major/cis-rhel-ansible

RHEL 7 and CentOS 7 benchmarks

blakeblackshear opened this issue · 38 comments

Any idea when these might be ready? My team and I would be happy to help.

major commented

It's something I am working on as time allows. A little bit of work done so
far. Feel free to submit PR's!

Major Hayden
On Aug 19, 2015 1:09 PM, "Blake Blackshear" notifications@github.com
wrote:

Any idea when these might be ready? My team and I would be happy to help.


Reply to this email directly or view it on GitHub
#27.

So the plan is to expand the scope of this repo to support CentOS 7? Is it
incorporated into the test process yet?
On Aug 19, 2015 5:42 PM, "Major Hayden" notifications@github.com wrote:

It's something I am working on as time allows. A little bit of work done so
far. Feel free to submit PR's!

Major Hayden
On Aug 19, 2015 1:09 PM, "Blake Blackshear" notifications@github.com
wrote:

Any idea when these might be ready? My team and I would be happy to help.


Reply to this email directly or view it on GitHub
#27.


Reply to this email directly or view it on GitHub
#27 (comment)
.

major commented

Correct. There are enough similarities between CentOS 6 and 7 that we should be able to use the same repository. However, I could see the need to make an entirely separate repository for 7 so that the experience is cleaner.

What's your take on that?

I think you can probably structure the role tasks to keep the separation
clean in the same place. We are happy to contribute.
On Aug 20, 2015 9:47 AM, "Major Hayden" notifications@github.com wrote:

Correct. There are enough similarities between CentOS 6 and 7 that we
should be able to use the same repository. However, I could see the need to
make an entirely separate repository for 7 so that the experience is
cleaner.

What's your take on that?


Reply to this email directly or view it on GitHub
#27 (comment)
.

major commented

Hmm, I'll go back through the changes in the CentOS 7 benchmarks list and see just how much they differ.

Hi,
I'm one of blakeblackshear's Minions. We have a CentOS 7 image to experiment on. We've forked the repo and will let you know what happens.

@major Its been a while since I've been down in the weeds but I think one repository is ideal and workable.

@blakeblackshear @gamename I'm not currently running EL7 but should be in the near future. Thank you (preemptively) for any contribution in that space.

major commented

@gamename Awesome!

@shawnsi Glad we're on the same page. ;)

I haven't read the EL 7 benchmarks yet but I suspect they vary enough to support task files per major version. It may make sense to use includes based on ansible_lsb.major_version.

If that variable is used in the task file path passed to an include task it should produce dynamic loading of the proper benchmark logic.

major commented

I thought dynamic imports weren't possible in Ansible 1.9?

https://groups.google.com/forum/#!topic/ansible-project/PzA4Vb9SEmk

We can just use a when statement for now. There are only 2 versions we need
to support. Dynamic imports are of limited use anyways. The files have to
be there to import.
On Aug 20, 2015 10:23 AM, "Major Hayden" notifications@github.com wrote:

I thought dynamic imports weren't possible in Ansible 1.9?

https://groups.google.com/forum/#!topic/ansible-project/PzA4Vb9SEmk


Reply to this email directly or view it on GitHub
#27 (comment)
.

@major Good catch. I've started to believe ansible just does everything I think it should but apparently I've found an edge case here.

@blakeblackshear Take a look at http://docs.ansible.com/ansible/playbooks_best_practices.html#operating-system-and-distribution-variance linked in the link @major sent. You could also group on ansible_lsb.major_version if the benchmark differences warrant that approach.

@major Ok, I have the playbook running as an ansible provisioner on a CentOS 7.1 vagrant box. The code is committed to our fork of your repo. The playbook runs to the end error-free, but I haven't looked line-by-line to verify behavior is what it should be. Have a look at the fork if you're curious - or want to tell me what I'm doing wrong. :)

@blakeblackshear fyi

@gamename nice work. I think when: statements should be sufficient to handle most of the 6/7 differences.

major commented

Testing out the fork for 7 support. For 4.1.1, I'm getting:

sysctl: cannot stat /proc/sys/kernel/exec-shield: No such file or directory

that line is not available anymore in cis for rhel 7
my fork works in my vagrant box but i suppose i have to check every line of the cis folder to see if things are added or removed.
Becarefull my fork is heavy modified compared to your original work.
https://github.com/Trikke76/cis-rhel-ansible

major commented

@gamename Would you want to slap together a PR and I can try to get your code into a testing branch?

