Merge "Fix screen usage in Security Guide"
This commit is contained in:
commit
f501ad8f0a
@ -94,8 +94,7 @@ ciphers = "kEECDH:kEDH:kRSA:HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM"
|
||||
</variablelist>
|
||||
<section xml:id="ch020_ssl-everywhere-idp45712">
|
||||
<title>Pound - with AES-NI acceleration</title>
|
||||
<screen>
|
||||
## see pound(8) for details
|
||||
<programlisting>## see pound(8) for details
|
||||
daemon 1
|
||||
######################################################################
|
||||
## global options:
|
||||
@ -143,13 +142,12 @@ ListenHTTPS
|
||||
Port 80
|
||||
End
|
||||
End
|
||||
End</screen>
|
||||
End</programlisting>
|
||||
</section>
|
||||
<section xml:id="ch020_ssl-everywhere-idp50320">
|
||||
<title>Stud</title>
|
||||
<para>This stud example enables SSL v3 for client compatibility. The ciphers line can be tweaked based on your needs, however this is a reasonable starting place.</para>
|
||||
<screen>
|
||||
# SSL x509 certificate file.
|
||||
<programlisting># SSL x509 certificate file.
|
||||
pem-file = "
|
||||
# SSL protocol.
|
||||
ssl = on
|
||||
@ -181,14 +179,13 @@ syslog-facility = "daemon"
|
||||
daemon = off
|
||||
# Report client address using SENDPROXY protocol for haproxy
|
||||
# Disabling this until we upgrade to HAProxy 1.5
|
||||
write-proxy = off</screen>
|
||||
write-proxy = off</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
<section xml:id="ch020_ssl-everywhere-idp53424">
|
||||
<title>nginx</title>
|
||||
<para>This nginx example requires TLS v1.1 or v1.2 for maximum security. The ssl_ciphers line can be tweaked based on your needs, however this is a reasonable starting place.</para>
|
||||
<screen>
|
||||
server {
|
||||
<programlisting>server {
|
||||
listen : ssl;
|
||||
ssl_certificate ;
|
||||
ssl_certificate_key ;
|
||||
@ -201,11 +198,10 @@ server {
|
||||
location / {
|
||||
|
||||
}
|
||||
}</screen>
|
||||
}</programlisting>
|
||||
<section xml:id="ch020_ssl-everywhere-idp55264">
|
||||
<title>Apache</title>
|
||||
<screen>
|
||||
<VirtualHost <ip address>:80>
|
||||
<programlisting><VirtualHost <ip address>:80>
|
||||
ServerName <site FQDN>
|
||||
RedirectPermanent / https://<site FQDN>/
|
||||
</VirtualHost>
|
||||
@ -228,11 +224,10 @@ server {
|
||||
# Or, in Apache http server 2.4 and later:
|
||||
# Require all granted
|
||||
</Directory>
|
||||
</VirtualHost></screen>
|
||||
</VirtualHost></programlisting>
|
||||
<para>Compute API SSL endpoint in Apache2, which needs to be paired with
|
||||
a short WSGI script.</para>
|
||||
<screen>
|
||||
<VirtualHost <ip address>:8447>
|
||||
<programlisting><VirtualHost <ip address>:8447>
|
||||
ServerName <site FQDN>
|
||||
SSLEngine On
|
||||
SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2,
|
||||
@ -250,14 +245,13 @@ server {
|
||||
# Or, in Apache http server 2.4 and later:
|
||||
# Require all granted
|
||||
</Directory>
|
||||
</VirtualHost></screen>
|
||||
</VirtualHost></programlisting>
|
||||
</section>
|
||||
</section>
|
||||
<section xml:id="ch020_ssl-everywhere-idp59152">
|
||||
<title>HTTP Strict Transport Security</title>
|
||||
<para>We recommend that all production deployments use HSTS. This header prevents browsers from making insecure connections after they have made a single secure one. If you have deployed your HTTP services on a public or an untrusted domain, HSTS is especially important. To enable HSTS, configure your web server to send a header like this with all requests:</para>
|
||||
<screen>
|
||||
Strict-Transport-Security: max-age=31536000; includeSubDomains</screen>
|
||||
<screen><computeroutput>Strict-Transport-Security: max-age=31536000; includeSubDomains</computeroutput></screen>
|
||||
<para>Start with a short timeout of 1 day during testing, and raise it to one year after testing has shown that you haven't introduced problems for users. Note that once this header is set to a large timeout, it is (by design) very difficult to disable.</para>
|
||||
</section>
|
||||
</chapter>
|
||||
|
@ -10,13 +10,12 @@
|
||||
<title>Configure Internal URLs in Identity Service Catalog</title>
|
||||
<para>The Identity Service catalog should be aware of your internal URLs. While this feature is not utilized by default, it may be leveraged through configuration. Additionally, it should be forward-compatible with expectant changes once this behavior becomes the default.</para>
