openstack
/
tripleo-heat-templates
Code Issues Proposed changes
Browse Source

Adds service for managing securetty 

This adds the ability to manage the securetty file.

By allowing management of securetty, operators can limit root
console access and improve security through hardening.

Change-Id: I0767c9529b40a721ebce1eadc2dea263e0a5d4d7
Partial-Bug: #1665042
Depends-On: Ic4647fb823bd112648c5b8d102913baa8b4dac1c
changes/53/449153/7
lhinds 4 years ago
parent
cd6128d0a5
commit
9945538069
7 changed files with 69 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 5
      capabilities-map.yaml
  2. 9
      ci/environments/scenario001-multinode.yaml
  3. 1
      environments/hyperconverged-ceph.yaml
  4. 12
      environments/securetty.yaml
  5. 1
      overcloud-resource-registry-puppet.j2.yaml
  6. 36
      puppet/services/securetty.yaml
  7. 5
      roles_data.yaml

5
capabilities-map.yaml
View File

@ -597,3 +597,8 @@ topics:
environments:
- file: environments/cadf.yaml
title: Keystone CADF auditing
- title: SecureTTY Values
description: Set values within /etc/securetty
environments:
- file: environments/securetty.yaml
title: SecureTTY Values

9
ci/environments/scenario001-multinode.yaml
View File

@ -51,6 +51,7 @@ parameter_defaults:
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::Snmp
- OS::TripleO::Services::Sshd
- OS::TripleO::Services::Securetty
- OS::TripleO::Services::Timezone
- OS::TripleO::Services::NovaCompute
- OS::TripleO::Services::NovaLibvirt
@ -124,3 +125,11 @@ parameter_defaults:
MonitoringRabbitHost: 127.0.0.1
MonitoringRabbitPort: 5676
MonitoringRabbitPassword: sensu
TtyValues:
- console
- tty1
- tty2
- tty3
- tty4
- tty5
- tty6

1
environments/hyperconverged-ceph.yaml
View File

@ -13,6 +13,7 @@ parameter_defaults:
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::Snmp
- OS::TripleO::Services::Sshd
- OS::TripleO::Services::Securetty
- OS::TripleO::Services::NovaCompute
- OS::TripleO::Services::NovaLibvirt
- OS::TripleO::Services::Kernel

12
environments/securetty.yaml
View File

@ -0,0 +1,12 @@
resource_registry:
OS::TripleO::Services::Securetty: ../puppet/services/securetty.yaml
parameter_defaults:
TtyValues:
- console
- tty1
- tty2
- tty3
- tty4
- tty5
- tty6

1
overcloud-resource-registry-puppet.j2.yaml
View File

@ -178,6 +178,7 @@ resource_registry:
OS::TripleO::Services::SaharaApi: OS::Heat::None
OS::TripleO::Services::SaharaEngine: OS::Heat::None
OS::TripleO::Services::Sshd: OS::Heat::None
OS::TripleO::Services::Securetty: OS::Heat::None
OS::TripleO::Services::Redis: puppet/services/database/redis.yaml
OS::TripleO::Services::NovaConductor: puppet/services/nova-conductor.yaml
OS::TripleO::Services::MongoDb: puppet/services/database/mongodb.yaml

36
puppet/services/securetty.yaml
View File

@ -0,0 +1,36 @@
heat_template_version: ocata
description: >
Configure securetty values
parameters:
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
TtyValues:
default: {}
description: Configures console values in securetty
type: json
constraints:
- length: { min: 1}
outputs:
role_data:
description: Console data for the securetty
value:
service_name: securetty
config_settings:
tripleo::profile::base::securetty::tty_list: {get_param: TtyValues}
step_config: |
include ::tripleo::profile::base::securetty

5
roles_data.yaml
View File

@ -82,6 +82,7 @@
- OS::TripleO::Services::SwiftRingBuilder
- OS::TripleO::Services::Snmp
- OS::TripleO::Services::Sshd
- OS::TripleO::Services::Securetty
- OS::TripleO::Services::Timezone
- OS::TripleO::Services::CeilometerApi
- OS::TripleO::Services::CeilometerCollector
@ -144,6 +145,7 @@
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::Snmp
- OS::TripleO::Services::Sshd
- OS::TripleO::Services::Securetty
- OS::TripleO::Services::NovaCompute
- OS::TripleO::Services::NovaLibvirt
- OS::TripleO::Services::Kernel
@ -173,6 +175,7 @@
- OS::TripleO::Services::Timezone
- OS::TripleO::Services::Snmp
- OS::TripleO::Services::Sshd
- OS::TripleO::Services::Securetty
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::SensuClient
@ -192,6 +195,7 @@
- OS::TripleO::Services::SwiftRingBuilder
- OS::TripleO::Services::Snmp
- OS::TripleO::Services::Sshd
- OS::TripleO::Services::Securetty
- OS::TripleO::Services::Timezone
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::TripleoFirewall
@ -210,6 +214,7 @@
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::Snmp
- OS::TripleO::Services::Sshd
- OS::TripleO::Services::Securetty
- OS::TripleO::Services::Timezone
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::TripleoFirewall

Write Preview
Loading…
Cancel
Save