openstack-manuals/doc/security-guide/locale/ja.po
Tom Fifield 5447eb4035 Imported Translations from Transifex
Change-Id: Ia67097d964b62d2fef2b32d93b5988400bb27bfa
2014-01-18 01:02:05 +08:00

10002 lines
615 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#
# Translators:
# Akira Yoshiyama <akirayoshiyama@gmail.com>, 2013-2014
# myamamot <myamamot@redhat.com>, 2013
# *pokotan-in-Eorzea* <>, 2013-2014
# tomoya.goto <tomoyan777@gmail.com>, 2013-2014
# Tomoyuki KATO <tomo@dream.daynight.jp>, 2013-2014
# tmak <t.makabe@gmail.com>, 2013
# ykatabam <ykatabam@redhat.com>, 2013
msgid ""
msgstr ""
"Project-Id-Version: OpenStack Manuals\n"
"POT-Creation-Date: 2014-01-17 07:15+0000\n"
"PO-Revision-Date: 2014-01-16 07:13+0000\n"
"Last-Translator: Tomoyuki KATO <tomo@dream.daynight.jp>\n"
"Language-Team: Japanese (http://www.transifex.com/projects/p/openstack/language/ja/)\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Language: ja\n"
"Plural-Forms: nplurals=1; plural=0;\n"
#. When image changes, this message will be marked fuzzy or untranslated for
#. you.
#. It doesn't matter what you translate it to: it's not used at all.
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml30(None)
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml33(None)
msgid "@@image: 'static/group.png'; md5=aec1f0af66d29c1a5d1f174df1f12812"
msgstr "@@image: 'static/group.png'; md5=aec1f0af66d29c1a5d1f174df1f12812"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml3(title)
msgid "Why and how we wrote this book"
msgstr "このドキュメントを作成した理由と方法"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml4(para)
msgid ""
"As OpenStack adoption continues to grow and the product matures, security "
"has become a priority. The OpenStack Security Group has recognized the need "
"for a comprehensive and authoritative security guide. The <emphasis "
"role=\"bold\">OpenStack Security Guide</emphasis> has been written to "
"provide an overview of security best practices, guidelines, and "
"recommendations for increasing the security of an OpenStack deployment. The "
"authors bring their expertise from deploying and securing OpenStack in a "
"variety of environments."
msgstr "OpenStack が拡大を続け、製品が成熟してきたので、セキュリティが重要事項になってきました。OpenStack Security Group は包括的かつ権威のあるセキュリティガイドの必要性を認識しました。<emphasis role=\"bold\">OpenStack セキュリティガイド</emphasis>は、OpenStack のセキュリティ向上を目的とした、セキュリティのベストプラクティス、ガイドライン、推奨事項の概要について記載しています。著者は\nさまざまな環境で OpenStack の導入やセキュア化をした専門知識をもたらします。"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml5(para)
msgid ""
"The guide augments the <link "
"href=\"http://docs.openstack.org/ops/\"><citetitle>OpenStack Operations "
"Guide</citetitle></link> and can be referenced to harden existing OpenStack "
"deployments or to evaluate the security controls of OpenStack cloud "
"providers."
msgstr "このガイドは <link href=\"http://docs.openstack.org/ops/\"><citetitle>OpenStack Operations Guide</citetitle></link> (OpenStack 運用ガイド) を補足します。既存の OpenStack 環境をセキュリティ強化するため、または OpenStack を用いたクラウド事業者のセキュリティ制御を評価するために参照できます。"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml7(title)
msgid "Objectives"
msgstr "目的"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml9(para)
msgid "Identify the security domains in OpenStack"
msgstr "OpenStack のセキュリティ領域を明確にする"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml12(para)
msgid "Provide guidance to secure your OpenStack deployment"
msgstr "OpenStack をセキュア化するガイドを提供する"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml15(para)
msgid ""
"Highlight security concerns and potential mitigations in present day "
"OpenStack"
msgstr "今日の OpenStack におけるセキュリティ考慮事項と実現可能な軽減策を強調する"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml18(para)
msgid "Discuss upcoming security features"
msgstr "将来のセキュリティ機能について議論する"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml21(para)
msgid ""
"To provide a community driven facility for knowledge capture and "
"dissemination"
msgstr "コミュニティ主導のナレッジ蓄積と普及を容易にする"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml26(title)
msgid "How"
msgstr "執筆方法"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml27(para)
msgid ""
"As with the OpenStack Operations Guide, we followed the book sprint "
"methodology. The book sprint process allows for rapid development and "
"production of large bodies of written work. Coordinators from the OpenStack "
"Security Group re-enlisted the services of Adam Hyde as facilitator. "
"Corporate support was obtained and the project was formally announced during"
" the OpenStack summit in Portland, Oregon."
msgstr "OpenStack Operations Guide (OpenStack 運用ガイド) と同じく、Book Sprint メソッドを用いました。Book Sprint のプロセスにより、執筆作業の大部分を迅速に開発および作成できました。OpenStack Security Group のコーディネーターはファシリテーターとして Adam Hyde のサービスを再び利用しました。企業サポートが得られ、オレゴン州ポートランドの OpenStack サミット中にプロジェクトが正式に公表されました。"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml28(para)
msgid ""
"The team converged in Annapolis, MD due to the close proximity of some key "
"members of the group. This was a remarkable collaboration between public "
"sector intelligence community members, silicon valley startups and some "
"large, well-known technology companies. The book sprint ran during the last "
"week in June 2013 and the first edition was created in five days."
msgstr "チームは、グループの主要なメンバーが集まるために、メリーランド州アナポリスに集まりました。これは、公共部門のインテリジェンス・コミュニティーのメンバー、シリコンバレーのスタートアップ、いくつかの有名な大手技術企業の間での驚くべきコラボレーションです。Book Sprint は 2013 年 6 月の最終週に行われ、初版は 5 日間で作成されました。"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml36(para)
msgid "The team included:"
msgstr "チームは以下のとおりです。"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml39(para)
msgid "<emphasis role=\"bold\">Bryan D. Payne</emphasis>, Nebula"
msgstr "<emphasis role=\"bold\">Bryan D. Payne</emphasis>, Nebula"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml40(para)
msgid ""
"Dr. Bryan D. Payne is the Director of Security Research at Nebula and co-"
"founder of the OpenStack Security Group (OSSG). Prior to joining Nebula, he "
"worked at Sandia National Labs, the National Security Agency, BAE Systems, "
"and IBM Research. He graduated with a Ph.D. in Computer Science from the "
"Georgia Tech College of Computing, specializing in systems security."
msgstr "Dr. Bryan D. Payne は、Nebula の Security Research の Director です。また、OpenStack Security Group (OSSG) の共同創設者です。Nebula に参加する前は、Sandia National Labs、National Security Agency、BAE Systems、IBM Research に勤務していました。Georgia Tech College of Computing でシステムセキュリティを専攻し、コンピューターサイエンスの Ph.D. を取得しました。"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml43(para)
msgid "<emphasis role=\"bold\">Robert Clark</emphasis>, HP"
msgstr "<emphasis role=\"bold\">Robert Clark</emphasis>, HP"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml44(para)
msgid ""
"Robert Clark is the Lead Security Architect for HP Cloud Services and co-"
"founder of the OpenStack Security Group (OSSG). Prior to being recruited by "
"HP, he worked in the UK Intelligence Community. Robert has a strong "
"background in threat modeling, security architecture and virtualization "
"technology. Robert has a master's degree in Software Engineering from the "
"University of Wales."
msgstr "Robert Clark は、Nebula の HP Cloud Services の Lead Security Architect です。また、OpenStack Security Group (OSSG) の共同創設者です。HP に入社する前は、UK Intelligence Community に勤務していました。脅威モデリング、セキュリティアーキテクチャー、仮想化技術に関する強固なバックグラウンドを持ちます。University of Wales のソフトウェアエンジニアリングの修士号を持っています。"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml47(para)
msgid "<emphasis role=\"bold\">Keith Basil</emphasis>, Red Hat"
msgstr "<emphasis role=\"bold\">Keith Basil</emphasis>, Red Hat"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml48(para)
msgid ""
"Keith Basil is a Principal Product Manager for Red Hat OpenStack and is "
"focused on Red Hat's OpenStack product management, development and strategy."
" Within the US public sector, Basil brings previous experience from the "
"design of an authorized, secure, high-performance cloud architecture for "
"Federal civilian agencies and contractors."
msgstr "Keith Basil は Red Hat OpenStack の Principal Product Manager です。Red Hat の OpenStack 製品マネジメント、開発、戦略に注力しています。アメリカの公共部門の中で、アメリカの民間機関と委託業者向けの認定済み、セキュアかつハイパフォーマンスなクラウドアーキテクチャーの設計から、これまでの経験をもたらします。"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml51(para)
msgid "<emphasis role=\"bold\">Cody Bunch</emphasis>, Rackspace"
msgstr "<emphasis role=\"bold\">Cody Bunch</emphasis>, Rackspace"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml52(para)
msgid ""
"Cody Bunch is a Private Cloud architect with Rackspace. Cody has co-authored"
" an update to \"The OpenStack Cookbook\" as well as books on VMware "
"automation."
msgstr "Cody Bunch は Rackspace の Private Cloud architect です。『The OpenStack Cookbook』と VMware 自動化の書籍の共同執筆者です。"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml55(para)
msgid "<emphasis role=\"bold\">Malini Bhandaru</emphasis>, Intel"
msgstr "<emphasis role=\"bold\">Malini Bhandaru</emphasis>, Intel"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml56(para)
msgid ""
"Malini Bhandaru is a security architect at Intel. She has a varied "
"background, having worked on platform power and performance at Intel, speech"
" products at Nuance, remote monitoring and management at ComBrio, and web "
"commerce at Verizon. She has a Ph.D. in Artificial Intelligence from the "
"University of Massachusetts, Amherst."
msgstr "Malini Bhandaru は Intel のセキュリティアーキテクトです。Intel でプラットフォームの電力とパフォーマンス、Nuance でスピーチ製品、ComBrio でリモートモニタリングと管理、Verizon でウェブコマースに関するさまざまなバックグラウンドを持ちます。University of Massachusetts, Amherst で人工知能に関する Ph.D. を持っています。"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml59(para)
msgid ""
"<emphasis role=\"bold\">Gregg Tally</emphasis>, Johns Hopkins University "
"Applied Physics Laboratory"
msgstr "<emphasis role=\"bold\">Gregg Tally</emphasis>, Johns Hopkins University Applied Physics Laboratory"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml60(para)
msgid ""
"Gregg Tally is the Chief Engineer at JHU/APL's Cyber Systems Group within "
"the Asymmetric Operations Department. He works primarily in systems security"
" engineering. Previously, he has worked at SPARTA, McAfee, and Trusted "
"Information Systems where he was involved in cyber security research "
"projects."
msgstr "Gregg Tally は Asymmetric Operations Department の JHU/APL's Cyber Systems Group の Chief Engineer です。主にシステムセキュリティエンジニアリングに関する仕事をしています。以前は、サイバーセキュリティ研究プロジェクトに関わり、SPARTA、McAfee、Trusted Information Systems に勤務していました。"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml63(para)
msgid "<emphasis role=\"bold\">Eric Lopez</emphasis>, Nicira / VMware"
msgstr "<emphasis role=\"bold\">Eric Lopez</emphasis>, Nicira / VMware"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml64(para)
msgid ""
"Eric Lopez is Senior Solution Architect at VMware's Networking and Security "
"Business Unit where he helps customer implement OpenStack and Nicira's "
"Network Virtualization Platform. Prior to joining Nicira, he worked for Q1 "
"Labs, Symantec, Vontu, and Brightmail. He has a B.S in Electrical "
"Engineering/Computer Science and Nuclear Engineering from U.C. Berkeley and "
"MBA from the University of San Francisco."
msgstr "Eric Lopez は VMware の Networking and Security Business Unit の Senior Solution Architect です。顧客が OpenStack や Nicira の Network Virtualization Platform を導入する手助けをしています。Nicira に参加する前は、Q1 Labs、Symantec、Vontu、Brightmail に勤務していました。U.C. Berkeley の Electrical Engineering/Computer Science、Nuclear Engineering の B.S. を保持してます。また、University of San Francisco の MBA を保持しています。"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml67(para)
msgid "<emphasis role=\"bold\">Shawn Wells</emphasis>, Red Hat"
msgstr "<emphasis role=\"bold\">Shawn Wells</emphasis>, Red Hat"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml68(para)
msgid ""
"Shawn Wells is the Director, Innovation Programs at Red Hat, focused on "
"improving the process of adopting, contributing to, and managing open source"
" technologies within the U.S. Government. Additionally, Shawn is an upstream"
" maintainer of the SCAP Security Guide project which forms virtualization "
"and operating system hardening policy with the U.S. Military, NSA, and DISA."
" Formerly an NSA civilian, Shawn developed SIGINT collection systems "
"utilizing large distributed computing infrastructures."
msgstr "Shawn Wells は Red Hat の Innovation Programs の Director です。アメリカ政府の中でオープンソース技術を適用、貢献、管理するプロセスを改善することに注力しています。さらに、SCAP Security Guide プロジェクトのアップストリームのメンテナーです。このプロジェクトは、 U.S. Military、NSA、DISA で仮想化とオペレーティングシステムの強化ポリシーを作成しています。NSA の契約者になる前は、大規模分散コンピューティング環境を利便化する SIGINT 収集システムを開発していました。"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml71(para)
msgid "<emphasis role=\"bold\">Ben de Bont</emphasis>, HP"
msgstr "<emphasis role=\"bold\">Ben de Bont</emphasis>, HP"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml72(para)
msgid ""
"Ben de Bont is the CSO for HP Cloud Services. Prior to his current role Ben "
"led the information security group at MySpace and the incident response team"
" at MSN Security. Ben holds a master's degree in Computer Science from the "
"Queensland University of Technology."
msgstr "Ben de Bont は HP Cloud Services の CSO です。その前は、MySpace の情報セキュリティグループ、MSN Security のインシデントレスポンスチームを率いていました。Queensland University of Technology のコンピューターサイエンスの修士号を保持しています。"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml75(para)
msgid ""
"<emphasis role=\"bold\">Nathanael Burton</emphasis>, National Security "
"Agency"
msgstr "<emphasis role=\"bold\">Nathanael Burton</emphasis>, National Security Agency"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml76(para)
msgid ""
"Nathanael Burton is a Computer Scientist at the National Security Agency. He"
" has worked for the Agency for over 10 years working on distributed systems,"
" large-scale hosting, open source initiatives, operating systems, security, "
"storage, and virtualization technology. He has a B.S. in Computer Science "
"from Virginia Tech."
msgstr "Nathanael Burton は National Security Agency のコンピューターサイエンティストです。Agency に 10 年以上勤務し、分散システム、大規模ホスティング、オープンソースイニシアティブ、オペレーティングシステム、セキュリティ、ストレージ、仮想化技術に携わっています。Virginia Tech でコンピューターサイエンスの B.S. を取得しました。"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml79(emphasis)
msgid "Vibha Fauver"
msgstr "Vibha Fauver"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml80(para)
msgid ""
"Vibha Fauver, GWEB, CISSP, PMP, has over fifteen years of experience in "
"Information Technology. Her areas of specialization include software "
"engineering, project management and information security. She has a B.S. in "
"Computer &amp; Information Science and a M.S. in Engineering Management with"
" specialization and a certificate in Systems Engineering."
msgstr "Vibha Fauver (GWEB, CISSP, PMP) は情報技術に関する 15 年以上の経験があります。専門分野はソフトウェアエンジニアリング、プロジェクト管理と情報セキュリティです。Computer &amp; Information Science の B.S. と Engineering Management の M.S. を保持しています。Systems Engineering の資格を保持しています。"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml83(para)
msgid "<emphasis role=\"bold\">Eric Windisch</emphasis>, Cloudscaling"
msgstr "<emphasis role=\"bold\">Eric Windisch</emphasis>, Cloudscaling"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml84(para)
msgid ""
"Eric Windisch is a Principal Engineer at Cloudscaling where he has been "
"contributing to OpenStack for over two years. Eric has been in the trenches "
"of hostile environments, building tenant isolation and infrastructure "
"security through more than a decade of experience in the web hosting "
"industry. He has been building cloud computing infrastructure and automation"
" since 2007."
msgstr "Eric Windisch は Cloudscaling の Principal Engineer です。OpenStack に 2 年以上貢献しています。ウェブホスティング業界における 10 年以上の経験から、ホスティング環境の分離性、テナント独立性の構築、インフラセキュリティに携わっています。2007 年以降、クラウドコンピューティング環境の構築と自動化に携わっています。"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml87(para)
msgid "<emphasis role=\"bold\">Andrew Hay</emphasis>, CloudPassage"
msgstr "<emphasis role=\"bold\">Andrew Hay</emphasis>, CloudPassage"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml88(para)
msgid ""
"Andrew Hay is the Director of Applied Security Research at CloudPassage, "
"Inc. where he leads the security research efforts for the company and its "
"server security products purpose-built for dynamic public, private, and "
"hybrid cloud hosting environments."
msgstr "Andrew Hay は CloudPassage, Inc. の Applied Security Research の Director です。社内セキュリティおよび、ダイナミックパブリック、プライベート、ハイブリッドクラウドのホスティング環境向けに設計されたサーバーセキュリティ製品のセキュリティ研究チームを率いています。"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml91(emphasis)
msgid "Adam Hyde"
msgstr "Adam Hyde"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml92(para)
msgid ""
"Adam facilitated this Book Sprint. He also founded the Book Sprint "
"methodology and is the most experienced Book Sprint facilitator around. Adam"
" founded FLOSS Manuals—a community of some 3,000 individuals developing Free"
" Manuals about Free Software. He is also the founder and project manager for"
" Booktype, an open source project for writing, editing, and publishing books"
" online and in print."
msgstr "Adam はこの Book Sprint をリードしました。彼は Book Sprint メソッドの創設者でもあり、一番経験豊富な Book Sprint のファシリテーターです。3000 人もの参加者がいる、フリーソフトウェアのフリーなマニュアルを作成するコミュニティである FLOSS Manuals の創設者です。また、Booktype の創設者でプロジェクトマネージャーです。 Booktype はオンラインで本の執筆、編集、出版を行うオープンソースプロジェクトです。"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml95(para)
msgid ""
"During the sprint we also had help from Anne Gentle, Warren Wang, Paul "
"McMillan, Brian Schott and Lorin Hochstein."
msgstr "また、Book Sprint 期間中、Anne Gentle、Warren Wang、Paul McMillan、Brian Schott、Lorin Hochstein からの手助けがありました。"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml96(para)
msgid ""
"This Book was produced in a 5 day book sprint. A book sprint is an intensely"
" collaborative, facilitated process which brings together a group to produce"
" a book in 3-5 days. It is a strongly facilitated process with a specific "
"methodology founded and developed by Adam Hyde. For more information visit "
"the book sprint web page at <link "
"href=\"http://www.booksprints.net\">http://www.booksprints.net</link>."
msgstr "このドキュメントは、5日間の Book Sprint で作成されました。Book Sprint は、3〜5 日でドキュメントを作成するために、グループを集めて、強くコラボレーションし、プロセスをファシリテーションします。Adam Hyde により、設立され、開発された特別な方法でプロセスを強くファシリテーションします。詳細は Book Sprint のウェブページ <link href=\"http://www.booksprints.net\">http://www.booksprints.net</link> を参照してください。"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml104(para)
msgid "After initial publication, the following added new content:"
msgstr ""
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml107(para)
msgid "<emphasis role=\"bold\">Rodney D. Beede</emphasis>, Seagate Technology"
msgstr ""
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml110(para)
msgid ""
"Rodney D. Beede is the Cloud Security Engineer for Seagate Technology. He "
"contributed the missing chapter on securing OpenStack Object Storage "
"(Swift). He holds a M.S. in Computer Science from the University of "
"Colorado."
msgstr ""
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml119(title)
msgid "How to contribute to this book"
msgstr "このドキュメントへの貢献方法"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml120(para)
msgid ""
"The initial work on this book was conducted in an overly air-conditioned "
"room that served as our group office for the entirety of the documentation "
"sprint."
msgstr "このドキュメントの初期作業は、非常に空調の効いた部屋で行われました。ドキュメントスプリントの期間中、私たちグループのオフィスとして役に立ちました。"
#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml123(para)
msgid ""
"Learn more about how to contribute to the OpenStack docs: <link "
"href=\"http://wiki.openstack.org/Documentation/HowTo\">http://wiki.openstack.org/Documentation/HowTo</link>."
msgstr "OpenStack ドキュメントに貢献する方法の詳細: <link href=\"http://wiki.openstack.org/Documentation/HowTo\">http://wiki.openstack.org/Documentation/HowTo</link>。"
#: ./doc/security-guide/ch051_vss-intro.xml3(title)
msgid "Hypervisor Selection"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml4(para)
msgid ""
"Virtualization provides flexibility and other key benefits that enable cloud"
" building. However, a virtualization stack also needs to be secured "
"appropriately to reduce the risks associated with hypervisor breakout "
"attacks. That is, while a virtualization stack can provide isolation between"
" instances, or guest virtual machines, there are situations where that "
"isolation can be less than perfect. Making intelligent selections for "
"virtualization stack as well as following the best practices outlined in "
"this chapter can be included in a layered approach to cloud security. "
"Finally, securing your virtualization stack is critical in order to deliver "
"on the promise of multitennancy, either between customers in a public cloud,"
" between business units in a private cloud, or some mixture of the two in a "
"hybrid cloud."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml5(para)
msgid ""
"In this chapter, we discuss the hypervisor selection process.  In the "
"chapters that follow, we provide the foundational information needed for "
"securing a virtualization stack."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml7(title)
msgid "Hypervisors in OpenStack"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml8(para)
msgid ""
"Whether OpenStack is deployed within private data centers or as a public "
"cloud service, the underlying virtualization technology provides enterprise-"
"level capabilities in the realms of scalability, resource efficiency, and "
"uptime. While such high-level benefits are generally available across many "
"OpenStack-supported hypervisor technologies, there are significant "
"differences in each hypervisor's security architecture and features, "
"particularly when considering the security threat vectors which are unique "
"to elastic OpenStack environments. As applications consolidate into single "
"Infrastructure as a Service (IaaS) platforms, instance isolation at the "
"hypervisor level becomes paramount. The requirement for secure isolation "
"holds true across commercial, government, and military communities."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml9(para)
msgid ""
"Within the framework of OpenStack you can choose from any number of "
"hypervisor platforms and corresponding OpenStack plugins to optimize your "
"cloud environment. In the context of the OpenStack Security guide, we will "
"be highlighting hypervisor selection considerations as they pertains to "
"feature sets that are critical to security. However, these considerations "
"are not meant to be an exhaustive investigation into the pros and cons of "
"particular hypervisors. NIST provides additional guidance in Special "
"Publication 800-125, \"<emphasis>Guide to Security for Full Virtualization "
"Technologies</emphasis>\"."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml12(title)
msgid "Selection Criteria"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml13(para)
msgid ""
"As part of your hypervisor selection process, you will need to consider a "
"number of important factors to help increase your security posture. "
"Specifically, we will be looking into the following areas:"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml15(para)
msgid "Team Expertise"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml18(para)
msgid "Product or Project maturity"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml21(para)
msgid "Certifications, Attestations"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml24(para)
#: ./doc/security-guide/ch051_vss-intro.xml266(title)
msgid "Additional Security Features"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml27(para)
#: ./doc/security-guide/ch051_vss-intro.xml259(title)
msgid "Hypervisor vs. Baremetal"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml30(para)
#: ./doc/security-guide/ch051_vss-intro.xml221(title)
msgid "Hardware Concerns"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml33(para)
#: ./doc/security-guide/ch051_vss-intro.xml67(title)
msgid "Common Criteria"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml37(para)
msgid ""
"Has the hypervisor undergone Common Criteria certification? If so, to what "
"levels?"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml40(para)
msgid "Is the underlying cryptography certified by a third-party?"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml36(para)
msgid ""
"Additionally, the following security-related criteria are highly encouraged "
"to be evaluated when selecting a hypervisor for OpenStack "
"deployments:<placeholder-1/><bridgehead>Team Expertise</bridgehead> Most "
"likely, the most important aspect in hypervisor selection is the expertise "
"of your staff in managing and maintaining a particular hypervisor platform. "
"The more familiar your team is with a given product, its configuration, and "
"its eccentricities, the less likely will there be configuration mistakes. "
"Additionally, having staff expertise spread across an organization on a "
"given hypervisor will increase availability of your systems, allow for "
"developing a segregation of duties, and mitigate problems in the event that "
"a team member is unavailable."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml44(title)
msgid "Product or Project Maturity"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml45(para)
msgid ""
"The maturity of a given hypervisor product or project is critical to your "
"security posture as well. Product maturity will have a number of effects "
"once you have deployed your cloud, in the context of this security guide we "
"are interested in the following:"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml47(para)
msgid "Availability of expertise"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml50(para)
msgid "Active developer and user communities"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml53(para)
msgid "Timeliness and Availability of updates"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml56(para)
msgid "Incidence response"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml59(para)
msgid ""
"One of the biggest indicators of a hypervisor's maturity is the size and "
"vibrancy of the community that surrounds it. As this concerns security, the "
"quality of the community will affect the availability of expertise should "
"you need additional cloud operators. It is also a sign of how widely "
"deployed the hypervisor is, in turn leading to the battle readiness of any "
"reference architectures and best practices."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml60(para)
msgid ""
"Further, the quality of community, as it surrounds an open source hypervisor"
" like KVM or Xen, will have a direct impact on the timeliness of bug fixes "
"and security updates. When investigating both commercial and open source "
"hypervisors, you will want to look into their release and support cycles as "
"well as the time delta between the announcement of a bug or security issue "
"and a patch or response. Lastly, the supported capabilities of OpenStack "
"compute vary depending on the hypervisor chosen. Refer to the <link "
"href=\"https://wiki.openstack.org/wiki/HypervisorSupportMatrix\">OpenStack "
"Hypervisor Support Matrix</link> for OpenStack compute feature support by "
"hypervisor."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml63(title)
msgid "Certifications and Attestations"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml64(para)
msgid ""
"One additional consideration when selecting a hypervisor is the availability"
" of various formal certifications and attestations. While they may not be "
"requirements for your specific organization, these certifications and "
"attestations speak to the maturity, production readiness, and thoroughness "
"of the testing a particular hypervisor platform has been subjected to."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml68(para)
msgid ""
"Common Criteria is an internationally standardized software evaluation "
"process, used by governments and commercial companies to validate software "
"technologies perform as advertised. In the government sector, NSTISSP No. 11"
" mandates that U.S. Government agencies only procure software which has been"
" Common Criteria certified, a policy which has been in place since July "
"2002. It should be specifically noted that OpenStack has not undergone "
"Common Criteria certification, however many of the available hypervisors "
"have."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml69(para)
msgid ""
"In addition to validating a technologies capabilities, the Common Criteria "
"process evaluates <emphasis>how</emphasis> technologies are developed."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml71(para)
msgid "How is source code management performed?"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml74(para)
msgid "How are users granted access to build systems?"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml77(para)
msgid "Is the technology cryptographically signed before distribution?"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml80(para)
msgid ""
"The KVM hypervisor has been Common Criteria certified through the U.S. "
"Government and commercial distributions, which have been validated to "
"separate the runtime environment of virtual machines from each other, "
"providing foundational technology to enforce instance isolation. In addition"
" to virtual machine isolation, KVM has been Common Criteria certified to"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml82(para)
msgid ""
"\"<emphasis>provide system-inherent separation mechanisms to the resources "
"of virtual machines. This separation ensures that large software component "
"used for virtualizing and simulating devices executing for each virtual "
"machine cannot interfere with each other. Using the SELinux multi-category "
"mechanism, the virtualization and simulation software instances are "
"isolated. The virtual machine management framework configures SELinux multi-"
"category settings transparently to the administrator</emphasis>\""
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml84(para)
msgid ""
"While many hypervisor vendors, such as Red Hat, Microsoft, and VMWare have "
"achieved Common Criteria Certification their underlying certified feature "
"set differs. It is recommended to evaluate vendor claims to ensure they "
"minimally satisfy the following requirements:"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml91(para)
msgid "Identification and Authentication"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml92(para)
msgid ""
"Identification and authentication using pluggable authentication modules "
"(PAM) based upon user passwords. The quality of the passwords used can be "
"enforced through configuration options."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml95(para)
msgid "Audit"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml96(para)
msgid ""
"The system provides the capability to audit a large number of events "
"including individual system calls as well as events generated by trusted "
"processes. Audit data is collected in regular files in ASCII format. The "
"system provides a program for the purpose of searching the audit records."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml96(para)
msgid ""
"The system administrator can define a rule base to restrict auditing to the "
"events they are interested in. This includes the ability to restrict "
"auditing to specific events, specific users, specific objects or a "
"combination of all of this. "
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml96(para)
msgid "Audit records can be transferred to a remote audit daemon."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml99(para)
msgid "Discretionary Access Control"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml100(para)
msgid ""
"Discretionary Access Control (DAC) restricts access to file system objects "
"based on Access Control Lists (ACLs) that include the standard UNIX "
"permissions for user, group and others. Access control mechanisms also "
"protect IPC objects from unauthorized access."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml100(para)
msgid ""
"The system includes the ext4 file system, which supports POSIX ACLs. This "
"allows defining access rights to files within this type of file system down "
"to the granularity of a single user."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml103(para)
msgid "Mandatory Access Control"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml104(para)
msgid ""
"Mandatory Access Control (MAC) restricts access to objects based on labels "
"assigned to subjects and objects. Sensitivity labels are automatically "
"attached to processes and objects. The access control policy enforced using "
"these labels is derived from the BellLaPadula access control model."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml104(para)
msgid ""
"SELinux categories are attached to virtual machines and its resources. The "
"access control policy enforced using these categories grant virtual machines"
" access to resources if the category of the virtual machine is identical to "
"the category of the accessed resource."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml104(para)
msgid ""
"The TOE implements non-hierarchical categories to control access to virtual "
"machines."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml107(para)
msgid "Role-Based Access Control"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml108(para)
msgid ""
"Role-based access control (RBAC) allows separation of roles to eliminate the"
" need for an all-powerful system administrator."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml111(para)
msgid "Object Reuse"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml112(para)
msgid ""
"File system objects as well as memory and IPC objects will be cleared before"
" they can be reused by a process belonging to a different user."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml115(para)
msgid "Security Management"
msgstr "セキュリティ管理"
#: ./doc/security-guide/ch051_vss-intro.xml116(para)
msgid ""
"The management of the security critical parameters of the system is "
"performed by administrative users. A set of commands that require root "
"privileges (or specific roles when RBAC is used) are used for system "
"management. Security parameters are stored in specific files that are "
"protected by the access control mechanisms of the system against "
"unauthorized access by users that are not administrative users."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml119(para)
msgid "Secure Communication"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml120(para)
msgid ""
"The system supports the definition of trusted channels using SSH. Password "
"based authentication is supported. Only a restricted number of cipher suites"
" are supported for those protocols in the evaluated configuration."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml123(para)
msgid "Storage Encryption"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml124(para)
msgid ""
"The system supports encrypted block devices to provide storage "
"confidentiality via dm_crypt."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml127(para)
msgid "TSF Protection"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml128(para)
msgid ""
"While in operation, the kernel software and data are protected by the "
"hardware memory protection mechanisms. The memory and process management "
"components of the kernel ensure a user process cannot access kernel storage "
"or storage belonging to other processes."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml128(para)
msgid ""
"Non-kernel TSF software and data are protected by DAC and process isolation"
"  mechanisms. In the evaluated configuration, the reserved user ID root owns"
" the directories and files that define the TSF configuration. In general, "
"files and directories containing internal TSF data (e.g., configuration "
"files, batch job queues) are also protected from reading by DAC permissions."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml128(para)
msgid ""
"The system and the hardware and firmware components are required to be "
"physically protected from unauthorized access. The system kernel mediates "
"all access to the hardware mechanisms themselves, other than program visible"
" CPU instruction functions."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml128(para)
msgid ""
"In addition, mechanisms for protection against stack overflow attacks are "
"provided."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml135(title)
msgid "Cryptography Standards"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml136(para)
msgid ""
"Several cryptography algorithms are available within OpenStack for "
"identification and authorization, data transfer and protection of data at "
"rest. When selecting a hypervisor, the following are recommended algorithms "
"and implementation standards to ensure the virtualization layer supports:"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml146(emphasis)
msgid "Algorithm"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml147(emphasis)
msgid "Key Length"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml148(emphasis)
msgid "Intended Purpose"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml149(emphasis)
msgid "Security Function"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml150(emphasis)
msgid "Implementation Standard"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml153(para)
msgid "AES"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml154(para)
msgid "128 bits,192 bits,"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml154(para)
msgid "256 bits"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml155(para)
#: ./doc/security-guide/ch051_vss-intro.xml162(para)
msgid "Encryption / Decryption"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml156(para)
msgid "Protected Data Transfer, Protection for Data at Rest"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml157(para)
#: ./doc/security-guide/ch051_vss-intro.xml164(para)
msgid "RFC 4253"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml160(para)
msgid "TDES"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml161(para)
msgid "168 bits"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml163(para)
msgid "Protected Data Transfer"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml167(para)
msgid "RSA"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml168(para)
msgid "1024 bits,2048 bits,"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml168(para)
msgid "3072 bits "
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml169(para)
#: ./doc/security-guide/ch051_vss-intro.xml176(para)
msgid "Authentication,Key Exchange "
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml170(para)
#: ./doc/security-guide/ch051_vss-intro.xml177(para)
msgid "Identification and Authentication, Protected Data Transfer"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml171(para)
#: ./doc/security-guide/ch051_vss-intro.xml178(para)
msgid "U.S. NIST FIPS PUB 186-3"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml174(para)
msgid "DSA"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml175(para)
msgid "L=1024,N=160 bits "
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml181(para)
msgid "Serpent"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml182(para)
#: ./doc/security-guide/ch051_vss-intro.xml189(para)
msgid "128, 196, or256 bit "
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml183(para)
#: ./doc/security-guide/ch051_vss-intro.xml190(para)
msgid "Encryption /Decryption "
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml184(para)
#: ./doc/security-guide/ch051_vss-intro.xml191(para)
msgid "Protection of Data at Rest"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml185(link)
msgid "http://www.cl.cam.ac.uk/~rja14/Papers/serpent.pdf"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml188(para)
msgid "Twofish"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml192(link)
msgid "http://www.schneier.com/paper-twofish-paper.html"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml195(para)
msgid "SHA-1"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml196(para)
#: ./doc/security-guide/ch051_vss-intro.xml203(para)
msgid "-"
msgstr "-"
#: ./doc/security-guide/ch051_vss-intro.xml197(para)
#: ./doc/security-guide/ch051_vss-intro.xml204(para)
msgid "MessageDigest "
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml198(para)
msgid "Protection of Data at Rest,Protected Data Transfer"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml199(para)
#: ./doc/security-guide/ch051_vss-intro.xml206(para)
msgid "U.S. NIST FIPS 180-3"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml202(para)
msgid "SHA-2(224-, 256-,"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml202(para)
msgid "384-, 512 bit)"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml205(para)
msgid "Protection for Data at Rest,Identification and Authentication "
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml212(title)
msgid "FIPS 140-2"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml213(para)
msgid ""
"In the United States the National Institute of Science and Technology (NIST)"
" certifies cryptographic algorithms through a process known the "
"Cryptographic Module Validation Program. NIST certifies algorithms for "
"conformance against Federal Information Processing Standard 140-2 (FIPS "
"140-2), which ensures:"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml215(emphasis)
msgid ""
"Products validated as conforming to FIPS 140-2 are accepted by the Federal "
"agencies of both countries [United States and Canada] for the protection of "
"sensitive information (United States) or Designated Information (Canada). "
"The goal of the CMVP is to promote the use of validated cryptographic "
"modules and provide Federal agencies with a security metric to use in "
"procuring equipment containing validated cryptographic modules."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml217(para)
msgid ""
"When evaluating base hypervisor technologies, consider if the hypervisor has"
" been certified against FIPS 140-2. Not only is conformance against FIPS "
"140-2 mandated per U.S. Government policy, formal certification indicates "
"that a given implementation of a cryptographic algorithm has been reviewed "
"for conformance against module specification, cryptographic module ports and"
" interfaces; roles, services, and authentication; finite state model; "
"physical security; operational environment; cryptographic key management; "
"electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-"
"tests; design assurance; and mitigation of other attacks."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml222(para)
msgid ""
"Further, when evaluating a hypervisor platform the supportability of the "
"hardware the hypervisor will run on should be considered. Additionally, "
"consider the additional features available in the hardware and how those "
"features are supported by the hypervisor you chose as part of the OpenStack "
"deployment. To that end, hypervisors will each have their own hardware "
"compatibility lists (HCLs). When selecting compatible hardware it is "
"important to know in advance which hardware-based virtualization "
"technologies are important from a security perspective."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml230(emphasis)
msgid "Description"
msgstr "説明"
#: ./doc/security-guide/ch051_vss-intro.xml231(emphasis)
msgid "Technology"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml232(emphasis)
msgid "Explanation"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml235(para)
msgid "I/O MMU"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml236(para)
msgid "VT-d / AMD-Vi"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml237(para)
msgid "Required for protecting PCI-passthrough"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml240(para)
msgid "Intel Trusted Execution Technology"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml241(para)
msgid "Intel TXT / SEM"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml242(para)
msgid "Required for dynamic attestation services"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml245(para)
msgid ""
"<anchor xml:id=\"PCI-SIG_I.2FO_virtualization_.28IOV.29\"/>PCI-SIG I/O "
"virtualization"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml246(para)
msgid "SR-IOV, MR-IOV, ATS"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml247(para)
msgid "Required to allow secure sharing of PCI Express devices"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml250(para)
msgid "Network virtualization"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml251(para)
msgid "VT-c"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml252(para)
msgid "Improves performance of network I/O on hypervisors"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml260(para)
msgid ""
"To wrap up our discussion around hypervisor selection, it is important to "
"call out the differences between using LXC (Linux Containers) or Baremetal "
"systems vs using a hypervisor like KVM. Specifically, the focus of this "
"security guide will be largely based on having a hypervisor and "
"virtualization platform. However, should your implementation require the use"
" of a baremetal or LXC environment, you will want to pay attention to the "
"particular differences in regard to deployment of that environment. In "
"particular, you will need to provide your end users with assurances that the"
" node has been properly sanitized of their data prior to re-provisioning. "
"Additionally, prior to reusing a node, you will need to provide assurances "
"that the hardware has not been tampered or otherwise compromised."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml261(para)
msgid ""
"It should be noted that while OpenStack has a baremetal project, a "
"discussion of the particular security implications of running baremetal is "
"beyond the scope of this book."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml262(para)
msgid ""
"Finally, due to the time constraints around a book sprint, the team chose to"
" use KVM as the hypervisor in our example implementations and architectures."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml263(para)
msgid ""
"There is an OpenStack Security Note pertaining to the <link "
"href=\"https://bugs.launchpad.net/ossn/+bug/1098582\">use of LXC in "
"Nova</link>."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml267(para)
msgid ""
"Another thing to look into when selecting a hypervisor platform is the "
"availability of specific security features. In particular, we are referring "
"to features like Xen Server's XSM or Xen Security Modules, sVirt, Intel TXT,"
" and AppArmor. The presence of these features will help increase your "
"security profile as well as provide a good foundation."
