RFC: Coming updates and changes


Jonathan Davila

Jan 9, 2017, 10:13:08 AM1/9/17
to Ansible Lockdown
All,

The maintainers of ansible-lockdown have been discussing over the past month or two various aspects of the project, and we have come to agree on many things as far as this project is concerned.

I'll do my best to explain everything. We are looking towards you, the community, to supply any feedback (good and bad) regarding the path we would like to take. 

Regarding Maintenance
  • Roles to contain their own tests (no longer in Lockdown proper)
    Currently, the testing framework lives in the ansible-lockdown repo. This will be removed. Tests will now be placed in their respective repositories.

  • Migration from CodeShip to TravisCI
    Currently, tests are conducted on CodeShip, which has worked "okay" but is rather limited in that tests can only be kicked off at merge time instead of in a pull request. TravisCI supports PR-based testing AND it's a first-class citizen in Ansible Galaxy, so we'll be moving there.

  • Migration from AWS based CI flow to Docker
    Currently, the CodeShip tests create resources in AWS as a way to spin up proper RHEL VMs in order to fully test the benchmarks. We've already got the bulk of the work done to have proper RHEL-based Docker images ready to go; the last bits remaining are fairly simple, and we hope to have this migrated by the end of the week. This will also include a framework for quickly testing any of YOUR local changes via Docker (you'll need to have a free Red Hat Developer license or other entitlement in order to make it work).
    Important note: We'll likely still use AWS for Windows-based testing in the future. (We're open to other, more efficient, ideas).

Regarding Future Content
  • Windows STIGs are coming
    Behind the scenes, we've been toiling away at making Windows STIGs readily available. Over the next few months expect to see the following STIG benchmarks available:
    • Windows Server 2008R2 Member Server
    • Windows Server 2012/2012R2 Member Server
    • Windows Server 2012/2012R2 Domain Controller

  • Community Roles
    So far, we've only supplied roles wholly vetted by both Red Hat and MindPoint Group. Soon we'll introduce the option for community members to submit their own, non-benchmark specific, roles for inclusion within ansible-lockdown. There will be a badge indicator on the main ansible-lockdown page AND on a per-role basis (within README.md) to indicate whether a role is "official" or "community".

  • Modular Roles
    So far, we've only introduced roles which are benchmark specific; soon we'll start introducing roles which are more granular and specific in nature. For example, there will likely be an SSHD role which would deal exclusively around hardening SSH-related things. These roles will be cross-platform supported (the official list of supported OSs is still TBD).

Overall, we're all excited about what 2017 has in store for ansible-lockdown. Please let us know your thoughts!