[openstack-dev] [openstack-ansible][security] Update: Host security hardening

Major Hayden major at mhtx.net
Mon Apr 4 17:50:02 UTC 2016


Howdy folks,

I wanted to take a few moments to update everyone on the host security hardening work in the openstack-ansible-security[1] role for OpenStack-Ansible.

Current status
--------------

The role has run in every Mitaka gate job for OpenStack-Ansible since January 2016 and seems to be stable.  Other than issues with overzealous auditd rules and an improved check for unlocked system accounts, the role has worked well.  The auditd issues are fixed and the unlocked system account fix is pending a Mitaka backport now. 

Release status
--------------

Newton:
  * Available, but not enabled by default
  * Patch submitted[2] to make it enabled on all deployments by default

Mitaka:
  * Available, but not enabled by default
  * Plan to backport Newton's "enabled by default" change to Mitaka soon

Liberty:
  * Not available, but can be added easily (docs exist for this)
  * Need input on whether this should be backported
  * If backported, I suggest we leave it disabled by default (much like we did for LBaaS v2)

Request for feedback
--------------------

Would there be opposition to backporting openstack-ansible-security into OpenStack-Ansible's Liberty release with it being disabled by default?

The only impact from this change to an existing deployment would be an additional role downloaded via ansible-galaxy within the bootstrap-ansible.sh script.  Deployers would need to change 'apply_security_hardening' to 'true' in order to activate the role.

Thanks!

[1] http://docs.openstack.org/developer/openstack-ansible-security/
[2] https://review.openstack.org/#/c/301152/

--
Major Hayden
