https://github.com/gunh0/openstack-security-hub
✅ A security compliance checker for OpenStack environments
https://github.com/gunh0/openstack-security-hub
cloud-security compliance openstack security-audit security-automation
Last synced: about 1 year ago
JSON representation
✅ A security compliance checker for OpenStack environments
- Host: GitHub
- URL: https://github.com/gunh0/openstack-security-hub
- Owner: gunh0
- License: apache-2.0
- Created: 2024-11-11T01:50:21.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-12-20T07:37:29.000Z (over 1 year ago)
- Last Synced: 2025-01-30T14:18:23.220Z (over 1 year ago)
- Topics: cloud-security, compliance, openstack, security-audit, security-automation
- Language: Go
- Homepage:
- Size: 76.2 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# openstack-security-hub
### Environment Setup
**Setup from `openstack/devstack`**
>
>
> DevStack is a series of extensible scripts used to quickly bring up a complete OpenStack environment based on the latest versions of everything from git master. It is used interactively as a development environment and as the basis for much of the OpenStack project’s functional testing.
>
> ...
>
> Install Linux
>
> Start with a clean and minimal install of a Linux system. DevStack attempts to support the two latest LTS releases of Ubuntu, Rocky Linux 9 and openEuler.
>
> If you do not have a preference, **Ubuntu 22.04 (Jammy)** is the most tested, and will probably go the smoothest.
**Installed (Tested) Versions**
- Ubuntu 22.04 (Jammy)
- openstack 7.1.3
### Openstack Security Guide
>
**This book provides best practices and conceptual information about securing an OpenStack cloud.**
- **Identity**
- [ ] [identity-01] Is user/group ownership of config files set to keystone?
- [x] [identity-01-01] `/etc/keystone/keystone.conf`
- [x] [identity-01-02] `/etc/keystone/keystone-paste.ini`
- [x] [identity-01-03] `/etc/keystone/policy.json`
- [x] [identity-01-04] `/etc/keystone/logging.conf`
- [x] [identity-01-05] `/etc/keystone/ssl/certs/signing_cert.pem`
- [x] [identity-01-06] `/etc/keystone/ssl/private/signing_key.pem`
- [x] [identity-01-07] `/etc/keystone/ssl/certs/ca.pem`
- [x] [identity-01-08] `/etc/keystone`
- [ ] [identity-02] Are strict permissions set for Identity configuration files?
- [x] [identity-02-01] `/etc/keystone/keystone.conf`
- [ ] [identity-02-02] `/etc/keystone/keystone-paste.ini`
- [ ] [identity-02-03] `/etc/keystone/policy.json`
- [ ] [identity-02-04] `/etc/keystone/logging.conf`
- [ ] [identity-02-05] `/etc/keystone/ssl/certs/signing_cert.pem`
- [ ] [identity-02-06] `/etc/keystone/ssl/private/signing_key.pem`
- [ ] [identity-02-07] `/etc/keystone/ssl/certs/ca.pem`
- [ ] [identity-02-08] `/etc/keystone`
- [ ] [identity-03] is TLS enabled for Identity?
- [identity-04] (Obsolete)
- [ ] [identity-05] Is max_request_body_size set to default (114688)?
- [ ] [identity-06] Disable admin token in /etc/keystone/keystone.conf
- **Dashboard**
- [x] [dashboard-01] Is user/group of config files set to root/horizon?
- [ ] [dashboard-02] Are strict permissions set for horizon configuration files?
- [ ] [dashboard-03] Is DISALLOW_IFRAME_EMBED parameter set to True?
- [x] [dashboard-04] Is CSRF_COOKIE_SECURE parameter set to True?
- [x] [dashboard-05] Is SESSION_COOKIE_SECURE parameter set to True?
- [x] [dashboard-06] Is SESSION_COOKIE_HTTPONLY parameter set to True?
- [ ] [dashboard-07] Is PASSWORD_AUTOCOMPLETE set to False?
- [ ] [dashboard-08] Is DISABLE_PASSWORD_REVEAL set to True?
- **Compute**
- **Block Storage**
- **Image Storage**
- **Shared File Systems**
- **Networking**
- [ ] [networking-01] Is user/group ownership of config files set to root/neutron?
- [ ] [networking-01-01] `/etc/neutron/neutron.conf`
- [ ] [networking-01-02] `/etc/neutron/api-paste.ini`
- [ ] [networking-01-03] `/etc/neutron/policy.json`
- [ ] [networking-01-04] `/etc/neutron/rootwrap.conf`
- [ ] [networking-01-05] `/etc/neutron`
- [ ] [networking-02] Are strict permissions set for configuration files?
- [ ] [networking-03] Is keystone used for authentication?
- [ ] [networking-04] Is secure protocol used for authentication?
- [ ] [networking-05] Is TLS enabled on Neutron API server?
- **Secrets Management**
- [ ] [key-manager-01] Is user/group ownership of config files set to barbican?
- [x] [key-manager-01-01] `/etc/barbican/barbican.conf`
- [x] [key-manager-01-02] `/etc/barbican/barbican-api-paste.ini`
- [ ] [key-manager-02] Are strict permissions set for configuration files?
- [x] [key-manager-03] Is OpenStack Identity used for authentication?
- [ ] [key-manager-04] Is TLS enabled for authentication?¶