Merge "Use new ansible-hardening role"
This commit is contained in:
commit
3f0d07b53c
@ -1,3 +1,7 @@
|
||||
- name: ansible-hardening
|
||||
scm: git
|
||||
src: https://git.openstack.org/openstack/ansible-hardening
|
||||
version: master
|
||||
- name: apt_package_pinning
|
||||
scm: git
|
||||
src: https://git.openstack.org/openstack/openstack-ansible-apt_package_pinning
|
||||
@ -38,10 +42,6 @@
|
||||
scm: git
|
||||
src: https://git.openstack.org/openstack/openstack-ansible-memcached_server
|
||||
version: master
|
||||
- name: openstack-ansible-security
|
||||
scm: git
|
||||
src: https://git.openstack.org/openstack/openstack-ansible-security
|
||||
version: master
|
||||
- name: openstack_hosts
|
||||
scm: git
|
||||
src: https://git.openstack.org/openstack/openstack-ansible-openstack_hosts
|
||||
|
@ -5,7 +5,7 @@ Security hardening
|
||||
==================
|
||||
|
||||
OpenStack-Ansible automatically applies host security hardening configurations
|
||||
by using the `openstack-ansible-security`_ role. The role uses a version of the
|
||||
by using the `ansible-hardening`_ role. The role uses a version of the
|
||||
`Security Technical Implementation Guide (STIG)`_ that has been adapted for
|
||||
Ubuntu 14.04 and OpenStack.
|
||||
|
||||
@ -33,6 +33,6 @@ audit an environment by using a playbook supplied with OpenStack-Ansible:
|
||||
For more information about the security configurations, see the
|
||||
`OpenStack-Ansible host security`_ hardening documentation.
|
||||
|
||||
.. _openstack-ansible-security: http://docs.openstack.org/developer/openstack-ansible-security/
|
||||
.. _ansible-hardening: http://docs.openstack.org/developer/ansible-hardening/
|
||||
.. _Security Technical Implementation Guide (STIG): https://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide
|
||||
.. _OpenStack-Ansible host security: http://docs.openstack.org/developer/openstack-ansible-security/
|
||||
.. _OpenStack-Ansible host security: http://docs.openstack.org/developer/ansible-hardening/
|
||||
|
@ -58,7 +58,7 @@ to all deployments. The role has been carefully designed to perform as follows:
|
||||
For more information about configuring the role in OpenStack-Ansible, see
|
||||
:ref:`security_hardening`.
|
||||
|
||||
.. _security hardening role: http://docs.openstack.org/developer/openstack-ansible-security/
|
||||
.. _security hardening role: http://docs.openstack.org/developer/ansible-hardening/
|
||||
.. _Security Technical Implementation Guide: https://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide
|
||||
.. _Defense Information Systems Agency: http://www.disa.mil/
|
||||
.. _Payment Card Industry Data Security Standard: https://www.pcisecuritystandards.org/pci_security/
|
||||
|
@ -94,11 +94,11 @@ openrc_os_domain_name: "Default"
|
||||
openrc_region_name: "{{ service_region }}"
|
||||
|
||||
## Host security hardening
|
||||
# The openstack-ansible-security role provides security hardening for hosts
|
||||
# The ansible-hardening role provides security hardening for hosts
|
||||
# by applying security configurations from the STIG. Hardening is enabled by
|
||||
# default, but an option to opt out is available by setting the following
|
||||
# variable to 'false'.
|
||||
# Docs: http://docs.openstack.org/developer/openstack-ansible-security/
|
||||
# Docs: http://docs.openstack.org/developer/ansible-hardening/
|
||||
apply_security_hardening: true
|
||||
|
||||
## Ansible ssh configuration
|
||||
|
@ -21,7 +21,7 @@ security_package_state: "{{ package_state }}"
|
||||
# Disable /etc/hosts management if unbound DNS resolution containers exist
|
||||
openstack_host_manage_hosts_file: "{{ groups['unbound'] is not defined or groups['unbound'] | length < 1 }}"
|
||||
|
||||
# Use the RHEL 7 STIG content from the openstack-ansible-security role
|
||||
# Use the RHEL 7 STIG content from the ansible-hardening role
|
||||
stig_version: rhel7
|
||||
|
||||
# Temporarily avoid putting SELinux into enforcing mode on CentOS 7 until some
|
||||
|
@ -22,7 +22,7 @@
|
||||
gather_facts: "{{ gather_facts | default(True) }}"
|
||||
user: root
|
||||
roles:
|
||||
- role: "openstack-ansible-security"
|
||||
- role: "ansible-hardening"
|
||||
when: apply_security_hardening | bool
|
||||
environment: "{{ deployment_environment_variables | default({}) }}"
|
||||
tags:
|
||||
|
@ -91,11 +91,11 @@
|
||||
copy:
|
||||
content: |
|
||||
clonemap:
|
||||
- name: 'openstack/openstack-ansible-security'
|
||||
dest: '{{ role_path_default }}/openstack-ansible-security'
|
||||
- name: 'openstack/openstack-ansible-(?!security)(.*)'
|
||||
- name: 'openstack/ansible-hardening'
|
||||
dest: '{{ role_path_default }}/ansible-hardening'
|
||||
- name: 'openstack/openstack-ansible-(.*)'
|
||||
dest: '{{ role_path_default }}/\1'
|
||||
- name: 'openstack/(?!openstack-ansible)(.*)'
|
||||
- name: 'openstack/(?!(openstack-ansible|ansible-hardening))(.*)'
|
||||
dest: '/tmp/openstack/\1'
|
||||
dest: "/tmp/zuul-clonemap.yml"
|
||||
when:
|
||||
|
Loading…
Reference in New Issue
Block a user