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml268(para)
msgid ""
"The following table calls out these features by common hypervisor platforms."
" "
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml281(para)
#: ./doc/security-guide/ch051_vss-intro.xml293(para)
#: ./doc/security-guide/ch051_vss-intro.xml302(para)
#: ./doc/security-guide/ch051_vss-intro.xml304(para)
#: ./doc/security-guide/ch051_vss-intro.xml306(para)
#: ./doc/security-guide/ch051_vss-intro.xml307(para)
#: ./doc/security-guide/ch051_vss-intro.xml312(para)
#: ./doc/security-guide/ch051_vss-intro.xml313(para)
#: ./doc/security-guide/ch051_vss-intro.xml314(para)
#: ./doc/security-guide/ch051_vss-intro.xml316(para)
#: ./doc/security-guide/ch051_vss-intro.xml317(para)
#: ./doc/security-guide/ch051_vss-intro.xml318(para)
#: ./doc/security-guide/ch051_vss-intro.xml322(para)
#: ./doc/security-guide/ch051_vss-intro.xml323(para)
#: ./doc/security-guide/ch051_vss-intro.xml324(para)
#: ./doc/security-guide/ch051_vss-intro.xml325(para)
#: ./doc/security-guide/ch051_vss-intro.xml326(para)
#: ./doc/security-guide/ch051_vss-intro.xml327(para)
#: ./doc/security-guide/ch051_vss-intro.xml328(para)
#: ./doc/security-guide/ch012_configuration-management.xml39(para)
#: ./doc/security-guide/ch012_configuration-management.xml43(emphasis)
msgid " "
msgstr " "
#: ./doc/security-guide/ch051_vss-intro.xml282(para)
msgid "KSM"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml283(para)
msgid "XSM"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml284(para)
msgid "sVirt"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml285(para)
msgid "TXT"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml286(para)
msgid "AppArmor"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml287(para)
msgid "cGroups"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml288(para)
msgid "MAC Policy"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml291(para)
msgid "KVM"
msgstr "KVM"
#: ./doc/security-guide/ch051_vss-intro.xml292(para)
#: ./doc/security-guide/ch051_vss-intro.xml294(para)
#: ./doc/security-guide/ch051_vss-intro.xml295(para)
#: ./doc/security-guide/ch051_vss-intro.xml303(para)
msgid "X"
msgstr "X"
#: ./doc/security-guide/ch051_vss-intro.xml296(address)
#: ./doc/security-guide/ch051_vss-intro.xml297(para)
#: ./doc/security-guide/ch051_vss-intro.xml298(para)
#: ./doc/security-guide/ch051_vss-intro.xml308(para)
msgid "x"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml301(para)
msgid "Xen"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml305(para)
#: ./doc/security-guide/ch051_vss-intro.xml315(para)
msgid " X"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml311(para)
msgid "ESXi"
msgstr "ESXi"
#: ./doc/security-guide/ch051_vss-intro.xml321(para)
msgid "Hyper-V"
msgstr "Hyper-V"
#: ./doc/security-guide/ch051_vss-intro.xml333(link)
msgid "KSM: Kernel Samepage Merging"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml334(link)
msgid "XSM: Xen Security Modules"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml335(link)
msgid "xVirt: Mandatory Access Control for Linux-based virtualization"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml336(link)
msgid "TXT: Intel Trusted Execution Technology"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml337(link)
msgid "AppArmor: Linux security module implementing MAC"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml338(link)
msgid "cgroups: Linux kernel feature to control resource usage"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml339(para)
msgid ""
"MAC Policy: Mandatory Access Control; may be implemented with SELinux or "
"other operating systems"
msgstr ""
#: ./doc/security-guide/ch051_vss-intro.xml340(para)
msgid ""
"* Features in this table may not be applicable to all hypervisors or "
"directly mappable between hypervisors."
msgstr ""
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml3(title)
msgid "Introduction to SSL/TLS"
msgstr "SSL/TLSの導入"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml4(para)
msgid ""
"OpenStack services receive requests on behalf of users on public networks as"
" well as from other internal services over management networks. Inter-"
"service communications can also occur over public networks depending on "
"deployment and architecture choices."
msgstr "OpenStack のサービスは、管理ネットワーク経由の他の内部サービスからのリクエストと同様、パ\nブリックネットワーク上のユーザによるリクエストを受信します。サービス間通信は、デプロイとアーキテクチャ選択によってはパブリックネットワーク経由で行われる事もあります。"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml5(para)
msgid ""
"While it is commonly accepted that data over public networks should be "
"secured using cryptographic measures, such as Secure Sockets Layer or "
"Transport Layer Security (SSL/TLS) protocols, it is insufficient to rely on "
"security domain separation to protect internal traffic. Using a security-in-"
"depth approach, we recommend securing all domains with SSL/TLS, including "
"the management domain services. It is important that should a tenant escape "
"their VM isolation and gain access to the hypervisor or host resources, "
"compromise an API endpoint, or any other service, they must not be able to "
"easily inject or capture messages, commands, or otherwise affect or control "
"management capabilities of the cloud. SSL/TLS provides the mechanisms to "
"ensure authentication, non-repudiation, confidentiality, and integrity of "
"user communications to the OpenStack services and between the OpenStack "
"services themselves."
msgstr "パブリックネット上のデータはSecure Sockets Layer や Transport Layer Security (SSL/TLS)プロトコルのような暗号化方式を使用してセキュリティを確保すべきであるという事は一般に認識されている一方で、内部トラフィックの保護の為セキュリティドメイン分割に依存する事は不十分です。security-in-depth アプローチを用いて、管理ドメインサービスを含め、SSL/TLSを用いて全ドメインをセキュリティ確保する事を推奨します。テナントがVM分割を回避して、ハイパーバイザーやホストリソースへのアクセスを得て、APIエンドポイントやあらゆる他のサービスを妥協させる事は重大です。テナントが容易にインジェクトしたり、メッセージ・コマンド・その他クラウド上の管理機能に影響を与える又は制御する事が出来るようにスべきではありません。SSL/TLS は、OpenStackサービスへのユーザ通信やOpenStackサービス自体の相互間通信の認証、回避不能、秘密性、完全性を確保する仕組みを提供します。"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml6(para)
msgid ""
"Public Key Infrastructure (PKI) is the set of hardware, software, and "
"policies to operate a secure system which provides authentication, non-"
"repudiation, confidentiality, and integrity. The core components of PKI are:"
msgstr "Public Key Infrastructure (PKI)は認証、偽証不可、秘匿性、完全性を提供するセキュアなシステムを運用するハードウェア、ソフトウェア、ポリシーのセットです。PKIのコアコンポーネントは以下の通り。"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml8(para)
msgid ""
"End Entity - user, process, or system that is the subject of a certificate"
msgstr "End Entity - 証明対象のユーザ、プロセス、システム"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml11(para)
msgid ""
"Certification Authority (<glossterm>CA</glossterm>) - defines certificate "
"policies, management, and issuance of certificates"
msgstr "認証局 (Certification Authority、<glossterm>CA</glossterm>) - 証明ポリシーの定義、管理、証明書の発行"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml14(para)
msgid ""
"Registration Authority (RA) - an optional system to which a CA delegates "
"certain management functions"
msgstr "Registration Authority (RA) -CAが一定の管理機能を委任する追加システム"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml17(para)
msgid ""
"Repository - Where the end entity certificates and certificate revocation "
"lists are stored and looked up - sometimes referred to as the \"certificate "
"bundle\""
msgstr "リポジトリ - End Entity が証明され、証明書の廃止リストが保存・参照される場所 - 時々「証明バンドル(Certificate bundle)」と呼ばれます。"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml20(para)
msgid "Relying Party - The end point that is trusting that the CA is valid."
msgstr "Relying Party - CAが有効であると証明するエンドポイント"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml23(para)
msgid ""
"PKI builds the framework on which to provide encryption algorithms, cipher "
"modes, and protocols for securing data and authentication. We strongly "
"recommend securing all services with Public Key Infrastructure (PKI), "
"including the use of SSL/TLS for API endpoints. It is impossible for the "
"encryption or signing of transports or messages alone to solve all these "
"problems. Hosts themselves must be secure and implement policy, namespaces, "
"and other controls to protect their private credentials and keys. However, "
"the challenges of key management and protection do not reduce the necessity "
"of these controls, or lessen their importance."
msgstr "PKIはデータと認証をセキュアにする暗号アルゴリズム、暗号モード(cipher mode)、プロトコルの\nフレームワークをバンドルしています。APIエンドポイントの為のSSL/TLS 使用を含み、Public Key Infrastructure (PKI)を用いて、全サービスをセキュアにする事をお勧めします。暗号化や通信路・メッセージの署名の為に、これら全ての問題を解決する事は重要です。プライベート証明と鍵の保護の為、ホスト自身がセキュアで、ポリシー、ネームスペース、その他の制御を実装しなければなりません。しかし、キー管理や保護のチャレンジはこれらの制御の必要性を削減したり、その重要性を失ったりはしません。"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml25(title)
msgid "Certification Authorities"
msgstr "認証局(CA)"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml26(para)
msgid ""
"Many organizations have an established Public Key Infrastructure with their "
"own certification authority (CA), certificate policies, and management for "
"which they should use to issue certificates for internal OpenStack users or "
"services. Organizations in which the public security domain is Internet "
"facing will additionally need certificates signed by a widely recognized "
"public CA. For cryptographic communications over the management network, it "
"is recommended one not use a public CA. Instead, we expect and recommend "
"most deployments deploy their own internal CA."
msgstr "多くの組織には、内部のOpenStackユーザやサービス用に証明書を発行する為に使用されるべき場所用の自身の認証局(CA)、証明ポリシー、管理を備えたPublic Key Infrastructure (PKI)が設置されています\n。加えて、パブリックセキュリティドメインがインターネットに面している所の組織は、幅広く認識された公共のCAにより署名された証明書が必要になるでしょう。管理ネットワーク上の暗号化通信用には、パブリックCAを使用しない事をお勧めします。代わりに、多くのデプロイでは自身の内部CAを設置していると思いますし、推奨します。"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml27(para)
msgid ""
"It is recommended that the OpenStack cloud architect consider using separate"
" PKI deployments for internal systems and customer facing services. This "
"allows the cloud deployer to maintain control of their PKI infrastructure "
"and among other things makes requesting, signing and deploying certificates "
"for internal systems easier. Advanced configurations may use separate PKI "
"deployments for different security domains. This allows deployers to "
"maintain cryptographic separation of environments, ensuring that "
"certificates issued to one are not recognised by another."
msgstr "OpenStackクラウドアーキテクトには、内部のシステムと顧客が接するサービス用に、分断されたPKIデプロイの使用を検討する事をお勧めします。これは、クラウドをデプロイする人が他の物が内部のシステ\nム用に証明書を要求・署名・デプロイする事を容易にするPKIインフラを制御できるようにします。異なる設定\nは異なるセキュリティドメイン用にPKIデプロイを分割使用しても構いません。これは、デプロイする人が環境\nの暗号の分断を管理できるようにし、一方で発行された証明書が他方で認証されない事を保証します。"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml28(para)
msgid ""
"Certificates used to support SSL/TLS on internet facing cloud endpoints (or "
"customer interfaces where the customer is not expected to have installed "
"anything other than standard operating system provided certificate bundles) "
"should be provisioned using Certificate Authorities that are installed in "
"the operating system certificate bundle. Typical well known vendors include "
"Verisign and Thawte but many others exist."
msgstr "インターネットに面したクラウドのエンドポイント(あるいは証明書をバンドルした標準的なOS以外の何かがインストールされていると顧客が想定していない顧客インターフェース)上のSSL/TLSに対応に使用される証明書はOSの証明書バンドル中にインストールされるCAを用いてプロビジョニングされるべきです。通常、有名ベンダーにはベリサインやThawteを含みますが、他の多くのベンダーもあります。"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml29(para)
msgid ""
"There are many management, policy, and technical challenges around creating "
"and signing certificates as such is an area where cloud architects or "
"operators may wish to seek the advice of industry leaders and vendors in "
"addition to the guidance recommended here."
msgstr "証明書の作成・署名については多数の管理・ポリシー・技術的ハードルがあるため、証明書は、\nここで推奨されたガイドに加え、クラウドアーキテクトや運用者が工業リーダーやベンダのアドバイスを望みうる所です。"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml32(title)
msgid "SSL/TLS Libraries"
msgstr "SSL/TLSライブラリ"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml33(para)
msgid ""
"Various components, services, and applications within the OpenStack "
"ecosystem or dependencies of OpenStack are implemented and can be configured"
" to use SSL/TLS libraries. The SSL/TLS and HTTP services within OpenStack "
"are typically implemented using OpenSSL which has been proven to be fairly "
"secure and has a module that has been validated for FIPS 140-2. However, "
"keep in mind that each application or service can still introduce weaknesses"
" in how they use the OpenSSL libraries."
msgstr "OpenStackエコシステムやOpenStackが依存する様々なコンポーネント、サービス、アプリケーションはSSL/TLSライブラリを使用するよう実装され、設定ができるようになっています。OpenStack中のSSL/TLSとHTTPサービスは通常、非常にセキュアである事が証明され、FIPS 140-2用に検証されてきたOpenSSLを使用して実装されています。しかし、各アプリケーション又はサービスは、OpenSSLライブラリをどのように使用するかという点で、未だ脆弱性を招きうるという事を忘れないで下さい。"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml36(title)
msgid "Cryptographic Algorithms, Cipher Modes, and Protocols"
msgstr "暗号化アルゴリズム、暗号モード、プロトコル"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml37(para)
msgid ""
"We recommend only using TLS v1.1 or v1.2. SSLv3 and TLSv1.0 may be used for "
"compatibility but we recommend using caution and only enabling these "
"protocols if you have a strong requirement to do so. Other SSL/TLS versions,"
" explicitly older versions, should not be used. These older versions include"
" SSLv1 and SSLv2. As this book does not intend to be a thorough reference on"
" cryptography we do not wish to be prescriptive about what specific "
"algorithms or cipher modes you should enable or disable in your OpenStack "
"services. However, there are some authoritative references we would like to "
"recommend for further information:"
msgstr "我々は TLS v1.1 又は v1.2 の使用のみ推奨します。SSL v3 と TLS v1.0 は互換性目的で使用出来ますが、我々は、注意深く、これらのプロトコルの有効化が強い要望としてある場合にのみ有効にする事をお勧めします。他のSSL/TLSバージョン(はっきり言えば古いバージョン)は使用すべきではありません。これらの古いバージョンには SSL v1 と v2 が含まれます。本書では暗号方式の初めから終わりまでの参考書を志向していない為、我々はあなたのOpenStackサービス中でどの特定アルゴリズムや暗号モードを有効・無効にすべきかについて指図する事を望みません。しかしながら、今後の情報としてお勧めしたい権威ある参考文献があります。"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml39(link)
msgid "National Security Agency, Suite B Cryptography"
msgstr "National Security Agency, Suite B Cryptography"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml42(link)
msgid "OWASP Guide to Cryptography"
msgstr "OWASP Guide to Cryptography"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml45(link)
msgid "OWASP Transport Layer Protection Cheat Sheet"
msgstr "OWASP Transport Layer Protection Cheat Sheet"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml48(link)
msgid ""
"SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate "
"trust model enhancements"
msgstr "SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml51(link)
msgid ""
"The Most Dangerous Code in the World: Validating SSL Certificates in Non-"
"Browser Software"
msgstr "The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml54(link)
msgid "OpenSSL and FIPS 140-2"
msgstr "OpenSSL and FIPS 140-2"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml59(title)
msgid "Summary"
msgstr "概要"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml60(para)
msgid ""
"Given the complexity of the OpenStack components and the number of "
"deployment possibilities, you must take care to ensure that each component "
"gets the appropriate configuration of SSL certificates, keys, and CAs. The "
"following services will be discussed in later sections of this book where "
"SSL and PKI is available (either natively or possible via SSL proxy):"
msgstr "OpenStack コンポーネントの複雑さとデプロイの発展性を考慮すると、確実に各コンポーネントがSSL証明書・鍵・CAを適切に設定されている事に注意を払う必要があります。以下のサービスは(標準機能又はSSLプロキシ経由可のどちらかで)SSLとPKIが利用可能な本書の後の章で議論します。"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml62(para)
msgid "Compute API endpoints"
msgstr "Compute APIエンドポイント"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml65(para)
msgid "Identity API endpoints"
msgstr "Identity APIエンドポイント"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml68(para)
msgid "Networking API endpoints"
msgstr "Networking APIエンドポイント"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml71(para)
msgid "Storage API endpoints"
msgstr "ストレージAPIエンドポイント"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml74(para)
msgid "Messaging server"
msgstr "メッセージングサーバー"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml77(para)
msgid "Database server"
msgstr "データベースサーバー"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml80(para)
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml23(title)
#: ./doc/security-guide/ch004_book-introduction.xml103(title)
#: ./doc/security-guide/ch025_web-dashboard.xml3(title)
msgid "Dashboard"
msgstr "ダッシュボード"
#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml83(para)
msgid ""
"Throughout this book we will use SSL as shorthand to refer to these "
"recommendations for SSL/TLS protocols."
msgstr "本書の至る所で、我々はSSLをSSL/TLSプロトコルに関する推奨を示す略称として使用します。"
#: ./doc/security-guide/ch012_configuration-management.xml3(title)
msgid "Continuous Systems Management"
msgstr "継続的なシステム管理"
#: ./doc/security-guide/ch012_configuration-management.xml4(para)
msgid ""
"A cloud will always have bugs. Some of these will be security problems. For "
"this reason, it is critically important to be prepared to apply security "
"updates and general software updates. This involves smart use of "
"configuration management tools, which are discussed below. This also "
"involves knowing when an upgrade is necessary."
msgstr "クラウドには必ずバグがあります。その中にはセキュリティの問題も含まれています。このような理由から、セキュリティ更新や一般的なソフトウェア更新の適用準備を行うことが極めて重要です。例えば、構成管理ツールを賢く利用していくことになります。これについては以下で説明しています。また、更新が必要な時期を把握する必要があります。"
#: ./doc/security-guide/ch012_configuration-management.xml6(title)
#: ./doc/security-guide/ch063_compliance-activities.xml43(title)
msgid "Vulnerability Management"
msgstr "脆弱性の管理"
#: ./doc/security-guide/ch012_configuration-management.xml7(para)
msgid ""
"For announcements regarding security relevant changes, subscribe to the "
"<link href=\"http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-"
"announce\">OpenStack Announce mailing list</link>. The security "
"notifications are also posted through the downstream packages for example "
"through Linux distributions that you may be subscribed to as part of the "
"package updates."
msgstr "セキュリティ関連の変更に関するお知らせは、<link href=\"http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-announce\">OpenStack Announce mailing list</link> をサブスクライブしてください。セキュリティの通知は、パッケージ更新の一部としてサブスクライブしている可能性のある Linux ディストリビューションといったダウンストリームのパッケージでも掲載されます。"
#: ./doc/security-guide/ch012_configuration-management.xml12(para)
msgid ""
"The OpenStack components are only a small fraction of the software in a "
"cloud. It is important to keep up to date with all of these other "
"components, too. While the specific data sources will be deployment "
"specific, the key idea is to ensure that a cloud administrator subscribes to"
" the necessary mailing lists for receiving notification of any related "
"security updates. Often this is as simple as tracking an upstream Linux "
"distribution."
msgstr "OpenStack のコンポーネントは、クラウドにあるソフトウェアのごく一部です。このような他のコンポーネントすべても最新の状態に保つことが重要です。データソースはそれぞれデプロイメント固有のものですが、主な目的はクラウド管理者は必要なメーリングリストにサブスクライブして関連のセキュリティ更新の通知を受信できるようにすることです。通常、Linux のアップストリームディストリビューションをトラッキングするのと同じくらいシンプルです。"
#: ./doc/security-guide/ch012_configuration-management.xml15(para)
msgid ""
"OpenStack Security Advisories (OSSA) are created by the OpenStack "
"Vulnerability Management Team (VMT). They pertain to security holes in core "
"OpenStack services. More information on the VMT can be found here: <link "
"href=\"https://wiki.openstack.org/wiki/Vulnerability_Management\">https://wiki.openstack.org/wiki/Vulnerability_Management</link>"
msgstr "OpenStack セキュリティアドバイザリ (OSSA: OpenStack Security Advisories) は、OpenStack 脆弱性管理チーム (VMT: Vulnerability Management Team) が作成しています。コアとなる OpenStack サービスのセキュリティホールに関連するものです。VMT に関する詳細情報は、<link href=\"https://wiki.openstack.org/wiki/Vulnerability_Management\">https://wiki.openstack.org/wiki/Vulnerability_Management</link> を参照してください。"
#: ./doc/security-guide/ch012_configuration-management.xml19(para)
msgid ""
"OpenStack Security Notes (OSSN) were created by the OpenStack Security Group"
" (OSSG) to support the work of the VMT. OSSN address issues in supporting "
"software and common deployment configurations. They're referenced throughout"
" this guide. Security Notes are archived at <link "
"href=\"https://launchpad.net/ossn/\">https://launchpad.net/ossn/</link>"
msgstr "OpenStack セキュリティノート (OSSN: OpenStack Security Notes) は、VMT の作業をサポートする OpenStack セキュリティグループ (OSSG: OpenStack Security Group) が 作成しています。OSSN はソフトウェアや一般的なデプロイメント設定のサポートにおける問題に対応しています。本書でも OSNN については全体的に参照しています。セキュリティノートは <link href=\"https://launchpad.net/ossn/\">https://launchpad.net/ossn/</link> でアーカイブされています。"
#: ./doc/security-guide/ch012_configuration-management.xml13(para)
msgid ""
"OpenStack releases security information through two channels. "
"<placeholder-1/>"
msgstr "OpenStack は 2 つのチャネルからセキュリティ情報を発信しています。 <placeholder-1/>"
#: ./doc/security-guide/ch012_configuration-management.xml29(title)
msgid "Triage"
msgstr "トリアージ"
#: ./doc/security-guide/ch012_configuration-management.xml30(para)
msgid ""
"After receiving notification about a security update, the next step is to "
"determine how critical this update is to a given cloud deployment. In this "
"case, it is useful to have a pre-defined policy. Existing vulnerability "
"rating systems such as the common vulnerability scoring system (CVSS) v2 do "
"not properly account for cloud deployments."
msgstr "セキュリティ更新の通知を受信した後、次のステップとして、指定のクラウドデプロイメントにとって、この更新がどの程度重要かを判断します。このような場合、ポリシーを事前定義しておくと便利です。共通脆弱性評価システム (CVSS) v2 などの既存の脆弱性評価システムは、クラウドデプロイメントに正しく対応していません。"
#: ./doc/security-guide/ch012_configuration-management.xml31(para)
msgid ""
"In this example we introduce a scoring matrix that places vulnerabilities in"
" three categories: Privilege Escalation, Denial of Service and Information "
"Disclosure. Understanding the type of vulnerability and where it occurs in "
"your infrastructure will enable you to make reasoned response decisions."
msgstr "以下の例では、権限昇格、DoS (サービス妨害)、情報開示の 3 つのカテゴリーに脆弱性を分類した評価マトリクスを紹介しています。脆弱性の種類やインフラストラクチャー内での発生箇所を理解することで、裏付けに基いた対応意思決定を下すことができます。"
#: ./doc/security-guide/ch012_configuration-management.xml32(para)
msgid ""
"Privilege Escalation describes the ability of a user to act with the "
"privileges of some other user in a system, bypassing appropriate "
"authorization checks. For example a standard Linux user running code or "
"performing an operation that allows them to conduct further operations with "
"the privileges of the root users on the system."
msgstr "権限昇格とは、適切な認証チェックをすり抜けてシステム内の他のユーザーの権限を行使するユーザーの能力のことを指します。例えば、標準の Linux ユーザーがシステム上の root ユーザーの権限で自分の権限以上の操作を可能にするオペレーションを実行したり、コードを実行したりするなどです。"
#: ./doc/security-guide/ch012_configuration-management.xml33(para)
msgid ""
"Denial of Service refers to an exploited vulnerability that may cause "
"service or system disruption. This includes both distributed attacks to "
"overwhelm network resources, and single-user attacks that are typically "
"caused through resource allocation bugs or input induced system failure "
"flaws."
msgstr "サービス妨害 (DoS) とは、サービスやシステムの中断を引き起こす脆弱性を悪用することを指します。これには、ネットワークリソースを大量に使用する分散型攻撃や、リソース割り当てのバグや誘導型でのシステム障害の問題などで一般的に引き起こされるシングルユーザー攻撃の両方が含まれます。"
#: ./doc/security-guide/ch012_configuration-management.xml34(para)
msgid ""
"Information Disclosure vulnerabilities reveal information about your system "
"or operations. These vulnerabilities range from debugging information "
"disclosure, to exposure of critical security data, such as authentication "
"credentials and passwords."
