-
Notifications
You must be signed in to change notification settings - Fork 3
/
outline.txt
89 lines (82 loc) · 2.38 KB
/
outline.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
Front Matter
* Contributors
* Changelog
Introduction
* General principles
- Assume attackers are in all parts of the cloud
- Use layered security
- Use least privilege
- Use encryption and authentication
- Reduce attack surface
- Isolate components to the greatest degree possible
- Mandetory Access Controls, AppArmour/SELinux
- Containers
- Keep it simple, reduce amount of software
- Continuously monitor and verify cloud
* How to use this guide
- All clouds are different, read sections that apply to you
- Test in a non-production environment
- Provide feedback and help improve the guide
OpenStack Overview
* OpenStack Core Projects vs Production OpenStack Deployment
- deployment involves much more than just core projects
- many configuration options
- many architectural decisions
* Generic view of an OpenStack deployment
Architecture Guidance
* Looking at key decision points and how they affect security
- provide the information needed to understand security relavence of choices
- don't necessarily suggest a specific choice, unless there're clear winners
- largely point to sections below for additional details
* Configuration options for core projects
* How to organize software on controller(s)
* Choice of external projects necessary for deployment (e.g., hypervisor)
OpenStack Projects
* Compute (Nova)
- Direct Threats
- Configuration Guideance
- Hypervisor Security
- General measures for securing hypervisors
- Refer to sectio below in hypervisor security
* Storage (Swift)
- Direct Threats
- Configuration Guideance
- SSL Stuff
* Networking (Quantam)
- Direct Threats
- Configuration Guideance
* Dashboard (Horizon)
- Direct Threats
- Configuration Guideance
* Identity (Keystone)
- Direct Threats
- Configuration Guideance
* Image (Glance)
- Direct Threats
- Configuration Guideance
Related Projects
* Virtualization / Containers
- KVM [most common]
- Xen
- LXC
- HyperV ??
* SSL Termination
- Stud
- Pound
- Stunnel
* HAProxy
* Messaging
- RabbitMQ [most common]
- QPid
- ZeroMQ
* Database
- Mysql [most common]
- what else are people using?
* NTP
* General Linux Hardening
- Beyond scope, see NSA Guide to the Secure Configuration of
Red Hat Enterprise Linux 5, June 2012 (useful for all distros)
Other OpenStack Security Guideance
* Security Notes
* Vulnerability Reports
Conclusions