Security Hardening for OpenStack-Ansible Hosts

Registered by Major Hayden

There are some additional configurations which can be added within OSA containers or hosts that provide a better security posture. Some of these configuration changes can be made in OSA while others will need to be presented to deployers in OSA documentation.

Blueprint information

Status:
Complete
Approver:
Jesse Pretorius
Priority:
High
Drafter:
Major Hayden
Direction:
Approved
Assignee:
Major Hayden
Definition:
Approved
Series goal:
Accepted for trunk
Implementation:
Implemented
Milestone target:
milestone icon mitaka-2
Started by
Jesse Pretorius
Completed by
Jesse Pretorius

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:security-hardening,n,z

Addressed by: https://review.openstack.org/222619
    Adding security hardening spec

Gerrit topic: https://review.openstack.org/#q,topic:bug/1500564,n,z

Addressed by: https://review.openstack.org/228591
    Initial security documentation

Addressed by: https://review.openstack.org/231151
    Initial security documentation

Gerrit topic: https://review.openstack.org/#q,topic:bp/security-hardening,n,z

Addressed by: https://review.openstack.org/231165
    Initial import of openstack-ansible-security role

Addressed by: https://review.openstack.org/232171
    V-3851{8,9}: Log file ownership

Addressed by: https://review.openstack.org/232178
    V-3852{0,1}: Back up log/audit records

Addressed by: https://review.openstack.org/232196
    V-3852{3,4,6,9} and V-3853{2,3}: IPv4 restrictions

Addressed by: https://review.openstack.org/232198
    V-38535: Don't respond to ICMPv4 broadcast

Addressed by: https://review.openstack.org/232201
    V-38528: Log martian packets

Addressed by: https://review.openstack.org/232203
    V-38537: Ignore ICMPv4 bogus error messages

Addressed by: https://review.openstack.org/232212
    V-38539: Enable TCP SYN cookies

Addressed by: https://review.openstack.org/232226
    V-3854{8,9}, V-38553: IPv6 filtering/security

Addressed by: https://review.openstack.org/232229
    V-38555, V-38560: IPv4 firewalling

Addressed by: https://review.openstack.org/232237
    V-38579: grub.conf owned by root

Addressed by: https://review.openstack.org/232240
    V-38624: Rotate logs

Addressed by: https://review.openstack.org/232246
    V-3862{5,6,7}: LDAP server security

Addressed by: https://review.openstack.org/232254
    V-3865{2,4}, V-57569: Mounting filesystems

Addressed by: https://review.openstack.org/232578
    V-3863{3,4,6}: Audit log files

Addressed by: https://review.openstack.org/232593
    Graphical login exceptions

Addressed by: https://review.openstack.org/233147
    V-38655: Mount w/no exec exception

Addressed by: https://review.openstack.org/233198
    V-386**: Disabling various unneeded services

Addressed by: https://review.openstack.org/232767
    V-38637, V-3866{3,4,5}: Verify auditd pkg contents

Addressed by: https://review.openstack.org/233209
    V-38621: System clock sync

Addressed by: https://review.openstack.org/233215
    V-3865{6,7}: Samba

Addressed by: https://review.openstack.org/233216
    V-38643: World writable files

Addressed by: https://review.openstack.org/233219
    V-38658: Password reuse restrictions

Addressed by: https://review.openstack.org/233221
    V-38659: Encrypted storage exception docs

Addressed by: https://review.openstack.org/233226
    V-38660: SNMPv3

Addressed by: https://review.openstack.org/233237
    V-38678: Auditd space_left size

Addressed by: https://review.openstack.org/233243
    V-38672: Remove netconsole service

Addressed by: https://review.openstack.org/233247
    V-38680: Audit log capacity notifications

Addressed by: https://review.openstack.org/233255
    V-38692: Lock inactive accounts

Addressed by: https://review.openstack.org/233259
    V-3867{4,6}: X windows

Addressed by: https://review.openstack.org/233264
    V-38684: Max concurrent sessions

Addressed by: https://review.openstack.org/233231
    V-386{67,70,96}: Run AIDE via cron

Addressed by: https://review.openstack.org/233276
    V-53481: Auditd disk space + single-user mode

Addressed by: https://review.openstack.org/233279
    V-38702: FTP daemon logging

Addressed by: https://review.openstack.org/233283
    V-38458: /etc/group user ownership

Addressed by: https://review.openstack.org/232088
    V-3851{1,2,3}: IPv4 security controls

Addressed by: https://review.openstack.org/233285
    V-51875: Symlink for docs

Addressed by: https://review.openstack.org/234204
    V-38622: Restricted mail relaying

Addressed by: https://review.openstack.org/234209
    V-38683: Check for non-unique usernames

Addressed by: https://review.openstack.org/234215
    V-38681: GID's in /etc/passwd & /etc/group

Addressed by: https://review.openstack.org/234227
    V-51739: LSM device labeling exception

Addressed by: https://review.openstack.org/234235
    V-38699: Public directories exception

Addressed by: https://review.openstack.org/234237
    V-38685: Temporary accounts (exception)

Addressed by: https://review.openstack.org/234239
    V-58901: sudo requires auth

Addressed by: https://review.openstack.org/234249
    V-38697: Sticky bit (exception)

Addressed by: https://review.openstack.org/234264
    V-51391: Initialize AIDE

Addressed by: https://review.openstack.org/234331
    V-38623: rsyslog file permissions

Addressed by: https://review.openstack.org/234333
    V-38546: Disable IPv6 system-wide

Gerrit topic: https://review.openstack.org/#q,topic:bug/1505793,n,z

Addressed by: https://review.openstack.org/234439
    Docs overhaul

Addressed by: https://review.openstack.org/242101
    Adding notes for V-38543

Addressed by: https://review.openstack.org/245813
    Check mode compatibility for apt/auditd tasks

Addressed by: https://review.openstack.org/247623
    Check mode compatibility for auth tasks

Gerrit topic: https://review.openstack.org/#q,topic:bug/1516142,n,z

Addressed by: https://review.openstack.org/248181
    Adding benefits faq + config docs

Gerrit topic: https://review.openstack.org/#q,topic:bug/1521229,n,z

Addressed by: https://review.openstack.org/259005
    Download openstack-ansible-security role

Addressed by: https://review.openstack.org/273257
    Add config option + docs for security hardening

(?)

Work Items

Dependency tree

* Blueprints in grey have been implemented.

This blueprint contains Public information 
Everyone can see this information.

Subscribers

No subscribers.