Optionally apply security hardening in Liberty

This patch brings the openstack-ansible-security role into the Liberty release as an opt in feature. Deployers will need to adjust apply_security_hardening to true for the standards to be applied. Security hardening is automatically enabled in Liberty gate jobs, as it has been in Mitaka since January 2016. Change-Id: Ia76d7634b4d14d1cbc0c71e800508afb992e9f7c
2016-04-08 09:58:12 -05:00 · 2016-04-08 09:58:12 -05:00 · b8f12c86b2
parent 7b7407c304
commit b8f12c86b2
8 changed files with 102 additions and 0 deletions
--- a/ansible-role-requirements.yml
+++ b/ansible-role-requirements.yml
@ -9,3 +9,7 @@
  version: '1.3'
 - src: mattwillsher.sshd
  name: sshd
+- name: openstack-ansible-security
+  src: https://git.openstack.org/openstack/openstack-ansible-security
+  scm: git
+  version: 12.0.0
--- a/doc/source/install-guide/configure-initial.rst
+++ b/doc/source/install-guide/configure-initial.rst
@ -76,6 +76,48 @@ this configuration, their ``openstack_user_config.yml`` would look like this:
 The configuration above would still deploy a memcached container and a database
 container on each host, but there would be no RabbitMQ containers deployed.

+.. _security_hardening:
+
+Security Hardening
+^^^^^^^^^^^^^^^^^^
+
+Deployers have the option to automatically apply security hardening to an
+OpenStack Ansible deployment using the `openstack-ansible-security`_ role. The
+role uses a version of the `Security Technical Implementation Guide (STIG)`_
+that has been adapted for Ubuntu 14.04 and OpenStack.
+
+The role is applicable to physical hosts within an OpenStack-Ansible deployment
+that are operating as any type of node -- infrastructure or compute. By
+default, the role is disabled. Deployers can enable it by changing a variable
+within ``user_variables.yml``:
+
+.. code-block:: yaml
+
+    apply_security_hardening: true
+
+When the variable is set, the role will be applied by the ``setup-hosts.yml``
+playbook automatically during deployments.
+
+Deployers can apply security configurations to an existing environment or audit
+an environment using a playbook supplied with OpenStack-Ansible:
+
+.. code-block:: bash
+
+    # Perform a quick audit using Ansible's check mode
+    openstack-ansible --check security-hardening.yml
+
+    # Apply security hardening configurations
+    openstack-ansible security-hardening.yml
+
+For more details on the security configurations that will be applied, refer to
+the `openstack-ansible-security`_ documentation. Review the `Configuration`_
+section of the openstack-ansible-security documentation to find out how to
+fine-tune certain security configurations.
+
+.. _openstack-ansible-security: http://docs.openstack.org/developer/openstack-ansible-security/
+.. _Security Technical Implementation Guide (STIG): https://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide
+.. _Configuration: http://docs.openstack.org/developer/openstack-ansible-security/configuration.html
+
 --------------

 .. include:: navigation.txt
--- a/doc/source/install-guide/overview-security.rst
+++ b/doc/source/install-guide/overview-security.rst
@ -44,6 +44,17 @@ to configure SSL certificates, refer to the documentation section titled

 .. _Securing services with SSL certificates: configure-sslcertificates.html

+Host security hardening
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Deployers can apply security hardening to OpenStack infrastructure and compute
+hosts using the openstack-ansible-security role. The purpose of the role is to
+apply as many security configurations as possible without disrupting the
+operation of an OpenStack deployment.
+
+Refer to the documentation on :ref:`security_hardening` for more information
+on the role and how to enable it in OpenStack-Ansible.
+
 Least privilege
 ~~~~~~~~~~~~~~~

--- a/etc/openstack_deploy/user_variables.yml
+++ b/etc/openstack_deploy/user_variables.yml
@ -166,3 +166,11 @@
 # All the previous variables are used in a var file, fed to the keepalived role.
 # To use another file to feed the role, override the following var:
 # haproxy_keepalived_vars_file: 'vars/configs/keepalived_haproxy.yml'
+
+## Host security hardening
+# The openstack-ansible-security role provides security hardening for hosts
+# by applying security configurations from the STIG. Hardening is disabled by
+# default, but an option to opt-in is available by setting the following
+# variable to 'true'.
+# Docs: http://docs.openstack.org/developer/openstack-ansible-security/
+# apply_security_hardening: true
--- a/playbooks/inventory/group_vars/hosts.yml
+++ b/playbooks/inventory/group_vars/hosts.yml
@ -80,6 +80,14 @@ memcached_listen: "{{ ansible_ssh_host }}"
 memcached_port: 11211
 memcached_servers: "{% for host in groups['memcached'] %}{{ hostvars[host]['ansible_ssh_host'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}"

+## Host security hardening
+# The openstack-ansible-security role provides security hardening for hosts
+# by applying security configurations from the STIG. Hardening is disabled by
+# default, but an option to opt-in is available by setting the following
+# variable to 'true'.
+# Docs: http://docs.openstack.org/developer/openstack-ansible-security/
+apply_security_hardening: false
+
 ## Region Name
 service_region: RegionOne

--- a/playbooks/security-hardening.yml
+++ b/playbooks/security-hardening.yml
@ -0,0 +1,25 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# As an additional safeguard, this playbook requires the
+# 'apply_security_hardening' boolean set to True for it to apply security
+# hardening standards to a system.
+
+- name: Apply security hardening configurations
+  hosts: "{{ host_group|default('hosts') }}"
+  user: root
+  roles:
+    - { role: "openstack-ansible-security",
+        when: apply_security_hardening | bool }
--- a/playbooks/setup-hosts.yml
+++ b/playbooks/setup-hosts.yml
@ -14,5 +14,6 @@
 # limitations under the License.

 - include: openstack-hosts-setup.yml
+- include: security-hardening.yml
 - include: lxc-hosts-setup.yml
 - include: lxc-containers-create.yml
--- a/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2
+++ b/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2
@ -91,3 +91,6 @@ lxc_cache_resolvers: {{ lxc_cache_resolvers }}
 lxc_container_template_main_apt_repo: {{ bootstrap_host_ubuntu_repo }}
 lxc_container_template_security_apt_repo: {{ bootstrap_host_ubuntu_security_repo }}
 lxc_container_template_apt_components: {{ bootstrap_host_apt_components }}
+
+## Security hardening
+apply_security_hardening: true