
Adds service for managing securetty

This adds the ability to manage the securetty file.

By allowing management of securetty, operators can limit root
console access and improve security through hardening.

Change-Id: I0767c9529b40a721ebce1eadc2dea263e0a5d4d7
Partial-Bug: #1665042
Depends-On: Ic4647fb823bd112648c5b8d102913baa8b4dac1c
changes/53/449153/7
lhinds 4 years ago
parent
commit
9945538069
  1. 5
      capabilities-map.yaml
  2. 9
      ci/environments/scenario001-multinode.yaml
  3. 1
      environments/hyperconverged-ceph.yaml
  4. 12
      environments/securetty.yaml
  5. 1
      overcloud-resource-registry-puppet.j2.yaml
  6. 36
      puppet/services/securetty.yaml
  7. 5
      roles_data.yaml

5
capabilities-map.yaml

@ -597,3 +597,8 @@ topics:
environments:
- file: environments/cadf.yaml
title: Keystone CADF auditing
- title: SecureTTY Values
description: Set values within /etc/securetty
environments:
- file: environments/securetty.yaml
title: SecureTTY Values
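Review bot: The topic title and the environment title are the same string, `SecureTTY Values`, so the capabilities map shows the operator two identical labels for one choice. The environment entry is the one that describes what enabling the file does; `title: Manage /etc/securetty root login terminals` (or similar) would distinguish it from the topic heading, in the way the neighbouring `Keystone CADF auditing` entry names an effect rather than a category. The surrounding `topics:` structure starts outside the hunk.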

9
ci/environments/scenario001-multinode.yaml

@ -51,6 +51,7 @@ parameter_defaults:
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::Snmp
- OS::TripleO::Services::Sshd
- OS::TripleO::Services::Securetty
- OS::TripleO::Services::Timezone
- OS::TripleO::Services::NovaCompute
- OS::TripleO::Services::NovaLibvirt
@ -124,3 +125,11 @@ parameter_defaults:
MonitoringRabbitHost: 127.0.0.1
MonitoringRabbitPort: 5676
MonitoringRabbitPassword: sensu
TtyValues:
- console
- tty1
- tty2
- tty3
- tty4
- tty5
- tty6
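Review bot: TtyValues is set here, but the hunk at line 51 only adds `OS::TripleO::Services::Securetty` to the role's service list; in the default registry that service resolves to `OS::Heat::None`, so unless this scenario's own `resource_registry` (outside these hunks) maps it to `puppet/services/securetty.yaml`, the parameter is never consumed and CI does not exercise the new service. Worth confirming the scenario actually deploys it, since that is the stated purpose of touching this file. The list also duplicates the one in environments/securetty.yaml; the duplication is needed because the service template's `default: {}` does not satisfy its own `length` constraint, so a short comment above `TtyValues:` saying so, `# Must match environments/securetty.yaml; the service has no usable default`, would stop someone "cleaning it up" later. The `parameter_defaults:` mapping both hunks belong to begins outside the hunk.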

1
environments/hyperconverged-ceph.yaml

@ -13,6 +13,7 @@ parameter_defaults:
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::Snmp
- OS::TripleO::Services::Sshd
- OS::TripleO::Services::Securetty
- OS::TripleO::Services::NovaCompute
- OS::TripleO::Services::NovaLibvirt
- OS::TripleO::Services::Kernel

12
environments/securetty.yaml

@ -0,0 +1,12 @@
resource_registry:
OS::TripleO::Services::Securetty: ../puppet/services/securetty.yaml
parameter_defaults:
TtyValues:
- console
- tty1
- tty2
- tty3
- tty4
- tty5
- tty6
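Review bot: The new environment has no header comment, unlike most files under environments/, so an operator cannot tell from the file what mapping the service does or how TtyValues is interpreted. A two-line comment at the top would cover it: `# Manages /etc/securetty on every role that lists OS::TripleO::Services::Securetty.` and `# TtyValues is the complete set of terminals on which root may log in; keep "console" when trimming it, or root is locked out of the physical console.` The exact write semantics come from the puppet-tripleo profile in the Depends-On change, which is not visible here, so the wording about the file being replaced wholesale should be checked against that profile before it is committed. Note also that this file is the only thing that turns the service on, since overcloud-resource-registry-puppet.j2.yaml maps it to `OS::Heat::None`; saying so in the comment helps reviewers of later role changes.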

1
overcloud-resource-registry-puppet.j2.yaml

@ -178,6 +178,7 @@ resource_registry:
OS::TripleO::Services::SaharaApi: OS::Heat::None
OS::TripleO::Services::SaharaEngine: OS::Heat::None
OS::TripleO::Services::Sshd: OS::Heat::None
OS::TripleO::Services::Securetty: OS::Heat::None
OS::TripleO::Services::Redis: puppet/services/database/redis.yaml
OS::TripleO::Services::NovaConductor: puppet/services/nova-conductor.yaml
OS::TripleO::Services::MongoDb: puppet/services/database/mongodb.yaml

36
puppet/services/securetty.yaml

@ -0,0 +1,36 @@
heat_template_version: ocata
description: >
Configure securetty values
parameters:
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
TtyValues:
default: {}
description: Configures console values in securetty
type: json
constraints:
- length: { min: 1}
outputs:
role_data:
description: Console data for the securetty
value:
service_name: securetty
config_settings:
tripleo::profile::base::securetty::tty_list: {get_param: TtyValues}
step_config: |
include ::tripleo::profile::base::securetty
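Review bot: TtyValues declares `default: {}` directly above `constraints: - length: { min: 1}`, so the built-in default is an empty mapping that fails the parameter's own constraint and has a different shape from the list every caller passes; a stack that maps this service without setting TtyValues is rejected with a generic constraint error instead of a clear message. Either give it a working default that matches environments/securetty.yaml, `default: [console, tty1, tty2, tty3, tty4, tty5, tty6]`, or drop the default and state in the description that the parameter is mandatory and that an empty list would leave no terminal on which root can log in — the puppet profile lives in the Depends-On change and is not visible here, so whether it guards against an empty value itself is unconfirmed. The `length` constraint is attached to a `json` parameter; confirm that the Heat release this template targets (`heat_template_version: ocata`) enforces length on json, as otherwise the constraint is silently ineffective and the lockout guard does not exist. Minor style: `{ min: 1}` has unbalanced spacing inside the flow mapping and `{min: 1}` matches the file's other flow values, and `description: Console data for the securetty` reads better as `description: Role data for the securetty service`.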

5
roles_data.yaml

@ -82,6 +82,7 @@
- OS::TripleO::Services::SwiftRingBuilder
- OS::TripleO::Services::Snmp
- OS::TripleO::Services::Sshd
- OS::TripleO::Services::Securetty
- OS::TripleO::Services::Timezone
- OS::TripleO::Services::CeilometerApi
- OS::TripleO::Services::CeilometerCollector
@ -144,6 +145,7 @@
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::Snmp
- OS::TripleO::Services::Sshd
- OS::TripleO::Services::Securetty
- OS::TripleO::Services::NovaCompute
- OS::TripleO::Services::NovaLibvirt
- OS::TripleO::Services::Kernel
@ -173,6 +175,7 @@
- OS::TripleO::Services::Timezone
- OS::TripleO::Services::Snmp
- OS::TripleO::Services::Sshd
- OS::TripleO::Services::Securetty
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::SensuClient
@ -192,6 +195,7 @@
- OS::TripleO::Services::SwiftRingBuilder
- OS::TripleO::Services::Snmp
- OS::TripleO::Services::Sshd
- OS::TripleO::Services::Securetty
- OS::TripleO::Services::Timezone
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::TripleoFirewall
@ -210,6 +214,7 @@
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::Snmp
- OS::TripleO::Services::Sshd
- OS::TripleO::Services::Securetty
- OS::TripleO::Services::Timezone
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::TripleoFirewall
