Security Hardening for OpenStack-Ansible Hosts
Additional configuration can be applied to OSA containers and hosts to improve their security posture. Some of these changes can be made within OSA itself, while others will need to be presented to deployers in the OSA documentation.
Blueprint information
- Status: Complete
- Approver: Jesse Pretorius
- Priority: High
- Drafter: Major Hayden
- Direction: Approved
- Assignee: Major Hayden
- Definition: Approved
- Series goal: Accepted for trunk
- Implementation: Implemented
- Milestone target: mitaka-2
- Started by: Jesse Pretorius
- Completed by: Jesse Pretorius
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Adding security hardening spec
Gerrit topic: https:/
Addressed by: https:/
Initial security documentation
Addressed by: https:/
Initial security documentation
Gerrit topic: https:/
Addressed by: https:/
Initial import of openstack-
Addressed by: https:/
V-3851{8,9}: Log file ownership
Addressed by: https:/
V-3852{0,1}: Back up log/audit records
Addressed by: https:/
V-3852{3,4,6,9} and V-3853{2,3}: IPv4 restrictions
Addressed by: https:/
V-38535: Don't respond to ICMPv4 broadcast
Addressed by: https:/
V-38528: Log martian packets
Addressed by: https:/
V-38537: Ignore ICMPv4 bogus error messages
Addressed by: https:/
V-38539: Enable TCP SYN cookies
Addressed by: https:/
V-3854{8,9}, V-38553: IPv6 filtering/security
Addressed by: https:/
V-38555, V-38560: IPv4 firewalling
Addressed by: https:/
V-38579: grub.conf owned by root
Addressed by: https:/
V-38624: Rotate logs
Addressed by: https:/
V-3862{5,6,7}: LDAP server security
Addressed by: https:/
V-3865{2,4}, V-57569: Mounting filesystems
Addressed by: https:/
V-3863{3,4,6}: Audit log files
Addressed by: https:/
Graphical login exceptions
Addressed by: https:/
V-38655: Mount w/no exec exception
Addressed by: https:/
V-386**: Disabling various unneeded services
Addressed by: https:/
V-38637, V-3866{3,4,5}: Verify auditd pkg contents
Addressed by: https:/
V-38621: System clock sync
Addressed by: https:/
V-3865{6,7}: Samba
Addressed by: https:/
V-38643: World writable files
Addressed by: https:/
V-38658: Password reuse restrictions
Addressed by: https:/
V-38659: Encrypted storage exception docs
Addressed by: https:/
V-38660: SNMPv3
Addressed by: https:/
V-38678: Auditd space_left size
Addressed by: https:/
V-38672: Remove netconsole service
Addressed by: https:/
V-38680: Audit log capacity notifications
Addressed by: https:/
V-38692: Lock inactive accounts
Addressed by: https:/
V-3867{4,6}: X windows
Addressed by: https:/
V-38684: Max concurrent sessions
Addressed by: https:/
V-386{
Addressed by: https:/
V-53481: Auditd disk space + single-user mode
Addressed by: https:/
V-38702: FTP daemon logging
Addressed by: https:/
V-38458: /etc/group user ownership
Addressed by: https:/
V-3851{1,2,3}: IPv4 security controls
Addressed by: https:/
V-51875: Symlink for docs
Addressed by: https:/
V-38622: Restricted mail relaying
Addressed by: https:/
V-38683: Check for non-unique usernames
Addressed by: https:/
V-38681: GIDs in /etc/passwd & /etc/group
Addressed by: https:/
V-51739: LSM device labeling exception
Addressed by: https:/
V-38699: Public directories exception
Addressed by: https:/
V-38685: Temporary accounts (exception)
Addressed by: https:/
V-58901: sudo requires auth
Addressed by: https:/
V-38697: Sticky bit (exception)
Addressed by: https:/
V-51391: Initialize AIDE
Addressed by: https:/
V-38623: rsyslog file permissions
Addressed by: https:/
V-38546: Disable IPv6 system-wide
Gerrit topic: https:/
Addressed by: https:/
Docs overhaul
Addressed by: https:/
Adding notes for V-38543
Addressed by: https:/
Check mode compatibility for apt/auditd tasks
Addressed by: https:/
Check mode compatibility for auth tasks
Gerrit topic: https:/
Addressed by: https:/
Adding benefits faq + config docs
Gerrit topic: https:/
Addressed by: https:/
Download openstack-
Addressed by: https:/
Add config option + docs for security hardening