Initial import of openstack-ansible-security role
This role contains around 150 controls from the 270+ controls that exist in the RHEL 6 STIG. New controls are still being added. Implements: blueprint security-hardening Change-Id: I0578f86bf42d55242bc72b97b40a5935a3cb18d6
This commit is contained in:
parent
74b2aa6d0d
commit
bfcf6c7423
60
.gitignore
vendored
Normal file
60
.gitignore
vendored
Normal file
@ -0,0 +1,60 @@
|
|||||||
|
# Override Files #
|
||||||
|
rpc_deployment/playbooks/lab_plays
|
||||||
|
rpc_deployment/vars/overrides/*.yml
|
||||||
|
|
||||||
|
# Compiled source #
|
||||||
|
###################
|
||||||
|
*.com
|
||||||
|
*.class
|
||||||
|
*.dll
|
||||||
|
*.exe
|
||||||
|
*.o
|
||||||
|
*.so
|
||||||
|
*.pyc
|
||||||
|
build/
|
||||||
|
dist/
|
||||||
|
doc/build/
|
||||||
|
|
||||||
|
# Packages #
|
||||||
|
############
|
||||||
|
# it's better to unpack these files and commit the raw source
|
||||||
|
# git has its own built in compression methods
|
||||||
|
*.7z
|
||||||
|
*.dmg
|
||||||
|
*.gz
|
||||||
|
*.iso
|
||||||
|
*.jar
|
||||||
|
*.rar
|
||||||
|
*.tar
|
||||||
|
*.zip
|
||||||
|
|
||||||
|
# Logs and databases #
|
||||||
|
######################
|
||||||
|
*.log
|
||||||
|
*.sql
|
||||||
|
*.sqlite
|
||||||
|
|
||||||
|
# OS generated files #
|
||||||
|
######################
|
||||||
|
.DS_Store
|
||||||
|
.DS_Store?
|
||||||
|
._*
|
||||||
|
.Spotlight-V100
|
||||||
|
.Trashes
|
||||||
|
.idea
|
||||||
|
.tox
|
||||||
|
*.sublime*
|
||||||
|
*.egg-info
|
||||||
|
Icon?
|
||||||
|
ehthumbs.db
|
||||||
|
Thumbs.db
|
||||||
|
.eggs
|
||||||
|
|
||||||
|
# User driven backup files #
|
||||||
|
############################
|
||||||
|
*.bak
|
||||||
|
|
||||||
|
# Generated by pbr while building docs
|
||||||
|
######################################
|
||||||
|
AUTHORS
|
||||||
|
ChangeLog
|
202
LICENSE
Normal file
202
LICENSE
Normal file
@ -0,0 +1,202 @@
|
|||||||
|
Apache License
|
||||||
|
Version 2.0, January 2004
|
||||||
|
http://www.apache.org/licenses/
|
||||||
|
|
||||||
|
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
||||||
|
|
||||||
|
1. Definitions.
|
||||||
|
|
||||||
|
"License" shall mean the terms and conditions for use, reproduction,
|
||||||
|
and distribution as defined by Sections 1 through 9 of this document.
|
||||||
|
|
||||||
|
"Licensor" shall mean the copyright owner or entity authorized by
|
||||||
|
the copyright owner that is granting the License.
|
||||||
|
|
||||||
|
"Legal Entity" shall mean the union of the acting entity and all
|
||||||
|
other entities that control, are controlled by, or are under common
|
||||||
|
control with that entity. For the purposes of this definition,
|
||||||
|
"control" means (i) the power, direct or indirect, to cause the
|
||||||
|
direction or management of such entity, whether by contract or
|
||||||
|
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
||||||
|
outstanding shares, or (iii) beneficial ownership of such entity.
|
||||||
|
|
||||||
|
"You" (or "Your") shall mean an individual or Legal Entity
|
||||||
|
exercising permissions granted by this License.
|
||||||
|
|
||||||
|
"Source" form shall mean the preferred form for making modifications,
|
||||||
|
including but not limited to software source code, documentation
|
||||||
|
source, and configuration files.
|
||||||
|
|
||||||
|
"Object" form shall mean any form resulting from mechanical
|
||||||
|
transformation or translation of a Source form, including but
|
||||||
|
not limited to compiled object code, generated documentation,
|
||||||
|
and conversions to other media types.
|
||||||
|
|
||||||
|
"Work" shall mean the work of authorship, whether in Source or
|
||||||
|
Object form, made available under the License, as indicated by a
|
||||||
|
copyright notice that is included in or attached to the work
|
||||||
|
(an example is provided in the Appendix below).
|
||||||
|
|
||||||
|
"Derivative Works" shall mean any work, whether in Source or Object
|
||||||
|
form, that is based on (or derived from) the Work and for which the
|
||||||
|
editorial revisions, annotations, elaborations, or other modifications
|
||||||
|
represent, as a whole, an original work of authorship. For the purposes
|
||||||
|
of this License, Derivative Works shall not include works that remain
|
||||||
|
separable from, or merely link (or bind by name) to the interfaces of,
|
||||||
|
the Work and Derivative Works thereof.
|
||||||
|
|
||||||
|
"Contribution" shall mean any work of authorship, including
|
||||||
|
the original version of the Work and any modifications or additions
|
||||||
|
to that Work or Derivative Works thereof, that is intentionally
|
||||||
|
submitted to Licensor for inclusion in the Work by the copyright owner
|
||||||
|
or by an individual or Legal Entity authorized to submit on behalf of
|
||||||
|
the copyright owner. For the purposes of this definition, "submitted"
|
||||||
|
means any form of electronic, verbal, or written communication sent
|
||||||
|
to the Licensor or its representatives, including but not limited to
|
||||||
|
communication on electronic mailing lists, source code control systems,
|
||||||
|
and issue tracking systems that are managed by, or on behalf of, the
|
||||||
|
Licensor for the purpose of discussing and improving the Work, but
|
||||||
|
excluding communication that is conspicuously marked or otherwise
|
||||||
|
designated in writing by the copyright owner as "Not a Contribution."
|
||||||
|
|
||||||
|
"Contributor" shall mean Licensor and any individual or Legal Entity
|
||||||
|
on behalf of whom a Contribution has been received by Licensor and
|
||||||
|
subsequently incorporated within the Work.
|
||||||
|
|
||||||
|
2. Grant of Copyright License. Subject to the terms and conditions of
|
||||||
|
this License, each Contributor hereby grants to You a perpetual,
|
||||||
|
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||||
|
copyright license to reproduce, prepare Derivative Works of,
|
||||||
|
publicly display, publicly perform, sublicense, and distribute the
|
||||||
|
Work and such Derivative Works in Source or Object form.
|
||||||
|
|
||||||
|
3. Grant of Patent License. Subject to the terms and conditions of
|
||||||
|
this License, each Contributor hereby grants to You a perpetual,
|
||||||
|
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||||
|
(except as stated in this section) patent license to make, have made,
|
||||||
|
use, offer to sell, sell, import, and otherwise transfer the Work,
|
||||||
|
where such license applies only to those patent claims licensable
|
||||||
|
by such Contributor that are necessarily infringed by their
|
||||||
|
Contribution(s) alone or by combination of their Contribution(s)
|
||||||
|
with the Work to which such Contribution(s) was submitted. If You
|
||||||
|
institute patent litigation against any entity (including a
|
||||||
|
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
||||||
|
or a Contribution incorporated within the Work constitutes direct
|
||||||
|
or contributory patent infringement, then any patent licenses
|
||||||
|
granted to You under this License for that Work shall terminate
|
||||||
|
as of the date such litigation is filed.
|
||||||
|
|
||||||
|
4. Redistribution. You may reproduce and distribute copies of the
|
||||||
|
Work or Derivative Works thereof in any medium, with or without
|
||||||
|
modifications, and in Source or Object form, provided that You
|
||||||
|
meet the following conditions:
|
||||||
|
|
||||||
|
(a) You must give any other recipients of the Work or
|
||||||
|
Derivative Works a copy of this License; and
|
||||||
|
|
||||||
|
(b) You must cause any modified files to carry prominent notices
|
||||||
|
stating that You changed the files; and
|
||||||
|
|
||||||
|
(c) You must retain, in the Source form of any Derivative Works
|
||||||
|
that You distribute, all copyright, patent, trademark, and
|
||||||
|
attribution notices from the Source form of the Work,
|
||||||
|
excluding those notices that do not pertain to any part of
|
||||||
|
the Derivative Works; and
|
||||||
|
|
||||||
|
(d) If the Work includes a "NOTICE" text file as part of its
|
||||||
|
distribution, then any Derivative Works that You distribute must
|
||||||
|
include a readable copy of the attribution notices contained
|
||||||
|
within such NOTICE file, excluding those notices that do not
|
||||||
|
pertain to any part of the Derivative Works, in at least one
|
||||||
|
of the following places: within a NOTICE text file distributed
|
||||||
|
as part of the Derivative Works; within the Source form or
|
||||||
|
documentation, if provided along with the Derivative Works; or,
|
||||||
|
within a display generated by the Derivative Works, if and
|
||||||
|
wherever such third-party notices normally appear. The contents
|
||||||
|
of the NOTICE file are for informational purposes only and
|
||||||
|
do not modify the License. You may add Your own attribution
|
||||||
|
notices within Derivative Works that You distribute, alongside
|
||||||
|
or as an addendum to the NOTICE text from the Work, provided
|
||||||
|
that such additional attribution notices cannot be construed
|
||||||
|
as modifying the License.
|
||||||
|
|
||||||
|
You may add Your own copyright statement to Your modifications and
|
||||||
|
may provide additional or different license terms and conditions
|
||||||
|
for use, reproduction, or distribution of Your modifications, or
|
||||||
|
for any such Derivative Works as a whole, provided Your use,
|
||||||
|
reproduction, and distribution of the Work otherwise complies with
|
||||||
|
the conditions stated in this License.
|
||||||
|
|
||||||
|
5. Submission of Contributions. Unless You explicitly state otherwise,
|
||||||
|
any Contribution intentionally submitted for inclusion in the Work
|
||||||
|
by You to the Licensor shall be under the terms and conditions of
|
||||||
|
this License, without any additional terms or conditions.
|
||||||
|
Notwithstanding the above, nothing herein shall supersede or modify
|
||||||
|
the terms of any separate license agreement you may have executed
|
||||||
|
with Licensor regarding such Contributions.
|
||||||
|
|
||||||
|
6. Trademarks. This License does not grant permission to use the trade
|
||||||
|
names, trademarks, service marks, or product names of the Licensor,
|
||||||
|
except as required for reasonable and customary use in describing the
|
||||||
|
origin of the Work and reproducing the content of the NOTICE file.
|
||||||
|
|
||||||
|
7. Disclaimer of Warranty. Unless required by applicable law or
|
||||||
|
agreed to in writing, Licensor provides the Work (and each
|
||||||
|
Contributor provides its Contributions) on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||||
|
implied, including, without limitation, any warranties or conditions
|
||||||
|
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
||||||
|
PARTICULAR PURPOSE. You are solely responsible for determining the
|
||||||
|
appropriateness of using or redistributing the Work and assume any
|
||||||
|
risks associated with Your exercise of permissions under this License.
|
||||||
|
|
||||||
|
8. Limitation of Liability. In no event and under no legal theory,
|
||||||
|
whether in tort (including negligence), contract, or otherwise,
|
||||||
|
unless required by applicable law (such as deliberate and grossly
|
||||||
|
negligent acts) or agreed to in writing, shall any Contributor be
|
||||||
|
liable to You for damages, including any direct, indirect, special,
|
||||||
|
incidental, or consequential damages of any character arising as a
|
||||||
|
result of this License or out of the use or inability to use the
|
||||||
|
Work (including but not limited to damages for loss of goodwill,
|
||||||
|
work stoppage, computer failure or malfunction, or any and all
|
||||||
|
other commercial damages or losses), even if such Contributor
|
||||||
|
has been advised of the possibility of such damages.
|
||||||
|
|
||||||
|
9. Accepting Warranty or Additional Liability. While redistributing
|
||||||
|
the Work or Derivative Works thereof, You may choose to offer,
|
||||||
|
and charge a fee for, acceptance of support, warranty, indemnity,
|
||||||
|
or other liability obligations and/or rights consistent with this
|
||||||
|
License. However, in accepting such obligations, You may act only
|
||||||
|
on Your own behalf and on Your sole responsibility, not on behalf
|
||||||
|
of any other Contributor, and only if You agree to indemnify,
|
||||||
|
defend, and hold each Contributor harmless for any liability
|
||||||
|
incurred by, or claims asserted against, such Contributor by reason
|
||||||
|
of your accepting any such warranty or additional liability.
|
||||||
|
|
||||||
|
END OF TERMS AND CONDITIONS
|
||||||
|
|
||||||
|
APPENDIX: How to apply the Apache License to your work.
|
||||||
|
|
||||||
|
To apply the Apache License to your work, attach the following
|
||||||
|
boilerplate notice, with the fields enclosed by brackets "{}"
|
||||||
|
replaced with your own identifying information. (Don't include
|
||||||
|
the brackets!) The text should be enclosed in the appropriate
|
||||||
|
comment syntax for the file format. We also recommend that a
|
||||||
|
file or class name and description of purpose be included on the
|
||||||
|
same "printed page" as the copyright notice for easier
|
||||||
|
identification within third-party archives.
|
||||||
|
|
||||||
|
Copyright {yyyy} {name of copyright owner}
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
|
30
README.rst
Normal file
30
README.rst
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
Security hardening for openstack-ansible
|
||||||
|
----------------------------------------
|
||||||
|
|
||||||
|
**--- Currently a work in progress ---**
|
||||||
|
|
||||||
|
Documentation is on `ReadTheDocs`_ temporarily.
|
||||||
|
|
||||||
|
.. _ReadTheDocs: http://openstack-ansible-security.readthedocs.org/en/latest/
|
||||||
|
|
||||||
|
What is this?
|
||||||
|
~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
The goal of this Ansible role is to provide additional security for deployments of openstack-ansible, the OpenStack project which deploys a fully-functional OpenStack environment using Ansible roles. For a more detailed explanation, review the security hardening spec in the section below.
|
||||||
|
|
||||||
|
How do I learn more?
|
||||||
|
~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
* `openstack-ansible`_
|
||||||
|
* `Security hardening spec`_ in openstack-ansible
|
||||||
|
* `RHEL 6 STIG`_ in `STIG Viewer`_
|
||||||
|
|
||||||
|
.. _openstack-ansible: https://github.com/openstack/openstack-ansible
|
||||||
|
.. _Security hardening spec: http://specs.openstack.org/openstack/openstack-ansible-specs/specs/mitaka/security-hardening.html
|
||||||
|
.. _RHEL 6 STIG: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/
|
||||||
|
.. _STIG Viewer: https://www.stigviewer.com
|
||||||
|
|
||||||
|
Questions or comments?
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
Join ``#openstack-ansible`` on Freenode or email openstack-dev@lists.openstack.org with the tag ``[openstack-ansible]`` in the subject line.
|
3
dev-requirements.txt
Normal file
3
dev-requirements.txt
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
ansible-lint
|
||||||
|
oslosphinx>=2.5.0
|
||||||
|
sphinx
|
195
doc/Makefile
Normal file
195
doc/Makefile
Normal file
@ -0,0 +1,195 @@
|
|||||||
|
# Makefile for Sphinx documentation
|
||||||
|
#
|
||||||
|
|
||||||
|
# You can set these variables from the command line.
|
||||||
|
SPHINXOPTS =
|
||||||
|
SPHINXBUILD = sphinx-build
|
||||||
|
PAPER =
|
||||||
|
BUILDDIR = build
|
||||||
|
|
||||||
|
# User-friendly check for sphinx-build
|
||||||
|
ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1)
|
||||||
|
$(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/)
|
||||||
|
endif
|
||||||
|
|
||||||
|
# Internal variables.
|
||||||
|
PAPEROPT_a4 = -D latex_paper_size=a4
|
||||||
|
PAPEROPT_letter = -D latex_paper_size=letter
|
||||||
|
ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) source
|
||||||
|
# the i18n builder cannot share the environment and doctrees with the others
|
||||||
|
I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) source
|
||||||
|
|
||||||
|
.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest coverage gettext
|
||||||
|
|
||||||
|
help:
|
||||||
|
@echo "Please use \`make <target>' where <target> is one of"
|
||||||
|
@echo " html to make standalone HTML files"
|
||||||
|
@echo " dirhtml to make HTML files named index.html in directories"
|
||||||
|
@echo " singlehtml to make a single large HTML file"
|
||||||
|
@echo " pickle to make pickle files"
|
||||||
|
@echo " json to make JSON files"
|
||||||
|
@echo " htmlhelp to make HTML files and a HTML help project"
|
||||||
|
@echo " qthelp to make HTML files and a qthelp project"
|
||||||
|
@echo " applehelp to make an Apple Help Book"
|
||||||
|
@echo " devhelp to make HTML files and a Devhelp project"
|
||||||
|
@echo " epub to make an epub"
|
||||||
|
@echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
|
||||||
|
@echo " latexpdf to make LaTeX files and run them through pdflatex"
|
||||||
|
@echo " latexpdfja to make LaTeX files and run them through platex/dvipdfmx"
|
||||||
|
@echo " text to make text files"
|
||||||
|
@echo " man to make manual pages"
|
||||||
|
@echo " texinfo to make Texinfo files"
|
||||||
|
@echo " info to make Texinfo files and run them through makeinfo"
|
||||||
|
@echo " gettext to make PO message catalogs"
|
||||||
|
@echo " changes to make an overview of all changed/added/deprecated items"
|
||||||
|
@echo " xml to make Docutils-native XML files"
|
||||||
|
@echo " pseudoxml to make pseudoxml-XML files for display purposes"
|
||||||
|
@echo " linkcheck to check all external links for integrity"
|
||||||
|
@echo " doctest to run all doctests embedded in the documentation (if enabled)"
|
||||||
|
@echo " coverage to run coverage check of the documentation (if enabled)"
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -rf $(BUILDDIR)/*
|
||||||
|
|
||||||
|
html:
|
||||||
|
$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
|
||||||
|
|
||||||
|
dirhtml:
|
||||||
|
$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
|
||||||
|
|
||||||
|
singlehtml:
|
||||||
|
$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
|
||||||
|
|
||||||
|
pickle:
|
||||||
|
$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
|
||||||
|
@echo
|
||||||
|
@echo "Build finished; now you can process the pickle files."
|
||||||
|
|
||||||
|
json:
|
||||||
|
$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
|
||||||
|
@echo
|
||||||
|
@echo "Build finished; now you can process the JSON files."
|
||||||
|
|
||||||
|
htmlhelp:
|
||||||
|
$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
|
||||||
|
@echo
|
||||||
|
@echo "Build finished; now you can run HTML Help Workshop with the" \
|
||||||
|
".hhp project file in $(BUILDDIR)/htmlhelp."
|
||||||
|
|
||||||
|
qthelp:
|
||||||
|
$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
|
||||||
|
@echo
|
||||||
|
@echo "Build finished; now you can run "qcollectiongenerator" with the" \
|
||||||
|
".qhcp project file in $(BUILDDIR)/qthelp, like this:"
|
||||||
|
@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/openstack-ansible.qhcp"
|
||||||
|
@echo "To view the help file:"
|
||||||
|
@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/openstack-ansible.qhc"
|
||||||
|
|
||||||
|
applehelp:
|
||||||
|
$(SPHINXBUILD) -b applehelp $(ALLSPHINXOPTS) $(BUILDDIR)/applehelp
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The help book is in $(BUILDDIR)/applehelp."
|
||||||
|
@echo "N.B. You won't be able to view it unless you put it in" \
|
||||||
|
"~/Library/Documentation/Help or install it in your application" \
|
||||||
|
"bundle."
|
||||||
|
|
||||||
|
devhelp:
|
||||||
|
$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
|
||||||
|
@echo
|
||||||
|
@echo "Build finished."
|
||||||
|
@echo "To view the help file:"
|
||||||
|
@echo "# mkdir -p $$HOME/.local/share/devhelp/openstack-ansible"
|
||||||
|
@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/openstack-ansible"
|
||||||
|
@echo "# devhelp"
|
||||||
|
|
||||||
|
epub:
|
||||||
|
$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The epub file is in $(BUILDDIR)/epub."
|
||||||
|
|
||||||
|
latex:
|
||||||
|
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
|
||||||
|
@echo
|
||||||
|
@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
|
||||||
|
@echo "Run \`make' in that directory to run these through (pdf)latex" \
|
||||||
|
"(use \`make latexpdf' here to do that automatically)."
|
||||||
|
|
||||||
|
latexpdf:
|
||||||
|
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
|
||||||
|
@echo "Running LaTeX files through pdflatex..."
|
||||||
|
$(MAKE) -C $(BUILDDIR)/latex all-pdf
|
||||||
|
@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
|
||||||
|
|
||||||
|
latexpdfja:
|
||||||
|
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
|
||||||
|
@echo "Running LaTeX files through platex and dvipdfmx..."
|
||||||
|
$(MAKE) -C $(BUILDDIR)/latex all-pdf-ja
|
||||||
|
@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
|
||||||
|
|
||||||
|
text:
|
||||||
|
$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The text files are in $(BUILDDIR)/text."
|
||||||
|
|
||||||
|
man:
|
||||||
|
$(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The manual pages are in $(BUILDDIR)/man."
|
||||||
|
|
||||||
|
texinfo:
|
||||||
|
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
|
||||||
|
@echo "Run \`make' in that directory to run these through makeinfo" \
|
||||||
|
"(use \`make info' here to do that automatically)."
|
||||||
|
|
||||||
|
info:
|
||||||
|
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
|
||||||
|
@echo "Running Texinfo files through makeinfo..."
|
||||||
|
make -C $(BUILDDIR)/texinfo info
|
||||||
|
@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
|
||||||
|
|
||||||
|
gettext:
|
||||||
|
$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
|
||||||
|
|
||||||
|
changes:
|
||||||
|
$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
|
||||||
|
@echo
|
||||||
|
@echo "The overview file is in $(BUILDDIR)/changes."
|
||||||
|
|
||||||
|
linkcheck:
|
||||||
|
$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
|
||||||
|
@echo
|
||||||
|
@echo "Link check complete; look for any errors in the above output " \
|
||||||
|
"or in $(BUILDDIR)/linkcheck/output.txt."
|
||||||
|
|
||||||
|
doctest:
|
||||||
|
$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
|
||||||
|
@echo "Testing of doctests in the sources finished, look at the " \
|
||||||
|
"results in $(BUILDDIR)/doctest/output.txt."
|
||||||
|
|
||||||
|
coverage:
|
||||||
|
$(SPHINXBUILD) -b coverage $(ALLSPHINXOPTS) $(BUILDDIR)/coverage
|
||||||
|
@echo "Testing of coverage in the sources finished, look at the " \
|
||||||
|
"results in $(BUILDDIR)/coverage/python.txt."
|
||||||
|
|
||||||
|
xml:
|
||||||
|
$(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The XML files are in $(BUILDDIR)/xml."
|
||||||
|
|
||||||
|
pseudoxml:
|
||||||
|
$(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml."
|
||||||
|
|
||||||
|
livehtml: html
|
||||||
|
sphinx-autobuild -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
|
0
doc/source/_static/.gitkeep
Normal file
0
doc/source/_static/.gitkeep
Normal file
109
doc/source/_themes/openstack/layout.html
Normal file
109
doc/source/_themes/openstack/layout.html
Normal file
@ -0,0 +1,109 @@
|
|||||||
|
{% extends "basic/layout.html" %}
|
||||||
|
{% set css_files = css_files + ['_static/tweaks.css'] %}
|
||||||
|
|
||||||
|
{% block sidebar2 %}
|
||||||
|
<div class="sphinxsidebar">
|
||||||
|
<div class="sphinxsidebarwrapper">
|
||||||
|
{%- if not embedded %}{% if not theme_nosidebar|tobool %}
|
||||||
|
{%- block sidebarlogo %}
|
||||||
|
{%- if logo %}
|
||||||
|
<p class="logo"><a href="{{ pathto(master_doc) }}">
|
||||||
|
<img class="logo" src="{{ pathto('_static/' + logo, 1) }}" alt="Logo"/>
|
||||||
|
</a></p>
|
||||||
|
{%- endif %}
|
||||||
|
{%- endblock %}
|
||||||
|
{%- block sidebartoc %}
|
||||||
|
{%- if display_toc %}
|
||||||
|
<h3><a href="{{ pathto(master_doc) }}">{{ _('Table Of Contents') }}</a></h3>
|
||||||
|
{{ toc }}
|
||||||
|
{%- endif %}
|
||||||
|
{%- endblock %}
|
||||||
|
{%- block sidebarrel %}
|
||||||
|
{%- if prev %}
|
||||||
|
<h4>{{ _('Previous topic') }}</h4>
|
||||||
|
<p class="topless"><a href="{{ prev.link|e }}"
|
||||||
|
title="{{ _('previous chapter') }}">{{ prev.title }}</a></p>
|
||||||
|
{%- endif %}
|
||||||
|
{%- if next %}
|
||||||
|
<h4>{{ _('Next topic') }}</h4>
|
||||||
|
<p class="topless"><a href="{{ next.link|e }}"
|
||||||
|
title="{{ _('next chapter') }}">{{ next.title }}</a></p>
|
||||||
|
{%- endif %}
|
||||||
|
{%- endblock %}
|
||||||
|
{%- block projectsource %}
|
||||||
|
{%- if cgit_link %}
|
||||||
|
<h3>{{ _('Project Source') }}</h3>
|
||||||
|
<ul class="this-page-menu">
|
||||||
|
<li><a href="{{cgit_link}}"
|
||||||
|
rel="nofollow">{{ _('Project Source') }}</a></li>
|
||||||
|
</ul>
|
||||||
|
{%- endif %}
|
||||||
|
{%- endblock %}
|
||||||
|
{%- block sidebarsourcelink %}
|
||||||
|
{%- if show_source and has_source and sourcename %}
|
||||||
|
<h3>{{ _('This Page') }}</h3>
|
||||||
|
<ul class="this-page-menu">
|
||||||
|
<li><a href="{{ pathto('_sources/' + sourcename, true)|e }}"
|
||||||
|
rel="nofollow">{{ _('Show Source') }}</a></li>
|
||||||
|
</ul>
|
||||||
|
{%- endif %}
|
||||||
|
{%- endblock %}
|
||||||
|
{%- if customsidebar %}
|
||||||
|
{% include customsidebar %}
|
||||||
|
{%- endif %}
|
||||||
|
{%- block sidebarsearch %}
|
||||||
|
{%- if pagename != "search" %}
|
||||||
|
<div id="searchbox" style="display: none">
|
||||||
|
<h3>{{ _('Quick search') }}</h3>
|
||||||
|
<form class="search" action="{{ pathto('search') }}" method="get">
|
||||||
|
<input type="text" name="q" size="18" />
|
||||||
|
<input type="submit" value="{{ _('Go') }}" />
|
||||||
|
<input type="hidden" name="check_keywords" value="yes" />
|
||||||
|
<input type="hidden" name="area" value="default" />
|
||||||
|
</form>
|
||||||
|
<p class="searchtip" style="font-size: 90%">
|
||||||
|
{{ _('Enter search terms or a module, class or function name.') }}
|
||||||
|
</p>
|
||||||
|
</div>
|
||||||
|
<script type="text/javascript">$('#searchbox').show(0);</script>
|
||||||
|
{%- endif %}
|
||||||
|
{%- endblock %}
|
||||||
|
{%- endif %}{% endif %}
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
{% endblock %}
|
||||||
|
|
||||||
|
{% block relbar1 %}{% endblock relbar1 %}
|
||||||
|
|
||||||
|
{% block header %}
|
||||||
|
<div id="header">
|
||||||
|
<h1 id="logo"><a href="http://www.openstack.org/">OpenStack</a></h1>
|
||||||
|
<ul id="navigation">
|
||||||
|
{% block header_navigation %}
|
||||||
|
<li><a href="http://www.openstack.org/" title="Go to the Home page" class="link">Home</a></li>
|
||||||
|
<li><a href="http://www.openstack.org/projects/" title="Go to the OpenStack Projects page">Projects</a></li>
|
||||||
|
<li><a href="http://www.openstack.org/user-stories/" title="Go to the User Stories page" class="link">User Stories</a></li>
|
||||||
|
<li><a href="http://www.openstack.org/community/" title="Go to the Community page" class="link">Community</a></li>
|
||||||
|
<li><a href="http://www.openstack.org/blog/" title="Go to the OpenStack Blog">Blog</a></li>
|
||||||
|
<li><a href="http://wiki.openstack.org/" title="Go to the OpenStack Wiki">Wiki</a></li>
|
||||||
|
<li><a href="http://docs.openstack.org/" title="Go to OpenStack Documentation" class="current">Documentation</a></li>
|
||||||
|
{% endblock %}
|
||||||
|
</ul>
|
||||||
|
</div>
|
||||||
|
{% endblock %}
|
||||||
|
|
||||||
|
{% block footer %}
|
||||||
|
{{ super() }}
|
||||||
|
<script type="text/javascript">
|
||||||
|
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
|
||||||
|
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
|
||||||
|
</script>
|
||||||
|
<script type="text/javascript">
|
||||||
|
try {
|
||||||
|
//Tracking docs.openstack.org/developer/<projectname> only
|
||||||
|
//The URL is built from the project variable in conf.py
|
||||||
|
var pageTracker = _gat._getTracker("UA-17511903-1");
|
||||||
|
pageTracker._setCookiePath("/developer/{{ project }}");
|
||||||
|
pageTracker._trackPageview();
|
||||||
|
} catch(err) {}</script>
|
||||||
|
{% endblock %}
|
419
doc/source/_themes/openstack/static/basic.css
Normal file
419
doc/source/_themes/openstack/static/basic.css
Normal file
@ -0,0 +1,419 @@
|
|||||||
|
/**
|
||||||
|
* Sphinx stylesheet -- basic theme
|
||||||
|
* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* -- main layout ----------------------------------------------------------- */
|
||||||
|
|
||||||
|
div.clearer {
|
||||||
|
clear: both;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* -- relbar ---------------------------------------------------------------- */
|
||||||
|
|
||||||
|
div.related {
|
||||||
|
font-size: 90%;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.related h3 {
|
||||||
|
display: none;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.related ul {
|
||||||
|
margin: 0;
|
||||||
|
padding: 0 0 0 10px;
|
||||||
|
list-style: none;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.related li {
|
||||||
|
display: inline;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.related li.right {
|
||||||
|
float: right;
|
||||||
|
margin-right: 5px;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* -- sidebar --------------------------------------------------------------- */
|
||||||
|
|
||||||
|
div.sphinxsidebarwrapper {
|
||||||
|
padding: 10px 5px 0 10px;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar {
|
||||||
|
float: left;
|
||||||
|
width: 260px;
|
||||||
|
margin-left: -100%;
|
||||||
|
font-size: 90%;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar ul {
|
||||||
|
list-style: none;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar ul ul,
|
||||||
|
div.sphinxsidebar ul.want-points {
|
||||||
|
margin-left: 20px;
|
||||||
|
list-style: square;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar ul ul {
|
||||||
|
margin-top: 0;
|
||||||
|
margin-bottom: 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar form {
|
||||||
|
margin-top: 10px;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar input {
|
||||||
|
border: 1px solid #98dbcc;
|
||||||
|
font-family: sans-serif;
|
||||||
|
font-size: 1em;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar span.pre {
|
||||||
|
word-wrap: break-word;
|
||||||
|
}
|
||||||
|
|
||||||
|
img {
|
||||||
|
border: 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* -- search page ----------------------------------------------------------- */
|
||||||
|
|
||||||
|
ul.search {
|
||||||
|
margin: 10px 0 0 20px;
|
||||||
|
padding: 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.search li {
|
||||||
|
padding: 5px 0 5px 20px;
|
||||||
|
background-image: url(file.png);
|
||||||
|
background-repeat: no-repeat;
|
||||||
|
background-position: 0 7px;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.search li a {
|
||||||
|
font-weight: bold;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.search li div.context {
|
||||||
|
color: #888;
|
||||||
|
margin: 2px 0 0 30px;
|
||||||
|
text-align: left;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.keywordmatches li.goodmatch a {
|
||||||
|
font-weight: bold;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* -- index page ------------------------------------------------------------ */
|
||||||
|
|
||||||
|
table.contentstable {
|
||||||
|
width: 90%;
|
||||||
|
}
|
||||||
|
|
||||||
|
table.contentstable p.biglink {
|
||||||
|
line-height: 150%;
|
||||||
|
}
|
||||||
|
|
||||||
|
a.biglink {
|
||||||
|
font-size: 1.3em;
|
||||||
|
}
|
||||||
|
|
||||||
|
span.linkdescr {
|
||||||
|
font-style: italic;
|
||||||
|
padding-top: 5px;
|
||||||
|
font-size: 90%;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* -- general index --------------------------------------------------------- */
|
||||||
|
|
||||||
|
table.indextable td {
|
||||||
|
text-align: left;
|
||||||
|
vertical-align: top;
|
||||||
|
}
|
||||||
|
|
||||||
|
table.indextable dl, table.indextable dd {
|
||||||
|
margin-top: 0;
|
||||||
|
margin-bottom: 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
table.indextable tr.pcap {
|
||||||
|
height: 10px;
|
||||||
|
}
|
||||||
|
|
||||||
|
table.indextable tr.cap {
|
||||||
|
margin-top: 10px;
|
||||||
|
background-color: #f2f2f2;
|
||||||
|
}
|
||||||
|
|
||||||
|
img.toggler {
|
||||||
|
margin-right: 3px;
|
||||||
|
margin-top: 3px;
|
||||||
|
cursor: pointer;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* -- general body styles --------------------------------------------------- */
|
||||||
|
|
||||||
|
a.headerlink {
|
||||||
|
visibility: hidden;
|
||||||
|
}
|
||||||
|
|
||||||
|
h1:hover > a.headerlink,
|
||||||
|
h2:hover > a.headerlink,
|
||||||
|
h3:hover > a.headerlink,
|
||||||
|
h4:hover > a.headerlink,
|
||||||
|
h5:hover > a.headerlink,
|
||||||
|
h6:hover > a.headerlink,
|
||||||
|
dt:hover > a.headerlink {
|
||||||
|
visibility: visible;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.body p.caption {
|
||||||
|
text-align: inherit;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.body td {
|
||||||
|
text-align: left;
|
||||||
|
}
|
||||||
|
|
||||||
|
.field-list ul {
|
||||||
|
padding-left: 1em;
|
||||||
|
}
|
||||||
|
|
||||||
|
.first {
|
||||||
|
}
|
||||||
|
|
||||||
|
p.rubric {
|
||||||
|
margin-top: 30px;
|
||||||
|
font-weight: bold;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* -- sidebars -------------------------------------------------------------- */
|
||||||
|
|
||||||
|
div.sidebar {
|
||||||
|
margin: 0 0 0.5em 1em;
|
||||||
|
border: 1px solid #ddb;
|
||||||
|
padding: 7px 7px 0 7px;
|
||||||
|
background-color: #ffe;
|
||||||
|
width: 40%;
|
||||||
|
float: right;
|
||||||
|
}
|
||||||
|
|
||||||
|
p.sidebar-title {
|
||||||
|
font-weight: bold;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* -- topics ---------------------------------------------------------------- */
|
||||||
|
|
||||||
|
div.topic {
|
||||||
|
border: 1px solid #ccc;
|
||||||
|
padding: 7px 7px 0 7px;
|
||||||
|
margin: 10px 0 10px 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
p.topic-title {
|
||||||
|
font-size: 1.1em;
|
||||||
|
font-weight: bold;
|
||||||
|
margin-top: 10px;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* -- admonitions ----------------------------------------------------------- */
|
||||||
|
|
||||||
|
div.admonition {
|
||||||
|
margin-top: 10px;
|
||||||
|
margin-bottom: 10px;
|
||||||
|
padding: 7px;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.admonition dt {
|
||||||
|
font-weight: bold;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.admonition dl {
|
||||||
|
margin-bottom: 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
p.admonition-title {
|
||||||
|
margin: 0px 10px 5px 0px;
|
||||||
|
font-weight: bold;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.body p.centered {
|
||||||
|
text-align: center;
|
||||||
|
margin-top: 25px;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* -- tables ---------------------------------------------------------------- */
|
||||||
|
|
||||||
|
table.docutils {
|
||||||
|
border: 0;
|
||||||
|
border-collapse: collapse;
|
||||||
|
}
|
||||||
|
|
||||||
|
table.docutils td, table.docutils th {
|
||||||
|
padding: 1px 8px 1px 0;
|
||||||
|
border-top: 0;
|
||||||
|
border-left: 0;
|
||||||
|
border-right: 0;
|
||||||
|
border-bottom: 1px solid #aaa;
|
||||||
|
}
|
||||||
|
|
||||||
|
table.field-list td, table.field-list th {
|
||||||
|
border: 0 !important;
|
||||||
|
}
|
||||||
|
|
||||||
|
table.footnote td, table.footnote th {
|
||||||
|
border: 0 !important;
|
||||||
|
}
|
||||||
|
|
||||||
|
th {
|
||||||
|
text-align: left;
|
||||||
|
padding-right: 5px;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* -- other body styles ----------------------------------------------------- */
|
||||||
|
|
||||||
|
dl {
|
||||||
|
margin-bottom: 15px;
|
||||||
|
}
|
||||||
|
|
||||||
|
dd p {
|
||||||
|
margin-top: 0px;
|
||||||
|
}
|
||||||
|
|
||||||
|
dd ul, dd table {
|
||||||
|
margin-bottom: 10px;
|
||||||
|
}
|
||||||
|
|
||||||
|
dd {
|
||||||
|
margin-top: 3px;
|
||||||
|
margin-bottom: 10px;
|
||||||
|
margin-left: 30px;
|
||||||
|
}
|
||||||
|
|
||||||
|
dt:target, .highlight {
|
||||||
|
background-color: #fbe54e;
|
||||||
|
}
|
||||||
|
|
||||||
|
dl.glossary dt {
|
||||||
|
font-weight: bold;
|
||||||
|
font-size: 1.1em;
|
||||||
|
}
|
||||||
|
|
||||||
|
.field-list ul {
|
||||||
|
margin: 0;
|
||||||
|
padding-left: 1em;
|
||||||
|
}
|
||||||
|
|
||||||
|
.field-list p {
|
||||||
|
margin: 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
.refcount {
|
||||||
|
color: #060;
|
||||||
|
}
|
||||||
|
|
||||||
|
.optional {
|
||||||
|
font-size: 1.3em;
|
||||||
|
}
|
||||||
|
|
||||||
|
.versionmodified {
|
||||||
|
font-style: italic;
|
||||||
|
}
|
||||||
|
|
||||||
|
.system-message {
|
||||||
|
background-color: #fda;
|
||||||
|
padding: 5px;
|
||||||
|
border: 3px solid red;
|
||||||
|
}
|
||||||
|
|
||||||
|
.footnote:target {
|
||||||
|
background-color: #ffa
|
||||||
|
}
|
||||||
|
|
||||||
|
.line-block {
|
||||||
|
display: block;
|
||||||
|
margin-top: 1em;
|
||||||
|
margin-bottom: 1em;
|
||||||
|
}
|
||||||
|
|
||||||
|
.line-block .line-block {
|
||||||
|
margin-top: 0;
|
||||||
|
margin-bottom: 0;
|
||||||
|
margin-left: 1.5em;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* -- code displays --------------------------------------------------------- */
|
||||||
|
|
||||||
|
pre {
|
||||||
|
overflow: auto;
|
||||||
|
}
|
||||||
|
|
||||||
|
td.linenos pre {
|
||||||
|
padding: 5px 0px;
|
||||||
|
border: 0;
|
||||||
|
background-color: transparent;
|
||||||
|
color: #aaa;
|
||||||
|
}
|
||||||
|
|
||||||
|
table.highlighttable {
|
||||||
|
margin-left: 0.5em;
|
||||||
|
}
|
||||||
|
|
||||||
|
table.highlighttable td {
|
||||||
|
padding: 0 0.5em 0 0.5em;
|
||||||
|
}
|
||||||
|
|
||||||
|
tt.descname {
|
||||||
|
background-color: transparent;
|
||||||
|
font-weight: bold;
|
||||||
|
font-size: 1.2em;
|
||||||
|
}
|
||||||
|
|
||||||
|
tt.descclassname {
|
||||||
|
background-color: transparent;
|
||||||
|
}
|
||||||
|
|
||||||
|
tt.xref, a tt {
|
||||||
|
background-color: transparent;
|
||||||
|
font-weight: bold;
|
||||||
|
}
|
||||||
|
|
||||||
|
h1 tt, h2 tt, h3 tt, h4 tt, h5 tt, h6 tt {
|
||||||
|
background-color: transparent;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* -- math display ---------------------------------------------------------- */
|
||||||
|
|
||||||
|
img.math {
|
||||||
|
vertical-align: middle;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.body div.math p {
|
||||||
|
text-align: center;
|
||||||
|
}
|
||||||
|
|
||||||
|
span.eqno {
|
||||||
|
float: right;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* -- printout stylesheet --------------------------------------------------- */
|
||||||
|
|
||||||
|
@media print {
|
||||||
|
div.document,
|
||||||
|
div.documentwrapper,
|
||||||
|
div.bodywrapper {
|
||||||
|
margin: 0 !important;
|
||||||
|
width: 100%;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar,
|
||||||
|
div.related,
|
||||||
|
div.footer,
|
||||||
|
#top-link {
|
||||||
|
display: none;
|
||||||
|
}
|
||||||
|
}
|
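Review bot: the header comment identifies this file as the Sphinx basic theme stylesheet, but unlike nature.css below it carries no `:copyright:` / `:license: BSD` notice; a vendored Sphinx file should keep that header so the attribution survives in this repository. Smaller points in the same hunk: `.field-list ul` is declared twice (first with only `padding-left: 1em;` under the general body styles, again with `margin: 0; padding-left: 1em;` under the other body styles), so the first rule is redundant; `.first { }` is an empty rule that can be dropped; and `.footnote:target` is missing the semicolon after `background-color: #ffa`.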
230
doc/source/_themes/openstack/static/default.css
Normal file
@ -0,0 +1,230 @@
/**
|
||||||
|
* Sphinx stylesheet -- default theme
|
||||||
|
* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
*/
|
||||||
|
|
||||||
|
@import url("basic.css");
|
||||||
|
|
||||||
|
/* -- page layout ----------------------------------------------------------- */
|
||||||
|
|
||||||
|
body {
|
||||||
|
font-family: sans-serif;
|
||||||
|
font-size: 100%;
|
||||||
|
background-color: #11303d;
|
||||||
|
color: #000;
|
||||||
|
margin: 0;
|
||||||
|
padding: 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.document {
|
||||||
|
background-color: #1c4e63;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.documentwrapper {
|
||||||
|
float: left;
|
||||||
|
width: 100%;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.bodywrapper {
|
||||||
|
margin: 0 0 0 230px;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.body {
|
||||||
|
background-color: #ffffff;
|
||||||
|
color: #000000;
|
||||||
|
padding: 0 20px 30px 20px;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.footer {
|
||||||
|
color: #ffffff;
|
||||||
|
width: 100%;
|
||||||
|
padding: 9px 0 9px 0;
|
||||||
|
text-align: center;
|
||||||
|
font-size: 75%;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.footer a {
|
||||||
|
color: #ffffff;
|
||||||
|
text-decoration: underline;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.related {
|
||||||
|
background-color: #133f52;
|
||||||
|
line-height: 30px;
|
||||||
|
color: #ffffff;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.related a {
|
||||||
|
color: #ffffff;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar {
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar h3 {
|
||||||
|
font-family: 'Trebuchet MS', sans-serif;
|
||||||
|
color: #ffffff;
|
||||||
|
font-size: 1.4em;
|
||||||
|
font-weight: normal;
|
||||||
|
margin: 0;
|
||||||
|
padding: 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar h3 a {
|
||||||
|
color: #ffffff;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar h4 {
|
||||||
|
font-family: 'Trebuchet MS', sans-serif;
|
||||||
|
color: #ffffff;
|
||||||
|
font-size: 1.3em;
|
||||||
|
font-weight: normal;
|
||||||
|
margin: 5px 0 0 0;
|
||||||
|
padding: 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar p {
|
||||||
|
color: #ffffff;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar p.topless {
|
||||||
|
margin: 5px 10px 10px 10px;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar ul {
|
||||||
|
margin: 10px;
|
||||||
|
padding: 0;
|
||||||
|
color: #ffffff;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar a {
|
||||||
|
color: #98dbcc;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar input {
|
||||||
|
border: 1px solid #98dbcc;
|
||||||
|
font-family: sans-serif;
|
||||||
|
font-size: 1em;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* -- body styles ----------------------------------------------------------- */
|
||||||
|
|
||||||
|
a {
|
||||||
|
color: #355f7c;
|
||||||
|
text-decoration: none;
|
||||||
|
}
|
||||||
|
|
||||||
|
a:hover {
|
||||||
|
text-decoration: underline;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.body p, div.body dd, div.body li {
|
||||||
|
text-align: left;
|
||||||
|
line-height: 130%;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.body h1,
|
||||||
|
div.body h2,
|
||||||
|
div.body h3,
|
||||||
|
div.body h4,
|
||||||
|
div.body h5,
|
||||||
|
div.body h6 {
|
||||||
|
font-family: 'Trebuchet MS', sans-serif;
|
||||||
|
background-color: #f2f2f2;
|
||||||
|
font-weight: normal;
|
||||||
|
color: #20435c;
|
||||||
|
border-bottom: 1px solid #ccc;
|
||||||
|
margin: 20px -20px 10px -20px;
|
||||||
|
padding: 3px 0 3px 10px;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.body h1 { margin-top: 0; font-size: 200%; }
|
||||||
|
div.body h2 { font-size: 160%; }
|
||||||
|
div.body h3 { font-size: 140%; }
|
||||||
|
div.body h4 { font-size: 120%; }
|
||||||
|
div.body h5 { font-size: 110%; }
|
||||||
|
div.body h6 { font-size: 100%; }
|
||||||
|
|
||||||
|
a.headerlink {
|
||||||
|
color: #c60f0f;
|
||||||
|
font-size: 0.8em;
|
||||||
|
padding: 0 4px 0 4px;
|
||||||
|
text-decoration: none;
|
||||||
|
}
|
||||||
|
|
||||||
|
a.headerlink:hover {
|
||||||
|
background-color: #c60f0f;
|
||||||
|
color: white;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.body p, div.body dd, div.body li {
|
||||||
|
text-align: left;
|
||||||
|
line-height: 130%;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.admonition p.admonition-title + p {
|
||||||
|
display: inline;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.admonition p {
|
||||||
|
margin-bottom: 5px;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.admonition pre {
|
||||||
|
margin-bottom: 5px;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.admonition ul, div.admonition ol {
|
||||||
|
margin-bottom: 5px;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.note {
|
||||||
|
background-color: #eee;
|
||||||
|
border: 1px solid #ccc;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.seealso {
|
||||||
|
background-color: #ffc;
|
||||||
|
border: 1px solid #ff6;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.topic {
|
||||||
|
background-color: #eee;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.warning {
|
||||||
|
background-color: #ffe4e4;
|
||||||
|
border: 1px solid #f66;
|
||||||
|
}
|
||||||
|
|
||||||
|
p.admonition-title {
|
||||||
|
display: inline;
|
||||||
|
}
|
||||||
|
|
||||||
|
p.admonition-title:after {
|
||||||
|
content: ":";
|
||||||
|
}
|
||||||
|
|
||||||
|
pre {
|
||||||
|
padding: 5px;
|
||||||
|
background-color: #eeffcc;
|
||||||
|
color: #333333;
|
||||||
|
line-height: 120%;
|
||||||
|
border: 1px solid #ac9;
|
||||||
|
border-left: none;
|
||||||
|
border-right: none;
|
||||||
|
}
|
||||||
|
|
||||||
|
tt {
|
||||||
|
background-color: #ecf0f3;
|
||||||
|
padding: 0 1px 0 1px;
|
||||||
|
font-size: 0.95em;
|
||||||
|
}
|
||||||
|
|
||||||
|
.warning tt {
|
||||||
|
background: #efc2c2;
|
||||||
|
}
|
||||||
|
|
||||||
|
.note tt {
|
||||||
|
background: #d6d6d6;
|
||||||
|
}
|
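Review bot: theme.conf later in this change sets `stylesheet = nature.css`, and nature.css only `@import`s basic.css, so nothing visible in the theme references default.css; unless layout.html links it explicitly it is dead weight and should be removed rather than maintained alongside nature.css. Within the file, the `div.body p, div.body dd, div.body li` rule appears twice with identical declarations (`text-align: left; line-height: 130%;`), and `div.sphinxsidebar { }` is an empty rule.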
BIN
doc/source/_themes/openstack/static/header-line.gif
Normal file
Binary file not shown.
After Width: | Height: | Size: 48 B |
BIN
doc/source/_themes/openstack/static/header_bg.jpg
Normal file
Binary file not shown.
After Width: | Height: | Size: 3.7 KiB |
245
doc/source/_themes/openstack/static/nature.css
Normal file
@ -0,0 +1,245 @@
/*
|
||||||
|
* nature.css_t
|
||||||
|
* ~~~~~~~~~~~~
|
||||||
|
*
|
||||||
|
* Sphinx stylesheet -- nature theme.
|
||||||
|
*
|
||||||
|
* :copyright: Copyright 2007-2011 by the Sphinx team, see AUTHORS.
|
||||||
|
* :license: BSD, see LICENSE for details.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
@import url("basic.css");
|
||||||
|
|
||||||
|
/* -- page layout ----------------------------------------------------------- */
|
||||||
|
|
||||||
|
body {
|
||||||
|
font-family: Arial, sans-serif;
|
||||||
|
font-size: 100%;
|
||||||
|
background-color: #111;
|
||||||
|
color: #555;
|
||||||
|
margin: 0;
|
||||||
|
padding: 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.documentwrapper {
|
||||||
|
float: left;
|
||||||
|
width: 100%;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.bodywrapper {
|
||||||
|
margin: 0 0 0 {{ theme_sidebarwidth|toint }}px;
|
||||||
|
}
|
||||||
|
|
||||||
|
hr {
|
||||||
|
border: 1px solid #B1B4B6;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.document {
|
||||||
|
background-color: #eee;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.body {
|
||||||
|
background-color: #ffffff;
|
||||||
|
color: #3E4349;
|
||||||
|
padding: 0 30px 30px 30px;
|
||||||
|
font-size: 0.9em;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.footer {
|
||||||
|
color: #555;
|
||||||
|
width: 100%;
|
||||||
|
padding: 13px 0;
|
||||||
|
text-align: center;
|
||||||
|
font-size: 75%;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.footer a {
|
||||||
|
color: #444;
|
||||||
|
text-decoration: underline;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.related {
|
||||||
|
background-color: #6BA81E;
|
||||||
|
line-height: 32px;
|
||||||
|
color: #fff;
|
||||||
|
text-shadow: 0px 1px 0 #444;
|
||||||
|
font-size: 0.9em;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.related a {
|
||||||
|
color: #E2F3CC;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar {
|
||||||
|
font-size: 0.75em;
|
||||||
|
line-height: 1.5em;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebarwrapper{
|
||||||
|
padding: 20px 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar h3,
|
||||||
|
div.sphinxsidebar h4 {
|
||||||
|
font-family: Arial, sans-serif;
|
||||||
|
color: #222;
|
||||||
|
font-size: 1.2em;
|
||||||
|
font-weight: normal;
|
||||||
|
margin: 0;
|
||||||
|
padding: 5px 10px;
|
||||||
|
background-color: #ddd;
|
||||||
|
text-shadow: 1px 1px 0 white
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar h4{
|
||||||
|
font-size: 1.1em;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar h3 a {
|
||||||
|
color: #444;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
div.sphinxsidebar p {
|
||||||
|
color: #888;
|
||||||
|
padding: 5px 20px;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar p.topless {
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar ul {
|
||||||
|
margin: 10px 20px;
|
||||||
|
padding: 0;
|
||||||
|
color: #000;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar a {
|
||||||
|
color: #444;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar input {
|
||||||
|
border: 1px solid #ccc;
|
||||||
|
font-family: sans-serif;
|
||||||
|
font-size: 1em;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar input[type=text]{
|
||||||
|
margin-left: 20px;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* -- body styles ----------------------------------------------------------- */
|
||||||
|
|
||||||
|
a {
|
||||||
|
color: #005B81;
|
||||||
|
text-decoration: none;
|
||||||
|
}
|
||||||
|
|
||||||
|
a:hover {
|
||||||
|
color: #E32E00;
|
||||||
|
text-decoration: underline;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.body h1,
|
||||||
|
div.body h2,
|
||||||
|
div.body h3,
|
||||||
|
div.body h4,
|
||||||
|
div.body h5,
|
||||||
|
div.body h6 {
|
||||||
|
font-family: Arial, sans-serif;
|
||||||
|
background-color: #BED4EB;
|
||||||
|
font-weight: normal;
|
||||||
|
color: #212224;
|
||||||
|
margin: 30px 0px 10px 0px;
|
||||||
|
padding: 5px 0 5px 10px;
|
||||||
|
text-shadow: 0px 1px 0 white
|
||||||
|
}
|
||||||
|
|
||||||
|
div.body h1 { border-top: 20px solid white; margin-top: 0; font-size: 200%; }
|
||||||
|
div.body h2 { font-size: 150%; background-color: #C8D5E3; }
|
||||||
|
div.body h3 { font-size: 120%; background-color: #D8DEE3; }
|
||||||
|
div.body h4 { font-size: 110%; background-color: #D8DEE3; }
|
||||||
|
div.body h5 { font-size: 100%; background-color: #D8DEE3; }
|
||||||
|
div.body h6 { font-size: 100%; background-color: #D8DEE3; }
|
||||||
|
|
||||||
|
a.headerlink {
|
||||||
|
color: #c60f0f;
|
||||||
|
font-size: 0.8em;
|
||||||
|
padding: 0 4px 0 4px;
|
||||||
|
text-decoration: none;
|
||||||
|
}
|
||||||
|
|
||||||
|
a.headerlink:hover {
|
||||||
|
background-color: #c60f0f;
|
||||||
|
color: white;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.body p, div.body dd, div.body li {
|
||||||
|
line-height: 1.5em;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.admonition p.admonition-title + p {
|
||||||
|
display: inline;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.highlight{
|
||||||
|
background-color: white;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.note {
|
||||||
|
background-color: #eee;
|
||||||
|
border: 1px solid #ccc;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.seealso {
|
||||||
|
background-color: #ffc;
|
||||||
|
border: 1px solid #ff6;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.topic {
|
||||||
|
background-color: #eee;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.warning {
|
||||||
|
background-color: #ffe4e4;
|
||||||
|
border: 1px solid #f66;
|
||||||
|
}
|
||||||
|
|
||||||
|
p.admonition-title {
|
||||||
|
display: inline;
|
||||||
|
}
|
||||||
|
|
||||||
|
p.admonition-title:after {
|
||||||
|
content: ":";
|
||||||
|
}
|
||||||
|
|
||||||
|
pre {
|
||||||
|
padding: 10px;
|
||||||
|
background-color: White;
|
||||||
|
color: #222;
|
||||||
|
line-height: 1.2em;
|
||||||
|
border: 1px solid #C6C9CB;
|
||||||
|
font-size: 1.1em;
|
||||||
|
margin: 1.5em 0 1.5em 0;
|
||||||
|
-webkit-box-shadow: 1px 1px 1px #d8d8d8;
|
||||||
|
-moz-box-shadow: 1px 1px 1px #d8d8d8;
|
||||||
|
}
|
||||||
|
|
||||||
|
tt {
|
||||||
|
background-color: #ecf0f3;
|
||||||
|
color: #222;
|
||||||
|
/* padding: 1px 2px; */
|
||||||
|
font-size: 1.1em;
|
||||||
|
font-family: monospace;
|
||||||
|
}
|
||||||
|
|
||||||
|
.viewcode-back {
|
||||||
|
font-family: Arial, sans-serif;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.viewcode-block:target {
|
||||||
|
background-color: #f4debf;
|
||||||
|
border-top: 1px solid #ac9;
|
||||||
|
border-bottom: 1px solid #ac9;
|
||||||
|
}
|
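Review bot: `margin: 0 0 0 {{ theme_sidebarwidth|toint }}px;` in `div.bodywrapper` is a Jinja expression, but the file is added as nature.css rather than nature.css_t (the name its own header comment still carries); Sphinx only renders static files with the `_t` suffix as templates, so this line is copied verbatim and the browser discards the declaration as invalid CSS. Either rename the file to nature.css_t or hard-code the sidebar width. Minor: the `text-shadow` declarations that close the `div.sphinxsidebar h3, div.sphinxsidebar h4` block and the `div.body h1` to `h6` block lack a trailing semicolon.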
BIN
doc/source/_themes/openstack/static/openstack_logo.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 3.6 KiB |
128
doc/source/_themes/openstack/static/tweaks.css
Normal file
@ -0,0 +1,128 @@
body {
|
||||||
|
background: #fff url(../_static/header_bg.jpg) top left no-repeat;
|
||||||
|
}
|
||||||
|
|
||||||
|
#header {
|
||||||
|
width: 950px;
|
||||||
|
margin: 0 auto;
|
||||||
|
height: 102px;
|
||||||
|
}
|
||||||
|
|
||||||
|
#header h1#logo {
|
||||||
|
background: url(../_static/openstack_logo.png) top left no-repeat;
|
||||||
|
display: block;
|
||||||
|
float: left;
|
||||||
|
text-indent: -9999px;
|
||||||
|
width: 175px;
|
||||||
|
height: 55px;
|
||||||
|
}
|
||||||
|
|
||||||
|
#navigation {
|
||||||
|
background: url(../_static/header-line.gif) repeat-x 0 bottom;
|
||||||
|
display: block;
|
||||||
|
float: left;
|
||||||
|
margin: 27px 0 0 25px;
|
||||||
|
padding: 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
#navigation li{
|
||||||
|
float: left;
|
||||||
|
display: block;
|
||||||
|
margin-right: 25px;
|
||||||
|
}
|
||||||
|
|
||||||
|
#navigation li a {
|
||||||
|
display: block;
|
||||||
|
font-weight: normal;
|
||||||
|
text-decoration: none;
|
||||||
|
background-position: 50% 0;
|
||||||
|
padding: 20px 0 5px;
|
||||||
|
color: #353535;
|
||||||
|
font-size: 14px;
|
||||||
|
}
|
||||||
|
|
||||||
|
#navigation li a.current, #navigation li a.section {
|
||||||
|
border-bottom: 3px solid #cf2f19;
|
||||||
|
color: #cf2f19;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.related {
|
||||||
|
background-color: #cde2f8;
|
||||||
|
border: 1px solid #b0d3f8;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.related a {
|
||||||
|
color: #4078ba;
|
||||||
|
text-shadow: none;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebarwrapper {
|
||||||
|
padding-top: 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
pre {
|
||||||
|
color: #555;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.documentwrapper h1, div.documentwrapper h2, div.documentwrapper h3, div.documentwrapper h4, div.documentwrapper h5, div.documentwrapper h6 {
|
||||||
|
font-family: 'PT Sans', sans-serif !important;
|
||||||
|
color: #264D69;
|
||||||
|
border-bottom: 1px dotted #C5E2EA;
|
||||||
|
padding: 0;
|
||||||
|
background: none;
|
||||||
|
padding-bottom: 5px;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.documentwrapper h3 {
|
||||||
|
color: #CF2F19;
|
||||||
|
}
|
||||||
|
|
||||||
|
a.headerlink {
|
||||||
|
color: #fff !important;
|
||||||
|
margin-left: 5px;
|
||||||
|
background: #CF2F19 !important;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.body {
|
||||||
|
margin-top: -25px;
|
||||||
|
margin-left: 260px;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.document {
|
||||||
|
width: 960px;
|
||||||
|
margin: 0 auto;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar h3.highlighted {
|
||||||
|
background-color: #cf2f19;
|
||||||
|
color: #EEE;
|
||||||
|
text-shadow: 1px 1px 0 #740101;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar h3.highlighted a {
|
||||||
|
color: #EEE;
|
||||||
|
}
|
||||||
|
|
||||||
|
/** provide visual separation for sidebar for increased readability. */
|
||||||
|
div.sphinxsidebar ul li {
|
||||||
|
margin-top: 1em;
|
||||||
|
font-weight: bold;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar ul li ul li {
|
||||||
|
margin-top: 0;
|
||||||
|
font-weight: normal;
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Provide the sidebar to allow long words to go to the next line
|
||||||
|
making them easier to read.*/
|
||||||
|
div.sphinxsidebar a {
|
||||||
|
display: block;
|
||||||
|
text-indent: -1em;
|
||||||
|
margin-left: 1em;
|
||||||
|
word-wrap: break-word;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.sphinxsidebar ul {
|
||||||
|
margin: 10px 10px;
|
||||||
|
}
|
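Review bot: the `url(../_static/header_bg.jpg)`, `url(../_static/openstack_logo.png)` and `url(../_static/header-line.gif)` references only resolve because the stylesheet itself lands in `_static/` next to those images once the theme's static directory is copied into the build output; a plain `url(header_bg.jpg)` is relative to the stylesheet's own location and does not depend on the output directory being named `_static`. The `!important` flags on `a.headerlink` and on the `div.documentwrapper h1` to `h6` font-family exist only to beat nature.css; linking tweaks.css after nature.css in the page makes the override order explicit without them.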
7
doc/source/_themes/openstack/theme.conf
Normal file
@ -0,0 +1,7 @@
[theme]
|
||||||
|
inherit = basic
|
||||||
|
stylesheet = nature.css
|
||||||
|
pygments_style = tango
|
||||||
|
|
||||||
|
[options]
|
||||||
|
incubating = false
|
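Review bot: `pygments_style = tango` here is overridden by `pygments_style = 'sphinx'` in doc/source/conf.py below, since an explicit conf.py value takes precedence over the theme's setting, so one of the two is dead configuration; keep the setting in one place. `incubating = false` under `[options]` is not consumed by any stylesheet in this change, so a short comment in theme.conf noting which template reads `theme_incubating` would help the next reader.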
287
doc/source/conf.py
Normal file
@ -0,0 +1,287 @@
#!/usr/bin/env python3
|
||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
#
|
||||||
|
# openstack-ansible documentation build configuration file, created by
|
||||||
|
# sphinx-quickstart on Mon Apr 13 20:42:26 2015.
|
||||||
|
#
|
||||||
|
# This file is execfile()d with the current directory set to its
|
||||||
|
# containing dir.
|
||||||
|
#
|
||||||
|
# Note that not all possible configuration values are present in this
|
||||||
|
# autogenerated file.
|
||||||
|
#
|
||||||
|
# All configuration values have a default; values that are commented out
|
||||||
|
# serve to show the default.
|
||||||
|
|
||||||
|
# If extensions (or modules to document with autodoc) are in another directory,
|
||||||
|
# add these directories to sys.path here. If the directory is relative to the
|
||||||
|
# documentation root, use os.path.abspath to make it absolute, like shown here.
|
||||||
|
# sys.path.insert(0, os.path.abspath('.'))
|
||||||
|
|
||||||
|
# -- General configuration ------------------------------------------------
|
||||||
|
|
||||||
|
# If your documentation needs a minimal Sphinx version, state it here.
|
||||||
|
# needs_sphinx = '1.0'
|
||||||
|
|
||||||
|
# Add any Sphinx extension module names here, as strings. They can be
|
||||||
|
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
|
||||||
|
# ones.
|
||||||
|
extensions = [
|
||||||
|
'sphinx.ext.autodoc',
|
||||||
|
'oslosphinx'
|
||||||
|
]
|
||||||
|
|
||||||
|
# Add any paths that contain templates here, relative to this directory.
|
||||||
|
templates_path = ['_templates']
|
||||||
|
|
||||||
|
# The suffix(es) of source filenames.
|
||||||
|
# You can specify multiple suffix as a list of string:
|
||||||
|
# source_suffix = ['.rst', '.md']
|
||||||
|
source_suffix = '.rst'
|
||||||
|
|
||||||
|
# The encoding of source files.
|
||||||
|
# source_encoding = 'utf-8-sig'
|
||||||
|
|
||||||
|
# The master toctree document.
|
||||||
|
master_doc = 'index'
|
||||||
|
|
||||||
|
# General information about the project.
|
||||||
|
project = 'openstack-ansible-security'
|
||||||
|
copyright = '2015, openstack-ansible contributors'
|
||||||
|
author = 'openstack-ansible contributors'
|
||||||
|
|
||||||
|
# The version info for the project you're documenting, acts as replacement for
|
||||||
|
# |version| and |release|, also used in various other places throughout the
|
||||||
|
# built documents.
|
||||||
|
#
|
||||||
|
# The short X.Y version.
|
||||||
|
version = 'master'
|
||||||
|
# The full version, including alpha/beta/rc tags.
|
||||||
|
release = 'master'
|
||||||
|
|
||||||
|
# The language for content autogenerated by Sphinx. Refer to documentation
|
||||||
|
# for a list of supported languages.
|
||||||
|
#
|
||||||
|
# This is also used if you do content translation via gettext catalogs.
|
||||||
|
# Usually you set "language" from the command line for these cases.
|
||||||
|
language = None
|
||||||
|
|
||||||
|
# There are two options for replacing |today|: either, you set today to some
|
||||||
|
# non-false value, then it is used:
|
||||||
|
# today = ''
|
||||||
|
# Else, today_fmt is used as the format for a strftime call.
|
||||||
|
# today_fmt = '%B %d, %Y'
|
||||||
|
|
||||||
|
# List of patterns, relative to source directory, that match files and
|
||||||
|
# directories to ignore when looking for source files.
|
||||||
|
exclude_patterns = []

# The reST default role (used for this markup: `text`) to use for all
# documents.
# default_role = None

# If true, '()' will be appended to :func: etc. cross-reference text.
# add_function_parentheses = True

# If true, the current module name will be prepended to all description
# unit titles (such as .. function::).
# add_module_names = True

# If true, sectionauthor and moduleauthor directives will be shown in the
# output. They are ignored by default.
# show_authors = False

# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'

# A list of ignored prefixes for module index sorting.
# modindex_common_prefix = []

# If true, keep warnings as "system message" paragraphs in the built documents.
# keep_warnings = False

# If true, `todo` and `todoList` produce output, else they produce nothing.
todo_include_todos = False


# -- Options for HTML output ----------------------------------------------

# The theme to use for HTML and HTML Help pages. See the documentation for
# a list of builtin themes.
html_theme = 'openstack'

# Theme options are theme-specific and customize the look and feel of a theme
# further. For a list of options available for each theme, see the
# documentation.
# html_theme_options = {}

# Add any paths that contain custom themes here, relative to this directory.
html_theme_path = ['_themes']

# The name for this set of Sphinx documents. If None, it defaults to
# "<project> v<release> documentation".
# html_title = None

# A shorter title for the navigation bar. Default is the same as html_title.
# html_short_title = None

# The name of an image file (relative to this directory) to place at the top
# of the sidebar.
# html_logo = None

# The name of an image file (within the static path) to use as favicon of the
# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
# pixels large.
# html_favicon = None

# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
html_static_path = ['_static']

# Add any extra paths that contain custom files (such as robots.txt or
# .htaccess) here, relative to this directory. These files are copied
# directly to the root of the documentation.
# html_extra_path = []

# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
# using the given strftime format.
# html_last_updated_fmt = '%b %d, %Y'

# If true, SmartyPants will be used to convert quotes and dashes to
# typographically correct entities.
# html_use_smartypants = True

# Custom sidebar templates, maps document names to template names.
# html_sidebars = {}

# Additional templates that should be rendered to pages, maps page names to
# template names.
# html_additional_pages = {}

# If false, no module index is generated.
# html_domain_indices = True

# If false, no index is generated.
# html_use_index = True

# If true, the index is split into individual pages for each letter.
# html_split_index = False

# If true, links to the reST sources are added to the pages.
# html_show_sourcelink = True

# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
# html_show_sphinx = True

# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
# html_show_copyright = True

# If true, an OpenSearch description file will be output, and all pages will
# contain a <link> tag referring to it. The value of this option must be the
# base URL from which the finished HTML is served.
# html_use_opensearch = ''

# This is the file name suffix for HTML files (e.g. ".xhtml").
# html_file_suffix = None

# Language to be used for generating the HTML full-text search index.
# Sphinx supports the following languages:
# 'da', 'de', 'en', 'es', 'fi', 'fr', 'h', 'it', 'ja'
# 'nl', 'no', 'pt', 'ro', 'r', 'sv', 'tr'
# html_search_language = 'en'

# A dictionary with options for the search language support, empty by default.
# Now only 'ja' uses this config value
# html_search_options = {'type': 'default'}

# The name of a javascript file (relative to the configuration directory) that
# implements a search results scorer. If empty, the default will be used.
# html_search_scorer = 'scorer.js'

# Output file base name for HTML help builder.
htmlhelp_basename = 'openstack-ansibledoc'

# -- Options for LaTeX output ---------------------------------------------

latex_elements = {
# The paper size ('letterpaper' or 'a4paper').
# 'papersize': 'letterpaper',

# The font size ('10pt', '11pt' or '12pt').
# 'pointsize': '10pt',

# Additional stuff for the LaTeX preamble.
# 'preamble': '',

# Latex figure (float) alignment
# 'figure_align': 'htbp',
}

# Grouping the document tree into LaTeX files. List of tuples
# (source start file, target name, title,
# author, documentclass [howto, manual, or own class]).
latex_documents = [
(master_doc, 'openstack-ansible.tex',
'openstack-ansible Documentation',
'openstack-ansible contributors', 'manual'),
]

# The name of an image file (relative to this directory) to place at the top of
# the title page.
# latex_logo = None

# For "manual" documents, if this is true, then toplevel headings are parts,
# not chapters.
# latex_use_parts = False

# If true, show page references after internal links.
# latex_show_pagerefs = False

# If true, show URL addresses after external links.
# latex_show_urls = False

# Documents to append as an appendix to all manuals.
# latex_appendices = []

# If false, no module index is generated.
# latex_domain_indices = True


# -- Options for manual page output ---------------------------------------

# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
man_pages = [
(master_doc, 'openstack-ansible',
'openstack-ansible Documentation',
[author], 1)
]

# If true, show URL addresses after external links.
# man_show_urls = False


# -- Options for Texinfo output -------------------------------------------

# Grouping the document tree into Texinfo files. List of tuples
# (source start file, target name, title, author,
# dir menu entry, description, category)
texinfo_documents = [
(master_doc, 'openstack-ansible',
'openstack-ansible Documentation',
author, 'openstack-ansible', 'One line description of project.',
'Miscellaneous'),
]

# Documents to append as an appendix to all manuals.
# texinfo_appendices = []

# If false, no module index is generated.
# texinfo_domain_indices = True

# How to display URL addresses: 'footnote', 'no', or 'inline'.
# texinfo_show_urls = 'footnote'

# If true, do not generate a @detailmenu in the "Top" node's menu.
# texinfo_no_detailmenu = False
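
Review bot: the Texinfo entry still carries the sphinx-quickstart placeholder ``'One line description of project.'``, and the LaTeX, man and Texinfo targets (``'openstack-ansible.tex'``, ``'openstack-ansible'``, ``'openstack-ansible Documentation'``) together with ``htmlhelp_basename = 'openstack-ansibledoc'`` are named after openstack-ansible rather than this role; fill in a real one-line description and use the role's own name so the generated PDF and man page cannot be mistaken for the main project's. The commented list of search languages also reads ``'h'`` and ``'r'`` where the quickstart template has ``'hu'`` and ``'ru'``; harmless in a comment, but worth restoring while the file is being touched.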
1543
doc/source/configurations-cat1.rst
Normal file
File diff suppressed because it is too large
2194
doc/source/configurations-cat2.rst
Normal file
File diff suppressed because it is too large
267
doc/source/configurations-cat3.rst
Normal file
@ -0,0 +1,267 @@
.. include:: <xhtml1-lat1.txt>
`Home <index.html>`__ |raquo| Security hardening for openstack-ansible

Category 3 (High) configurations
================================

.. contents::
:depth: 2


V-38653: The snmpd service must not use a default password.
-----------------------------------------------------------

Presence of the default SNMP password enables querying of different system
aspects and could result in unauthorized knowledge of the system.

Details: `V-38653 in STIG Viewer`_.

.. _V-38653 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38653

Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38653.rst

V-38666: The system must use and update a DoD-approved virus scan program.
--------------------------------------------------------------------------

Virus scanning software can be used to detect if a system has been compromised
by computer viruses, as well as to limit their spread to other systems.

Details: `V-38666 in STIG Viewer`_.

.. _V-38666 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38666

Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38666.rst

V-38668: The x86 Ctrl-Alt-Delete key sequence must be disabled.
---------------------------------------------------------------

A locally logged-in user who presses Ctrl-Alt-Delete, when at the console, can
reboot the system. If accidentally pressed, as could happen in the case of
mixed OS environment, this can create the risk of short-term loss of
availability of systems due to unintentional reboot. In the GNOME graphical
environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is
reduced because the user will be prompted before any action is taken.

Details: `V-38668 in STIG Viewer`_.

.. _V-38668 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38668

Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38668.rst

V-38462: The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
-------------------------------------------------------------------------------------------------------------------------------------

Ensuring all packages' cryptographic signatures are valid prior to
installation ensures the provenance of the software and protects against
malicious tampering.

Details: `V-38462 in STIG Viewer`_.

.. _V-38462 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38462

Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38462.rst

V-38497: The system must not have accounts configured with blank or null passwords.
-----------------------------------------------------------------------------------

If an account has an empty password, anyone could log in and run commands with
the privileges of that account. Accounts with empty passwords should never be
used in operational environments.

Details: `V-38497 in STIG Viewer`_.

.. _V-38497 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38497

Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38497.rst

V-38677: The NFS server must not have the insecure file locking option enabled.
-------------------------------------------------------------------------------

Allowing insecure file locking could allow for sensitive data to be viewed or
edited by an unauthorized user.

Details: `V-38677 in STIG Viewer`_.

.. _V-38677 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38677

Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38677.rst

V-38476: Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
-----------------------------------------------------------------------------------------------------------------

The Red Hat GPG keys are necessary to cryptographically verify packages are
from Red Hat.

Details: `V-38476 in STIG Viewer`_.

.. _V-38476 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38476

Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38476.rst

V-38491: There must be no .rhosts or hosts.equiv files on the system.
---------------------------------------------------------------------

Trust files are convenient, but when used in conjunction with the R-services,
they can allow unauthenticated access to a system.

Details: `V-38491 in STIG Viewer`_.

.. _V-38491 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38491

Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38491.rst

V-38607: The SSH daemon must be configured to use only the SSHv2 protocol.
--------------------------------------------------------------------------

SSH protocol version 1 suffers from design flaws that result in security
vulnerabilities and should not be used.

Details: `V-38607 in STIG Viewer`_.

.. _V-38607 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38607

Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38607.rst

V-38602: The rlogind service must not be running.
-------------------------------------------------

The rlogin service uses unencrypted network communications, which means that
data from the login session, including passwords and all other information
transmitted during the session, can be stolen by eavesdroppers on the network.

Details: `V-38602 in STIG Viewer`_.

.. _V-38602 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38602

Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38602.rst

V-38594: The rshd service must not be running.
----------------------------------------------

The rsh service uses unencrypted network communications, which means that data
from the login session, including passwords and all other information
transmitted during the session, can be stolen by eavesdroppers on the network.

Details: `V-38594 in STIG Viewer`_.

.. _V-38594 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38594

Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38594.rst

V-38591: The rsh-server package must not be installed.
------------------------------------------------------

The "rsh-server" package provides several obsolete and insecure network
services. Removing it decreases the risk of those services' accidental (or
intentional) activation.

Details: `V-38591 in STIG Viewer`_.

.. _V-38591 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38591

Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38591.rst

V-38598: The rexecd service must not be running.
------------------------------------------------

The rexec service uses unencrypted network communications, which means that
data from the login session, including passwords and all other information
transmitted during the session, can be stolen by eavesdroppers on the network.

Details: `V-38598 in STIG Viewer`_.

.. _V-38598 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38598

Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38598.rst

V-38587: The telnet-server package must not be installed.
---------------------------------------------------------

Removing the "telnet-server" package decreases the risk of the unencrypted
telnet service's accidental (or intentional) activation. Mitigation: If the
telnet-server package is configured to only allow encrypted sessions, such as
with Kerberos or the use of encrypted network tunnels, the risk of exposing
sensitive information is mitigated.

Details: `V-38587 in STIG Viewer`_.

.. _V-38587 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38587

Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38587.rst

V-38589: The telnet daemon must not be running.
-----------------------------------------------

The telnet protocol uses unencrypted network communication, which means that
data from the login session, including passwords and all other information
transmitted during the session, can be stolen by eavesdroppers on the network.
The telnet protocol is also subject to man-in-the-middle attacks. Mitigation:
If an enabled telnet daemon is configured to only allow encrypted sessions,
such as with Kerberos or the use of encrypted network tunnels, the risk of
exposing sensitive information is mitigated.

Details: `V-38589 in STIG Viewer`_.

.. _V-38589 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38589

Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38589.rst

V-38701: The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
------------------------------------------------------------------------------------------------------------------------------

Using the "-s" option causes the TFTP service to only serve files from the
given directory. Serving files from an intentionally specified directory
reduces the risk of sharing files which should remain private.

Details: `V-38701 in STIG Viewer`_.

.. _V-38701 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38701

Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38701.rst

V-38614: The SSH daemon must not allow authentication using an empty password.
------------------------------------------------------------------------------

Configuring this setting for the SSH daemon provides additional assurance that
remote login via SSH will require a password, even in the event of
misconfiguration elsewhere.

Details: `V-38614 in STIG Viewer`_.

.. _V-38614 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38614

Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38614.rst
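
Review bot: the title ``Category 3 (High) configurations`` inverts the STIG's own numbering: DISA's CAT I is the highest severity and CAT III the lowest, and every finding on this page (V-38653 through V-38614) is listed as a CAT I, high-severity finding on the STIG Viewer pages linked under each heading. Either name the pages after the STIG categories or add one sentence under the title stating that this role's category 3 corresponds to the STIG's CAT I, so that a deployer cross-checking against the STIG does not conclude the wrong list is being applied.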
12
doc/source/configurations.rst
Normal file
@ -0,0 +1,12 @@
.. include:: <xhtml1-lat1.txt>
`Home <index.html>`__ |raquo| Security hardening for openstack-ansible

Security hardening configurations
=================================

.. toctree::
:maxdepth: 2

configurations-cat3.rst
configurations-cat2.rst
configurations-cat1.rst
6
doc/source/developer-notes/V-38437.rst
Normal file
@ -0,0 +1,6 @@
If ``autofs`` is installed, it will be disabled by Ansible tasks. To opt-out
of this change, adjust the following variable:

.. code-block:: yaml

disable_services['autofs'] = no
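
Review bot: the snippet under ``.. code-block:: yaml`` is not YAML: ``disable_services['autofs'] = no`` is subscript-assignment syntax, so a deployer who pastes it into a vars file gets a parse error instead of an opt-out. Show the override in the form the role's defaults actually use (a ``disable_services`` mapping with ``autofs`` set to ``no``, matching however the variable is declared in the role's defaults), and keep that same shape in the other developer notes that show overrides.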
8
doc/source/developer-notes/V-38438.rst
Normal file
@ -0,0 +1,8 @@
**Exception**

Adjusting the bootloader configuration can cause issues with reboots and this
work is left up to the deployer. Enabling auditing at boot time is helpful,
but the risk may not be worth the change in most environments.

The ``auditd`` process starts very early during the boot process to catch
events already, and this should be sufficient for most environments.
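
Review bot: the justification in the last paragraph leaves out what the control actually buys: the ``audit=1`` kernel parameter the STIG asks for makes the kernel audit from the first process and queue records until ``auditd`` attaches, so everything that runs before the daemon (initramfs, early init units) is covered; a userspace daemon, however early it starts, cannot record what ran before it. Keeping this as an exception is a reasonable call for a hardening role that must not break reboots, but the text should name that gap so deployers can decide whether to set the parameter themselves.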
5
doc/source/developer-notes/V-38439.rst
Normal file
@ -0,0 +1,5 @@
**Exception**

Although adding centralized authentication and carefully managing user
accounts is critical for securing any system, that's left up to deployers
to handle via their internal business processes.
4
doc/source/developer-notes/V-38443.rst
Normal file
@ -0,0 +1,4 @@
The Ansible tasks will ensure that ``/etc/gshadow`` is owned by root. This is
the default in Ubuntu 14.04 already, but the tasks will ensure that the
permissions match the STIG requirements in case they were changed by other
means after the installation of the operating system.
4
doc/source/developer-notes/V-38444.rst
Normal file
@ -0,0 +1,4 @@
**Exception**

See V-38551 for additional details. IPv6 configuration and filtering is left
up to the deployer.
3
doc/source/developer-notes/V-38445.rst
Normal file
@ -0,0 +1,3 @@
Although audit log files are owned by the root user and group by default
in Ubuntu 14.04, the Ansible task for V-38445 will ensure that they are
configured as such.
4
doc/source/developer-notes/V-38446.rst
Normal file
@ -0,0 +1,4 @@
Forwarding root's email to another user is highly recommended, but the Ansible
tasks won't configure an email address to receive root's email unless that
email address is configured. Set ``root_forward_email`` to an email address
that is ready to receive root's email.
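
Review bot: "won't configure an email address ... unless that email address is configured" is circular; state it in terms of the variable, for example "root's mail is forwarded only when ``root_forward_email`` is set; it is unset by default", and say what the tasks write when it is set (an alias or a ``.forward`` entry, whichever the role uses) so deployers know where to look when mail does not arrive.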
11
doc/source/developer-notes/V-38447.rst
Normal file
@ -0,0 +1,11 @@
**Exception**

Verifying contents of files installed from packages is more difficult in
Ubuntu, mainly due to the lack of an equivalent of ``rpm -V``. The ``debsums``
package installs the ``debsums`` command and that can be used to look for
files that have changed since the package was installed.

However, not all packages have MD5 checksums for all files and ``debsums``
doesn't do detailed checking like ``rpm``. Deployers are urged to run
``debsums -c`` to review changes made to files on their systems. This report
takes a long time to run on most systems.
2
doc/source/developer-notes/V-38448.rst
Normal file
@ -0,0 +1,2 @@
Although the ``/etc/gshadow`` file is group-owned by root by default, the
Ansible tasks will ensure that it is configured that way.
2
doc/source/developer-notes/V-38449.rst
Normal file
@ -0,0 +1,2 @@
The ``/etc/gshadow`` file's permissions will be changed to ``0000`` to meet
the requirements of the STIG.
1
doc/source/developer-notes/V-38450.rst
Normal file
@ -0,0 +1 @@
The ownership of ``/etc/passwd`` will be changed to root.
1
doc/source/developer-notes/V-38451.rst
Normal file
@ -0,0 +1 @@
The group ownership for ``/etc/passwd`` will be set to root.
5
doc/source/developer-notes/V-38452.rst
Normal file
@ -0,0 +1,5 @@
**Exception**

Verifying permissions of installed packages isn't possible in the current
version of ``dpkg`` as it is with ``rpm``. This security configuration is
skipped.
5
doc/source/developer-notes/V-38453.rst
Normal file
@ -0,0 +1,5 @@
**Exception**

Verifying ownership of installed packages isn't possible in the current
version of ``dpkg`` as it is with ``rpm``. This security configuration is
skipped.
6
doc/source/developer-notes/V-38454.rst
Normal file
@ -0,0 +1,6 @@
**Exception**

Verifying ownership of installed packages isn't possible in the current
version of ``dpkg`` as it is with ``rpm``. This security configuration is
skipped.
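
Review bot: V-38453.rst and V-38454.rst are word-for-word identical (both say "ownership"), although the RHEL 6 STIG numbers them as separate checks, one for group-ownership (V-38453) and one for ownership (V-38454); say which property each exception covers so a reader of the page that includes them can tell the two apart, and drop the trailing blank line at the end of this file.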
8
doc/source/developer-notes/V-38455.rst
Normal file
@ -0,0 +1,8 @@
**Exception**

Configuring another mount for ``/tmp`` can disrupt a running system and this
configuration is skipped.

However, deployers are strongly urged to consider creating a separate
partition and/or LVM logical volume for ``/tmp`` during installation of the OS
if possible.
9
doc/source/developer-notes/V-38456.rst
Normal file
@ -0,0 +1,9 @@
**Exception**

Configuring another mount for ``/var`` can disrupt a running system and this
configuration is skipped.

However, deployers are strongly urged to consider creating a separate
partition and/or LVM logical volume for ``/var`` during installation of the OS
if possible.
1
doc/source/developer-notes/V-38457.rst
Normal file
@ -0,0 +1 @@
The permissions for ``/etc/passwd`` will be set to ``0644``.
1
doc/source/developer-notes/V-38459.rst
Normal file
@ -0,0 +1 @@
The tasks in file_perms.yml will ensure that "/etc/group" is owned by the root account.
4
doc/source/developer-notes/V-38460.rst
Normal file
@ -0,0 +1,4 @@
The Ansible tasks will chek for ``all_squash`` in ``/etc/exports`` (if it is
present). If found, a warning message will be printed. No configuration
changes will be made since neither Ubuntu or openstack-ansible configures
the NFS server by default.
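
Review bot: typo "chek" for "check" in the first line, and "neither Ubuntu or openstack-ansible" should be "neither Ubuntu nor openstack-ansible". It would also help to say why ``all_squash`` is flagged (it maps every client UID, not only root, to the anonymous user, which defeats per-user access control on the export) so the printed warning is actionable.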
2
doc/source/developer-notes/V-38461.rst
Normal file
@ -0,0 +1,2 @@
Ubuntu sets the mode of ``/etc/group`` to ``0644`` by default and the Ansible
task will ensure that it is current set to those permissions.
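
Review bot: "current set" should read "currently set".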
9
doc/source/developer-notes/V-38462.rst
Normal file
@ -0,0 +1,9 @@
Ubuntu checks packages against GPG signatures by default. It can be turned
off for all package installations by a setting in /etc/apt/apt.conf.d/ and we
search for that in the Ansible task. A warning is printed if the
``AllowUnauthenticated`` configuration option is present in the apt
configuration directories.

Please note that users can pass an argument on the apt command line
to bypass the checks as well, but that's outside the scope of this check
and remediation.
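
Review bot: warning on the mere presence of ``AllowUnauthenticated`` will also fire on a line that explicitly sets it to ``"false"``, and searching only ``/etc/apt/apt.conf.d/`` misses ``/etc/apt/apt.conf`` itself, which apt reads as well; match the option together with a true value and include the main file in the search. Two accuracy points for the prose: apt verifies the signature on the repository's Release/InRelease file and checks package hashes against it rather than a signature on each package, so "checks packages against GPG signatures" is a simplification worth a clause; and the command-line bypass in the second paragraph is worth naming (``--allow-unauthenticated``, or the equivalent ``-o APT::Get::AllowUnauthenticated=true``) so deployers know what to look for in shell history or audit logs.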
8
doc/source/developer-notes/V-38463.rst
Normal file
@ -0,0 +1,8 @@
**Exception**

Configuring a separate partition for ``/var/log`` is currently left up to the
deployer. There are security and operational benefits that come from the
change, but it must be done when the system is initially installed.

Deployers are urged to consider making a separate partition for ``/var/log``
during OS installation.
16
doc/source/developer-notes/V-38464.rst
Normal file
@ -0,0 +1,16 @@
Ubuntu's default for ``disk_error_action`` is ``SUSPEND``, which actually
only suspends audit logging. That could be a security issue, so ``SYSLOG``
is recommended and is set by default be openstack-ansible-security. There
are additional options available, like ``EXEC``, ``SINGLE`` or ``HALT``.

To configure a different ``disk_error_action``, set the following Ansible
variable:

.. code-block:: yaml

disk_error_action = SYSLOG

For details on available settings and what they do, run ``man auditd.conf``.
Some options can cause the host to go offline until the issue is fixed.
Deployers are urged to **carefully read the auditd documentation** prior to
changing the ``disk_error_action`` setting from the default.
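
Review bot: the snippet under ``.. code-block:: yaml`` uses ``=`` (``disk_error_action = SYSLOG``), which is not valid YAML for an Ansible variable; it should read ``disk_error_action: SYSLOG``. Also "set by default be openstack-ansible-security" should be "by openstack-ansible-security". Since the last paragraph warns that some values take the host offline, it would help to say which ones do (``SINGLE`` and ``HALT``; ``EXEC`` depends on the script it runs) so the warning is concrete.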
5
doc/source/developer-notes/V-38465.rst
Normal file
@ -0,0 +1,5 @@
**Exception**

Ubuntu 14.04 sets library files to have ``0755`` (or more restrictive)
permissions by default. Deployers are urged to review the permissions
of libraries regularly to ensure the system hasn't been altered.
5
doc/source/developer-notes/V-38466.rst
Normal file
@ -0,0 +1,5 @@
**Exception**

As with V-38465, Ubuntu sets the ownership of library files to root by
default. Deployers are urged to configure monitoring for changes to these
files.
4
doc/source/developer-notes/V-38467.rst
Normal file
@ -0,0 +1,4 @@
**Exception**

Storing audit logs on a separate partition is recommended, but this change
is left up to deployers to configure during the installation of the OS.
|
19
doc/source/developer-notes/V-38468.rst
Normal file
@ -0,0 +1,19 @@
Ubuntu's default for ``disk_full_action`` is ``SUSPEND``, which actually
only suspends audit logging. That could be a security issue, so ``SYSLOG``
is recommended and is set by default be openstack-ansible-security. If syslog
messages are being sent to remote servers, these log messages should alert
an administrator about the disk being full. There are additional options
available, like ``EXEC``, ``SINGLE`` or ``HALT``.

To configure a different ``disk_full_action``, set the following Ansible
variable:

.. code-block:: yaml

disk_full_action = SYSLOG

For details on available settings and what they do, run ``man auditd.conf``.
Some options can cause the host to go offline until the issue is fixed.
Deployers are urged to **carefully read the auditd documentation** prior to
changing the ``disk_full_action`` setting from the default.

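Review bot: same issue as V-38464.rst: the YAML example reads ``disk_full_action = SYSLOG`` and should be ``disk_full_action: SYSLOG`` to be a valid Ansible variable, and "set by default be openstack-ansible-security" should read "by".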
5
doc/source/developer-notes/V-38469.rst
Normal file
@ -0,0 +1,5 @@
**Exception**

Ubuntu sets the permissions for system commands to ``0755`` or less already.
Deployers are urged to review these permissions for changes over time as they
can be a sign of a compromise.
18
doc/source/developer-notes/V-38470.rst
Normal file
@ -0,0 +1,18 @@
Ubuntu's default for ``space_left_action`` is ``SUSPEND``, which actually
only suspends audit logging. That could be a security issue, so ``SYSLOG``
is recommended and is set by default be openstack-ansible-security. If syslog
messages are being sent to remote servers, these log messages should alert
an administrator about the disk being almost full. There are additional options
available, like ``EXEC``, ``SINGLE`` or ``HALT``.

To configure a different ``space_left_action``, set the following Ansible
variable:

.. code-block:: yaml

space_left_action = SYSLOG

For details on available settings and what they do, run ``man auditd.conf``.
Some options can cause the host to go offline until the issue is fixed.
Deployers are urged to **carefully read the auditd documentation** prior to
changing the ``space_left_action`` setting from the default.
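Review bot: as in V-38464.rst and V-38468.rst, the example ``space_left_action = SYSLOG`` is not YAML; suggest ``space_left_action: SYSLOG``, and "be openstack-ansible-security" should read "by openstack-ansible-security".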
4
doc/source/developer-notes/V-38471.rst
Normal file
@ -0,0 +1,4 @@
An Ansible task will adjust ``active`` from `no` to `yes` in
``/etc/audisp/plugins.d/syslog.conf`` so that auditd records are forwarded to
syslog automatically. The auditd daemon will be restarted if the configuration
file is changed.
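Review bot: `no` and `yes` on the first line use single backticks, which reStructuredText renders as interpreted text (default role) rather than as literals; the rest of the sentence uses double backticks (``active``, ``/etc/audisp/plugins.d/syslog.conf``), so these should be ``no`` and ``yes`` for consistency.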
5
doc/source/developer-notes/V-38472.rst
Normal file
@ -0,0 +1,5 @@
**Exception**

Ubuntu sets system commands to be owned by root by default Deployers are
urged to review ownership changes via auditd rules to ensure system
commands haven't changed ownership over time.
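Review bot: missing sentence break on the first body line: "owned by root by default Deployers are" needs a period after "default".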
4
doc/source/developer-notes/V-38473.rst
Normal file
@ -0,0 +1,4 @@
**Exception**

Creating ``/home`` on a different partition is highly recommended but it is
left to deployers to configure during the installation of the OS.
4
doc/source/developer-notes/V-38474.rst
Normal file
@ -0,0 +1,4 @@
**Exception**

The openstack-ansible roles don't install X by default, so there is no
graphical desktop to configure.
12
doc/source/developer-notes/V-38475.rst
Normal file
@ -0,0 +1,12 @@
**Configuration required**

Ubuntu 14.04 does not set a password length requirement by default. The STIG
recommends passwords to be a minimum of 14 characters in length. To apply this
setting, set the following Ansible variable:

.. code-block:: yaml

password_minimum_length: 14

Deployers are urged to avoid the use of passwords and rely upon SSH keys if
possible.
21
doc/source/developer-notes/V-38476.rst
Normal file
@ -0,0 +1,21 @@
The STIG talks about yum having the RHN GPG keys installed, but this
requirement has been adapted to check for the Ubuntu signing keys normally
present in Ubuntu 14.04.

See ``tasks/apt.yml`` for more details::

# apt-key list
/etc/apt/trusted.gpg
--------------------
pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub 2048g/79164387 2004-09-12

pub 1024D/FBB75451 2004-12-30
uid Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>

pub 4096R/C0B21F32 2012-05-11
uid Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>

pub 4096R/EFE21092 2012-05-11
uid Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
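Review bot: the lead-in "See ``tasks/apt.yml`` for more details::" opens a literal block, but what follows is ``apt-key list`` output, not the contents of ``tasks/apt.yml``; a reader will expect the task file. Suggest splitting it, e.g. "See ``tasks/apt.yml`` for the check itself. The keys expected on Ubuntu 14.04 are::", so the listing is clearly the reference output the task compares against.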
10
doc/source/developer-notes/V-38477.rst
Normal file
@ -0,0 +1,10 @@
**Configuration required**

Ubuntu doesn't set a limitation on how frequently uses can change passwords.
However, the STIG recommends setting a limit of one password change per day.

To enable this configuration, use this Ansible variable:

.. code-block:: yaml

password_minimum_days: 14
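Review bot: the prose says the STIG recommends "one password change per day", but the example sets ``password_minimum_days: 14``, which would block password changes for two weeks; one of the two should change (``password_minimum_days: 1`` matches the stated recommendation). Also "how frequently uses can change" should read "users".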
4
doc/source/developer-notes/V-38478.rst
Normal file
@ -0,0 +1,4 @@
**Exception**

Ubuntu doesn't use the Red Hat Network Service, so this requirement doesn't
apply.
12
doc/source/developer-notes/V-38479.rst
Normal file
@ -0,0 +1,12 @@
**Configuration required**

Ubuntu doesn't set a limitation on the age of passwords.
However, the STIG recommends setting a limit of 60 days before a password must
be changed.

To enable this configuration, use this Ansible variable:

.. code-block:: yaml

password_maximum_days: 60

10
doc/source/developer-notes/V-38480.rst
Normal file
@ -0,0 +1,10 @@
**Configuration required**

After enabling password age limits in V-38479, be sure to configure
warnings for users so they know when their password is approaching expiration.
STIG's recommendation is seven days prior to the expiration. Use an Ansible
variable to configure the warning:

.. code-block:: yaml

password_warn_age: 7
10
doc/source/developer-notes/V-38481.rst
Normal file
@ -0,0 +1,10 @@
**Exception**

Operating system patching is left up to the deployer to configure based on
their business requirements and toleration for risk. Enabling automated
updates in Ubuntu can be done with changes to the apt configuration.

Ubuntu's documentation on `automatic updates`_ covers a few options for
configuring apt.

.. _automatic_updates: https://help.ubuntu.com/lts/serverguide/automatic-updates.html
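Review bot: the hyperlink reference `automatic updates`_ does not match its target ``.. _automatic_updates:`` (space versus underscore), so Sphinx will report an unknown target and the link will not render. Rename the target to ``.. _automatic updates:`` or the reference to `automatic_updates`_.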
10
doc/source/developer-notes/V-38482.rst
Normal file
@ -0,0 +1,10 @@
**Exception**

Password complexity requirements are left up to the deployer. Deployers are
urged to rely on SSH keys as often as possible to avoid problems with
passwords.

Review the pam_cracklib documentation by running ``man pam_cracklib`` or
read the `detailed documentation from Hal Pomeranz`_.

.. _detailed documentation from Hal Pomeranz: http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html
3
doc/source/developer-notes/V-38483.rst
Normal file
@ -0,0 +1,3 @@
The Ansible task for V-38462 already checks for apt configurations that would
disable any GPG checks when installing packages. However, it's possible for
the root user to override these configurations via command line parameters.
3
doc/source/developer-notes/V-38484.rst
Normal file
@ -0,0 +1,3 @@
Ubuntu 14.04 already enables the display of the last successful login for a
user immediately after login. An Ansible task ensures this setting is
applied and restarts the ssh daemon if necessary.
5
doc/source/developer-notes/V-38486.rst
Normal file
@ -0,0 +1,5 @@
**Exception**

System backups are left to the deployer to configure. Deployers are stringly
urged to maintain backups of each system, including log files and critical
configuration information.
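Review bot: typo on the first body line: "stringly urged" should read "strongly urged".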
3
doc/source/developer-notes/V-38487.rst
Normal file
@ -0,0 +1,3 @@
The Ansible task for V-38462 already checks for apt configurations that would
disable any GPG checks when installing packages. However, it's possible for
the root user to override these configurations via command line parameters.
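Review bot: V-38487.rst is word-for-word identical to V-38483.rst. If both controls are really satisfied by the same V-38462 task that is fine, but the note should say so explicitly (e.g. "See V-38483") so a reader does not assume a copy-paste slip; otherwise the text should describe what is specific to V-38487.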
5
doc/source/developer-notes/V-38488.rst
Normal file
@ -0,0 +1,5 @@
**Exception**

System backups are left to the deployer to configure. Deployers are stringly
urged to maintain backups of each system, including log files and critical
configuration information.
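Review bot: V-38488.rst duplicates V-38486.rst, including the "stringly" typo; fix the typo here as well ("strongly") and consider cross-referencing V-38486 rather than repeating the text.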
1
doc/source/developer-notes/V-38489.rst
Normal file
@ -0,0 +1 @@
The ``aide`` package will be installed by Ansible tasks.
9
doc/source/developer-notes/V-38490.rst
Normal file
@ -0,0 +1,9 @@
**Exception**

Disabling the ``usb-storage`` module can add extra security, but it's not
necessary on most systems. To disable the ``usb-storage`` module on hosts,
set ``disable_usb_storage`` to ``yes``:

.. code-block:: yaml

disable_usb_storage: yes
4
doc/source/developer-notes/V-38491.rst
Normal file
@ -0,0 +1,4 @@
The Ansible task will check for the presence of ``/etc/hosts.equiv`` and
``/root/.rhosts``. Both of those files could potentially be used with ``rsh``
for host access, but ``rshd`` is not installed by default with Ubuntu 14.04
or openstack-ansible.
2
doc/source/developer-notes/V-38492.rst
Normal file
@ -0,0 +1,2 @@
The virtual consoles mentioned in V-38492 aren't used in Ubuntu 14.04 by
default.
3
doc/source/developer-notes/V-38493.rst
Normal file
@ -0,0 +1,3 @@
Ubuntu 14.04 sets the mode of ``/var/log/audit/`` to ``0750`` by default. The
Ansible task for this requirement ensures that the mode is ``0750`` (which
is more strict than the STIG requirement).
7
doc/source/developer-notes/V-38494.rst
Normal file
@ -0,0 +1,7 @@
**Exception**

Removing serial consoles from ``/etc/securetty`` can make troubleshooting
a server extremely difficult. Deployers are urged to use strong physical
security practices to prevent unauthorized users from gaining physical access
to critical hosts. In addition, out-of-band systems that allow for serial
over LAN access should also be heavily secured.
2
doc/source/developer-notes/V-38495.rst
Normal file
@ -0,0 +1,2 @@
The Ansible tasks will ensure that files in ``/var/log/audit`` are owned
by the root user.
5
doc/source/developer-notes/V-38497.rst
Normal file
@ -0,0 +1,5 @@
Making adjustments to PAM configuration can be **very dangerous** for a
production system, so the Ansible task runs a check for text matching
``nullok`` in ``/etc/pam.d/common-auth`` (different than
``/etc/pam.d/system-auth`` found in RHEL 6) and prints a warning if it is
found.
2
doc/source/developer-notes/V-38499.rst
Normal file
@ -0,0 +1,2 @@
The Ansible task will search for password hashes in ``/etc/passwd`` using
awk and report a failure if any are found.
1
doc/source/developer-notes/V-38522.rst
Normal file
@ -0,0 +1 @@
Rules are added for auditing changes to system time made via ``settimeofday``.
1
doc/source/developer-notes/V-38525.rst
Normal file
@ -0,0 +1 @@
Rules are added for auditing changes to system time done via ``stime``.
2
doc/source/developer-notes/V-38527.rst
Normal file
@ -0,0 +1,2 @@
Rules are added for auditing changes to system time done via
``clock_settime``.
2
doc/source/developer-notes/V-38530.rst
Normal file
@ -0,0 +1,2 @@
Rules are added to auditd to log all attempts to change the system time using
``/etc/localtime``.
3
doc/source/developer-notes/V-38531.rst
Normal file
@ -0,0 +1,3 @@
**Exception**

The audit rules from V-38534 already cover all account modifications.
3
doc/source/developer-notes/V-38534.rst
Normal file
@ -0,0 +1,3 @@
Audit rules are added in a task so that any events associated with
account modifications are logged. The new audit rule will be loaded immediately
with ``augenrules --load``.
3
doc/source/developer-notes/V-38536.rst
Normal file
@ -0,0 +1,3 @@
**Exception**

The audit rules from V-38534 already cover all account modifications.
3
doc/source/developer-notes/V-38538.rst
Normal file
@ -0,0 +1,3 @@
**Exception**

The audit rules from V-38534 already cover all account modifications.
3
doc/source/developer-notes/V-38540.rst
Normal file
@ -0,0 +1,3 @@
Rules are added for auditing network configuration changes. The path to
Ubuntu's standard network configuration location has replaced the path
to Red Hat's default network configuration location.
5
doc/source/developer-notes/V-38541.rst
Normal file
@ -0,0 +1,5 @@
The RHEL 6 STIG requires that changes to SELinux policies and configuration are
audited. However, Ubuntu's preference for Mandatory Access Control (MAC) is
AppArmor and openstack-ansible configures AppArmor by default.

This requirement has been modified to fit AppArmor on an Ubuntu system.
2
doc/source/developer-notes/V-38547.rst
Normal file
@ -0,0 +1,2 @@
Rules are added for auditd to log discretionary access control permission
changes done with fchmod.
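Review bot: ``fchmod`` is a syscall name and should be in double backticks, as the sibling notes V-38557.rst through V-38559.rst do for ``fsetxattr``, ``lchown`` and ``lremovexattr``; the same applies to fchmodat, fchown and fremovexattr in V-38550.rst, V-38552.rst and V-38556.rst.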
2
doc/source/developer-notes/V-38550.rst
Normal file
@ -0,0 +1,2 @@
Rules are added for auditing discretionary access control changes made via
fchmodat.
18
doc/source/developer-notes/V-38551.rst
Normal file
@ -0,0 +1,18 @@
**Exception**

Filtering IPv6 traffic is left up to the deployer to implement. The
openstack-ansible roles don't configure IPv6 (at this time) and adding
persistent ip6tables rules could harm a running system.

However, deployers are strongly recommended to implement IPv6 filtering at the
edges of the network via network devices. In addition, deployers should be
aware that link-local IPv6 addresses are configured automatcally by the system
and those addresses could open up new network paths for future attacks.

For example, if IPv4 access was tightly controlled and segmented, hosts and/or
containers could possibly communicate across these boundaries using IPv6
link-local addresses. For more detailed information on this security topic,
review Cisco's documentation titled `IPv6 Security Brief`_ that is available
on their website.

.. _IPv6 Security Brief: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-678658.html
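Review bot: typo in the second paragraph: "configured automatcally by the system" should read "automatically".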
2
doc/source/developer-notes/V-38552.rst
Normal file
@ -0,0 +1,2 @@
Rules are added for auditing discretionary access control changes
made by fchown.
2
doc/source/developer-notes/V-38556.rst
Normal file
@ -0,0 +1,2 @@
Rules are added for auditing discretionary access control changes made
by fremovexattr.
2
doc/source/developer-notes/V-38557.rst
Normal file
@ -0,0 +1,2 @@
Rules are added for auditing discretionary access control changes made via
``fsetxattr``.
2
doc/source/developer-notes/V-38558.rst
Normal file
@ -0,0 +1,2 @@
Rules are added for auditing discretionary access control changes made via
``lchown``.
2
doc/source/developer-notes/V-38559.rst
Normal file
@ -0,0 +1,2 @@
Rules are added for auditing discretionary access control changes made via
``lremovexattr``.
3
doc/source/developer-notes/V-38561.rst
Normal file
@ -0,0 +1,3 @@
Rules are added to auditd to log all DAC modifications using `lsetxattr`_.

.. _lsetxattr: http://linux.die.net/man/2/lsetxattr
3
doc/source/developer-notes/V-38563.rst
Normal file
@ -0,0 +1,3 @@
Audit rules are added in a task so that any events associated with the
discretionary access controls (DAC) permission modifications are logged.
The new audit rule will be loaded immediately with ``augenrules --load``.
4
doc/source/developer-notes/V-38565.rst
Normal file
@ -0,0 +1,4 @@
Rules are added so that all permission modifications made via `setxattr`_ are
logged.

.. _setxattr: http://man7.org/linux/man-pages/man2/setxattr.2.html
1
doc/source/developer-notes/V-38566.rst
Normal file
@ -0,0 +1 @@
Rules are added for auditd to log failed access attempts to files and programs.
6
doc/source/developer-notes/V-38567.rst
Normal file
@ -0,0 +1,6 @@
**Exception**

Keeping the list of setuid/setgid applications up to date and adding the paths
to those files within the ``audit.rules`` file is challenging. Deployers are
urged to use setuid/setgid sparingly and carefully monitor all applications
with those permissions set.
1
doc/source/developer-notes/V-38568.rst
Normal file
@ -0,0 +1 @@
Rules are added for auditd to log successful filesystem mounts.
Some files were not shown because too many files have changed in this diff.