openstack
/
tripleo-heat-templates
Code Issues Proposed changes

Implements management of `/etc/login.defs` 

Enables management of shadow password directives in login.defs

By allowing operators to set values in login.defs, they are able
to improve password security for newly created system accounts.

This change will in turn allow operators to adhere with security
hardening frameworks, such as STIG DISA & CIS Security Benchmarks.

bp login-defs

Change-Id: Id4fe88cb9569f18f27f94c35b5c27a85fe7947ae
Depends-On: Iec8c032adb44593da3770d3c6bb5a4655e463637
This commit is contained in:
lhinds 2017-04-19 10:48:45 +01:00
parent 6e16903a50
commit 502fde7a64
24 changed files with 107 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
capabilities-map.yaml
View File

@ -531,6 +531,11 @@ topics:
environments:
- file: environments/securetty.yaml
title: SecureTTY Values
- title: login.defs values
description: Set values within /etc/login.defs
environments:
- file: environments/login-defs.yaml
title: login.defs Values
- title: Additional Services
description:
@ -642,3 +647,4 @@ topics:
description:
requires:
- overcloud-resource-registry-puppet.yaml

1
ci/environments/scenario001-multinode-containers.yaml
View File

@ -36,6 +36,7 @@ parameter_defaults:
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::Keystone
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::GlanceApi
- OS::TripleO::Services::HeatApi
- OS::TripleO::Services::HeatApiCfn

2
environments/hyperconverged-ceph.yaml
View File

@ -52,3 +52,5 @@ parameter_defaults:
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::OVNController
- OS::TripleO::Services::RsyslogSidecar
- OS::TripleO::Services::LoginDefs

9
environments/login-defs.yaml Normal file
View File

@ -0,0 +1,9 @@
resource_registry:
OS::TripleO::Services::LoginDefs: ../puppet/services/login-defs.yaml
parameter_defaults:
PasswordMaxDays: 60
PasswordMinDays: 1
PasswordMinLen: 5
PasswordWarnAge: 7
FailDelay: 4

1
overcloud-resource-registry-puppet.j2.yaml
View File

@ -302,6 +302,7 @@ resource_registry:
OS::TripleO::Services::VRTSHyperScale: OS::Heat::None
OS::TripleO::Services::SkydiveAgent: OS::Heat::None
OS::TripleO::Services::SkydiveAnalyzer: OS::Heat::None
OS::TripleO::Services::LoginDefs: OS::Heat::None
# Logging
OS::TripleO::Services::Logging::BarbicanApi: docker/services/logging/files/barbican-api.yaml

66
puppet/services/login-defs.yaml Normal file
View File

@ -0,0 +1,66 @@
heat_template_version: pike
description: >
Configure login.defs values
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
PasswordMaxDays:
default: {}
description: Set the maximum age allowed for passwords
type: number
PasswordMinDays:
default: {}
description: Set the minimum age allowed for passwords
type: number
PasswordWarnAge:
default: {}
description: Set the warning period for password expiration
type: number
PasswordMinLen:
default: {}
description: Set the minimum length allowed for passwords
type: number
FailDelay:
default: {}
description: The period of time between password retries
type: number
outputs:
role_data:
description: Parameters for configuration of the login.defs file
value:
service_name: login_defs
config_settings:
tripleo::profile::base::login_defs::password_max_days: {get_param: PasswordMaxDays}
tripleo::profile::base::login_defs::password_min_days: {get_param: PasswordMinDays}
tripleo::profile::base::login_defs::password_warn_age: {get_param: PasswordWarnAge}
tripleo::profile::base::login_defs::password_min_len: {get_param: PasswordMinLen}
tripleo::profile::base::login_defs::fail_delay: {get_param: FailDelay}
step_config: |
include ::tripleo::profile::base::login_defs

1
roles/BlockStorage.yaml
View File

@ -19,6 +19,7 @@
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::ContainersLogrotateCrond

1
roles/CephStorage.yaml
View File

@ -16,6 +16,7 @@
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::ContainersLogrotateCrond

