Major Hayden 6f6c08f4c3 Enable RHEL 7 STIG tasks as default [+Docs]
This patch enables the RHEL 7 STIG content tasks as the default.
Documentation has also been updated to reflect the change and provide
more concise information about what is available with each release.

The OpenStack-Ansible repo is still set to use the RHEL 6 STIG until
some issues with individual roles are resolved.

Implements: blueprint security-rhel7-stig
Change-Id: Ic72d97b87c0fb16646e5a31030404e1a9ad6a469
2017-01-13 19:06:07 +00:00

Automated security hardening for Linux hosts

The openstack-ansible-security Ansible role uses industry-standard security hardening guides to secure Linux hosts. Although the role is designed to work well in OpenStack environments that are deployed with OpenStack-Ansible, it can be used with almost any Linux system.

What does the role do?

It all starts with the Security Technical Implementation Guide (STIG) from the Defense Information Systems Agency (DISA), part of the United States Department of Defense. The guide is released with a public domain license and it is commonly used to secure systems at public and private organizations around the world.

Each configuration from the STIG is analyzed to determine what impact it could have on a live production environment and how to implement it in Ansible. Tasks are added to the role that configure a host to meet the configuration requirement. Each task is documented to explain what was changed, why it was changed, and what deployers need to understand about the change.

Deployers have the option to pick and choose which configurations are applied using Ansible variables and tags. Some tasks allow deployers to provide custom configurations to tighten down or relax certain requirements.

For more details, review the Documentation section below.

Documentation

The following documentation applies to the Ocata release. Documentation from previous releases is available in the Releases section below.

  • faq.rst
  • getting-started.rst
  • special-notes.rst
  • controls-rhel7.rst
  • developer-guide.rst

The RHEL 7 STIG content was first added in the Ocata release. The original RHEL 6 STIG content is deprecated in the Ocata release and will be removed in the next OpenStack release (Pike). The documentation for the RHEL 6 STIG content is still available:

controls.rst

Releases

Deployers should use the latest stable release for all production deployments.

Ocata

  • Status: Development (anticipated release: February 2017)
  • Supported Operating Systems:
    • Ubuntu 14.04 Trusty (Deprecated)
    • Ubuntu 16.04 Xenial
    • CentOS 7
    • Red Hat Enterprise Linux 7 (partial automated test coverage)
  • Documentation:

Newton

Mitaka