
RHEL 7 and CentOS 7 benchmarks

Open blakeblackshear opened this issue 8 years ago • 38 comments

Any idea when these might be ready? My team and I would be happy to help.

blakeblackshear avatar Aug 19 '15 18:08 blakeblackshear

It's something I am working on as time allows. A little bit of work done so far. Feel free to submit PRs!

Major Hayden

major avatar Aug 19 '15 22:08 major

So the plan is to expand the scope of this repo to support CentOS 7? Is it incorporated into the test process yet?

blakeblackshear avatar Aug 19 '15 23:08 blakeblackshear

Correct. There are enough similarities between CentOS 6 and 7 that we should be able to use the same repository. However, I could see the need to make an entirely separate repository for 7 so that the experience is cleaner.

What's your take on that?

major avatar Aug 20 '15 14:08 major

I think you can probably structure the role tasks to keep the separation clean in the same place. We are happy to contribute.

blakeblackshear avatar Aug 20 '15 14:08 blakeblackshear

Hmm, I'll go back through the changes in the CentOS 7 benchmarks list and see just how much they differ.

major avatar Aug 20 '15 15:08 major

Hi, I'm one of blakeblackshear's Minions. We have a CentOS 7 image to experiment on. We've forked the repo and will let you know what happens.

gamename avatar Aug 20 '15 15:08 gamename

@major It's been a while since I've been down in the weeds, but I think one repository is ideal and workable.

@blakeblackshear @gamename I'm not currently running EL7 but should be in the near future. Thank you (preemptively) for any contribution in that space.

shawnsi avatar Aug 20 '15 15:08 shawnsi

@gamename Awesome!

@shawnsi Glad we're on the same page. ;)

major avatar Aug 20 '15 15:08 major

I haven't read the EL 7 benchmarks yet but I suspect they vary enough to support task files per major version. It may make sense to use includes based on ansible_lsb.major_version.

~~If that variable is used in the task file path passed to an include task it should produce dynamic loading of the proper benchmark logic.~~

shawnsi avatar Aug 20 '15 15:08 shawnsi

I thought dynamic imports weren't possible in Ansible 1.9?

https://groups.google.com/forum/#!topic/ansible-project/PzA4Vb9SEmk

major avatar Aug 20 '15 15:08 major

We can just use a when statement for now. There are only 2 versions we need to support. Dynamic imports are of limited use anyway. The files have to be there to import.

blakeblackshear avatar Aug 20 '15 15:08 blakeblackshear

@major Good catch. I've started to believe Ansible just does everything I think it should, but apparently I've found an edge case here.

@blakeblackshear Take a look at http://docs.ansible.com/ansible/playbooks_best_practices.html#operating-system-and-distribution-variance linked in the link @major sent. You could also group on ansible_lsb.major_version if the benchmark differences warrant that approach.

shawnsi avatar Aug 20 '15 15:08 shawnsi

@major Ok, I have the playbook running as an ansible provisioner on a CentOS 7.1 vagrant box. The code is committed to our fork of your repo. The playbook runs to the end error-free, but I haven't looked line-by-line to verify behavior is what it should be. Have a look at the fork if you're curious - or want to tell me what I'm doing wrong. :)

@blakeblackshear fyi

gamename avatar Aug 20 '15 17:08 gamename

@gamename nice work. I think when: statements should be sufficient to handle most of the 6/7 differences.

focusaurus avatar Aug 26 '15 14:08 focusaurus

Testing out the fork for 7 support. For 4.1.1, I'm getting:

sysctl: cannot stat /proc/sys/kernel/exec-shield: No such file or directory

major avatar Aug 27 '15 02:08 major

That line is not available anymore in CIS for RHEL 7. My fork works in my Vagrant box, but I suppose I have to check every line of the CIS folder to see if things are added or removed. Be careful: my fork is heavily modified compared to your original work. https://github.com/Trikke76/cis-rhel-ansible

Trikke76 avatar Aug 27 '15 11:08 Trikke76
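One way to lay out the per-version split the thread settles on (plain `when:` guards instead of dynamic includes, with the EL6-only ExecShield sysctl that fails on CentOS 7 kept out of the EL7 path). This is an added example, not code from the cis-rhel-ansible repo or any of the forks; the file names, the `el6`/`el7` group names and the task title are assumptions.

```yaml
# tasks/main.yml (assumed layout)
# ansible_distribution_major_version comes from the setup facts and, unlike
# ansible_lsb.major_version, does not need the redhat-lsb package installed.
- name: Group hosts by EL major version (optional, for version-specific vars/plays)
  group_by: key=el{{ ansible_distribution_major_version }}

# Static includes guarded by when: work on Ansible 1.9; the files must exist
# for both branches because the include itself is resolved before the guard.
- include: rhel6.yml
  when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "6"

- include: rhel7.yml
  when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "7"

# tasks/rhel6.yml (assumed name)
# kernel.exec-shield only exists on EL6 kernels; on EL7 the sysctl module
# reports "cannot stat /proc/sys/kernel/exec-shield", so this control lives
# exclusively in the EL6 task file and is never reached on a 7 host.
- name: 4.1.1 Enable ExecShield (EL6 only)
  sysctl:
    name: kernel.exec-shield
    value: 1
    state: present
    reload: yes
  tags:
    - scored
    - section4.1

# tasks/rhel7.yml (assumed name)
# Controls that exist on both releases can be factored into a shared file
# included from each branch; only the EL7-specific items go here.
- include: common.yml
```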

@gamename Would you want to slap together a PR and I can try to get your code into a testing branch?

Or, I could fetch your code and put it into a branch. Either way.

major avatar Aug 27 '15 15:08 major

@major Ok. Will work on it.

gamename avatar Aug 27 '15 18:08 gamename

Has there been any progress on RHEL 7?

shunopoli avatar Oct 29 '15 14:10 shunopoli

Not yet. I've received word that the repo might violate CIS' terms of use. Waiting to see if I can do anything else with this or if it will need to be taken down. :/

major avatar Oct 29 '15 14:10 major

@major Could you explain more about the violation? Is it because of the name being used?

Trikke76 avatar Oct 29 '15 14:10 Trikke76

I suppose #3, 8, and 9 in the restrictions at http://benchmarks.cisecurity.org/downloads/terms-of-use/ would be in question. If this holds true then I will reevaluate use of CIS benchmarks in my systems. Closed benchmarks and tools work against healthy secure practices in my opinion.

shawnsi avatar Oct 29 '15 14:10 shawnsi

@Trikke76 It's a 'derivative work', which doesn't fit the terms of use. Currently waiting on legal clarification.

major avatar Oct 29 '15 14:10 major

@major Thanks for the clarification.

Trikke76 avatar Oct 29 '15 14:10 Trikke76

@major I think a different branch would be good, one for CentOS6 and one for 7, etc.

haisamido avatar Oct 31 '15 11:10 haisamido

@major any updates on the 'derivative work' issue?

haisamido avatar Nov 11 '15 12:11 haisamido

@major Any updates wrt 'repo might violate CIS' terms of use'?

haisamido avatar Mar 08 '16 11:03 haisamido

As I have converted the complete CIS role for internal use, working for RHEL/CentOS 6/7, I asked the question myself to see if it can be made public. This is the response I got today:

Thank you for your email. We have just recently updated our licensing for our PDF versions of the publicly available benchmarks to be under Creative Commons licensing. We are working to update our benchmarks accordingly to reflect the new licensing. I will be in touch shortly with copies of the RHEL/CentOS 6 & 7 benchmarks for your use. If you were to use the current versions available today it would not allow for use in GitHub and would require you not to reference CIS.

I appreciate your patience and plan to have your versions with new licensing in the next couple of days.

Thanks,

Trikke76 avatar Mar 28 '16 14:03 Trikke76

@Trikke76 Thanks for the information!

I'm curious to see if the benchmark content is changing as well. If not, do we merely need to update references to the new benchmark documents with appropriate license (when available)?

shawnsi avatar Mar 28 '16 18:03 shawnsi

No clue, that's the only info I have so far. I suppose that the new PDF with benchmarks is different from the ones they have now. Will update once I have more info.

Trikke76 avatar Mar 29 '16 16:03 Trikke76