{"id":22271183,"url":"https://github.com/gunh0/openstack-security-hub","last_synced_at":"2025-03-25T15:51:31.435Z","repository":{"id":262541691,"uuid":"886449346","full_name":"gunh0/openstack-security-hub","owner":"gunh0","description":"✅ A security compliance checker for OpenStack environments","archived":false,"fork":false,"pushed_at":"2024-12-20T07:37:29.000Z","size":78,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-30T14:18:23.220Z","etag":null,"topics":["cloud-security","compliance","openstack","security-audit","security-automation"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gunh0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-11-11T01:50:21.000Z","updated_at":"2024-12-20T07:37:33.000Z","dependencies_parsed_at":"2024-12-19T08:28:32.577Z","dependency_job_id":"9f06028c-f5ad-4633-af24-4726d1b0345a","html_url":"https://github.com/gunh0/openstack-security-hub","commit_stats":null,"previous_names":["gunh0/openstack-security-hub"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gunh0%2Fopenstack-security-hub","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gunh0%2Fopenstack-security-hub/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gunh0%2Fopenstack-security-hub/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/re
positories/gunh0%2Fopenstack-security-hub/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gunh0","download_url":"https://codeload.github.com/gunh0/openstack-security-hub/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245495375,"owners_count":20624805,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud-security","compliance","openstack","security-audit","security-automation"],"created_at":"2024-12-03T12:10:59.702Z","updated_at":"2025-03-25T15:51:31.413Z","avatar_url":"https://github.com/gunh0.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# openstack-security-hub\n\n### Environment Setup\n\n**Setup from `openstack/devstack`**\n\n\u003e \u003chttps://opendev.org/openstack/devstack\u003e\n\u003e\n\u003e DevStack is a series of extensible scripts used to quickly bring up a complete OpenStack environment based on the latest versions of everything from git master. It is used interactively as a development environment and as the basis for much of the OpenStack project’s functional testing.\n\u003e\n\u003e ...\n\u003e\n\u003e Install Linux\n\u003e\n\u003e Start with a clean and minimal install of a Linux system. 
DevStack attempts to support the two latest LTS releases of Ubuntu, Rocky Linux 9 and openEuler.\n\u003e\n\u003e If you do not have a preference, **Ubuntu 22.04 (Jammy)** is the most tested, and will probably go the smoothest.\n\n**Installed (Tested) Versions**\n\n- Ubuntu 22.04 (Jammy)\n- openstack 7.1.3\n\n\u003cbr/\u003e\n\n### OpenStack Security Guide\n\n\u003e \u003chttps://docs.openstack.org/security-guide/\u003e\n\n**This book provides best practices and conceptual information about securing an OpenStack cloud.**\n\n- **Identity**\n- [ ] [identity-01] Is user/group ownership of config files set to keystone?\n  - [x] [identity-01-01] `/etc/keystone/keystone.conf`\n  - [x] [identity-01-02] `/etc/keystone/keystone-paste.ini`\n  - [x] [identity-01-03] `/etc/keystone/policy.json`\n  - [x] [identity-01-04] `/etc/keystone/logging.conf`\n  - [x] [identity-01-05] `/etc/keystone/ssl/certs/signing_cert.pem`\n  - [x] [identity-01-06] `/etc/keystone/ssl/private/signing_key.pem`\n  - [x] [identity-01-07] `/etc/keystone/ssl/certs/ca.pem`\n  - [x] [identity-01-08] `/etc/keystone`\n- [ ] [identity-02] Are strict permissions set for Identity configuration files?\n  - [x] [identity-02-01] `/etc/keystone/keystone.conf`\n  - [ ] [identity-02-02] `/etc/keystone/keystone-paste.ini`\n  - [ ] [identity-02-03] `/etc/keystone/policy.json`\n  - [ ] [identity-02-04] `/etc/keystone/logging.conf`\n  - [ ] [identity-02-05] `/etc/keystone/ssl/certs/signing_cert.pem`\n  - [ ] [identity-02-06] `/etc/keystone/ssl/private/signing_key.pem`\n  - [ ] [identity-02-07] `/etc/keystone/ssl/certs/ca.pem`\n  - [ ] [identity-02-08] `/etc/keystone`\n- [ ] [identity-03] Is TLS enabled for Identity?\n- [identity-04] (Obsolete)\n- [ ] [identity-05] Is max_request_body_size set to default (114688)?\n- [ ] [identity-06] Disable admin token in /etc/keystone/keystone.conf\n- **Dashboard**\n- [x] [dashboard-01] Is user/group of config files set to root/horizon?\n- [ ] [dashboard-02] Are strict permissions set for 
horizon configuration files?\n- [ ] [dashboard-03] Is DISALLOW_IFRAME_EMBED parameter set to True?\n- [x] [dashboard-04] Is CSRF_COOKIE_SECURE parameter set to True?\n- [x] [dashboard-05] Is SESSION_COOKIE_SECURE parameter set to True?\n- [x] [dashboard-06] Is SESSION_COOKIE_HTTPONLY parameter set to True?\n- [ ] [dashboard-07] Is PASSWORD_AUTOCOMPLETE set to False?\n- [ ] [dashboard-08] Is DISABLE_PASSWORD_REVEAL set to True?\n- **Compute**\n- **Block Storage**\n- **Image Storage**\n- **Shared File Systems**\n- **Networking**\n- [ ] [networking-01] Is user/group ownership of config files set to root/neutron?\n  - [ ] [networking-01-01] `/etc/neutron/neutron.conf`\n  - [ ] [networking-01-02] `/etc/neutron/api-paste.ini`\n  - [ ] [networking-01-03] `/etc/neutron/policy.json`\n  - [ ] [networking-01-04] `/etc/neutron/rootwrap.conf`\n  - [ ] [networking-01-05] `/etc/neutron`\n- [ ] [networking-02] Are strict permissions set for configuration files?\n- [ ] [networking-03] Is keystone used for authentication?\n- [ ] [networking-04] Is secure protocol used for authentication?\n- [ ] [networking-05] Is TLS enabled on Neutron API server?\n- **Secrets Management**\n- [ ] [key-manager-01] Is user/group ownership of config files set to barbican?\n  - [x] [key-manager-01-01] `/etc/barbican/barbican.conf`\n  - [x] [key-manager-01-02] `/etc/barbican/barbican-api-paste.ini`\n- [ ] [key-manager-02] Are strict permissions set for configuration files?\n- [x] [key-manager-03] Is OpenStack Identity used for authentication?\n- [ ] [key-manager-04] Is TLS enabled for authentication?\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgunh0%2Fopenstack-security-hub","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgunh0%2Fopenstack-security-hub","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgunh0%2Fopenstack-security-hub/lists"}