OpenStack-Ansible Security. Major Hayden, OpenStack Security Mid-cycle - January 12-15, 2016


Page 1: OpenStack-Ansible Security


Page 2: OpenStack-Ansible Security

Agenda

• Who am I?
• Overview of openstack-ansible-security
• Wish list

Page 3: OpenStack-Ansible Security

Who am I?

• At Rackspace since 2006
• OpenStack public cloud team
• Former Chief Security Architect
• Current project: Rackspace’s OpenStack Private Cloud

Page 4: OpenStack-Ansible Security

openstack-ansible-security

Purpose

• Help customers meet compliance requirements
• Provide baseline security enhancements

Requirements

• Easy to deploy and configurable
• Must not harm production OpenStack environments
• Must satisfy PCI-DSS 3.1 Requirement 2.2

PCI-DSS 3.1 Requirement 2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

Page 5: OpenStack-Ansible Security

Based on the DISA STIG

• No restrictive licensing or terms of use (unlike CIS benchmarks)
• Industry-accepted (used by the US Government among others)
• Divided into categories/severity
• A STIG for Ubuntu doesn’t exist, but the Red Hat Enterprise Linux 6 STIG is very close

Page 6: OpenStack-Ansible Security

What exists today?

• Ansible role: openstack-ansible-security
• Documentation: within the role’s code and on docs.openstack.org
• Exceptions are heavily documented
• Easy integration with OpenStack-Ansible

Page 7: OpenStack-Ansible Security

Documentation

Text from the official STIG to explain why the standard is applied.

Deployer notes explain what the role does or doesn’t do.

Link to the STIG Viewer site.

Page 8: OpenStack-Ansible Security

Documentation for exceptions

Standards that could disrupt a production environment are noted and a sane default is used.

Additional documentation is provided/linked when needed.
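The pattern from the two documentation slides, as an added illustration written for this page (not the openstack-ansible-security role’s own code): each task is named after the STIG item it implements, the deployer note is the inline comment, and a control that could disrupt a production environment is gated behind a variable whose default leaves the host unchanged. The `V-XXXXX` IDs and the `security_*` variable names are placeholders, and `restart ssh` is an assumed handler.

```yaml
---
# defaults/main.yml (hypothetical): disruptive controls default to "off"
# so that applying the role never changes production behaviour by surprise.
security_disable_ipv6: no               # placeholder variable name
security_sshd_permit_root_login: no     # placeholder variable name

---
# tasks/main.yml (hypothetical excerpt)

# STIG text: the system must not have IPv6 enabled unless required.
# Deployer note: NOT applied by default. Disabling IPv6 can break
# existing networking in the environment; set security_disable_ipv6: yes
# only after confirming no service depends on IPv6.
- name: "V-XXXXX (placeholder STIG ID) - Disable IPv6 on all interfaces"
  sysctl:
    name: net.ipv6.conf.all.disable_ipv6
    value: 1
    state: present
    sysctl_set: yes
    reload: yes
  when: security_disable_ipv6 | bool
  tags:
    - V-XXXXX       # lets a deployer run or skip one control via --tags/--skip-tags
    - network

# STIG text: the SSH daemon must not permit root logins.
# Deployer note: applied by default; sshd -t validates the file before
# it replaces the live config, so a typo cannot lock out the host.
- name: "V-XXXXX (placeholder STIG ID) - Disallow root login over SSH"
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^#?PermitRootLogin'
    line: 'PermitRootLogin no'
    validate: 'sshd -t -f %s'
  when: not security_sshd_permit_root_login | bool
  notify: restart ssh         # assumed handler defined in handlers/main.yml
  tags:
    - V-XXXXX
    - ssh

---
# playbooks/security-hardening.yml (hypothetical): the deployer applies
# the role and opts in to one disruptive control for a specific group.
- hosts: compute_hosts
  become: yes
  roles:
    - role: openstack-ansible-security
      security_disable_ipv6: yes
```

Running the playbook with `--skip-tags network` leaves the IPv6 task out regardless of the variable, which is the escape hatch the exception documentation points deployers to.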

Page 9: OpenStack-Ansible Security

Wish list

• Need additional testing in larger environments
• Applied by default in OpenStack-Ansible all-in-one (AIO) builds (patch proposed)
• Expand to additional operating systems (multi-OS support is in an OpenStack-Ansible spec)
• QSA validation that the role meets PCI-DSS 3.1 Req 2.2 (meeting with QSA scheduled)

Page 10: OpenStack-Ansible Security

Wish list

• Container security improvements
• Better output/reporting for audits

Page 11: OpenStack-Ansible Security

Links

• Role: https://github.com/openstack/openstack-ansible-security
• Docs: http://docs.openstack.org/developer/openstack-ansible-security/
• Ansible blog post: http://www.ansible.com/blog/securing-openstack-hosts-with-ansible
• Blueprint/Spec: https://blueprints.launchpad.net/openstack-ansible/+spec/security-hardening

Page 12: OpenStack-Ansible Security