The ansible-hardening role can be used along with the OpenStack-Ansible project or as a standalone role that can be used along with other Ansible playbooks.
Start by installing ansible and then install the role itself using ansible-galaxy:
pip install ansible
ansible-galaxy install git+https://git.openstack.org/openstack/ansible-hardening
The role will be installed into /etc/ansible/roles/ansible-hardening.
Some of the security configurations need initial configuration or they may require you to opt-in for a change to be applied. Start by reviewing the list of STIG controls that require initial configuration or require opt-in.
An example of a STIG requiring initial configuration is V-38446, which requires an email address for a person who can receive email sent to root.
Many of the STIG configurations are in an opt-in status because they can be helpful for some systems and harmful to others. A good example of this is :ref`V-38481 <stig-V-38481>`, which requires that automatic package updates are configured on a host. In some environments, this isn’t a problem, but this could cause disruptions in environments with low tolerance for changes.
Adding the ansible-hardening role to existing playbooks is straightforward. Here is an example of an existing role for deploying web servers with the security hardening role added:
---
- name: Deploy web servers
hosts: webservers
become: yes
roles:
- common
- webserver
- ansible-hardening
The ansible-hardening role is automatically enabled and applied in the Newton release of OpenStack-Ansible. In the Liberty and Mitaka releases, the role is easily enabled by adjusting the following Ansible variable:
apply_security_hardening: true
For more information, refer to the OpenStack-Ansible documentation on configuring security hardening.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.