Apply host security hardening by default

Security hardening has been applied to all gate jobs since January 2016 in the Mitaka release. This patch enables security hardening for all deployments in Newton by changing the apply_security_hardening variable to true by default. Change-Id: Ia30a54f9e94c7341a306a7ed7561cdbc3e234db2
2016-04-05 13:18:22 -05:00 · 2016-04-05 13:18:22 -05:00 · b6a5c9a0ba
commit b6a5c9a0ba
parent 5aa25a4607
3 changed files with 19 additions and 12 deletions
--- a/doc/source/install-guide/configure-initial.rst
+++ b/doc/source/install-guide/configure-initial.rst
@ -85,22 +85,22 @@ container on each host, but there would be no RabbitMQ containers deployed.
 Security Hardening
 ^^^^^^^^^^^^^^^^^^

-Deployers have the option to automatically apply security hardening to an
-OpenStack Ansible deployment using the `openstack-ansible-security`_ role. The
-role uses a version of the `Security Technical Implementation Guide (STIG)`_
-that has been adapted for Ubuntu 14.04 and OpenStack.
+OpenStack-Ansible automatically applies host security hardening configurations
+using the `openstack-ansible-security`_ role. The role uses a version of the
+`Security Technical Implementation Guide (STIG)`_ that has been adapted for
+Ubuntu 14.04 and OpenStack.

 The role is applicable to physical hosts within an OpenStack-Ansible deployment
 that are operating as any type of node -- infrastructure or compute. By
-default, the role is disabled. Deployers can enable it by changing a variable
+default, the role is enabled. Deployers can disable it by changing a variable
 within ``user_variables.yml``:

 .. code-block:: yaml

-    apply_security_hardening: true
+    apply_security_hardening: false

-When the variable is set, the role will be applied by the ``setup-hosts.yml``
-playbook automatically during deployments.
+When the variable is set to ``true``, the ``setup-hosts.yml`` playbook applies
+the role during deployments.

 Deployers can apply security configurations to an existing environment or audit
 an environment using a playbook supplied with OpenStack-Ansible:
--- a/playbooks/inventory/group_vars/hosts.yml
+++ b/playbooks/inventory/group_vars/hosts.yml
@ -75,11 +75,11 @@ memcached_servers: "{% for host in groups['memcached'] %}{{ hostvars[host]['ansi

 ## Host security hardening
 # The openstack-ansible-security role provides security hardening for hosts
-# by applying security configurations from the STIG. Hardening is disabled by
-# default, but an option to opt-in is available by setting the following
-# variable to 'true'.
+# by applying security configurations from the STIG. Hardening is enabled by
+# default, but an option to opt out is available by setting the following
+# variable to 'false'.
 # Docs: http://docs.openstack.org/developer/openstack-ansible-security/
-apply_security_hardening: false
+apply_security_hardening: true

 ## Region Name
 service_region: RegionOne
--- a/releasenotes/notes/default-enable-host-security-hardening-eb73923218abbc2c.yaml
+++ b/releasenotes/notes/default-enable-host-security-hardening-eb73923218abbc2c.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - Host security hardening is now applied by default using the
+    ``openstack-ansible-security`` role. Developers can opt out by setting the
+    ``apply_security_hardening`` Ansible variable to ``false``. For more
+    information about the role and the changes it makes, refer to the
+    `openstack-ansible-security documentation <http://docs.openstack.org/developer/openstack-ansible-security/>`_.