Upload: major-hayden

Post on 28-Jan-2018

Securing OpenStack clouds and beyond with Ansible

Major Hayden

@majorhayden

Photo: Luciof (Wikipedia)

Major Hayden, Principal Architect at Rackspace

● Builds OpenStack private clouds
● OpenStack contributor since Diablo
● Fedora Linux Security Team / Server WG member
● Actually one of the few people who likes SELinux
● Owns far too many domain names

SECURITY IS HARD
(This is what people keep telling me.)

Photo: Santeri Viinamäki

WHAT MAKES SECURITY SO HARD?

Photo: Santeri Viinamäki

“Complexity is the enemy of security. As systems get more complex, they get less secure.”
-- Bruce Schneier

Photo: nicolletec

Complexity is here to stay. Is security a hopeless cause?

Photo: dnizz

“Nothing prompts creativity like poverty, a feeling of hopelessness, and a bit of panic.”
-- Catherine Tate

We already handle IT complexity with:

DESIGN
COLLABORATION
AUTOMATION
TESTING

Photo: victorgrigas

Why can’t we approach security the same way?

IMAGINE A WORLD: Where you can harden servers without disrupting OpenStack

Photo: NASA

IMAGINE A WORLD: Where you have the freedom to tighten or loosen restrictions at any time

Photo: NASA

IMAGINE A WORLD: Where you can delight* auditors with proof of compliance

Photo: NASA

* I’m not sure if an auditor has ever been delighted before, but we are certainly going to try.

Get one step closer to that world with openstack-ansible-security.

https://github.com/openstack/openstack-ansible-security

openstack-ansible-security is an Ansible role that applies industry-standard security hardening through automation in a flexible way.

Let’s break that down.

The Defense Information Systems Agency (DISA) releases the Security Technical Implementation Guide (STIG).

The Pike release will feature the RHEL 7 STIG final version!

The STIG is translated into tasks, templates, and handlers within an Ansible role.

The Ansible role is adjusted to avoid disruptions to an OpenStack environment (or other production environments without OpenStack).

(This step also includes lots of documentation and functional tests.)

Finally, the role gets final tweaks and translations so that it works well on multiple distributions.

(Every distribution has its quirks, especially with security.)

Supported deployments

Ubuntu 16.04 LTS
Ubuntu 14.04 LTS (deprecated)

CentOS 7

Red Hat Enterprise Linux 7

x86 and PPC architectures

With or without OpenStack

New or existing systems

FEATURES:
Idempotent
Highly configurable
Zero disruptions to an existing system
Read-only audits of existing deployments
Regularly tested with and without OpenStack

How do I get started?

OpenStack-Ansible users: Included since Mitaka.

Enabled by default since Newton.

Linux users: Install using ansible-galaxy.

Use standalone or with your existing playbooks.
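The standalone workflow from the "How do I get started?" slides, as an added example that is not part of the original deck or the role's own repository: install the role from its git URL, generate a minimal playbook, run a read-only audit with Ansible's check mode, then apply. The inventory and playbook file names are assumptions; real runs happen only when the script is invoked with the argument "run".

```shell
#!/bin/sh
# Added example (not from the slides): standalone use of openstack-ansible-security.
# Assumed: ansible is installed, inventory.ini lists the hosts to harden.
set -eu

ROLE_REPO="https://github.com/openstack/openstack-ansible-security"
PLAYBOOK="${PLAYBOOK:-harden.yml}"          # assumed playbook file name
INVENTORY="${INVENTORY:-inventory.ini}"     # assumed inventory file name

install_role() {
    # ansible-galaxy accepts a git URL directly, so no Galaxy listing is needed
    ansible-galaxy install "git+${ROLE_REPO}"
}

write_playbook() {
    # Minimal playbook: apply the role to every inventory host with privilege
    # escalation. It can equally be added as one more role in an existing play.
    cat > "$1" <<'EOF'
---
- hosts: all
  become: yes
  roles:
    - openstack-ansible-security
EOF
}

audit_cmd() {
    # --check reports what the role would change without touching the hosts
    # (the read-only audit from the slides); --diff shows each pending change.
    printf 'ansible-playbook -i %s --check --diff %s\n' "$INVENTORY" "$1"
}

apply_cmd() {
    # The same play without --check performs the hardening; rerunning it is
    # idempotent, so it doubles as a drift check afterwards.
    printf 'ansible-playbook -i %s %s\n' "$INVENTORY" "$1"
}

if [ "${1:-}" = "run" ]; then
    install_role
    write_playbook "$PLAYBOOK"
    sh -c "$(audit_cmd "$PLAYBOOK")"
    sh -c "$(apply_cmd "$PLAYBOOK")"
fi
```

Review the audit output before the apply step; any task that would change a setting you rely on is the place to adjust the role's variables.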

Aren’t Linux systems secure already? They are consistently inconsistent.

Configuration drift happens over time

Why not OpenSCAP?
Difficult to tighten/loosen restrictions easily
Challenging to integrate with a system post-deployment
XML. Lots of XML.

What’s next?

Support for SUSE Leap, Amazon Linux and ARM.

Easily parseable playbook output for audits. (ARA?)

Photo: NASA

Demonstration time!

Join our community! #openstack-ansible on Freenode
[email protected]
https://github.com/openstack/openstack-ansible-security

Thank you! Major Hayden

@majorhayden

Photo: Luciof (Wikipedia)