Merge "[Docs] Remove duplicate hardening content"

Zuul 2018-02-15 13:57:24 +00:00 committed by Gerrit Code Review
commit da6ea2a8e4
3 changed files with 24 additions and 42 deletions

@ -9,6 +9,5 @@ Appendix I: Advanced configuration
:maxdepth: 2
app-advanced-config-override
app-advanced-config-security
app-advanced-config-sslcertificates
app-advanced-config-affinity
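
Review bot: the entry removed from this toctree (the header shows six lines becoming five), presumably ``app-advanced-config-security``, takes the appendix page out of the published navigation, so existing inbound links to it will break once the file is deleted. Add a redirect or a release note that points readers to the page now carrying this content.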

@ -1,38 +0,0 @@
.. _security_hardening:
==================
Security hardening
==================
OpenStack-Ansible automatically applies host security hardening configurations
by using the `ansible-hardening`_ role. The role uses a version of the
`Security Technical Implementation Guide (STIG)`_ that has been adapted for
Ubuntu 14.04 and OpenStack.
The role is applicable to physical hosts within an OpenStack-Ansible deployment
that are operating as any type of node, infrastructure or compute. By
default, the role is enabled. You can disable it by changing the value of
the ``apply_security_hardening`` variable in the ``user_variables.yml`` file
to ``false``:
.. code-block:: yaml
apply_security_hardening: false
You can apply security hardening configurations to an existing environment or
audit an environment by using a playbook supplied with OpenStack-Ansible:
.. code-block:: bash
# Apply security hardening configurations
openstack-ansible security-hardening.yml
# Perform a quick audit by using Ansible's check mode
openstack-ansible --check security-hardening.yml
For more information about the security configurations, see the
`OpenStack-Ansible host security`_ hardening documentation.
.. _ansible-hardening: http://docs.openstack.org/developer/ansible-hardening/
.. _Security Technical Implementation Guide (STIG): https://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide
.. _OpenStack-Ansible host security: http://docs.openstack.org/developer/ansible-hardening/
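
Review bot: deleting this file removes the ``.. _security_hardening:`` label on its first line, so every remaining ``:ref:`` to ``security_hardening`` has to be removed in the same change or Sphinx will report an unresolved reference; search the docs tree for the label before merging. The sentence saying the STIG version was adapted for Ubuntu 14.04 and OpenStack is not among the paragraphs carried into the destination page, so confirm that drop is intentional.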

@ -48,15 +48,36 @@ Host security hardening is required by several compliance and regulatory
programs, such as the `Payment Card Industry Data Security Standard`_ (PCI
DSS) (Requirement 2.2).
By default, OpenStack-Ansible automatically applies the security hardening role
By default, OpenStack-Ansible automatically applies the ansible-hardening role
to all deployments. The role has been carefully designed to perform as follows:
* Apply nondisruptively to a production OpenStack environment
* Balance security with OpenStack performance and functionality
* Run as quickly as possible
For more information about configuring the role in OpenStack-Ansible, see
:ref:`security_hardening`.
The role is applicable to physical hosts within an OpenStack-Ansible deployment
that are operating as any type of node, infrastructure or compute. By
default, the role is enabled. You can disable it by changing the value of
the ``apply_security_hardening`` variable in the ``user_variables.yml`` file
to ``false``:
.. code-block:: yaml
apply_security_hardening: false
You can apply security hardening configurations to an existing environment or
audit an environment by using a playbook supplied with OpenStack-Ansible:
.. code-block:: bash
# Apply security hardening configurations
openstack-ansible security-hardening.yml
# Perform a quick audit by using Ansible's check mode
openstack-ansible --check security-hardening.yml
For more information about the security configurations, see the
`security hardening role`_ documentation.
.. _security hardening role: http://docs.openstack.org/developer/ansible-hardening/
.. _Security Technical Implementation Guide: https://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide
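
Review bot: the ``security hardening role`` target at the end of this hunk points to a plain ``http://`` URL under ``docs.openstack.org/developer/``; switch it to ``https://`` and check that the path still resolves. The relocated paragraph also repeats itself: "By default, the role is enabled" follows directly after "By default, OpenStack-Ansible automatically applies the ansible-hardening role", so one of the two can go. The ``--check`` audit comment would benefit from a sentence noting that check mode only reports on tasks that support it, so a clean run is not a complete audit.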