Adds service for managing securetty
This adds the ability to manage the securetty file. By allowing management of securetty, operators can limit root console access and improve security through hardening. Change-Id: I0767c9529b40a721ebce1eadc2dea263e0a5d4d7 Partial-Bug: #1665042 Depends-On: Ic4647fb823bd112648c5b8d102913baa8b4dac1c
parent
cd6128d0a5
commit
9945538069
@ -597,3 +597,8 @@ topics:
|
||||
environments:
|
||||
- file: environments/cadf.yaml
|
||||
title: Keystone CADF auditing
|
||||
- title: SecureTTY Values
|
||||
description: Set values within /etc/securetty
|
||||
environments:
|
||||
- file: environments/securetty.yaml
|
||||
title: SecureTTY Values
|
||||
|
@ -51,6 +51,7 @@ parameter_defaults:
|
||||
- OS::TripleO::Services::Ntp
|
||||
- OS::TripleO::Services::Snmp
|
||||
- OS::TripleO::Services::Sshd
|
||||
- OS::TripleO::Services::Securetty
|
||||
- OS::TripleO::Services::Timezone
|
||||
- OS::TripleO::Services::NovaCompute
|
||||
- OS::TripleO::Services::NovaLibvirt
|
||||
@ -124,3 +125,11 @@ parameter_defaults:
|
||||
MonitoringRabbitHost: 127.0.0.1
|
||||
MonitoringRabbitPort: 5676
|
||||
MonitoringRabbitPassword: sensu
|
||||
TtyValues:
|
||||
- console
|
||||
- tty1
|
||||
- tty2
|
||||
- tty3
|
||||
- tty4
|
||||
- tty5
|
||||
- tty6
|
||||
|
@ -13,6 +13,7 @@ parameter_defaults:
|
||||
- OS::TripleO::Services::Ntp
|
||||
- OS::TripleO::Services::Snmp
|
||||
- OS::TripleO::Services::Sshd
|
||||
- OS::TripleO::Services::Securetty
|
||||
- OS::TripleO::Services::NovaCompute
|
||||
- OS::TripleO::Services::NovaLibvirt
|
||||
- OS::TripleO::Services::Kernel
|
||||
|
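--- a/environments/securetty.yaml
+++ b/environments/securetty.yaml
@@ -0,0 +1,12 @@
+resource_registry:
+OS::TripleO::Services::Securetty: ../puppet/services/securetty.yaml
+
+parameter_defaults:
+TtyValues:
+- console
+- tty1
+- tty2
+- tty3
+- tty4
+- tty5
+- tty6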
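Review bot: The new environment file has no comment telling an operator what the `TtyValues` list controls or how to tighten it, so the only explanation is in the commit message. I would add a header comment such as `# Terminals on which root may log in directly (written to /etc/securetty); remove entries to restrict root console access.` It is also worth one line noting that /etc/securetty is consulted only by PAM services that load pam_securetty (typically console login), so it does not replace the sshd root-login setting. Indentation was lost in this rendering, so the nesting of the keys cannot be checked from here.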
@ -178,6 +178,7 @@ resource_registry:
|
||||
OS::TripleO::Services::SaharaApi: OS::Heat::None
|
||||
OS::TripleO::Services::SaharaEngine: OS::Heat::None
|
||||
OS::TripleO::Services::Sshd: OS::Heat::None
|
||||
OS::TripleO::Services::Securetty: OS::Heat::None
|
||||
OS::TripleO::Services::Redis: puppet/services/database/redis.yaml
|
||||
OS::TripleO::Services::NovaConductor: puppet/services/nova-conductor.yaml
|
||||
OS::TripleO::Services::MongoDb: puppet/services/database/mongodb.yaml
|
||||
|
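--- a/puppet/services/securetty.yaml
+++ b/puppet/services/securetty.yaml
@@ -0,0 +1,36 @@
+heat_template_version: ocata
+
+description: >
+Configure securetty values
+
+parameters:
+ServiceNetMap:
+default: {}
+description: Mapping of service_name -> network name. Typically set
+via parameter_defaults in the resource registry. This
+mapping overrides those in ServiceNetMapDefaults.
+type: json
+DefaultPasswords:
+default: {}
+type: json
+EndpointMap:
+default: {}
+description: Mapping of service endpoint -> protocol. Typically set
+via parameter_defaults in the resource registry.
+type: json
+TtyValues:
+default: {}
+description: Configures console values in securetty
+type: json
+constraints:
+- length: { min: 1}
+
+outputs:
+role_data:
+description: Console data for the securetty
+value:
+service_name: securetty
+config_settings:
+tripleo::profile::base::securetty::tty_list: {get_param: TtyValues}
+step_config: |
+include ::tripleo::profile::base::securetty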
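Review bot: `TtyValues` is declared with `default: {}` and `type: json`, but the environment files in this change pass a list and the value is handed to `tripleo::profile::base::securetty::tty_list`; the empty-map default also has length 0, which the parameter's own `length: { min: 1}` constraint excludes. If the service is mapped without the parameter being set, the outcome is presumably either a validation failure or an empty tty list, and with pam_securetty an empty /etc/securetty refuses root on every terminal, which can lock operators out of console recovery. I would remove `default: {}` so the list must be supplied explicitly and declare the parameter as `type: comma_delimited_list`. The description could also state that only the listed devices permit direct root login.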
@ -82,6 +82,7 @@
|
||||
- OS::TripleO::Services::SwiftRingBuilder
|
||||
- OS::TripleO::Services::Snmp
|
||||
- OS::TripleO::Services::Sshd
|
||||
- OS::TripleO::Services::Securetty
|
||||
- OS::TripleO::Services::Timezone
|
||||
- OS::TripleO::Services::CeilometerApi
|
||||
- OS::TripleO::Services::CeilometerCollector
|
||||
@ -144,6 +145,7 @@
|
||||
- OS::TripleO::Services::Ntp
|
||||
- OS::TripleO::Services::Snmp
|
||||
- OS::TripleO::Services::Sshd
|
||||
- OS::TripleO::Services::Securetty
|
||||
- OS::TripleO::Services::NovaCompute
|
||||
- OS::TripleO::Services::NovaLibvirt
|
||||
- OS::TripleO::Services::Kernel
|
||||
@ -173,6 +175,7 @@
|
||||
- OS::TripleO::Services::Timezone
|
||||
- OS::TripleO::Services::Snmp
|
||||
- OS::TripleO::Services::Sshd
|
||||
- OS::TripleO::Services::Securetty
|
||||
- OS::TripleO::Services::TripleoPackages
|
||||
- OS::TripleO::Services::TripleoFirewall
|
||||
- OS::TripleO::Services::SensuClient
|
||||
@ -192,6 +195,7 @@
|
||||
- OS::TripleO::Services::SwiftRingBuilder
|
||||
- OS::TripleO::Services::Snmp
|
||||
- OS::TripleO::Services::Sshd
|
||||
- OS::TripleO::Services::Securetty
|
||||
- OS::TripleO::Services::Timezone
|
||||
- OS::TripleO::Services::TripleoPackages
|
||||
- OS::TripleO::Services::TripleoFirewall
|
||||
@ -210,6 +214,7 @@
|
||||
- OS::TripleO::Services::Ntp
|
||||
- OS::TripleO::Services::Snmp
|
||||
- OS::TripleO::Services::Sshd
|
||||
- OS::TripleO::Services::Securetty
|
||||
- OS::TripleO::Services::Timezone
|
||||
- OS::TripleO::Services::TripleoPackages
|
||||
- OS::TripleO::Services::TripleoFirewall
|
||||
|