Adds service for managing securetty

This adds the ability to manage the securetty file. By allowing management of securetty, operators can limit root console access and improve security through hardening. Change-Id: I0767c9529b40a721ebce1eadc2dea263e0a5d4d7 Partial-Bug: #1665042 Depends-On: Ic4647fb823bd112648c5b8d102913baa8b4dac1c
6 years ago · 9945538069
parent cd6128d0a5
commit 9945538069
7 changed files with 69 additions and 0 deletions
--- a/capabilities-map.yaml
+++ b/capabilities-map.yaml
@ -597,3 +597,8 @@ topics:
        environments:
          - file: environments/cadf.yaml
            title: Keystone CADF auditing
+      - title: SecureTTY Values
+        description: Set values within /etc/securetty
+        environments:
+          - file: environments/securetty.yaml
+            title: SecureTTY Values
--- a/ci/environments/scenario001-multinode.yaml
+++ b/ci/environments/scenario001-multinode.yaml
@ -51,6 +51,7 @@ parameter_defaults:
    - OS::TripleO::Services::Ntp
    - OS::TripleO::Services::Snmp
    - OS::TripleO::Services::Sshd
+    - OS::TripleO::Services::Securetty
    - OS::TripleO::Services::Timezone
    - OS::TripleO::Services::NovaCompute
    - OS::TripleO::Services::NovaLibvirt
@ -124,3 +125,11 @@ parameter_defaults:
  MonitoringRabbitHost: 127.0.0.1
  MonitoringRabbitPort: 5676
  MonitoringRabbitPassword: sensu
+  TtyValues:
+    - console
+    - tty1
+    - tty2
+    - tty3
+    - tty4
+    - tty5
+    - tty6
--- a/environments/hyperconverged-ceph.yaml
+++ b/environments/hyperconverged-ceph.yaml
@ -13,6 +13,7 @@ parameter_defaults:
    - OS::TripleO::Services::Ntp
    - OS::TripleO::Services::Snmp
    - OS::TripleO::Services::Sshd
+    - OS::TripleO::Services::Securetty
    - OS::TripleO::Services::NovaCompute
    - OS::TripleO::Services::NovaLibvirt
    - OS::TripleO::Services::Kernel
--- a/environments/securetty.yaml
+++ b/environments/securetty.yaml
@ -0,0 +1,12 @@
+resource_registry:
+  OS::TripleO::Services::Securetty: ../puppet/services/securetty.yaml
+
+parameter_defaults:
+  TtyValues:
+    - console
+    - tty1
+    - tty2
+    - tty3
+    - tty4
+    - tty5
+    - tty6
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@ -178,6 +178,7 @@ resource_registry:
  OS::TripleO::Services::SaharaApi: OS::Heat::None
  OS::TripleO::Services::SaharaEngine: OS::Heat::None
  OS::TripleO::Services::Sshd: OS::Heat::None
+  OS::TripleO::Services::Securetty: OS::Heat::None
  OS::TripleO::Services::Redis: puppet/services/database/redis.yaml
  OS::TripleO::Services::NovaConductor: puppet/services/nova-conductor.yaml
  OS::TripleO::Services::MongoDb: puppet/services/database/mongodb.yaml
--- a/puppet/services/securetty.yaml
+++ b/puppet/services/securetty.yaml
@ -0,0 +1,36 @@
+heat_template_version: ocata
+
+description: >
+  Configure securetty values
+
+parameters:
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  TtyValues:
+    default: {}
+    description: Configures console values in securetty
+    type: json
+    constraints:
+      - length: { min: 1}
+
+outputs:
+  role_data:
+    description: Console data for the securetty
+    value:
+      service_name: securetty
+      config_settings:
+        tripleo::profile::base::securetty::tty_list: {get_param: TtyValues}
+      step_config: |
+        include ::tripleo::profile::base::securetty
--- a/roles_data.yaml
+++ b/roles_data.yaml
@ -82,6 +82,7 @@
    - OS::TripleO::Services::SwiftRingBuilder
    - OS::TripleO::Services::Snmp
    - OS::TripleO::Services::Sshd
+    - OS::TripleO::Services::Securetty
    - OS::TripleO::Services::Timezone
    - OS::TripleO::Services::CeilometerApi
    - OS::TripleO::Services::CeilometerCollector
@ -144,6 +145,7 @@
    - OS::TripleO::Services::Ntp
    - OS::TripleO::Services::Snmp
    - OS::TripleO::Services::Sshd
+    - OS::TripleO::Services::Securetty
    - OS::TripleO::Services::NovaCompute
    - OS::TripleO::Services::NovaLibvirt
    - OS::TripleO::Services::Kernel
@ -173,6 +175,7 @@
    - OS::TripleO::Services::Timezone
    - OS::TripleO::Services::Snmp
    - OS::TripleO::Services::Sshd
+    - OS::TripleO::Services::Securetty
    - OS::TripleO::Services::TripleoPackages
    - OS::TripleO::Services::TripleoFirewall
    - OS::TripleO::Services::SensuClient
@ -192,6 +195,7 @@
    - OS::TripleO::Services::SwiftRingBuilder
    - OS::TripleO::Services::Snmp
    - OS::TripleO::Services::Sshd
+    - OS::TripleO::Services::Securetty
    - OS::TripleO::Services::Timezone
    - OS::TripleO::Services::TripleoPackages
    - OS::TripleO::Services::TripleoFirewall
@ -210,6 +214,7 @@
    - OS::TripleO::Services::Ntp
    - OS::TripleO::Services::Snmp
    - OS::TripleO::Services::Sshd
+    - OS::TripleO::Services::Securetty
    - OS::TripleO::Services::Timezone
    - OS::TripleO::Services::TripleoPackages
    - OS::TripleO::Services::TripleoFirewall