diff --git a/deploy-guide/source/app-advanced-config-options.rst b/deploy-guide/source/app-advanced-config-options.rst index c27d9113d8..317554144e 100644 --- a/deploy-guide/source/app-advanced-config-options.rst +++ b/deploy-guide/source/app-advanced-config-options.rst @@ -9,6 +9,5 @@ Appendix I: Advanced configuration :maxdepth: 2 app-advanced-config-override - app-advanced-config-security app-advanced-config-sslcertificates app-advanced-config-affinity diff --git a/deploy-guide/source/app-advanced-config-security.rst b/deploy-guide/source/app-advanced-config-security.rst deleted file mode 100644 index 6bfc46ceba..0000000000 --- a/deploy-guide/source/app-advanced-config-security.rst +++ /dev/null 
@@ -1,38 +0,0 @@ -.. _security_hardening: - -================== -Security hardening -================== - -OpenStack-Ansible automatically applies host security hardening configurations -by using the `ansible-hardening`_ role. The role uses a version of the -`Security Technical Implementation Guide (STIG)`_ that has been adapted for -Ubuntu 14.04 and OpenStack. - -The role is applicable to physical hosts within an OpenStack-Ansible deployment -that are operating as any type of node, infrastructure or compute. By -default, the role is enabled. You can disable it by changing the value of -the ``apply_security_hardening`` variable in the ``user_variables.yml`` file -to ``false``: - -.. code-block:: yaml - - apply_security_hardening: false - -You can apply security hardening configurations to an existing environment or -audit an environment by using a playbook supplied with OpenStack-Ansible: - -.. code-block:: bash - - # Apply security hardening configurations - openstack-ansible security-hardening.yml - - # Perform a quick audit by using Ansible's check mode - openstack-ansible --check security-hardening.yml - -For more information about the security configurations, see the -`OpenStack-Ansible host security`_ hardening documentation. - -.. _ansible-hardening: http://docs.openstack.org/developer/ansible-hardening/ -.. _Security Technical Implementation Guide (STIG): https://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide -.. _OpenStack-Ansible host security: http://docs.openstack.org/developer/ansible-hardening/ diff --git a/deploy-guide/source/app-security.rst b/deploy-guide/source/app-security.rst index 0929787c21..8f83bcffde 100644 --- a/deploy-guide/source/app-security.rst +++ b/deploy-guide/source/app-security.rst 
@@ -48,15 +48,36 @@ Host security hardening is required by several compliance and regulatory programs, such as the `Payment Card Industry Data Security Standard`_ (PCI DSS) (Requirement 2.2). -By default, OpenStack-Ansible automatically applies the security hardening role +By default, OpenStack-Ansible automatically applies the ansible-hardening role to all deployments. The role has been carefully designed to perform as follows: * Apply nondisruptively to a production OpenStack environment * Balance security with OpenStack performance and functionality * Run as quickly as possible -For more information about configuring the role in OpenStack-Ansible, see -:ref:`security_hardening`. +The role is applicable to physical hosts within an OpenStack-Ansible deployment +that are operating as any type of node, infrastructure or compute. By +default, the role is enabled. You can disable it by changing the value of +the ``apply_security_hardening`` variable in the ``user_variables.yml`` file +to ``false``: + +.. code-block:: yaml + + apply_security_hardening: false + +You can apply security hardening configurations to an existing environment or +audit an environment by using a playbook supplied with OpenStack-Ansible: + +.. code-block:: bash + + # Apply security hardening configurations + openstack-ansible security-hardening.yml + + # Perform a quick audit by using Ansible's check mode + openstack-ansible --check security-hardening.yml + +For more information about the security configurations, see the +`security hardening role`_ documentation. .. _security hardening role: http://docs.openstack.org/developer/ansible-hardening/ .. _Security Technical Implementation Guide: https://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide
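
Review bot: The deletion of app-advanced-config-security.rst also deletes the ``.. _security_hardening:`` label, and only the one ``:ref:`security_hardening``` in app-security.rst is removed here. Any other page that still uses that reference will fail to resolve when the docs are built, so please search the doc tree for ``security_hardening`` before merging. The deleted sentence saying the STIG version "has been adapted for Ubuntu 14.04 and OpenStack" is not among the lines added to app-security.rst. Confirm the existing text there already covers it, or carry it over.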
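
Review bot: In the app-security.rst hunk, the added instructions for setting ``apply_security_hardening`` to ``false`` come directly after the paragraph that cites host hardening as required by PCI DSS (Requirement 2.2), with nothing said about what disabling the role means for that requirement. Add a sentence stating that turning the role off removes this control from the hosts, so readers under such programs do not treat it as a neutral toggle. Two smaller points in the same hunk: the added "By default, the role is enabled." repeats the opening "By default, OpenStack-Ansible automatically applies the ansible-hardening role" and can be dropped, and the opening sentence now says "ansible-hardening role" while the closing link text still reads "security hardening role", so pick one name.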