Securing OpenStack clouds and beyond with Ansible
Major Hayden
@majorhayden
Photo: Luciof (Wikipedia)
Major Hayden
Principal Architect at Rackspace
● Builds OpenStack private clouds
● OpenStack contributor since Diablo
● Fedora Linux Security Team / Server WG member
● Actually one of the few people who likes SELinux
● Owns far too many domain names
SECURITY IS HARD
(This is what people keep telling me.)
Photo: Santeri Viinamäki
WHAT MAKES SECURITY SO HARD?
Photo: Santeri Viinamäki
“Complexity is the enemy of security. As systems get more complex, they get less secure.”
-- Bruce Schneier
Photo: nicolletec
Complexity is here to stay.
Is security a hopeless cause?
Photo: dnizz
“Nothing prompts creativity like poverty, a feeling of hopelessness, and a bit of panic.”
-- Catherine Tate
We already handle IT complexity with:
DESIGN
COLLABORATION
AUTOMATION
TESTING
Photo: victorgrigas
Why can’t we approach security the same way?
IMAGINE A WORLD:
Where you can harden servers without disrupting OpenStack
Photo: NASA
IMAGINE A WORLD:
Where you have the freedom to tighten or loosen restrictions at any time
Photo: NASA
IMAGINE A WORLD:
Where you can delight* auditors with proof of compliance
Photo: NASA
* I’m not sure if an auditor has ever been delighted before, but we are certainly going to try.
Get one step closer to that world with openstack-ansible-security.
https://github.com/openstack/openstack-ansible-security
openstack-ansible-security is an Ansible role that applies industry-standard security hardening through automation in a flexible way.
Let’s break that down.
The Defense Information Systems Agency (DISA) releases the Security Technical Implementation Guide (STIG).
The Pike release will feature the RHEL 7 STIG final version!
The STIG is translated into tasks, templates, and handlers within an Ansible role.
The Ansible role is adjusted to avoid disruptions to an OpenStack environment (or other production environments without OpenStack).
(This step also includes lots of documentation and functional tests.)
Finally, the role gets final tweaks and translations so that it works well on multiple distributions.
(Every distribution has its quirks, especially with security.)
Supported deployments
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS (deprecated)
CentOS 7
Red Hat Enterprise Linux 7
x86 and PPC architectures
With or without OpenStack
New or existing systems
FEATURES:
Idempotent
Highly configurable
Zero disruptions to an existing system
Read-only audits of existing deployments
Regularly tested with and without OpenStack
How do I get started?
OpenStack-Ansible users:
Included since Mitaka.
Enabled by default since Newton.
Linux users:
Install using ansible-galaxy.
Use standalone or with your existing playbooks.
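The getting-started steps above, the read-only audit feature and the "tighten or loosen" idea, worked through as a shell script. This is an added example, not material from the talk or from the openstack-ansible-security project: it fetches the role with ansible-galaxy, writes a minimal playbook that applies it, audits the inventory first in Ansible's standard check mode (no changes are made), and only then applies the role. The inventory path, playbook path and the commented-out variable override are placeholders; the role's real variable names are in its own documentation.

```shell
#!/bin/sh
# Added example (not from the talk or the project): install the
# openstack-ansible-security role, audit hosts read-only, then apply.
set -eu

ROLE_NAME="openstack-ansible-security"
ROLE_SRC="git+https://github.com/openstack/openstack-ansible-security"
PLAYBOOK="${PLAYBOOK:-security-hardening.yml}"   # placeholder path
INVENTORY="${INVENTORY:-hosts.ini}"              # placeholder inventory

# Step 1: fetch the role from its Git repository with ansible-galaxy.
install_role() {
  ansible-galaxy install "$ROLE_SRC"
}

# Step 2: write a playbook that applies the role to every inventory host.
# Loosening or tightening a control is a matter of overriding a role
# variable under "vars"; the commented line is a placeholder, not a real
# variable name. Prints the playbook path so callers can check the file.
write_playbook() {
  cat > "$PLAYBOOK" <<EOF
---
- name: Apply STIG-based hardening with $ROLE_NAME
  hosts: all
  become: yes
  # vars:
  #   role_variable_from_docs: value   # placeholder override
  roles:
    - role: $ROLE_NAME
EOF
  printf '%s\n' "$PLAYBOOK"
}

# Step 3: read-only audit. Check mode reports what the role *would*
# change on each host without touching it; --diff shows the exact
# file-level differences, which is the evidence an auditor asks for.
audit() {
  ansible-playbook -i "$INVENTORY" --check --diff "$PLAYBOOK"
}

# Step 4: apply the hardening. Because the role is idempotent, running
# this again later reports "ok" for controls still in place and
# "changed" only where configuration has drifted.
apply() {
  ansible-playbook -i "$INVENTORY" "$PLAYBOOK"
}

# Run one stage by name, e.g. "./harden.sh audit"; with no argument the
# script only defines the functions above.
case "${1:-}" in
  install) install_role ;;
  write)   write_playbook ;;
  audit)   audit ;;
  apply)   apply ;;
esac
```

The usual sequence is `install`, `write`, `audit`, review the check-mode output with whoever owns the hosts, adjust variables for any control that would disrupt the environment, then `apply`; re-running `audit` on a schedule turns the same playbook into a drift detector.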
Aren’t Linux systems secure already?
They are consistently inconsistent
Configuration drift happens over time
Why not OpenSCAP?
Difficult to tighten/loosen restrictions easily
Challenging to integrate with a system post-deployment
XML. Lots of XML.
What’s next?
Support for SUSE Leap, Amazon Linux and ARM.
Easily parseable playbook output for audits. (ARA?)
Photo: NASA
Demonstration time!
Join our community!
#openstack-ansible on Freenode
openstack-dev@lists.rackspace.com
https://github.com/openstack/openstack-ansible-security
Thank you!
Major Hayden
@majorhayden
Photo: Luciof (Wikipedia)