The document discusses the challenges of achieving effective information security in openstack environments through automated hardening using ansible. It emphasizes the need for security practices that are easy to implement, maintain, and non-disruptive, while also meeting compliance standards. Key highlights include the deployment of a security hardening role in openstack-ansible that applies over 200 security configurations rapidly, supporting users in maintaining secure systems without significant operational overhead.

1. Automated Security
Hardening with
OpenStack-Ansible
Major Hayden
major.hayden@rackspace.com
@majorhayden

2. 2
Major Hayden
Principal Architect
since 2006
since 2012
since 2011

3. 3
Agenda
• Security tug-of-war
• Meeting halfway
• Get involved!

4. 4
We can all agree on one thing:
information security is
insanely difficult

5. 5
We want just enough security
to create valuable outcomes
for our customers

6. 6
We avoid security changes that
increase drag and friction
within our organizations

7. 7Photo credit: Bruce Guenter (Flickr)
If the auditors aren’t happy,
nobody is happy.

8. 8
How do we make valuable security
changes without disruption (and
keep the auditors happy)?

9. 9Photo credit: Jaime Walker (jw1697, Flickr)
Make security automatic
(And yes, I know that makes it sound easy.)

10. 10
When the going gets tough,
the tough adopt standards
(This isn’t a famous quote. I just made it up for these slides.)

11. 11
Information security tip:
People should feel like
security is something
they are a part of;
not something that is
being done to them.
(I learned this lesson the hard way.)

12. 12
Which sounds better?
Option #1
“As developers, you don’t know how
to secure systems properly. We will tell you
what to do and you must have it done in three months.
If you don’t, we can’t take credit cards.”

13. 13
Which sounds better?
Option #2
“Since you use Ansible, we wrote some automation that
fits into your existing deployment method and won’t
disrupt your production environments.
Can we work with you to test it this month?”

14. 14
Automated security
for OpenStack must be:
Easy to implement
Simple to maintain
Non-disruptive to existing clouds
Effective against attacks
Open and transparent

15. 15
PCI-DSS 3.1 Requirement 2.2:
“Develop configuration standards for all system
components. Assure that these standards address all
known security vulnerabilities and are consistent with
industry-accepted system hardening standards.”

16. 16
Selecting the right standard
is challenging
Some are as
long as novels
Very few
directly apply
to Ubuntu
Some have
restrictive
licenses

17. 17
Our selection:
Security Technical Implementation Guide (STIG)
from the Defense Information Systems Agency (DISA)

18. 18
Active services
Authentication
Boot-time security
Consoles
File permissions/ownership
File integrity management
Kernel tuning
Mail
Package management
SSH daemon
Syscall Auditing
The STIG covers many
of the most critical
security domains

19. 19
STIG(RHEL 6)

20. 20
Ansible is a
software platform for
configuration management
and deployment
(among many other things)

21. 21
OpenStack-Ansible deploys a
production-ready OpenStack system
using Ansible tasks and roles

22. 22
OpenStack-Ansible has
a security hardening role
with two components:
Ansible Role
Applies automated
security hardening to
multiple systems
Documentation
With content
for deployers
as well as auditors

23. 23
openstack-ansible-security
role features:
Applies 200+ security
configurations in 90 seconds
Highly configurable
Comes with a built-in auditing
mode for testing or for use with
compliance auditors
Carefully written to be non-
disruptive to existing
OpenStack clouds

24. 24
Documentation
Configuration requirement from
the STIG
Link to the STIG viewer
Notes for deployers about
exceptions and additional
configurations
(auditors want to see these, too)

25. 25
Documentation
References Ansible
variable configuration
options
Warnings and advice

26. 26
Configuration

27. 27
Configuration
Flip a boolean and redeploy
the entire role or use a tag to
only deploy certain parts.

28. 28
How do I get it?
OpenStack-Ansible
deployers
Rackspace Private Cloud
customers
Anyone on Earth
Already available in OpenStack-Ansible’s Liberty,
Mitaka, and Newton releases!
Adjust apply_security_hardening to True and deploy!
Coming soon in Rackspace Private Cloud 12.2!
Speak with your account manager for more details.
Use it with your existing Ansible playbooks!
The role works well in OpenStack and non-
OpenStack environments (see the docs).

29. 29Photo credit: fvanrenterghem (Flickr)
The road ahead:
Support for Ubuntu 16.04 and
CentOS 7
Rebase using the new
STIG guidelines for RHEL 7
Improved reporting and metrics
Identify configuration security
issues within OpenStack services

30. 30
Design Summit:
Join the
OpenStack-Ansible developers
this Thursday/Friday in Austin!
IRC:
#openstack-ansible
Mailing list:
openstack-dev (tag with [openstack-
ansible][security])
Want to get involved?
Found a bug?
Have a new idea?

31. 31
Links:
Documentation: http://docs.openstack.org/developer/openstack-ansible-
security/
Source code:
https://github.com/openstack/openstack-ansible-security

33. Thank you!
Major Hayden
major.hayden@rackspace.com
@majorhayden