Implementing stricter permissions on config files

The security guide suggests that all OpenStack service config files should be owned by root and in the service user group with 0640 permissions. http://docs.openstack.org/security-guide/networking/checklist.html Change-Id: I603eb691828bb3456ae0686ed80342765f52ecea
2017-02-07 14:24:18 -05:00 · 2017-02-07 14:24:18 -05:00 · f927760d88
commit f927760d88
parent 3d3a2c3e7d
2 changed files with 14 additions and 16 deletions
--- a/tasks/neutron_post_install.yml
+++ b/tasks/neutron_post_install.yml
@ -17,9 +17,9 @@
  config_template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
-    owner: "{{ item.owner|default(neutron_system_user_name) }}"
+    owner: "root"
    group: "{{ item.group|default(neutron_system_group_name) }}"
-    mode: "0644"
+    mode: "0640"
    config_overrides: "{{ item.config_overrides }}"
    config_type: "{{ item.config_type }}"
  with_items:
@ -37,8 +37,6 @@
      config_type: "ini"
    - src: "rootwrap.conf.j2"
      dest: "{{ neutron_conf_dir }}/rootwrap.conf"
-      owner: "root"
-      group: "root"
      config_overrides: "{{ neutron_rootwrap_conf_overrides }}"
      config_type: "ini"
    - src: "policy.json.j2"
@ -52,9 +50,9 @@
  config_template:
    src: "{{ neutron_plugins[item].plugin_ini }}.j2"
    dest: "{{ neutron_conf_dir }}/{{ neutron_plugins[item].plugin_ini }}"
-    owner: "{{ neutron_system_user_name }}"
+    owner: "root"
    group: "{{ neutron_system_group_name }}"
-    mode: "0644"
+    mode: "0640"
    config_overrides: "{{ neutron_plugins[item].plugin_conf_ini_overrides }}"
    config_type: "ini"
  with_items: "{{ neutron_plugin_types }}"
@ -63,9 +61,9 @@
  config_template:
    src: "dnsmasq-neutron.conf.j2"
    dest: "{{ neutron_conf_dir }}/dnsmasq-neutron.conf"
-    owner: "{{ neutron_system_user_name }}"
+    owner: "root"
    group: "{{ neutron_system_group_name }}"
-    mode: "0644"
+    mode: "0640"
    config_overrides: "{{ neutron_dnsmasq_neutron_conf_overrides }}"
    config_type: "ini"
  notify:
@ -82,19 +80,19 @@
  config_template:
    src: "{{ item.value.service_conf }}.j2"
    dest: "{{ item.value.service_conf_path }}/{{ item.value.service_conf }}"
-    owner: "{{ neutron_system_user_name }}"
+    owner: "root"
    group: "{{ neutron_system_group_name }}"
-    mode: "0644"
+    mode: "0640"
    config_overrides: "{{ item.value.config_overrides }}"
    config_type: "{{ item.value.config_type }}"
  with_dict: "{{ neutron_services }}"
  notify:
    - Restart neutron services
  when:
-       - item.value.service_en | bool
-       - item.value.service_conf_path is defined
-       - item.value.service_conf is defined
-       - item.value.group in group_names
+    - item.value.service_en | bool
+    - item.value.service_conf_path is defined
+    - item.value.service_conf is defined
+    - item.value.group in group_names

 - name: Copy neutron rootwrap filters
  copy:
--- a/tasks/neutron_pre_install.yml
+++ b/tasks/neutron_pre_install.yml
@ -39,8 +39,8 @@
  with_items:
    - { path: "/openstack", owner: "root", group: "root" }
    - { path: "{{ neutron_conf_dir }}", mode: "0750" }
-    - { path: "{{ neutron_conf_dir }}/plugins" }
-    - { path: "{{ neutron_conf_dir }}/plugins/{{ neutron_plugin_type.split('.')[0] }}" }
+    - { path: "{{ neutron_conf_dir }}/plugins", mode: "0750" }
+    - { path: "{{ neutron_conf_dir }}/plugins/{{ neutron_plugin_type.split('.')[0] }}", mode: "0750" }
    - { path: "{{ neutron_conf_dir }}/rootwrap.d", owner: "root", group: "root" }
    - { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
    - { path: "/var/cache/neutron" }