|
||||
<para>To register an internal URL for an endpoint:</para>
|
||||
<screen>
|
||||
$ keystone endpoint-create \
|
||||
<screen><prompt>$</prompt> <userinput>keystone endpoint-create \
|
||||
--region RegionOne \
|
||||
--service-id=1ff4ece13c3e48d8a6461faebd9cd38f \
|
||||
--publicurl='https://public-ip:8776/v1/%(tenant_id)s' \
|
||||
--internalurl='https://management-ip:8776/v1/%(tenant_id)s' \
|
||||
--adminurl='https://management-ip:8776/v1/%(tenant_id)s'</screen>
|
||||
--adminurl='https://management-ip:8776/v1/%(tenant_id)s'</userinput></screen>
|
||||
</section>
|
||||
<section xml:id="ch021_paste-and-middleware-idp43360">
|
||||
<title>Configure Applications for Internal URLs</title>
|
||||
@ -24,19 +23,17 @@ $ keystone endpoint-create \
|
||||
<para>Each project may present an inconsistent way of defining target API endpoints. Future releases of OpenStack seek to resolve these inconsistencies through consistent use of the Identity Service catalog.</para>
|
||||
<section xml:id="ch021_paste-and-middleware-idp45520">
|
||||
<title>Configuration Example #1: Nova</title>
|
||||
<screen>
|
||||
[DEFAULT]
|
||||
<programlisting language="ini">[DEFAULT]
|
||||
cinder_catalog_info='volume:cinder:internalURL'
|
||||
glance_protocol='https'
|
||||
neutron_url='https://neutron-host:9696'
|
||||
neutron_admin_auth_url='https://neutron-host:9696'
|
||||
s3_host='s3-host'
|
||||
s3_use_ssl=True</screen>
|
||||
s3_use_ssl=True</programlisting>
|
||||
</section>
|
||||
<section xml:id="ch021_paste-and-middleware-idp47184">
|
||||
<title>Configuration Example #2: Cinder</title>
|
||||
<screen>
|
||||
glance_host='https://glance-server'</screen>
|
||||
<programlisting language="ini">glance_host='https://glance-server'</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
</section>
|
||||
|
@ -178,14 +178,12 @@
|
||||
<section xml:id="ch025_web-dashboard-idp264272">
|
||||
<title>Cookies</title>
|
||||
<para>Session Cookies should be set to HTTPONLY:</para>
|
||||
<screen>
|
||||
SESSION_COOKIE_HTTPONLY = True</screen>
|
||||
<programlisting>SESSION_COOKIE_HTTPONLY = True</programlisting>
|
||||
<para>Never configure CSRF or session cookies to have a wild card
|
||||
domain with a leading dot. Horizon's session and CSRF cookie
|
||||
should be secured when deployed with HTTPS:</para>
|
||||
<screen>
|
||||
Code CSRF_COOKIE_SECURE = True
|
||||
SESSION_COOKIE_SECURE = True</screen>
|
||||
<programlisting>Code CSRF_COOKIE_SECURE = True
|
||||
SESSION_COOKIE_SECURE = True</programlisting>
|
||||
</section>
|
||||
<section xml:id="ch025_web-dashboard-idp266976">
|
||||
<title>Password Auto Complete</title>
|
||||
@ -228,8 +226,7 @@ SESSION_COOKIE_SECURE = True</screen>
|
||||
<para>Configure your web server to send a restrictive CORS header
|
||||
with each response, allowing only the Horizon domain and
|
||||
protocol:</para>
|
||||
<screen>
|
||||
Access-Control-Allow-Origin: https://example.com/</screen>
|
||||
<programlisting>Access-Control-Allow-Origin: https://example.com/</programlisting>
|
||||
<para>Never allow the wild card origin.</para>
|
||||
</section>
|
||||
<section xml:id="ch025_web-dashboard-idp275056">
|
||||
|
@ -130,11 +130,9 @@
|
||||
<para>/etc/swift contains information about the ring
|
||||
topology and environment configuration. The following
|
||||
permissions are recommended:</para>
|
||||
<screen>
|
||||
<prompt>#</prompt><userinput>chown -R root:swift /etc/swift/*</userinput>
|
||||
<prompt>#</prompt><userinput>find /etc/swift/ -type f -exec chmod 640 {} \;</userinput>
|
||||
<prompt>#</prompt><userinput>find /etc/swift/ -type d -exec chmod 750 {} \;</userinput>
|
||||
</screen>
|
||||
<screen><prompt>#</prompt> <userinput>chown -R root:swift /etc/swift/*</userinput>
|
||||
<prompt>#</prompt> <userinput>find /etc/swift/ -type f -exec chmod 640 {} \;</userinput>
|
||||
<prompt>#</prompt> <userinput>find /etc/swift/ -type d -exec chmod 750 {} \;</userinput></screen>
|
||||
<para>This restricts only root to be able to modify
|
||||
configuration files while allowing the services to
|
||||
read them via their group membership in
|
||||
|
@ -33,12 +33,12 @@
|
||||
<section xml:id="ch033_securing-neutron-services-idp56016">
|
||||
<title>Restrict Bind Address of the API server: neutron-server</title>
|
||||
