openstack-ansible/deploy-guide/source/app-advanced-config-security.rst
Jesse Pretorius e4551ef3e2 [DOCS] Move limited connectivity section to Deploy Guide
The limited connectivity section was temporarily moved into
the developer guide temporarily when re-arranging the deploy
guide, but never moved back.

As this is important information for deployers to see, this
is being moved into the deploy guide appendix, then references
to it are added to the AIO and Deployment Guide in appropriate
places.

The following notes regarding additional changes apply:

- The pip offline install content for the limited connectivity
  page breaks the flow and doesn't really fit in the two models
  proposed. This content should move to the pip install role.

- The reference to the get_url/get_uri bug for Ansible 1.9 no
  longer applies as Newton onwards now uses Ansible 2.1.x and
  above.

- An unused Appendix H reference in the Security Appendix has
  been removed.

- The Appendices have been re-arranged slightly to try to show
  the information in a perceived order of importance.

Change-Id: If4b8a75277374ed7e96a1ce6610ed8a897125693
2017-02-16 11:54:08 +00:00


Security hardening

OpenStack-Ansible automatically applies host security hardening configurations by using the openstack-ansible-security role. The role uses a version of the Security Technical Implementation Guide (STIG) that has been adapted for Ubuntu 14.04 and OpenStack.

The role applies to physical hosts within an OpenStack-Ansible deployment that are operating as any type of node, whether infrastructure or compute. By default, the role is enabled. To disable it, set the apply_security_hardening variable to false in the user_variables.yml file:

apply_security_hardening: false

You can apply security hardening configurations to an existing environment or audit an environment by using a playbook supplied with OpenStack-Ansible:

# Apply security hardening configurations
openstack-ansible security-hardening.yml

# Perform a quick audit by using Ansible's check mode
openstack-ansible --check security-hardening.yml

For more information about the security configurations, see the OpenStack-Ansible host security hardening documentation.
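The check-mode audit above prints one result per task and host, and a "changed" result means the host currently differs from the hardened setting. The following script is an added example, not part of OpenStack-Ansible: it summarizes that output per host and can gate a pipeline on it. The function names and the sample output (role, task and host names) are constructed for illustration, and the parsing assumes Ansible's default output format.

```shell
#!/bin/sh
# Constructed sample of Ansible's default output for a --check run.
# Role, task and host names are made up for this example.
sample_check_output() {
cat <<'EOF'
TASK [example-role : constructed task one] *************************************
ok: [infra1]
changed: [compute1]

TASK [example-role : constructed task two] *************************************
changed: [infra1]
changed: [compute1] => (item=constructed)

TASK [example-role : constructed task three] ***********************************
ok: [infra1]
skipping: [compute1]

PLAY RECAP *********************************************************************
compute1                   : ok=2    changed=2    unreachable=0    failed=0
infra1                     : ok=3    changed=1    unreachable=0    failed=0
EOF
}

# Print "host<TAB>task" for each result that check mode reports as "changed",
# meaning the host currently differs from the hardened setting.
hardening_drift() {
  awk '
    /^TASK \[/ {
      task = $0
      sub(/^TASK \[/, "", task)
      sub(/\] \*+ *$/, "", task)
      next
    }
    /^changed: \[/ {
      host = $0
      sub(/^changed: \[/, "", host)
      sub(/\].*$/, "", host)
      print host "\t" task
    }'
}

# Count drifting tasks per host, sorted by host name.
drift_by_host() {
  hardening_drift | awk -F"\t" '{ n[$1]++ } END { for (h in n) print h, n[h] }' | sort
}

# Succeed only when no task would change anything (usable as a CI gate).
hardening_gate() {
  [ -z "$(hardening_drift)" ]
}

# Real use: openstack-ansible --check security-hardening.yml | drift_by_host
sample_check_output | drift_by_host
```

Tasks that cannot run in check mode are reported as skipped, so treat the summary as a lower bound on drift.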