OpenStack Security Mid-cycle - January 12-15, 2016
• Who am I?
• Overview of openstack-ansible-security
• Wish list
Who am I?
• At Rackspace since 2006
• OpenStack public cloud team
• Former Chief Security Architect
• Current project: Rackspace’s OpenStack
• Help customers meet
• Provide baseline security
• Easy to deploy and
• Must not harm
• Must satisfy PCI-DSS 3.1
PCI-DSS 3.1 Requirement 2.2
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening
Based on the DISA STIG
• Industry-accepted (used by the US Government among others)
• Divided into categories/severity
• A STIG for Ubuntu doesn’t exist, but the Red Hat Enterprise Linux 6 STIG is very close
What exists today?
• Ansible role: openstack-ansible-security
• Documentation: within the role’s code and on docs.
• Exceptions are heavily documented
• Easy integration with OpenStack-Ansible
Text from the official STIG to explain why the standard is applied.
Deployer notes explain what the role does or
Link to the STIG Viewer site.
Documentation for exceptions
Standards that could disrupt a production environment are noted and a sane default
Additional documentation is
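The documentation pattern the slides describe (STIG rationale and a deployer note next to each control, the STIG ID attached to the task, and disruptive controls left off by default so a deployer has to opt in) can be expressed as an Ansible role fragment. The following is an added illustration written for this page, not code from the openstack-ansible-security role. The variable names (security_set_login_banner, security_enforce_separate_tmp, security_login_banner_text), the placeholder STIG ID V-XXXXX and the two controls chosen are assumptions made for the example.

```yaml
# Added example of the role's documentation pattern; not code from the
# openstack-ansible-security role. Variable names, the placeholder STIG ID
# "V-XXXXX" and the two controls are assumptions for illustration only.

# --- defaults/main.yml ---
# Controls that cannot break a running host are applied by default.
# Controls that could disrupt production default to "no"; the deployer
# opts in per environment after reading the exception note.
security_set_login_banner: yes
security_login_banner_text: "Authorized users only. Activity may be monitored."
security_enforce_separate_tmp: no   # remounting /tmp on a live host is disruptive

# --- tasks/main.yml ---
# STIG text: <the rationale from the official STIG entry is quoted here>
# Deployer note: writes /etc/issue. Safe on any host, so it is applied by
# default and can be disabled with security_set_login_banner.
- name: Set the login banner
  copy:
    content: "{{ security_login_banner_text }}"
    dest: /etc/issue
    owner: root
    group: root
    mode: "0644"
  when: security_set_login_banner | bool
  tags:
    - V-XXXXX   # placeholder for the STIG ID this task implements

# STIG text: <the rationale from the official STIG entry is quoted here>
# Deployer note (exception): creating a separate /tmp file system on an
# existing host needs a new partition and a remount, which can disrupt
# running services. The role therefore only checks and reports; it fails the
# run only when the deployer sets security_enforce_separate_tmp to "yes".
- name: Check whether /tmp is a separate file system
  command: mountpoint -q /tmp
  register: tmp_mountpoint
  failed_when: false
  changed_when: false
  tags:
    - V-XXXXX   # placeholder STIG ID

- name: Fail when /tmp is not a separate file system
  fail:
    msg: "/tmp is not a separate file system; see the exception note for this control"
  when:
    - security_enforce_separate_tmp | bool
    - tmp_mountpoint.rc != 0
  tags:
    - V-XXXXX   # placeholder STIG ID
```

Tagging each task with its STIG ID lets a deployer run or skip a single control with `--tags` / `--skip-tags`, and splitting the disruptive control into a check task and a separately gated fail task keeps the report of the finding even when enforcement is off.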
• Need additional testing in larger environments
• Applied by default in OpenStack-Ansible all-in-one (AIO) builds (patch proposed)
• Expand to additional operating systems (multi-OS support is in an
• QSA validation that the role meets PCI-DSS 3.1 Req 2.2 (meeting with QSA scheduled)
• Container security improvements
• Better output/reporting for audits