<para>To restrict the interface or IP address on which the OpenStack Networking API service binds a network socket for incoming client connections, specify the bind_host and bind_port in the neutron.conf file as shown:</para>
|
||||
<screen>
|
||||
<programlisting language="ini">
|
||||
# Address to bind the API server
|
||||
bind_host = <ip address of server>
|
||||
bind_host = <replaceable>IP ADDRESS OF SERVER</replaceable>
|
||||
|
||||
# Port the bind the API server to
|
||||
bind_port = 9696</screen>
|
||||
bind_port = 9696</programlisting>
|
||||
</section>
|
||||
<section xml:id="ch033_securing-neutron-services-idp58320">
|
||||
<title>Restrict DB and RPC communication of the OpenStack Networking services:</title>
|
||||
|
@ -40,10 +40,13 @@
|
||||
</section>
|
||||
<section xml:id="ch034_tenant-secure-networking-best-practices-idp58016">
|
||||
<title>Quotas</title>
|
||||
<para>Quotas provide the ability to limit the number of network resources available to tenants. You can enforce default quotas for all tenants.</para>
|
||||
<screen>
|
||||
/etc/neutron/neutron.conf
|
||||
[QUOTAS]
|
||||
|
||||
<para>Quotas provide the ability to limit the number of network
|
||||
resources available to tenants. You can enforce default quotas
|
||||
for all tenants. The
|
||||
<filename>/etc/neutron/neutron.conf</filename> includes these
|
||||
options for quota:</para>
|
||||
<programlisting language="ini">[QUOTAS]
|
||||
# resource name(s) that are supported in quota features
|
||||
quota_items = network,subnet,port
|
||||
|
||||
@ -66,9 +69,11 @@ quota_security_group = 10
|
||||
quota_security_group_rule = 100
|
||||
|
||||
# default driver to use for quota checks
|
||||
quota_driver = neutron.quota.ConfDriver</screen>
|
||||
<para>OpenStack Networking also supports per-tenant quotas limit via a quota extension API. To enable per-tenant quotas, you need to set <literal>quota_driver</literal> in <literal>neutron.conf</literal>.</para>
|
||||
<screen>
|
||||
quota_driver = neutron.db.quota_db.DbQuotaDriver</screen>
|
||||
quota_driver = neutron.quota.ConfDriver</programlisting>
|
||||
<para>OpenStack Networking also supports per-tenant quotas limit
|
||||
via a quota extension API. To enable per-tenant quotas, you must
|
||||
set the <literal>quota_driver</literal> option in
|
||||
<filename>neutron.conf</filename>.</para>
|
||||
<programlisting language="ini">quota_driver = neutron.db.quota_db.DbQuotaDriver</programlisting>
|
||||
</section>
|
||||
</chapter>
|
||||
|
@ -8,9 +8,11 @@
|
||||
<para>We highly recommend enabling transport-level cryptography for your message queue. Using SSL for the messaging client connections provides protection of the communications from tampering and eavesdropping in-transit to the messaging server. Below is guidance on how SSL is typically configured for the two popular messaging servers Qpid and RabbitMQ. When configuring the trusted certificate authority (CA) bundle that your messaging server uses to verify client connections, it is recommended that this be limited to only the CA used for your nodes, preferably an internally managed CA. The bundle of trusted CAs will determine which client certificates will be authorized and pass the client-server verification step of the setting up the SSL connection. Note, when installing the certificate and key files, ensure that the file permissions are restricted, for example chmod 0600, and the ownership is restricted to the messaging server daemon user to prevent unauthorized access by other processes and users on the messaging server.</para>
|
||||
<section xml:id="ch038_transport-security-idp40512">
|
||||
<title>RabbitMQ Server SSL Configuration</title>
|
||||
<para>The following lines should be added to the system-wide RabbitMQ configuration file, typically /etc/rabbitmq/rabbitmq.config:</para>
|
||||
<screen>
|
||||
[
|
||||
<para>The following lines should be added to the system-wide
|
||||
RabbitMQ configuration file, typically
|
||||
<filename>/etc/rabbitmq/rabbitmq.config</filename>:
|
||||
</para>
|
||||
<programlisting>[
|
||||
{rabbit, [
|
||||
{tcp_listeners, [] },
|
||||
{ssl_listeners, [{"<ip address or hostname of management network interface", 5671}] },
|
||||
@ -20,11 +22,17 @@
|
||||
{verify,verify_peer},
|
||||
{fail_if_no_peer_cert,true}]}
|
||||
]}
|
||||
].</screen>
|
||||
<para>Note, the 'tcp_listeners' option is set to '[]' to prevent it from listening an on non-SSL port. 'ssl_listeners' option should be restricted to only listen on the management network for the services.</para>
