2. Agenda
• Who am I?
• Overview of openstack-ansible-security
• Wish list
3. Who am I?
• At Rackspace since 2006
• OpenStack public cloud team
• Former Chief Security Architect
• Current project: Rackspace’s OpenStack Private Cloud
4. openstack-ansible-security
Purpose
• Help customers meet compliance requirements
• Provide baseline security enhancements
Requirements
• Easy to deploy and configurable
• Must not harm production OpenStack environments
• Must satisfy PCI-DSS 3.1 Requirement 2.2
PCI-DSS 3.1 Requirement 2.2: “Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.”
5. Based on the DISA STIG
• No restrictive licensing or terms of use (unlike CIS benchmarks)
• Industry-accepted (used by the US Government among others)
• Divided into categories/severity
• A STIG for Ubuntu doesn’t exist, but the Red Hat Enterprise Linux 6 STIG is very close
6. What exists today?
• Ansible role: openstack-ansible-security
• Documentation: within the role’s code and on docs.openstack.org
• Exceptions are heavily documented
• Easy integration with OpenStack-Ansible
7. Documentation
• Text from the official STIG explains why the standard is applied.
• Deployer notes explain what the role does or doesn’t do.
• Link to the STIG Viewer site.
8. Documentation for exceptions
• Standards that could disrupt a production environment are noted and a sane default is used.
• Additional documentation is provided/linked when needed.
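The pattern slides 7 and 8 describe (one STIG-derived control per task, every control switchable by the deployer, and controls that could disrupt a production host defaulting to off with the reason recorded beside them), as an added example playbook that is not code from the openstack-ansible-security role; all variable names and the two chosen controls are hypothetical.

```yaml
---
# Added example, not from the openstack-ansible-security role. Variable names
# are hypothetical; the STIG-style settings shown are illustrative.
- hosts: all
  become: yes
  vars:
    # Low-risk control: applied by default, a deployer can still disable it.
    security_sshd_disable_root_login: yes
    # Documented exception: forcing password expiry can lock out local
    # service accounts on a running cloud, so the sane default is "off".
    # Deployers enable it once they have reviewed their local accounts.
    security_enforce_password_max_days: no
    security_password_max_days: 60
  tasks:
    - name: STIG-style control - disallow root login over SSH
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin no'
        # Refuse to write a config that sshd itself cannot parse, so a bad
        # edit never leaves the host unreachable (the "must not harm
        # production" requirement).
        validate: '/usr/sbin/sshd -t -f %s'
      when: security_sshd_disable_root_login | bool
      notify: restart ssh
      tags: [cat1]

    - name: STIG-style control - maximum password age (exception, off by default)
      lineinfile:
        dest: /etc/login.defs
        regexp: '^PASS_MAX_DAYS'
        line: "PASS_MAX_DAYS {{ security_password_max_days }}"
      when: security_enforce_password_max_days | bool
      tags: [cat2]

  handlers:
    - name: restart ssh
      service:
        name: ssh          # Ubuntu service name; "sshd" on RHEL-family hosts
        state: restarted
```

Running the playbook with `--check` first shows which controls would change a host before anything is applied.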
9. Wish list
• Need additional testing in larger environments
• Applied by default in OpenStack-Ansible all-in-one (AIO) builds (patch proposed)
• Expand to additional operating systems (multi-OS support is in an OpenStack-Ansible spec)
• QSA validation that the role meets PCI-DSS 3.1 Req 2.2 (meeting with QSA scheduled)