Check mode only #35
Comments
Hey @jtyr, I totally agree. Due to some licensing mishaps with CIS in the past, most of my effort has been focused here lately: http://docs.openstack.org/developer/openstack-ansible-security/ This repository has received a lot of contributions from multiple people/organizations and is compatible with Red Hat Enterprise Linux 7, CentOS 7, Ubuntu 14.04 and Ubuntu 16.04.
I quickly checked the OpenStack role and have these comments:
It is using the STIG -- that choice was made to avoid licensing issues. However, the check mode is a first-class feature in openstack-ansible-security. In fact, we have gate checks proposed to test the check/audit mode for each commit: https://review.openstack.org/#/c/324482/
Are any of the discussions you had with CIS publicly available? I would be interested to read what they did not like about this initiative (probably that you were stealing customers from them?).
I don't have anything that I can share publicly.
It would be really useful if the role could be run in check mode only (no action would be performed on the remote host). This would allow finding out what's not compliant and selecting the tasks which should be applied or which should be skipped if the user is using a different role to manage certain resources (e.g. `ntp`, `yum`, `ssh`, ...).