RHEL 7 and CentOS 7 benchmarks #27
Comments
|
It's something I am working on as time allows. A little bit of work done so Major Hayden
|
|
So the plan is to expand the scope of this repo to support CentOS 7? Is it
|
|
Correct. There are enough similarities between CentOS 6 and 7 that we should be able to use the same repository. However, I could see the need to make an entirely separate repository for 7 so that the experience is cleaner. What's your take on that? |
|
I think you can probably structure the role tasks to keep the separation
|
|
Hmm, I'll go back through the changes in the CentOS 7 benchmarks list and see just how much they differ. |
|
Hi, |
|
@major Its been a while since I've been down in the weeds but I think one repository is ideal and workable. @blakeblackshear @gamename I'm not currently running EL7 but should be in the near future. Thank you (preemptively) for any contribution in that space. |
|
I haven't read the EL 7 benchmarks yet but I suspect they vary enough to support task files per major version. It may make sense to use includes based on
|
|
I thought dynamic imports weren't possible in Ansible 1.9? https://groups.google.com/forum/#!topic/ansible-project/PzA4Vb9SEmk |
|
We can just use a when statement for now. There are only 2 versions we need
|
|
@major Good catch. I've started to believe ansible just does everything I think it should but apparently I've found an edge case here. @blakeblackshear Take a look at http://docs.ansible.com/ansible/playbooks_best_practices.html#operating-system-and-distribution-variance linked in the link @major sent. You could also group on |
|
@major Ok, I have the playbook running as an ansible provisioner on a CentOS 7.1 vagrant box. The code is committed to our fork of your repo. The playbook runs to the end error-free, but I haven't looked line-by-line to verify behavior is what it should be. Have a look at the fork if you're curious - or want to tell me what I'm doing wrong. :) @blakeblackshear fyi |
|
@gamename nice work. I think |
|
Testing out the fork for 7 support. For 4.1.1, I'm getting: |
|
that line is not available anymore in cis for rhel 7 |
|
@gamename Would you want to slap together a PR and I can try to get your code into a testing branch? Or, I could fetch your code and put it into a branch. Either way. |
|
@major Ok. Will work on it. |
|
Has there been any progress on a rhel7? |
|
Not yet. I've received word that the repo might violate CIS' terms of use. Waiting to see if I can do anything else with this or if it will need to be taken down. :/ |
|
@major could you explain more about the violation ? |
|
I suppose #3, 8, and 9 in the restrictions at
|
|
@Trikke76 It's a 'derivative work', which doesn't fit the terms of use. Currently waiting on legal clarification. |
|
@major thx for the clarification |
|
@major I think a different branch would be good, one for CentOS6 and one for 7, etc. |
|
@major any updates on the 'derivative work' issue? |
|
@major any updates wrt to 'repo might violate CIS' terms of use' ? |
|
As i have converted the complete CIS role for internal use working for rhel/centos 6/7 i asked the question myself to see if it can be made public. This is the response i got today:
|
|
@Trikke76 Thanks for the information! I'm curious to see if the benchmark content is changing as well. If not, do we merely need to update references to the new benchmark documents with appropriate license (when available)? |
|
No clue thats the only info i have so far |
|
The new versions have been released using the creative commons licensing. Here is the blurb that talks about how it can be used in derivative works:
|
|
Thanks for letting me know, @r0b0ticus. I'm no lawyer -- is that CC license compatible with Apache 2? |
|
@major I am no lawyer either I was hoping someone else would weigh in on the compatibility :) |
|
Its not explicitly compatible according to https://creativecommons.org/compatiblelicenses/. Then the question becomes whether this repository falls under this clause:
The only clear way to move forward (read: without that lawyer) is to relicense this repository. I believe this would require introducing a contributor agreement and applying it retroactively to all work under the current license. @major Is that at all palatable to you? |
|
As an aside, I've started using the STIG to secure Ubuntu 14.04, 16.04 and CentOS 7 here: http://docs.openstack.org/developer/openstack-ansible-security/ CentOS 6 isn't planned for inclusion there, but CentOS 7 and RHEL 7 work fine! |
|
@shawnsi That could be possible, but I might need to ask for some professional legal help on this one. |
|
Not much activity here since May. Can you summarize where things are now and plans going forward for this repo regarding CentOS 7 and Ubuntu 14/16 upgrades? I can't tell from the above discussion if 1) licensing issues with CIS have caused all work to cease here permanently or 2) everything is OK and there's just been a lack of bandwidth to work on it? |
|
@dbilling It's gone quiet for now. I've put all of my effort behind this role: https://github.com/openstack/openstack-ansible-security It's more complete, better organized, and more thoroughly tested than this role. |
Any idea when these might be ready? My team and I would be happy to help.
The text was updated successfully, but these errors were encountered: