diff --git a/doc/source/install-guide/configure-initial.rst b/doc/source/install-guide/configure-initial.rst index 67cff56e02..3a54cffa9a 100644 --- a/doc/source/install-guide/configure-initial.rst +++ b/doc/source/install-guide/configure-initial.rst @@ -85,22 +85,22 @@ container on each host, but there would be no RabbitMQ containers deployed. Security Hardening ^^^^^^^^^^^^^^^^^^ -Deployers have the option to automatically apply security hardening to an -OpenStack Ansible deployment using the `openstack-ansible-security`_ role. The -role uses a version of the `Security Technical Implementation Guide (STIG)`_ -that has been adapted for Ubuntu 14.04 and OpenStack. +OpenStack-Ansible automatically applies host security hardening configurations +using the `openstack-ansible-security`_ role. The role uses a version of the +`Security Technical Implementation Guide (STIG)`_ that has been adapted for +Ubuntu 14.04 and OpenStack. The role is applicable to physical hosts within an OpenStack-Ansible deployment that are operating as any type of node -- infrastructure or compute. By -default, the role is disabled. Deployers can enable it by changing a variable +default, the role is enabled. Deployers can disable it by changing a variable within ``user_variables.yml``: .. code-block:: yaml - apply_security_hardening: true + apply_security_hardening: false -When the variable is set, the role will be applied by the ``setup-hosts.yml`` -playbook automatically during deployments. +When the variable is set to ``true``, the ``setup-hosts.yml`` playbook applies +the role during deployments. Deployers can apply security configurations to an existing environment or audit an environment using a playbook supplied with OpenStack-Ansible: diff --git a/playbooks/inventory/group_vars/hosts.yml b/playbooks/inventory/group_vars/hosts.yml index e34d6b900a..21541f27dc 100644 --- a/playbooks/inventory/group_vars/hosts.yml +++ b/playbooks/inventory/group_vars/hosts.yml 
@@ -75,11 +75,11 @@ memcached_servers: "{% for host in groups['memcached'] %}{{ hostvars[host]['ansi ## Host security hardening # The openstack-ansible-security role provides security hardening for hosts -# by applying security configurations from the STIG. Hardening is disabled by -# default, but an option to opt-in is available by setting the following -# variable to 'true'. +# by applying security configurations from the STIG. Hardening is enabled by +# default, but an option to opt out is available by setting the following +# variable to 'false'. # Docs: http://docs.openstack.org/developer/openstack-ansible-security/ -apply_security_hardening: false +apply_security_hardening: true ## Region Name service_region: RegionOne diff --git a/releasenotes/notes/default-enable-host-security-hardening-eb73923218abbc2c.yaml b/releasenotes/notes/default-enable-host-security-hardening-eb73923218abbc2c.yaml new file mode 100644 index 0000000000..2736210207 --- /dev/null +++ b/releasenotes/notes/default-enable-host-security-hardening-eb73923218abbc2c.yaml @@ -0,0 +1,7 @@ +--- +features: + - Host security hardening is now applied by default using the + ``openstack-ansible-security`` role. Developers can opt out by setting the + ``apply_security_hardening`` Ansible variable to ``false``. For more + information about the role and the changes it makes, refer to the + `openstack-ansible-security documentation `_.
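Review bot: in the configure-initial.rst hunk the example block now shows the opt-out value (`apply_security_hardening: false`), but the sentence right after it describes the opt-in case ("When the variable is set to ``true``, the ``setup-hosts.yml`` playbook applies the role during deployments."), so a reader who just copied the example is told what happens for the other value. Suggest phrasing it around the new default, e.g. "Unless the variable is set to ``false``, the ``setup-hosts.yml`` playbook applies the role during deployments.", which also matches the "Deployers can disable it" sentence above the block.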
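Review bot: the hosts.yml hunk flips `apply_security_hardening` to `true` in the shared group_vars, so any existing deployment that never set the variable in `user_variables.yml` will start receiving the STIG-based host changes on its next `setup-hosts.yml` run after upgrading. Worth saying that in the comment, e.g. "Existing deployments that want the previous behaviour must set this to 'false' in user_variables.yml", so the opt-out is discoverable where the default actually changes.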
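Review bot: two points on the release note. First, "Developers can opt out" should be "Deployers can opt out", matching the docs hunk and the hosts.yml comment in this same change. Second, the RST external link `` `openstack-ansible-security documentation `_`` shows no target between the link text and `` `_`` as visible here; check that the `<URL>` part is actually present in the file, since Sphinx will treat an external-style link without a target as a reference to a missing definition. Also consider adding an `upgrade:` section alongside `features:` because the default change takes effect for existing environments on their next host setup run unless they have overridden the variable.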