter: EOF
#      regexp: "{{ item.regexp }}"
#      line: "{{ item.line }}"
#  with_items: "{{ rhel7stig_boot_password_config }}"
#  notify: make grub2 config
#  when: rhel_07_010480 or rhel_07_010490
#  tags:
#      - cat1
#      - high
#      - patch
#      - RHEL-07-010480
#      - RHEL-07-010490
#      - grub
#      - bootloader