|
||||
].</programlisting>
|
||||
<para>Note, the <literal>tcp_listeners</literal> option is set
|
||||
to <literal>[]</literal> to prevent it from listening an on
|
||||
non-SSL port. The <literal>ssl_listeners</literal> option
|
||||
should be restricted to only listen on the management network
|
||||
for the services.</para>
|
||||
<para>For more information on RabbitMQ SSL configuration see:</para>
|
||||
<itemizedlist><listitem>
|
||||
<para><link xlink:href="http://www.rabbitmq.com/configure.html">RabbitMQ Configuration</link></para>
|
||||
<para>
|
||||
<link xlink:href="http://www.rabbitmq.com/configure.html">RabbitMQ Configuration</link>
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><link xlink:href="http://www.rabbitmq.com/ssl.html">RabbitMQ SSL</link></para>
|
||||
@ -45,16 +53,20 @@
|
||||
<para>RabbitMQ and Qpid offer authentication and access control mechanisms for controlling access to queues. ZeroMQ offers no such mechanisms.</para>
|
||||
<para>Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols. Both RabbitMQ and Qpid offer SASL and other pluggable authentication mechanisms beyond simple usernames and passwords that allow for increased authentication security. While RabbitMQ supports SASL, support in OpenStack does not currently allow for requesting a specific SASL authentication mechanism. RabbitMQ support in OpenStack allows for either username and password authentication over an unencrypted connection or username and password in conjunction with X.509 client certificates to establish the secure SSL connection.</para>
|
||||
<para>We recommend configuring X.509 client certificates on all the OpenStack service nodes for client connections to the messaging queue and where possible (currently only Qpid) perform authentication with X.509 client certificates. When using usernames and passwords, accounts should be created per-service and node for finer grained auditability of access to the queue.</para>
|
||||
<para>The SSL libraries in use by these queuing servers should also be considered prior to deployment. Qpid uses Mozilla's NSS library, whereas RabbitMQ uses Erlang's SSL module which uses OpenSSL.</para>
|
||||
<para>
|
||||
Before deployment, consider the SSL libraries that the queuing
|
||||
servers use. Qpid uses Mozilla's NSS library, whereas RabbitMQ
|
||||
uses Erlang's SSL module which uses OpenSSL.</para>
|
||||
<section xml:id="ch038_transport-security-idp52640">
|
||||
<title>Authentication Configuration Example - RabbitMQ</title>
|
||||
<para>On the RabbitMQ server, delete the default 'guest' user:</para>
|
||||
<screen>
|
||||
rabbitmqctl delete_user quest</screen>
|
||||
<para>On the RabbitMQ server, for each OpenStack service or node that communicates with the message queue set up user accounts and privileges:</para>
|
||||
<screen>
|
||||
rabbitmqctl add_user compute01 password
|
||||
rabbitmqctl set_permissions compute01 ".*"".*"".*"</screen>
|
||||
<para>On the RabbitMQ server, delete the default
|
||||
<literal>guest</literal> user:</para>
|
||||
<screen><prompt>#</prompt> <userinput>rabbitmqctl delete_user quest</userinput></screen>
|
||||
<para>On the RabbitMQ server, for each OpenStack service or
|
||||
node that communicates with the message queue set up user
|
||||
accounts and privileges:</para>
|
||||
<screen><prompt>#</prompt> <userinput>rabbitmqctl add_user compute01 password</userinput>
|
||||
<prompt>#</prompt> <userinput>rabbitmqctl set_permissions compute01 ".*"".*"".*"</userinput></screen>
|
||||
<para>For additional configuration information see:</para>
|
||||
<itemizedlist><listitem>
|
||||
<para><link xlink:href="http://www.rabbitmq.com/access-control.html">RabbitMQ Access Control</link></para>
|
||||
@ -72,8 +84,7 @@ rabbitmqctl set_permissions compute01 ".*"".*"".*"</screen>
|
||||
</section>
|
||||
<section xml:id="ch038_transport-security-idp59648">
|
||||
<title>OpenStack Service Configuration - RabbitMQ</title>
|
||||
<screen>
|
||||
[DEFAULT]
|
||||
<programlisting language="ini">[DEFAULT]
|
||||
rpc_backend=nova.openstack.common.rpc.impl_kombu
|
||||
rabbit_use_ssl=True
|
||||
rabbit_host=
|
||||
@ -82,7 +93,7 @@ rabbit_user=compute01
|
||||
rabbit_password=password
|
||||
kombu_ssl_keyfile=/etc/ssl/node-key.pem
|
||||
kombu_ssl_certfile=/etc/ssl/node-cert.pem
