Securing OpenStack for compliance
Slides from a lecture delivered at the OpenStack Summit, Hong Kong.
© MIRANTIS 2013 PAGE 1
Securing for compliance
Tomasz ‘Zen’ Napierała
Sr. OpenStack Engineer
Tomasz Z. Napierała
Senior OpenStack Engineer @ Mirantis, Inc.
automation, web performance, compliance, security
Mirantis, Inc.
Largest independent vendor of OpenStack services and technology.
We operate from Mountain View, California, with remote offices in Russia, Ukraine and Poland.
60+ successful OpenStack implementations and 400+ infrastructure experts.
Agenda
What’s included
• State of cloud compliance
• Modules overview
• Practical tips
What’s not included
• Securing VMs
• Guarantee
PCI DSS overview
PCI DSS recap
• Set of policies and procedures
• Optimize security of financial data processing
• Protect cardholders
• 12 general requirements
• Ongoing process
• PCI DSS version 2.0
State of compliance in cloud
• Not possible (pre 2012)
• Hard, not clear (pre 2013)
• PCI DSS 2.0 Cloud Computing Guide (Feb. 2013)
• Production deployments
  • Rackspace
Where are we
Rely on Cloud Service Provider for HW -> Hypervisor related compliance
(Phil Cox, RightScale)
Where are we
• Hardware
• Network
• Storage
• Hypervisor
• VM
PCI DSS requirements
Source: http://www.datasecureworks.com/images/Trustwave/pci-requirements-grid.png
Projects history
• Initially launched for customer (2 engineers)
• Moved into internal project (2+ engineers)
• Some parts reused in other projects
• 2 clients using the tools
Projects limitations
• RedHat / CentOS compatible
• Only for private IaaS clouds
• Operator centric
• Technology focused
• Everything in scope
• No “redo”
• No OpenStack patches
• No firewall management
Ingredients
Elements
• Baseline hardening
• HSM PoC
• Auditing system
• Log collection system
• Intra cluster secure communication
• Audit tools
• Documentation
Tools
• Fuel extension
• Puppet modules
• OpenStack patches (not included)
• OpenSCAP profiles (SRR)
• Documentation
• Checklist
Notes
• PCI DSS 2.0
• NIST
External dependencies
• LDAP / AD
• HSM (PoC available)
• Secure database + SSL
Puppet modules
aide
• File integrity checking with AIDE
auditd
• Auditing and logging during boot
• Auditing and logging in runtime
• Crucial file access monitoring
• Over 80 rules
• Based on the Aqueduct project: https://fedorahosted.org/aqueduct/
baseline
• Disabling services
• Sysctl tuning
• Disabling interactive startup
• Password for single mode
• Profile tuning
• PCI DSS required info in issue/issue.net
clamav
• Scanning policies
• Update policies
• Logging
controller_ipsec
• Mesh tunnels between controllers
limits
• Tuning system limits
Logstash (+ kibana + zeromq)
• Entire log collection infrastructure
• Predefined OpenStack inputs + filters
pam
• Cracklib
• Blocking accounts
pwpolicy
• Password policies
rabbitmq
• Added SSL support
securetty
• Disabling root login on console
secureusers
• Securing internal OpenStack and system users
ssh
• Secure SSH client and server configuration
sudo
• Protecting from shell escapes
• Disabling sudo su for root
• Secure defaults for sessions
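The three sudo bullets above, as an added Puppet example that is not one of the Mirantis modules: the class name, the drop-in path and the `wheel` group are assumptions, and it relies on the RHEL/CentOS default `#includedir /etc/sudoers.d` line in /etc/sudoers.

```puppet
# Added example (not the Mirantis 'sudo' module): a Puppet class that installs a
# hardened sudoers fragment on RHEL/CentOS. Class name, path and group are assumed.
class sudo_hardening {
  # root:root 0440 is what visudo expects for sudoers files
  file { '/etc/sudoers.d/hardening':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0440',
    content => "# Secure defaults for sessions
Defaults    env_reset
Defaults    use_pty
Defaults    requiretty
Defaults    timestamp_timeout=5
Defaults    passwd_tries=3
Defaults    logfile=\"/var/log/sudo.log\"
Defaults    log_output
Defaults    iolog_dir=/var/log/sudo-io

# Protecting from shell escapes: programs started from a sudo'd command
# (an editor's or pager's shell escape) are blocked by the noexec wrapper
Defaults    noexec

# Disabling sudo su for root: admins keep full sudo but cannot
# open a root shell through su
Cmnd_Alias  SU = /bin/su, /usr/bin/su
%wheel      ALL=(ALL) ALL, !SU
",
  }
}

include sudo_hardening
```

Check the fragment with `visudo -c -f /etc/sudoers.d/hardening` before rollout. The `!SU` negation only holds while the su binary cannot be copied or renamed by the user, and `noexec` only applies to dynamically linked programs, so both are hardening layers rather than guarantees.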
What’s not included
• System images
• Glance protection
• Swift encryption
Tips
• HSM (PoC available)
• Compliance is not technology
• Virtualized != cloud
• Automation is king
• Get an expert
• Get experienced QSA
• Use Quantum
Notes
• Buggy egress filtering in Grizzly
• No default TLS support in VNC
• No image scanning, shredding, etc.
• User cleanup scripts
• No logging framework for tracking cloud activities?
• No granular access rights
• No default “zero access” policy
Notes on 8.5
Notes on 10.1
Roadmap
• Publication will be announced on the Mirantis blog
• Planned date: end of 2013
Questions?