From b6a5c9a0ba2eacb515a6150d8debef064d762446 Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Tue, 5 Apr 2016 13:18:22 -0500 Subject: [PATCH] Apply host security hardening by default Security hardening has been applied to all gate jobs since January 2016 in the Mitaka release. This patch enables security hardening for all deployments in Newton by changing the apply_security_hardening variable to true by default. Change-Id: Ia30a54f9e94c7341a306a7ed7561cdbc3e234db2 --- doc/source/install-guide/configure-initial.rst | 16 ++++++++-------- playbooks/inventory/group_vars/hosts.yml | 8 ++++---- ...host-security-hardening-eb73923218abbc2c.yaml | 7 +++++++ 3 files changed, 19 insertions(+), 12 deletions(-) create mode 100644 releasenotes/notes/default-enable-host-security-hardening-eb73923218abbc2c.yaml diff --git a/doc/source/install-guide/configure-initial.rst b/doc/source/install-guide/configure-initial.rst index 67cff56e02..3a54cffa9a 100644 --- a/doc/source/install-guide/configure-initial.rst +++ b/doc/source/install-guide/configure-initial.rst 
@@ -85,22 +85,22 @@ container on each host, but there would be no RabbitMQ containers deployed. Security Hardening ^^^^^^^^^^^^^^^^^^ -Deployers have the option to automatically apply security hardening to an -OpenStack Ansible deployment using the `openstack-ansible-security`_ role. The -role uses a version of the `Security Technical Implementation Guide (STIG)`_ -that has been adapted for Ubuntu 14.04 and OpenStack. +OpenStack-Ansible automatically applies host security hardening configurations +using the `openstack-ansible-security`_ role. The role uses a version of the +`Security Technical Implementation Guide (STIG)`_ that has been adapted for +Ubuntu 14.04 and OpenStack. The role is applicable to physical hosts within an OpenStack-Ansible deployment that are operating as any type of node -- infrastructure or compute. By -default, the role is disabled. Deployers can enable it by changing a variable +default, the role is enabled. Deployers can disable it by changing a variable within ``user_variables.yml``: .. code-block:: yaml - apply_security_hardening: true + apply_security_hardening: false -When the variable is set, the role will be applied by the ``setup-hosts.yml`` -playbook automatically during deployments. +When the variable is set to ``true``, the ``setup-hosts.yml`` playbook applies +the role during deployments. Deployers can apply security configurations to an existing environment or audit an environment using a playbook supplied with OpenStack-Ansible: diff --git a/playbooks/inventory/group_vars/hosts.yml b/playbooks/inventory/group_vars/hosts.yml index e34d6b900a..21541f27dc 100644 --- a/playbooks/inventory/group_vars/hosts.yml +++ b/playbooks/inventory/group_vars/hosts.yml 
@@ -75,11 +75,11 @@ memcached_servers: "{% for host in groups['memcached'] %}{{ hostvars[host]['ansi ## Host security hardening # The openstack-ansible-security role provides security hardening for hosts -# by applying security configurations from the STIG. Hardening is disabled by -# default, but an option to opt-in is available by setting the following -# variable to 'true'. +# by applying security configurations from the STIG. Hardening is enabled by +# default, but an option to opt out is available by setting the following +# variable to 'false'. # Docs: http://docs.openstack.org/developer/openstack-ansible-security/ -apply_security_hardening: false +apply_security_hardening: true ## Region Name service_region: RegionOne diff --git a/releasenotes/notes/default-enable-host-security-hardening-eb73923218abbc2c.yaml b/releasenotes/notes/default-enable-host-security-hardening-eb73923218abbc2c.yaml new file mode 100644 index 0000000000..2736210207 --- /dev/null +++ b/releasenotes/notes/default-enable-host-security-hardening-eb73923218abbc2c.yaml @@ -0,0 +1,7 @@ +--- +features: + - Host security hardening is now applied by default using the + ``openstack-ansible-security`` role. Developers can opt out by setting the + ``apply_security_hardening`` Ansible variable to ``false``. For more + information about the role and the changes it makes, refer to the + `openstack-ansible-security documentation `_.
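Review bot: In the configure-initial.rst hunk, the rewritten paragraph ("By default, the role is enabled. Deployers can disable it...") drops the point that this is a behaviour change for environments upgrading from Mitaka, where the default was `false`: on the next `setup-hosts.yml` run those hosts get the STIG configuration applied, not just new deployments. Since the same section already says deployers can "audit an environment using a playbook supplied with OpenStack-Ansible", add a sentence recommending an audit run before upgrading an existing deployment, and consider stating which STIG controls are skipped or modified for OpenStack rather than only "adapted for Ubuntu 14.04 and OpenStack".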
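Review bot: In the hosts.yml hunk, the comment above `apply_security_hardening: true` says the opt-out is "setting the following variable to 'false'", which reads as an invitation to edit this group_vars file; the install guide in the same patch tells deployers to override it in `user_variables.yml`. Say so here ("override in user_variables.yml") so the two agree, and the `# Docs:` link could use `https://` rather than `http://` for a hardening role's own documentation.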
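Review bot: In the release note hunk, "Developers can opt out" should be "Deployers can opt out", matching the wording used in configure-initial.rst and hosts.yml in this same patch. Because the default flips for existing environments, this belongs under an `upgrade:` section in addition to `features:` so operators upgrading to Newton see it. As shown, the reST link `openstack-ansible-security documentation `_` has no target between the link text and the closing `_`, which Sphinx will reject; supply the URL already used in hosts.yml.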