a10fae4fe1
Now that infra is moving from Fedora 26 to 27, we need to update the role to reflect the changing support for Fedora releases. Change-Id: Icce8fd7ee2f8c54e6eb33beec7af96c4d1d375d6 Signed-off-by: Major Hayden <major@mhtx.net>
69 lines
2.7 KiB
ReStructuredText
69 lines
2.7 KiB
ReStructuredText
Frequently Asked Questions
|
|
==========================
|
|
|
|
Does this role work only with OpenStack environments?
|
|
-----------------------------------------------------
|
|
|
|
No -- it works on almost any Linux host!
|
|
|
|
The ansible-hardening role first began as a component of the
|
|
OpenStack-Ansible project and it was designed to deploy into an existing
|
|
OpenStack environment without causing disruptions. However, the role now works
|
|
well in OpenStack and non-OpenStack environments.
|
|
|
|
See *Which systems are covered?* below for more details.
|
|
|
|
Why should this role be applied to a system?
|
|
--------------------------------------------
|
|
|
|
There are three main reasons to apply this role to production Linux systems:
|
|
|
|
Improve security posture
|
|
The configurations from the STIG add security and rigor around multiple
|
|
components of a Linux system, including user authentication, service
|
|
configurations, and package management. All of these configurations add up
|
|
to an environment that is more difficult for an attacker to penetrate and use
|
|
for lateral movement.
|
|
|
|
Meet compliance requirements
|
|
Some deployers may be subject to industry compliance programs, such as
|
|
PCI-DSS, ISO 27001/27002, or NIST 800-53. Many of these programs require
|
|
hardening standards to be applied to critical systems, such as OpenStack
|
|
infrastructure components.
|
|
|
|
Deployment without disruption
|
|
Security is often at odds with usability. The role provides the greatest
|
|
security benefit without disrupting production systems. Deployers have the
|
|
option to opt out or opt in for most configurations depending on how their
|
|
environments are configured.
|
|
|
|
Which systems are covered?
|
|
--------------------------------------------------------
|
|
|
|
The ansible-hardening role provides security hardening for physical
|
|
servers running the following Linux distributions:
|
|
|
|
* CentOS 7
|
|
* Debian 8 Jessie
|
|
* Fedora 27
|
|
* openSUSE Leap 42.2 and 42.3
|
|
* Red Hat Enterprise Linux 7 *(partial automated test coverage)*
|
|
* SUSE Linux Enterprise 12 (*experimental*)
|
|
* Ubuntu 16.04 Xenial
|
|
|
|
The OpenStack gating system tests the role against each of these distributions
|
|
regularly except for Red Hat Enterprise Linux 7, since it is a non-free
|
|
Linux distribution. CentOS 7 is very similar to Red Hat Enterprise Linux 7 and
|
|
the existing test coverage for CentOS is very thorough.
|
|
|
|
Which systems are not covered?
|
|
------------------------------
|
|
|
|
The containers that run various OpenStack services on physical servers in
|
|
OpenStack-Ansible deployments are currently out of scope and are not changed
|
|
by the role.
|
|
|
|
Virtual machines that are created within the OpenStack environment are also
|
|
not affected by this role, although this role could be applied within those
|
|
VM's if a deployer chooses to do so.
|