|
||||
kombu_ssl_ca_certs=/etc/ssl/cacert.pem</screen>
|
||||
kombu_ssl_ca_certs=/etc/ssl/cacert.pem</programlisting>
|
||||
</section>
|
||||
<section xml:id="ch038_transport-security-idp62112">
|
||||
<title>Authentication Configuration Example - Qpid</title>
|
||||
@ -97,17 +108,16 @@ kombu_ssl_ca_certs=/etc/ssl/cacert.pem</screen>
|
||||
</section>
|
||||
<section xml:id="ch038_transport-security-idp65584">
|
||||
<title>OpenStack Service Configuration - Qpid</title>
|
||||
<screen>
|
||||
<programlisting language="ini">
|
||||
[DEFAULT]
|
||||
rpc_backend=nova.openstack.common.rpc.impl_qpid
|
||||
qpid_protocol=ssl
|
||||
qpid_hostname=<ip or hostname of management network interface of messaging server>
|
||||
qpid_port=5671qpid_username=compute01
|
||||
|
||||
qpid_password=password</screen>
|
||||
qpid_password=password</programlisting>
|
||||
<para>Optionally, if using SASL with Qpid specify the SASL mechanisms in use by adding:</para>
|
||||
<screen>
|
||||
qpid_sasl_mechanisms=<space separated list of SASL mechanisms to use for auth></screen>
|
||||
<programlisting language="ini">qpid_sasl_mechanisms=<space separated list of SASL mechanisms to use for auth></programlisting>
|
||||
</section>
|
||||
</section>
|
||||
<section xml:id="ch038_transport-security-idp68512">
|
||||
|
@ -56,14 +56,12 @@
|
||||
<title>Require User Accounts to Require SSL Transport</title>
|
||||
<section xml:id="ch042_database-overview-idp88784">
|
||||
<title>Configuration Example #1: (MySQL)</title>
|
||||
<screen>
|
||||
GRANT ALL ON dbname.* to 'compute01'@'hostname' IDENTIFIED BY 'password' REQUIRE SSL;</screen>
|
||||
<programlisting>GRANT ALL ON dbname.* to 'compute01'@'hostname' IDENTIFIED BY 'password' REQUIRE SSL;</programlisting>
|
||||
</section>
|
||||
<section xml:id="ch042_database-overview-idp90096">
|
||||
<title>Configuration Example #2: (PostgreSQL)</title>
|
||||
<para>In file pg_hba.conf:</para>
|
||||
<screen>
|
||||
hostssl dbname compute01 hostname md5</screen>
|
||||
<programlisting>hostssl dbname compute01 hostname md5</programlisting>
|
||||
<para>Note this command only adds the ability to communicate over SSL and is non-exclusive. Other access methods that may allow unencrypted transport should be disabled so that SSL is the sole access method.</para>
|
||||
<para>The 'md5' parameter defines the authentication method as a hashed password. We provide a secure authentication example in the section below.</para>
|
||||
</section>
|
||||
@ -73,24 +71,21 @@ hostssl dbname compute01 hostname md5</screen>
|
||||
<para>Security may be enhanced by requiring X.509 client certificates for authentication. Authenticating to the database in this manner provides greater identity assurance of the client making the connection to the database and ensures that the communications are encrypted.</para>
|
||||
<section xml:id="ch042_database-overview-idp94704">
|
||||
<title>Configuration Example #1: (MySQL)</title>
|
||||
<screen>
|
||||
GRANT ALL on dbname.* to 'compute01'@'hostname' IDENTIFIED BY 'password' REQUIRE SUBJECT
|
||||
<programlisting>GRANT ALL on dbname.* to 'compute01'@'hostname' IDENTIFIED BY 'password' REQUIRE SUBJECT
|
||||
'/C=XX/ST=YYY/L=ZZZZ/O=cloudycloud/CN=compute01' AND ISSUER
|
||||
'/C=XX/ST=YYY/L=ZZZZ/O=cloudycloud/CN=cloud-ca';</screen>
|
||||
'/C=XX/ST=YYY/L=ZZZZ/O=cloudycloud/CN=cloud-ca';</programlisting>
|
||||
</section>
|
||||
<section xml:id="ch042_database-overview-idp96192">
|
||||
<title>Configuration Example #2: (PostgreSQL)</title>
|
||||
<screen>
|
||||
hostssl dbname compute01 hostname cert</screen>
|
||||
<programlisting>hostssl dbname compute01 hostname cert</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
<section xml:id="ch042_database-overview-idp97536">
|
||||
<title>OpenStack Service Database Configuration</title>
|
||||
<para>If your database server is configured to require X.509 certificates for authentication you will need to specify the appropriate SQLAlchemy query parameters for the database backend. These parameters specify the certificate, private key, and certificate authority information for use with the initial connection string.</para>
|
||||
<para>Example of an <literal>:sql_connection</literal> string for X.509 certificate authentication to MySQL:</para>
|
||||
<screen>
|
||||
sql_connection = mysql://compute01:password@localhost/nova?