msgstr "情報開示の脆弱性は、システムや操作の情報を公開します。これらの脆弱性は、情報開示のデバッグから認証情報やパスワードなどの重要なセキュリティデータの公開などが当てはまります。"
#: ./doc/security-guide/ch012_configuration-management.xml40(emphasis)
msgid "Attacker Position / Privilege Level"
msgstr "攻撃者の位置付け/権限レベル"
#: ./doc/security-guide/ch012_configuration-management.xml44(emphasis)
msgid "External"
msgstr "外部"
#: ./doc/security-guide/ch012_configuration-management.xml45(emphasis)
msgid "Cloud User"
msgstr "クラウドユーザー"
#: ./doc/security-guide/ch012_configuration-management.xml46(emphasis)
msgid "Cloud Admin"
msgstr "クラウドの管理者"
#: ./doc/security-guide/ch012_configuration-management.xml47(emphasis)
msgid "Control Plane"
msgstr "制御プレーン"
#: ./doc/security-guide/ch012_configuration-management.xml50(emphasis)
msgid "Privilege Elevation (3 levels)"
msgstr "権限昇格 (3 つのレベル)"
#: ./doc/security-guide/ch012_configuration-management.xml51(para)
#: ./doc/security-guide/ch012_configuration-management.xml58(para)
#: ./doc/security-guide/ch012_configuration-management.xml59(para)
#: ./doc/security-guide/ch012_configuration-management.xml65(para)
#: ./doc/security-guide/ch012_configuration-management.xml66(para)
#: ./doc/security-guide/ch012_configuration-management.xml67(para)
msgid "Critical"
msgstr "重要"
#: ./doc/security-guide/ch012_configuration-management.xml52(para)
#: ./doc/security-guide/ch012_configuration-management.xml53(para)
#: ./doc/security-guide/ch012_configuration-management.xml54(para)
#: ./doc/security-guide/ch012_configuration-management.xml60(para)
#: ./doc/security-guide/ch012_configuration-management.xml61(para)
#: ./doc/security-guide/ch012_configuration-management.xml68(para)
msgid "n/a"
msgstr "なし"
#: ./doc/security-guide/ch012_configuration-management.xml57(emphasis)
msgid "Privilege Elevation (2 levels)"
msgstr "権限昇格 (2 つのレベル)"
#: ./doc/security-guide/ch012_configuration-management.xml64(emphasis)
msgid "Privilege Elevation (1 level)"
msgstr "権限昇格 (1つのレベル)"
#: ./doc/security-guide/ch012_configuration-management.xml71(emphasis)
msgid "Denial of Service"
msgstr "サービス妨害 (DoS)"
#: ./doc/security-guide/ch012_configuration-management.xml72(para)
msgid "High"
msgstr "高"
#: ./doc/security-guide/ch012_configuration-management.xml73(para)
msgid "Medium"
msgstr "中"
#: ./doc/security-guide/ch012_configuration-management.xml74(para)
#: ./doc/security-guide/ch012_configuration-management.xml75(para)
#: ./doc/security-guide/ch012_configuration-management.xml82(para)
msgid "Low"
msgstr "低"
#: ./doc/security-guide/ch012_configuration-management.xml78(emphasis)
msgid "Information Disclosure"
msgstr "情報開示"
#: ./doc/security-guide/ch012_configuration-management.xml79(para)
#: ./doc/security-guide/ch012_configuration-management.xml80(para)
msgid "Critical / High"
msgstr "重要/高"
#: ./doc/security-guide/ch012_configuration-management.xml81(para)
msgid "Medium / Low"
msgstr "中/低"
#: ./doc/security-guide/ch012_configuration-management.xml86(para)
msgid ""
"The above table illustrates a generic approach to measuring the impact of a "
"vulnerability based on where it occurs in your deployment and the effect; "
"for example, a single level privilege escalation on a Compute API node would"
" potentially allow a standard user of the API to escalate to have the same "
"privileges as the root user on the node."
msgstr ""
#: ./doc/security-guide/ch012_configuration-management.xml87(para)
msgid ""
"We suggest cloud administrators customize and expand this table to suit "
"their needs. Then work to define how to handle the various severity levels. "
"For example, a critical-level security update might require the cloud to be "
"upgraded on a specified time line, whereas a low-level update might be more "
"relaxed."
msgstr "クラウド管理者は、ニーズ似あわせてこの表をカスタマイズ、拡張するよう推奨しています。その後、様々な深刻度に合わせて対応する方法を定義していくようにしてください。例えば、レベルが「重要」であるセキュリティ更新では、指定のスケジュールでクラウドのアップグレードが必要となる可能性がありますが、レベルが「低」の更新ではそこまで厳しくないでしょう。"
#: ./doc/security-guide/ch012_configuration-management.xml90(title)
msgid "Testing the Updates"
msgstr "更新のテスト"
#: ./doc/security-guide/ch012_configuration-management.xml91(para)
msgid ""
"Any update should be fully tested before deploying in a production "
"environment. Typically this requires having a separate test cloud setup that"
" first receives the update.  This cloud should be as close to the production"
" cloud as possible, in terms of software and hardware. Updates should be "
"tested thoroughly in terms of performance impact, stability, application "
"impact, and more. Especially important is to verify that the problem "
"theoretically addressed by the update (e.g., a specific vulnerability) is "
"actually fixed."
msgstr "実稼働環境でデプロイする前に、更新をすべて完全にテストするようにしてください。一般的に、更新を最初に受信するテスト用のクラウド設定が別途必要になります。このクラウドのソフトウェアやハードウェアはできるだけ実稼働クラウドと同じ環境にする必要があります。パフォーマンスの影響、安定性、アプリケーションへの影響など、更新全体をテストする必要があります。特に重要なのは、更新で理論上対応されている問題 (例: 特定の脆弱性) が実際に修正されているかどうかを確認することです。"
#: ./doc/security-guide/ch012_configuration-management.xml94(title)
msgid "Deploying the Updates"
msgstr "更新のデプロイ"
#: ./doc/security-guide/ch012_configuration-management.xml95(para)
msgid ""
"Once the updates are fully tested, they can be deployed to the production "
"environment. This deployment should be fully automated using the "
"configuration management tools described below."
msgstr "更新の完全なテストが終了すると、実稼働環境にデプロイすることができます。このデプロイメントは、以下に記載の構成管理ツールで完全に自動的に行われます。"
#: ./doc/security-guide/ch012_configuration-management.xml99(title)
msgid "Configuration Management"
msgstr "構成管理"
#: ./doc/security-guide/ch012_configuration-management.xml100(para)
msgid ""
"A production quality cloud should always use tools to automate configuration"
" and deployment. This eliminates human error, and allows the cloud to scale "
"much more rapidly. Automation also helps with continuous integration and "
"testing."
msgstr "実稼働環境の品質を持つクラウドは設定とデプロイメントの自動化ツールを必ず使用しています。こうすることで、人的ミスをなくし、クラウドの迅速なスケールアウトが可能になります。自動化により、継続的した統合やテストが行いやすくなります。"
#: ./doc/security-guide/ch012_configuration-management.xml101(para)
msgid ""
"When building an OpenStack cloud it is strongly recommended to approach your"
" design and implementation with a configuration management tool or framework"
" in mind. Configuration management allows you to avoid the many pitfalls "
"inherent in building, managing, and maintaining an infrastructure as complex"
" as OpenStack. By producing the manifests, cookbooks, or templates required "
"for a configuration management utility, you are able to satisfy a number of "
"documentation and regulatory reporting requirements. Further, configuration "
"management can also function as part of your BCP and DR plans wherein you "
"can rebuild a node or service back to a known state in a DR event or given a"
" compromise."
msgstr "OpenStack クラウドの構築時は、構成管理ツールまたはフレームワークを念頭に設計、実装に着手するように強く推奨します。構成管理により、OpenStack のように複雑なインフラストラクチャーの構築、管理、維持において陥りやすい多くの問題を回避することができます。構成管理ユーティリティに必要なマニフェスト、クックブック、テンプレートを作成することで、多くの文書や監督機関へのレポート要件を満たすことができます。さらに、構成管理は、BCP および DR プランの一部としても機能する可能性もあります。その場合、DR やセキュリティ侵害が合った場合にノードやサービスを既知の状態へ再構築することができます。"
#: ./doc/security-guide/ch012_configuration-management.xml102(para)
msgid ""
"Additionally, when combined with a version control system such as Git or "
"SVN, you can track changes to your environment over time and remediate "
"unauthorized changes that may occur. For example, a nova.conf or other "
"configuration file falls out of compliance with your standard, your "
"configuration management tool will be able to revert or replace the file and"
" bring your configuration back into a known state. Finally a configuration "
"management tool can also be used to deploy updates; simplifying the security"
" patch process. These tools have a broad range of capabilities that are "
"useful in this space. The key point for securing your cloud is to choose a "
"tool for configuration management and use it."
msgstr "さらに、Git や SVN などのバージョン管理システムと統合すると、経年の環境の変化をトラッキングして、発生する可能性のある未認証の変更を修正することができます。例えば、nova.conf やその他の設定ファイルが規格に準拠しなくなった場合、構成管理ツールは既知の状態にファイルを復元または置き換えることができます。最後に、構成管理ツールを使用して、更新のデプロイも可能で、セキュリティパッチのプロセスを簡素化します。これらのツールには、この項において便利な機能が幅広く含まれています。クラウドのセキュリティ確保の主な目的は、構成管理のツールを選択して使用することです。"
#: ./doc/security-guide/ch012_configuration-management.xml103(para)
msgid ""
"There are many configuration management solutions; at the time of this "
"writing there are two in the marketplace that are robust in their support of"
" OpenStack environments: <glossterm>Chef</glossterm> and "
"<glossterm>Puppet</glossterm>. A non-exhaustive listing of tools in this "
"space is provided below:"
msgstr "構成管理ソリューションは多数存在しますが、本書の作成時点で市場にあるソリューションで OpenStack 環境のサポートが強力なものは <glossterm>Chef</glossterm> と <glossterm>Puppet</glossterm> の 2 種類となっています。以下に完全ではありませんが、ツールのリストを示しています。"
#: ./doc/security-guide/ch012_configuration-management.xml105(para)
msgid "Chef"
msgstr "Chef"
#: ./doc/security-guide/ch012_configuration-management.xml108(para)
msgid "Puppet"
msgstr "Puppet"
#: ./doc/security-guide/ch012_configuration-management.xml111(para)
msgid "Salt Stack"
msgstr "Salt Stack"
#: ./doc/security-guide/ch012_configuration-management.xml114(para)
msgid "Ansible"
msgstr "Ansible"
#: ./doc/security-guide/ch012_configuration-management.xml118(title)
msgid "Policy Changes"
msgstr "ポリシーの変更"
#: ./doc/security-guide/ch012_configuration-management.xml119(para)
msgid ""
"Whenever a policy or configuration management is changed, it is good "
"practice to log the activity, and backup a copy of the new set. Often, such "
"policies and configurations are stored in a version controlled repository "
"such as git."
msgstr "ポリシーや構成管理が変更されると、そのアクティビティをロギングして、新しいセットのコピーをバックアップすると慣習として良いでしょう。通常、このようなポリシーや設定は Git などのバージョン管理リポジトリに保存されています。"
#: ./doc/security-guide/ch012_configuration-management.xml123(title)
msgid "Secure Backup and Recovery"
msgstr "セキュアなバックアップとリカバリ"
#: ./doc/security-guide/ch012_configuration-management.xml124(para)
msgid ""
"It is important to include Backup procedures and policies in the overall "
"System Security Plan. For a good overview of OpenStack's Backup and Recovery"
" capabilities and procedures, please refer to the OpenStack Operations "
"Guide."
msgstr "バックアップのプロシージャーとポリシーを全体的なシステムセキュリティプランに含めることは重要です。OpenStack のバックアップとリカバリー機能やプロシージャーについての適切な概要は、OpenStack 運用ガイドを参照してください。"
#: ./doc/security-guide/ch012_configuration-management.xml126(title)
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml45(title)
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml82(title)
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml113(title)
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml132(title)
#: ./doc/security-guide/ch026_compute.xml23(title)
#: ./doc/security-guide/ch026_compute.xml57(title)
msgid "Security Considerations"
msgstr "セキュリティの課題"
#: ./doc/security-guide/ch012_configuration-management.xml128(para)
msgid ""
"Ensure only authenticated users and backup clients have access to the backup"
" server."
msgstr "認証済みのユーザーおよびバックアップクライアントのみがバックアップサーバーにアクセスできるようにすること"
#: ./doc/security-guide/ch012_configuration-management.xml131(para)
msgid "Use data encryption options for storage and transmission of backups."
msgstr "バックアップの移動やストレージにはデータ暗号化オプションを使用すること"
#: ./doc/security-guide/ch012_configuration-management.xml134(para)
msgid ""
"Use a dedicated and hardened backup server(s). The backup server's logs "
"should be monitored daily and should be accessible by only few individuals."
msgstr "セキュリティが強化された専用のバックアップサーバーを使用すること。バックアップサーバーのログは日次で監査し、ほんの一握りの個人だけがこのログにアクセスできるようにします。"
#: ./doc/security-guide/ch012_configuration-management.xml137(para)
msgid ""
"Test data recovery options regularly. One of the things that can be restored"
" from secured backups is the images. In case of a compromise, the best "
"practice would be to terminate running instances immediately and then "
"relaunch the instances from the images in the secured backup repository."
msgstr "データのリカバリーオプションを定期的にテストすること。セキュアなバックアップからリストアが可能なものの 1 つにイメージがあります。情報漏洩などが発生した場合のベストプラクティスは、すぐに実行中のインスタンスを終了して、セキュアなバックアップリポジトリにあるイメージからインスタンスを再起動することです。"
#: ./doc/security-guide/ch012_configuration-management.xml142(title)
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml64(title)
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml123(title)
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml149(title)
#: ./doc/security-guide/ch026_compute.xml33(title)
#: ./doc/security-guide/ch026_compute.xml70(title)
#: ./doc/security-guide/ch058_forensicsincident-response.xml43(title)
msgid "References"
msgstr "参考資料"
#: ./doc/security-guide/ch012_configuration-management.xml144(para)
msgid ""
"<citetitle>OpenStack Operations Guide</citetitle> on <link "
"href=\"http://docs.openstack.org/trunk/openstack-"
"ops/content/backup_and_recovery.html\">backup and recovery</link>"
msgstr "<citetitle>OpenStack 運用ガイド</citetitle> の <link href=\"http://docs.openstack.org/trunk/openstack-ops/content/backup_and_recovery.html\">バックアップとリカバリー</link>"
#: ./doc/security-guide/ch012_configuration-management.xml147(link)
msgid ""
"http://www.sans.org/reading_room/whitepapers/backup/security-considerations-"
"enterprise-level-backups_515"
msgstr "http://www.sans.org/reading_room/whitepapers/backup/security-considerations-enterprise-level-backups_515"
#: ./doc/security-guide/ch012_configuration-management.xml150(link)
msgid "OpenStack Security Primer"
msgstr "OpenStack セキュリティ入門"
#: ./doc/security-guide/ch012_configuration-management.xml156(title)
msgid "Security Auditing Tools"
msgstr "セキュリティ監査ツール"
#: ./doc/security-guide/ch012_configuration-management.xml157(para)
msgid ""
"Security auditing tools can complement the configuration management tools.  "
"Security auditing tools automate the process of verifying that a large "
"number of security controls are satisfied for a given system configuration. "
"These tools help to bridge the gap from security configuration guidance "
"documentation (for example, the STIG and NSA Guides) to a specific system "
"installation. For example, <link href=\"https://fedorahosted.org/scap-"
"security-guide/\">SCAP</link> can compare a running system to a pre-defined "
"profile. SCAP outputs a report detailing which controls in the profile were "
"satisfied, which ones failed, and which ones were not checked."
msgstr "セキュリティ監査ツールは、構成管理ツールを補完することができます。セキュリティ監査ツールは、セキュリティ制御の多くが指定のシステム設定を満たしていることを確認するプロセスを自動化します。これらのツールは、セキュリティ設定方針文書 (例: STIG および NSA ガイド) から個別のシステムインストール環境のギャップを埋めるサポートをします。例えば、<link href=\"https://fedorahosted.org/scap-security-guide/\">SCAP</link> は実行中のシステムと事前定義済みのプロファイルを比較することができます。SCAP はプロファイル内のどの制御に対応しているか、問題があるものはどれか、確認されていないものはどれかを詳細にまとめたレポートを出力します。"
#: ./doc/security-guide/ch012_configuration-management.xml158(para)
msgid ""
"Combining configuration management and security auditing tools creates a "
"powerful combination. The auditing tools will highlight deployment concerns."
" And the configuration management tools simplify the process of changing "
"each system to address the audit concerns. Used together in this fashion, "
"these tools help to maintain a cloud that satisfies security requirements "
"ranging from basic hardening to compliance validation."
msgstr "構成管理とセキュリティ監査ツールを組み合わせることで強力になります。監査ツールはデプロイメントの課題をハイライトし、構成管理ツールは各システムの変更プロセスを簡素化して監査の課題に対応していきます。このような方法で組み合わせて使用することで、これらのツールは、基本的なセキュリティの強化からコンプライアンスのバリデーションに至るまで、このようなセキュリティ要件を満たすクラウドを維持できるようにします。"
#: ./doc/security-guide/ch012_configuration-management.xml159(para)
msgid ""
"Configuration management and security auditing tools will introduce another "
"layer of complexity into the cloud.  This complexity brings with it "
"additional security concerns. We view this as an acceptable risk trade-off, "
"given their security benefits. Securing the operational use of these tools "
"is beyond the scope of this guide."
msgstr "構成管理およびセキュリティ監査ツールは、別のレベルで複雑性をクラウドにもたらします。この複雑性により、新たなセキュリティの課題が出てきます。これについては、セキュリティの利点もあるため、許容範囲のリスクのトレードオフという見解を持っています。これらのツールの運用におけるセキュリティ確保については、本書の対象外となっています。"
#: ./doc/security-guide/ch059_case-studies-monitoring-logging.xml3(title)
msgid "Case Studies: Monitoring and Logging"
msgstr ""
#: ./doc/security-guide/ch059_case-studies-monitoring-logging.xml4(para)
msgid ""
"In this case study we discuss how Alice and Bob would address monitoring and"
" logging in the public vs a private cloud. In both instances, time "
"synchronization and a centralized store of logs become extremely important "
"for performing proper assessments and troubleshooting of anomalies. Just "
"collecting logs is not very useful, a robust monitoring system must be built"
" to generate actionable events."
msgstr ""
#: ./doc/security-guide/ch059_case-studies-monitoring-logging.xml6(title)
#: ./doc/security-guide/ch039_case-studies-messaging.xml6(title)
#: ./doc/security-guide/ch066_case-studies-compliance.xml6(title)
#: ./doc/security-guide/ch028_case-studies-identity-management.xml6(title)
#: ./doc/security-guide/ch044_case-studies-database.xml6(title)
#: ./doc/security-guide/ch009_case-studies.xml6(title)
#: ./doc/security-guide/ch056_case-studies-instance-management.xml6(title)
#: ./doc/security-guide/ch022_case-studies-api-endpoints.xml6(title)
#: ./doc/security-guide/ch015_case-studies-management.xml29(title)
#: ./doc/security-guide/ch018_case-studies-pkissl.xml6(title)
#: ./doc/security-guide/ch035_case-studies-networking.xml6(title)
#: ./doc/security-guide/ch049_case-studies-tenant-data.xml6(title)
#: ./doc/security-guide/ch053_case-studies-instance-isolation.xml6(title)
msgid "Alice's Private Cloud"
msgstr "アリスのプライベートクラウド"
#: ./doc/security-guide/ch059_case-studies-monitoring-logging.xml7(para)
msgid ""
"In the private cloud, Alice has a better understanding of the tenants "
"requirements and accordingly can add appropriate oversight and compliance on"
" monitoring and logging. Alice should identify critical services and data "
"and ensure that logging is turned at least on those services and is being "
"aggregated to a central log server. She should start with simple and known "
"use cases and implement correlation and alerting to limit the number of "
"false positives. To implement correlation and alerting, she sends the log "
"data to her organization's existing SIEM tool. Security monitoring should be"
" an ongoing process and she should continue to define use cases and alerts "
"as she has better understanding of the network traffic activity and usage "
"over time."
msgstr ""
#: ./doc/security-guide/ch059_case-studies-monitoring-logging.xml10(title)
#: ./doc/security-guide/ch039_case-studies-messaging.xml10(title)
#: ./doc/security-guide/ch066_case-studies-compliance.xml13(title)
#: ./doc/security-guide/ch028_case-studies-identity-management.xml12(title)
#: ./doc/security-guide/ch044_case-studies-database.xml10(title)
#: ./doc/security-guide/ch009_case-studies.xml11(title)
#: ./doc/security-guide/ch056_case-studies-instance-management.xml12(title)
#: ./doc/security-guide/ch022_case-studies-api-endpoints.xml10(title)
#: ./doc/security-guide/ch015_case-studies-management.xml34(title)
#: ./doc/security-guide/ch018_case-studies-pkissl.xml10(title)
#: ./doc/security-guide/ch035_case-studies-networking.xml24(title)
#: ./doc/security-guide/ch049_case-studies-tenant-data.xml23(title)
#: ./doc/security-guide/ch053_case-studies-instance-isolation.xml12(title)
msgid "Bob's Public Cloud"
msgstr "ボブのパブリッククラウド"
#: ./doc/security-guide/ch059_case-studies-monitoring-logging.xml11(para)
msgid ""
"When it comes to logging, as a public cloud provider, Bob is interested in "
"logging both for situational awareness as well as compliance. That is, "
"compliance that Bob as a provider is subject to as well as his ability to "
"provide timely and relevant logs or reports on the behalf of his customers "
"for their compliance audits. With that in mind, Bob configures all of his "
"instances, nodes, and infrastructure devices to perform time synchronization"
" with an external, known good time device. Additionally, Bob's team has "
"built a Django based web applications for his customers to perform self-"
"service log retrieval from Bob's SIEM tool. Bob also uses this SIEM tool "
"along with a robust set of alerts and integration with his CMDB to provide "
"operational awareness to both customers and cloud administrators."
msgstr ""
#: ./doc/security-guide/bk_openstack-sec-guide.xml6(title)
msgid "OpenStack Security Guide"
msgstr ""
#: ./doc/security-guide/bk_openstack-sec-guide.xml14(orgname)
#: ./doc/security-guide/bk_openstack-sec-guide.xml19(holder)
msgid "OpenStack Foundation"
msgstr "OpenStack Foundation"
#: ./doc/security-guide/bk_openstack-sec-guide.xml18(year)
msgid "2013"
msgstr "2013"
#: ./doc/security-guide/bk_openstack-sec-guide.xml21(releaseinfo)
msgid "havana"
msgstr "havana"
#: ./doc/security-guide/bk_openstack-sec-guide.xml22(productname)
msgid "OpenStack"
msgstr "OpenStack"
#: ./doc/security-guide/bk_openstack-sec-guide.xml26(remark)
msgid "Copyright details are filled in by the template."
msgstr "Copyright details are filled in by the template."
#: ./doc/security-guide/bk_openstack-sec-guide.xml31(para)
msgid ""
"This book provides best practices and conceptual information about securing "
"an OpenStack cloud."
msgstr ""
#: ./doc/security-guide/bk_openstack-sec-guide.xml38(date)
msgid "2013-12-02"
msgstr ""
#: ./doc/security-guide/bk_openstack-sec-guide.xml42(para)
msgid "Chapter on Object Storage added."
msgstr ""
#: ./doc/security-guide/bk_openstack-sec-guide.xml48(date)
msgid "2013-10-17"
msgstr "2013-10-17"
#: ./doc/security-guide/bk_openstack-sec-guide.xml52(para)
msgid "Havana release."
msgstr "Havana リリース。"
#: ./doc/security-guide/bk_openstack-sec-guide.xml58(date)
msgid "2013-07-02"
msgstr ""
#: ./doc/security-guide/bk_openstack-sec-guide.xml62(para)
msgid "Initial creation..."
msgstr ""
#: ./doc/security-guide/ch065_privacy.xml3(title)
msgid "Privacy"
msgstr "プライバシー"
#: ./doc/security-guide/ch065_privacy.xml4(para)
msgid ""
"Privacy is an increasingly important element of a compliance program. "
"Businesses are being held to a higher standard by their customers, who have "
"increased interest in understanding how their data is treated from a privacy"
" perspective."
msgstr "プライバシーはコンプライアンスプログラムの重要な要素になりつつあります。顧客はプライバシーの観点から、データがいかに扱われているか関心を高めており、データを扱う企業はより高い基準を期待されています。"
#: ./doc/security-guide/ch065_privacy.xml5(para)
msgid ""
"An OpenStack deployment will likely need to demonstrate compliance with an "
"organizations Privacy Policy, with the U.S. E.U. Safe Harbor framework, "
"the ISO/IEC 29100:2011 privacy framework or with other privacy-specific "
"guidelines. In the U.S. the AICPA has <link "
"href=\"http://www.aicpa.org/interestareas/informationtechnology/resources/privacy/generallyacceptedprivacyprinciples/\">defined"
" 10 privacy areas of focus</link>, OpenStack deployments within a commercial"
" environment may desire to attest to some or all of these principles."
msgstr "OpenStack環境では、組織のプライバシーポリシー、米国 - EU間のセーフハーバーフレームワーク、ISO/IEC 29100:2011 プライバシーフレームワークなど、プライバシー特化ガイドライン遵守の証明を求められることが多いです。米国ではAICPAが<link href=\"http://www.aicpa.org/interestareas/informationtechnology/resources/privacy/generallyacceptedprivacyprinciples/\">重視すべき10のプライバシー項目</link>を公表しており、ビジネス用途のOpenStack環境はそのうちのいくつか、もしくは全原則の立証を期待されます。"
#: ./doc/security-guide/ch065_privacy.xml6(para)
msgid ""
"To aid OpenStack architects in the protection of personal data, it is "
"recommended that OpenStack architects review the NIST publication 800-122, "
"titled \"<emphasis>Guide to Protecting the Confidentiality of Personally "
"Identifiable Information (PII)</emphasis>.\" This guide steps through the "
"process of protecting:"
msgstr "個人情報の保護に取り組むOpenStackアーキテクトを支援するため、OpenStackアーキテクトには、NIST刊行 800-122 \"<emphasis>Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)</emphasis>.をおすすめします。このガイドは以下を保護するプロセスについて述べています。"
#: ./doc/security-guide/ch065_privacy.xml8(para)
msgid ""
"\"<emphasis>any information about an individual maintained by an agency, "
"including (1) any information that can be used to distinguish or trace an "
"individuals identity, such as name, social security number, date and place "
"of birth, mothers maiden name, or biometric records; and (2) any other "
"information that is linked or linkable to an individual, such as medical, "
"educational, financial, and employment information</emphasis>\""
msgstr "\"<emphasis>政府機関が保有するあらゆる個人情報、(1)個人を特定、追跡しうるあらゆる情報、たとえば氏名、社会保障番号、出生年月日、出生地、母の旧姓、生体情報など。および、(2)個人に結びつく、結びつけられるあらゆる情報、たとえば医療、教育、金融、雇用情報など</emphasis>\""
#: ./doc/security-guide/ch065_privacy.xml10(para)
msgid ""
"Comprehensive privacy management requires significant preparation, thought "
"and investment. Additional complications are introduced when building global"
" OpenStack clouds, for example navigating the differences between U.S. and "
"more restrictive E.U. privacy laws. In addition, extra care needs to be "
"taken when dealing with sensitive PII that may include information such as "
"credit card numbers or medical records. This sensitive data is not only "
"subject to privacy laws but also regulatory and governmental regulations. By"
" deferring to established best practices, including those published by "
"governments, a holistic privacy management policy may be created and "
"practiced for OpenStack deployments."
msgstr "包括的なプライバシー管理には、十分な準備、考慮と投資が必要です。また、グローバルなOpenStackクラウドの構築時には、さらなる複雑さに気づくでしょう。米国および、それより厳しいEUのプライバシー法令の違いが良い例です。加えて、クレジットカード番号や医療情報など、機密性の高い個人情報を扱う場合にはさらなる注意が必要です。これら機密性の高い情報はプライバシー法令だけでなく、監視当局や政府規制にも関連します。政府によって発行されたものなど、ベストプラクティスに従うことで、OpenStack環境向けの総合的なプライバシー管理ポリシーが確立、実践されていくでしょう。"
#: ./doc/security-guide/ch032_networking-best-practices.xml3(title)
msgid "Networking Services"
msgstr "Networking サービス"
#: ./doc/security-guide/ch032_networking-best-practices.xml4(para)
msgid ""
"In the initial architectural phases of designing your OpenStack Network "
"infrastructure it is important to ensure appropriate expertise is available "
"to assist with the design of the physical networking infrastructure, to "
"identify proper security controls and auditing mechanisms."
msgstr "あなたの OpenStack ネットワークインフラデザインの概要設計段階では、適切なセキュリティ管理・監査機構を確認する為、物理ネットワークインフラ設計で支援する適切な専門技術が間違いなく利用できる事は重要です。"
#: ./doc/security-guide/ch032_networking-best-practices.xml5(para)
msgid ""
"OpenStack Networking adds a layer of virtualized network services - giving "
"tenants the capability to architect their own, virtual networks. These "
"virtualized services are not as currently as mature as their traditional "
"networking counterparts. It is important to be aware of the current state of"
" these virtualized services and what controls may need to be implemented at "
"the virtualized and traditional network boundary."
msgstr "OpenStack Networking は(テナントに自身の仮想ネットワークを設計する為の機能を提供する)仮想ネットワークサービスのレイヤを追加します。これらの仮想化サービスは、現時点で従来のネットワークコンポーネントのように成熟していません。これらの仮想化技術の現状と、仮想ネットワークと従来のネットワーク境界でどのコントロールを実装する必要があるだろうというを知っておく事は重要です。"
#: ./doc/security-guide/ch032_networking-best-practices.xml7(title)
msgid "L2 Isolation using VLANs and Tunneling"
msgstr "VLAN とトンネリングを使用した L2 分断"
#: ./doc/security-guide/ch032_networking-best-practices.xml8(para)
msgid ""
"OpenStack networking can employ two different mechanisms for traffic "
"segregation on a per tenant/network combination: VLANs (IEEE 802.1Q tagging)"
" or L2 tunnels using GRE encapsulation. Which method you choose for traffic "
"segregation and isolation is determined by the scope and scale of your "
"OpenStack deployment."
msgstr "OpenStack Networking はテナント/ネットワークの組合せ単位で通信を分断する為の、 VLANs (IEEE 802.1Q タギング) 又は GRE カプセル化を使用した L2 トンネルという2つの異なる機構を使用する事が出来ます。通信の分断と独立用にあなたが選択する方式は、あなたの OpenStack デプロイの範囲と規模に依存します。"
#: ./doc/security-guide/ch032_networking-best-practices.xml10(title)
msgid "VLANs"
msgstr "VLAN"
#: ./doc/security-guide/ch032_networking-best-practices.xml11(para)
msgid ""
"VLANs are realized as packets on a specific physical network containing IEEE"
" 802.1Q headers with a specific VLAN ID (VID) field value. VLAN networks "
"sharing the same physical network are isolated from each other at L2, and "
"can even have overlapping IP address spaces. Each distinct physical network "
"supporting VLAN networks is treated as a separate VLAN trunk, with a "
"distinct space of VID values. Valid VID values are 1 through 4094."
msgstr "VLAN は特別な VLAN ID (VID) フィールド値を持つ IEEE 802.1Q ヘッダを含む特別な物理ネットワーク上のパケットを実現します。同じ物理ネットワークを共有する VLAN ネットワーク群は、L2 において相互から独立しており、重複する IP アドレス空間を持つ事すら可能です。VLAN ネットワークに対応した各個別の物理ネットワークは、独自の VID 値を持つ独立した VLAN トランクとして扱われます。有効な VID 値は14094です。"
#: ./doc/security-guide/ch032_networking-best-practices.xml12(para)
msgid ""
"VLAN configuration complexity depends on your OpenStack design requirements."
