Merge "Add config option + docs for security hardening"

ansible-role-requirements.yml

@@ -25,6 +25,10 @@
   src: https://git.openstack.org/openstack/openstack-ansible-openstack_hosts
   scm: git
   version: master
+- name: openstack-ansible-security
+  src: https://git.openstack.org/openstack/openstack-ansible-security
+  scm: git
+  version: master
 - name: pip_install
   src: https://git.openstack.org/openstack/openstack-ansible-pip_install
   scm: git

doc/source/install-guide/configure-initial.rst

@@ -76,6 +76,34 @@ this configuration, their ``openstack_user_config.yml`` would look like this:
 The configuration above would still deploy a memcached container and a database
 container on each host, but there would be no RabbitMQ containers deployed.
 
+
+.. _security_hardening:
+
+Security Hardening
+^^^^^^^^^^^^^^^^^^
+
+Deployers have the option to automatically apply security hardening to an
+OpenStack Ansible deployment using the `openstack-ansible-security`_ role. The
+role uses a version of the `Security Technical Implementation Guide (STIG)`_
+that has been adapted for Ubuntu 14.04 and OpenStack.
+
+The role is applicable to physical hosts within an OpenStack-Ansible deployment
+that are operating as any type of node -- infrastructure or compute. By
+default, the role is disabled. Deployers can enable it by changing a variable
+within ``user_variables.yml``:
+
+.. code-block:: yaml
+
+    apply_security_hardening: true
+
+For more details on the security configurations that will be applied, refer to
+the `openstack-ansible-security`_ documentation. Review the _Configuration_
+section of the openstack-ansible-security documentation to find out how to
+fine-tune certain security configurations.
+
+.. _openstack-ansible-security: http://docs.openstack.org/developer/openstack-ansible-security/
+.. _Security Technical Implementation Guide (STIG): https://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide
+
 --------------
 
 .. include:: navigation.txt

doc/source/install-guide/overview-security.rst

@@ -44,6 +44,17 @@ to configure SSL certificates, refer to the documentation section titled
 
 .. _Securing services with SSL certificates: configure-sslcertificates.html
 
+Host security hardening
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Deployers can apply security hardening to OpenStack infrastructure and compute
+hosts using the openstack-ansible-security role. The purpose of the role is to
+apply as many security configurations as possible without disrupting the
+operation of an OpenStack deployment.
+
+Refer to the documentation on :ref:`security_hardening` for more information
+on the role and how to enable it in OpenStack-Ansible.
+
 --------------
 
 .. include:: navigation.txt

etc/openstack_deploy/user_variables.yml

@@ -210,3 +210,12 @@ haproxy_keepalived_internal_vip_cidr: "{{internal_lb_vip_address}}/32"
 # All the previous variables are used in a var file, fed to the keepalived role.
 # To use another file to feed the role, override the following var:
 #haproxy_keepalived_vars_file: 'vars/configs/keepalived_haproxy.yml'
+
+## Host security hardening
+# The openstack-ansible-security role provides security hardening for hosts
+# by applying security configurations from the STIG. Hardening is disabled by
+# default, but it can be applied to all hosts by adjusting the following
+# variable to 'true'.
+#
+# Docs: http://docs.openstack.org/developer/openstack-ansible-security/
+apply_security_hardening: false

playbooks/security-hardening.yml

@@ -0,0 +1,24 @@
+---
+# Copyright 2014, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# As an additional safeguard, this playbook requires the
+# 'apply_security_hardening' boolean set to True for it to apply security
+# hardening standards to a system.
+- name: Apply security hardening configurations
+  hosts: "{{ host_group|default('hosts') }}"
+  user: root
+  roles:
+    - { role: "openstack-ansible-security",
+        when: apply_security_hardening | bool }

scripts/run-playbooks.sh

@@ -55,6 +55,9 @@ pushd "playbooks"
     install_bits openstack-hosts-setup.yml
     install_bits lxc-hosts-setup.yml
 
+    # Apply security hardening
+    install_bits security-hardening.yml
+
     # Bring the lxc bridge down and back up to ensures the iptables rules are in-place
     # This also will ensure that the lxc dnsmasq rules are active.
     mkdir -p "${COMMAND_LOGS}/host_net_bounce"

tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2

@@ -89,3 +89,6 @@ lxc_net_dhcp_range: 10.255.255.2,10.255.255.253
 lxc_cache_resolvers: {{ lxc_cache_resolvers }}
 lxc_container_template_main_apt_repo: {{ bootstrap_host_ubuntu_repo }}
 lxc_container_template_security_apt_repo: {{ bootstrap_host_ubuntu_security_repo }}
+
+## Security hardening
+apply_security_hardening: true