|
||||
charset=utf8&ssl_ca=/etc/mysql/cacert.pem&ssl_cert=/etc/mysql/server-cert.pem&ssl_key=/etc/mysql/server-key.pem</screen>
|
||||
<programlisting language="ini">sql_connection = mysql://compute01:password@localhost/nova?
|
||||
charset=utf8&ssl_ca=/etc/mysql/cacert.pem&ssl_cert=/etc/mysql/server-cert.pem&ssl_key=/etc/mysql/server-key.pem</programlisting>
|
||||
</section>
|
||||
<section xml:id="ch042_database-overview-idp100688">
|
||||
<title>Nova Conductor</title>
|
||||
@ -109,8 +104,7 @@ charset=utf8&ssl_ca=/etc/mysql/cacert.pem&ssl_cert=/etc/mysql/server-cer
|
||||
<para>Note, as <systemitem class="service">nova-conductor</systemitem> only applies to OpenStack Compute, direct database access from compute hosts may still be necessary for the operation of other OpenStack components such as Telemetry (Ceilometer), Networking, and Block Storage.</para>
|
||||
<para>Implementors should weigh the benefits and risks of both configurations before enabling or disabling the <systemitem class="service">nova-conductor</systemitem> service. We are not yet prepared to recommend the use of <systemitem class="service">nova-conductor</systemitem> in the Grizzly release. However, we do believe that this recommendation will change as additional features are added into OpenStack.</para>
|
||||
<para>To disable the <systemitem class="service">nova-conductor</systemitem>, place the following into your <filename>nova.conf</filename> file (on your compute hosts):</para>
|
||||
<screen>
|
||||
[conductor]
|
||||
use_local = true</screen>
|
||||
<programlisting language="ini">[conductor]
|
||||
use_local = true</programlisting>
|
||||
</section>
|
||||
</chapter>
|
||||
|
@ -8,16 +8,14 @@
|
||||
<section xml:id="ch043_database-transport-security-idp39696">
|
||||
<title>Restricting Bind Address for MySQL</title>
|
||||
<para>In my.cnf:</para>
|
||||
<screen>
|
||||
[mysqld]
|
||||
<programlisting>[mysqld]
|
||||
...
|
||||
bind-address <ip address or hostname of management network interface></screen>
|
||||
bind-address <ip address or hostname of management network interface></programlisting>
|
||||
</section>
|
||||
<section xml:id="ch043_database-transport-security-idp41568">
|
||||
<title>Restricting Listen Address for PostgreSQL</title>
|
||||
<para>In postgresql.conf:</para>
|
||||
<screen>
|
||||
listen_addresses = <ip address or hostname of management network interface></screen>
|
||||
<programlisting>listen_addresses = <ip address or hostname of management network interface></programlisting>
|
||||
</section>
|
||||
</section>
|
||||
<section xml:id="ch043_database-transport-security-idp43520">
|
||||
@ -31,25 +29,21 @@ listen_addresses = <ip address or hostname of management network interface>
|
||||
<title>MySQL SSL Configuration</title>
|
||||
<para>The following lines should be added in the system-wide MySQL configuration file:</para>
|
||||
<para>In my.cnf:</para>
|
||||
<screen>
|
||||
[[mysqld]]
|
||||
<programlisting>[[mysqld]]
|
||||
...
|
||||
ssl-ca=/path/to/ssl/cacert.pem
|
||||
ssl-cert=/path/to/ssl/server-cert.pem
|
||||
ssl-key=/path/to/ssl/server-key.pem</screen>
|
||||
ssl-key=/path/to/ssl/server-key.pem</programlisting>
|
||||
<para>Optionally, if you wish to restrict the set of SSL ciphers
|
||||
used for the encrypted connection. See <link xlink:href="http://www.openssl.org/docs/apps/ciphers.html">http://www.openssl.org/docs/apps/ciphers.html</link> for a list of ciphers and the syntax for specifying the cipher string:</para>
|
||||
<screen>
|
||||
ssl-cipher='cipher:list'</screen>
|
||||
<programlisting>ssl-cipher='cipher:list'</programlisting>
|
||||
</section>
|
||||
<section xml:id="ch043_database-transport-security-idp50288">
|
||||
<title>PostgreSQL SSL Configuration</title>
|
||||
<para>The following lines should be added in the system-wide PostgreSQL configuration file, <literal>postgresql.conf</literal>.</para>
|
||||
<screen>
|
||||
ssl = true</screen>
|
||||
<programlisting>ssl = true</programlisting>
|
||||
<para>Optionally, if you wish to restrict the set of SSL ciphers used for the encrypted connection. See <link xlink:href="http://www.openssl.org/docs/apps/ciphers.html">http://www.openssl.org/docs/apps/ciphers.html</link> for a list of ciphers and the syntax for specifying the cipher string:</para>
|
||||
<screen>
|
||||
ssl-ciphers = 'cipher:list'</screen>
|
||||
<programlisting>ssl-ciphers = 'cipher:list'</programlisting>
|
||||
<para>The server certificate, key, and certificate authority (CA) files should be placed in the $PGDATA directory in the following files:</para>
|
||||
<itemizedlist><listitem>
|
