
OpenStack-Ansible Security


The openstack-ansible-security role provides security hardening for OpenStack environments deployed with OpenStack-Ansible.



  1. OpenStack-Ansible Security
     Major Hayden
     OpenStack Security Mid-cycle - January 12-15, 2016
  2. Agenda
     • Who am I?
     • Overview of openstack-ansible-security
     • Wish list
  3. Who am I?
     • At Rackspace since 2006
     • OpenStack public cloud team
     • Former Chief Security Architect
     • Current project: Rackspace’s OpenStack Private Cloud
  4. openstack-ansible-security
     Purpose
     • Help customers meet compliance requirements
     • Provide baseline security enhancements
     Requirements
     • Easy to deploy and configurable
     • Must not harm production OpenStack environments
     • Must satisfy PCI-DSS 3.1 Requirement 2.2
     PCI-DSS 3.1 Requirement 2.2: Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
  5. Based on the DISA STIG
     • No restrictive licensing or terms of use (unlike CIS benchmarks)
     • Industry-accepted (used by the US Government among others)
     • Divided into categories/severity
     • STIG for Ubuntu doesn’t exist, but the Red Hat Enterprise Linux 6 STIG is very close
  6. What exists today?
     • Ansible role: openstack-ansible-security
     • Documentation: within the role’s code and on docs.
     • Exceptions are heavily documented
     • Easy integration with OpenStack-Ansible
  7. Documentation
     • Text from the official STIG to explain why the standard is applied.
     • Deployer notes explain what the role does or doesn’t do.
     • Link to the STIG Viewer site.
  8. Documentation for exceptions
     • Standards that could disrupt a production environment are noted and a sane default is used.
     • Additional documentation is provided/linked when needed.
  9. Wish list
     • Need additional testing in larger environments
     • Applied by default in OpenStack-Ansible all-in-one (AIO) builds (patch proposed)
     • Expand to additional operating systems (multi-OS support is in an OpenStack-Ansible spec)
     • QSA validation that the role meets PCI-DSS 3.1 Req 2.2 (meeting with QSA scheduled)
  10. Wish list
     • Container security improvements
     • Better output/reporting for audits
  11. Links
     • Role:
     • Docs:
     • Ansible blog post:
     • Blueprint/Spec: