Implementing stricter permissions on config files

The security guide suggests that all OpenStack service config files
should be owned by root and in the service user group with 0640 permissions.

http://docs.openstack.org/security-guide/networking/checklist.html

Change-Id: I603eb691828bb3456ae0686ed80342765f52ecea
This commit is contained in:
Travis Truman 2017-02-07 14:24:18 -05:00
parent 3d3a2c3e7d
commit f927760d88
2 changed files with 14 additions and 16 deletions


@ -17,9 +17,9 @@
config_template: config_template:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
owner: "{{ item.owner|default(neutron_system_user_name) }}" owner: "root"
group: "{{ item.group|default(neutron_system_group_name) }}" group: "{{ item.group|default(neutron_system_group_name) }}"
mode: "0644" mode: "0640"
config_overrides: "{{ item.config_overrides }}" config_overrides: "{{ item.config_overrides }}"
config_type: "{{ item.config_type }}" config_type: "{{ item.config_type }}"
with_items: with_items:
@ -37,8 +37,6 @@
config_type: "ini" config_type: "ini"
- src: "rootwrap.conf.j2" - src: "rootwrap.conf.j2"
dest: "{{ neutron_conf_dir }}/rootwrap.conf" dest: "{{ neutron_conf_dir }}/rootwrap.conf"
owner: "root"
group: "root"
config_overrides: "{{ neutron_rootwrap_conf_overrides }}" config_overrides: "{{ neutron_rootwrap_conf_overrides }}"
config_type: "ini" config_type: "ini"
- src: "policy.json.j2" - src: "policy.json.j2"
@ -52,9 +50,9 @@
config_template: config_template:
src: "{{ neutron_plugins[item].plugin_ini }}.j2" src: "{{ neutron_plugins[item].plugin_ini }}.j2"
dest: "{{ neutron_conf_dir }}/{{ neutron_plugins[item].plugin_ini }}" dest: "{{ neutron_conf_dir }}/{{ neutron_plugins[item].plugin_ini }}"
owner: "{{ neutron_system_user_name }}" owner: "root"
group: "{{ neutron_system_group_name }}" group: "{{ neutron_system_group_name }}"
mode: "0644" mode: "0640"
config_overrides: "{{ neutron_plugins[item].plugin_conf_ini_overrides }}" config_overrides: "{{ neutron_plugins[item].plugin_conf_ini_overrides }}"
config_type: "ini" config_type: "ini"
with_items: "{{ neutron_plugin_types }}" with_items: "{{ neutron_plugin_types }}"
@ -63,9 +61,9 @@
config_template: config_template:
src: "dnsmasq-neutron.conf.j2" src: "dnsmasq-neutron.conf.j2"
dest: "{{ neutron_conf_dir }}/dnsmasq-neutron.conf" dest: "{{ neutron_conf_dir }}/dnsmasq-neutron.conf"
owner: "{{ neutron_system_user_name }}" owner: "root"
group: "{{ neutron_system_group_name }}" group: "{{ neutron_system_group_name }}"
mode: "0644" mode: "0640"
config_overrides: "{{ neutron_dnsmasq_neutron_conf_overrides }}" config_overrides: "{{ neutron_dnsmasq_neutron_conf_overrides }}"
config_type: "ini" config_type: "ini"
notify: notify:
@ -82,19 +80,19 @@
config_template: config_template:
src: "{{ item.value.service_conf }}.j2" src: "{{ item.value.service_conf }}.j2"
dest: "{{ item.value.service_conf_path }}/{{ item.value.service_conf }}" dest: "{{ item.value.service_conf_path }}/{{ item.value.service_conf }}"
owner: "{{ neutron_system_user_name }}" owner: "root"
group: "{{ neutron_system_group_name }}" group: "{{ neutron_system_group_name }}"
mode: "0644" mode: "0640"
config_overrides: "{{ item.value.config_overrides }}" config_overrides: "{{ item.value.config_overrides }}"
config_type: "{{ item.value.config_type }}" config_type: "{{ item.value.config_type }}"
with_dict: "{{ neutron_services }}" with_dict: "{{ neutron_services }}"
notify: notify:
- Restart neutron services - Restart neutron services
when: when:
- item.value.service_en | bool - item.value.service_en | bool
- item.value.service_conf_path is defined - item.value.service_conf_path is defined
- item.value.service_conf is defined - item.value.service_conf is defined
- item.value.group in group_names - item.value.group in group_names
- name: Copy neutron rootwrap filters - name: Copy neutron rootwrap filters
copy: copy:
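Review bot: In the first hunk (`@ -17,9 +17,9 @@`) `owner` is hard-coded to `"root"` while `group` on the next line still honours `item.group|default(...)`, so any `owner:` key left in a `with_items` entry is now silently ignored; the hunk at `@ -37,8 +37,6 @@` drops the override from the rootwrap.conf entry, but the list continues past `policy.json.j2` outside the hunk and cannot be checked here. If per-item ownership is no longer meant to be supported, the remaining `owner` keys should go in the same change; otherwise keep the override with the hardened default, `owner: "{{ item.owner|default('root') }}"`. Removing `group: "root"` also moves rootwrap.conf from root:root 0644 to root:`{{ neutron_system_group_name }}` 0640, which fits the commit's intent but deserves a line in the message since rootwrap.conf is what the sudo-escalated helper consults. The enclosing task starts before the first hunk.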


@ -39,8 +39,8 @@
with_items: with_items:
- { path: "/openstack", owner: "root", group: "root" } - { path: "/openstack", owner: "root", group: "root" }
- { path: "{{ neutron_conf_dir }}", mode: "0750" } - { path: "{{ neutron_conf_dir }}", mode: "0750" }
- { path: "{{ neutron_conf_dir }}/plugins" } - { path: "{{ neutron_conf_dir }}/plugins", mode: "0750" }
- { path: "{{ neutron_conf_dir }}/plugins/{{ neutron_plugin_type.split('.')[0] }}" } - { path: "{{ neutron_conf_dir }}/plugins/{{ neutron_plugin_type.split('.')[0] }}", mode: "0750" }
- { path: "{{ neutron_conf_dir }}/rootwrap.d", owner: "root", group: "root" } - { path: "{{ neutron_conf_dir }}/rootwrap.d", owner: "root", group: "root" }
- { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" } - { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
- { path: "/var/cache/neutron" } - { path: "/var/cache/neutron" }
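Review bot: The entries `{ path: "{{ neutron_conf_dir }}", mode: "0750" }` and the two `plugins` paths set a mode but no `owner`/`group`, so they fall back to the task's defaults, which are outside this hunk. If that default owner resolves to the neutron service user, the root-owned 0640 files the other file in this commit places inside gain little: write permission on the directory lets that user unlink and recreate a config file regardless of who owns the file. Either confirm the defaults resolve to root, or make it explicit on these entries as the `rootwrap.d` and `/etc/sudoers.d` lines already do, e.g. `- { path: "{{ neutron_conf_dir }}", mode: "0750", owner: "root", group: "{{ neutron_system_group_name }}" }`. The task these items belong to starts before the hunk.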