" In order to allow OpenStack Networking to efficiently use VLANs, you must "
"allocate a VLAN range (one for each tenant) and turn each compute node "
"physical switch port into a VLAN trunk port."
msgstr "VLAN 設定の複雑さはあなたの OpenStack 設計要件に依存します。OpenStack Networking がVLAN を効率良く使用できるようにする為に、VLAN 範囲を (各テナントに1つ) 割り当てて、各 compute ノードの物理スイッチポートを VLAN トランクポートに変更する必要があります。"
#: ./doc/security-guide/ch032_networking-best-practices.xml14(para)
msgid ""
"NOTE: If you intend for your network to support more than 4094 tenants VLAN "
"is probably not the correct option for you as multiple 'hacks' are required "
"to extend the VLAN tags to more than 4094 tenants."
msgstr "注意あなたのネットワークを4095 以上のテナントに対応するようにしたい場合、VLAN はあなたにとって多分正しい選択肢ではありません。なぜなら、4095 以上に VLAN タグを拡張する為の複数の「改造」が必要だからです。"
#: ./doc/security-guide/ch032_networking-best-practices.xml18(title)
msgid "L2 Tunneling"
msgstr "L2 トンネリング"
#: ./doc/security-guide/ch032_networking-best-practices.xml19(para)
msgid ""
"Network tunneling encapsulates each tenant/network combination with a unique"
" \"tunnel-id\" that is used to identify the network traffic belonging to "
"that combination. The tenant's L2 network connectivity is independent of "
"physical locality or underlying network design. By encapsulating traffic "
"inside IP packets, that traffic can cross Layer-3 boundaries, removing the "
"need for preconfigured VLANs and VLAN trunking. Tunneling adds a layer of "
"obfuscation to network data traffic, reducing the visibility of individual "
"tenant traffic from a monitoring point of view."
msgstr "Network tunneling encapsulates each tenant/network combination with a unique \"tunnel-id\" \nネットワークトンネリングは、固有の「トンネルID」を用いてテナントネットワークの各組合せをカプセル化します。これは、上記の組合せに属するネットワーク通信を独立させる為に使用されます。テナントの L2 ネットワーク接続は、物理的配置や下層のネットワーク設計から独立しています。IP パケット内で通信をカプセル化する事により、通信はレイヤ境界を越える事ができ、VLAN や VLAN とランキングの事前設定の必要が無くなります。トンネリングはネットワークのデータ通信に不明瞭なレイヤを追加し、監視の観点で個々のテナント通信の可視性を低下させます。"
#: ./doc/security-guide/ch032_networking-best-practices.xml20(para)
msgid ""
"OpenStack Networking currently only supports GRE encapsulation with planned "
"future support of VXLAN due in the Havana release."
msgstr "OpenStack Networking は現在 GRE カプセル化のみサポートしており、Havana リリースで VXLAN をサポートする計画があります。"
#: ./doc/security-guide/ch032_networking-best-practices.xml21(para)
msgid ""
"The choice of technology to provide L2 isolation is dependent upon the scope"
" and size of tenant networks that will be created in your deployment. If "
"your environment has limited VLAN ID availability or will have a large "
"number of L2 networks, it is our recommendation that you utilize tunneling."
msgstr "L2 分断を提供する技術の選択は、あなたのデプロイで作成される予定のテナントネットワークの範囲とサイズに依存します。あなたの環境が VLAN ID の利用で制限がある場合や、大多数の L2 ネットワークが見込まれる場合、トンネリングの使用を推奨します。"
#: ./doc/security-guide/ch032_networking-best-practices.xml25(title)
msgid "Network Services"
msgstr "ネットワークサービス"
#: ./doc/security-guide/ch032_networking-best-practices.xml26(para)
msgid ""
"The choice of tenant network isolation affects how the network security and "
"control boundary is implemented for tenant services. The following "
"additional network services are either available or currently under "
"development to enhance the security posture of the OpenStack network "
"architecture."
msgstr "テナントネットワーク分断の選択はネットワークセキュリティと制御境界をどのように実装するかに影響します。\n以下の追加ネットワークサービスは利用可能か、OpenStack ネットワークアーキテクチャのセキュリティポーズを拡張する為の開発中かのいずれかです。"
#: ./doc/security-guide/ch032_networking-best-practices.xml28(title)
msgid "Access Control Lists"
msgstr "アクセスコントロールリスト"
#: ./doc/security-guide/ch032_networking-best-practices.xml29(para)
msgid ""
"OpenStack Compute supports tenant network traffic access controls directly "
"when deployed with the legacy nova-network service, or may defer access "
"control to the OpenStack Networking service."
msgstr "OpenStack Compute は、旧式の nova-network サービスでデプロイする場合、テナントネットワーク通信のアクセス制御を直接サポートします。又は、OpenStack Networking サービスにアクセス制御を任せる事も出来ます。"
#: ./doc/security-guide/ch032_networking-best-practices.xml30(para)
msgid ""
"Note, legacy nova-network security groups are applied to all virtual "
"interface ports on an instance using IPTables."
msgstr "注:旧式の nova-network セキュリティグループは、Iptables を使用してインスタンス上の全ての仮想インターフェースポートに適用されます。"
#: ./doc/security-guide/ch032_networking-best-practices.xml31(para)
msgid ""
"Security groups allow administrators and tenants the ability to specify the "
"type of traffic, and direction (ingress/egress) that is allowed to pass "
"through a virtual interface port. Security groups rules are stateful L2-L4 "
"traffic filters."
msgstr "セキュリティグループでは、管理者とテナントが仮想インターフェースポート通過を許可する通信のタイプと方向(内向き/外向き)を指定できるようになっています。"
#: ./doc/security-guide/ch032_networking-best-practices.xml32(para)
msgid ""
"It is our recommendation that you enable security groups via OpenStack "
"Networking."
msgstr "OpenStack Networking 経由でセキュリティグループを有効にする事をお勧めします。"
#: ./doc/security-guide/ch032_networking-best-practices.xml35(title)
msgid "L3 Routing and NAT"
msgstr "L3 ルーティングおよび NAT"
#: ./doc/security-guide/ch032_networking-best-practices.xml36(para)
msgid ""
"OpenStack Networking routers can connect multiple L2 networks, and can also "
"provide a <emphasis>gateway</emphasis> that connects one or more private L2 "
"networks to a shared <emphasis>external</emphasis> network, such as a public"
" network for access to the Internet."
msgstr "OpenStack Networking のルータは複数の L2 ネットワークを接続でき、1つ以上のプライベート L2 ネットワークを共有<emphasis>外部</emphasis>ネットワーク(インターネットアクセス用のパブリックネットワーク等)に接続する<emphasis>ゲートウェイ</emphasis>を提供する事も出来ます。"
#: ./doc/security-guide/ch032_networking-best-practices.xml37(para)
msgid ""
"The L3 router provides basic Network Address Translation (NAT) capabilities "
"on <emphasis>gateway</emphasis> ports that uplink the router to external "
"networks. This router SNATs (Static NAT) all traffic by default, and "
"supports floating IPs, which creates a static one-to-one mapping from a "
"public IP on the external network to a private IP on one of the other "
"subnets attached to the router."
msgstr "L3 ルータは、外部ネットワークへのルータに接続する<emphasis>ゲートウェイ</emphasis>ポート上の基本的なネットワークアドレス変換 (NAT) 機能を提供します。このルータはデフォルトで全てのネットワークの SNAT (静的 NAT) を行います。これは、外部ネットワーク上のパブリック IP アドレスから、ルータにアタッチされた他の1サブネットのプライベート IP アドレスへ変換する静的な1対1マッピングを作成します。"
#: ./doc/security-guide/ch032_networking-best-practices.xml38(para)
msgid ""
"It is our recommendation to leverage per tenant L3 routing and Floating IPs "
"for more granular connectivity of tenant VMs."
msgstr "テナント VM のより粒度の細かいテナント L3 ルーティングとフローティング IP 単位で設定する事をお勧めします。"
#: ./doc/security-guide/ch032_networking-best-practices.xml41(title)
msgid "Quality of Service (QoS)"
msgstr "サービス品質(QoS)"
#: ./doc/security-guide/ch032_networking-best-practices.xml42(para)
msgid ""
"The ability to set QoS on the virtual interface ports of tenant instances is"
" a current deficiency for OpenStack Networking. The application of QoS for "
"traffic shaping and rate-limiting at the physical network edge device is "
"insufficient due to the dynamic nature of workloads in an OpenStack "
"deployment and can not be leveraged in the traditional way.  QoS-"
"as-a-Service (QoSaaS) is currently in development for the OpenStack "
"Networking Havana release as an experimental feature. QoSaaS is planning to "
"provide the following services:"
msgstr "現在の OpenStack Networking にはテナントインスタンスの仮想インターフェースポート上の QoS 設定機能が欠如しています。物理ネットワークエッジデバイスにおけるトラフィックシェーピングやレートリミットの為の QoS 活用は、OpenStack デプロイ中のワークロードの動的な性質の為に実装されておらず、従来の方法では設定できません。QoS-as-a-Service (QoSaaS) は実験的な機能として現在 OpenStack Networking Havana リリース用に開発中です。QoSaaS は以下のサービスを提供する計画です。"
#: ./doc/security-guide/ch032_networking-best-practices.xml44(para)
msgid "Traffic shaping via DSCP markings"
msgstr "DSCP マーキングによるトラフィックシェーピング"
#: ./doc/security-guide/ch032_networking-best-practices.xml47(para)
msgid "Rate-limiting on a per port/network/tenant basis."
msgstr "ポート・ネットワーク・テナント単位のレートリミット"
#: ./doc/security-guide/ch032_networking-best-practices.xml50(para)
msgid "Port mirroring (via open source or third-party plugins)"
msgstr "ポートミラーリング (オープンソースのサードパーティ製プラグイン使用)"
#: ./doc/security-guide/ch032_networking-best-practices.xml53(para)
msgid "Flow analysis (via open source or third-party plugins)"
msgstr "フロー分析 (オープンソースのサードパーティプラグイン使用)"
#: ./doc/security-guide/ch032_networking-best-practices.xml56(para)
msgid ""
"Tenant traffic port mirroring or Network Flow monitoring is currently not an"
" exposed feature in OpenStack Networking. There are third-party plugin "
"extensions that do provide Port Mirroring on a per port/network/tenant "
"basis. If Open vSwitch is used on the networking hypervisor, it is possible "
"to enable sFlow and port mirroring, however it will require some operational"
" effort to implement."
msgstr "テナントトラフィックポートミラーリング又はNetwork Flow モニタリングは現在、OpenStack Networking の機能として公開されていません。ポート/ネットワーク/テナント単位でポートミラーリングを行うサードパーティ製のプラグイン拡張があります。ハイパーバイザー上で Open vSwitch を使用する場合、sFlow とポートミラーリングを有効にできますが、実装には幾つかの運用操作が必要になるでしょう。"
#: ./doc/security-guide/ch032_networking-best-practices.xml59(title)
msgid "Load Balancing"
msgstr "ロードバランシング"
#: ./doc/security-guide/ch032_networking-best-practices.xml60(para)
msgid ""
"An experimental feature in the Grizzly release of OpenStack Networking is "
"Load-Balancer-as-a-service (LBaaS). The LBaaS API gives early adopters and "
"vendors a chance to build implementations of the technology. The reference "
"implementation however, is still experimental and should likely not be run "
"in a production environment. The current reference implementation is based "
"on HA-Proxy. There are third-party plugins in development for extensions in "
"OpenStack Networking to provide extensive L4-L7 functionality for virtual "
"interface ports."
msgstr "OpenStack Networking の Grizzly リリースにおける実験的機能の1つが Load-Balancer-as-a-service (LBaaS) です。LBaaS API は、アーリーアダプターやベンダーに LBaaS 技術の実装を行う機会を提供します。しかしながら、リファレンス実装は未だ実験段階で、商用環境で使用されているという話は聞きません。現在のリファレンス実装は HAProxy をベースにしています。仮想インターフェースポート用の拡張可能な L4-L7 機能を提供する OpenStack Networking 中の拡張用に開発中のサードパーティプラグインがあります。"
#: ./doc/security-guide/ch032_networking-best-practices.xml63(title)
msgid "Firewalls"
msgstr "ファイアウォール"
#: ./doc/security-guide/ch032_networking-best-practices.xml64(para)
msgid ""
"FW-as-a-Service (FWaaS) is currently in development for the OpenStack "
"Networking Havana release as an experimental feature. FWaaS will address the"
" need to manage and leverage the rich set of security features provided by "
"typical firewall products which are typically far more comprehensive than "
"what is currently provided by security groups. There are third-party plugins"
" in development for extensions in OpenStack Networking to support this."
msgstr "FW-as-a-Service (FWaaS) は実験的機能として OpenStack Networking Havana リリースに向けて現在開発中です。FWaaS は現在セキュリティグループにより提供されるものより一般にはかなり広い典型的なファイアウォール製品により提供される豊富なセキュリティ機能を管理・設定する為に呼ばれます。現在、FWaaS をサポートするために、OpenStack ネットワーキングの拡張用サードパーティプラグインが開発されているところです。"
#: ./doc/security-guide/ch032_networking-best-practices.xml65(para)
msgid ""
"It is critical during the design of an OpenStack Networking infrastructure "
"to understand the current features and limitations of network services that "
"are available. Understanding where the boundaries of your virtual and "
"physical networks will help you add the required security controls in your "
"environment."
msgstr "利用可能なネットワークサービスの現在の機能と制限を理解する事は OpenStack Networking の設計上極めて重要です。仮想/物理ネットワークの境界がどこかを理解する事は、あなたの環境で要求されたセキュリティコントロールを追加する際の助けになるでしょう。"
#: ./doc/security-guide/ch032_networking-best-practices.xml69(title)
msgid "Network Services Extensions"
msgstr "ネットワークサービス拡張"
#: ./doc/security-guide/ch032_networking-best-practices.xml70(para)
msgid ""
"Here is a list of known plugins provided by the open source community or by "
"SDN companies that work with OpenStack Networking:"
msgstr "以下はオープンソースコミュニティ又はSDN企業によって提供された、 OpenStack Networking で動作する既知のプラグインの一覧です。"
#: ./doc/security-guide/ch032_networking-best-practices.xml71(para)
msgid ""
"Big Switch Controller Plugin, Brocade Neutron Plugin Brocade Neutron Plugin,"
" Cisco UCS/Nexus Plugin, Cloudbase Hyper-V Plugin, Extreme Networks Plugin, "
"Juniper Networks Neutron Plugin, Linux Bridge Plugin, Mellanox Neutron "
"Plugin, MidoNet Plugin, NEC OpenFlow Plugin, Nicira Network Virtualization "
"Platform (NVP) Plugin, Open vSwitch Plugin, PLUMgrid Plugin, Ruijie Networks"
" Plugin, Ryu OpenFlow Controller Plugin"
msgstr "Big Switch Controller Plugin, Brocade Neutron Plugin Brocade Neutron Plugin, Cisco UCS/Nexus Plugin, Cloudbase Hyper-V Plugin, Extreme Networks Plugin, Juniper Networks Neutron Plugin, Linux Bridge Plugin, Mellanox Neutron Plugin, MidoNet Plugin, NEC OpenFlow Plugin, Nicira Network Virtualization Platform (NVP) Plugin, Open vSwitch Plugin, PLUMgrid Plugin, Ruijie Networks Plugin, Ryu OpenFlow Controller Plugin"
#: ./doc/security-guide/ch032_networking-best-practices.xml72(para)
msgid ""
"For a more detailed comparison of all features provided by plugins as of the"
" Folsom release, see <link href=\"http://www.sebastien-"
"han.fr/blog/2012/09/28/quantum-plugin-comparison/\">Sebastien Han's "
"comparison</link>."
msgstr ""
#: ./doc/security-guide/ch032_networking-best-practices.xml75(title)
msgid "Networking Services Limitations"
msgstr "Networking サービスの制限事項"
#: ./doc/security-guide/ch032_networking-best-practices.xml76(para)
msgid "OpenStack Networking has the following known limitations:"
msgstr "OpenStack Networking は以下の制限があります。"
#: ./doc/security-guide/ch032_networking-best-practices.xml78(para)
msgid ""
"<emphasis role=\"bold\">Overlapping IP addresses</emphasis> — If nodes that "
"run either <literal>neutron-l3-agent</literal> or <literal>neutron-dhcp-"
"agent</literal> use overlapping IP addresses, those nodes must use Linux "
"network namespaces. By default, the DHCP and L3 agents use Linux network "
"namespaces. However, if the host does not support these namespaces, run the "
"DHCP and L3 agents on different hosts."
msgstr ""
#: ./doc/security-guide/ch032_networking-best-practices.xml79(para)
msgid ""
"If network namespace support is not present, a further limitation of the L3 "
"Agent is that only a single logical router is supported."
msgstr ""
#: ./doc/security-guide/ch032_networking-best-practices.xml82(para)
msgid ""
"<emphasis role=\"bold\">Multi-Host DHCP-agent</emphasis> — OpenStack "
"Networking supports multiple l3-agent and dhcp-agents with load balancing. "
"However, tight coupling of the location of the virtual machine is not "
"supported."
msgstr ""
#: ./doc/security-guide/ch032_networking-best-practices.xml85(para)
msgid ""
"<emphasis role=\"bold\">No IPv6 Support for L3 agents</emphasis> — The "
"neutron-l3-agent, used by many plugins to implement L3 forwarding, supports "
"only IPv4 forwarding."
msgstr ""
#. When image changes, this message will be marked fuzzy or untranslated for
#. you.
#. It doesn't matter what you translate it to: it's not used at all.
#: ./doc/security-guide/ch055_security-services-for-instances.xml47(None)
#: ./doc/security-guide/ch055_security-services-for-instances.xml50(None)
msgid ""
"@@image: 'static/filteringWorkflow1.png'; "
"md5=c144af5cbdee1bd17a7bde0bea5b5fe7"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml3(title)
msgid "Security Services for Instances"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml4(para)
msgid ""
"One of the virtues of running instances in a virtualized environments is "
"that it opens up new opportunities for security controls that are not "
"typically available when deploying onto bare metal. There are several "
"technologies that can be applied to the virtualization stack that bring "
"improved information assurance for cloud tenants."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml5(para)
msgid ""
"Deployers or users of OpenStack with strong security requirements may want "
"to consider deploying these technologies. Not all are applicable in every "
"situation, indeed in some cases technologies may be ruled out for use in a "
"cloud because of prescriptive business requirements. Similarly some "
"technologies inspect instance data such as run state which may be "
"undesirable to the users of the system."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml6(para)
msgid ""
"In this chapter we explore these technologies and describe the situations "
"where they can be used to enhance security for instances or underlying "
"instances. We also seek to highlight where privacy concerns may exist. These"
" include data pass through, introspection, or providing a source of entropy."
" In this section we highlight the following additional security services:"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml8(para)
msgid "Entropy to Instances"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml11(para)
#: ./doc/security-guide/ch055_security-services-for-instances.xml28(title)
msgid "Scheduling Instances to Nodes"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml14(para)
#: ./doc/security-guide/ch055_security-services-for-instances.xml88(title)
msgid "Trusted Images"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml17(para)
#: ./doc/security-guide/ch055_security-services-for-instances.xml153(title)
msgid "Instance Migrations"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml21(title)
msgid "Entropy To Instances"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml22(para)
msgid ""
"We consider entropy to refer to the quality and source of random data that "
"is available to an instance. Cryptographic technologies typically rely "
"heavily on randomness, requiring a high quality pool of entropy to draw "
"from. It is typically hard for a virtual machine to get enough entropy to "
"support these operations. Entropy starvation can manifest in instances as "
"something seemingly unrelated for example, slow boot times because the "
"instance is waiting for ssh key generation. Entropy starvation may also "
"motivate users to employ poor quality entropy sources from within the "
"instance, making applications running in the cloud less secure overall."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml23(para)
msgid ""
"Fortunately, a cloud architect may address these issues by providing a high "
"quality source of entropy to the cloud instances. This can be done by having"
" enough hardware random number generators (HRNG) in the cloud to support the"
" instances. In this case, \"enough\" is somewhat domain specific. For "
"everyday operations, a modern HRNG is likely to produce enough entropy to "
"support 50-100 compute nodes. High bandwidth HRNGs, such as the RdRand "
"instruction available with Intel Ivy Bridge and newer processors could "
"potentially handle more nodes. For a given cloud, an architect needs to "
"understand the application requirements to ensure that sufficient entropy is"
" available."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml24(para)
msgid ""
"Once the entropy is available in the cloud, the next step is getting that "
"entropy into the instances. Tools such as the entropy gathering daemon "
"(<link href=\"http://egd.sourceforge.net/\">EGD</link>) provide a way to "
"fairly and securely distribute entropy through a distributed system. Support"
" exists for using the EGD as an entropy source for LibVirt."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml25(para)
msgid ""
"Compute support for these features is not generally available, but it would "
"only require a moderate amount of work for implementors to integrate this "
"functionality."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml29(para)
msgid ""
"Before an instance is created, a host for the image instantiation must be "
"selected. This selection is performed by the <systemitem class=\"service"
"\">nova-scheduler</systemitem> which determines how to dispatch compute and "
"volume requests."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml30(para)
msgid ""
"The default nova scheduler in Grizzly is the Filter Scheduler, although "
"other schedulers exist (see the section <link "
"href=\"http://docs.openstack.org/trunk/config-reference/content"
"/section_compute-scheduler.html\">Scheduling</link> in the "
"<citetitle>OpenStack Configuration Reference</citetitle>). The filter "
"scheduler works in collaboration with 'filters' to decide where an instance "
"should be started. This process of host selection allows administrators to "
"fulfil many different security requirements. Depending on the cloud "
"deployment type for example, one could choose to have tenant instances "
"reside on the same hosts whenever possible if data isolation was a primary "
"concern, conversely one could attempt to have instances for a tenant reside "
"on as many different hosts as possible for availability or fault tolerance "
"reasons. The following diagram demonstrates how the filter scheduler works:"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml53(para)
msgid ""
"The use of scheduler filters may be used to segregate customers, data, or "
"even discard machines of the cloud that cannot be attested as secure. This "
"generally applies to all OpenStack projects offering a scheduler. When "
"building a cloud, you may choose to implement scheduling filters for a "
"variety of security-related purposes."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml54(para)
msgid ""
"Below we highlight a few of the filters that may be useful in a security "
"context, depending on your requirements, the full set of filter "
"documentation is documented in the <link "
"href=\"http://docs.openstack.org/trunk/config-reference/content/filter-"
"scheduler.html\">Filter Scheduler</link> section of the <citetitle>OpenStack"
" Configuration Reference</citetitle>."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml55(emphasis)
msgid "Tenant Driven Whole Host Reservation"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml56(para)
msgid ""
"There currently exists a <link "
"href=\"https://blueprints.launchpad.net/nova/+spec/whole-host-"
"allocation\">blueprint for whole host reservation</link> - This would allow "
"a tenant to exclusively reserve hosts for only it's instances, incurring "
"extra costs."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml58(title)
msgid "Host Aggregates"
msgstr "ホストアグリゲート"
#: ./doc/security-guide/ch055_security-services-for-instances.xml59(para)
msgid ""
"While not a filter in themselves, host aggregates allow administrators to "
"assign key-value pairs to groups of machines. This allows cloud "
"administrators, not users, to partition up their compute host resources. "
"Each node can have multiple aggregates (see the <link "
"href=\"http://docs.openstack.org/trunk/config-reference/content/host-"
"aggregates.html\">Host Aggregates</link> section of the <citetitle>OpenStack"
" Configuration Reference</citetitle> for more information on creating and "
"managing aggregates)."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml70(title)
msgid "AggregateMultiTenancyIsolation"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml71(para)
msgid ""
"Isolates tenants to specific host aggregates. If a host is in an aggregate "
"that has the metadata key <literal>filter_tenant_id</literal> it will only "
"create instances from that tenant (or list of tenants). A host can be in "
"multiple aggregates. If a host does not belong to an aggregate with the "
"metadata key, it can create instances from all tenants."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml74(title)
msgid "DifferentHostFilter"
msgstr "DifferentHostFilter"
#: ./doc/security-guide/ch055_security-services-for-instances.xml75(para)
msgid ""
"Schedule the instance on a different host from a set of instances. To take "
"advantage of this filter, the requester must pass a scheduler hint, using "
"<literal>different_host</literal> as the key and a list of instance uuids as"
" the value. This filter is the opposite of the "
"<literal>SameHostFilter</literal>."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml78(title)
msgid "GroupAntiAffinityFilter"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml79(para)
msgid ""
"The GroupAntiAffinityFilter ensures that each instance in a group is on a "
"different host. To take advantage of this filter, the requester must pass a "
"scheduler hint, using <literal>group</literal> as the key and a list of "
"instance uuids as the value."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml82(title)
msgid "Trusted Compute Pools"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml83(para)
msgid ""
"There exists a scheduler filter which integrates with the <link "
"href=\"https://github.com/OpenAttestation/OpenAttestation\">Open Attestation"
" Project</link> (OATS) to define scheduler behavior according to the "
"attestation of PCRs received from a system using Intel TXT."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml84(para)
msgid ""
"It is unclear if this feature is compatible with AMD's similar SEM, although"
" the OpenAttestation agent relies on the vendor-agnostic <link "
"href=\"http://trousers.sourceforge.net/\">TrouSerS library</link>."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml89(para)
msgid ""
"With regards to images, users will be working with pre-installed images or "
"images that they upload themselves. In both cases, users will want to ensure"
" that the image they are ultimately running has not been tampered with. This"
" requires some source of truth such as a checksum for the known good version"
" of an image as well as verification of the running image. This section "
"describes the current best practices around image handling, while also "
"calling out some of the existing gaps in this space."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml91(title)
msgid "Image Creation Process"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml92(para)
msgid ""
"The OpenStack Documentation provides guidance on how to create and upload an"
" image to Glance. Additionally it is assumed that you have a process by "
"which you install and harden operating systems. Thus, the following items "
"will provide additional guidance on how to ensure your images are built "
"securely prior to upload. There are a variety of options for obtaining "
"images. Each has specific steps that help validate the image's provenance."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml93(para)
msgid "The first option is to obtain boot media from a trusted source."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml103(para)
msgid ""
"The second option is to use the <link href=\"http://docs.openstack.org/trunk"
"/image-guide/content/\"><citetitle>OpenStack Virtual Maschine Image "
"Guide</citetitle></link>. In this case, you will want to follow your "
"organizations OS hardening guidelines or those provided by a trusted third-"
"party such as the <link "
"href=\"http://iase.disa.mil/stigs/os/unix/red_hat.html\">RHEL6 STIG</link>."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml104(para)
msgid ""
"The final option is to use an automated image builder. The following example"
" uses the Oz image builder. The OpenStack community has recently created a "
"newer tool worth investigating: disk-image-builder. We have not evaluated "
"this tool from a security perspective."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml105(para)
msgid ""
"Example of RHEL 6 CCE-26976-1 which will help implement NIST 800-53 Section "
"<emphasis>AC-19(d) in</emphasis> Oz."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml142(para)
msgid ""
"Note, it is the recommendation of this guide to shy away from the manual "
"image building process as it is complex and prone to error. Further, using "
"an automated system like Oz or disk-image-builder for image building, or a "
"configuration management utility like Chef or Puppet for post boot image "
"hardening gives you the ability to produce a consistent image as well as "
"track compliance of your base image to its respective hardening guidelines "
"over time."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml143(para)
msgid ""
"If subscribing to a public cloud service, you should check with the cloud "
"provider for an outline of the process used to produce their default images."
" If the provider allows you to upload your own images, you will want to "
"ensure that you are able to verify that your image was not modified before "
"you spin it up. To do this, refer to the following section on Image "
"Provenance."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml146(title)
msgid "Image Provenance and Validation"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml147(para)
msgid ""
"Unfortunately, it is not currently possible to force Compute to validate an "
"image hash immediately prior to starting an instance. To understand the "
"situation, we begin with a brief overview of how images are handled around "
"the time of image launch."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml148(para)
msgid ""
"Images come from the glance service to the nova service on a node. This "
"transfer should be protected by running over SSL. Once the image is on the "
"node, it is verified with a basic checksum and then it's disk is expanded "
"based on the size of the instance being launched. If, at a later time, the "
"same image is launched with the same instance size on this node, it will be "
"launched from the same expanded image. Since this expanded image is not re-"
"verified before launching, it could be tampered with and the user would not "
"have any way of knowing, beyond a manual inspection of the files in the "
"resulting image."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml149(para)
msgid ""
"We hope that future versions of Compute and/or the Image Service will offer "
"support for validating the image hash before each instance launch. An "
"alternative option that would be even more powerful would be allow users to "
"sign an image and then have the signature validated when the instance is "
"launched."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml154(para)
msgid ""
"OpenStack and the underlying virtualization layers provide for the Live "
"Migration of images between OpenStack nodes allowing you to seamlessly "
"perform rolling upgrades of your OpenStack Compute nodes without instance "
"downtime. However, Live Migrations also come with their fair share of risk. "
"To understand the risks involved, it is important to first understand how a "
"live migration works. The following are the high level steps preformed "
"during a live migration."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml156(para)
msgid "Start instance on destination host"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml157(para)
msgid "Transfer memory"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml158(para)
msgid "Stop the guest &amp; sync disks"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml159(para)
msgid "Transfer state"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml160(para)
msgid "Start the guest"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml163(title)
msgid "Live Migration Risks"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml164(para)
msgid ""
"At various stages of the live migration process the contents of an instances"
" run time memory and disk are transmitted over the network in plain text. "
"Thus there are several risks that need to be addressed when using live "
"migration. The following in-exhaustive list details some of these risks:"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml166(para)
msgid ""
"<emphasis>Denial of Service (DoS)</emphasis> : If something fails during the"
" migration process, the instance could be lost."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml169(para)
msgid ""
"<emphasis>Data Exposure</emphasis> : Memory or disk transfers must be "
"handled securely."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml172(para)
msgid ""
"<emphasis>Data Manipulation</emphasis> : If memory or disk transfers are not"
" handled securely, then an attacker could manipulate user data during the "
"migration."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml175(para)
msgid ""
"<emphasis>Code Injection</emphasis> : If memory or disk transfers are not "
"handled securely, then an attacker could manipulate executables, either on "
"disk or in memory, during the migration."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml180(title)
msgid "Live Migration Mitigations"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml181(para)
msgid ""
"There are several methods to mitigate some of the risk associated with live "
"migrations, the following list details some of these:"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml183(para)
#: ./doc/security-guide/ch055_security-services-for-instances.xml193(title)
msgid "Disable Live Migration"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml186(para)
msgid "Isolated Migration Network"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml189(para)
#: ./doc/security-guide/ch055_security-services-for-instances.xml204(title)
msgid "Encrypted Live Migration"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml194(para)
msgid ""
"At this time, live migration is enabled in OpenStack by default. Live "
"migrations can be disabled by adding the following lines to the nova "
"policy.json file:"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml200(title)
msgid "Migration Network"
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml201(para)
msgid ""
"As a general practice, live migration traffic should be restricted to the "
"management security domain. Indeed live migration traffic, due to its plain "
"text nature and the fact that you are transferring the contents of disk and "
"memory of a running instance, it is recommended you further separate live "
"migration traffic onto a dedicated network. Isolating the traffic to a "
"dedicated network can reduce the risk of exposure."
msgstr ""
#: ./doc/security-guide/ch055_security-services-for-instances.xml205(para)
msgid ""
"If your use case involves keeping live migration enabled, then libvirtd can "
"provide tunneled, encrypted live migrations. That said, this feature is not "
"currently exposed in OpenStack Dashboard, nor the nova-client commands and "
"can only be accessed through manual configuration of libvritd. Encrypted "
"live migration modifies the live migration process by first copying the "
"instance data from the running hypervisor to libvirtd. From there an "
"encrypted tunnel is created between the libvirtd processes on both hosts. "
"Finally, the destination libvirtd process copies the instance back to the "
"underlying hypervisor."
msgstr ""
#: ./doc/security-guide/ch061_compliance-overview.xml3(title)
msgid "Compliance Overview"
msgstr "コンプライアンス概要"
#: ./doc/security-guide/ch061_compliance-overview.xml4(para)
msgid ""
"An OpenStack deployment may require compliance activities for many purposes,"
" such as regulatory and legal requirements, customer need, privacy "
"considerations, and security best practices. Compliance, when done "
"correctly, unifies and strengthens the other security topics discussed in "
"this guide. This chapter has several objectives:"
msgstr "OpenStackの環境構築において、監督当局からの要求、法的な要件、顧客ニーズ、プライバシーへの配慮、セキュリティのベストプラクティスなど、様々な理由でコンプライアンス活動が必要となるでしょう。コンプライアンス活動を適切に実施することで、このガイドで議論した他のセキュリティトピックスは統合、強化されます。この章の目的は以下の通りです。"
#: ./doc/security-guide/ch061_compliance-overview.xml6(para)
msgid "Review common security principles."
msgstr "共通のセキュリティ原則を確認する"
#: ./doc/security-guide/ch061_compliance-overview.xml9(para)
msgid ""
"Discuss common control frameworks and certification resources to achieve "
"industry certifications or regulator attestations."
msgstr "業界認定や監督当局の認証を得るために必要な、共通コントロールフレームワークと認定リソースを説明する"
#: ./doc/security-guide/ch061_compliance-overview.xml12(para)
msgid "Act as a reference for auditors when evaluating OpenStack deployments."
msgstr "監査人がOpenStack環境を評価する際のリファレンスとなる"
#: ./doc/security-guide/ch061_compliance-overview.xml15(para)
msgid ""
"Introduce privacy considerations specific to OpenStack and cloud "
"environments."
msgstr "OpenStackおよびクラウド環境におけるプライバシーの考慮事項を説明する"
#: ./doc/security-guide/ch061_compliance-overview.xml19(title)
msgid "Security Principles"
msgstr "セキュリティ原則"
#: ./doc/security-guide/ch061_compliance-overview.xml20(para)
msgid ""
"Industry standard security principles provide a baseline for compliance "
"certifications and attestations. If these principles are considered and "
"referenced throughout an OpenStack deployment, certification activities may "
"be simplified."
msgstr "業界標準のセキュリティ原則は、コンプライアンス認証、認定のための基準を提供します。もしそれらの原則が対象のOpenStack環境で考慮、適用されていれば、認証を得る活動はシンプルになるでしょう。"
#: ./doc/security-guide/ch061_compliance-overview.xml22(para)
msgid ""
"<emphasis>Layered Defenses</emphasis>: Identify where risks exist in a cloud"
" architecture and apply controls to mitigate the risks. In areas of "
"significant concern, layered defences provide multiple complementary "
"controls to further mitigate risk. For example, to ensure adequate isolation"
" between cloud tenants, we recommend hardening QEMU, using a hypervisor with"
" SELinux support, enforcing mandatory access control policies, and reducing "
"the overall attack surface. The foundational principle is to harden an area "
"of concern with multiple layers of defense such that if any one layer is "
"compromised, other layers will exist to offer protection and minimize "
"exposure."
msgstr "<emphasis>多層防御</emphasis>: クラウドアーキテクチャ内にあるリスクの存在場所を特定し、そのリスクを緩和すべく、コントロールします。特に懸念される部分では、多層防御はさらなるリスク緩和のため、相互補完的なコントロールを提供します。たとえば、クラウド内のテナント間の十分な独立性を確保するには、QEMUの強化、SELinuxサポートのハイパーバイザーを使う、強制アクセス制御の適用、攻撃対象面の縮小、などの対応を推奨します。この基本的な原則により、懸念される部分が強化されます。なぜなら仮に、ある階層が危険にさらされても、他の階層が防御し攻撃面を最小化するからです。"
#: ./doc/security-guide/ch061_compliance-overview.xml25(para)
msgid ""
"<emphasis>Fail Securely</emphasis>: In the case of failure, systems should "
"be configured to fail into a closed secure state. For example, SSL "
"certificate verification should fail closed by severing the network "
"connection if the CNAME doesn't match the server's DNS name. Software often "
"fails open in this situation, allowing the connection to proceed without a "
"CNAME match, which is less secure and not recommended."
msgstr "<emphasis>フェイルセーフ</emphasis>: 障害が発生した際に、システムは独立、安全な状態で停止するように構成されているべきです。たとえば、SSL証明書の検証では、もしそのCNAMEがサーバーのDNS名と一致しなければ、ネットワーク接続を切断し、停止すべきでしょう。CNAMEが一致しないのに接続の継続してしまうようなソフトウェアも存在します。それが安全性が低く、好ましくない状況であるにも関わらずです。"
#: ./doc/security-guide/ch061_compliance-overview.xml28(para)
msgid ""
"<emphasis>Least Privilege</emphasis>: Only the minimum level of access for "
"users and system services is granted. This access is based upon role, "
"responsibility and job function. This security principal of least privilege "
"is written into several international government security policies, such as "
"NIST 800-53 Section AC-6 within the United States. "
msgstr "<emphasis>最小権限</emphasis>: ユーザーとシステムサービスには最小限のアクセス権限のみを付与すべきです。アクセス権限は役割、責任と職務にもとづきます。この最小権限原則は、いくつかの国際セキュリティポリシーに明記されています。たとえば米国のNIST 800-53 AC-6項が挙げられます。"
#: ./doc/security-guide/ch061_compliance-overview.xml31(para)
msgid ""
"<emphasis>Compartmentalize</emphasis>: Systems should be segregated in a "
"such way that if one machine, or system-level service, is compromised the "
"security of the other systems will remain intact. Practically, the "
"enablement and proper usage of SELinux helps accomplish this goal."
msgstr "<emphasis>コンパートメント化</emphasis>: システムは、仮にあるマシンやシステムレベルのサービスが危険にさらされたとしても、影響がない他のシステムとは分離されているべきです。SELinuxの正しい使用は、この目標を達成するのに役立ちます。"
#: ./doc/security-guide/ch061_compliance-overview.xml34(para)
msgid ""
"<emphasis>Promote Privacy</emphasis>: The amount of information that can be "
"gathered about a system and its users should be minimized."
msgstr "<emphasis>プライバシー保護の奨励</emphasis>: システムとそのユーザーに関わる、収集可能な情報量は最小限とすべきです。"
#: ./doc/security-guide/ch061_compliance-overview.xml37(para)
msgid ""
"<emphasis>Logging Capability</emphasis>: Appropriate logging is implemented "
"to monitor for unauthorized use, incident response and forensics. It is "
"highly recommended that selected audit subsystems be Common Criteria "
"certified, which provides non-attestable event records in most countries."
msgstr "<emphasis>ロギング機能</emphasis>: 適切なロギングは、不正利用の監視や障害対応、証拠収集に役立ちます。多くの国において、それを再度証明する必要が無い、Common Criteria認定をうけた監査サブシステムの採用を強くおすすめします。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml3(title)
msgid "Certification &amp; Compliance Statements"
msgstr "認証とコンプライアンスの報告書"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml4(para)
msgid ""
"Compliance and security are not exclusive, and must be addressed together. "
"OpenStack deployments are unlikely to satisfy compliance requirements "
"without security hardening. The listing below provides an OpenStack "
"architect foundational knowledge and guidance to achieve compliance against "
"commercial and government certifications and standards."
msgstr "コンプライアンスとセキュリティは排他的でなく、あわせて取り組むべきものです。OpenStack環境は、セキュリティの強化なしに、コンプライアンス要件を充足することができないでしょう。以下のリストは、OpenStackアーキテクト向けの、商業規格および政府機関の認証を得るための基本的な知識とガイダンスです。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml6(title)
msgid "Commercial Standards"
msgstr "商業規格"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml7(para)
msgid ""
"For commercial deployments of OpenStack, it is recommended that SOC 1/2 "
"combined with ISO 2700 1/2 be considered as a starting point for OpenStack "
"certification activities. The required security activities mandated by these"
" certifications facilitate a foundation of security best practices and "
"common control criteria that can assist in achieving more stringent "
"compliance activities, including government attestations and certifications."
msgstr "OpenStackの商用環境向けには、まずは開始点として、SOC 1/2とISO 27001/2の検討を推奨します。そこで要求されるセキュリティ活動を確実に実行することで、セキュリティのベストプラクティスと共通統制基準を導入を促進し、政府系認定などの、より厳格なコンプライアンス活動の取得にも役立ちます。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml8(para)
msgid ""
"After completing these initial certifications, the remaining certifications "
"are more deployment specific. For example, clouds processing credit card "
"transactions will need PCI-DSS, clouds storing health care information "
"require HIPAA, and clouds within the federal government may require "
"FedRAMP/FISMA, and ITAR, certifications. "
msgstr "これらの基本的認証を取得したのち、より環境特有の認証を検討します。たとえば、クラウドがクレジットカードのトランザクションを扱うのであればPCI-DSSが必要ですし、ヘルスケア情報を保持するならHIPPAが、連邦政府向けにはFedRAMP/FISMA、ITAR認証が必要となるでしょう。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml10(title)
msgid "SOC 1 (SSAE 16) / ISAE 3402"
msgstr "SOC 1 (SSAE 16) / ISAE 3402"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml11(para)
msgid ""
"Service Organization Controls (SOC) criteria are defined by the <link "
"href=\"http://www.aicpa.org/\">American Institute of Certified Public "
"Accountants</link> (AICPA). SOC controls assess relevant financial "
"statements and assertions of a service provider, such as compliance with the"
" Sarbanes-Oxley Act. SOC 1 is a replacement for Statement on Auditing "
"Standards No. 70 (SAS 70) Type II report. These controls commonly include "
"physical data centers in scope."
msgstr "Service Organization Controls (SOC)基準は米国公認会計士協会 - <link href=\"http://www.aicpa.org/\">American Institute of Certified Public Accountants</link> (AICPA)によって定められています。SOC統制はサービスプロバイダーの関連財務諸表と主張を評価します。たとえばSarbanes-Oxley法への準拠などです。SOC 1はStatement on Auditing Standards No. 70 (SAS 70) Type II 報告書を代替します。これらの統制は物理的なデータセンターを評価範囲に含みます。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml13(para)
msgid "There are two types of SOC 1 reports:"
msgstr "SOC 1報告書には二つの種類があります。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml15(para)
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml28(para)
msgid ""
"Type 1 report on the fairness of the presentation of managements "
"description of the service organizations system and the suitability of the "
"design of the controls to achieve the related control objectives included in"
" the description as of a specified date."
msgstr "Type 1 - サービス提供組織がその管理について説明し、その公正さをレポートします。特定時点で関連する管理対象を統制できているか、その設計の持続可能性も報告します。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml18(para)
msgid ""
"Type 2 report on the fairness of the presentation of managements "
"description of the service organizations system and the suitability of the "
"design and operating effectiveness of the controls to achieve the related "
"control objectives included in the description throughout a specified period"
msgstr "Type 2 - サービス提供組織がその管理について説明し、その公正さをレポートします。特定期間において関連する管理対象を統制できているか、その設計と運用の効率性の持続可能性も報告します。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml21(para)
msgid ""
"For more details see the <link "
"href=\"http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPASOC1Report.aspx\">AICPA"
" Report on Controls at a Service Organization Relevant to User Entities "
"Internal Control over Financial Reporting</link>."
msgstr "詳細は<link href=\"http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPASOC1Report.aspx\">AICPA Report on Controls at a Service Organization Relevant to User Entities Internal Control over Financial Reporting</link>を参照してください。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml24(title)
msgid "SOC 2"
msgstr "SOC 2"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml25(para)
msgid ""
"Service Organization Controls (SOC) 2 is a self attestation of controls that"
" affect the security, availability, and processing integrity of the systems "
"a service organization uses to process users' data and the confidentiality "
"and privacy of information processed by these system. Examples of users are "
"those responsible for governance of the service organization; customers of "
"the service organization; regulators; business partners; suppliers and "
"others who have an understanding of the service organization and its "
"controls."
msgstr "Service Organization Controls (SOC) 2は、サービス提供組織がユーザーデータとその情報の機密性とプライバシーを制御するために使っているシステムのセキュリティ、可用性、および処理の完全性に関する統制の自己証明です。ユーザーの例は、サービス組織を統制する人、サービス組織の顧客、監視当局、ビジネスパートナー、サプライヤー、およびサービス組織の理解者やそれを統制する人です。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml26(para)
msgid "There are two types of SOC 2 reports:"
msgstr "SOC 2報告書には二つの種類があります。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml31(para)
msgid ""
"Type 2 report on the fairness of the presentation of managements "
"description of the service organizations system and the suitability of the "
"design and operating effectiveness of the controls to achieve the related "
"control objectives included in the description throughout a specified "
"period."
msgstr "Type 2 - サービス組織が統制対象を統制するために使用するシステム、設計の持続性、および運用効率性に関する管理者の説明内容が公正かをレポートします。特定期間を通しての説明も必要です。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml34(para)
msgid ""
"For more details see the <link "
"href=\"http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPASOC2Report.aspx\">AICPA"
" Report on Controls at a Service Organization Relevant to Security, "
"Availability, Processing Integrity, Confidentiality or Privacy</link>."
msgstr "詳細は<link href=\"http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPASOC2Report.aspx\">AICPA Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy</link>を参照してください。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml38(title)
msgid "SOC 3"
msgstr "SOC 3"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml39(para)
msgid ""
"Service Organization Controls (SOC) 3 is a trust services report for service"
" organizations. These reports are designed to meet the needs of users who "
"want assurance on the controls at a service organization related to "
"security, availability, processing integrity, confidentiality, or privacy "
"but do not have the need for or the knowledge necessary to make effective "
"use of a SOC 2 Report. These reports are prepared using the AICPA/Canadian "
"Institute of Chartered Accountants (CICA) Trust Services Principles, "
"Criteria, and Illustrations for Security, Availability, Processing "
"Integrity, Confidentiality, and Privacy. Because they are general use "
"reports, SOC 3 Reports can be freely distributed or posted on a website as a"
" seal."
msgstr "Service Organization Controls (SOC) 3はサービス提供組織のための公的なサービス報告書です。これらのレポートはサービス組織のセキュリティ、可用性、処理の完全性、機密性、またはプライバシーに関する統制の保証を求めるユーザーニーズを満たすためのレポートです。ただし、SOC 2報告書ほどの情報は必要ありません。SOC 3報告書はAICPA/Canadian Institute of Chartered Accountants (CICA)のTrust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacyをもって作成されています。SOC 3は一般的に使われる報告書であり、Webサイト上で証明書として自由に配布できます。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml40(para)
msgid ""
"For more details see the <link "
"href=\"http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPASOC3Report.aspx\">AICPA"
" Trust Services Report for Service Organizations</link>."
msgstr "詳細は<link href=\"http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPASOC3Report.aspx\">AICPA Trust Services Report for Service Organizations</link>を参照してください。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml43(title)
msgid "ISO 27001/2"
msgstr "ISO 27001/2"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml44(para)
msgid ""
"The ISO/IEC 27001/2 standards replace BS7799-2, and are specifications for "
"an Information Security Management System (ISMS). An ISMS is a comprehensive"
" set of policies and processes that an organization creates and maintains to"
" manage risk to information assets.  These risks are based upon the "
"confidentiality, integrity, and availability (CIA) of user information. The "
"CIA security triad has been used as a foundation for much of the chapters in"
" this book."
msgstr "ISO/IEC 27001/2はBS7799-2の後継標準で、Information Security Management System (ISMS)の要件です。ISMSは組織が情報資産のリスクを管理するために作成、維持する、ポリシーとプロセスの包括的なセットです。それらのリスクはユーザー情報のConfidentiality - 機密性、Integrity - 完全性、および Availability - 可用性 (CIA)に深く関係しています。CIAセキュリティの三要素は、このガイドの多くの章で基本となっています。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml45(para)
msgid ""
"For more details see <link href=\"http://www.27000.org/iso-27001.htm\">ISO "
"27001</link>."
msgstr "詳細は<link href=\"http://www.27000.org/iso-27001.htm\">ISO 27001</link>を参照してください。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml48(title)
msgid "HIPAA / HITECH"
msgstr "HIPAA / HITECH"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml49(para)
msgid ""
"The Health Insurance Portability and Accountability Act (HIPAA) is a United "
"States congressional act that governs the collection, storage, use and "
"destruction of patient health records. The act states that Protected Health "
"Information (PHI) must be rendered \"unusable, unreadable, or "
"indecipherable\" to unauthorized persons and that encryption for data 'at-"
"rest' and 'inflight' should be addressed."
msgstr "Health Insurance Portability and Accountability Act (HIPAA)は米国の健康保険における可搬性と責任に関する法律で、カルテ情報の収集、保存、および廃棄に関するルールを定めています。この法律は、保護医療情報 (Protected Health Information, PHI)は、権限のない人が\"利用できない、読めない、複合できない\"ように変換されなければいけないこと、また、データが保存中でも、処理中でも、暗号化するべきであることに言及しています。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml50(para)
msgid ""
"HIPAA is not a certification, rather a guide for protecting healthcare data."
"  Similar to the PCI-DSS, the most important issues with both PCI and HIPPA "
"is that a breach of credit card information, and health data, do not occur. "
"In the instance of a breach the cloud provider will be scrutinized for "
"compliance with PCI and HIPPA controls. If proven compliant, the provider "
"can be expected to immediately implement remedial controls, breach "
"notification responsibilities, and significant expenditure on additional "
"compliance activities.  If not compliant, the cloud provider can expect on-"
"site audit teams, fines, potential loss of merchant ID (PCI), and massive "
"reputational impact."
msgstr "HIPPAは認証ではなく、カルテ情報の保護に関するガイドラインです。PCI-DSSと似ています。PCIとHIPAAの両方でもっとも重要な課題は、クレジットカード情報とカルテ情報が流出しないようにすることです。クラウドプロバイダーによる流出があった場合、PCIとHIPAAの統制下において検査されます。その内容が遵守に足るものであれば、そのプロバイダーはすみやかに是正措置の実行と情報流出の通知、およびコンプライアンス活動予算の大幅な追加を期待されます。もし足るものでなければ、現地での査察、罰金、merchant ID (PCI)の失効、および評判に大きな傷がつくことが予想されます。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml51(para)
msgid ""
"Users or organizations that possess PHI must support HIPAA requirements and "
"are HIPAA covered entities. If an entity intends to use a service, or in "
"this case, an OpenStack cloud that might use, store or have access to that "
"PHI, then a Business Associate Agreement must be signed. The BAA is a "
"contract between the HIPAA covered entity and the OpenStack service provider"
" that requires the provider to handle that PHI in accordance with HIPAA "
"requirements. If the service provider does not handle the PHI (e.g. with "
"security controls and hardening) then they are subject to HIPAA fines and "
"penalties."
msgstr "カルテ情報を所有するユーザーや組織はHIPPAの要件をサポートし、HIPAA対象事業者となる必要があります。もしこの事業者がサービスを、この場合は対象のOpenStackクラウドがカルテ情報を利用、保存、アクセスしうるのであれば、HIPAA Business Associate Agreement - BAAの締結が必要です。BAAはHIPAA対象事業者と、HIPAA要件に従ってカルテ情報を扱っているOpenStackサービスプロバイダーの間で締結されます。もしサービスプロバイダーがカルテ情報を要件通りに扱っていなければ(セキュリティ統制、強化を怠るなど)、HIPAAの罰金や罰則が適用されることがあります。 "
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml52(para)
msgid ""
"OpenStack architects interpret and respond to HIPAA statements, with data "
"encryption remaining a core practice. Currently this would require any "
"protected health information contained within an OpenStack deployment to be "
"encrypted with industry standard encryption algorithms. Potential future "
"OpenStack projects such as object encryption will facilitate HIPAA "
"guidelines for compliance with the act."
msgstr "OpenStackアーキテクトはHIPAAの条項を解釈し、対応します。データ暗号化はその中核となる活動です。現在、OpenStack環境に保存される、いかなる保護カルテ情報にも暗号化を要求され、業界標準の暗号化アルゴリズムの採用が期待されます。なお、将来予定されている、たとえばオブジェクト暗号化などのOpenStackプロジェクトは、法令遵守のためHPAAガイドラインの適用を促進するでしょう。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml53(para)
msgid ""
"For more details see the <link href=\"https://www.cms.gov/Regulations-and-"
"Guidance/HIPAA-Administrative-"
"Simplification/HIPAAGenInfo/downloads/HIPAALaw.pdf\">Health Insurance "
"Portability And Accountability Act</link>."
msgstr "詳細は<link href=\"https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/downloads/HIPAALaw.pdf\">Health Insurance Portability And Accountability Act</link>を参照してください。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml55(title)
msgid "PCI-DSS"
msgstr "PCI-DSS"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml56(para)
msgid ""
"The Payment Card Industry Data Security Standard (PCI DSS) is defined by the"
" Payment Card Industry Standards Council, and created to increase controls "
"around card holder data to reduce credit card fraud. Annual compliance "
"validation is assessed by an external Qualified Security Assessor (QSA) who "
"creates a Report on Compliance (ROC), or by a Self-Assessment Questionnaire "
"(SAQ) dependent on volume of card-holder transactions.  "
msgstr "Payment Card Industry Data Security Standard (PCI DSS)はPayment Card Industry Standards Councilで定義されました。目的は、クレジットカード不正の防止のため、カード所有者情報に関する統制度を向上することです。コンプライアンス検査は年次で、外部のコンプライアンス評価報告書(Report on Compliance, ROC)を作成する認定評価機関 (Qualified Security Assessor, QSA)、もしくは、自己評価問診票(Self-Assessment Questionnaire, SAQ)によって実施されます。これはカード所有者のトランザクション量に依存します。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml57(para)
msgid ""
"OpenStack deployments which stores, processes, or transmits payment card "
"details are in scope for the PCI-DSS. All OpenStack components that are not "
"properly segmented from systems or networks that handle payment data fall "
"under the guidelines of the PCI-DSS. Segmentation in the context of PCI-DSS "
"does not support multi-tenancy, but rather physical separation "
"(host/network). "
msgstr "カード情報を保存、処理、転送するOpenStack環境は、PCI-DSSの対象です。カード情報を扱うシステムやネットワークが正しく分離されていないすべてのOpenStackコンポーネントは、PCI-DSSのガイドラインに適合しません。PCI-DSSでいう分離は、マルチ手ナンシーを認めておらず、(サーバーおよびネットワークの)物理的な分離が必要です。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml58(para)
msgid ""
"For more details see <link "
"href=\"https://www.pcisecuritystandards.org/security_standards/\">PCI "
"security standards</link>."
msgstr "詳細は<link href=\"https://www.pcisecuritystandards.org/security_standards/\">PCI security standards</link>を参照してください。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml62(title)
msgid "Government Standards"
msgstr "政府標準"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml64(title)
msgid "FedRAMP"
msgstr "FedRAMP"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml65(para)
msgid ""
"\"The <link href=\"http://www.fedramp.gov\">Federal Risk and Authorization "
"Management Program</link> (FedRAMP) is a government-wide program that "
"provides a standardized approach to security assessment, authorization, and "
"continuous monitoring for cloud products and services\". NIST 800-53 is the "
"basis for both FISMA and FedRAMP which mandates security controls "
"specifically selected to provide protection in cloud environments. FedRAMP "
"can be extremely intensive from specificity around security controls, and "
"the volume of documentation required to meet government standards."
msgstr "\"<link href=\"http://www.fedramp.gov\">Federal Risk and Authorization Management Program</link> (FedRAMP)は米国連邦政府全体のプログラムであり、クラウド製品とサービスのセキュリティ評価、認証、および継続的モニタリングの、標準化された手順を提供します\" NIST 800-53はFISMAとRedRAMPの両方の基礎であり、特にクラウド環境における保護を提供するために選択されたセキュリティ統制を強制します。セキュリティ統制に関する具体性と政府標準を満たすための文書量を、FedRAMPは徹底しています。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml66(para)
msgid ""
"For more details see <link "
"href=\"http://www.gsa.gov/portal/category/102371\">http://www.gsa.gov/portal/category/102371</link>."
msgstr "詳細は<link href=\"http://www.gsa.gov/portal/category/102371\">http://www.gsa.gov/portal/category/102371</link>を参照してください。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml69(title)
msgid "ITAR"
msgstr "ITAR"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml70(para)
msgid ""
"The International Traffic in Arms Regulations (ITAR) is a set of United "
"States government regulations that control the export and import of defense-"
"related articles and services on the United States Munitions List (USML) and"
" related technical data. ITAR is often approached by cloud providers as an "
"\"operational alignment\" rather than a formal certification. This typically"
" involves implementing a segregated cloud environment following practices "
"based on the NIST 800-53 framework, as per FISMA requirements, complemented "
"with additional controls restricting access to \"U.S. Persons\" only and "
"background screening."
msgstr "International Traffic in Arms Regulations (ITAR)は米国政府規制の集合であり、米国軍需品リスト(United States Munitions List, USML)と関連技術情報に関係する防衛物品・サービスの輸出入を統制します。ITARは正式な認証というより、\"軍事活動支援\"の位置づけでクラウドプロバイダーから提示されます。この統制は一般的に、NIST 800-53フレームワークにもとづき、分離されたクラウド環境の実装を意味します。FISMA要件により、米国民かつ身元審査された人のみがアクセスできるよう、追加の統制で補完します。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml72(para)
msgid ""
"For more details see <link "
"href=\"http://pmddtc.state.gov/regulations_laws/itar_official.html\">http://pmddtc.state.gov/regulations_laws/itar_official.html</link>."
msgstr "詳細は<link href=\"http://pmddtc.state.gov/regulations_laws/itar_official.html\">http://pmddtc.state.gov/regulations_laws/itar_official.html</link>を参照してください。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml75(title)
msgid "FISMA"
msgstr "FISMA"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml76(para)
msgid ""
"The Federal Information Security Management Act requires that government "
"agencies create a comprehensive plan to implement numerous government "
"security standards, and was enacted within the E-Government Act of 2002. "
"FISMA outlines a process, which utilizing multiple NIST publications, "
"prepares an information system to store and process government data."
msgstr "米国連邦情報セキュリティマネジメント法 - Federal Information Security Management Act requires、FISMAは、政府機関は多数の政府セキュリティ標準を実装するために、包括的な計画を作成する必要があるとして、2002年 電子政府法 - E-Government Act of 2002 内で制定されました。FISMAは多数のNIST公表文献を活用し、政府のデータを保存、処理する情報システムを作成するためのプロセスを説明しています。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml77(para)
msgid "This process is broken apart into three primary categories:"
msgstr "このプロセスは三つの主要カテゴリに分割されています。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml79(para)
msgid ""
"<emphasis role=\"bold\">System Categorization</emphasis>The information "
"system will receive a security category as defined in Federal Information "
"Processing Standards Publication 199 (FIPS 199). These categories reflect "
"the potential impact of system compromise."
msgstr "<emphasis role=\"bold\">システムのカテゴリ分け</emphasis> 情報システムは連邦情報処理規格( Federal Information Processing Standards Publication 199, FIPS 199)で定められたセキュリティカテゴリに分類されます。これらのカテゴリはシステムの情報漏洩の潜在的な影響を反映しています。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml83(para)
msgid ""
"<emphasis role=\"bold\">Control Selection</emphasis>Based upon system "
"security category as defined in FIPS 199, an organization utilizes FIPS 200 "
"to identify specific security control requirements for the information "
"system. For example, if a system is categorized as “moderate” a requirement "
"may be introduced to mandate “secure passwords.”"
msgstr "<emphasis role=\"bold\">統制の選択</emphasis> FIPS 199で定められたシステムセキュリティのカテゴリにもとづき、組織は情報システムのための特定のセキュリティ統制要求を特定すべく、FIPS 200を活用します 。たとえば、もしシステムが\"中程度\"と分類されているのであれば、安全なパスワードの強制が求められるでしょう。"
#: ./doc/security-guide/ch064_certifications-compliance-statements.xml86(para)
msgid ""
"<emphasis role=\"bold\">Control Tailoring</emphasis>Once system security "
"controls are identified, an OpenStack architect will utilize NIST 800-53 to "
"extract tailored control selection, e.g. specification of what constitutes a"
" “secure password.”"
msgstr "<emphasis role=\"bold\">統制の適用</emphasis> システムのセキュリティが特定されれば、OpenStackアーキテクトは選択した統制を適用するために、NIST 800-53を活用します。たとえば、安全なパスワードの構成を仕様化するなど。"
#: ./doc/security-guide/ch039_case-studies-messaging.xml3(title)
msgid "Case Studies: Messaging"
msgstr "ケーススタディ: メッセージング"
#: ./doc/security-guide/ch039_case-studies-messaging.xml4(para)
msgid ""
"The message queue is a critical piece of infrastructure that supports a "
"number of OpenStack services but is most strongly associated with the "
"Compute service. Due to the nature of the message queue service, Alice and "
"Bob have similar security concerns. One of the larger concerns that remains "
"is that many systems have access to this queue and there is no way for a "
"consumer of the queue messages to verify which host or service placed the "
"messages on the queue. An attacker who is able to successfully place "
"messages on the queue is able to create and delete VM instances, attach the "
"block storage of any tenant and a myriad of other malicious actions. There "
"are a number of solutions on the horizon to fix this, with several proposals"
" for message signing and encryption making their way through the OpenStack "
"development process."
msgstr "メッセージキューは、多数の OpenStack サービスを支える重要なインフラストラクチャであり、特にコンピュートサービスと強く結びついています。メッセージキューサービスの性質上、アリスとボブが抱えるセキュリティ上の懸念はよく似ています。特に大きな残課題は、数多くのシステムがキューにアクセスしているものの、キューメッセージのコンシューマーには、キューを発行したホストやサービスを確かめる手立てがないことです。攻撃者がキューの発行に成功すると、仮想マシンの作成や削除をしたり、あらゆるテナントのブロックストレージに接続するなど、他にも無数の悪意のある攻撃が可能になってしまいます。\nこれを防ぐためのソリューションが出始めており、いくつかはメッセージへの署名と暗号化を使ったものが OpenStack の開発プロセスで進んでいます。"
#: ./doc/security-guide/ch039_case-studies-messaging.xml7(para)
msgid ""
"In this case Alice's controls mimic those Bob has deployed for the public "
"cloud."
msgstr "このケースでは、アリスの方法はボブがパブリッククラウドに展開した方法と同じものを使用します。"
#: ./doc/security-guide/ch039_case-studies-messaging.xml11(para)
msgid ""
"Bob assumes that at some point infrastructure or networks underpinning the "
"Compute service may become compromised. Due to this, he recognizes the "
"importance of locking down access to the message queue. To do this Bob "
"deploys his RabbitMQ servers with SSL and X.509 client auth for access "
"control. This in turn limits the capabilities of an attacker who has "
"compromised a system that does not have queue access."
msgstr "ボブは、コンピュートサービスを支えるインフラストラクチャとネットワークがある時点でセキュリティ侵害に会うと仮定します。そして、メッセージキューへのアクセス制限の重要性に気づきました。\nそこで、RabbitMQ サーバーに SSL と X.509 クライアントアクセス制御を適用することにします。これにより、キューアクセスを持たないシステムを乗っ取られても、攻撃者の能力を制限することができます。"
#: ./doc/security-guide/ch039_case-studies-messaging.xml12(para)
msgid ""
"Additionally, Bob adds strong network ACL rulesets to enforce which "
"endpoints can communicate with the message servers. This second control "
"provides some additional assurance should the other protections fail."
msgstr "さらにボブは、メッセージサーバーと通信できるエンドポイントを、強力なネットワークの ACL ルールセットで制限することにしました。この2個目の制限が、他の防御が失敗した場合の保険として機能します。"
#: ./doc/security-guide/ch066_case-studies-compliance.xml3(title)
msgid "Case Studies: Compliance"
msgstr "ケーススタディ: コンプライアンス"
#: ./doc/security-guide/ch066_case-studies-compliance.xml4(para)
msgid ""
"In this case study we discuss how Alice and Bob would address common "
"compliance requirements. The preceding chapter refers to a wide variety of "
"compliance certifications and standards. Alice will address compliance in a "
"private cloud, while Bob will be focused on compliance for a public cloud."
msgstr "このケーススタディでは、アリスとボブがどのように一般的なコンプライアンス要件に対応するかを説明します。これまでの章で、さまざまなコンプライアンス認証と標準について言及しました。アリスはプライベートクラウドでコンプライアンスに取り組み、いっぽうボブはパブリッククラウド向けのコンプライアンスに注力します。"
#: ./doc/security-guide/ch066_case-studies-compliance.xml7(para)
msgid ""
"Alice is building an OpenStack private cloud for the United States "
"government, specifically to provide elastic compute environments for signal "
"processing. Alice has researched government compliance requirements, and has"
" identified that her private cloud will be required to certify against FISMA"
" and follow the FedRAMP accreditation process, which is required for all "
"federal agencies, departments and contractors to become a Certified Cloud "
"Provider (CCP). In this particular scenario for signal processing, the FISMA"
" controls required will most likely be FISMA High, which indicates possible "
"\"severe or catastrophic adverse effects\" should the information system "
"become compromised. In addition to FISMA Moderate controls Alice must ensure"
" her private cloud is FedRAMP certified, as this is a requirement for all "
"agencies that currently utilize, or host federal information within a cloud "
"environment."
msgstr "アリスはOpenStackプライベートクラウドを米国政府向けに構築しています。具体的には、信号処理向けの柔軟なコンピューティング環境です。アリスは政府向けコンプライアンス要件を調査した結果、これから構築しようとしているプライベートクラウドはFISMAおよびFedRAMP認定が必要であると判断しました。これは政府系機関、行政部、および契約者、どのような立場であっても、認定クラウドプロバイダー(Certified Cloud Provider, CCP)になるために必要な手続きです。特に信号処理は、FISMAはそれを\"深刻で壊滅的な影響\"をシステムに与えうるとしているため、FISMA影響度が\"高\"となりがちです。加えてFISMA Moderateレベルにおいて、アリスはそのプライベートクラウドを確実にFedRAMP認証としなければいけません。これはクラウド内に政府の情報を保有する、全ての機関に求められてる条件です。"
#: ./doc/security-guide/ch066_case-studies-compliance.xml8(para)
msgid ""
"To meet these strict government regulations Alice undertakes a number of "
"activities. Scoping of requirements is particularly important due to the "
"volume of controls that must be implemented, which will be defined in NIST "
"Publication 800-53."
msgstr "これらの厳しい政府規制の要件を満たすため、アリスは多くの活動を行います。範囲の決定作業は、実装すべき統制の量に影響するため、特に重要です。これはNIST刊行 800-53で定められています。"
#: ./doc/security-guide/ch066_case-studies-compliance.xml9(para)
msgid ""
"All technology within her private cloud must be FIPS certified technology, "
"as mandated within NIST 800-53 and FedRAMP. As the U.S. Department of "
"Defense is involved, Security Technical Implementation Guides (STIGs) will "
"come into play, which are the configuration standards for DOD IA and IA-"
"enabled devices / systems. Alice notices a number of complications here as "
"there is no STIG for OpenStack, so she must address several underlying "
"requirements for each OpenStack service, e.g. the networking SRG and "
"Application SRG will both be applicable (<link "
"href=\"http://iase.disa.mil/srgs/index.html\">list of SRGs</link>). Other "
"critical controls include ensuring that all identities in the cloud use PKI,"
" that SELinux is enabled, that encryption exists for all wire-level "
"communications, and that continuous monitoring is in place and clearly "
"documented. Alice is not concerned with object encryption, as this will be "
"the tenants responsibility rather than the provider."
