Applying ansible-hardening
The ansible-hardening role applies to the physical hosts in an OpenStack-Ansible deployment, whatever type of node they operate as (infrastructure or compute). The role is enabled by default. You can disable it by setting the apply_security_hardening variable in the user_variables.yml file to false:
apply_security_hardening: false
You can apply the security hardening configuration to an existing environment, or audit an environment against it, by using the playbook provided with OpenStack-Ansible. Check mode reports what the role would change without modifying the hosts:
# Apply security hardening configurations
openstack-ansible openstack.osa.security_hardening
# Perform a quick audit by using Ansible's check mode
openstack-ansible --check openstack.osa.security_hardening
For more information about the security configuration, see the security hardening role documentation.
Deployment Host Hardening
You can extend security hardening to the deployment host by defining the security_host_group variable in your openstack_user_variables file. Include localhost along with your other hosts, like this:
security_host_group: localhost, hosts
Then apply the hardening with:
openstack-ansible openstack.osa.security_hardening
Alternatively, you can supply the variable as an extra variable at run time. Because it selects the hosts the play runs against, the following invocation hardens only the deployment host:
openstack-ansible openstack.osa.security_hardening -e security_host_group=localhost
Warning
After applying security hardening, root login via password will be disabled. Make sure you configure SSH key authentication or set up a non-root user with sudo privileges before applying the changes, otherwise you may lose access to the host.
Including the deployment host can be useful to reduce its attack surface and ensure that the host running OpenStack-Ansible follows the same security best practices as your other nodes.
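The warning above describes the lock-out risk; a pre-flight script that verifies key-based SSH, passwordless sudo and the sshd PubkeyAuthentication setting on every target before the play runs is the practical check. The script below is an added example for this page, not part of OpenStack-Ansible. It assumes you SSH to each host as the same user Ansible will use, that the user's key is already installed, and that /etc/ssh/sshd_config is readable by that user (it is world-readable on Ubuntu and Debian); the host names are whatever you pass as arguments.

```shell
#!/bin/sh
# Pre-flight check before running openstack.osa.security_hardening.
# Added example for this page, not OpenStack-Ansible's own tooling.
# Assumptions: the login user is the one Ansible will use, its key is installed,
# and /etc/ssh/sshd_config is readable by it. Hosts are given as arguments.
set -eu

# Intentionally unquoted where used so the options split into separate words.
SSH_OPTS="-o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=5"

# Key-based, non-interactive login works for the host. BatchMode means a
# password prompt cannot be answered, so a missing key fails fast instead of hanging.
key_login_ok() {
  ssh $SSH_OPTS "$1" true 2>/dev/null
}

# The login user can escalate without a password prompt; needed once root
# can no longer log in with a password.
sudo_ok() {
  ssh $SSH_OPTS "$1" sudo -n true 2>/dev/null
}

# Read an sshd_config on stdin and succeed if public-key authentication is not
# disabled. sshd honours the first occurrence of a keyword and defaults to yes;
# commented lines are skipped. Match blocks are not evaluated by this check.
pubkey_auth_enabled() {
  val=$(awk '$1 !~ /^#/ && tolower($1) == "pubkeyauthentication" { print tolower($2); exit }')
  [ "${val:-yes}" = "yes" ]
}

# Run all checks for one host; print one line per check, return 1 on any failure.
check_host() {
  host=$1
  status=0
  if key_login_ok "$host"; then
    printf '%s: key-based SSH ok\n' "$host"
  else
    printf '%s: key-based SSH FAILED\n' "$host" >&2
    return 1   # nothing else can be checked without a login
  fi
  if sudo_ok "$host"; then
    printf '%s: passwordless sudo ok\n' "$host"
  else
    printf '%s: sudo -n FAILED (create a sudo user or log in as root with a key)\n' "$host" >&2
    status=1
  fi
  if cfg=$(ssh $SSH_OPTS "$host" cat /etc/ssh/sshd_config 2>/dev/null); then
    if printf '%s\n' "$cfg" | pubkey_auth_enabled; then
      printf '%s: PubkeyAuthentication enabled\n' "$host"
    else
      printf '%s: PubkeyAuthentication is disabled in sshd_config\n' "$host" >&2
      status=1
    fi
  else
    printf '%s: could not read /etc/ssh/sshd_config\n' "$host" >&2
    status=1
  fi
  return $status
}

main() {
  failed=0
  for h in "$@"; do
    check_host "$h" || failed=1
  done
  if [ "$failed" -ne 0 ]; then
    echo 'Fix the failures above before hardening, or you may lock yourself out.' >&2
    exit 1
  fi
  # All hosts passed: dry-run first so the change set can be reviewed.
  openstack-ansible --check openstack.osa.security_hardening
}

# Usage: sh preflight.sh localhost infra1 compute1
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run it from the deployment host with the same host list you put in security_host_group; it refuses to proceed to the check-mode run while any host fails, and the real apply is left to you once the dry run looks right.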
Hiding Secrets in OpenStack-Ansible
OpenStack-Ansible roles use variables like _oslodb_setup_nolog, _service_setup_nolog, and _oslomsg_nolog to control whether task output is hidden in logs.
These variables are enabled by default, which prevents sensitive values (such as passwords) from being written to log files. Setting them to false can make debugging easier, but it also risks exposing secrets in plain text.
Warning
Use them with caution: if you turn the protection off to troubleshoot, remember that passwords may appear in the logs for as long as it is off, and turn it back on afterwards.
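The following script shows the mechanism described above on a minimal playbook and checks the resulting Ansible log for the secret. It is an added example for this page, not OpenStack-Ansible's own code: the playbook, the way it wires no_log to a variable, the secret and the log paths are all constructed for the demo, and only the variable name _service_setup_nolog is taken from the text.

```shell
#!/bin/sh
# Shows what a *_nolog variable does to Ansible's log. Added example for this
# page, not OpenStack-Ansible's own code: playbook, secret and log paths are
# constructed; only the variable name _service_setup_nolog comes from the page.
set -eu

DEMO_SECRET="S3cretExample"   # constructed, stands in for a real service password

# Minimal playbook whose task follows the pattern the page describes: no_log is
# driven by a variable rather than hard-coded, so it can be turned off for debugging.
write_demo_playbook() {
  cat > "$1" <<EOF
- hosts: localhost
  gather_facts: false
  vars:
    service_password: "$DEMO_SECRET"
    _service_setup_nolog: true
  tasks:
    - name: Create service user (output hidden while _service_setup_nolog is true)
      debug:
        msg: "creating service user with password {{ service_password }}"
      no_log: "{{ _service_setup_nolog }}"
EOF
}

# Succeed if the secret appears anywhere in the log file given as $1.
secret_leaked() {
  grep -q -F -- "$DEMO_SECRET" "$1"
}

# Run playbook $1 with _service_setup_nolog=$2, logging to $3, and report.
run_and_report() {
  ANSIBLE_LOG_PATH="$3" ansible-playbook "$1" -e "_service_setup_nolog=$2" >/dev/null
  if secret_leaked "$3"; then
    printf 'nolog=%-5s secret IS present in %s\n' "$2" "$3"
  else
    printf 'nolog=%-5s secret is absent from %s\n' "$2" "$3"
  fi
}

main() {
  dir=$(mktemp -d)
  write_demo_playbook "$dir/demo.yml"
  run_and_report "$dir/demo.yml" true  "$dir/nolog-on.log"
  run_and_report "$dir/demo.yml" false "$dir/nolog-off.log"
  rm -rf "$dir"
}

# Usage: sh nolog-demo.sh --run   (needs ansible-playbook on PATH)
if [ "${1:-}" = "--run" ]; then
  main
fi
```

With the variable left at true the log records only Ansible's "the output has been hidden" placeholder for the task; with it set to false the debug message, password included, is written to the log file. The same grep is a cheap check to run over real OpenStack-Ansible logs after any troubleshooting session during which the protection was off.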