Securing OpenStack Hosts with Ansible

Deploying OpenStack can be a challenging process, and securing it can be even more daunting. Fortunately, there's a new project in the OpenStack big tent that wants to make this process easier: openstack-ansible-security.

Start Standardizing With the STIG

Securing an OpenStack deployment involves multiple levels of configuration:

1. Securing the network
2. Securing the host
3. Securing the interconnected services

The goal of openstack-ansible-security is to tackle the second level -- securing the host.  A spec was proposed for the Mitaka release of OpenStack to secure OpenStack infrastructure hosts using the Red Hat Enterprise Linux 6 Security Technical Implementation Guide (STIG).

The STIG is a collection of best practices for securing a host and its services against common attacks.  The collection is broken up into multiple sections, called categories.  The STIG Viewer service makes these categories easier to review.  The categories include:

• Cat 1: For highly sensitive systems
• Cat 2: For medium sensitivity systems
• Cat 3: For low sensitivity systems

These are meant to be stackable, so an extremely sensitive system would require categories 1, 2 and 3.  Each STIG item provides a description of what needs to be changed, why it should be changed, how to change it, and Continue reading