msgstr "彼女のプライベートクラウドで使われる全ての技術は、NIST 800-53とFedRAMPに従い、FIPS認証技術であることが求められます。米国国防省が関わる場合、国防省のIA - Information AssuranceおよびIA-enabled対象機器/システムの構成標準であるSecurity Technical Implementation Guides (STIGs) も関係します。OpenStack向けのSTIGが無くとも、アリスはさまざまな要素を考慮し、各OpenStackサービス毎に、いくつかの潜在的な要件を考慮しなければいけません。たとえば、networking SRG - Security Requirements GuidesとApplication SRGはどちらも対象です(<link href=\"http://iase.disa.mil/srgs/index.html\">list of SRGs</link>)。他の重要な統制として、クラウド内の全てのIDではPKIが使われ、SELinuxが有効であり、すべての全ての通信経路が暗号化でき、持続的に監視が行われ、かつ明快に文書化されていること、などが挙げられます。なお、アリスはオブジェクトの暗号化を考慮しませんでしたが、これはプロバイダーというよりは、テナントの責任であるからです。"
#: ./doc/security-guide/ch066_case-studies-compliance.xml10(para)
msgid ""
"If Alice has adequately scoped and executed these compliance activities, she"
" may begin the process to become FedRAMP compliant by hiring an approved "
"third-party auditor. Typically this process takes up to 6 months, after "
"which she will receive an Authority to Operate and can offer OpenStack cloud"
" services to the government."
msgstr "もしアリスが十分な範囲を定義し、それらのコンプライアンス活動を実施できたのであれば、次は認定外部監査人によるFedRAMP認証の取得プロセスに移ります。一般的にこのプロセスは最長6ヶ月を要します。このステップを経て、Authority to Operate - 注意影響レベル認定 を取得し、OpenStackクラウドサービスを政府に提案できるようになります。"
#: ./doc/security-guide/ch066_case-studies-compliance.xml14(para)
msgid ""
"Bob is tasked with compliance for a new OpenStack public cloud deployment, "
"that is focused on providing cloud services to both small developers and "
"startups, as well as large enterprises. Bob recognizes that individual "
"developers are not necessarily concerned with compliance certifications, but"
" to larger enterprises certifications are critical. Specifically Bob desires"
" to achieve SOC 1, SOC 2 Security, as well as ISO 27001/2 as quickly as "
"possible. Bob references the Cloud Security Alliance Cloud Control Matrix "
"(CCM) to assist in identifying common controls across these three "
"certifications (such as periodic access reviews, auditable logging and "
"monitoring services, risk assessment activities, security reviews, etc). Bob"
" then engages an experienced audit team to conduct a gap analysis on the "
"public cloud deployment, reviews the results and fills any gaps identified. "
"Bob works with other team members to ensure that these security controls and"
" activities are regularly conducted for a typical audit period (~6-12 "
"months)."
msgstr "ボブは新たなOpenStackクラウド環境のコンプライアンス活動を任されています。このクラウドは小規模の開発者やスタートアップだけでなく、大規模企業向けにも注力しています。ボブは個人開発者はコンプライアンス認証を意識することが多くないが、いっぽうで大規模企業向けには認証が重要であることを認識しています。ボブは特にSOC 1、SOC 2、およびISO 27001/2認証を早急に取得したいと考えています。そこでボブは3つの認証に共通する統制を特定するため、Cloud Security Alliance Cloud Control Matrix (CCM)を参考にしました (たとえば、定期的なアクセス検査、監査可能なロギングや監視サービス、リスク評価活動、セキュリティレビューなど)。それからボブは、パブリッククラウドのギャップ評価、結果のレビュー、そして特定されたギャップを埋めるため、経験ある監査人チームと契約します。ボブは他のチームメンバーとともに、それらのセキュリティ統制と活動が一般的な監査期間(〜6-12ヶ月)において、定期的に、確実に機能するようにします。"
#: ./doc/security-guide/ch066_case-studies-compliance.xml31(para)
msgid ""
"At the end of the audit period Bob has arranged for an external audit team "
"to review in-scope security controls at randomly sampled points of time over"
" a 6 month period. The audit team provides Bob with an official report for "
"SOC 1 and SOC 2, and separately for ISO 27001/2. As Bob has been diligent in"
" ensuring security controls are in place for his OpenStack public cloud, "
"there are no additional gaps exposed on the report. Bob can now provide "
"these official reports to his customers under NDA, and advertise that he is "
"SOC 1, SOC 2 and ISO 27001/2 compliant on his website."
msgstr "監査期間の最後にボブは外部監査人チームとの調整を行います。目的は、6ヶ月以上にわたって無作為なタイミングで実施した、セキュリティ統制のレビューです。そして、監査人チームはボブにSOC 1とSOC 2、また別途ISO 27001/2向けの公式な報告書を提供します。ボブのパブリッククラウド採用における勤勉な取り組みの結果、指摘されるような追加のギャップはありませんでした。ボブは正式な報告書を彼の顧客にNDA下で提供でき、また、SOC 1、SOC 2、およびISO 27001/2に準拠していることを彼のウェブサイトでアピールできるようになりました。"
#: ./doc/security-guide/ch021_paste-and-middleware.xml3(title)
msgid "API Endpoint Configuration Recommendations"
msgstr "APIエンドポイント構成に関する推奨事項"
#: ./doc/security-guide/ch021_paste-and-middleware.xml4(para)
msgid ""
"This chapter provides recommendations for improving the security of both "
"public and internal endpoints."
msgstr "この章では外部と内部のエンドポイントのセキュリティ向上するための推奨事項を提供します。"
#: ./doc/security-guide/ch021_paste-and-middleware.xml6(title)
msgid "Internal API Communications"
msgstr "内部API通信"
#: ./doc/security-guide/ch021_paste-and-middleware.xml7(para)
msgid ""
"OpenStack provides both public facing and private API endpoints. By default,"
" OpenStack components use the publicly defined endpoints. The recommendation"
" is to configure these components to use the API endpoint within the proper "
"security domain."
msgstr "OpenStackはパブリックとプライベート両方のAPIエンドポイントを提供します。デフォルトではOpenStackコンポーネントはパブリックとして定義されたエンドポイントを使用します。推奨はこれらのコンポーネントを適切なセキュリティドメイン内で使用するよう構成することです。"
#: ./doc/security-guide/ch021_paste-and-middleware.xml8(para)
msgid ""
"Services select their respective API endpoints based on the OpenStack "
"service catalog.  The issue here is these services may not obey the listed "
"public or internal API end point values. This can lead to internal "
"management traffic being routed to external API endpoints."
msgstr "サービスはOpenStackサービスカタログに基づいて、それぞれのAPIエンドポイントを選択します。ここでの問題は、これらのサービスがリストされた外部もしくは内部APIエンドポイントの値に従わないことがあります。これは内部管理トラフィックが外部APIエンドポイントへルーティングされる可能性があります。"
#: ./doc/security-guide/ch021_paste-and-middleware.xml10(title)
msgid "Configure Internal URLs in Identity Service Catalog"
msgstr "認証サービスのカタログ内の内部URL構成"
#: ./doc/security-guide/ch021_paste-and-middleware.xml11(para)
msgid ""
"The Identity Service catalog should be aware of your internal URLs. While "
"this feature is not utilized by default, it may be leveraged through "
"configuration. Additionally, it should be forward-compatible with expectant "
"changes once this behavior becomes the default."
msgstr ""
#: ./doc/security-guide/ch021_paste-and-middleware.xml12(para)
msgid "To register an internal URL for an endpoint:"
msgstr "エンドポイント用の内部URL登録"
#: ./doc/security-guide/ch021_paste-and-middleware.xml22(title)
msgid "Configure Applications for Internal URLs"
msgstr "内部URL用のアプリケーション構成"
#: ./doc/security-guide/ch021_paste-and-middleware.xml23(para)
msgid ""
"Some services can be forced to use specific API endpoints.  Therefore, it is"
" recommended that each OpenStack service communicating to the API of another"
" service must be explicitly configured to access the proper internal API "
"endpoint."
msgstr "いくつかのサービスは特定のAPIエンドポイントの仕様を強制することができます。従って、それぞれのOpenStackサービスと他サービスとの通信は明示的に適切な内部APIエンドポイントへアクセスするよう構成する必要があります。"
#: ./doc/security-guide/ch021_paste-and-middleware.xml24(para)
msgid ""
"Each project may present an inconsistent way of defining target API "
"endpoints. Future releases of OpenStack seek to resolve these "
"inconsistencies through consistent use of the Identity Service catalog."
msgstr "各プロジェクトで一貫性の無いAPIエンドポイントを提供しています。将来のリリースにおいてこれらの不一致を認証サービスカタログを使った一貫性で解決しようとしています。"
#: ./doc/security-guide/ch021_paste-and-middleware.xml26(title)
msgid "Configuration Example #1: Nova"
msgstr "構成例#1: Nova"
#: ./doc/security-guide/ch021_paste-and-middleware.xml37(title)
msgid "Configuration Example #2: Cinder"
msgstr "構成例#2: Cinder"
#: ./doc/security-guide/ch021_paste-and-middleware.xml44(title)
msgid "Paste and Middleware"
msgstr "Paste と ミドルウェア"
#: ./doc/security-guide/ch021_paste-and-middleware.xml45(para)
msgid ""
"Most API endpoints and other HTTP services in OpenStack utilize the Python "
"Paste Deploy library. This is important to understand from a security "
"perspective as it allows for manipulation of the request filter pipeline "
"through the application's configuration. Each element in this chain is "
"referred to as <emphasis>middleware</emphasis>. Changing the order of "
"filters in the pipeline or adding additional middleware may have "
"unpredictable security impact."
msgstr "OpenStack内のほぼ全てのAPIエンドポイントと他のHTTPサービスはPythonのPaste Deployライブラリを利用しています。これはアプリケーションの設定によってリクエストフィルターのパイプラインが操作が可能だと理解することがセキュリティの観点から重要になります。このパイプライン連鎖の中のそれぞれの要素は<emphasis>middleware</emphasis>として呼ばれています。パイプラインの中でフィルター順序を変更したり、ミドルウェアを追加すると予期しないセキュリティ上の影響が発生する可能性があります。"
#: ./doc/security-guide/ch021_paste-and-middleware.xml46(para)
msgid ""
"It is not uncommon that implementors will choose to add additional "
"middleware to extend OpenStack's base functionality. We recommend "
"implementors make careful consideration of the potential exposure introduced"
" by the addition of non-standard software components to their HTTP request "
"pipeline."
msgstr "実装者がOpenStackの基本機能を拡張するためにミドルウェアを追加することは珍しくはありません。私たちは非標準のソフトウェアコンポーネントをHTTPリクエストパイプラインへ追加することによって生じる潜在的なセキュリティについて慎重に検討する事を推奨しています。"
#: ./doc/security-guide/ch021_paste-and-middleware.xml47(para)
msgid ""
"Additional information on Paste Deploy may be found at <link "
"href=\"http://pythonpaste.org/deploy/\">http://pythonpaste.org/deploy/</link>."
msgstr "Paste Deployに関する追加情報 <link href=\"http://pythonpaste.org/deploy/\">http://pythonpaste.org/deploy/</link>"
#: ./doc/security-guide/ch021_paste-and-middleware.xml51(title)
msgid "API Endpoint Process Isolation &amp; Policy"
msgstr "APIエンドポイントのプロセス分離とポリシー"
#: ./doc/security-guide/ch021_paste-and-middleware.xml52(para)
msgid ""
"API endpoint processes, especially those that reside within the public "
"security domain should be isolated as much as possible. Where deployments "
"allow, API endpoints should be deployed on separate hosts for increased "
"isolation."
msgstr "特にパブリックなセキュリティドメインに属するAPIエンドポイントプロセスは可能な限り分離すべきです。ディプロイメント可能であれば、APIエンドポイントは分離のために増設されたホスト上に構成すべきです。"
#: ./doc/security-guide/ch021_paste-and-middleware.xml54(title)
#: ./doc/security-guide/ch038_transport-security.xml119(title)
msgid "Namespaces"
msgstr "名前空間"
#: ./doc/security-guide/ch021_paste-and-middleware.xml55(para)
msgid ""
"Many operating systems now provide compartmentalization support. Linux "
"supports namespaces to assign processes into independent domains. System "
"compartmentalization is covered in more detail in other parts of the guide."
msgstr "多くのOSは現在コンパートメント化をサポートしています。Linuxではプロセスに独立したドメインを割り当てる名前空間をサポートしています。システムのコンパートメント化についてはこのマニュアルの別の部分で詳しく説明されています。"
#: ./doc/security-guide/ch021_paste-and-middleware.xml58(title)
#: ./doc/security-guide/ch038_transport-security.xml124(title)
msgid "Network Policy"
msgstr "ネットワークポリシー"
#: ./doc/security-guide/ch021_paste-and-middleware.xml59(para)
msgid ""
"API endpoints typically bridge multiple security domains, as such particular"
" attention should be paid to the compartmentalization of the API processes."
"  See the <emphasis>Security Domain Bridging</emphasis> section for "
"additional information in this area."
msgstr "APIエンドポイントは一般的に複数のセキュリティドメインをまたがるため、APIプロセスのコンパートメント化には特別の注意を払うべきです。追加の情報に関してはこの章の<emphasis>Security Domain Bridging</emphasis> を参照してください。"
#: ./doc/security-guide/ch021_paste-and-middleware.xml60(para)
msgid ""
"With careful modeling, network ACLs and IDS technologies can be use to "
"enforce explicit point to point communication between network services. As "
"critical cross domain service, this type of explicit enforcement works well "
"for OpenStack's message queue service."
msgstr "慎重なデザインを行えば、ネットワークACLとIDS技術をネットワークサービス間の特定の通信に摘要する事が出来ます。重要なドメインをまたがるサービスとして、OpenStackのメッセージキューにこの手の明示的な強制は適しています。"
#: ./doc/security-guide/ch021_paste-and-middleware.xml61(para)
msgid ""
"Policy enforcement can be implemented through the configuration of services,"
" host-based firewalls (such as IPTables), local policy (SELinux or "
"AppArmor), and optionally enforced through global network policy."
msgstr "ポリシーの強制はホストベースのファイアウォール(例えばiptables)やローカルポリシー(SELinuxやAppArmor)、グローバルなネットワークポリシーによって設定することができます。"
#: ./doc/security-guide/ch021_paste-and-middleware.xml64(title)
#: ./doc/security-guide/ch038_transport-security.xml129(title)
#: ./doc/security-guide/ch052_devices.xml87(title)
msgid "Mandatory Access Controls"
msgstr "強制アクセス制御"
#: ./doc/security-guide/ch021_paste-and-middleware.xml65(para)
msgid ""
"API endpoint processes should be isolated from each other and other "
"processes on a machine. The configuration for those processes should be "
"restricted to those processes not only by Discretionary Access Controls, but"
" through Mandatory Access Controls. The goal of these enhanced access "
"control is to aid in the containment and escalation of API endpoint security"
" breaches.  With mandatory access controls, such breaches will severely "
"limit access to resources and provide earlier alerting on such events."
msgstr "APIエンドポイントのプロセスはマシン上の他のプロセスと分離されるべきです。これらのプロセスの構成は任意のアクセス制御方法ではなく、強制アクセス制御によって制限されるべきです。これらのアクセス制御の目的はAPIエンドポイントのセキュリティ侵害の抑制と、特権侵害の防止です。強制アクセス制御を利用する事で、禁止されたリソースへのアクセスが厳しく制限され、早期の警告が得られるようになります。"
#: ./doc/security-guide/ch041_database-backend-considerations.xml3(title)
msgid "Database Backend Considerations"
msgstr ""
#: ./doc/security-guide/ch041_database-backend-considerations.xml4(para)
msgid ""
"The choice of database server is an important consideration in the security "
"of an OpenStack deployment. While security considerations are not the only "
"basis on which a database server must be chosen, security considerations are"
" the only ones within the scope of this book. In practice, OpenStack only "
"supports two database types: PostgreSQL and MySQL."
msgstr ""
#: ./doc/security-guide/ch041_database-backend-considerations.xml5(para)
msgid ""
"PostgreSQL has a number of desirable security features such as Kerberos "
"authentication, object-level security, and encryption support. The "
"PostgreSQL community has done well to provide solid guidance, documentation,"
" and tooling to promote positive security practices."
msgstr ""
#: ./doc/security-guide/ch041_database-backend-considerations.xml6(para)
msgid ""
"MySQL has a large community, wide-spread adoption, and provides high "
"availability options. MySQL also has the ability to provide enhanced client "
"authentication by way of plug-in authentication mechanisms. Forked "
"distributions in the MySQL community provide many options for consideration."
" It is important to choose a specific implementation of MySQL based on a "
"thorough evaluation of the security posture and the level of support "
"provided for the given distribution."
msgstr ""
#: ./doc/security-guide/ch041_database-backend-considerations.xml8(title)
msgid "Security References for Database Backends"
msgstr ""
#: ./doc/security-guide/ch041_database-backend-considerations.xml9(para)
msgid ""
"Those deploying MySQL or PostgreSQL are advised to refer to existing "
"security guidance. Some references are listed below:"
msgstr ""
#: ./doc/security-guide/ch041_database-backend-considerations.xml10(para)
msgid "MySQL:"
msgstr ""
#: ./doc/security-guide/ch041_database-backend-considerations.xml12(link)
msgid "OWASP MySQL Hardening"
msgstr ""
#: ./doc/security-guide/ch041_database-backend-considerations.xml15(link)
msgid "MySQL Pluggable Authentication"
msgstr ""
#: ./doc/security-guide/ch041_database-backend-considerations.xml18(link)
msgid "Security in MySQL"
msgstr ""
#: ./doc/security-guide/ch041_database-backend-considerations.xml21(para)
msgid "PostgreSQL:"
msgstr ""
#: ./doc/security-guide/ch041_database-backend-considerations.xml23(link)
msgid "OWASP PostgreSQL Hardening"
msgstr ""
#: ./doc/security-guide/ch041_database-backend-considerations.xml26(link)
msgid "Total security in a PostgreSQL database"
msgstr ""
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml3(title)
msgid "Management Interfaces"
msgstr "管理インターフェース"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml4(para)
msgid ""
"It is necessary for administrators to perform command and control over the "
"cloud for various operational functions. It is important these command and "
"control facilities are understood and secured."
msgstr "管理者は、様々な運用機能に対してクラウドの管理統制を行う必要があります。また、これらの管理統制機能を理解して、セキュリティの確保を行うことが重要です。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml5(para)
msgid ""
"OpenStack provides several management interfaces for operators and tenants:"
msgstr "OpenStack は、オペレーターやプロジェクト向けに複数の管理インターフェースを提供しています。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml7(para)
msgid "OpenStack Dashboard (Horizon)"
msgstr "OpenStack Dashboard (Horizon)"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml10(para)
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml69(title)
msgid "OpenStack API"
msgstr "OpenStack API"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml13(para)
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml93(title)
msgid "Secure Shell (SSH)"
msgstr "セキュアシェル (SSH)"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml16(para)
msgid "OpenStack Management Utilities (nova-manage, glance-manage, etc.)"
msgstr "OpenStack 管理ユーティリティ (nova-manage、glance-manage など)"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml19(para)
msgid "Out-of-Band Management Interfaces (IPMI, etc.)"
msgstr "帯域外管理インターフェース (IPMI など)"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml24(para)
msgid ""
"The OpenStack Dashboard (Horizon) provides administrators and tenants a web-"
"based graphical interface to provision and access cloud-based resources. The"
" dashboard communicates with the back-end services via calls to the "
"OpenStack API (discussed above)."
msgstr ""
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml26(title)
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml72(title)
#: ./doc/security-guide/ch026_compute.xml13(title)
#: ./doc/security-guide/ch026_compute.xml40(title)
msgid "Capabilities"
msgstr "機能"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml28(para)
msgid ""
"As a cloud administrator, the dashboard provides an overall view of the size"
" and state of your cloud. You can create users and tenants/projects, assign "
"users to tenant/projects and set limits on the resources available for them."
msgstr "クラウド管理者として、ダッシュボードはクラウドのサイズや状態の俯瞰図を確認できます。また、ユーザーやプロジェクト (テナント) の作成、プロジェクト (テナント) へのユーザーの割り当て、ユーザーやプロジェクトで利用可能なリソースの制限設定が可能です。 "
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml31(para)
msgid ""
"The dashboard provides tenant-users a self-service portal to provision their"
" own resources within the limits set by administrators."
msgstr "ダッシュボードでは、プロジェクト/ユーザーに対して、管理者が設定した制限値内で自身のリソースをプロビジョニングするためのセルフサービスポータルを提供します。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml34(para)
msgid ""
"The dashboard provides GUI support for routers and load-balancers. For "
"example, the dashboard now implements all of the main Networking features."
msgstr ""
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml37(para)
msgid ""
"It is an extensible <glossterm>Django</glossterm> web application that "
"allows easy plug-in of third-party products and services, such as billing, "
"monitoring, and additional management tools."
msgstr "Hirozon は拡張可能な <glossterm>Django</glossterm> Web アプリケーションで、請求、監視、追加管理ツールなど、サードパーティーの製品やサービスを簡単にプラグインできるようにします。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml40(para)
msgid ""
"The dashboard can also be branded for service providers and other commercial"
" vendors."
msgstr "また、ダッシュボードはサービスプロバイダーや他の商業ベンダー向けにブランディングすることも可能です。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml47(para)
msgid ""
"The dashboard requires cookies and JavaScript to be enabled in the web "
"browser."
msgstr ""
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml50(para)
msgid ""
"The web server that hosts dashboard should be configured for SSL to ensure "
"data is encrypted."
msgstr ""
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml53(para)
msgid ""
"Both the Horizon web service and the OpenStack API it uses to communicate "
"with the back-end are susceptible to web attack vectors such as denial of "
"service and must be monitored."
msgstr "バックエンドとの対話に使用する Horizon Web サービスおよび OpenStack API はいずれも、サービス妨害 (DoS) などの Web 攻撃ベクトルからの影響を受けるため、必ず監視が必要です。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml56(para)
msgid ""
"It is now possible (though there are numerous deployment/security "
"implications) to upload an image file directly from a users hard disk to "
"Glance through Horizon. For multi-GB images it is still strongly recommended"
" that the upload be done using the Glance CLI"
msgstr "(デプロイメント/セキュリティ関連の問題は多数ありますが) Horizon でユーザーのハードディスクから Glance に直接イメージファイルをアップロードすることができるようになりました。サイズが GB レベルのイメージについては、Glace CLI を使用してイメージをアップロードするよう強く推奨しています。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml59(para)
msgid ""
"Create and manage security groups through dashboard. The security groups "
"allows L3-L4 packet filtering for security policies to protect virtual "
"machines"
msgstr "ダッシュボードからセキュリティグループを作成・管理します。セキュリティグループにより、セキュリティポリシーの L3-L4 パケットをフィルダリングして仮想マシンの保護が可能になります。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml65(citetitle)
msgid "Grizzly Release Notes"
msgstr "Grizzly リリースノート"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml70(para)
msgid ""
"The OpenStack API is a RESTful web service endpoint to access, provision and"
" automate cloud-based resources.  Operators and users typically access the "
"API through command-line utilities (i.e. Nova, Glance, etc.), language-"
"specific libraries, or third-party tools."
msgstr "OpenStack API はクラウドベースのリソースのアクセス、プロビジョニング、自動化を行う RESTful Web サービスのエンドポイントです。オペレーターやユーザーは通常、コマンドラインユーティリティ (Nova、Glance など)、言語固有のライブラリ、またはサードパーティのツールで API にアクセスします。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml74(para)
msgid ""
"To the cloud administrator the API provides an overall view of the size and "
"state of the cloud deployment and allows the creation of users, "
"tenants/projects, assigning users to tenants/projects and specifying "
"resource quotas on a per tenant/project basis."
msgstr "API はクラウド管理者がクラウドデプロイメントのサイズや状態の概要を把握できるようにするだけでなく、ユーザー、プロジェクト (テナント) の作成、プロジェクト (テナント) へのユーザーの割り当て、プロジェクト (テナント) ベースのリソースクォータの指定などができるようにします。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml77(para)
msgid ""
"The API provides a tenant interface for provisioning, managing, and "
"accessing their resources."
msgstr "API はリソースのプロビジョニング、管理、アクセスに使用するプロジェクトインターフェースを提供します。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml84(para)
msgid ""
"The API service should be configured for SSL to ensure data is encrypted."
msgstr "API サービスはデータが確実に暗号化されるように SSL の設定が必要です。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml87(para)
msgid ""
"As a web service, OpenStack API is susceptible to familiar web site attack "
"vectors such as denial of service attacks."
msgstr "Web サービスとして OpenStack API は、サービス妨害 (DoS) 攻撃など、よく知られている Web サイト攻撃ベクトルからの影響を受けます。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml94(para)
msgid ""
"It has become industry practice to use secure shell (SSH) access for the "
"management of Linux and Unix systems. SSH uses secure cryptographic "
"primitives for communication. With the scope and importance of SSH in "
"typical OpenStack deployments, it is important to understand best practices "
"for deploying SSH."
msgstr "Linux や Unix システムの管理にはセキュアシェル (SSH) を使用するのが業界の慣習となっています。SSH は通信にセキュアな暗号化プリミティブを使用します。一般的な OpenStack デプロイメントでの SSH の範囲や重要性において、SSH デプロイのベストプラクティスを把握することが重要です。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml96(title)
msgid "Host Key Fingerprints"
msgstr "ホストキーのフィンガープリント"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml97(para)
msgid ""
"Often overlooked is the need for key management for SSH hosts. As most or "
"all hosts in an OpenStack deployment will provide an SSH service, it is "
"important to have confidence in connections to these hosts. It cannot be "
"understated that failing to provide a reasonably secure and accessible "
"method to verify SSH host key fingerprints is ripe for abuse and "
"exploitation."
msgstr "頻繁に見逃されるのが SSH ホストのキー管理の必要性です。OpenStack デプロイメントホストのすべてまたは多くが SSH サービスを提供します。このようなホストへの接続の信頼性を確保することが重要です。SSH ホストキーのフィンガープリントの検証に関して比較的セキュアでアクセス可能なメソッドを提供できないと、悪用やエクスプロイトの温床となるといっても過言ではありません。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml98(para)
msgid ""
"All SSH daemons have private host keys and, upon connection, offer a host "
"key fingerprint. This host key fingerprint is the hash of an unsigned public"
" key. It is important these host key fingerprints are known in advance of "
"making SSH connections to those hosts. Verification of host key fingerprints"
" is instrumental in detecting man-in-the-middle attacks."
msgstr "SSH デーモンにはすべてプライベートのホストキーがあり、接続するとホストキーのフィンガープリントが提供されます。このホストキーのフィンガープリントは未署名のパブリックキーのハッシュです。これらのホストに SSH 接続する前に、ホストキーのフィンガープリントを把握しておくことが重要です。ホストキーのフィンガープリントの検証は中間者攻撃の検出に役立ちます。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml99(para)
msgid ""
"Typically, when an SSH daemon is installed, host keys will be generated. It "
"is necessary that the hosts have sufficient entropy during host key "
"generation. Insufficient entropy during host key generation can result in "
"the possibility to eavesdrop on SSH sessions."
msgstr "通常、SSH デーモンがインストールされると、ホストキーが生成されます。ホストキーの生成時に、ホストには十分なエントロピーが必要になります。ホストキーの生成時にエントロピーが十分にないと、SSH セッションの傍受が発生してしまう可能性があります。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml100(para)
msgid ""
"Once the SSH host key is generated, the host key fingerprint should be "
"stored in a secure and queriable location. One particularly convenient "
"solution is DNS using SSHFP resource records as defined in RFC-4255. For "
"this to be secure, it is necessary that DNSSEC be deployed."
msgstr "SSH ホストキーが生成されると、ホストキーのフィンガープリントはセキュアでクエリ可能な場所に保存されるはずです。特に有用なソリューションは、RFC-4255 で定義されていりょうに SSHFP リソースレコードを使用した DNS です。これをセキュアにするには、DNSSEC のデプロイが必要になります。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml104(title)
msgid "Management Utilities"
msgstr ""
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml105(para)
msgid ""
"The OpenStack Management Utilities are open-source Python command-line "
"clients that make API calls. There is a client for each OpenStack service "
"(nova, glance, etc.). In addition to the standard CLI client, most of the "
"services have a management command line which makes direct calls to the "
"database. These dedicated management utilities are slowly being deprecated."
msgstr "OpenStack 管理ユーテリティは、API 呼び出しを行う、オープンソースの Python のコマンドラインクライアントです。OpenStack サービス (nova、glance など) 毎にクライアントがあります。標準の CLI クライアントに加え、サービスの多くには管理コマンドラインがあり、データベースへ直接呼び出しを行います。これらの専用の管理ユーテリティは徐々に廃止予定となっています。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml115(para)
msgid ""
"The dedicated management utilities (*-manage) in some cases use the direct "
"database connection."
msgstr "場合によっては専用の管理ユーテリティ (*-manage) は直接データベースへの接続を使用することがあります。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml118(para)
msgid ""
"Ensure that the .rc file which has your credential information is secured."
msgstr "認証情報が含まれている .rc ファイルのセキュリティが確保されているようにします。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml124(para)
msgid ""
"<citetitle>OpenStack End User Guide</citetitle> section <link "
"href=\"http://docs.openstack.org/user-"
"guide/content/section_cli_overview.html\">command line clients "
"overview</link>"
msgstr "<citetitle>OpenStack エンドユーザーガイド</citetitle> の項: <link href=\"http://docs.openstack.org/user-guide/content/section_cli_overview.html\">コマンドラインクライアントの概要</link>"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml125(para)
msgid ""
"<citetitle>OpenStack End User Guide</citetitle> section <link "
"href=\"http://docs.openstack.org/user-"
"guide/content/cli_openrc.html\">Download and source the OpenStack RC "
"file</link>"
msgstr "<citetitle>OpenStack エンドユーザーガイド</citetitle> の項 <link href=\"http://docs.openstack.org/user-guide/content/cli_openrc.html\">OpenStack RC ファイルのダウンロードとソース</link>"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml129(title)
msgid "Out-of-Band Management Interface"
msgstr "帯域外管理インターフェース"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml130(para)
msgid ""
"OpenStack management relies on out-of-band management interfaces such as the"
" IPMI protocol to access into nodes running OpenStack components. IPMI is a "
"very popular specification to remotely manage, diagnose and reboot servers "
"whether the operating system is running or the system has crashed."
msgstr "OpenStack コンポーネントを実行するードにアクセスする場合、OpenStack の管理は IPMI プロトコルなどの帯域外管理インターフェースに依存します。IPMI は非常に有名な仕様で、オペレーティングシステムの実行中である場合やシステムがクラッシュした場合でもリモートでのサーバー管理、診断、リブートを行います。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml134(para)
msgid ""
"Use strong passwords and safeguard them, or use client-side SSL "
"authentication."
msgstr "強力なパスワードを使用してセーフガードするか、クライアント側の SSL 認証を使用してください。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml137(para)
msgid ""
"Ensure that the network interfaces are on their own private(management or a "
"separate) network. Segregate management domains with firewalls or other "
"network gear."
msgstr "ネットワークインターフェースはプライベート (管理または個別) ネットワークに設定されていることw確認します。管理ドメインはファイアウォールか他のネットワークギアで分離してください。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml140(para)
msgid ""
"If you use a web interface to interact with the "
"<glossterm>BMC</glossterm>/IPMI, always use the SSL interface (e.g. https or"
" port 443). This SSL interface should <emphasis role=\"bold\">NOT</emphasis>"
" use self-signed certificates, as is often default, but should have trusted "
"certificates using the correctly defined fully qualified domain names "
"(FQDNs)."
msgstr "Web インターフェースを使用して <glossterm>BMC</glossterm>/IPMI と対話する場合、常に SSL インターフェースを使用するようにしてください (例: https またはポート 443)。この SSL インターフェースは自己署名証明書を使用<emphasis role=\"bold\">しない</emphasis>ようにしてください。通常、これがデフォルトとなっていますが、正しく定義された完全修飾ドメイン名 (FQDN) を使用して信頼済みの証明書を使用するようにしてください。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml143(para)
msgid ""
"Monitor the traffic on the management network. The anomalies may be easier "
"to track than on the busier compute nodes"
msgstr "管理ネットワークのトラフィックを監視します。トラフィックの多い Compute ノードよりも例外のトラッキングが簡単になる場合があります。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml146(para)
msgid ""
"Out of band management interfaces also often include graphical machine "
"console access. It is often possible, although not necessarily default, that"
" these interfaces are encrypted. Consult with your system software "
"documentation for encrypting these interfaces."
msgstr "また、帯域外管理インターフェースはグラフィカルのコンソールアクセスが可能な場合が多くあります。デフォルトではない可能性もありますが、これらのインターフェースは暗号化されていることがあります。これらのインターフェースの暗号化については、お使いのシステムのソフトウェア文書を確認してください。"
#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml150(link)
msgid "Hacking servers that are turned off"
msgstr "オフ状態のサーバーのハッキング"
#: ./doc/security-guide/ch028_case-studies-identity-management.xml3(title)
msgid "Case Studies: Identity Management"
msgstr "ケーススタディ: ID 管理"
#: ./doc/security-guide/ch028_case-studies-identity-management.xml4(para)
msgid ""
"In this case study we discuss how Alice and Bob would address configuration "
"of OpenStack core services. These include the Keystone Identity service, "
"Dashboard, and Compute services. Alice will be concerned with integration "
"into the existing government directory services, while Bob will need to "
"provide access to the public."
msgstr "このケーススタディでは、アリスとボブが OpenStack コアサービスの設定をどのように取り扱うかを議論します。これらには、Keystone Identity Service、Dashboard、Compute Services が含まれます。アリスは既存の政府ディレクトリサービスに統合することに関心があります。ボブはパブリックにアクセス権を提供する必要があります。"
#: ./doc/security-guide/ch028_case-studies-identity-management.xml7(para)
msgid ""
"Alice's enterprise has a well-established directory service with two-factor "
"authentication for all users. She configures Keystone to support an external"
" authentication service supporting authentication with government-issued "
"access cards. She also uses an external LDAP server to provide role "
"information for the users that is integrated with the access control policy."