1
roles/Compute.yaml
View File

@ -36,6 +36,7 @@
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::NeutronBgpVpnBagpipe
- OS::TripleO::Services::NeutronLinuxbridgeAgent

1
roles/ComputeHCI.yaml
View File

@ -27,6 +27,7 @@
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::NeutronBgpVpnBagpipe
- OS::TripleO::Services::NeutronLinuxbridgeAgent

1
roles/ComputeOvsDpdk.yaml
View File

@ -27,6 +27,7 @@
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::NeutronBgpVpnBagpipe
- OS::TripleO::Services::NovaCompute

1
roles/ComputeSriov.yaml
View File

@ -27,6 +27,7 @@
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::NeutronBgpVpnBagpipe
- OS::TripleO::Services::NeutronSriovAgent

1
roles/Controller.yaml
View File

@ -76,6 +76,7 @@
- OS::TripleO::Services::Keepalived
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::Keystone
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::ManilaApi
- OS::TripleO::Services::ManilaBackendCephFs
- OS::TripleO::Services::ManilaBackendIsilon

2
roles/ControllerOpenstack.yaml
View File

@ -61,6 +61,7 @@
- OS::TripleO::Services::Keepalived
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::Keystone
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::ManilaApi
- OS::TripleO::Services::ManilaBackendCephFs
- OS::TripleO::Services::ManilaBackendIsilon
@ -118,4 +119,3 @@
- OS::TripleO::Services::Tuned
- OS::TripleO::Services::Vpp
- OS::TripleO::Services::Zaqar

1
roles/Database.yaml
View File

@ -16,6 +16,7 @@
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQL
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::Ntp

1
roles/IronicConductor.yaml
View File

@ -15,6 +15,7 @@
- OS::TripleO::Services::IronicConductor
- OS::TripleO::Services::IronicPxe
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::ContainersLogrotateCrond

1
roles/Messaging.yaml
View File

@ -15,6 +15,7 @@
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::ContainersLogrotateCrond
- OS::TripleO::Services::Pacemaker

1
roles/Networker.yaml
View File

@ -16,6 +16,7 @@
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::NeutronDhcpAgent
- OS::TripleO::Services::NeutronL2gwAgent

1
roles/ObjectStorage.yaml
View File

@ -24,6 +24,7 @@
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::ContainersLogrotateCrond

1
roles/Telemetry.yaml
View File

@ -21,6 +21,7 @@
- OS::TripleO::Services::GnocchiMetricd
- OS::TripleO::Services::GnocchiStatsd
- OS::TripleO::Services::Keystone
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQL
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::ContainersLogrotateCrond

1
roles/Undercloud.yaml
View File

@ -23,6 +23,7 @@
- OS::TripleO::Services::IronicPxe
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Keystone
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::Memcached
- OS::TripleO::Services::MistralApi
- OS::TripleO::Services::MistralEngine

1
roles/UndercloudLight.yaml
View File

@ -19,6 +19,7 @@
- OS::TripleO::Services::HeatApiCfn
- OS::TripleO::Services::HeatEngine
- OS::TripleO::Services::Keystone
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::Memcached
- OS::TripleO::Services::MistralApi
- OS::TripleO::Services::MistralEngine

5
roles_data.yaml
View File

@ -79,6 +79,7 @@
- OS::TripleO::Services::Keepalived
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::Keystone
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::ManilaApi
- OS::TripleO::Services::ManilaBackendCephFs
- OS::TripleO::Services::ManilaBackendIsilon
@ -187,6 +188,7 @@
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::NeutronBgpVpnBagpipe
- OS::TripleO::Services::NeutronLinuxbridgeAgent
@ -230,6 +232,7 @@
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::ContainersLogrotateCrond
@ -268,6 +271,7 @@
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::ContainersLogrotateCrond
@ -300,6 +304,7 @@
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::ContainersLogrotateCrond

1
roles_data_undercloud.yaml
View File

@ -26,6 +26,7 @@
- OS::TripleO::Services::IronicPxe
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Keystone
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::Memcached
- OS::TripleO::Services::MistralApi
- OS::TripleO::Services::MistralEngine