||||
<para>$PGDATA/server.crt - Server certificate</para>
|
||||
|
@ -46,11 +46,11 @@
|
||||
<section xml:id="ch052_devices-idp490976">
|
||||
<title>Minimizing the Qemu Code base</title>
|
||||
<para>One classic security principle is to remove any unused components from your system. QEMU provides support for many different virtual hardware devices. However, only a small number of devices are needed for a given instance. Most instances will use the virtio devices. However, some legacy instances will need access to specific hardware, which can be specified using glance metadata:</para>
|
||||
<screen>glance image-update \
|
||||
<screen><prompt>$</prompt> <userinput>glance image-update \
|
||||
--property hw_disk_bus=ide \
|
||||
--property hw_cdrom_bus=ide \
|
||||
--property hw_vif_model=e1000 \
|
||||
f16-x86_64-openstack-sda</screen>
|
||||
f16-x86_64-openstack-sda</userinput></screen>
|
||||
<para>A cloud architect should decide what devices to make available to cloud users. Anything that is not needed should be removed from QEMU. This step requires recompiling QEMU after modifying the options passed to the QEMU configure script. For a complete list of up-to-date options simply run <literal>./configure --help</literal> from within the QEMU source directory. Decide what is needed for your deployment, and disable the remaining options.</para>
|
||||
</section>
|
||||
<section xml:id="ch052_devices-idp494336">
|
||||
@ -74,8 +74,7 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
<para>Putting this all together, and adding in some additional useful protections, we recommend the following compiler options for gcc when compiling QEMU:</para>
|
||||
<screen>
|
||||
CFLAGS="-arch x86_64 -fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -pie -fPIE -ftrapv -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro,-z,now"</screen>
|
||||
<programlisting>CFLAGS="-arch x86_64 -fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -pie -fPIE -ftrapv -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro,-z,now"</programlisting>
|
||||
<para>We recommend testing your QEMU executable file after it is compiled to ensure that the compiler hardening worked properly.</para>
|
||||
<para>Most cloud deployments will not want to build software such as QEMU by hand. It is better to use packaging to ensure that the process is repeatable and to ensure that the end result can be easily deployed throughout the cloud. The references below provide some additional details on applying compiler hardening options to existing packages.</para>
|
||||
<itemizedlist><listitem>
|
||||
@ -138,15 +137,14 @@ CFLAGS="-arch x86_64 -fstack-protector-all -Wstack-protector --param ssp-buffer-
|
||||
<section xml:id="ch052_devices-idp523744">
|
||||
<title>Labels and Categories</title>
|
||||
<para>KVM-based virtual machine instances are labelled with their own SELinux data type, known as svirt_image_t. Kernel level protections prevent unauthorized system processes, such as malware, from manipulating the virtual machine image files on disk. When virtual machines are powered off, images are stored as svirt_image_t as shown below:</para>
|
||||
<screen>
|
||||
system_u:object_r:svirt_image_t:SystemLow image1
|
||||
<programlisting>system_u:object_r:svirt_image_t:SystemLow image1
|
||||
system_u:object_r:svirt_image_t:SystemLow image2
|
||||
system_u:object_r:svirt_image_t:SystemLow image3
|
||||
system_u:object_r:svirt_image_t:SystemLow image4</screen>
|
||||
system_u:object_r:svirt_image_t:SystemLow image4</programlisting>
|
||||
<para>The svirt_image_t label uniquely identifies image files on disk, allowing for the SELinux policy to restrict access. When a KVM-based Compute image is powered on, sVirt appends a random numerical identifier to the image. sVirt is technically capable of assigning numerical identifiers to 524,288 virtual machines per hypervisor node, however OpenStack deployments are highly unlikely to encounter this limitation.</para>
|
||||
<para>This example shows the sVirt category identifier:</para>
|
||||
<screen>system_u:object_r:svirt_image_t:s0:c87,c520 image1
|
||||
system_u:object_r:svirt_image_t:s0:419,c172 image2</screen>
|
||||
<programlisting>system_u:object_r:svirt_image_t:s0:c87,c520 image1
|
||||
system_u:object_r:svirt_image_t:s0:419,c172 image2</programlisting>
|
||||
</section>
|
||||
<section xml:id="ch052_devices-idp527632">
|
||||
<title>Booleans</title>
|
||||
|
@ -88,20 +88,16 @@
|
||||
<title>Image Creation Process</title>
|
||||
