Initial import of openstack-ansible-security role

This role contains around 150 controls from the 270+ controls that exist
in the RHEL 6 STIG. New controls are still being added.

Implements: blueprint security-hardening

Change-Id: I0578f86bf42d55242bc72b97b40a5935a3cb18d6
Major Hayden 2015-10-05 15:36:08 -05:00
parent 74b2aa6d0d
commit bfcf6c7423
182 changed files with 8369 additions and 0 deletions

.gitignore (vendored, normal file, 60 lines)

@ -0,0 +1,60 @@
# Override Files #
rpc_deployment/playbooks/lab_plays
rpc_deployment/vars/overrides/*.yml
# Compiled source #
###################
*.com
*.class
*.dll
*.exe
*.o
*.so
*.pyc
build/
dist/
doc/build/
# Packages #
############
# it's better to unpack these files and commit the raw source
# git has its own built in compression methods
*.7z
*.dmg
*.gz
*.iso
*.jar
*.rar
*.tar
*.zip
# Logs and databases #
######################
*.log
*.sql
*.sqlite
# OS generated files #
######################
.DS_Store
.DS_Store?
._*
.Spotlight-V100
.Trashes
.idea
.tox
*.sublime*
*.egg-info
Icon?
ehthumbs.db
Thumbs.db
.eggs
# User driven backup files #
############################
*.bak
# Generated by pbr while building docs
######################################
AUTHORS
ChangeLog
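Review bot: the two `rpc_deployment/...` entries under `# Override Files #` do not correspond to anything in this role and look carried over from another repository; drop them or replace them with paths this role actually generates. That heading is also the only section without the `####` underline the rest of the file uses.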

LICENSE (normal file, 202 lines)

@ -0,0 +1,202 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright {yyyy} {name of copyright owner}
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

README.rst (normal file, 30 lines)

@ -0,0 +1,30 @@
Security hardening for openstack-ansible
----------------------------------------
**--- Currently a work in progress ---**
Documentation is on `ReadTheDocs`_ temporarily.
.. _ReadTheDocs: http://openstack-ansible-security.readthedocs.org/en/latest/
What is this?
~~~~~~~~~~~~~
The goal of this Ansible role is to provide additional security for deployments of openstack-ansible, the OpenStack project which deploys a fully-functional OpenStack environment using Ansible roles. For a more detailed explanation, review the security hardening spec in the section below.
How do I learn more?
~~~~~~~~~~~~~~~~~~~~
* `openstack-ansible`_
* `Security hardening spec`_ in openstack-ansible
* `RHEL 6 STIG`_ in `STIG Viewer`_
.. _openstack-ansible: https://github.com/openstack/openstack-ansible
.. _Security hardening spec: http://specs.openstack.org/openstack/openstack-ansible-specs/specs/mitaka/security-hardening.html
.. _RHEL 6 STIG: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/
.. _STIG Viewer: https://www.stigviewer.com
Questions or comments?
~~~~~~~~~~~~~~~~~~~~~~
Join ``#openstack-ansible`` on Freenode or email openstack-dev@lists.openstack.org with the tag ``[openstack-ansible]`` in the subject line.
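Review bot: the README has no usage section: it links to the spec and the STIG but never shows how to apply the role (a minimal playbook snippet, the variables a deployer is expected to set, or the target distributions it has been tested on). Since the controls come from the RHEL 6 STIG while the role is applied to openstack-ansible hosts, stating the supported platforms explicitly would avoid confusion. Minor: prefer `https://` for the ReadTheDocs link.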

dev-requirements.txt (normal file, 3 lines)

@ -0,0 +1,3 @@
ansible-lint
oslosphinx>=2.5.0
sphinx
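Review bot: `ansible-lint` and `sphinx` are unpinned while `oslosphinx` carries a lower bound; give the other two at least a minimum version so lint and doc builds behave the same across environments.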

doc/Makefile (normal file, 195 lines)

@ -0,0 +1,195 @@
# Makefile for Sphinx documentation
#
# You can set these variables from the command line.
SPHINXOPTS =
SPHINXBUILD = sphinx-build
PAPER =
BUILDDIR = build
# User-friendly check for sphinx-build
ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1)
$(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/)
endif
# Internal variables.
PAPEROPT_a4 = -D latex_paper_size=a4
PAPEROPT_letter = -D latex_paper_size=letter
ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) source
# the i18n builder cannot share the environment and doctrees with the others
I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) source
.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest coverage gettext
help:
@echo "Please use \`make <target>' where <target> is one of"
@echo " html to make standalone HTML files"
@echo " dirhtml to make HTML files named index.html in directories"
@echo " singlehtml to make a single large HTML file"
@echo " pickle to make pickle files"
@echo " json to make JSON files"
@echo " htmlhelp to make HTML files and a HTML help project"
@echo " qthelp to make HTML files and a qthelp project"
@echo " applehelp to make an Apple Help Book"
@echo " devhelp to make HTML files and a Devhelp project"
@echo " epub to make an epub"
@echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
@echo " latexpdf to make LaTeX files and run them through pdflatex"
@echo " latexpdfja to make LaTeX files and run them through platex/dvipdfmx"
@echo " text to make text files"
@echo " man to make manual pages"
@echo " texinfo to make Texinfo files"
@echo " info to make Texinfo files and run them through makeinfo"
@echo " gettext to make PO message catalogs"
@echo " changes to make an overview of all changed/added/deprecated items"
@echo " xml to make Docutils-native XML files"
@echo " pseudoxml to make pseudoxml-XML files for display purposes"
@echo " linkcheck to check all external links for integrity"
@echo " doctest to run all doctests embedded in the documentation (if enabled)"
@echo " coverage to run coverage check of the documentation (if enabled)"
clean:
rm -rf $(BUILDDIR)/*
html:
$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
@echo
@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
dirhtml:
$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
@echo
@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
singlehtml:
$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
@echo
@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
pickle:
$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
@echo
@echo "Build finished; now you can process the pickle files."
json:
$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
@echo
@echo "Build finished; now you can process the JSON files."
htmlhelp:
$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
@echo
@echo "Build finished; now you can run HTML Help Workshop with the" \
".hhp project file in $(BUILDDIR)/htmlhelp."
qthelp:
$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
@echo
@echo "Build finished; now you can run "qcollectiongenerator" with the" \
".qhcp project file in $(BUILDDIR)/qthelp, like this:"
@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/openstack-ansible.qhcp"
@echo "To view the help file:"
@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/openstack-ansible.qhc"
applehelp:
$(SPHINXBUILD) -b applehelp $(ALLSPHINXOPTS) $(BUILDDIR)/applehelp
@echo
@echo "Build finished. The help book is in $(BUILDDIR)/applehelp."
@echo "N.B. You won't be able to view it unless you put it in" \
"~/Library/Documentation/Help or install it in your application" \
"bundle."
devhelp:
$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
@echo
@echo "Build finished."
@echo "To view the help file:"
@echo "# mkdir -p $$HOME/.local/share/devhelp/openstack-ansible"
@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/openstack-ansible"
@echo "# devhelp"
epub:
$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
@echo
@echo "Build finished. The epub file is in $(BUILDDIR)/epub."
latex:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo
@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
@echo "Run \`make' in that directory to run these through (pdf)latex" \
"(use \`make latexpdf' here to do that automatically)."
latexpdf:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo "Running LaTeX files through pdflatex..."
$(MAKE) -C $(BUILDDIR)/latex all-pdf
@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
latexpdfja:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo "Running LaTeX files through platex and dvipdfmx..."
$(MAKE) -C $(BUILDDIR)/latex all-pdf-ja
@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
text:
$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
@echo
@echo "Build finished. The text files are in $(BUILDDIR)/text."
man:
$(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
@echo
@echo "Build finished. The manual pages are in $(BUILDDIR)/man."
texinfo:
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
@echo
@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
@echo "Run \`make' in that directory to run these through makeinfo" \
"(use \`make info' here to do that automatically)."
info:
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
@echo "Running Texinfo files through makeinfo..."
make -C $(BUILDDIR)/texinfo info
@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
gettext:
$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
@echo
@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
changes:
$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
@echo
@echo "The overview file is in $(BUILDDIR)/changes."
linkcheck:
$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
@echo
@echo "Link check complete; look for any errors in the above output " \
"or in $(BUILDDIR)/linkcheck/output.txt."
doctest:
$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
@echo "Testing of doctests in the sources finished, look at the " \
"results in $(BUILDDIR)/doctest/output.txt."
coverage:
$(SPHINXBUILD) -b coverage $(ALLSPHINXOPTS) $(BUILDDIR)/coverage
@echo "Testing of coverage in the sources finished, look at the " \
"results in $(BUILDDIR)/coverage/python.txt."
xml:
$(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml
@echo
@echo "Build finished. The XML files are in $(BUILDDIR)/xml."
pseudoxml:
$(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml
@echo
@echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml."
livehtml: html
sphinx-autobuild -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
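Review bot: the `info` target calls bare `make -C $(BUILDDIR)/texinfo info` while `latexpdf` and `latexpdfja` use `$(MAKE)`; use `$(MAKE)` consistently so the recursive call inherits flags and the jobserver. Also `livehtml` is missing from the `.PHONY` list and from the `help` text, and the `qthelp` and `devhelp` messages still reference `openstack-ansible` (`openstack-ansible.qhcp`, `devhelp/openstack-ansible`) rather than this role's project name.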


@ -0,0 +1,109 @@
{% extends "basic/layout.html" %}
{% set css_files = css_files + ['_static/tweaks.css'] %}
{% block sidebar2 %}
<div class="sphinxsidebar">
<div class="sphinxsidebarwrapper">
{%- if not embedded %}{% if not theme_nosidebar|tobool %}
{%- block sidebarlogo %}
{%- if logo %}
<p class="logo"><a href="{{ pathto(master_doc) }}">
<img class="logo" src="{{ pathto('_static/' + logo, 1) }}" alt="Logo"/>
</a></p>
{%- endif %}
{%- endblock %}
{%- block sidebartoc %}
{%- if display_toc %}
<h3><a href="{{ pathto(master_doc) }}">{{ _('Table Of Contents') }}</a></h3>
{{ toc }}
{%- endif %}
{%- endblock %}
{%- block sidebarrel %}
{%- if prev %}
<h4>{{ _('Previous topic') }}</h4>
<p class="topless"><a href="{{ prev.link|e }}"
title="{{ _('previous chapter') }}">{{ prev.title }}</a></p>
{%- endif %}
{%- if next %}
<h4>{{ _('Next topic') }}</h4>
<p class="topless"><a href="{{ next.link|e }}"
title="{{ _('next chapter') }}">{{ next.title }}</a></p>
{%- endif %}
{%- endblock %}
{%- block projectsource %}
{%- if cgit_link %}
<h3>{{ _('Project Source') }}</h3>
<ul class="this-page-menu">
<li><a href="{{cgit_link}}"
rel="nofollow">{{ _('Project Source') }}</a></li>
</ul>
{%- endif %}
{%- endblock %}
{%- block sidebarsourcelink %}
{%- if show_source and has_source and sourcename %}
<h3>{{ _('This Page') }}</h3>
<ul class="this-page-menu">
<li><a href="{{ pathto('_sources/' + sourcename, true)|e }}"
rel="nofollow">{{ _('Show Source') }}</a></li>
</ul>
{%- endif %}
{%- endblock %}
{%- if customsidebar %}
{% include customsidebar %}
{%- endif %}
{%- block sidebarsearch %}
{%- if pagename != "search" %}
<div id="searchbox" style="display: none">
<h3>{{ _('Quick search') }}</h3>
<form class="search" action="{{ pathto('search') }}" method="get">
<input type="text" name="q" size="18" />
<input type="submit" value="{{ _('Go') }}" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
<p class="searchtip" style="font-size: 90%">
{{ _('Enter search terms or a module, class or function name.') }}
</p>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
{%- endif %}
{%- endblock %}
{%- endif %}{% endif %}
</div>
</div>
{% endblock %}
{% block relbar1 %}{% endblock relbar1 %}
{% block header %}
<div id="header">
<h1 id="logo"><a href="http://www.openstack.org/">OpenStack</a></h1>
<ul id="navigation">
{% block header_navigation %}
<li><a href="http://www.openstack.org/" title="Go to the Home page" class="link">Home</a></li>
<li><a href="http://www.openstack.org/projects/" title="Go to the OpenStack Projects page">Projects</a></li>
<li><a href="http://www.openstack.org/user-stories/" title="Go to the User Stories page" class="link">User Stories</a></li>
<li><a href="http://www.openstack.org/community/" title="Go to the Community page" class="link">Community</a></li>
<li><a href="http://www.openstack.org/blog/" title="Go to the OpenStack Blog">Blog</a></li>
<li><a href="http://wiki.openstack.org/" title="Go to the OpenStack Wiki">Wiki</a></li>
<li><a href="http://docs.openstack.org/" title="Go to OpenStack Documentation" class="current">Documentation</a></li>
{% endblock %}
</ul>
</div>
{% endblock %}
{% block footer %}
{{ super() }}
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
//Tracking docs.openstack.org/developer/<projectname> only
//The URL is built from the project variable in conf.py
var pageTracker = _gat._getTracker("UA-17511903-1");
pageTracker._setCookiePath("/developer/{{ project }}");
pageTracker._trackPageview();
} catch(err) {}</script>
{% endblock %}
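Review bot: the `footer` block injects Google Analytics via `document.write` with protocol sniffing (`gaJsHost`), so `ga.js` is fetched over plain `http://` whenever the docs are served without TLS; if tracking is wanted for this role's documentation, load the script over `https://` unconditionally and confirm that the hardcoded `UA-17511903-1` tracker, which the inline comment ties to `docs.openstack.org/developer/<projectname>`, is the intended property for this repository. The `sidebarsearch` block's `$('#searchbox').show(0);` also assumes jQuery is already loaded by the base layout.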


@ -0,0 +1,419 @@
/**
* Sphinx stylesheet -- basic theme
* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*/
/* -- main layout ----------------------------------------------------------- */
div.clearer {
clear: both;
}
/* -- relbar ---------------------------------------------------------------- */
div.related {
font-size: 90%;
}
div.related h3 {
display: none;
}
div.related ul {
margin: 0;
padding: 0 0 0 10px;
list-style: none;
}
div.related li {
display: inline;
}
div.related li.right {
float: right;
margin-right: 5px;
}
/* -- sidebar --------------------------------------------------------------- */
div.sphinxsidebarwrapper {
padding: 10px 5px 0 10px;
}
div.sphinxsidebar {
float: left;
width: 260px;
margin-left: -100%;
font-size: 90%;
}
div.sphinxsidebar ul {
list-style: none;
}
div.sphinxsidebar ul ul,
div.sphinxsidebar ul.want-points {
margin-left: 20px;
list-style: square;
}
div.sphinxsidebar ul ul {
margin-top: 0;
margin-bottom: 0;
}
div.sphinxsidebar form {
margin-top: 10px;
}
div.sphinxsidebar input {
border: 1px solid #98dbcc;
font-family: sans-serif;
font-size: 1em;
}
div.sphinxsidebar span.pre {
word-wrap: break-word;
}
img {
border: 0;
}
/* -- search page ----------------------------------------------------------- */
ul.search {
margin: 10px 0 0 20px;
padding: 0;
}
ul.search li {
padding: 5px 0 5px 20px;
background-image: url(file.png);
background-repeat: no-repeat;
background-position: 0 7px;
}
ul.search li a {
font-weight: bold;
}
ul.search li div.context {
color: #888;
margin: 2px 0 0 30px;
text-align: left;
}
ul.keywordmatches li.goodmatch a {
font-weight: bold;
}
/* -- index page ------------------------------------------------------------ */
table.contentstable {
width: 90%;
}
table.contentstable p.biglink {
line-height: 150%;
}
a.biglink {
font-size: 1.3em;
}
span.linkdescr {
font-style: italic;
padding-top: 5px;
font-size: 90%;
}
/* -- general index --------------------------------------------------------- */
table.indextable td {
text-align: left;
vertical-align: top;
}
table.indextable dl, table.indextable dd {
margin-top: 0;
margin-bottom: 0;
}
table.indextable tr.pcap {
height: 10px;
}
table.indextable tr.cap {
margin-top: 10px;
background-color: #f2f2f2;
}
img.toggler {
margin-right: 3px;
margin-top: 3px;
cursor: pointer;
}
/* -- general body styles --------------------------------------------------- */
a.headerlink {
visibility: hidden;
}
h1:hover > a.headerlink,
h2:hover > a.headerlink,
h3:hover > a.headerlink,
h4:hover > a.headerlink,
h5:hover > a.headerlink,
h6:hover > a.headerlink,
dt:hover > a.headerlink {
visibility: visible;
}
div.body p.caption {
text-align: inherit;
}
div.body td {
text-align: left;
}
.field-list ul {
padding-left: 1em;
}
.first {
}
p.rubric {
margin-top: 30px;
font-weight: bold;
}
/* -- sidebars -------------------------------------------------------------- */
div.sidebar {
margin: 0 0 0.5em 1em;
border: 1px solid #ddb;
padding: 7px 7px 0 7px;
background-color: #ffe;
width: 40%;
float: right;
}
p.sidebar-title {
font-weight: bold;
}
/* -- topics ---------------------------------------------------------------- */
div.topic {
border: 1px solid #ccc;
padding: 7px 7px 0 7px;
margin: 10px 0 10px 0;
}
p.topic-title {
font-size: 1.1em;
font-weight: bold;
margin-top: 10px;
}
/* -- admonitions ----------------------------------------------------------- */
div.admonition {
margin-top: 10px;
margin-bottom: 10px;
padding: 7px;
}
div.admonition dt {
font-weight: bold;
}
div.admonition dl {
margin-bottom: 0;
}
p.admonition-title {
margin: 0px 10px 5px 0px;
font-weight: bold;
}
div.body p.centered {
text-align: center;
margin-top: 25px;
}
/* -- tables ---------------------------------------------------------------- */
table.docutils {
border: 0;
border-collapse: collapse;
}
table.docutils td, table.docutils th {
padding: 1px 8px 1px 0;
border-top: 0;
border-left: 0;
border-right: 0;
border-bottom: 1px solid #aaa;
}
table.field-list td, table.field-list th {
border: 0 !important;
}
table.footnote td, table.footnote th {
border: 0 !important;
}
th {
text-align: left;
padding-right: 5px;
}
/* -- other body styles ----------------------------------------------------- */
dl {
margin-bottom: 15px;
}
dd p {
margin-top: 0px;
}
dd ul, dd table {
margin-bottom: 10px;
}
dd {
margin-top: 3px;
margin-bottom: 10px;
margin-left: 30px;
}
dt:target, .highlight {
background-color: #fbe54e;
}
dl.glossary dt {
font-weight: bold;
font-size: 1.1em;
}
.field-list ul {
margin: 0;
padding-left: 1em;
}
.field-list p {
margin: 0;
}
.refcount {
color: #060;
}
.optional {
font-size: 1.3em;
}
.versionmodified {
font-style: italic;
}
.system-message {
background-color: #fda;
padding: 5px;
border: 3px solid red;
}
.footnote:target {
background-color: #ffa
}
.line-block {
display: block;
margin-top: 1em;
margin-bottom: 1em;
}
.line-block .line-block {
margin-top: 0;
margin-bottom: 0;
margin-left: 1.5em;
}
/* -- code displays --------------------------------------------------------- */
pre {
overflow: auto;
}
td.linenos pre {
padding: 5px 0px;
border: 0;
background-color: transparent;
color: #aaa;
}
table.highlighttable {
margin-left: 0.5em;
}
table.highlighttable td {
padding: 0 0.5em 0 0.5em;
}
tt.descname {
background-color: transparent;
font-weight: bold;
font-size: 1.2em;
}
tt.descclassname {
background-color: transparent;
}
tt.xref, a tt {
background-color: transparent;
font-weight: bold;
}
h1 tt, h2 tt, h3 tt, h4 tt, h5 tt, h6 tt {
background-color: transparent;
}
/* -- math display ---------------------------------------------------------- */
img.math {
vertical-align: middle;
}
div.body div.math p {
text-align: center;
}
span.eqno {
float: right;
}
/* -- printout stylesheet --------------------------------------------------- */
@media print {
div.document,
div.documentwrapper,
div.bodywrapper {
margin: 0 !important;
width: 100%;
}
div.sphinxsidebar,
div.related,
div.footer,
#top-link {
display: none;
}
}
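Review bot: this vendors a full copy of Sphinx's `basic.css` instead of shipping only the overrides in `tweaks.css`; if it must stay, `.field-list ul` is declared twice with overlapping properties, `.first {}` is an empty rule, and `.footnote:target` is missing the semicolon after `#ffa`.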


@ -0,0 +1,230 @@
/**
* Sphinx stylesheet -- default theme
* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*/
@import url("basic.css");
/* -- page layout ----------------------------------------------------------- */
body {
font-family: sans-serif;
font-size: 100%;
background-color: #11303d;
color: #000;
margin: 0;
padding: 0;
}
div.document {
background-color: #1c4e63;
}
div.documentwrapper {
float: left;
width: 100%;
}
div.bodywrapper {
margin: 0 0 0 230px;
}
div.body {
background-color: #ffffff;
color: #000000;
padding: 0 20px 30px 20px;
}
div.footer {
color: #ffffff;
width: 100%;
padding: 9px 0 9px 0;
text-align: center;
font-size: 75%;
}
div.footer a {
color: #ffffff;
text-decoration: underline;
}
div.related {
background-color: #133f52;
line-height: 30px;
color: #ffffff;
}
div.related a {
color: #ffffff;
}
div.sphinxsidebar {
}
div.sphinxsidebar h3 {
font-family: 'Trebuchet MS', sans-serif;
color: #ffffff;
font-size: 1.4em;
font-weight: normal;
margin: 0;
padding: 0;
}
div.sphinxsidebar h3 a {
color: #ffffff;
}
div.sphinxsidebar h4 {
font-family: 'Trebuchet MS', sans-serif;
color: #ffffff;
font-size: 1.3em;
font-weight: normal;
margin: 5px 0 0 0;
padding: 0;
}
div.sphinxsidebar p {
color: #ffffff;
}
div.sphinxsidebar p.topless {
margin: 5px 10px 10px 10px;
}
div.sphinxsidebar ul {
margin: 10px;
padding: 0;
color: #ffffff;
}
div.sphinxsidebar a {
color: #98dbcc;
}
div.sphinxsidebar input {
border: 1px solid #98dbcc;
font-family: sans-serif;
font-size: 1em;
}
/* -- body styles ----------------------------------------------------------- */
a {
color: #355f7c;
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
div.body p, div.body dd, div.body li {
text-align: left;
line-height: 130%;
}
div.body h1,
div.body h2,
div.body h3,
div.body h4,
div.body h5,
div.body h6 {
font-family: 'Trebuchet MS', sans-serif;
background-color: #f2f2f2;
font-weight: normal;
color: #20435c;
border-bottom: 1px solid #ccc;
margin: 20px -20px 10px -20px;
padding: 3px 0 3px 10px;
}
div.body h1 { margin-top: 0; font-size: 200%; }
div.body h2 { font-size: 160%; }
div.body h3 { font-size: 140%; }
div.body h4 { font-size: 120%; }
div.body h5 { font-size: 110%; }
div.body h6 { font-size: 100%; }
a.headerlink {
color: #c60f0f;
font-size: 0.8em;
padding: 0 4px 0 4px;
text-decoration: none;
}
a.headerlink:hover {
background-color: #c60f0f;
color: white;
}
div.body p, div.body dd, div.body li {
text-align: left;
line-height: 130%;
}
div.admonition p.admonition-title + p {
display: inline;
}
div.admonition p {
margin-bottom: 5px;
}
div.admonition pre {
margin-bottom: 5px;
}
div.admonition ul, div.admonition ol {
margin-bottom: 5px;
}
div.note {
background-color: #eee;
border: 1px solid #ccc;
}
div.seealso {
background-color: #ffc;
border: 1px solid #ff6;
}
div.topic {
background-color: #eee;
}
div.warning {
background-color: #ffe4e4;
border: 1px solid #f66;
}
p.admonition-title {
display: inline;
}
p.admonition-title:after {
content: ":";
}
pre {
padding: 5px;
background-color: #eeffcc;
color: #333333;
line-height: 120%;
border: 1px solid #ac9;
border-left: none;
border-right: none;
}
tt {
background-color: #ecf0f3;
padding: 0 1px 0 1px;
font-size: 0.95em;
}
.warning tt {
background: #efc2c2;
}
.note tt {
background: #d6d6d6;
}
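Review bot: the rule `div.body p, div.body dd, div.body li { text-align: left; line-height: 130%; }` appears twice in this file, once directly under the `body styles` comment and again right after `a.headerlink:hover`; the second copy is a verbatim duplicate and should be dropped. `div.sphinxsidebar { }` is an empty rule and can go as well. Since this is a vendored copy of the stock Sphinx default theme stylesheet in an Apache-2.0 repository, keep the Sphinx copyright and BSD notice in its header, as the `nature.css_t` copy below does.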

[binary file added, 48 B; not shown]

[binary file added, 3.7 KiB; not shown]

@ -0,0 +1,245 @@
/*
* nature.css_t
* ~~~~~~~~~~~~
*
* Sphinx stylesheet -- nature theme.
*
* :copyright: Copyright 2007-2011 by the Sphinx team, see AUTHORS.
* :license: BSD, see LICENSE for details.
*
*/
@import url("basic.css");
/* -- page layout ----------------------------------------------------------- */
body {
font-family: Arial, sans-serif;
font-size: 100%;
background-color: #111;
color: #555;
margin: 0;
padding: 0;
}
div.documentwrapper {
float: left;
width: 100%;
}
div.bodywrapper {
margin: 0 0 0 {{ theme_sidebarwidth|toint }}px;
}
hr {
border: 1px solid #B1B4B6;
}
div.document {
background-color: #eee;
}
div.body {
background-color: #ffffff;
color: #3E4349;
padding: 0 30px 30px 30px;
font-size: 0.9em;
}
div.footer {
color: #555;
width: 100%;
padding: 13px 0;
text-align: center;
font-size: 75%;
}
div.footer a {
color: #444;
text-decoration: underline;
}
div.related {
background-color: #6BA81E;
line-height: 32px;
color: #fff;
text-shadow: 0px 1px 0 #444;
font-size: 0.9em;
}
div.related a {
color: #E2F3CC;
}
div.sphinxsidebar {
font-size: 0.75em;
line-height: 1.5em;
}
div.sphinxsidebarwrapper{
padding: 20px 0;
}
div.sphinxsidebar h3,
div.sphinxsidebar h4 {
font-family: Arial, sans-serif;
color: #222;
font-size: 1.2em;
font-weight: normal;
margin: 0;
padding: 5px 10px;
background-color: #ddd;
text-shadow: 1px 1px 0 white
}
div.sphinxsidebar h4{
font-size: 1.1em;
}
div.sphinxsidebar h3 a {
color: #444;
}
div.sphinxsidebar p {
color: #888;
padding: 5px 20px;
}
div.sphinxsidebar p.topless {
}
div.sphinxsidebar ul {
margin: 10px 20px;
padding: 0;
color: #000;
}
div.sphinxsidebar a {
color: #444;
}
div.sphinxsidebar input {
border: 1px solid #ccc;
font-family: sans-serif;
font-size: 1em;
}
div.sphinxsidebar input[type=text]{
margin-left: 20px;
}
/* -- body styles ----------------------------------------------------------- */
a {
color: #005B81;
text-decoration: none;
}
a:hover {
color: #E32E00;
text-decoration: underline;
}
div.body h1,
div.body h2,
div.body h3,
div.body h4,
div.body h5,
div.body h6 {
font-family: Arial, sans-serif;
background-color: #BED4EB;
font-weight: normal;
color: #212224;
margin: 30px 0px 10px 0px;
padding: 5px 0 5px 10px;
text-shadow: 0px 1px 0 white
}
div.body h1 { border-top: 20px solid white; margin-top: 0; font-size: 200%; }
div.body h2 { font-size: 150%; background-color: #C8D5E3; }
div.body h3 { font-size: 120%; background-color: #D8DEE3; }
div.body h4 { font-size: 110%; background-color: #D8DEE3; }
div.body h5 { font-size: 100%; background-color: #D8DEE3; }
div.body h6 { font-size: 100%; background-color: #D8DEE3; }
a.headerlink {
color: #c60f0f;
font-size: 0.8em;
padding: 0 4px 0 4px;
text-decoration: none;
}
a.headerlink:hover {
background-color: #c60f0f;
color: white;
}
div.body p, div.body dd, div.body li {
line-height: 1.5em;
}
div.admonition p.admonition-title + p {
display: inline;
}
div.highlight{
background-color: white;
}
div.note {
background-color: #eee;
border: 1px solid #ccc;
}
div.seealso {
background-color: #ffc;
border: 1px solid #ff6;
}
div.topic {
background-color: #eee;
}
div.warning {
background-color: #ffe4e4;
border: 1px solid #f66;
}
p.admonition-title {
display: inline;
}
p.admonition-title:after {
content: ":";
}
pre {
padding: 10px;
background-color: White;
color: #222;
line-height: 1.2em;
border: 1px solid #C6C9CB;
font-size: 1.1em;
margin: 1.5em 0 1.5em 0;
-webkit-box-shadow: 1px 1px 1px #d8d8d8;
-moz-box-shadow: 1px 1px 1px #d8d8d8;
}
tt {
background-color: #ecf0f3;
color: #222;
/* padding: 1px 2px; */
font-size: 1.1em;
font-family: monospace;
}
.viewcode-back {
font-family: Arial, sans-serif;
}
div.viewcode-block:target {
background-color: #f4debf;
border-top: 1px solid #ac9;
border-bottom: 1px solid #ac9;
}
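Review bot: two declarations lack a trailing semicolon: `text-shadow: 1px 1px 0 white` in the `div.sphinxsidebar h3, div.sphinxsidebar h4` block and again in the `div.body h1 ... h6` block. Browsers accept a missing semicolon on the last declaration, but whoever appends a property after it later gets that property silently dropped, so add them now. `div.sphinxsidebar p.topless { }` is empty and can be removed. The Sphinx-team copyright and BSD header is correct for a vendored file and should stay.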

[binary file added, 3.6 KiB; not shown]

@ -0,0 +1,128 @@
body {
background: #fff url(../_static/header_bg.jpg) top left no-repeat;
}
#header {
width: 950px;
margin: 0 auto;
height: 102px;
}
#header h1#logo {
background: url(../_static/openstack_logo.png) top left no-repeat;
display: block;
float: left;
text-indent: -9999px;
width: 175px;
height: 55px;
}
#navigation {
background: url(../_static/header-line.gif) repeat-x 0 bottom;
display: block;
float: left;
margin: 27px 0 0 25px;
padding: 0;
}
#navigation li{
float: left;
display: block;
margin-right: 25px;
}
#navigation li a {
display: block;
font-weight: normal;
text-decoration: none;
background-position: 50% 0;
padding: 20px 0 5px;
color: #353535;
font-size: 14px;
}
#navigation li a.current, #navigation li a.section {
border-bottom: 3px solid #cf2f19;
color: #cf2f19;
}
div.related {
background-color: #cde2f8;
border: 1px solid #b0d3f8;
}
div.related a {
color: #4078ba;
text-shadow: none;
}
div.sphinxsidebarwrapper {
padding-top: 0;
}
pre {
color: #555;
}
div.documentwrapper h1, div.documentwrapper h2, div.documentwrapper h3, div.documentwrapper h4, div.documentwrapper h5, div.documentwrapper h6 {
font-family: 'PT Sans', sans-serif !important;
color: #264D69;
border-bottom: 1px dotted #C5E2EA;
padding: 0;
background: none;
padding-bottom: 5px;
}
div.documentwrapper h3 {
color: #CF2F19;
}
a.headerlink {
color: #fff !important;
margin-left: 5px;
background: #CF2F19 !important;
}
div.body {
margin-top: -25px;
margin-left: 260px;
}
div.document {
width: 960px;
margin: 0 auto;
}
div.sphinxsidebar h3.highlighted {
background-color: #cf2f19;
color: #EEE;
text-shadow: 1px 1px 0 #740101;
}
div.sphinxsidebar h3.highlighted a {
color: #EEE;
}
/** provide visual separation for sidebar for increased readability. */
div.sphinxsidebar ul li {
margin-top: 1em;
font-weight: bold;
}
div.sphinxsidebar ul li ul li {
margin-top: 0;
font-weight: normal;
}
/** Provide the sidebar to allow long words to go to the next line
making them easier to read.*/
div.sphinxsidebar a {
display: block;
text-indent: -1em;
margin-left: 1em;
word-wrap: break-word;
}
div.sphinxsidebar ul {
margin: 10px 10px;
}

@ -0,0 +1,7 @@
[theme]
inherit = basic
stylesheet = nature.css
pygments_style = tango
[options]
incubating = false
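Review bot: `stylesheet = nature.css` is the only stylesheet this theme declares, so nothing visible in this diff loads the OpenStack-specific rules in the preceding file (the `#header`, `#navigation`, `header_bg.jpg` and `openstack_logo.png` styling that the three added binary images exist for). Confirm that a `layout.html` in `_themes/openstack` links that stylesheet, or declare it here. `incubating = false` under `[options]` is declared but nothing shown reads it; if a template does, say so in a comment, otherwise drop it.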

doc/source/conf.py (new file, 287 lines)

@ -0,0 +1,287 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
# openstack-ansible documentation build configuration file, created by
# sphinx-quickstart on Mon Apr 13 20:42:26 2015.
#
# This file is execfile()d with the current directory set to its
# containing dir.
#
# Note that not all possible configuration values are present in this
# autogenerated file.
#
# All configuration values have a default; values that are commented out
# serve to show the default.
# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
# sys.path.insert(0, os.path.abspath('.'))
# -- General configuration ------------------------------------------------
# If your documentation needs a minimal Sphinx version, state it here.
# needs_sphinx = '1.0'
# Add any Sphinx extension module names here, as strings. They can be
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
# ones.
extensions = [
'sphinx.ext.autodoc',
'oslosphinx'
]
# Add any paths that contain templates here, relative to this directory.
templates_path = ['_templates']
# The suffix(es) of source filenames.
# You can specify multiple suffix as a list of string:
# source_suffix = ['.rst', '.md']
source_suffix = '.rst'
# The encoding of source files.
# source_encoding = 'utf-8-sig'
# The master toctree document.
master_doc = 'index'
# General information about the project.
project = 'openstack-ansible-security'
copyright = '2015, openstack-ansible contributors'
author = 'openstack-ansible contributors'
# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
# built documents.
#
# The short X.Y version.
version = 'master'
# The full version, including alpha/beta/rc tags.
release = 'master'
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
#
# This is also used if you do content translation via gettext catalogs.
# Usually you set "language" from the command line for these cases.
language = None
# There are two options for replacing |today|: either, you set today to some
# non-false value, then it is used:
# today = ''
# Else, today_fmt is used as the format for a strftime call.
# today_fmt = '%B %d, %Y'
# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
exclude_patterns = []
# The reST default role (used for this markup: `text`) to use for all
# documents.
# default_role = None
# If true, '()' will be appended to :func: etc. cross-reference text.
# add_function_parentheses = True
# If true, the current module name will be prepended to all description
# unit titles (such as .. function::).
# add_module_names = True
# If true, sectionauthor and moduleauthor directives will be shown in the
# output. They are ignored by default.
# show_authors = False
# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'
# A list of ignored prefixes for module index sorting.
# modindex_common_prefix = []
# If true, keep warnings as "system message" paragraphs in the built documents.
# keep_warnings = False
# If true, `todo` and `todoList` produce output, else they produce nothing.
todo_include_todos = False
# -- Options for HTML output ----------------------------------------------
# The theme to use for HTML and HTML Help pages. See the documentation for
# a list of builtin themes.
html_theme = 'openstack'
# Theme options are theme-specific and customize the look and feel of a theme
# further. For a list of options available for each theme, see the
# documentation.
# html_theme_options = {}
# Add any paths that contain custom themes here, relative to this directory.
html_theme_path = ['_themes']
# The name for this set of Sphinx documents. If None, it defaults to
# "<project> v<release> documentation".
# html_title = None
# A shorter title for the navigation bar. Default is the same as html_title.
# html_short_title = None
# The name of an image file (relative to this directory) to place at the top
# of the sidebar.
# html_logo = None
# The name of an image file (within the static path) to use as favicon of the
# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
# pixels large.
# html_favicon = None
# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
html_static_path = ['_static']
# Add any extra paths that contain custom files (such as robots.txt or
# .htaccess) here, relative to this directory. These files are copied
# directly to the root of the documentation.
# html_extra_path = []
# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
# using the given strftime format.
# html_last_updated_fmt = '%b %d, %Y'
# If true, SmartyPants will be used to convert quotes and dashes to
# typographically correct entities.
# html_use_smartypants = True
# Custom sidebar templates, maps document names to template names.
# html_sidebars = {}
# Additional templates that should be rendered to pages, maps page names to
# template names.
# html_additional_pages = {}
# If false, no module index is generated.
# html_domain_indices = True
# If false, no index is generated.
# html_use_index = True
# If true, the index is split into individual pages for each letter.
# html_split_index = False
# If true, links to the reST sources are added to the pages.
# html_show_sourcelink = True
# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
# html_show_sphinx = True
# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
# html_show_copyright = True
# If true, an OpenSearch description file will be output, and all pages will
# contain a <link> tag referring to it. The value of this option must be the
# base URL from which the finished HTML is served.
# html_use_opensearch = ''
# This is the file name suffix for HTML files (e.g. ".xhtml").
# html_file_suffix = None
# Language to be used for generating the HTML full-text search index.
# Sphinx supports the following languages:
# 'da', 'de', 'en', 'es', 'fi', 'fr', 'h', 'it', 'ja'
# 'nl', 'no', 'pt', 'ro', 'r', 'sv', 'tr'
# html_search_language = 'en'
# A dictionary with options for the search language support, empty by default.
# Now only 'ja' uses this config value
# html_search_options = {'type': 'default'}
# The name of a javascript file (relative to the configuration directory) that
# implements a search results scorer. If empty, the default will be used.
# html_search_scorer = 'scorer.js'
# Output file base name for HTML help builder.
htmlhelp_basename = 'openstack-ansibledoc'
# -- Options for LaTeX output ---------------------------------------------
latex_elements = {
# The paper size ('letterpaper' or 'a4paper').
# 'papersize': 'letterpaper',
# The font size ('10pt', '11pt' or '12pt').
# 'pointsize': '10pt',
# Additional stuff for the LaTeX preamble.
# 'preamble': '',
# Latex figure (float) alignment
# 'figure_align': 'htbp',
}
# Grouping the document tree into LaTeX files. List of tuples
# (source start file, target name, title,
# author, documentclass [howto, manual, or own class]).
latex_documents = [
(master_doc, 'openstack-ansible.tex',
'openstack-ansible Documentation',
'openstack-ansible contributors', 'manual'),
]
# The name of an image file (relative to this directory) to place at the top of
# the title page.
# latex_logo = None
# For "manual" documents, if this is true, then toplevel headings are parts,
# not chapters.
# latex_use_parts = False
# If true, show page references after internal links.
# latex_show_pagerefs = False
# If true, show URL addresses after external links.
# latex_show_urls = False
# Documents to append as an appendix to all manuals.
# latex_appendices = []
# If false, no module index is generated.
# latex_domain_indices = True
# -- Options for manual page output ---------------------------------------
# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
man_pages = [
(master_doc, 'openstack-ansible',
'openstack-ansible Documentation',
[author], 1)
]
# If true, show URL addresses after external links.
# man_show_urls = False
# -- Options for Texinfo output -------------------------------------------
# Grouping the document tree into Texinfo files. List of tuples
# (source start file, target name, title, author,
# dir menu entry, description, category)
texinfo_documents = [
(master_doc, 'openstack-ansible',
'openstack-ansible Documentation',
author, 'openstack-ansible', 'One line description of project.',
'Miscellaneous'),
]
# Documents to append as an appendix to all manuals.
# texinfo_appendices = []
# If false, no module index is generated.
# texinfo_domain_indices = True
# How to display URL addresses: 'footnote', 'no', or 'inline'.
# texinfo_show_urls = 'footnote'
# If true, do not generate a @detailmenu in the "Top" node's menu.
# texinfo_no_detailmenu = False
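Review bot: the non-HTML build targets still carry the sphinx-quickstart placeholders: `latex_documents`, `man_pages` and `texinfo_documents` all name the project `openstack-ansible` instead of `openstack-ansible-security`, `htmlhelp_basename` is `openstack-ansibledoc`, and the Texinfo entry keeps the literal `'One line description of project.'`. Fix those before the docs job publishes them. Separately, `extensions` loads `oslosphinx` while `html_theme = 'openstack'` and `html_theme_path = ['_themes']` point at the vendored theme above; oslosphinx ships its own theme of the same name, so two `openstack` themes end up competing in `html_theme_path` and it is not obvious which one wins. Keep one. The `#!/usr/bin/env python3` shebang on a file that Sphinx `execfile()`s (per the header comment) is harmless but misleading and can be removed.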

File diff suppressed because it is too large

File diff suppressed because it is too large

@ -0,0 +1,267 @@
.. include:: <xhtml1-lat1.txt>
`Home <index.html>`__ |raquo| Security hardening for openstack-ansible
Category 3 (High) configurations
================================
.. contents::
:depth: 2
V-38653: The snmpd service must not use a default password.
-----------------------------------------------------------
Presence of the default SNMP password enables querying of different system
aspects and could result in unauthorized knowledge of the system.
Details: `V-38653 in STIG Viewer`_.
.. _V-38653 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38653
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38653.rst
V-38666: The system must use and update a DoD-approved virus scan program.
--------------------------------------------------------------------------
Virus scanning software can be used to detect if a system has been compromised
by computer viruses, as well as to limit their spread to other systems.
Details: `V-38666 in STIG Viewer`_.
.. _V-38666 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38666
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38666.rst
V-38668: The x86 Ctrl-Alt-Delete key sequence must be disabled.
---------------------------------------------------------------
A locally logged-in user who presses Ctrl-Alt-Delete, when at the console, can
reboot the system. If accidentally pressed, as could happen in the case of
mixed OS environment, this can create the risk of short-term loss of
availability of systems due to unintentional reboot. In the GNOME graphical
environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is
reduced because the user will be prompted before any action is taken.
Details: `V-38668 in STIG Viewer`_.
.. _V-38668 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38668
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38668.rst
V-38462: The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
-------------------------------------------------------------------------------------------------------------------------------------
Ensuring all packages' cryptographic signatures are valid prior to
installation ensures the provenance of the software and protects against
malicious tampering.
Details: `V-38462 in STIG Viewer`_.
.. _V-38462 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38462
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38462.rst
V-38497: The system must not have accounts configured with blank or null passwords.
-----------------------------------------------------------------------------------
If an account has an empty password, anyone could log in and run commands with
the privileges of that account. Accounts with empty passwords should never be
used in operational environments.
Details: `V-38497 in STIG Viewer`_.
.. _V-38497 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38497
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38497.rst
V-38677: The NFS server must not have the insecure file locking option enabled.
-------------------------------------------------------------------------------
Allowing insecure file locking could allow for sensitive data to be viewed or
edited by an unauthorized user.
Details: `V-38677 in STIG Viewer`_.
.. _V-38677 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38677
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38677.rst
V-38476: Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
-----------------------------------------------------------------------------------------------------------------
The Red Hat GPG keys are necessary to cryptographically verify packages are
from Red Hat.
Details: `V-38476 in STIG Viewer`_.
.. _V-38476 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38476
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38476.rst
V-38491: There must be no .rhosts or hosts.equiv files on the system.
---------------------------------------------------------------------
Trust files are convenient, but when used in conjunction with the R-services,
they can allow unauthenticated access to a system.
Details: `V-38491 in STIG Viewer`_.
.. _V-38491 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38491
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38491.rst
V-38607: The SSH daemon must be configured to use only the SSHv2 protocol.
--------------------------------------------------------------------------
SSH protocol version 1 suffers from design flaws that result in security
vulnerabilities and should not be used.
Details: `V-38607 in STIG Viewer`_.
.. _V-38607 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38607
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38607.rst
V-38602: The rlogind service must not be running.
-------------------------------------------------
The rlogin service uses unencrypted network communications, which means that
data from the login session, including passwords and all other information
transmitted during the session, can be stolen by eavesdroppers on the network.
Details: `V-38602 in STIG Viewer`_.
.. _V-38602 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38602
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38602.rst
V-38594: The rshd service must not be running.
----------------------------------------------
The rsh service uses unencrypted network communications, which means that data
from the login session, including passwords and all other information
transmitted during the session, can be stolen by eavesdroppers on the network.
Details: `V-38594 in STIG Viewer`_.
.. _V-38594 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38594
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38594.rst
V-38591: The rsh-server package must not be installed.
------------------------------------------------------
The "rsh-server" package provides several obsolete and insecure network
services. Removing it decreases the risk of those services' accidental (or
intentional) activation.
Details: `V-38591 in STIG Viewer`_.
.. _V-38591 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38591
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38591.rst
V-38598: The rexecd service must not be running.
------------------------------------------------
The rexec service uses unencrypted network communications, which means that
data from the login session, including passwords and all other information
transmitted during the session, can be stolen by eavesdroppers on the network.
Details: `V-38598 in STIG Viewer`_.
.. _V-38598 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38598
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38598.rst
V-38587: The telnet-server package must not be installed.
---------------------------------------------------------
Removing the "telnet-server" package decreases the risk of the unencrypted
telnet service's accidental (or intentional) activation. Mitigation: If the
telnet-server package is configured to only allow encrypted sessions, such as
with Kerberos or the use of encrypted network tunnels, the risk of exposing
sensitive information is mitigated.
Details: `V-38587 in STIG Viewer`_.
.. _V-38587 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38587
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38587.rst
V-38589: The telnet daemon must not be running.
-----------------------------------------------
The telnet protocol uses unencrypted network communication, which means that
data from the login session, including passwords and all other information
transmitted during the session, can be stolen by eavesdroppers on the network.
The telnet protocol is also subject to man-in-the-middle attacks. Mitigation:
If an enabled telnet daemon is configured to only allow encrypted sessions,
such as with Kerberos or the use of encrypted network tunnels, the risk of
exposing sensitive information is mitigated.
Details: `V-38589 in STIG Viewer`_.
.. _V-38589 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38589
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38589.rst
V-38701: The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
------------------------------------------------------------------------------------------------------------------------------
Using the "-s" option causes the TFTP service to only serve files from the
given directory. Serving files from an intentionally specified directory
reduces the risk of sharing files which should remain private.
Details: `V-38701 in STIG Viewer`_.
.. _V-38701 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38701
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38701.rst
V-38614: The SSH daemon must not allow authentication using an empty password.
------------------------------------------------------------------------------
Configuring this setting for the SSH daemon provides additional assurance that
remote login via SSH will require a password, even in the event of
misconfiguration elsewhere.
Details: `V-38614 in STIG Viewer`_.
.. _V-38614 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38614
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38614.rst
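Review bot: the title `Category 3 (High) configurations` inverts the DISA severity scale. In the STIG, CAT I is High and CAT III is Low, and every finding on this page (V-38653, V-38497, V-38614, V-38607, V-38462, V-38476, the rsh/rlogin/rexec/telnet controls, V-38701 and the rest) is a CAT I finding in the RHEL 6 STIG, which is also what the linked STIG Viewer pages will show. Either rename the file and heading to Category 1 (High) and reorder the index toctree, or state up front that this project's category numbering is its own and how it maps to DISA's. Minor: each of the 17 entries ends with `.. include:: developer-notes/<V-ID>.rst`, and a missing include is a hard Sphinx error, so check that all 17 files are present in this commit.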

@ -0,0 +1,12 @@
.. include:: <xhtml1-lat1.txt>
`Home <index.html>`__ |raquo| Security hardening for openstack-ansible
Security hardening configurations
=================================
.. toctree::
:maxdepth: 2
configurations-cat3.rst
configurations-cat2.rst
configurations-cat1.rst
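Review bot: the toctree order `cat3, cat2, cat1` only reads as High-to-Low under this page's own numbering; if the category names are aligned with DISA's (CAT I = High), flip the order so the High controls still come first.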

@ -0,0 +1,6 @@
If ``autofs`` is installed, it will be disabled by Ansible tasks. To opt-out
of this change, adjust the following variable:
.. code-block:: yaml
disable_services['autofs'] = no
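Review bot: the body of the `.. code-block:: yaml` directive, `disable_services['autofs'] = no`, is not YAML (it is a Python-style subscript assignment), so a deployer who pastes it into a vars file gets a parse error. If `disable_services` is a dictionary variable, the override is the mapping form `disable_services:` followed by an indented `autofs: no`. The note should also say where the override belongs (group vars, host vars or `-e`), since "adjust the following variable" names no file.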

@ -0,0 +1,8 @@
**Exception**
Adjusting the bootloader configuration can cause issues with reboots and this
work is left up to the deployer. Enabling auditing at boot time is helpful,
but the risk may not be worth the change in most environments.
The ``auditd`` process starts very early during the boot process to catch
events already, and this should be sufficient for most environments.
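Review bot: the last paragraph understates what is lost without `audit=1` on the kernel command line. The flag is not only about events that happen before auditd starts: processes that are created before auditing is enabled (init and the early services, plus anything they later spawn) do not carry the auditable flag, so their syscalls stay unaudited for the life of the process even after auditd is up. Say that plainly so the deployer can weigh the reboot risk against that gap, rather than reading the exception as "auditd starts early enough".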

@ -0,0 +1,5 @@
**Exception**
Although adding centralized authentication and carefully managing user
accounts is critical for securing any system, that's left up to deployers
to handle via their internal business processes.

@ -0,0 +1,4 @@
The Ansible tasks will ensure that ``/etc/gshadow`` is owned by root. This is
the default in Ubuntu 14.04 already, but the tasks will ensure that the
permissions match the STIG requirements in case they were changed by other
means after the installation of the operating system.

@ -0,0 +1,4 @@
**Exception**
See V-38551 for additional details. IPv6 configuration and filtering is left
up to the deployer.

@ -0,0 +1,3 @@
Although audit log files are owned by the root user and group by default
in Ubuntu 14.04, the Ansible task for V-38445 will ensure that they are
configured as such.

@ -0,0 +1,4 @@
Forwarding root's email to another user is highly recommended, but the Ansible
tasks won't configure an email address to receive root's email unless that
email address is configured. Set ``root_forward_email`` to an email address
that is ready to receive root's email.
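Review bot: "won't configure an email address ... unless that email address is configured" is circular. State that `root_forward_email` is unset by default, that the task is skipped while it is unset, and show the override in the same `.. code-block:: yaml` form the other developer notes use (`root_forward_email: <address>`).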

@ -0,0 +1,11 @@
**Exception**
Verifying contents of files installed from packages is more difficult in
Ubuntu, mainly due to the lack of an equivalent of ``rpm -V``. The ``debsums``
package installs the ``debsums`` command and that can be used to look for
files that have changed since the package was installed.
However, not all packages have MD5 checksums for all files and ``debsums``
doesn't do detailed checking like ``rpm``. Deployers are urged to run
``debsums -c`` to review changes made to files on their systems. This report
takes a long time to run on most systems.
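Review bot: two caveats belong in this note. First, `debsums -c` only prints files whose current MD5 differs from the package's stored `md5sums` and silently skips packages that shipped no md5sums file; `debsums -l` lists those packages, so pair the two commands to make the blind spot visible. Second, and more important for a hardening guide, the md5sums files live on the same filesystem as the binaries, so an attacker with root can update them alongside a modified file. `debsums` catches accidental or sloppy changes, not deliberate tampering, which is the same limitation `rpm -V` has without a trusted off-host baseline; say so instead of presenting it as an equivalent check.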

@ -0,0 +1,2 @@
Although the ``/etc/gshadow`` file is group-owned by root by default, the
Ansible tasks will ensure that it is configured that way.
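Review bot: "group-owned by root by default" is not true on Ubuntu 14.04, where `/etc/gshadow` is installed as `root:shadow` with mode `0640`, the same as `/etc/shadow`. The task still does the right thing for the STIG, but the note should say the group is being changed from `shadow` to `root`, and read together with the following note (mode `0000`) it means that afterwards only processes running as uid 0 can read the file.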

@ -0,0 +1,2 @@
The ``/etc/gshadow`` file's permissions will be changed to ``0000`` to meet
the requirements of the STIG.

@ -0,0 +1 @@
The ownership of ``/etc/passwd`` will be changed to root.

@ -0,0 +1 @@
The group ownership for ``/etc/passwd`` will be set to root.

@ -0,0 +1,5 @@
**Exception**
Verifying permissions of installed packages isn't possible in the current
version of ``dpkg`` as it is with ``rpm``. This security configuration is
skipped.

@ -0,0 +1,5 @@
**Exception**
Verifying ownership of installed packages isn't possible in the current
version of ``dpkg`` as it is with ``rpm``. This security configuration is
skipped.

@ -0,0 +1,6 @@
**Exception**
Verifying ownership of installed packages isn't possible in the current
version of ``dpkg`` as it is with ``rpm``. This security configuration is
skipped.
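Review bot: this note is a verbatim copy of the previous one ("Verifying ownership of installed packages isn't possible..."). If the two cover different V-IDs (owner versus group owner, for example), say which property each one is about; otherwise a single include can serve both. The underlying statement is correct and would be clearer if it named the tool: `dpkg --verify` (dpkg 1.17, which 14.04 ships) compares file MD5 sums only and has no notion of expected ownership or mode, unlike `rpm -V`.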

@ -0,0 +1,8 @@
**Exception**
Configuring another mount for ``/tmp`` can disrupt a running system and this
configuration is skipped.
However, deployers are strongly urged to consider creating a separate
partition and/or LVM logical volume for ``/tmp`` during installation of the OS
if possible.
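Review bot: repartitioning is not the only way to get the separate-filesystem property for `/tmp`. A `tmpfs` entry for `/tmp` in `/etc/fstab` with `nosuid,nodev` gives a distinct filesystem without touching the disk layout and takes effect at the next reboot, which is a much smaller change than the partition/LVM work the note points deployers at. List it as the alternative, with the usual caveat about sizing a tmpfs against available RAM.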

@ -0,0 +1,9 @@
**Exception**
Configuring another mount for ``/var`` can disrupt a running system and this
configuration is skipped.
However, deployers are strongly urged to consider creating a separate
partition and/or LVM logical volume for ``/var`` during installation of the OS
if possible.

@ -0,0 +1 @@
The permissions for ``/etc/passwd`` will be set to ``0644``.

@ -0,0 +1 @@
The tasks in file_perms.yml will ensure that "/etc/group" is owned by the root account.
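Review bot: markup is inconsistent with the other developer notes: `file_perms.yml` and `"/etc/group"` should use the double-backtick literal form (``file_perms.yml``, ``/etc/group``) that every other note here uses, and "the root account" should read ``root`` to match them.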

@ -0,0 +1,4 @@
The Ansible tasks will chek for ``all_squash`` in ``/etc/exports`` (if it is
present). If found, a warning message will be printed. No configuration
changes will be made since neither Ubuntu or openstack-ansible configures
the NFS server by default.
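Review bot: typos: `chek` should be `check`, and `neither Ubuntu or` should be `neither Ubuntu nor`. On the logic: a grep of `/etc/exports` alone misses exports defined in `/etc/exports.d/*.exports`, which `exportfs` also reads on nfs-utils versions that support that directory, so include it in the check. And since the result is only a warning, say what the deployer is expected to do with it (remove `all_squash`, or document the finding as accepted).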

@ -0,0 +1,2 @@
Ubuntu sets the mode of ``/etc/group`` to ``0644`` by default and the Ansible
task will ensure that it is current set to those permissions.
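Review bot: typo: `current set` should be `currently set`.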


@ -0,0 +1,9 @@
Ubuntu checks packages against GPG signatures by default. It can be turned
off for all package installations by a setting in /etc/apt/apt.conf.d/ and we
search for that in the Ansible task. A warning is printed if the
``AllowUnauthenticated`` configuration option is present in the apt
configuration directories.
Please note that users can pass an argument on the apt command line
to bypass the checks as well, but that's outside the scope of this check
and remediation.
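Review bot: ``/etc/apt/apt.conf.d/`` on the second line is unmarked while ``AllowUnauthenticated`` three lines later is a literal; mark the directory path as a literal too so the two render consistently.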


@ -0,0 +1,8 @@
**Exception**
Configuring a separate partition for ``/var/log`` is currently left up to the
deployer. There are security and operational benefits that come from the
change, but it must be done when the system is initially installed.
Deployers are urged to consider making a separate partition for ``/var/log``
during OS installation.


@ -0,0 +1,16 @@
Ubuntu's default for ``disk_error_action`` is ``SUSPEND``, which actually
only suspends audit logging. That could be a security issue, so ``SYSLOG``
is recommended and is set by default be openstack-ansible-security. There
are additional options available, like ``EXEC``, ``SINGLE`` or ``HALT``.
To configure a different ``disk_error_action``, set the following Ansible
variable:
.. code-block:: yaml
disk_error_action = SYSLOG
For details on available settings and what they do, run ``man auditd.conf``.
Some options can cause the host to go offline until the issue is fixed.
Deployers are urged to **carefully read the auditd documentation** prior to
changing the ``disk_error_action`` setting from the default.
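Review bot: the example under ``.. code-block:: yaml`` is not valid YAML for an Ansible variable. ``disk_error_action = SYSLOG`` is the ``auditd.conf`` key/value syntax; a variable set for the role needs a colon, ``disk_error_action: SYSLOG``, matching the ``password_minimum_length: 14`` example elsewhere in this change. Also, "set by default be openstack-ansible-security" on the third line should read "by openstack-ansible-security", and as rendered here the directive body is neither indented nor separated from the directive by a blank line, which Sphinx requires for the block to render.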


@ -0,0 +1,5 @@
**Exception**
Ubuntu 14.04 sets library files to have ``0755`` (or more restrictive)
permissions by default. Deployers are urged to review the permissions
of libraries regularly to ensure the system hasn't been altered.


@ -0,0 +1,5 @@
**Exception**
As with V-38465, Ubuntu sets the ownership of library files to root by
default. Deployers are urged to configure monitoring for changes to these
files.


@ -0,0 +1,4 @@
**Exception**
Storing audit logs on a separate partition is recommended, but this change
is left up to deployers to configure during the installation of the OS.


@ -0,0 +1,19 @@
Ubuntu's default for ``disk_full_action`` is ``SUSPEND``, which actually
only suspends audit logging. That could be a security issue, so ``SYSLOG``
is recommended and is set by default be openstack-ansible-security. If syslog
messages are being sent to remote servers, these log messages should alert
an administrator about the disk being full. There are additional options
available, like ``EXEC``, ``SINGLE`` or ``HALT``.
To configure a different ``disk_full_action``, set the following Ansible
variable:
.. code-block:: yaml
disk_full_action = SYSLOG
For details on available settings and what they do, run ``man auditd.conf``.
Some options can cause the host to go offline until the issue is fixed.
Deployers are urged to **carefully read the auditd documentation** prior to
changing the ``disk_full_action`` setting from the default.
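Review bot: same problem as the ``disk_error_action`` note: ``disk_full_action = SYSLOG`` inside a ``yaml`` code-block is ``auditd.conf`` syntax, not an Ansible variable assignment; it should be ``disk_full_action: SYSLOG``. "set by default be openstack-ansible-security" on the third line should also read "by openstack-ansible-security".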


@ -0,0 +1,5 @@
**Exception**
Ubuntu sets the permissions for system commands to ``0755`` or less already.
Deployers are urged to review these permissions for changes over time as they
can be a sign of a compromise.


@ -0,0 +1,18 @@
Ubuntu's default for ``space_left_action`` is ``SUSPEND``, which actually
only suspends audit logging. That could be a security issue, so ``SYSLOG``
is recommended and is set by default be openstack-ansible-security. If syslog
messages are being sent to remote servers, these log messages should alert
an administrator about the disk being almost full. There are additional options
available, like ``EXEC``, ``SINGLE`` or ``HALT``.
To configure a different ``space_left_action``, set the following Ansible
variable:
.. code-block:: yaml
space_left_action = SYSLOG
For details on available settings and what they do, run ``man auditd.conf``.
Some options can cause the host to go offline until the issue is fixed.
Deployers are urged to **carefully read the auditd documentation** prior to
changing the ``space_left_action`` setting from the default.
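Review bot: ``space_left_action = SYSLOG`` in the ``yaml`` code-block has the same syntax error as the other two auditd notes in this change; an Ansible variable is written ``space_left_action: SYSLOG``. The "set by default be openstack-ansible-security" typo on the third line is repeated here as well.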


@ -0,0 +1,4 @@
An Ansible task will adjust ``active`` from `no` to `yes` in
``/etc/audisp/plugins.d/syslog.conf`` so that auditd records are forwarded to
syslog automatically. The auditd daemon will be restarted if the configuration
file is changed.
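Review bot: `no` and `yes` on the first line use single backticks, which in reStructuredText is interpreted text (rendered in italics by the default role), not a literal; use ``no`` and ``yes`` to match ``/etc/audisp/plugins.d/syslog.conf`` on the next line.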


@ -0,0 +1,5 @@
**Exception**
Ubuntu sets system commands to be owned by root by default Deployers are
urged to review ownership changes via auditd rules to ensure system
commands haven't changed ownership over time.
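Review bot: missing sentence break on the first line: "owned by root by default Deployers are" should read "owned by root by default. Deployers are".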


@ -0,0 +1,4 @@
**Exception**
Creating ``/home`` on a different partition is highly recommended but it is
left to deployers to configure during the installation of the OS.


@ -0,0 +1,4 @@
**Exception**
The openstack-ansible roles don't install X by default, so there is no
graphical desktop to configure.


@ -0,0 +1,12 @@
**Configuration required**
Ubuntu 14.04 does not set a password length requirement by default. The STIG
recommends passwords to be a minimum of 14 characters in length. To apply this
setting, set the following Ansible variable:
.. code-block:: yaml
password_minimum_length: 14
Deployers are urged to avoid the use of passwords and rely upon SSH keys if
possible.


@ -0,0 +1,21 @@
The STIG talks about yum having the RHN GPG keys installed, but this
requirement has been adapted to check for the Ubuntu signing keys normally
present in Ubuntu 14.04.
See ``tasks/apt.yml`` for more details::
# apt-key list
/etc/apt/trusted.gpg
--------------------
pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub 2048g/79164387 2004-09-12
pub 1024D/FBB75451 2004-12-30
uid Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>
pub 4096R/C0B21F32 2012-05-11
uid Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>
pub 4096R/EFE21092 2012-05-11
uid Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
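Review bot: the key identifiers shown in the ``apt-key list`` output (``437D05B5``, ``FBB75451``, ``C0B21F32``, ``EFE21092``) are 32-bit short key IDs. If ``tasks/apt.yml`` matches on these strings, consider matching on the full key fingerprints instead; short IDs are small enough that a key with a colliding ID can be generated, so a presence check on them is weak evidence that the genuine Ubuntu keys are installed. Also, "See ``tasks/apt.yml`` for more details::" introduces a literal block that is ``apt-key`` output rather than the task file; reword the lead-in so it describes what follows.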


@ -0,0 +1,10 @@
**Configuration required**
Ubuntu doesn't set a limitation on how frequently uses can change passwords.
However, the STIG recommends setting a limit of one password change per day.
To enable this configuration, use this Ansible variable:
.. code-block:: yaml
password_minimum_days: 14
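Review bot: the example contradicts the text. The note says the STIG recommends "a limit of one password change per day", but the variable is set to ``password_minimum_days: 14``, which would block password changes for two weeks; per the sentence above it should be ``password_minimum_days: 1``. Separately, "how frequently uses can change passwords" on the first line should read "users".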


@ -0,0 +1,4 @@
**Exception**
Ubuntu doesn't use the Red Hat Network Service, so this requirement doesn't
apply.


@ -0,0 +1,12 @@
**Configuration required**
Ubuntu doesn't set a limitation on the age of passwords.
However, the STIG recommends setting a limit of 60 days before a password must
be changed.
To enable this configuration, use this Ansible variable:
.. code-block:: yaml
password_maximum_days: 60


@ -0,0 +1,10 @@
**Configuration required**
After enabling password age limits in V-38479, be sure to configure
warnings for users so they know when their password is approaching expiration.
STIG's recommendation is seven days prior to the expiration. Use an Ansible
variable to configure the warning:
.. code-block:: yaml
password_warn_age: 7


@ -0,0 +1,10 @@
**Exception**
Operating system patching is left up to the deployer to configure based on
their business requirements and toleration for risk. Enabling automated
updates in Ubuntu can be done with changes to the apt configuration.
Ubuntu's documentation on `automatic updates`_ covers a few options for
configuring apt.
.. _automatic_updates: https://help.ubuntu.com/lts/serverguide/automatic-updates.html
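Review bot: the hyperlink reference and its target do not match. The text uses `automatic updates`_ (with a space) while the target is declared as ``.. _automatic_updates:`` (with an underscore), so Sphinx will report an unknown target and render a broken link. Change the target to ``.. _automatic updates:`` or the reference to `automatic_updates`_.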


@ -0,0 +1,10 @@
**Exception**
Password complexity requirements are left up to the deployer. Deployers are
urged to rely on SSH keys as often as possible to avoid problems with
passwords.
Review the pam_cracklib documentation by running ``man pam_cracklib`` or
read the `detailed documentation from Hal Pomeranz`_.
.. _detailed documentation from Hal Pomeranz: http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html


@ -0,0 +1,3 @@
The Ansible task for V-38462 already checks for apt configurations that would
disable any GPG checks when installing packages. However, it's possible for
the root user to override these configurations via command line parameters.


@ -0,0 +1,3 @@
Ubuntu 14.04 already enables the display of the last successful login for a
user immediately after login. An Ansible task ensures this setting is
applied and restarts the ssh daemon if necessary.


@ -0,0 +1,5 @@
**Exception**
System backups are left to the deployer to configure. Deployers are stringly
urged to maintain backups of each system, including log files and critical
configuration information.
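Review bot: typo on the second line, "stringly urged" should be "strongly urged".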


@ -0,0 +1,3 @@
The Ansible task for V-38462 already checks for apt configurations that would
disable any GPG checks when installing packages. However, it's possible for
the root user to override these configurations via command line parameters.


@ -0,0 +1,5 @@
**Exception**
System backups are left to the deployer to configure. Deployers are stringly
urged to maintain backups of each system, including log files and critical
configuration information.
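Review bot: same typo as the earlier backup note in this change, "stringly urged" should be "strongly urged".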


@ -0,0 +1 @@
The ``aide`` package will be installed by Ansible tasks.


@ -0,0 +1,9 @@
**Exception**
Disabling the ``usb-storage`` module can add extra security, but it's not
necessary on most systems. To disable the ``usb-storage`` module on hosts,
set ``disable_usb_storage`` to ``yes``:
.. code-block:: yaml
disable_usb_storage: yes
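Review bot: this note is labelled **Exception** but then documents a variable the role honours (``disable_usb_storage: yes``). The other notes in this change that expose a variable use the **Configuration required** label; pick one so deployers scanning the labels can tell which controls are actually implementable through the role.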


@ -0,0 +1,4 @@
The Ansible task will check for the presence of ``/etc/hosts.equiv`` and
``/root/.rhosts``. Both of those files could potentially be used with ``rsh``
for host access, but ``rshd`` is not installed by default with Ubuntu 14.04
or openstack-ansible.


@ -0,0 +1,2 @@
The virtual consoles mentioned in V-38492 aren't used in Ubuntu 14.04 by
default.


@ -0,0 +1,3 @@
Ubuntu 14.04 sets the mode of ``/var/log/audit/`` to ``0750`` by default. The
Ansible task for this requirement ensures that the mode is ``0750`` (which
is more strict than the STIG requirement).


@ -0,0 +1,7 @@
**Exception**
Removing serial consoles from ``/etc/securetty`` can make troubleshooting
a server extremely difficult. Deployers are urged to use strong physical
security practices to prevent unauthorized users from gaining physical access
to critical hosts. In addition, out-of-band systems that allow for serial
over LAN access should also be heavily secured.


@ -0,0 +1,2 @@
The Ansible tasks will ensure that files in ``/var/log/audit`` are owned
by the root user.


@ -0,0 +1,5 @@
Making adjustments to PAM configuration can be **very dangerous** for a
production system, so the Ansible task runs a check for text matching
``nullok`` in ``/etc/pam.d/common-auth`` (different than
``/etc/pam.d/system-auth`` found in RHEL 6) and prints a warning if it is
found.


@ -0,0 +1,2 @@
The Ansible task will search for password hashes in ``/etc/passwd`` using
awk and report a failure if any are found.


@ -0,0 +1 @@
Rules are added for auditing changes to system time made via ``settimeofday``.


@ -0,0 +1 @@
Rules are added for auditing changes to system time done via ``stime``.


@ -0,0 +1,2 @@
Rules are added for auditing changes to system time done via
``clock_settime``.


@ -0,0 +1,2 @@
Rules are added to auditd to log all attempts to change the system time using
``/etc/localtime``.


@ -0,0 +1,3 @@
**Exception**
The audit rules from V-38534 already cover all account modifications.


@ -0,0 +1,3 @@
Audit rules are added in a task so that any events associated with
account modifications are logged. The new audit rule will be loaded immediately
with ``augenrules --load``.


@ -0,0 +1,3 @@
**Exception**
The audit rules from V-38534 already cover all account modifications.


@ -0,0 +1,3 @@
**Exception**
The audit rules from V-38534 already cover all account modifications.


@ -0,0 +1,3 @@
Rules are added for auditing network configuration changes. The path to
Ubuntu's standard network configuration location has replaced the path
to Red Hat's default network configuration location.


@ -0,0 +1,5 @@
The RHEL 6 STIG requires that changes to SELinux policies and configuration are
audited. However, Ubuntu's preference for Mandatory Access Control (MAC) is
AppArmor and openstack-ansible configures AppArmor by default.
This requirement has been modified to fit AppArmor on an Ubuntu system.


@ -0,0 +1,2 @@
Rules are added for auditd to log discretionary access control permission
changes done with fchmod.
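Review bot: the syscall name fchmod is plain text here, while the sibling notes for ``fsetxattr``, ``lchown`` and ``lremovexattr`` mark the syscall as a literal; use ``fchmod`` for consistency.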


@ -0,0 +1,2 @@
Rules are added for auditing discretionary access control changes made via
fchmodat.
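Review bot: fchmodat should be marked as a literal (``fchmodat``) to match the other DAC audit notes in this change.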


@ -0,0 +1,18 @@
**Exception**
Filtering IPv6 traffic is left up to the deployer to implement. The
openstack-ansible roles don't configure IPv6 (at this time) and adding
persistent ip6tables rules could harm a running system.
However, deployers are strongly recommended to implement IPv6 filtering at the
edges of the network via network devices. In addition, deployers should be
aware that link-local IPv6 addresses are configured automatcally by the system
and those addresses could open up new network paths for future attacks.
For example, if IPv4 access was tightly controlled and segmented, hosts and/or
containers could possibly communicate across these boundaries using IPv6
link-local addresses. For more detailed information on this security topic,
review Cisco's documentation titled `IPv6 Security Brief`_ that is available
on their website.
.. _IPv6 Security Brief: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-678658.html
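Review bot: typo on the seventh line, "automatcally" should be "automatically"; on the fifth line "deployers are strongly recommended to implement" reads better as "deployers are strongly encouraged to implement".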


@ -0,0 +1,2 @@
Rules are added for auditing discretionary access control changes
made by fchown.
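Review bot: fchown should be marked as a literal (``fchown``) like the syscall names in the neighbouring notes.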


@ -0,0 +1,2 @@
Rules are added for auditing discretionary access control changes made
by fremovexattr.
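Review bot: fremovexattr should be marked as a literal (``fremovexattr``) for consistency with the other DAC audit notes.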


@ -0,0 +1,2 @@
Rules are added for auditing discretionary access control changes made via
``fsetxattr``.


@ -0,0 +1,2 @@
Rules are added for auditing discretionary access control changes made via
``lchown``.


@ -0,0 +1,2 @@
Rules are added for auditing discretionary access control changes made via
``lremovexattr``.


@ -0,0 +1,3 @@
Rules are added to auditd to log all DAC modifications using `lsetxattr`_.
.. _lsetxattr: http://linux.die.net/man/2/lsetxattr


@ -0,0 +1,3 @@
Audit rules are added in a task so that any events associated with the
discretionary access controls (DAC) permission modifications are logged.
The new audit rule will be loaded immediately with ``augenrules --load``.


@ -0,0 +1,4 @@
Rules are added so that all permission modifications made via `setxattr`_ are
logged.
.. _setxattr: http://man7.org/linux/man-pages/man2/setxattr.2.html


@ -0,0 +1 @@
Rules are added for auditd to log failed access attempts to files and programs.


@ -0,0 +1,6 @@
**Exception**
Keeping the list of setuid/setgid applications up to date and adding the paths
to those files within the ``audit.rules`` file is challenging. Deployers are
urged to use setuid/setgid sparingly and carefully monitor all applications
with those permissions set.

View File

@ -0,0 +1 @@
Rules are added for auditd to log successful filesystem mounts.
