From 411c51c8d196a6ec22327ead0035003e41d5b11b Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Tue, 26 Jan 2016 08:30:52 -0600
Subject: [PATCH] Add config option + docs for security hardening

This patch adds a configurable option for deployers to apply security hardening by adjusting apply_security_hardening to true within the user_variables.yml file. In addition, security hardening is enabled on AIO builds by default. Documentation about the security role and how to enable it are also included in this patch.

Implements: blueprint security-hardening
Change-Id: Ic05ab7eacd6a1966814764b8290817fb78732758
---
 ansible-role-requirements.yml | 4 +++
 .../install-guide/configure-initial.rst | 28 +++++++++++++++++++
 .../install-guide/overview-security.rst | 11 ++++++++
 etc/openstack_deploy/user_variables.yml | 9 ++++++
 playbooks/security-hardening.yml | 24 ++++++++++++++++
 scripts/run-playbooks.sh | 3 ++
 .../templates/user_variables.aio.yml.j2 | 3 ++
 7 files changed, 82 insertions(+)
 create mode 100644 playbooks/security-hardening.yml

diff --git a/ansible-role-requirements.yml b/ansible-role-requirements.yml
index fc861ac3bf..c424385932 100644
--- a/ansible-role-requirements.yml
+++ b/ansible-role-requirements.yml
@@ -25,6 +25,10 @@
 src: https://git.openstack.org/openstack/openstack-ansible-openstack_hosts
 scm: git
 version: master
+- name: openstack-ansible-security
+ src: https://git.openstack.org/openstack/openstack-ansible-security
+ scm: git
+ version: master
 - name: pip_install
 src: https://git.openstack.org/openstack/openstack-ansible-pip_install
 scm: git
diff --git a/doc/source/install-guide/configure-initial.rst b/doc/source/install-guide/configure-initial.rst
index 8b27a4942e..7819f4887d 100644
--- a/doc/source/install-guide/configure-initial.rst
+++ b/doc/source/install-guide/configure-initial.rst
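Review bot: The new openstack-ansible-security entry is pinned to `version: master`, so the role that the new playbook runs as root against every host (it connects with `user: root`) and that rewrites host configuration to a STIG baseline is fetched from a moving branch rather than a reviewed tag or commit. The neighbouring entries in this file also use `master`, so this is presumably the project's convention at this stage, but a role with this reach is the first candidate to pin, e.g. `version: <release-tag-or-sha>`, once the role has a tagged release. Until then it is worth noting in the install guide that the hardening applied depends on whatever the role's branch contains on the day of deployment.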
@@ -76,6 +76,34 @@ this configuration, their ``openstack_user_config.yml`` would look like this:
 The configuration above would still deploy a memcached container and a database
 container on each host, but there would be no RabbitMQ containers deployed.
 
+
+.. _security_hardening:
+
+Security Hardening
+^^^^^^^^^^^^^^^^^^
+
+Deployers have the option to automatically apply security hardening to an
+OpenStack Ansible deployment using the `openstack-ansible-security`_ role. The
+role uses a version of the `Security Technical Implementation Guide (STIG)`_
+that has been adapted for Ubuntu 14.04 and OpenStack.
+
+The role is applicable to physical hosts within an OpenStack-Ansible deployment
+that are operating as any type of node -- infrastructure or compute. By
+default, the role is disabled. Deployers can enable it by changing a variable
+within ``user_variables.yml``:
+
+.. code-block:: yaml
+
+ apply_security_hardening: true
+
+For more details on the security configurations that will be applied, refer to
+the `openstack-ansible-security`_ documentation. Review the _Configuration_
+section of the openstack-ansible-security documentation to find out how to
+fine-tune certain security configurations.
+
+.. _openstack-ansible-security: http://docs.openstack.org/developer/openstack-ansible-security/
+.. _Security Technical Implementation Guide (STIG): https://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide
+
 --------------
 
 .. include:: navigation.txt
diff --git a/doc/source/install-guide/overview-security.rst b/doc/source/install-guide/overview-security.rst
index d3243b2d3a..9f9332c26d 100644
--- a/doc/source/install-guide/overview-security.rst
+++ b/doc/source/install-guide/overview-security.rst
@@ -44,6 +44,17 @@ to configure SSL certificates, refer to the documentation section titled
 
 .. _Securing services with SSL certificates: configure-sslcertificates.html
 
+Host security hardening
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Deployers can apply security hardening to OpenStack infrastructure and compute
+hosts using the openstack-ansible-security role. The purpose of the role is to
+apply as many security configurations as possible without disrupting the
+operation of an OpenStack deployment.
+
+Refer to the documentation on :ref:`security_hardening` for more information
+on the role and how to enable it in OpenStack-Ansible.
+
 --------------
 
 .. include:: navigation.txt
diff --git a/etc/openstack_deploy/user_variables.yml b/etc/openstack_deploy/user_variables.yml
index 2e4b3d02da..047ce10b84 100644
--- a/etc/openstack_deploy/user_variables.yml
+++ b/etc/openstack_deploy/user_variables.yml
@@ -210,3 +210,12 @@ haproxy_keepalived_internal_vip_cidr: "{{internal_lb_vip_address}}/32"
 # All the previous variables are used in a var file, fed to the keepalived role.
 # To use another file to feed the role, override the following var:
 #haproxy_keepalived_vars_file: 'vars/configs/keepalived_haproxy.yml'
+
+## Host security hardening
+# The openstack-ansible-security role provides security hardening for hosts
+# by applying security configurations from the STIG. Hardening is disabled by
+# default, but it can be applied to all hosts by adjusting the following
+# variable to 'true'.
+#
+# Docs: http://docs.openstack.org/developer/openstack-ansible-security/
+apply_security_hardening: false
diff --git a/playbooks/security-hardening.yml b/playbooks/security-hardening.yml
new file mode 100644
index 0000000000..12c5a6bf58
--- /dev/null
+++ b/playbooks/security-hardening.yml
@@ -0,0 +1,24 @@
+---
+# Copyright 2014, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# As an additional safeguard, this playbook requires the
+# 'apply_security_hardening' boolean set to True for it to apply security
+# hardening standards to a system.
+- name: Apply security hardening configurations
+ hosts: "{{ host_group|default('hosts') }}"
+ user: root
+ roles:
+ - { role: "openstack-ansible-security",
+ when: apply_security_hardening | bool }
diff --git a/scripts/run-playbooks.sh b/scripts/run-playbooks.sh
index 127800acb2..f0fcc328f5 100755
--- a/scripts/run-playbooks.sh
+++ b/scripts/run-playbooks.sh
@@ -55,6 +55,9 @@ pushd "playbooks"
 install_bits openstack-hosts-setup.yml
 install_bits lxc-hosts-setup.yml
 
+ # Apply security hardening
+ install_bits security-hardening.yml
+
 # Bring the lxc bridge down and back up to ensures the iptables rules are in-place
 # This also will ensure that the lxc dnsmasq rules are active.
 mkdir -p "${COMMAND_LOGS}/host_net_bounce"
diff --git a/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2 b/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2
index 6e7aae2dc8..06c4618a78 100644
--- a/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2
+++ b/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2
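Review bot: The role-level `when: apply_security_hardening | bool` reads the variable with no default, so on an existing deployment whose user_variables.yml predates this change and does not contain the key, the playbook (and therefore run-playbooks.sh, which now calls it unconditionally) fails with an undefined-variable error instead of skipping the role; the sample file gains the key, but upgraders' copies of it do not. Unless a group_vars default exists elsewhere in the tree, which this patch does not show, the safeguard should treat an absent key as "off": `when: apply_security_hardening | default(false) | bool`. Separately, `user: root` is the legacy spelling of the play keyword and `remote_user: root` is the documented form; the rest of the project's playbooks may still use the old name, so this is a consistency choice rather than a defect.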
@@ -89,3 +89,6 @@ lxc_net_dhcp_range: 10.255.255.2,10.255.255.253
 lxc_cache_resolvers: {{ lxc_cache_resolvers }}
 lxc_container_template_main_apt_repo: {{ bootstrap_host_ubuntu_repo }}
 lxc_container_template_security_apt_repo: {{ bootstrap_host_ubuntu_security_repo }}
+
+## Security hardening
+apply_security_hardening: true