Securing OpenStack and Beyond with Ansible
The openstack-ansible-security role applies security hardening configurations to any system -- those running OpenStack and those that don't -- without disruption.
1. Securing OpenStack clouds and beyond with Ansible. Major Hayden (@majorhayden). Photo: Luciof (Wikipedia)
2. Major Hayden, Principal Architect at Rackspace ● Builds OpenStack private clouds ● OpenStack contributor since Diablo ● Fedora Linux Security Team / Server WG member ● Actually one of the few people who likes SELinux ● Owns far too many domain names
3. SECURITY IS HARD (This is what people keep telling me.) Photo: Santeri Viinamäki
4. WHAT MAKES SECURITY SO HARD? Photo: Santeri Viinamäki
5. “Complexity is the enemy of security. As systems get more complex, they get less secure.” -- Bruce Schneier. Photo: nicolletec
6. Complexity is here to stay. Is security a hopeless cause? Photo: dnizz
7. “Nothing prompts creativity like poverty, a feeling of hopelessness, and a bit of panic.” -- Catherine Tate
8. We already handle IT complexity with: design, collaboration, automation, testing. Photo: victorgrigas
9. Why can’t we approach security the same way?
10. IMAGINE A WORLD: where you can harden servers without disrupting OpenStack. Photo: NASA
11. IMAGINE A WORLD: where you have the freedom to tighten or loosen restrictions at any time. Photo: NASA
12. IMAGINE A WORLD: where you can delight* auditors with proof of compliance. Photo: NASA (* I’m not sure if an auditor has ever been delighted before, but we are certainly going to try.)
13. Get one step closer to that world with openstack-ansible-security. https://github.com/openstack/openstack-ansible-security
14. openstack-ansible-security is an Ansible role that applies industry-standard security hardening through automation in a flexible way.
15. Let’s break that down.
16. The Defense Information Systems Agency (DISA) releases the Security Technical Implementation Guide (STIG). The Pike release will feature the RHEL 7 STIG final version!
17. The STIG is translated into tasks, templates, and handlers within an Ansible role.
18. The Ansible role is adjusted to avoid disruptions to an OpenStack environment (or other production environments without OpenStack). (This step also includes lots of documentation and functional tests.)
19. Finally, the role gets final tweaks and translations so that it works well on multiple distributions. (Every distribution has its quirks, especially with security.)
20. Supported deployments: Ubuntu 16.04 LTS; Ubuntu 14.04 LTS (deprecated); CentOS 7; Red Hat Enterprise Linux 7; x86 and PPC architectures; with or without OpenStack; new or existing systems.
21. FEATURES: idempotent; highly configurable; zero disruptions to an existing system; read-only audits of existing deployments; regularly tested with and without OpenStack.
22. How do I get started?
23. OpenStack-Ansible users: included since Mitaka; enabled by default since Newton.
24. Linux users: install using ansible-galaxy; use standalone or with your existing playbooks.
25. Aren’t Linux systems secure already? They are consistently inconsistent; configuration drift happens over time.
26. Why not OpenSCAP? Difficult to tighten/loosen restrictions easily; challenging to integrate with a system post-deployment; XML. Lots of XML.
27. What’s next? Support for SUSE Leap, Amazon Linux and ARM. Easily parseable playbook output for audits. (ARA?) Photo: NASA
28. Demonstration time!
29. Join our community! #openstack-ansible on Freenode; openstack-dev@lists.rackspace.com; https://github.com/openstack/openstack-ansible-security
30. Thank you! Major Hayden (@majorhayden). Photo: Luciof (Wikipedia)