Optionally apply security hardening in Liberty
This patch brings the openstack-ansible-security role into the Liberty release as an opt-in feature. Deployers will need to adjust apply_security_hardening to true for the standards to be applied. Security hardening is automatically enabled in Liberty gate jobs, as it has been in Mitaka since January 2016.
Change-Id: Ia76d7634b4d14d1cbc0c71e800508afb992e9f7c
This commit is contained in:
parent
7b7407c304
commit
b8f12c86b2
|
@ -9,3 +9,7 @@
|
|||
version: '1.3'
|
||||
- src: mattwillsher.sshd
|
||||
name: sshd
|
||||
- name: openstack-ansible-security
|
||||
src: https://git.openstack.org/openstack/openstack-ansible-security
|
||||
scm: git
|
||||
version: 12.0.0
|
||||
|
|
|
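Review bot: the new role-requirements entry pins `version: 12.0.0`, which is a git tag, and tags can be moved after the fact; if the intent is reproducible, supply-chain-safe role fetching, consider pinning to the commit SHA that the 12.0.0 tag resolves to (or at least note in the entry that the tag is the intended pin), matching how the `src` is already fetched over https.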
@ -76,6 +76,48 @@ this configuration, their ``openstack_user_config.yml`` would look like this:
|
|||
The configuration above would still deploy a memcached container and a database
|
||||
container on each host, but there would be no RabbitMQ containers deployed.
|
||||
|
||||
.. _security_hardening:
|
||||
|
||||
Security Hardening
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Deployers have the option to automatically apply security hardening to an
|
||||
OpenStack Ansible deployment using the `openstack-ansible-security`_ role. The
|
||||
role uses a version of the `Security Technical Implementation Guide (STIG)`_
|
||||
that has been adapted for Ubuntu 14.04 and OpenStack.
|
||||
|
||||
The role is applicable to physical hosts within an OpenStack-Ansible deployment
|
||||
that are operating as any type of node -- infrastructure or compute. By
|
||||
default, the role is disabled. Deployers can enable it by changing a variable
|
||||
within ``user_variables.yml``:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
apply_security_hardening: true
|
||||
|
||||
When the variable is set, the role will be applied by the ``setup-hosts.yml``
|
||||
playbook automatically during deployments.
|
||||
|
||||
Deployers can apply security configurations to an existing environment or audit
|
||||
an environment using a playbook supplied with OpenStack-Ansible:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
# Perform a quick audit using Ansible's check mode
|
||||
openstack-ansible --check security-hardening.yml
|
||||
|
||||
# Apply security hardening configurations
|
||||
openstack-ansible security-hardening.yml
|
||||
|
||||
For more details on the security configurations that will be applied, refer to
|
||||
the `openstack-ansible-security`_ documentation. Review the `Configuration`_
|
||||
section of the openstack-ansible-security documentation to find out how to
|
||||
fine-tune certain security configurations.
|
||||
|
||||
.. _openstack-ansible-security: http://docs.openstack.org/developer/openstack-ansible-security/
|
||||
.. _Security Technical Implementation Guide (STIG): https://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide
|
||||
.. _Configuration: http://docs.openstack.org/developer/openstack-ansible-security/configuration.html
|
||||
|
||||
--------------
|
||||
|
||||
.. include:: navigation.txt
|
||||
|
|
|
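Review bot: the "quick audit" instruction (`openstack-ansible --check security-hardening.yml`) should say that Ansible check mode skips tasks that do not support it (commands, scripts, some modules), so the audit reports only the subset of STIG settings implemented with check-mode-aware modules; a one-sentence caveat after that code block would keep deployers from treating a clean `--check` run as a full compliance audit. The doc could also state that the play runs as `root` on every host in the target group, since that is what the new playbook does.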
@ -44,6 +44,17 @@ to configure SSL certificates, refer to the documentation section titled
|
|||
|
||||
.. _Securing services with SSL certificates: configure-sslcertificates.html
|
||||
|
||||
Host security hardening
|
||||
~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Deployers can apply security hardening to OpenStack infrastructure and compute
|
||||
hosts using the openstack-ansible-security role. The purpose of the role is to
|
||||
apply as many security configurations as possible without disrupting the
|
||||
operation of an OpenStack deployment.
|
||||
|
||||
Refer to the documentation on :ref:`security_hardening` for more information
|
||||
on the role and how to enable it in OpenStack-Ansible.
|
||||
|
||||
Least privilege
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
|
|
|
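Review bot: this subsection names the role in plain text ("the openstack-ansible-security role") while the install-guide section uses the `openstack-ansible-security`_ link target; for consistency and so readers can reach the role docs from here, reuse the same link target, e.g. "using the `openstack-ansible-security`_ role."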
@ -166,3 +166,11 @@
|
|||
# All the previous variables are used in a var file, fed to the keepalived role.
|
||||
# To use another file to feed the role, override the following var:
|
||||
# haproxy_keepalived_vars_file: 'vars/configs/keepalived_haproxy.yml'
|
||||
|
||||
## Host security hardening
|
||||
# The openstack-ansible-security role provides security hardening for hosts
|
||||
# by applying security configurations from the STIG. Hardening is disabled by
|
||||
# default, but an option to opt-in is available by setting the following
|
||||
# variable to 'true'.
|
||||
# Docs: http://docs.openstack.org/developer/openstack-ansible-security/
|
||||
# apply_security_hardening: true
|
||||
|
|
|
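Review bot: the commented-out example in `user_variables.yml` is fine as an opt-in switch, but the comment should also mention that the hardening play can be run on its own (`openstack-ansible security-hardening.yml`) and that `setup-hosts.yml` will apply it on every subsequent run once the variable is `true`, so deployers understand that enabling it is not a one-time action.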
@ -80,6 +80,14 @@ memcached_listen: "{{ ansible_ssh_host }}"
|
|||
memcached_port: 11211
|
||||
memcached_servers: "{% for host in groups['memcached'] %}{{ hostvars[host]['ansible_ssh_host'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}"
|
||||
|
||||
## Host security hardening
|
||||
# The openstack-ansible-security role provides security hardening for hosts
|
||||
# by applying security configurations from the STIG. Hardening is disabled by
|
||||
# default, but an option to opt-in is available by setting the following
|
||||
# variable to 'true'.
|
||||
# Docs: http://docs.openstack.org/developer/openstack-ansible-security/
|
||||
apply_security_hardening: false
|
||||
|
||||
## Region Name
|
||||
service_region: RegionOne
|
||||
|
||||
|
|
|
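Review bot: defining `apply_security_hardening: false` in group_vars is necessary because the new playbook evaluates `apply_security_hardening | bool` without a default, so an undefined variable would abort the play rather than skip hardening; since this comment block is duplicated verbatim from `user_variables.yml`, consider trimming one copy to a pointer to the other so the two do not drift.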
@ -0,0 +1,25 @@
|
|||
---
|
||||
# Copyright 2016, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# As an additional safeguard, this playbook requires the
|
||||
# 'apply_security_hardening' boolean set to True for it to apply security
|
||||
# hardening standards to a system.
|
||||
|
||||
- name: Apply security hardening configurations
|
||||
hosts: "{{ host_group|default('hosts') }}"
|
||||
user: root
|
||||
roles:
|
||||
- { role: "openstack-ansible-security",
|
||||
when: apply_security_hardening | bool }
|
|
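Review bot: the role condition `when: apply_security_hardening | bool` fails with an undefined-variable error on any deployment whose inventory group_vars predate this change; use `apply_security_hardening | default(false) | bool` so the opt-in stays safe-by-default regardless of which variable files a deployer has refreshed. Also, `user: root` is the legacy spelling of `remote_user: root`; switching to `remote_user` matches current Ansible usage and avoids ambiguity with the `user` module.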
@ -14,5 +14,6 @@
|
|||
# limitations under the License.
|
||||
|
||||
- include: openstack-hosts-setup.yml
|
||||
- include: security-hardening.yml
|
||||
- include: lxc-hosts-setup.yml
|
||||
- include: lxc-containers-create.yml
|
||||
|
|
|
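Review bot: `security-hardening.yml` is included before `lxc-hosts-setup.yml`, so any host settings the later plays touch (sysctl values, service state, apt configuration) will be applied after the STIG settings and can silently override them; add a comment explaining the chosen ordering, or move the include after the LXC host setup if the hardening is meant to have the last word.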
@ -91,3 +91,6 @@ lxc_cache_resolvers: {{ lxc_cache_resolvers }}
|
|||
lxc_container_template_main_apt_repo: {{ bootstrap_host_ubuntu_repo }}
|
||||
lxc_container_template_security_apt_repo: {{ bootstrap_host_ubuntu_security_repo }}
|
||||
lxc_container_template_apt_components: {{ bootstrap_host_apt_components }}
|
||||
|
||||
## Security hardening
|
||||
apply_security_hardening: true
|
||||
|
|
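Review bot: forcing `apply_security_hardening: true` in the AIO gate template gives the hardened path coverage, but the shipped default (`false`) and the `--check` audit path then get none; if gate time allows, running the playbook once in check mode before the real run would also exercise the audit workflow the docs advertise.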