" Due to FedRAMP compliance requirements, Alice implements two-factor "
"authentication on the Management network for all administrator access."
msgstr "アリスの企業はすべてのユーザーに対して 2 要素認証を持つディレクトリサービスが十分に確立されています。彼女は政府発行のアクセスカードを用いた認証をサポートする外部認証サービスをサポートするよう Keystone を設定します。アクセス制御ポリシーと統合されたユーザー用ロール情報を提供するために、外部 LDAP サービスも使用します。FedRAMP コンプライアンス要件のため、アリスはすべての管理アクセスに対して管理ネットワークで 2 要素認証を導入します。"
#: ./doc/security-guide/ch028_case-studies-identity-management.xml8(para)
msgid ""
"Alice also deploys the Dashboard to manage many aspects of the cloud.  She "
"deploys the Dashboard with HSTS to ensure that only HTTPS is used.  The "
"Dashboard resides within an internal subdomain of the private network domain"
" name system."
msgstr "アリスはクラウドのさまざまな観点を管理するために Dashboard も導入します。必ず HTTPS のみを使用するために HSTS と共に Dashboard を導入します。Dashboard はプライベートネットワークの DNS の内部サブドメインの中にあります。"
#: ./doc/security-guide/ch028_case-studies-identity-management.xml9(para)
msgid ""
"Alice decides to use SPICE instead of VNC for the virtual console.  She "
"wants to take advantage of the emerging capabilities in SPICE."
msgstr "アリスは仮想コンソールに VNC の代わりに SPICE を使用することを決めました。SPICE の先進的な機能の利点を得ようと思います。"
#: ./doc/security-guide/ch028_case-studies-identity-management.xml13(para)
msgid ""
"Bob must support authentication by the general public, so he elects to use "
"provide for username / password authentication. He has concerns about brute "
"force attacks attempting to crack user passwords, so he also uses an "
"external authentication extension that throttles the number of failed login "
"attempts. Bob's Management network is separate from the other networks "
"within his cloud, but can be reached from his corporate network via ssh. As "
"recommended earlier, Bob requires administrators to use two-factor "
"authentication on the Management network to reduce the risk from compromised"
" administrator passwords."
msgstr "ボブは一般的なパブリックによる認証をサポートする必要があります。そのため、ユーザー名とパスワードによる認証を提供することを選択します。彼はユーザーのパスワードを解析しようとするブルートフォース攻撃について心配します。そのため、ログイン試行回数の失敗数を制限する外部認証拡張も使用します。ボブの管理ネットワークは彼のクラウドの中で他のネットワークと分離しています。しかし、彼の企業ネットワークから SSH 経由でアクセスできます。これまでに推奨しているとおり、ボブは管理者のパスワードが漏洩するリスクを減らすために、管理者が管理ネットワークで 2 要素認証を使用することを要求します。"
#: ./doc/security-guide/ch028_case-studies-identity-management.xml14(para)
msgid ""
"Bob also deploys the Dashboard to manage many aspects of the cloud.  He "
"deploys the Dashboard with HSTS to ensure that only HTTPS is used.  He has "
"ensured that the Dashboard is deployed on a second-level domain due to the "
"limitations of the same-origin policy. He also disables "
"HORIZON_IMAGES_ALLOW_UPLOAD to prevent resource exhaustion."
msgstr "ボブはクラウドのさまざまな観点を管理するために Dashboard も導入します。必ず HTTPS のみを使用するために HSTS と共に Dashboard を導入します。Dashboard が同一オリジンポリシーの制限のため必ず第 2 レベルドメインに導入されるようにしました。また、リソース枯渇を防ぐために HORIZON_IMAGES_ALLOW_UPLOAD を無効化します。"
#: ./doc/security-guide/ch028_case-studies-identity-management.xml15(para)
msgid ""
"Bob decides to use VNC for his virtual console for its maturity and security"
" features."
msgstr "ボブはその成熟度とセキュリティ機能から仮想コンソールに VNC を使用することを決めました。"
#: ./doc/security-guide/ch037_risks.xml3(title)
msgid "Message Queuing Architecture"
msgstr "メッセージキューアーキテクチャー"
#: ./doc/security-guide/ch037_risks.xml4(para)
msgid ""
"Inter-process communication within OpenStack is facilitated via message "
"queueing services. Today, three messaging service backends are supported:"
msgstr "OpenStack 内におけるプロセス間通信はメッセージキューイングサービスが仲介しています。現時点では、3つののメッセージングサービスバックエンドがサポートされています。"
#: ./doc/security-guide/ch037_risks.xml6(para)
msgid "RabbitMQ"
msgstr "RabbitMQ"
#: ./doc/security-guide/ch037_risks.xml9(para)
msgid "Qpid"
msgstr "Qpid"
#: ./doc/security-guide/ch037_risks.xml12(para)
msgid "ZeroMQ"
msgstr "ZeroMQ"
#: ./doc/security-guide/ch037_risks.xml15(para)
msgid ""
"Both RabbitMQ and Qpid are Advanced Message Queuing Protocol (AMQP) "
"frameworks which provide message queues for peer-to-peer communication. "
"Queue implementations are typically deployed as centralized or decentralized"
" pool of queue servers. ZeroMQ differs by communicating directly using TCP "
"sockets between peers."
msgstr "RabbitMQ と Qpid は両方とも、Advanced Message Queuing Protocol (AMQP) フレームワークであり、ピアツーピア通信にメッセージキューを提供する仕組みです。\nキューの実装は通常、キューサーバのプールを集中型か、もしくは、分散型で展開します。\nZeroMQ は TCP ソケットを使ってピア間通信が直接行われるところが異なっています。"
#: ./doc/security-guide/ch037_risks.xml16(para)
msgid ""
"Message queues effectively facilitate command and control functions across "
"OpenStack deployments. Once access to the queue is permitted no further "
"authorization checks are performed. Services accessible via the queue do "
"validate the contexts and tokens within the actual message payload. However,"
" awareness of the token's expiration value should be noted as these tokens "
"are potentially replayable and may provide authorization for other services "
"within the infrastructure."
msgstr "メッセージキューは、OpenStack コンポーネント間における指揮系統の機能を効果的に仲介します。キューへのアクセスが一度許可されると、その後の承認チェックは行なわれません。キュー経由でアクセス可能なサービス自身が、メッセージペイロード内のコンテクストとトークンの正当性チェックを行ないます。\nしかしながら、トークンは潜在的に再生可能であり、インフラ内の他サービスの承認に使われる可能性があることから、トークンの期限切れには気をつけるべきです。"
#: ./doc/security-guide/ch037_risks.xml17(para)
msgid ""
"OpenStack does not support message-level confidence (i.e., message signing)."
" Because of this, the message transport itself must be secured and "
"authentication to the queue server must be performed. For HA configurations,"
" queue to queue authentication and encryption should to be performed as "
"well."
msgstr "OpenStack はメッセージレベルのコンフィデンス (メッセージへの署名) はサポートしていません。そのため、メッセージの通信路そのものがセキュア化され、かつ、キューサーバーへのアクセスの際に認証が行なわれる必要があります。\nまた、HA 設定の際には、キュー間の認証と暗号化も同様に実施するべきです。"
#: ./doc/security-guide/ch037_risks.xml18(para)
msgid ""
"With ZeroMQ messaging, IPC sockets are used on individual machines. These "
"sockets may be vulnerable to attack for local message injection and snooping"
" unless secured by an operator."
msgstr "ZeroMQ メッセージングでは、IPC ソケットが各マシンで使用されます。これらのソケットは管理者がセキュア化しない限り、ローカルメッセージインジェクションやスヌーピングの攻撃に脆弱な可能性があります。"
#: ./doc/security-guide/ch026_compute.xml3(title)
#: ./doc/security-guide/ch004_book-introduction.xml71(title)
msgid "Compute"
msgstr "コンピュート"
#: ./doc/security-guide/ch026_compute.xml4(para)
msgid ""
"The Compute Service (Nova) is one of the more complex OpenStack services.  "
"It runs in many locations throughout the cloud and interacts with a variety "
"of internal services.  For this reason, most of our recommendations "
"regarding best practices for Compute Service configuration are distributed "
"throughout this book. We provide specific details in the sections on "
"Management, API Endpoints, Messaging, and Database."
msgstr "Compute Service (Nova) は最も複雑な OpenStack サービスの一つです。クラウドの隅々まで多くの場所で動作し、さまざまな内部サービスと通信します。この理由により、Compute Service 設定のベストプラクティスに関する推奨事項の多くは、本書を通して配布されます。管理、API エンドポイント、メッセージング、データベースのセクションで具体的な詳細を提供します。"
#: ./doc/security-guide/ch026_compute.xml6(title)
msgid "Virtual Console Selection"
msgstr "仮想コンソールの選択"
#: ./doc/security-guide/ch026_compute.xml7(para)
msgid ""
"One decision a cloud architect will need to make regarding Compute Service "
"configuration is whether to use VNC or SPICE. Below we provide some details "
"on the differences between these options."
msgstr "クラウドアーキテクトが判断する必要があることの一つは、Compute Service の設定が VNC と SPICE のどちらを使用するかです。以下は、これらの選択肢の違いに関する詳細を提供します。"
#: ./doc/security-guide/ch026_compute.xml9(title)
msgid "Virtual Network Computer (VNC)"
msgstr "Virtual Network Computer (VNC)"
#: ./doc/security-guide/ch026_compute.xml10(para)
msgid ""
"OpenStack can be configured to provide remote desktop console access to "
"instances for tenants and/or administrators using the Virtual Network "
"Computer (VNC) protocol.  "
msgstr "OpenStack は Virtual Network Computer (VNC) プロトコルを使用して、プロジェクトと管理者がインスタンスのリモートデスクトップコンソールにアクセスできるように設定できます。"
#: ./doc/security-guide/ch026_compute.xml15(para)
msgid ""
"The OpenStack Dashboard (Horizon) can provide a VNC console for instances "
"directly on the web page using the HTML5 noVNC client.  This requires the "
"<systemitem class=\"service\">nova-novncproxy</systemitem> service to bridge"
" from the public network to the management network."
msgstr "OpenStack Dashboard (Horizon) は HTML5 の非 VNC クライアントを使用して、ウェブページから直接インスタンスの VNC コンソールを提供できます。これには、<systemitem class=\"service\">nova-novncproxy</systemitem> サービスがパブリックネットワークから管理ネットワークにブリッジする必要があります。"
#: ./doc/security-guide/ch026_compute.xml18(para)
msgid ""
"The nova command line utility can return a URL for the VNC console for "
"access by the nova Java VNC client. This requires the nova-xvpvncproxy "
"service to bridge from the public network to the management network."
msgstr "nova コマンドラインユーティリティは nova Java VNC クライアントによりアクセスするための VNC の URL を返すことができます。これには、nova-xvpvncproxy サービスがパブリックネットワークから管理ネットワークにブリッジする必要があります。"
#: ./doc/security-guide/ch026_compute.xml25(para)
msgid ""
"The <systemitem class=\"service\">nova-novncproxy</systemitem>and nova-"
"xvpvncproxy services by default open public-facing ports that are token "
"authenticated."
msgstr "デフォルトのオープンなパブリックポートによる <systemitem class=\"service\">nova-novncproxy</systemitem> サービスと nova-xvpvncproxy サービスがトークン認証されます。"
#: ./doc/security-guide/ch026_compute.xml28(para)
msgid ""
"By default, the remote desktop traffic is not encrypted. Havana is expected "
"to have VNC connections secured by Kerberos."
msgstr "デフォルトで、リモートデスクトップの通信は暗号化されません。Havana は Kerberos によりセキュア化された VNC 接続を実装することが期待されています。"
#: ./doc/security-guide/ch026_compute.xml34(link)
msgid "Secure Connections to VNC ports"
msgstr "VNC ポートへのセキュアな接続"
#: ./doc/security-guide/ch026_compute.xml37(title)
msgid "Simple Protocol for Independent Computing Environments (SPICE)"
msgstr "Simple Protocol for Independent Computing Environments (SPICE)"
#: ./doc/security-guide/ch026_compute.xml38(para)
msgid ""
"As an alternative to VNC, OpenStack provides remote desktop access to guest "
"virtual machines using the Simple Protocol for Independent Computing "
"Environments (SPICE) protocol."
msgstr "VNC の代替として、OpenStack は Simple Protocol for Independent Computing Environments (SPICE) プロトコルを使用した、仮想マシンへのリモートデスクトップアクセスを提供します。"
#: ./doc/security-guide/ch026_compute.xml42(para)
msgid ""
"SPICE is supported by the OpenStack Dashboard (Horizon) directly on the "
"instance web page.  This requires the nova-spicehtml5proxy service."
msgstr "SPICE は OpenStack Dashboard (Horizon) により直接インスタンスのウェブページでサポートされます。これには nova-spicehtml5proxy サービスが必要です。"
#: ./doc/security-guide/ch026_compute.xml45(para)
msgid ""
"The nova command line utility can return a URL for SPICE console for access "
"by a SPICE-html client."
msgstr "nova コマンドラインユーティリティは SPICE-html クライアントによりアクセスするための SPICE コンソールの URL を返すことができます。"
#: ./doc/security-guide/ch026_compute.xml50(title)
msgid "Limitations"
msgstr "制限事項"
#: ./doc/security-guide/ch026_compute.xml52(para)
msgid ""
"Although SPICE has many advantages over VNC, the spice-html5 browser "
"integration currently doesn't really allow admins to take advantage of any "
"of the benefits. To take advantage of SPICE features like multi-monitor, USB"
" pass through, etc. admins are recommended to use a standalone SPICE client "
"within the Management Network."
msgstr "SPICE は VNC よりも多くの点で優れていますが、現在 spice-html5 ブラウザー統合は管理者がすべての利点を利用することができません。マルチモニター、USB パススルーなどの SPICE 機能の利点を利用するためには、管理ネットワークの中でスタンドアロン SPICE クライアントを使用することが推奨されます。"
#: ./doc/security-guide/ch026_compute.xml59(para)
msgid ""
"The nova-spicehtml5proxy service by default opens public-facing ports that "
"are token authenticated."
msgstr "デフォルトのオープンなパブリックポートによる nova-spicehtml5proxy サービスがトークン認証されます。"
#: ./doc/security-guide/ch026_compute.xml62(para)
msgid ""
"The functionality and integration are still evolving. We will access the "
"features in the next release and make recommendations."
msgstr "機能と統合は進化中です。次のリリースの機能を確認し、推奨事項を作成します。"
#: ./doc/security-guide/ch026_compute.xml65(para)
msgid ""
"As is the case for VNC, at this time we recommend using SPICE from the "
"management network in addition to limiting use to few individuals."
msgstr "VNC の場合のように、今のところ数人の利用者に制限して管理ネットワークから SPICE を使用することを推奨します。"
#: ./doc/security-guide/ch026_compute.xml71(link)
msgid "SPICE Console"
msgstr "SPICE コンソール"
#: ./doc/security-guide/ch026_compute.xml72(link)
msgid "Red Hat bug 913607"
msgstr "Red Hat bug 913607"
#: ./doc/security-guide/ch026_compute.xml73(link)
msgid "SPICE support in RDO Grizzly"
msgstr "RDO Grizzly における SPICE のサポート"
#. When image changes, this message will be marked fuzzy or untranslated for
#. you.
#. It doesn't matter what you translate it to: it's not used at all.
#: ./doc/security-guide/ch013_node-bootstrapping.xml14(None)
#: ./doc/security-guide/ch013_node-bootstrapping.xml17(None)
msgid ""
"@@image: 'static/node-provisioning-pxe.png'; "
"md5=51b76c5aced74f935490b37ba921dc43"
msgstr "@@image: 'static/node-provisioning-pxe.png'; md5=51b76c5aced74f935490b37ba921dc43"
#: ./doc/security-guide/ch013_node-bootstrapping.xml3(title)
msgid "Integrity Life-cycle"
msgstr "完全性ライフサイクル"
#: ./doc/security-guide/ch013_node-bootstrapping.xml4(para)
msgid ""
"We define integrity lifecycle as a deliberate process that provides "
"assurance that we are always running the expected software with the expected"
" configurations throughout the cloud. This process begins with secure "
"bootstrapping and is maintained through configuration management and "
"security monitoring. This chapter provides recommendations on how to "
"approach the integrity life-cycle process."
msgstr "OpenStack では、完全性ライフサイクルを、クラウド全体にわたって想定されているソフトウェアが想定されている設定で常に実行されることを保証する計画的なプロセスと定義しています。このプロセスは、セキュアなブートストラッピングで開始し、設定管理およびセキュリティ監視の機能により維持されます。本章では、完全性ライフサイクルプロセスのアプローチ方法について説明します。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml6(title)
msgid "Secure Bootstrapping"
msgstr "セキュアブートストラップ"
#: ./doc/security-guide/ch013_node-bootstrapping.xml7(para)
msgid ""
"Nodes in the cloud -- including compute, storage, network, service, and "
"hybrid nodes -- should have an automated provisioning process. This ensures "
"that nodes are provisioned consistently and correctly. This also facilitates"
" security patching, upgrading, bug fixing, and other critical changes. Since"
" this process installs new software that runs at the highest privilege "
"levels in the cloud, it is important to verify that the correct software is "
"installed. This includes the earliest stages of the boot process."
msgstr "クラウド内のノード (コンピュート、ストレージ、ネットワーク、サービス、およびハイブリッドのノードを含む) には、自動プロビジョニングプロセスを使用すべきです。このプロセスにより、ノードが一貫して正しくプロビジョニングされます。また、セキュリティパッチの適用、アップグレード、バグ修正、その他の重要な変更が円滑に行われます。このプロセスにより、クラウド内において最高権限で実行される新規ソフトウェアがインストールされるので、正しいソフトウェアがインストールされることを検証することが重要となります。これには、ブートプロセスの最初期段階が含まれます。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml8(para)
msgid ""
"There are a variety of technologies that enable verification of these early "
"boot stages. These typically require hardware support such as the trusted "
"platform module (TPM), Intel Trusted Execution Technology (TXT), dynamic "
"root of trust measurement (DRTM), and Unified Extensible Firmware Interface "
"(UEFI) secure boot. In this book, we will refer to all of these collectively"
" as <emphasis>secure boot technologies</emphasis>. We recommend using secure"
" boot, while acknowledging that many of the pieces necessary to deploy this "
"require advanced technical skills in order to customize the tools for each "
"environment. Utilizing secure boot will require deeper integration and "
"customization than many of the other recommendations in this guide. TPM "
"technology, while common in most business class laptops and desktops for "
"several years, and is now becoming available in servers together with "
"supporting BIOS. Proper planning is essential to a successful secure boot "
"deployment."
msgstr "このような初期ブート段階の検証を可能にするさまざまな技術があります。通常は、Trusted Platform Module (TPM)、Intel Trusted Execution Technology (TXT)、Dynamic Root of Trust Measurement (DRTM)、Unified Extensible Firmware Interface (UEFI) などによるセキュアブートのハードウェアサポートが必要です。本ガイドでは、これらを総称して<emphasis>セキュアブートテクノロジー</emphasis>と呼びます。OpenStack ではセキュアブートの使用を推奨していますが、このデプロイに必要な諸作業には、各環境用にツールをカスタマイズするための高度の技術的スキルが必要である点を認識しています。セキュアブートの活用には、本ガイドに記載しているその他多くの推奨事項よりも深い統合とカスタマイズが必要になります。TPM テクロジーはこの数年、大半のビジネスクラスのラップトップおよびデスクトップに通常搭載されていますが、BIOS のサポートとともにサーバーでも提供されるようになってきています。セキュアブートのデプロイには、適切な計画が不可欠です。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml9(para)
msgid ""
"A complete tutorial on secure boot deployment is beyond the scope of this "
"book. Instead, here we provide a framework for how to integrate secure boot "
"technologies with the typical node provisioning process. For additional "
"details, cloud architects should refer to the related specifications and "
"software configuration manuals."
msgstr "セキュアブートのデプロイに関する完全なチュートリアルは、本書の範囲外なので、その代わりとして、標準的なノードプロビジョニングプロセスにセキュアブートテクノロジーを統合する方法の枠組みを提供します。クラウドアーキテクトが更に詳しい情報を確認するには、関連する仕様およびソフトウェア設定のマニュアルを参照することをお勧めします。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml11(title)
msgid "Node Provisioning"
msgstr "ノードのプロビジョニング"
#: ./doc/security-guide/ch013_node-bootstrapping.xml12(para)
msgid ""
"Nodes should use Preboot eXecution Environment (PXE) for provisioning. This "
"significantly reduces the effort required for redeploying nodes. The typical"
" process involves the node receiving various boot stages (i.e., "
"progressively more complex software to execute) from a server."
msgstr "ノードは、プロビジョニングに Preboot eXecution Environment (PXE) を使用すべきです。これにより、ノードの再デプロイに必要な作業が大幅に軽減されます。標準的なプロセスでは、ノードがサーバーからさまざまなブート段階 (実行するソフトウェアが徐々に複雑化) を受信する必要があります。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml20(para)
msgid ""
"We recommend using a separate, isolated network within the management "
"security domain for provisioning. This network will handle all PXE traffic, "
"along with the subsequent boot stage downloads depicted above. Note that the"
" node boot process begins with two insecure operations: DHCP and TFTP. Then "
"the boot process downloads over SSL the remaining information required to "
"deploy the node. This information might include an initramfs and a kernel. "
"This concludes by downloading the remaining information needed to deploy the"
" node. This may be an operating system installer, a basic install managed by"
" <link href=\"http://www.opscode.com/chef/\">Chef</link> or <link "
"href=\"https://puppetlabs.com/\">Puppet</link>, or even a complete file "
"system image that is written directly to disk."
msgstr "プロビジョニングには、管理セキュリティドメイン内の別個の分離したネットワークを使用することを推奨します。このネットワークは、上記に示した後続のブート段階のダウンロードに加えて、すべての PXE トラフィックを処理します。 ノードのブートプロセスは、安全性の低い DHCP および TFTP の 2 つの操作で開始する点に注意してください。次にブートプロセスは、ノードのデプロイに必要な残りの情報を SSL を介してダウンロードします。この情報には、initramfs とカーネルが含まれる場合があります。このプロセスは、ノードのデプロイに必要な残りの情報のダウンロードで終了します。これは、オペレーティングシステムのインストーラー、<link href=\"http://www.opscode.com/chef/\">Chef</link> または <link href=\"https://puppetlabs.com/\">Puppet</link> によって管理される基本インストール、またはディスクに直接書き込まれた完全なファイルシステムイメージの場合もあります。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml21(para)
msgid ""
"While utilizing SSL during the PXE boot process is somewhat more "
"challenging, common PXE firmware projects (e.g., iPXE) provide this support."
" Typically this involves building the PXE firmware with knowledge of the "
"allowed SSL certificate chain(s) so that it can properly validate the server"
" certificate.  This raises the bar for an attacker by limiting the number of"
" insecure, plaintext network operations."
msgstr "PXE ブートプロセス中に SSL を活用するのは若干困難ですが、一般的な PXE ファームウェアプロジェクト (例: iPXE) はこの機能をサポートしています。通常、この作業には、サーバーの証明書を適切に検証するための許可済み SSL 証明書チェーンについての知識を活用した PXE ファームウェア構築が伴います。これにより、安全性の低いプレーンテキストのネットワーク操作数が制限されるので、攻撃者に対するセキュリティレベルが高くなります。."
#: ./doc/security-guide/ch013_node-bootstrapping.xml24(title)
msgid "Verified Boot"
msgstr "検証済みブート"
#: ./doc/security-guide/ch013_node-bootstrapping.xml25(para)
msgid ""
"In general, there are two different strategies for verifying the boot "
"process. Traditional <emphasis>secure boot</emphasis> will validate the code"
" run at each step in the process, and stop the boot if code is incorrect. "
"<emphasis>Boot attestation</emphasis> will record which code is run at each "
"step, and provide this information to another machine as proof that the boot"
" process completed as expected. In both cases, the first step is to measure "
"each piece of code before it is run. In this context, a measurement is "
"effectively a SHA-1 hash of the code, taken before it is executed.  The hash"
" is stored in a platform configuration register (PCR) in the TPM."
msgstr "ブートプロセスの検証には、通常 2 つの異なる戦略があります。従来の<emphasis>セキュアブート</emphasis>は、プロセスの各ステップに実行されるコードを検証し、コードが正しくない場合にはブートを中止します。<emphasis>ブートアテステーション</emphasis>は、どのステップでどのコードが実行されるかを記録し、ブートプロセスが想定通りに完了した証拠として、この情報を別のマシンに提供します。いずれのケースにおいても、第 1 のステップでは、実行前にコードの各要素を計測します。この場合、計測値は実質的にはコードの SHA-1 ハッシュで、実行前に取得されます。 このハッシュは、TPM 内の Platform Configuration Register (PCR) に保管されます。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml26(para)
msgid "Note: SHA-1 is used here because this is what the TPM chips support."
msgstr "注記: ここで SHA-1 を使用するのは、TPM チップが対応しているためです。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml27(para)
msgid ""
"Each TPM has at least 24 PCRs. The TCG Generic Server Specification, v1.0, "
"March 2005, defines the PCR assignments for boot-time integrity "
"measurements. The table below shows a typical PCR configuration. The context"
" indicates if the values are determined based on the node hardware "
"(firmware) or the software provisioned onto the node. Some values are "
"influenced by firmware versions, disk sizes, and other low-level "
"information. Therefore, it is important to have good practices in place "
"around configuration management to ensure that each system deployed is "
"configured exactly as desired."
msgstr "各 TPM には少なくとも 24 の PCR が含まれます。TCG Generic Server Specification ( v1.0、2005 年 3 月版) には、ブート時の完全性計測のための PCR の割り当てが定義されています。以下の表には、標準的な PCR 設定を記載しています。コンテキストには、その値がノードのハードウェア (ファームウェア) をベースに決定されるか、ノードにプロビジョニングされているソフトウェアをベースに決定されるかを示しています。一部の値は、ファームウェアのバージョンやディスクサイズ、その他の低レベルの情報によって影響を受けます。このため、設定管理の適切なプラクティスを整備し、デプロイするシステムが要望通りに設定されるようにしておくことが重要となります。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml35(emphasis)
msgid "Register"
msgstr "レジスター"
#: ./doc/security-guide/ch013_node-bootstrapping.xml36(emphasis)
msgid "What Is Measured"
msgstr "計測の対象"
#: ./doc/security-guide/ch013_node-bootstrapping.xml37(emphasis)
msgid "Context"
msgstr "コンテキスト"
#: ./doc/security-guide/ch013_node-bootstrapping.xml40(para)
msgid "PCR-00"
msgstr "PCR-00"
#: ./doc/security-guide/ch013_node-bootstrapping.xml41(para)
msgid ""
"Core Root of Trust Measurement (CRTM), Bios code, Host platform extensions"
msgstr "Core Root of Trust Measurement (CRTM)、 BIOS コード、ホストプラットフォームの拡張機能"
#: ./doc/security-guide/ch013_node-bootstrapping.xml42(para)
#: ./doc/security-guide/ch013_node-bootstrapping.xml47(para)
#: ./doc/security-guide/ch013_node-bootstrapping.xml52(para)
msgid "Hardware"
msgstr "ハードウェア"
#: ./doc/security-guide/ch013_node-bootstrapping.xml45(para)
msgid "PCR-01"
msgstr "PCR-01"
#: ./doc/security-guide/ch013_node-bootstrapping.xml46(para)
msgid "Host Platform Configuration"
msgstr "ハードウェアプラットフォームの設定"
#: ./doc/security-guide/ch013_node-bootstrapping.xml50(para)
msgid "PCR-02"
msgstr "PCR-02"
#: ./doc/security-guide/ch013_node-bootstrapping.xml51(para)
msgid "Option ROM Code "
msgstr "オプションの ROM コード"
#: ./doc/security-guide/ch013_node-bootstrapping.xml55(para)
msgid "PCR-03"
msgstr "PCR-03"
#: ./doc/security-guide/ch013_node-bootstrapping.xml56(para)
msgid "Option ROM Configuration and Data "
msgstr "オプションの ROM 設定およびデータ"
#: ./doc/security-guide/ch013_node-bootstrapping.xml57(para)
msgid "Hardware "
msgstr "ハードウェア"
#: ./doc/security-guide/ch013_node-bootstrapping.xml60(para)
msgid "PCR-04"
msgstr "PCR-04"
#: ./doc/security-guide/ch013_node-bootstrapping.xml61(para)
msgid "Initial Program Loader (IPL) Code (e.g., master boot record) "
msgstr "Initial Program Loader (IPL) コード (例: マスターブートレコード) "
#: ./doc/security-guide/ch013_node-bootstrapping.xml62(para)
#: ./doc/security-guide/ch013_node-bootstrapping.xml67(para)
#: ./doc/security-guide/ch013_node-bootstrapping.xml72(para)
#: ./doc/security-guide/ch013_node-bootstrapping.xml77(para)
#: ./doc/security-guide/ch013_node-bootstrapping.xml82(para)
#: ./doc/security-guide/ch013_node-bootstrapping.xml87(para)
#: ./doc/security-guide/ch013_node-bootstrapping.xml92(para)
msgid "Software "
msgstr "ソフトウェア"
#: ./doc/security-guide/ch013_node-bootstrapping.xml65(para)
msgid "PCR-05"
msgstr "PCR-05"
#: ./doc/security-guide/ch013_node-bootstrapping.xml66(para)
msgid "IPL Code Configuration and Data "
msgstr "IPL コードの設定およびデータ"
#: ./doc/security-guide/ch013_node-bootstrapping.xml70(para)
msgid "PCR-06"
msgstr "PCR-06"
#: ./doc/security-guide/ch013_node-bootstrapping.xml71(para)
msgid "State Transition and Wake Events "
msgstr "状態遷移とウェイクイベント"
#: ./doc/security-guide/ch013_node-bootstrapping.xml75(para)
msgid "PCR-07"
msgstr "PCR-07"
#: ./doc/security-guide/ch013_node-bootstrapping.xml76(para)
msgid "Host Platform Manufacturer Control "
msgstr "ホストプラットフォームのメーカーによる制御"
#: ./doc/security-guide/ch013_node-bootstrapping.xml80(para)
msgid "PCR-08"
msgstr "PCR-08"
#: ./doc/security-guide/ch013_node-bootstrapping.xml81(para)
msgid "Platform specific, often Kernel, Kernel Extensions, and Drivers"
msgstr "プラットフォーム固有、多くの場合はカーネル、カーネル拡張機能、ドライバー"
#: ./doc/security-guide/ch013_node-bootstrapping.xml85(para)
msgid "PCR-09"
msgstr "PCR-09"
#: ./doc/security-guide/ch013_node-bootstrapping.xml86(para)
msgid "Platform specific, often Initramfs"
msgstr "プラットフォーム固有、多くの場合は Initramfs"
#: ./doc/security-guide/ch013_node-bootstrapping.xml90(para)
msgid "PCR-10 to PCR-23"
msgstr "PCR-10 から PCR-23"
#: ./doc/security-guide/ch013_node-bootstrapping.xml91(para)
msgid "Platform specific "
msgstr "プラットフォーム固有"
#: ./doc/security-guide/ch013_node-bootstrapping.xml97(para)
msgid ""
"At the time of this writing, very few clouds are using secure boot "
"technologies in a production environment. As a result, these technologies "
"are still somewhat immature. We recommend planning carefully in terms of "
"hardware selection (e.g., ensure that you have a TPM and Intel TXT support)."
