Security hardening for openstack-ansible

The openstack-ansible-security role provides security hardening for OpenStack environments deployed with openstack-ansible. The role has multiple goals:

• Provide additional security in a highly configurable, integrated way without disrupting a production OpenStack environment.
• Make it easier for organizations to meet the requirements of compliance programs, such as Payment Card Industry Data Security Standard (PCI-DSS).
• Document all changes to allow deployers to make educated decisions on which security configuration changes to apply.

At this time, the role follows the requirements of the US Government’s Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 6. Since openstack-ansible only supports Ubuntu 14.04 (as of late 2015), many of the configuration changes in the STIG will be adapted to fit an Ubuntu 14.04 system. Those adaptations are noted within the playbook tasks themselves and also within this documentation.

The easiest method for reviewing the STIG configurations and the relevant metadata is through the STIG Viewer service provided by UCF.

Table of Contents

• Security benefits FAQ
  • Why should this role be applied to a system?
  • What systems are covered by openstack-ansible-security?
• Configuration
  • AIDE
  • Audit daemon
  • Authentication
  • Kernel
  • Linux Security Module (LSM)
  • Mail
  • Services and packages
  • SSH server
  • Time synchronization with chrony
  • umask adjustments
• Getting started
  • Using with OpenStack-Ansible
  • Using as a standalone role
• Security hardening controls in detail
  • Category 1 (Low) controls
  • Category 2 (Medium) controls
  • Category 3 (High) controls
• Developer Guide
  • Building a development environment
  • Writing documentation
  • Release notes