diff --git a/deploy-guide/source/run-playbooks.rst b/deploy-guide/source/run-playbooks.rst index 3d6e1e3144..899a7cb7d3 100644 --- a/deploy-guide/source/run-playbooks.rst +++ b/deploy-guide/source/run-playbooks.rst @@ -132,3 +132,10 @@ Run the playbooks to install OpenStack Confirm satisfactory completion with zero items unreachable or failed. + +.. note:: + + You can also consider applying a hardening role for the deployment host + to improve security. For more details, see the + `Apply ansible-hardening `_. + diff --git a/doc/source/user/security/hardening.rst b/doc/source/user/security/hardening.rst index 49b91bd639..5933bc42b0 100644 --- a/doc/source/user/security/hardening.rst +++ b/doc/source/user/security/hardening.rst 
@@ -27,3 +27,38 @@ For more information about the security configurations, see the `security hardening role`_ documentation. .. _security hardening role: https://docs.openstack.org/ansible-hardening/latest/ + +Deployment Host Hardening +------------------------- + +You can extend security hardening to the deployment host by defining the +``security_host_group`` variable in your ``openstack_user_variables`` file. +Include ``localhost`` along with your other hosts, like this: + +.. code-block:: yaml + + security_host_group: localhost, hosts + +Then apply the hardening with: + +.. code-block:: shell-session + + openstack-ansible openstack.osa.security_hardening + +Or alternatively, you can also supply this variable as extra variable +during runtime, for example: + +.. code-block:: shell-session + + openstack-ansible openstack.osa.security_hardening -e security_host_group=localhost + +.. warning:: + + After applying security hardening, root login via password will be + disabled. Make sure you configure SSH key authentication or set up + a non-root user with sudo privileges before applying the changes, + otherwise you may lose access to the host. + +Including the deployment host can be useful to reduce its attack surface +and ensure that the host running OpenStack-Ansible follows the same security +best practices as your other nodes.
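Review bot: in the run-playbooks.rst hunk, the link in the added note reads `Apply ansible-hardening `_ with no `<target>` before the closing backtick, so as written the reference will not resolve when Sphinx renders the note; if the angle-bracket target was not lost on the way into this review, please add it (the hardening.rst hunk already defines `.. _security hardening role: https://docs.openstack.org/ansible-hardening/latest/`, which could be reused as a named target instead). Minor: "You can also consider applying a hardening role" can be tightened to "Consider applying the hardening role".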
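Review bot: in the hardening.rst hunk, the two commands are presented as equivalent ("Or alternatively, you can also supply this variable") but they do different things: the `user_variables` example sets `security_host_group: localhost, hosts` and hardens the deployment host together with the other nodes, while `-e security_host_group=localhost` runs the role against the deployment host only, and as an extra var it overrides whatever the variables file says. Either change the second command to `-e security_host_group=localhost,hosts` or state explicitly that it hardens only the deployment host. Two smaller points: the text refers to an ``openstack_user_variables`` file, whereas the OpenStack-Ansible variables file is normally `/etc/openstack_deploy/user_variables.yml`, so please confirm the intended name; and the YAML value `localhost, hosts` is an unquoted string with an embedded space, so consider quoting it or using the colon-separated host pattern form (`"localhost:hosts"`) to avoid readers treating it as a list. The warning about password root login being disabled is the right caveat for a host that is both target and controller; it would be stronger if it also told the reader to verify SSH key access to the deployment host before the run.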