diff options
| author |   lhinds <lhinds@redhat.com> | 2017-03-23 13:41:42 +0000 |
|---|---|---|
| committer | lhinds <lhinds@redhat.com> | 2017-04-06 13:30:50 +0100 |
| commit | 99455380692f233f64c7fb68eb8a11105d39f5ac (patch) | |
| tree | 70987a55443cf1cb176c039d900fb82fd69360bd | |
| parent | cd6128d0a54989926709f42b7be80bf5daba2f8f (diff) | |
Adds service for managing securetty
This adds the ability to manage the securetty file.
By allowing management of securetty, operators can limit root
console access and improve security through hardening.
Change-Id: I0767c9529b40a721ebce1eadc2dea263e0a5d4d7
Partial-Bug: #1665042
Depends-On: Ic4647fb823bd112648c5b8d102913baa8b4dac1c
| -rw-r--r-- | capabilities-map.yaml | 5 | ||||
| -rw-r--r-- | ci/environments/scenario001-multinode.yaml | 9 | ||||
| -rw-r--r-- | environments/hyperconverged-ceph.yaml | 1 | ||||
| -rw-r--r-- | environments/securetty.yaml | 12 | ||||
| -rw-r--r-- | overcloud-resource-registry-puppet.j2.yaml | 1 | ||||
| -rw-r--r-- | puppet/services/securetty.yaml | 36 | ||||
| -rw-r--r-- | roles_data.yaml | 5 |
7 files changed, 69 insertions, 0 deletions
diff --git a/capabilities-map.yaml b/capabilities-map.yaml index 85c327c1..947ba8b6 100644 --- a/capabilities-map.yaml +++ b/capabilities-map.yaml @@ -597,3 +597,8 @@ topics: environments: - file: environments/cadf.yaml title: Keystone CADF auditing + - title: SecureTTY Values + description: Set values within /etc/securetty + environments: + - file: environments/securetty.yaml + title: SecureTTY Values diff --git a/ci/environments/scenario001-multinode.yaml b/ci/environments/scenario001-multinode.yaml index 63e51e29..5dd1f0f6 100644 --- a/ci/environments/scenario001-multinode.yaml +++ b/ci/environments/scenario001-multinode.yaml @@ -51,6 +51,7 @@ parameter_defaults: - OS::TripleO::Services::Ntp - OS::TripleO::Services::Snmp - OS::TripleO::Services::Sshd + - OS::TripleO::Services::Securetty - OS::TripleO::Services::Timezone - OS::TripleO::Services::NovaCompute - OS::TripleO::Services::NovaLibvirt @@ -124,3 +125,11 @@ parameter_defaults: MonitoringRabbitHost: 127.0.0.1 MonitoringRabbitPort: 5676 MonitoringRabbitPassword: sensu + TtyValues: + - console + - tty1 + - tty2 + - tty3 + - tty4 + - tty5 + - tty6 diff --git a/environments/hyperconverged-ceph.yaml b/environments/hyperconverged-ceph.yaml index 8f74ec35..7b778aad 100644 --- a/environments/hyperconverged-ceph.yaml +++ b/environments/hyperconverged-ceph.yaml @@ -13,6 +13,7 @@ parameter_defaults: - OS::TripleO::Services::Ntp - OS::TripleO::Services::Snmp - OS::TripleO::Services::Sshd + - OS::TripleO::Services::Securetty - OS::TripleO::Services::NovaCompute - OS::TripleO::Services::NovaLibvirt - OS::TripleO::Services::Kernel diff --git a/environments/securetty.yaml b/environments/securetty.yaml new file mode 100644 index 00000000..cdadf376 --- /dev/null +++ b/environments/securetty.yaml @@ -0,0 +1,12 @@ +resource_registry: + OS::TripleO::Services::Securetty: ../puppet/services/securetty.yaml + +parameter_defaults: + TtyValues: + - console + - tty1 + - tty2 + - tty3 + - tty4 + - tty5 + - tty6 diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index a7c9b0a6..a97ae296 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -178,6 +178,7 @@ resource_registry: OS::TripleO::Services::SaharaApi: OS::Heat::None OS::TripleO::Services::SaharaEngine: OS::Heat::None OS::TripleO::Services::Sshd: OS::Heat::None + OS::TripleO::Services::Securetty: OS::Heat::None OS::TripleO::Services::Redis: puppet/services/database/redis.yaml OS::TripleO::Services::NovaConductor: puppet/services/nova-conductor.yaml OS::TripleO::Services::MongoDb: puppet/services/database/mongodb.yaml diff --git a/puppet/services/securetty.yaml b/puppet/services/securetty.yaml new file mode 100644 index 00000000..6d32fe82 --- /dev/null +++ b/puppet/services/securetty.yaml @@ -0,0 +1,36 @@ +heat_template_version: ocata + +description: > + Configure securetty values + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + TtyValues: + default: {} + description: Configures console values in securetty + type: json + constraints: + - length: { min: 1} + +outputs: + role_data: + description: Console data for the securetty + value: + service_name: securetty + config_settings: + tripleo::profile::base::securetty::tty_list: {get_param: TtyValues} + step_config: | + include ::tripleo::profile::base::securetty diff --git a/roles_data.yaml b/roles_data.yaml index 780c9c93..f0ba5f81 100644 --- a/roles_data.yaml +++ b/roles_data.yaml @@ -82,6 +82,7 @@ - OS::TripleO::Services::SwiftRingBuilder - OS::TripleO::Services::Snmp - OS::TripleO::Services::Sshd + - OS::TripleO::Services::Securetty - OS::TripleO::Services::Timezone - OS::TripleO::Services::CeilometerApi - OS::TripleO::Services::CeilometerCollector @@ -144,6 +145,7 @@ - OS::TripleO::Services::Ntp - OS::TripleO::Services::Snmp - OS::TripleO::Services::Sshd + - OS::TripleO::Services::Securetty - OS::TripleO::Services::NovaCompute - OS::TripleO::Services::NovaLibvirt - OS::TripleO::Services::Kernel @@ -173,6 +175,7 @@ - OS::TripleO::Services::Timezone - OS::TripleO::Services::Snmp - OS::TripleO::Services::Sshd + - OS::TripleO::Services::Securetty - OS::TripleO::Services::TripleoPackages - OS::TripleO::Services::TripleoFirewall - OS::TripleO::Services::SensuClient @@ -192,6 +195,7 @@ - OS::TripleO::Services::SwiftRingBuilder - OS::TripleO::Services::Snmp - OS::TripleO::Services::Sshd + - OS::TripleO::Services::Securetty - OS::TripleO::Services::Timezone - OS::TripleO::Services::TripleoPackages - OS::TripleO::Services::TripleoFirewall @@ -210,6 +214,7 @@ - OS::TripleO::Services::Ntp - OS::TripleO::Services::Snmp - OS::TripleO::Services::Sshd + - OS::TripleO::Services::Securetty - OS::TripleO::Services::Timezone - OS::TripleO::Services::TripleoPackages - OS::TripleO::Services::TripleoFirewall |