Merge pull request #1229 from stackhpc/zed-yoga-merge
zed: yoga merge
markgoddard authored Aug 16, 2024
2 parents 41936eb + 07fdce6 commit 0f6c73e
Showing 5 changed files with 61 additions and 4 deletions.
2 changes: 0 additions & 2 deletions etc/kayobe/ansible/cis.yml
Expand Up @@ -24,9 +24,7 @@
- include_role:
name: ansible-lockdown.rhel9_cis
when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '9'
tags: always

- include_role:
name: ansible-lockdown.ubuntu22_cis
when: ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version == '22'
tags: always
12 changes: 12 additions & 0 deletions etc/kayobe/ansible/reboot.yml
Expand Up @@ -4,7 +4,19 @@
serial: "{{ lookup('env', 'ANSIBLE_SERIAL') | default(1, true) }}"
tags:
- reboot
vars:
reboot_timeout_s: "{{ 20 * 60 }}"
tasks:
- name: Reboot and wait
become: true
reboot:
reboot_timeout: "{{ reboot_timeout_s }}"
search_paths:
# Systems running molly-guard hang waiting for confirmation before rebooting without this.
- "/lib/molly-guard"
# Default list:
- "/sbin"
- "/bin"
- "/usr/sbin"
- "/usr/bin"
- "/usr/local/sbin"
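Review bot: The seven-entry `search_paths` list added under `reboot:` is hand-copied here and again in both reboot tasks of etc/kayobe/ansible/ubuntu-upgrade.yml, so the three copies will drift the next time the molly-guard workaround or the module's default path list changes. It would read better as one variable, e.g. `reboot_search_paths` defined next to `reboot_timeout_s` (in the play `vars` here, or in group_vars so ubuntu-upgrade.yml can share it), with each task using `search_paths: "{{ reboot_search_paths }}"`. The `# Default list:` comment also deserves a sentence noting that supplying `search_paths` replaces the module's built-in list rather than extending it, which is why the defaults have to be repeated — I am inferring that from the reboot module's documented behaviour, so worth confirming. The play this task belongs to starts above the hunk.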
18 changes: 18 additions & 0 deletions etc/kayobe/ansible/ubuntu-upgrade.yml
Expand Up @@ -40,6 +40,15 @@
reboot:
reboot_timeout: "{{ reboot_timeout_s }}"
connect_timeout: 600
search_paths:
# Systems running molly-guard hang waiting for confirmation before rebooting without this.
- "/lib/molly-guard"
# Default list:
- "/sbin"
- "/bin"
- "/usr/sbin"
- "/usr/bin"
- "/usr/local/sbin"
become: true
when: file_status.stat.exists

Expand Down Expand Up @@ -101,6 +110,15 @@
reboot:
reboot_timeout: "{{ reboot_timeout_s }}"
connect_timeout: 600
search_paths:
# Systems running molly-guard hang waiting for confirmation before rebooting without this.
- "/lib/molly-guard"
# Default list:
- "/sbin"
- "/bin"
- "/usr/sbin"
- "/usr/bin"
- "/usr/local/sbin"
become: true

- name: Update distribution facts
31 changes: 30 additions & 1 deletion etc/kayobe/inventory/group_vars/overcloud/cis
Expand Up @@ -35,6 +35,22 @@ rhel9cis_rule_5_3_4: false
# Please double-check yourself with: sudo passwd -S root
rhel9cis_rule_5_6_6: false

# Stop the CIS benchmark scanning all files on every filesystem since this
# takes a long time. Related to the changing permissions block below. This
# would normally warn you about violations, but we can use Wazuh to continually
# monitor this.
rhel9cis_rule_6_1_9: false
rhel9cis_rule_6_1_10: false
rhel9cis_rule_6_1_11: false
rhel9cis_rule_6_1_12: false
rhel9cis_rule_6_1_13: false
rhel9cis_rule_6_1_14: false
rhel9cis_rule_6_1_15: false

# The following rules change permissions on all files on every mounted
# filesystem. We do not want to change /var/lib/docker permissions.
rhel9cis_no_world_write_adjust: false

# Configure log rotation to prevent audit logs from filling the disk
rhel9cis_auditd:
space_left_action: syslog
Expand Down Expand Up @@ -119,9 +135,22 @@ ubtu22cis_sshd:
deny_users: ""
deny_groups: ""

# Do not change /var/lib/docker permissions
# Stop the CIS benchmark scanning all files on every filesystem since this
# takes a long time. Related to the changing permissions block below. This
# would normally warn you about violations, but we can use Wazuh to continually
# monitor this.
ubtu22cis_rule_6_1_9: false
ubtu22cis_rule_6_1_10: false
ubtu22cis_rule_6_1_11: false
ubtu22cis_rule_6_1_12: false
ubtu22cis_rule_6_1_13: false

# The following rules change permissions on all files on every mounted
# filesystem. We do not want to change /var/lib/docker permissions.
ubtu22cis_no_group_adjust: false
ubtu22cis_no_owner_adjust: false
ubtu22cis_no_world_write_adjust: false
ubtu22cis_suid_adjust: false

# Configure log rotation to prevent audit logs from filling the disk
ubtu22cis_auditd:
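Review bot: The new `rhel9cis_rule_6_1_9`…`rhel9cis_rule_6_1_15` and `ubtu22cis_rule_6_1_9`…`ubtu22cis_rule_6_1_13` toggles switch the file-permission audit rules off outright, and the justification rests on "we can use Wazuh to continually monitor this" without naming the Wazuh policy or check that actually covers world-writable, unowned and SUID/SGID files, so a reader cannot verify that the compensating control exists on the deployment in front of them. I would extend the comment in both hunks along the lines of `# Compensating control: <Wazuh SCA/FIM policy — fill in> covers these checks; keep in step if that policy changes.` and, if Wazuh is optional in this configuration, say so explicitly so that disabling these rules is a conscious choice rather than an inherited default. The two rule ranges also differ (6.1.9–6.1.15 for RHEL 9, 6.1.9–6.1.13 for Ubuntu 22), which is presumably a benchmark numbering difference rather than an oversight; a one-line comment naming which checks each range corresponds to would settle that. The `*_adjust: false` variables are described well, though the Ubuntu hunk also sets `ubtu22cis_suid_adjust: false`, which leaves SUID/SGID binaries untouched everywhere rather than only protecting /var/lib/docker permissions — worth calling out in that comment.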
2 changes: 1 addition & 1 deletion terraform/aio/vm.tf
Expand Up @@ -35,7 +35,7 @@ variable "aio_vm_subnet" {

variable "aio_vm_volume_size" {
type = number
default = 35
default = 40
}

variable "aio_vm_tags" {