<para>The OpenStack Documentation provides guidance on how to create and upload an image to Glance. Additionally it is assumed that you have a process by which you install and harden operating systems. Thus, the following items will provide additional guidance on how to ensure your images are built securely prior to upload. There are a variety of options for obtaining images. Each has specific steps that help validate the image's provenance.</para>
|
||||
<para>The first option is to obtain boot media from a trusted source.</para>
|
||||
<screen>
|
||||
mkdir -p /tmp/download_directorycd /tmp/download_directory
|
||||
|
||||
wget http://mirror.anl.gov/pub/ubuntu-iso/CDs/precise/ubuntu-12.04.2-server-amd64.iso
|
||||
wget http://mirror.anl.gov/pub/ubuntu-iso/CDs/precise/SHA256SUMS
|
||||
wget http://mirror.anl.gov/pub/ubuntu-iso/CDs/precise/SHA256SUMS.gpg
|
||||
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 0xFBB75451
|
||||
gpg --verify SHA256SUMS.gpg SHA256SUMSsha256sum -c SHA256SUMS 2>&1 | grep OK
|
||||
</screen>
|
||||
<screen><prompt>$</prompt> <userinput>mkdir -p /tmp/download_directorycd /tmp/download_directory</userinput>
|
||||
<prompt>$</prompt> <userinput>wget http://mirror.anl.gov/pub/ubuntu-iso/CDs/precise/ubuntu-12.04.2-server-amd64.iso</userinput>
|
||||
<prompt>$</prompt> <userinput>wget http://mirror.anl.gov/pub/ubuntu-iso/CDs/precise/SHA256SUMS</userinput>
|
||||
<prompt>$</prompt> <userinput>wget http://mirror.anl.gov/pub/ubuntu-iso/CDs/precise/SHA256SUMS.gpg</userinput>
|
||||
<prompt>$</prompt> <userinput>gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 0xFBB75451</userinput>
|
||||
<prompt>$</prompt> <userinput>gpg --verify SHA256SUMS.gpg SHA256SUMSsha256sum -c SHA256SUMS 2>&1 | grep OK</userinput></screen>
|
||||
<para>The second option is to use the <link xlink:href="http://docs.openstack.org/trunk/image-guide/content/"><citetitle>OpenStack Virtual Machine Image Guide</citetitle></link>. In this case, you will want to follow your organizations OS hardening guidelines or those provided by a trusted third-party such as the <link xlink:href="http://iase.disa.mil/stigs/os/unix/red_hat.html">RHEL6 STIG</link>.</para>
|
||||
<para>The final option is to use an automated image builder. The following example uses the Oz image builder. The OpenStack community has recently created a newer tool worth investigating: disk-image-builder. We have not evaluated this tool from a security perspective.</para>
|
||||
<para>Example of RHEL 6 CCE-26976-1 which will help implement NIST 800-53 Section<emphasis>AC-19(d) in</emphasis> Oz.</para>
|
||||
<screen>
|
||||
<template>
|
||||
<programlisting><template>
|
||||
<name>centos64</name>
|
||||
<os>
|
||||
<name>RHEL-6</name>
|
||||
@ -135,7 +131,7 @@ gpg --verify SHA256SUMS.gpg SHA256SUMSsha256sum -c SHA256SUMS 2>&1 | grep
|
||||
service autofs stop
|
||||
</command>
|
||||
</commands>
|
||||
</template></screen>
|
||||
</template></programlisting>
|
||||
<para>Note, it is the recommendation of this guide to shy away from the manual image building process as it is complex and prone to error. Further, using an automated system like Oz or disk-image-builder for image building, or a configuration management utility like Chef or Puppet for post boot image hardening gives you the ability to produce a consistent image as well as track compliance of your base image to its respective hardening guidelines over time.</para>
|
||||
<para>If subscribing to a public cloud service, you should check with the cloud provider for an outline of the process used to produce their default images. If the provider allows you to upload your own images, you will want to ensure that you are able to verify that your image was not modified before you spin it up. To do this, refer to the following section on Image Provenance.</para>
|
||||
</section>
|
||||
@ -198,9 +194,8 @@ gpg --verify SHA256SUMS.gpg SHA256SUMSsha256sum -c SHA256SUMS 2>&1 | grep
|
||||
<section xml:id="ch055_security-services-for-instances-idp187568">
|
||||
<title>Disable Live Migration</title>
|
||||
<para>At this time, live migration is enabled in OpenStack by default. Live migrations can be disabled by adding the following lines to the nova policy.json file:</para>
|
||||
<screen>
|
||||
"compute_extension:admin_actions:migrate": "!",
|
||||
"compute_extension:admin_actions:migrateLive": "!",</screen>
|
||||
<programlisting>"compute_extension:admin_actions:migrate": "!",
|
||||
"compute_extension:admin_actions:migrateLive": "!",</programlisting>
|
||||
</section>
|
||||
<section xml:id="ch055_security-services-for-instances-idp189488">
|
||||
<title>Migration Network</title>
|
||||
|
Loading…
Reference in New Issue
Block a user