[openstack-dev] [openstack-ansible] Security hardening
Major Hayden
major at mhtx.net
Thu Sep 10 14:54:20 UTC 2015
Hey there,
I've been looking for some ways to harden the systems that are deployed by os-ansible-deployment (soon to be openstack-ansible?) and I've been using the Center for Internet Security (CIS)[1] benchmarks as a potential pathway for that. There are benchmarks available for various operating systems and applications there.
Many of the items shown there fall into a few different categories:
1) things OSAD should configure
2) things deployers should configure
3) things nobody should configure (they break the deployment, for example)
#3 is often quite obvious, but #1 and #2 are a bit more nebulous. For example, I opened a ticket[2] about getting auditd installed by default with openstack-ansible. My gut says that many deployers could use auditd since it collects denials from AppArmor and that can help with troubleshooting broken policies.
Also, I opened another ticket[3] for compressing all logs by default. This affects availability (part of the information security CIA triad[4]) in a fairly critical way in the long term.
My question is this: How should I go about determining which security changes should go upstream and which should go into documentation as things deployers should do locally?
[1] https://benchmarks.cisecurity.org/
[2] https://bugs.launchpad.net/openstack-ansible/+bug/1491915
[3] https://bugs.launchpad.net/openstack-ansible/+bug/1493981
[4] https://en.wikipedia.org/wiki/Information_security#Key_concepts
--
Major Hayden