OpenStack-Ansible Security
Uploaded by major-hayden (category: Technology)
Transcript of OpenStack-Ansible Security
Page 1: OpenStack-Ansible Security
Major Hayden
OpenStack Security Mid-cycle, January 12-15, 2016
Page 2: Agenda
• Who am I?
• Overview of openstack-ansible-security
• Wish list
Page 3: Who am I?
• At Rackspace since 2006
• OpenStack public cloud team
• Former Chief Security Architect
• Current project: Rackspace's OpenStack Private Cloud
Page 4: openstack-ansible-security
Purpose
• Help customers meet compliance requirements
• Provide baseline security enhancements
Requirements
• Easy to deploy and configurable
• Must not harm production OpenStack environments
• Must satisfy PCI-DSS 3.1 Requirement 2.2
PCI-DSS 3.1 Requirement 2.2
"Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards."
Page 5: Based on the DISA STIG
• No restrictive licensing or terms of use (unlike CIS benchmarks)
• Industry-accepted (used by the US Government among others)
• Divided into categories/severity
• STIG for Ubuntu doesn't exist, but the Red Hat Enterprise Linux 6 STIG is very close
Page 6: What exists today?
• Ansible role: openstack-ansible-security
• Documentation: within the role's code and on docs.openstack.org
• Exceptions are heavily documented
• Easy integration with OpenStack-Ansible
Page 7: Documentation
Text from the official STIG to explain why the standard is applied.
Deployer notes explain what the role does or doesn’t do.
Link to the STIG Viewer site.
Page 8: Documentation for exceptions
Standards that could disrupt a production environment are noted and a sane default is used.
Additional documentation is provided/linked when needed.
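The opt-in pattern this slide describes, as a constructed Ansible playbook added here for illustration (it is not a task from the openstack-ansible-security role; the variable names and the choice of auditd's disk_full_action as the disruptive control are assumptions):

```yaml
# Constructed example of a documented exception with a sane default.
# Not code from the openstack-ansible-security role; variable names are hypothetical.
- hosts: all
  become: yes
  vars:
    # In a role these would live in defaults/main.yml so a deployer can override them.
    # The STIG wants auditd to take a hard action when the audit partition fills;
    # halting a production OpenStack host is worse than losing audit records, so the
    # control is off by default and the deployer opts in after reading the docs.
    security_apply_disruptive_auditd_actions: no
    security_auditd_disk_full_action: HALT   # strictest auditd value; SUSPEND is softer
  tasks:
    - name: Set auditd disk_full_action (STIG control, disruptive, opt-in)
      lineinfile:
        path: /etc/audit/auditd.conf
        regexp: '^disk_full_action'
        line: "disk_full_action = {{ security_auditd_disk_full_action }}"
      when: security_apply_disruptive_auditd_actions | bool
      tags:
        - auditd
        - stig

    - name: Record the exception in the play output when the control is skipped
      debug:
        msg: >-
          auditd disk_full_action left unchanged; set
          security_apply_disruptive_auditd_actions=yes to apply the STIG value.
      when: not (security_apply_disruptive_auditd_actions | bool)
```

The skipped-control message gives an auditor a visible record of which STIG items were deliberately not applied and why.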
Page 9: Wish list
• Need additional testing in larger environments
• Applied by default in OpenStack-Ansible all-in-one (AIO) builds (patch proposed)
• Expand to additional operating systems (multi-OS support is in an OpenStack-Ansible spec)
• QSA validation that the role meets PCI-DSS 3.1 Req 2.2 (meeting with QSA scheduled)
Page 10: Wish list
• Container security improvements
• Better output/reporting for audits
Page 11: Links
• Role: https://github.com/openstack/openstack-ansible-security
• Docs: http://docs.openstack.org/developer/openstack-ansible-security/
• Ansible blog post: http://www.ansible.com/blog/securing-openstack-hosts-with-ansible
• Blueprint/Spec: https://blueprints.launchpad.net/openstack-ansible/+spec/security-hardening