Or, I could fetch your code and put it into a branch. Either way.

@major Ok. Will work on it.

Has there been any progress on a rhel7?

major commented

Not yet. I've received word that the repo might violate CIS' terms of use. Waiting to see if I can do anything else with this or if it will need to be taken down. :/

@major could you explain more about the violation ?
is it because of the name being used ?

I suppose #3, 8, and 9 in the restrictions at
http://benchmarks.cisecurity.org/downloads/terms-of-use/ would be in
question. If this holds true then I will reevaluate use of CIS benchmarks
in my systems. Closed benchmarks and tools work against healthy secure
practices in my opinion.
On Oct 29, 2015 9:41 AM, "Patrik Uytterhoeven" notifications@github.com
wrote:

@major https://github.com/major could you explain more about the
violation ?
is it because of the name being used ?


Reply to this email directly or view it on GitHub
#27 (comment)
.

major commented

@Trikke76 It's a 'derivative work', which doesn't fit the terms of use. Currently waiting on legal clarification.

@major thx for the clarification

@major I think a different branch would be good, one for CentOS6 and one for 7, etc.

@major any updates on the 'derivative work' issue?

@major any updates wrt to 'repo might violate CIS' terms of use' ?

As i have converted the complete CIS role for internal use working for rhel/centos 6/7 i asked the question myself to see if it can be made public. This is the response i got today:

Thank you for your email. We have just recently updated our licensing for our PDF versions of the publically available benchmarks to be under creative commons licensing. We are working to update our benchmarks accordingly to reflect the new licensing. I will be in touch shortly with copies of the RHEL/CentOS 6 & 7 benchmarks for your use. If you were to use the current versions available today it would not allow for use in github and would require you not reference CIS.

I appreciate your patience and plan to have you versions with new licensing in the next couple of days.

Thanks,

@Trikke76 Thanks for the information!

I'm curious to see if the benchmark content is changing as well. If not, do we merely need to update references to the new benchmark documents with appropriate license (when available)?

No clue thats the only info i have so far
i suppose that the new pdf with benchmarks is different from the once they have now
will update once i have more info

The new versions have been released using the creative commons licensing. Here is the blurb that talks about how it can be used in derivative works:

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike
4.0 International Public License. The link to the license terms can be found at
https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode
To further clarify the Creative Commons license related to CIS Benchmark content, you are
authorized to copy and redistribute the content for use by you, within your organization
and outside your organization for non-commercial purposes only, provided that (i)
appropriate credit is given to CIS, (ii) a link to the license is provided. Additionally, if you
remix, transform or build upon the CIS Benchmark(s), you may only distribute the modified
materials if they are subject to the same license terms as the original Benchmark license
and your derivative will no longer be a CIS Benchmark. Commercial use of CIS Benchmarks
is subject to the prior approval of the Center for Internet Security

major commented

Thanks for letting me know, @r0b0ticus. I'm no lawyer -- is that CC license compatible with Apache 2?

@major I am no lawyer either I was hoping someone else would weigh in on the compatibility :)

Its not explicitly compatible according to https://creativecommons.org/compatiblelicenses/. Then the question becomes whether this repository falls under this clause:

Additionally, if you remix, transform or build upon the CIS Benchmark(s), you may only distribute the modified materials if they are subject to the same license terms...

The only clear way to move forward (read: without that lawyer) is to relicense this repository. I believe this would require introducing a contributor agreement and applying it retroactively to all work under the current license. @major Is that at all palatable to you?

major commented

As an aside, I've started using the STIG to secure Ubuntu 14.04, 16.04 and CentOS 7 here: http://docs.openstack.org/developer/openstack-ansible-security/

CentOS 6 isn't planned for inclusion there, but CentOS 7 and RHEL 7 work fine!

major commented

@shawnsi That could be possible, but I might need to ask for some professional legal help on this one.

Not much activity here since May. Can you summarize where things are now and plans going forward for this repo regarding CentOS 7 and Ubuntu 14/16 upgrades? I can't tell from the above discussion if 1) licensing issues with CIS have caused all work to cease here permanently or 2) everything is OK and there's just been a lack of bandwidth to work on it?

major commented

@dbilling It's gone quiet for now. I've put all of my effort behind this role:

https://github.com/openstack/openstack-ansible-security

It's more complete, better organized, and more thoroughly tested than this role.