Merge "Use new ansible-hardening role"

This commit is contained in:
Jenkins 2017-06-12 21:40:19 +00:00 committed by Gerrit Code Review
commit 3f0d07b53c
7 changed files with 16 additions and 16 deletions

View File

@ -1,3 +1,7 @@
- name: ansible-hardening
scm: git
src: https://git.openstack.org/openstack/ansible-hardening
version: master
- name: apt_package_pinning
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-apt_package_pinning
@ -38,10 +42,6 @@
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-memcached_server
version: master
- name: openstack-ansible-security
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-security
version: master
- name: openstack_hosts
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-openstack_hosts

View File

@ -5,7 +5,7 @@ Security hardening
==================
OpenStack-Ansible automatically applies host security hardening configurations
by using the `openstack-ansible-security`_ role. The role uses a version of the
by using the `ansible-hardening`_ role. The role uses a version of the
`Security Technical Implementation Guide (STIG)`_ that has been adapted for
Ubuntu 14.04 and OpenStack.
@ -33,6 +33,6 @@ audit an environment by using a playbook supplied with OpenStack-Ansible:
For more information about the security configurations, see the
`OpenStack-Ansible host security`_ hardening documentation.
.. _openstack-ansible-security: http://docs.openstack.org/developer/openstack-ansible-security/
.. _ansible-hardening: http://docs.openstack.org/developer/ansible-hardening/
.. _Security Technical Implementation Guide (STIG): https://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide
.. _OpenStack-Ansible host security: http://docs.openstack.org/developer/openstack-ansible-security/
.. _OpenStack-Ansible host security: http://docs.openstack.org/developer/ansible-hardening/

View File

@ -58,7 +58,7 @@ to all deployments. The role has been carefully designed to perform as follows:
For more information about configuring the role in OpenStack-Ansible, see
:ref:`security_hardening`.
.. _security hardening role: http://docs.openstack.org/developer/openstack-ansible-security/
.. _security hardening role: http://docs.openstack.org/developer/ansible-hardening/
.. _Security Technical Implementation Guide: https://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide
.. _Defense Information Systems Agency: http://www.disa.mil/
.. _Payment Card Industry Data Security Standard: https://www.pcisecuritystandards.org/pci_security/

View File

@ -94,11 +94,11 @@ openrc_os_domain_name: "Default"
openrc_region_name: "{{ service_region }}"
## Host security hardening
# The openstack-ansible-security role provides security hardening for hosts
# The ansible-hardening role provides security hardening for hosts
# by applying security configurations from the STIG. Hardening is enabled by
# default, but an option to opt out is available by setting the following
# variable to 'false'.
# Docs: http://docs.openstack.org/developer/openstack-ansible-security/
# Docs: http://docs.openstack.org/developer/ansible-hardening/
apply_security_hardening: true
## Ansible ssh configuration

View File

@ -21,7 +21,7 @@ security_package_state: "{{ package_state }}"
# Disable /etc/hosts management if unbound DNS resolution containers exist
openstack_host_manage_hosts_file: "{{ groups['unbound'] is not defined or groups['unbound'] | length < 1 }}"
# Use the RHEL 7 STIG content from the openstack-ansible-security role
# Use the RHEL 7 STIG content from the ansible-hardening role
stig_version: rhel7
# Temporarily avoid putting SELinux into enforcing mode on CentOS 7 until some

View File

@ -22,7 +22,7 @@
gather_facts: "{{ gather_facts | default(True) }}"
user: root
roles:
- role: "openstack-ansible-security"
- role: "ansible-hardening"
when: apply_security_hardening | bool
environment: "{{ deployment_environment_variables | default({}) }}"
tags:

View File

@ -91,11 +91,11 @@
copy:
content: |
clonemap:
- name: 'openstack/openstack-ansible-security'
dest: '{{ role_path_default }}/openstack-ansible-security'
- name: 'openstack/openstack-ansible-(?!security)(.*)'
- name: 'openstack/ansible-hardening'
dest: '{{ role_path_default }}/ansible-hardening'
- name: 'openstack/openstack-ansible-(.*)'
dest: '{{ role_path_default }}/\1'
- name: 'openstack/(?!openstack-ansible)(.*)'
- name: 'openstack/(?!(openstack-ansible|ansible-hardening))(.*)'
dest: '/tmp/openstack/\1'
dest: "/tmp/zuul-clonemap.yml"
when: