diff options
Diffstat (limited to 'environments')
| -rw-r--r-- | environments/auditd.yaml | 119 | ||||
| -rw-r--r-- | environments/cinder-dellps-config.yaml | 31 | ||||
| -rw-r--r-- | environments/cinder-eqlx-config.yaml | 17 | ||||
| -rw-r--r-- | environments/collectd-environment.yaml | 23 | ||||
| -rw-r--r-- | environments/deployed-server-bootstrap-environment-rhel.yaml | 7 | ||||
| -rw-r--r-- | environments/enable-internal-tls.yaml | 9 | ||||
| -rw-r--r-- | environments/major-upgrade-all-in-one.yaml | 8 | ||||
| -rw-r--r-- | environments/major-upgrade-composable-steps.yaml | 3 | ||||
| -rw-r--r-- | environments/neutron-opendaylight-l3.yaml | 14 | ||||
| -rw-r--r-- | environments/services/octavia.yaml | 9 | ||||
| -rw-r--r-- | environments/sshd-banner.yaml | 13 |
11 files changed, 213 insertions, 40 deletions
diff --git a/environments/auditd.yaml b/environments/auditd.yaml new file mode 100644 index 00000000..b358c98a --- /dev/null +++ b/environments/auditd.yaml @@ -0,0 +1,119 @@ +resource_registry: + OS::TripleO::Services::AuditD: ../puppet/services/auditd.yaml + +parameter_defaults: + AuditdRules: + 'Record attempts to alter time through adjtimex': + content: '-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules' + order : 1 + 'Record attempts to alter time through settimeofday': + content: '-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules' + order : 2 + 'Record Attempts to Alter Time Through stime': + content: '-a always,exit -F arch=b64 -S stime -k audit_time_rules' + order : 3 + 'Record Attempts to Alter Time Through clock_settime': + content: '-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules' + order : 4 + 'Record Attempts to Alter the localtime File': + content: '-w /etc/localtime -p wa -k audit_time_rules' + order : 5 + 'Record Events that Modify the Systems Discretionary Access Controls - chmod': + content: '-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 5 + 'Record Events that Modify the Systems Discretionary Access Controls - chown': + content: '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 6 + 'Record Events that Modify the Systems Discretionary Access Controls - fchmod': + content: '-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 7 + 'Record Events that Modify the Systems Discretionary Access Controls - fchmodat': + content: '-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 8 + 'Record Events that Modify the Systems Discretionary Access Controls - fchown': + content: '-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 9 + 'Record Events that Modify the Systems Discretionary Access Controls - fchownat': + content: '-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 10 + 'Record Events that Modify the Systems Discretionary Access Controls - fremovexattr': + content: '-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 11 + 'Record Events that Modify the Systems Discretionary Access Controls - fsetxattr': + content: '-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 12 + 'Record Events that Modify the Systems Discretionary Access Controls - lchown': + content: '-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 13 + 'Record Events that Modify the Systems Discretionary Access Controls - lremovexattr': + content: '-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 14 + 'Record Events that Modify the Systems Discretionary Access Controls - lsetxattr': + content: '-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 15 + 'Record Events that Modify the Systems Discretionary Access Controls - removexattr': + content: '-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 16 + 'Record Events that Modify the Systems Discretionary Access Controls - setxattr': + content: '-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 17 + 'Record Events that Modify User/Group Information - /etc/group': + content: '-w /etc/group -p wa -k audit_rules_usergroup_modification' + order : 18 + 'Record Events that Modify User/Group Information - /etc/passwd': + content: '-w /etc/passwd -p wa -k audit_rules_usergroup_modification' + order : 19 + 'Record Events that Modify User/Group Information - /etc/gshadow': + content: '-w /etc/gshadow -p wa -k audit_rules_usergroup_modification' + order : 20 + 'Record Events that Modify User/Group Information - /etc/shadow': + content: '-w /etc/shadow -p wa -k audit_rules_usergroup_modification' + order : 21 + 'Record Events that Modify User/Group Information - /etc/opasswd': + content: '-w /etc/opasswd -p wa -k audit_rules_usergroup_modification' + order : 22 + 'Record Events that Modify the Systems Network Environment - sethostname / setdomainname': + content: '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification' + order : 23 + 'Record Events that Modify the Systems Network Environment - /etc/issue': + content: '-w /etc/issue -p wa -k audit_rules_networkconfig_modification' + order : 24 + 'Record Events that Modify the Systems Network Environment - /etc/issue.net': + content: '-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification' + order : 25 + 'Record Events that Modify the Systems Network Environment - /etc/hosts': + content: '-w /etc/hosts -p wa -k audit_rules_networkconfig_modification' + order : 26 + 'Record Events that Modify the Systems Network Environment - /etc/sysconfig/network': + content: '-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification' + order : 27 + 'Record Events that Modify the Systems Mandatory Access Controls': + content: '-w /etc/selinux/ -p wa -k MAC-policy' + order : 28 + 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EACCES)': + content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' + order : 29 + 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EPERM)': + content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' + order : 30 + 'Ensure auditd Collects Information on the Use of Privileged Commands': + content: '-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged' + order : 31 + 'Ensure auditd Collects Information on Exporting to Media (successful)': + content: '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export' + order : 32 + 'Ensure auditd Collects File Deletion Events by User': + content: '-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete' + order : 33 + 'Ensure auditd Collects System Administrator Actions': + content: '-w /etc/sudoers -p wa -k actions' + order : 34 + 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (insmod)': + content: '-w /usr/sbin/insmod -p x -k modules' + order : 35 + 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (rmmod)': + content: '-w /usr/sbin/rmmod -p x -k modules' + order : 36 + 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (modprobe)': + content: '-w /usr/sbin/modprobe -p x -k modules' + order : 37 diff --git a/environments/cinder-dellps-config.yaml b/environments/cinder-dellps-config.yaml new file mode 100644 index 00000000..eefd0fd6 --- /dev/null +++ b/environments/cinder-dellps-config.yaml @@ -0,0 +1,31 @@ +# Copyright (c) 2016-2017 Dell Inc, or its subsidiaries. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# A Heat environment file which can be used to enable a +# a Cinder Dell EMC PS Series backend, configured via puppet +resource_registry: + OS::TripleO::Services::CinderBackendDellPs: ../puppet/services/cinder-backend-dellps.yaml + +parameter_defaults: + CinderEnableDellPsBackend: true + CinderDellPsBackendName: 'tripleo_dellps' + CinderDellPsSanIp: '' + CinderDellPsSanLogin: '' + CinderDellPsSanPassword: '' + CinderDellPsSanThinProvision: true + CinderDellPsGroupname: 'group-0' + CinderDellPsPool: 'default' + CinderDellPsChapLogin: '' + CinderDellPsChapPassword: '' + CinderDellPsUseChap: false diff --git a/environments/cinder-eqlx-config.yaml b/environments/cinder-eqlx-config.yaml deleted file mode 100644 index ca2c5e5a..00000000 --- a/environments/cinder-eqlx-config.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# A Heat environment file which can be used to enable a -# a Cinder eqlx backen, configured via puppet -resource_registry: - OS::TripleO::ControllerExtraConfigPre: ../puppet/extraconfig/pre_deploy/controller/cinder-eqlx.yaml - -parameter_defaults: - CinderEnableEqlxBackend: true - CinderEqlxBackendName: 'tripleo_eqlx' - CinderEqlxSanIp: '' - CinderEqlxSanLogin: '' - CinderEqlxSanPassword: '' - CinderEqlxSanThinProvision: true - CinderEqlxGroupname: 'group-0' - CinderEqlxPool: 'default' - CinderEqlxChapLogin: '' - CinderEqlxChapPassword: '' - CinderEqlxUseChap: false diff --git a/environments/collectd-environment.yaml b/environments/collectd-environment.yaml new file mode 100644 index 00000000..7780530c --- /dev/null +++ b/environments/collectd-environment.yaml @@ -0,0 +1,23 @@ +resource_registry: + OS::TripleO::Services::Collectd: ../puppet/services/metrics/collectd.yaml + +# parameter_defaults: +# +## You can specify additional plugins to load using the +## CollectdExtraPlugins key: +# +# CollectdExtraPlugins: +# - disk +# - df +# +## You can use ExtraConfig (or one of the related *ExtraConfig keys) +## to configure collectd. See the documentation for puppet-collectd at +## https://github.com/voxpupuli/puppet-collectd for details. +# +# ExtraConfig: +# collectd::plugin::disk::disks: +# - "/^[vhs]d[a-f][0-9]?$/" +# collectd::plugin::df::mountpoints: +# - "/" +# collectd::plugin::df::ignoreselected: false +# collectd::plugin::cpu::valuespercentage: true diff --git a/environments/deployed-server-bootstrap-environment-rhel.yaml b/environments/deployed-server-bootstrap-environment-rhel.yaml new file mode 100644 index 00000000..f614a91a --- /dev/null +++ b/environments/deployed-server-bootstrap-environment-rhel.yaml @@ -0,0 +1,7 @@ +# An environment that can be used with the deployed-server.yaml template to do +# initial bootstrapping of the deployed servers. +resource_registry: + OS::TripleO::DeployedServer::Bootstrap: ../deployed-server/deployed-server-bootstrap-rhel.yaml + +parameter_defaults: + EnablePackageInstall: True diff --git a/environments/enable-internal-tls.yaml b/environments/enable-internal-tls.yaml index d2fc59c6..ff4ecfbe 100644 --- a/environments/enable-internal-tls.yaml +++ b/environments/enable-internal-tls.yaml @@ -2,9 +2,18 @@ # a TLS for in the internal network via certmonger parameter_defaults: EnableInternalTLS: true + + # Required for novajoin to enroll the overcloud nodes + ServerMetadata: + ipa_enroll: True + resource_registry: OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml # We use apache as a TLS proxy OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml + + # Creates nova metadata that will create the extra service principals per + # node. + OS::TripleO::ServiceServerMetadataHook: ../extraconfig/nova_metadata/krb-service-principals.yaml diff --git a/environments/major-upgrade-all-in-one.yaml b/environments/major-upgrade-all-in-one.yaml index 69d72edd..4283b212 100644 --- a/environments/major-upgrade-all-in-one.yaml +++ b/environments/major-upgrade-all-in-one.yaml @@ -1,8 +1,2 @@ -# We run the upgrade steps without disabling the OS::TripleO::PostDeploySteps -# this means you can do a major upgrade in one pass, which may be useful -# e.g for all-in-one deployments where we can upgrade the compute services -# at the same time as the controlplane -# Note that it will be necessary to pass a mapping of OS::Heat::None again for -# any subsequent updates, or the upgrade steps will run again. resource_registry: - OS::TripleO::UpgradeSteps: ../puppet/major_upgrade_steps.yaml + OS::TripleO::PostDeploySteps: ../puppet/major_upgrade_steps.yaml diff --git a/environments/major-upgrade-composable-steps.yaml b/environments/major-upgrade-composable-steps.yaml index 7e10014b..4283b212 100644 --- a/environments/major-upgrade-composable-steps.yaml +++ b/environments/major-upgrade-composable-steps.yaml @@ -1,3 +1,2 @@ resource_registry: - OS::TripleO::UpgradeSteps: ../puppet/major_upgrade_steps.yaml - OS::TripleO::PostDeploySteps: OS::Heat::None + OS::TripleO::PostDeploySteps: ../puppet/major_upgrade_steps.yaml diff --git a/environments/neutron-opendaylight-l3.yaml b/environments/neutron-opendaylight-l3.yaml deleted file mode 100644 index 6d5c7404..00000000 --- a/environments/neutron-opendaylight-l3.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# A Heat environment that can be used to deploy OpenDaylight with L3 DVR -resource_registry: - OS::TripleO::Services::NeutronOvsAgent: OS::Heat::None - OS::TripleO::Services::ComputeNeutronOvsAgent: OS::Heat::None - OS::TripleO::Services::ComputeNeutronCorePlugin: OS::Heat::None - OS::TripleO::Services::OpenDaylightApi: ../puppet/services/opendaylight-api.yaml - OS::TripleO::Services::OpenDaylightOvs: ../puppet/services/opendaylight-ovs.yaml - OS::TripleO::Services::NeutronL3Agent: OS::Heat::None - -parameter_defaults: - NeutronEnableForceMetadata: true - NeutronMechanismDrivers: 'opendaylight_v2' - NeutronServicePlugins: 'odl-router_v2' - OpenDaylightEnableL3: "'yes'" diff --git a/environments/services/octavia.yaml b/environments/services/octavia.yaml new file mode 100644 index 00000000..24c57b8c --- /dev/null +++ b/environments/services/octavia.yaml @@ -0,0 +1,9 @@ +resource_registry: + OS::TripleO::Services::OctaviaApi: ../../puppet/services/octavia-api.yaml + OS::TripleO::Services::OctaviaHealthManager: ../../puppet/services/octavia-health-manager.yaml + OS::TripleO::Services::OctaviaHousekeeping: ../../puppet/services/octavia-housekeeping.yaml + OS::TripleO::Services::OctaviaWorker: ../../puppet/services/octavia-worker.yaml + +parameter_defaults: + NeutronServicePlugins: "qos,router,trunk,lbaasv2" + NeutronEnableForceMetadata: true diff --git a/environments/sshd-banner.yaml b/environments/sshd-banner.yaml new file mode 100644 index 00000000..041c0990 --- /dev/null +++ b/environments/sshd-banner.yaml @@ -0,0 +1,13 @@ +resource_registry: + OS::TripleO::Services::Sshd: ../puppet/services/sshd.yaml + +parameter_defaults: + BannerText: | + ****************************************************************** + * This system is for the use of authorized users only. Usage of * + * this system may be monitored and recorded by system personnel. * + * Anyone using this system expressly consents to such monitoring * + * and is advised that if such monitoring reveals possible * + * evidence of criminal activity, system personnel may provide * + * the evidence from such monitoring to law enforcement officials.* + ****************************************************************** |