" Then verify how the node hardware vendor populates the PCR values (e.g., "
"which values will be available for validation). Typically the PCR values "
"listed under the software context in the table above are the ones that a "
"cloud architect has direct control over. But even these may change as the "
"software in the cloud is upgraded.  Configuration management should be "
"linked into the PCR policy engine to ensure that the validation is always up"
" to date."
msgstr "本ガイドの執筆時点では、実稼働環境でセキュアブートテクノロジーを使用するクラウドはほとんどありませんでした。このため、これらのテクノロジーはまだ若干未成熟な状態です。ハードウェアは、慎重に計画した上で選択することを推奨します (例: TPM および Intel TXT の対応を確認するなど)。次に、ノードのハードウェアベンダーが PCR 値をどのように事前設定しているかを検証します (例: どの値を検証できるか)。上記の表のコンテキストにソフトウェアと記載されている PCR 値は通常、クラウドアーキテクトが直接コントロールできます。ただし、これらの値は、クラウド内のソフトウェアをアップグレードすると変更される場合があります。設定管理は、PCR ポリシーエンジン内にリンクして、検証を常に最新の状態 に確保すべきです。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml98(para)
msgid ""
"Each manufacturer must provide the BIOS and firmware code for their servers."
" Different servers, hypervisors, and operating systems will choose to "
"populate different PCRs.  In most real world deployments, it will be "
"impossible to validate every PCR against a known good quantity (\"golden "
"measurement\"). Experience has shown that, even within a single vendor's "
"product line, the measurement process for a given PCR may not be consistent."
" We recommend establishing a baseline for each server and monitoring the PCR"
" values for unexpected changes. Third-party software may be available to "
"assist in the TPM provisioning and monitoring process, depending upon your "
"chosen hypervisor solution."
msgstr "各メーカーは、サーバーの BIOS とファームウェアのコードを提供する必要があります。サーバー、ハイパーバイザー、オペレーティングシステムによって、事前設定される PCR 値の選択が異なります。実際のデプロイメントではほとんどの場合、既知の適切な量 (「黄金の計測値」) と対照して各 PCR を検証することは不可能です。単一のベンダー の製品ラインの場合でも、一定の PCR の計測プロセスに一貫性がない場合があることが、経験により実証されています。各サーバーに基準値を定め、 PCR 値の予期せぬ変化を監視することを推奨します。選択したハイパーバイザーソリューションによっては、TPM プロビジョニングおよび監視プロセスを支援する サードパーティー製のソフトウェアが提供されている可能性があります。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml99(para)
msgid ""
"The initial program loader (IPL) code will most likely be the PXE firmware, "
"assuming the node deployment strategy outlined above. Therefore, the secure "
"boot or boot attestation process can measure all of the early stage boot "
"code (e.g., bios, firmware, etc), the PXE firmware, and the node kernel. "
"Ensuring that each node has the correct versions of these pieces installed "
"provides a solid foundation on which to build the rest of the node software "
"stack."
msgstr "上記のードデプロイメントの戦略を前提とすると、Initial Program Loader (IPL) コードは、PXE ファームウェアである可能性が最も高く、このため、セキュアブートまたはブートアテステーションプロセスで、すべての初期段階のブートコード (例: BIOS、ファームウェアなど)、PXE ファームウェア、およびノードのカーネルを計測することができます。各ノードにこれらの正しいバージョンがインストールされていることを確認することにより、残りのノードソフトウェアスタックを構築する土台となる強固な基盤が提供されます。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml100(para)
msgid ""
"Depending on the strategy selected, in the event of a failure the node will "
"either fail to boot or it can report the failure back to another entity in "
"the cloud. For secure boot, the node will fail to boot and a provisioning "
"service within the management security domain must recognize this and log "
"the event. For boot attestation, the node will already be running when the "
"failure is detected. In this case the node should be immediately quarantined"
" by disabling its network access. Then the event should be analyzed for the "
"root cause. In either case, policy should dictate how to proceed after a "
"failure. A cloud may automatically attempt to reprovision a node a certain "
"number of times. Or it may immediately notify a cloud administrator to "
"investigate the problem. The right policy here will be deployment and "
"failure mode specific."
msgstr "選択した戦略に応じて、障害発生時にノードがブートに失敗するか、クラウド内の別のエンティティに障害を報告することができます。セキュアブートの場合には、ノードがブートに失敗し、管理セキュリティドメイン内のプロビジョニングサービスがこの問題を認識してイベントログを記録する必要があります。ブートアテステーションの場合には、障害検出時にはノードがすでに稼働している状態です。この場合、ネットワークアクセスを無効にすることによってノードの検疫を直ちに行った後に、イベントを解析して根本原因を特定するべきです。いずれの場合も、ポリシーにより、障害発生後の対処方法を指示する必要があります。クラウドが、特定の回数、ノードの再プロビジョニングを自動的に試みるようにしたり、問題を調査するようにクラウド管理者に直ちに通知するようにすることができます。この場合に適正となるポリシーは、デプロイメントと障害のモードによって異なります。 "
#: ./doc/security-guide/ch013_node-bootstrapping.xml103(title)
msgid "Node Hardening"
msgstr "ノードのセキュリティ強化機能"
#: ./doc/security-guide/ch013_node-bootstrapping.xml104(para)
msgid ""
"At this point we know that the node has booted with the correct kernel and "
"underlying components. There are many paths for hardening a given operating "
"system deployment. The specifics on these steps are outside of the scope of "
"this book.  We recommend following the guidance from a hardening guide "
"specific to your operating system.  For example, the <link "
"href=\"http://iase.disa.mil/stigs/\">security technical implementation "
"guides</link> (STIG) and the <link "
"href=\"http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/\">NSA"
" guides</link> are useful starting places."
msgstr "この時点で、ノードが正しいカーネルと配下のコンポーネントでブートしていることが分かります。オペレーティングシステムのデプロイメントのセキュリティを強化するには、数多くの方法があります。これらの手順についての詳しい説明は本書の範囲外です。お使いのオペレーティングシステム固有のセキュリティ強化ガイドのアドバイスに従うことを推奨します。例えば、<link href=\"http://iase.disa.mil/stigs/\">security technical implementation guides</link> (STIG) や <link href=\"http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/\">NSA guides</link> を最初に参考にすると役立ちます。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml105(para)
msgid ""
"The nature of the nodes makes additional hardening possible. We recommend "
"the following additional steps for production nodes:"
msgstr "ノードはその性質上、追加のセキュリティ強化が可能です。実稼働用のノードには、次の追加手順に従うことを推奨します。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml107(para)
msgid ""
"Use a read-only file system where possible. Ensure that writeable file "
"systems do not permit execution.  This can be handled through the mount "
"options provided in <literal>/etc/fstab</literal>."
msgstr "可能な場合には、読み取り専用のファイルシステムを使用します。書き込みが可能なファイルシステムでは、実行が許可されないようにします。これは、<literal>/etc/fstab</literal> で指定するマウントオプションを使用して対処することが可能です。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml110(para)
msgid ""
"Use a mandatory access control policy to contain the instances, the node "
"services, and any other critical processes and data on the node.  See the "
"discussions on sVirt / SELinux and AppArmor below."
msgstr "強制アクセス制御ポリシーを使用して、インスタンス、ノードサービス、その他の重要なプロセスおよびノード上のデータが含まれるようにします。以下に記載の sVirt / SELinux および AppArmor についての説明を参照してください。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml113(para)
msgid ""
"Remove any unnecessary software packages. This should result in a very "
"stripped down installation because a compute node has a relatively small "
"number of dependencies."
msgstr "不要なソフトウェアパッケージは削除します。これにより、コンピュートノードの依存関係が比較的少なくなるので、インストールを小さく絞ることができます。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml116(para)
msgid ""
"Finally, the node kernel should have a mechanism to validate that the rest "
"of the node starts in a known good state. This provides the necessary link "
"from the boot validation process to validating the entire system. The steps "
"for doing this will be deployment specific. As an example, a kernel module "
"could verify a hash over the blocks comprising the file system before "
"mounting it using <link "
"href=\"https://code.google.com/p/cryptsetup/wiki/DMVerity\">dm-"
"verity</link>."
msgstr "最後に、ノードのカーネルには、残りのノードが既知の良好な状態で起動することを検証するメカニズムを取り入れるべきです。これにより、ブート検証プロセスからシステム全体の検証に至るまでの必要なリンクが提供されます。手順はデプロイメントによって異なります。例えば、カーネルモジュールは、<link href=\"https://code.google.com/p/cryptsetup/wiki/DMVerity\">dm-verity</link> を使用して、ファイルシステムをマウントする前に、そのファイルシステムを構成するブロック上のハッシュを検証することができます。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml120(title)
msgid "Runtime Verification"
msgstr "ランタイムの検証"
#: ./doc/security-guide/ch013_node-bootstrapping.xml121(para)
msgid ""
"Once the node is running, we need to ensure that it remains in a good state "
"over time. Broadly speaking, this includes both configuration management and"
" security monitoring. The goals for each of these areas are different. By "
"checking both, we achieve higher assurance that the system is operating as "
"desired. We discuss configuration management in the management section, and "
"security monitoring below."
msgstr "ノードが稼働したら、長時間にわたって良好な状態で稼働を継続するように確保する必要があります。大まかに言うと、これには設定管理とセキュリティ監視が含まれます。これらの各領域の目標は異なります。両方を確認することにより、システムが希望通りに稼働していることをより確実に保証します。設定管理については、管理のセクションおよび次のセキュリティ監視で説明します。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml123(title)
msgid "Intrusion Detection System"
msgstr "侵入検知システム"
#: ./doc/security-guide/ch013_node-bootstrapping.xml124(para)
msgid ""
"Host-based intrusion detection tools are also useful for automated "
"validation of the cloud internals. There are a wide variety of host-based "
"intrusion detection tools available. Some are open source projects that are "
"freely available, while others are commercial. Typically these tools analyze"
" data from a variety of sources and produce security alerts based on rule "
"sets and/or training. Typical capabilities include log analysis, file "
"integrity checking, policy monitoring, and rootkit detection. More advanced "
"-- often custom -- tools can validate that in-memory process images match "
"the on-disk executable and validate the execution state of a running "
"process."
msgstr "ホストベースの侵入検知ツールは、クラウド内部の検証の自動化にも役立ちます。ホストベースの侵入検知ツールにはさまざまな種類があります。オープンソースで自由に利用できるツールもあれば、商用のツールもあります。通常、これらのツールは、さまざまなソースからデータを分析し、ルールセットやトレーニングに基づいてセキュリティ警告を出します。標準的な機能には、ログ解析、ファイルの完全性チェック、ポリシー監視、ルートキット検出などがあります。また、より高度なツール (カスタムの場合が多い) を使用すると、インメモリープロセスイメージがオンディスクの実行可能ファイルと一致するかどうかを確認して、実行中のプロセスの実行状態を検証することができます。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml125(para)
msgid ""
"One critical policy decision for a cloud architect is what to do with the "
"output from a security monitoring tool. There are effectively two options. "
"The first is to alert a human to investigate and/or take corrective action. "
"This could be done by including the security alert in a log or events feed "
"for cloud administrators. The second option is to have the cloud take some "
"form of remedial action automatically, in addition to logging the event. "
"Remedial actions could include anything from re-installing a node to "
"performing a minor service configuration. However, automated remedial action"
" can be challenging due to the possibility of false positives."
msgstr "セキュリティ監視ツールの出力の処理方法は、クラウドアーキテクトにとっての重要なポリシー決定の一つです。オプションは実質的に 2 つあります。第 1 のオプションは、問題を調査して修正措置を取るように、人間に警告を発する方法です。これは、クラウド管理者向けのログまたはイベントのフィードにセキュリティ警告を組み込むことによって可能となります。第 2 のオプションは、イベントのログ記録に加えて、クラウドが何らかの形の修復措置を自動的に実行するように設定する方法です。修復措置にはノードの再インストールから、マイナーなサービス設定の実行まで含めることができます。ただし、自動修復措置は、誤検知の可能性があるため、困難となる場合があります。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml126(para)
msgid ""
"False positives occur when the security monitoring tool produces a security "
"alert for a benign event. Due to the nature of security monitoring tools, "
"false positives will most certainly occur from time to time. Typically a "
"cloud administrator can tune security monitoring tools to reduce the false "
"positives, but this may also reduce the overall detection rate at the same "
"time. These classic trade-offs must be understood and accounted for when "
"setting up a security monitoring system in the cloud."
msgstr "誤検知は、セキュリティ監視ツールが害のないイベントのセキュリティ警告を出した場合に発生します。セキュリティ警告ツールの性質上、時々誤検知が発生することは間違いありません。通常、クラウド管理者は、セキュリティ監視ツールを微調整して、誤検知を少なくすることができますが、これにより、全体的な検知率も同時に下がる場合があります。このような典型的トレードオフを理解し、クラウドにセキュリティ管理システムをセットアップする際には考慮に入れる必要があります。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml127(para)
msgid ""
"The selection and configuration of a host-based intrusion detection tool is "
"highly deployment specific. We recommend starting by exploring the following"
" open source projects which implement a variety of host-based intrusion "
"detection and file monitoring features."
msgstr "ホストベースの侵入検知ツールの選択と設定はデプロイメントによって大幅に異なります。多様なホストベースの侵入検知/ファイル監視機能を実装する以下のオープンソースプロジェクトの検討から開始することをお勧めします。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml129(link)
msgid "OSSEC"
msgstr "OSSEC"
#: ./doc/security-guide/ch013_node-bootstrapping.xml132(link)
msgid "Samhain"
msgstr "Samhain"
#: ./doc/security-guide/ch013_node-bootstrapping.xml135(link)
msgid "Tripwire"
msgstr "Tripwire"
#: ./doc/security-guide/ch013_node-bootstrapping.xml138(link)
msgid "AIDE"
msgstr "AIDE"
#: ./doc/security-guide/ch013_node-bootstrapping.xml141(para)
msgid ""
"Network intrusion detection tools complement the host-based tools. OpenStack"
" doesn't have a specific network IDS built-in, but OpenStack's networking "
"component, Neutron, provides a plugin mechanism to enable different "
"technologies via the Neutron API. This plugin architecture will allow "
"tenants to develop API extensions to insert and configure their own advanced"
" networking services like a firewall, an intrusion detection system, or a "
"VPN between the VMs."
msgstr "ネットワーク侵入検知ツールは、ホストベースのツールを補完します。OpenStack には、特定のネットワーク IDS は組み込まれていませんが、OpenStack のネットワークコンポーネントである Neutron は、Neutron API を使用して異なるテクノロジーを有効にするプラグインメカニズムを提供しています。このプラグインのアーキテクチャーにより、テナントは API 拡張機能を開発して、ファイアウォール、侵入検知システム、仮想マシン間の VPN などの独自の高度なネットワークサービスを挿入/設定することができます。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml142(para)
msgid ""
"Similar to host-based tools, the selection and configuration of a network-"
"based intrusion detection tool is deployment specific. <link "
"href=\"http://www.snort.org/\">Snort</link> is the leading open source "
"networking intrusion detection tool, and a good starting place to learn "
"more."
msgstr "ホストベースのツールと同様に、ネットワークベースの侵入検知ツールはデプロイメントによって異なります。 <link href=\"http://www.snort.org/\">Snort</link> は、先進的なオープンソースのネットワーク侵入検知ツールです。このツールを起点として、更に知識を深めてゆくとよいでしょう。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml143(para)
msgid ""
"There are a few important security considerations for network and host-based"
" intrusion detection systems."
msgstr "ネットワークおよびホストベースの侵入検知システムには、いくつかの重要なセキュリティ課題があります。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml145(para)
msgid ""
"It is important to consider the placement of the Network IDS on the cloud "
"(e.g., adding it to the network boundary and/or around sensitive networks). "
"The placement depends on your network environment but make sure to monitor "
"the impact the IDS may have on your services depending on where you choose "
"to add it. Encrypted traffic, such as SSL, cannot generally be inspected for"
" content by a Network IDS. However, the Network IDS may still provide some "
"benefit in identifying anomalous unencrypted traffic on the network."
msgstr "クラウドにネットワーク IDS の配置を検討することは重要です (例: ネットワーク境界や機密性の高いのネットワークに追加するなど)。 配置はネットワーク環境によって異なりますが、追加する場所によって IDS がサービスにもたらす可能性のある影響を確実に監視するようにしてください。通常 ネットワーク IDS は、SSL などの暗号化トラフィックを調査することはできませんが、ネットワーク上の異常な非暗号化トラフィックを特定するメリットを提供することができます。"
#: ./doc/security-guide/ch013_node-bootstrapping.xml148(para)
msgid ""
"In some deployments it may be required to add host-based IDS on sensitive "
"components on security domain bridges.  A host-based IDS may detect "
"anomalous activity by compromised or unauthorized processes on the "
"component. The IDS should transmit alert and log information on the "
"Management network."
msgstr "一部のデプロイメントでは、ホストベースの IDS をセキュリティドメインブリッジ上の機密性の高いコンポーネントに追加する必要がある場合があります。ホストベースの IDS は、そのコンポーネント上の侵害された、あるいは許可されていないプロセスによる異常なアクティビティを検知することができます。IDS は管理ネットワーク上で警告およびログ情報を伝送すべきです。"
#: ./doc/security-guide/ch038_transport-security.xml3(title)
msgid "Messaging Security"
msgstr "メッセージングのセキュリティ"
#: ./doc/security-guide/ch038_transport-security.xml4(para)
msgid ""
"This chapter discusses security hardening approaches for the three most "
"common message queuing solutions use in OpenStack: RabbitMQ, Qpid, and "
"ZeroMQ."
msgstr "この章では、OpenStack で使用される最も一般的なメッセージキュー製品である、Rabbit MQ、Qpid、ZeroMQ の堅牢化アプローチについて説明します。"
#: ./doc/security-guide/ch038_transport-security.xml6(title)
msgid "Messaging Transport Security"
msgstr "メッセージ通信路のセキュリティ"
#: ./doc/security-guide/ch038_transport-security.xml7(para)
msgid ""
"AMQP based solutions (Qpid and RabbitMQ) support transport-level security "
"using SSL. ZeroMQ messaging does not natively support SSL, but transport-"
"level security is possible using labelled IPSec or CIPSO network labels."
msgstr "AMQP ベースの製品 (Qpid, RabbitMQ) は SSL を用いた通信路レベルのセキュリティに対応しています。ZeroMQ はSSL をネイティブでサポートしていませんが、Labeled-IPSec や CIPSO ネットワークラベルを用いた通信路レベルのセキュア化に対応しています。"
#: ./doc/security-guide/ch038_transport-security.xml8(para)
msgid ""
"We highly recommend enabling transport-level cryptography for your message "
"queue. Using SSL for the messaging client connections provides protection of"
" the communications from tampering and eavesdropping in-transit to the "
"messaging server. Below is guidance on how SSL is typically configured for "
"the two popular messaging servers Qpid and RabbitMQ. When configuring the "
"trusted certificate authority (CA) bundle that your messaging server uses to"
" verify client connections, it is recommended that this be limited to only "
"the CA used for your nodes, preferably an internally managed CA. The bundle "
"of trusted CAs will determine which client certificates will be authorized "
"and pass the client-server verification step of the setting up the SSL "
"connection. Note, when installing the certificate and key files, ensure that"
" the file permissions are restricted, for example chmod 0600, and the "
"ownership is restricted to the messaging server daemon user to prevent "
"unauthorized access by other processes and users on the messaging server."
msgstr "メッセージキューには、通信路レベルでの暗号化を強く推奨します。メッセージクライアントとの接続に SSL を用いることで、メッセージサーバとの通信路における通信の改ざんや傍受を防ぐことが可能です。以下、よく使われる 2 種類のメッセージサーバ Qpid、および、RabbitMQ における一般的な SSL の設定について説明します。\nクライアント接続の正当性を保証する目的でメッセージサーバに証明機関 (CA) バンドルを設定する場合、該当ノードに限定した CA の使用を、またなるべくなら組織内部で管理している CA の使用を推奨します。\n信頼された CA バンドルは許可を与えるクライアント接続証明書を決定し、SSL 接続を張るためのクライアントサーバ検証のステップを通過させます。\n証明書とキーのファイルをインストールする際は、chmod 0600 などでファイルのパーミッションを限定させ、所有者をメッセージサーバのデーモンユーザに限定させるようにしてください。こうすることで、メッセージサーバ上の許可を与えていない他プロセスやユーザによるアクセスを防ぐことできます。"
#: ./doc/security-guide/ch038_transport-security.xml10(title)
msgid "RabbitMQ Server SSL Configuration"
msgstr "RabbitMQ サーバ SSL 設定"
#: ./doc/security-guide/ch038_transport-security.xml11(para)
msgid ""
"The following lines should be added to the system-wide RabbitMQ "
"configuration file, typically /etc/rabbitmq/rabbitmq.config:"
msgstr "下記の設定を RabbitMQ のシステム設定ファイルに追加します。通常、/etc/rabbitmq/rabbitmq.conf に保存されています。"
#: ./doc/security-guide/ch038_transport-security.xml24(para)
msgid ""
"Note, the 'tcp_listeners' option is set to '[]' to prevent it from listening"
" an on non-SSL port. 'ssl_listeners' option should be restricted to only "
"listen on the management network for the services."
msgstr "'tcp_listeners' オプションを '[]' に指定し、非 SSL ポートの接続を受け付けない設定にしていることに注意してください。 'ssl_listeners' オプションはサービスの管理ネットワークのみ受け付けるよう限定すべきです。"
#: ./doc/security-guide/ch038_transport-security.xml25(para)
msgid "For more information on RabbitMQ SSL configuration see:"
msgstr "RabbitMQ の SSL 設定に関する詳細は、以下を参照してください。"
#: ./doc/security-guide/ch038_transport-security.xml27(link)
msgid "RabbitMQ Configuration"
msgstr "RabbitMQ 設定"
#: ./doc/security-guide/ch038_transport-security.xml30(link)
msgid "RabbitMQ SSL"
msgstr "RabbitMQ SSL"
#: ./doc/security-guide/ch038_transport-security.xml35(title)
msgid "Qpid Server SSL Configuration"
msgstr "Qpid サーバ SSL 設定"
#: ./doc/security-guide/ch038_transport-security.xml36(para)
msgid "The Apache Foundation has a messaging security guide for Qpid. See:"
msgstr "Apache Foundation が Qpid のメッセージングセキュリティガイドを発行しています。"
#: ./doc/security-guide/ch038_transport-security.xml38(link)
msgid "Apache Qpid SSL"
msgstr "Apache Qpid SSL"
#: ./doc/security-guide/ch038_transport-security.xml44(title)
msgid "Queue Authentication and Access Control"
msgstr "キューの認証およびアクセス制御"
#: ./doc/security-guide/ch038_transport-security.xml45(para)
msgid ""
"RabbitMQ and Qpid offer authentication and access control mechanisms for "
"controlling access to queues. ZeroMQ offers no such mechanisms."
msgstr "RabbitMQ と Qpid はキューへのアクセス制御を目的とした、認証およびアクセス制御の仕組みを持っています。ZeroMQ にはこのような仕組みは備わっていません。"
#: ./doc/security-guide/ch038_transport-security.xml46(para)
msgid ""
"Simple Authentication and Security Layer (SASL) is a framework for "
"authentication and data security in Internet protocols. Both RabbitMQ and "
"Qpid offer SASL and other pluggable authentication mechanisms beyond simple "
"usernames and passwords that allow for increased authentication security. "
"While RabbitMQ supports SASL, support in OpenStack does not currently allow "
"for requesting a specific SASL authentication mechanism. RabbitMQ support in"
" OpenStack allows for either username and password authentication over an "
"unencrypted connection or username and password in conjunction with X.509 "
"client certificates to establish the secure SSL connection."
msgstr "Simple Authentication and Security Layer (SASL) はインターネットプロトコルにおける認証とデータセキュリティのフレームワークです。RabbitMQ と Qpid は SASL の他、プラグイン形式の認証メカニズムを提供しており、単純なユーザ名とパスワードよりもセキュアな認証が可能になっています。RabbitMQ は SASL をサポートしているものの、現在の OpenStack は特定の SASL 認証メカニズムの使用を許可していません。RabbitMQ では、非暗号化接続でのユーザ名とパスワード認証か、X.509 クライアント証明書を用いたセキュアな SSL 接続でのユーザ名とパスワード認証がサポートされています。"
#: ./doc/security-guide/ch038_transport-security.xml47(para)
msgid ""
"We recommend configuring X.509 client certificates on all the OpenStack "
"service nodes for client connections to the messaging queue and where "
"possible (currently only Qpid) perform authentication with X.509 client "
"certificates. When using usernames and passwords, accounts should be created"
" per-service and node for finer grained auditability of access to the queue."
msgstr "全ての OpenStack サービスノードにおいて、メッセージキューへのクライアント接続に X.509 クライアント証明書を設定することを推奨します。また可能なら、X.509 クライアント証明書での認証も推奨します。(現在、Qpid のみがサポート)\nユーザ名とパスワードを用いる場合、キューに対するアクセスの監査の粒度を細かくする目的で、アカウントはサービス毎、ード毎に作成するべきです。"
#: ./doc/security-guide/ch038_transport-security.xml48(para)
msgid ""
"The SSL libraries in use by these queuing servers should also be considered "
"prior to deployment. Qpid uses Mozilla's NSS library, whereas RabbitMQ uses "
"Erlang's SSL module which uses OpenSSL."
msgstr "また、キューサーバが使用する SSL ライブラリについても展開の前に考慮しておく必要があります。Qpid はMozilla の NSS ライブラリを、RabbitMQ は OpenSSL を使う Erlang の SSL モジュールを用いています。"
#: ./doc/security-guide/ch038_transport-security.xml50(title)
msgid "Authentication Configuration Example - RabbitMQ"
msgstr "認証設定例 - RabbitMQ"
#: ./doc/security-guide/ch038_transport-security.xml51(para)
msgid "On the RabbitMQ server, delete the default 'guest' user:"
msgstr "RabbitMQ サーバで、デフォルトの 'guest' ユーザを削除します。"
#: ./doc/security-guide/ch038_transport-security.xml54(para)
msgid ""
"On the RabbitMQ server, for each OpenStack service or node that communicates"
" with the message queue set up user accounts and privileges:"
msgstr "RabbitMQ サーバにて、メッセージキューを使用する各 OpenStack サービス、または、ノード毎にユーザアカウントと権限を設定します。"
#: ./doc/security-guide/ch038_transport-security.xml58(para)
msgid "For additional configuration information see:"
msgstr "追加の設定情報は以下を参照してください。"
#: ./doc/security-guide/ch038_transport-security.xml60(link)
msgid "RabbitMQ Access Control"
msgstr "RabbitMQ アクセス制御"
#: ./doc/security-guide/ch038_transport-security.xml63(link)
msgid "RabbitMQ Authentication"
msgstr "RabbitMQ 認証"
#: ./doc/security-guide/ch038_transport-security.xml66(link)
msgid "RabbitMQ Plugins"
msgstr "RabbitMQ プラグイン"
#: ./doc/security-guide/ch038_transport-security.xml69(link)
msgid "RabbitMQ SASL External Auth"
msgstr "RabbitMQ SASL 外部認証"
#: ./doc/security-guide/ch038_transport-security.xml74(title)
msgid "OpenStack Service Configuration - RabbitMQ"
msgstr "OpenStack サービス設定 - RabbitMQ"
#: ./doc/security-guide/ch038_transport-security.xml86(para)
msgid ""
"NOTE: A bug exists in the current version of OpenStack Grizzly where if "
"'kombu_ssl_version' is currently specified in the configuration file for any"
" of the OpenStack services it will cause the following python traceback "
"error: 'TypeError: an integer is required'. The current workaround is to "
"remove 'kombu_ssl_version' from the configuration file. Refer to <link "
"href=\"https://bugs.launchpad.net/oslo/+bug/1195431\">bug report "
"1195431</link> for current status."
msgstr "注意 : Grizzly バージョンでは、設定ファイルに \"kombu_ssl_version\" が定義されていると、下記の Python トレースバックエラーが発生します。\n'TypeError: an integer is required'\n\"kombu_ssl_version\" を設定ファイルから削除することで、このエラーを防ぐことが可能です。現在の状況は、bug report 1195431 https://bugs.launchpad.net/oslo/+bug/1195431 を参照してください。"
#: ./doc/security-guide/ch038_transport-security.xml89(title)
msgid "Authentication Configuration Example - Qpid"
msgstr "認証設定例 - Qpid"
#: ./doc/security-guide/ch038_transport-security.xml90(para)
msgid "For configuration information see:"
msgstr "設定情報は以下を参照してください。"
#: ./doc/security-guide/ch038_transport-security.xml92(link)
msgid "Apache Qpid Authentication"
msgstr "Apache Qpid 認証"
#: ./doc/security-guide/ch038_transport-security.xml95(link)
msgid "Apache Qpid Authorization"
msgstr "Apache Qpid 認可"
#: ./doc/security-guide/ch038_transport-security.xml100(title)
msgid "OpenStack Service Configuration - Qpid"
msgstr "OpenStack サービス設定 - Qpid"
#: ./doc/security-guide/ch038_transport-security.xml109(para)
msgid ""
"Optionally, if using SASL with Qpid specify the SASL mechanisms in use by "
"adding:"
msgstr "オプションとして Qpid で SASL を使用する場合は、下記のように SASL メカニズムを指定します。"
#: ./doc/security-guide/ch038_transport-security.xml115(title)
msgid "Message Queue Process Isolation &amp; Policy"
msgstr "メッセージキュープロセスのアイソレーションとポリシー"
#: ./doc/security-guide/ch038_transport-security.xml116(para)
msgid ""
"Each project provides a number of services which send and consume messages. "
"Each binary which sends a message is expected to consume messages, if only "
"replies, from the queue."
msgstr "各プロジェクトは多数のサービスを提供し、それぞれがメッセージを送信、消費します。メッセージを送信した各バイナリは、リプライのみの場合、該当キューからメッセージを消費するはずです。"
#: ./doc/security-guide/ch038_transport-security.xml117(para)
msgid ""
"Message queue service processes should be isolated from each other and other"
" processes on a machine."
msgstr "メッセージキューサービスのプロセスは、他のキューサービスのプロセスや、同一マシン上の他プロセスと分離すべきです。"
#: ./doc/security-guide/ch038_transport-security.xml120(para)
msgid ""
"Network namespaces are highly recommended for all services running on "
"OpenStack Compute Hypervisors. This will help prevent against the bridging "
"of network traffic between VM guests and the management network."
msgstr "ネットワーク名前空間の設定は、OpenStack コンピュートハイパーバイザを動作させる全てのサービスで強く推奨します。ネットワーク名前空間を用いることで、VM ゲストと管理ネットワークのトラフィックがブリッジングされることを防ぎます。"
#: ./doc/security-guide/ch038_transport-security.xml121(para)
msgid ""
"When using ZeroMQ messaging, each host must run at least one ZeroMQ message "
"receiver to receive messages from the network and forward messages to local "
"processes via IPC. It is possible and advisable to run an independent "
"message receiver per project within an IPC namespace, along with other "
"services within the same project."
msgstr "ZeroMQ メッセージングを使用する場合、ネットワーク経由のメッセージ受信と、IPC経由によるローカルプロセスへのメッセージ送信のために、各ホストに最低 1 つの ZeroMQ メッセージレシーバーを走らせる必要があります。IPC 名前空間内にプロジェクト毎で独立したメッセージレシーバーを構築することが可能であり望ましいです。また同様に、同一プロジェクト内でも異なるサービスごとに独立したメッセージレシーバーを構築することが望ましいです。"
#: ./doc/security-guide/ch038_transport-security.xml125(para)
msgid ""
"Queue servers should only accept connections from the management network. "
"This applies to all implementations. This should be implemented through "
"configuration of services and optionally enforced through global network "
"policy."
msgstr "キューサーバーは管理ネットワークからの接続のみを受け付けるべきであり、この方針はあらゆる実装に適用されます。サービスの設定を通して実装し、任意でグローバルネットワークポリシーを追加で実装します。"
#: ./doc/security-guide/ch038_transport-security.xml126(para)
msgid ""
"When using ZeroMQ messaging, each project should run a separate ZeroMQ "
"receiver process on a port dedicated to services belonging to that project. "
"This is equivalent to the AMQP concept of control exchanges."
msgstr "ZeroMQ を使用するのであれば、各プロジェクトで独立した専用のポート上で動作する ZeroMQ レシーバープロセスを用意すべきです。これは、AMQP のコントロール exchange の概念に相当します。"
#: ./doc/security-guide/ch038_transport-security.xml130(para)
msgid ""
"The configuration for these processes should be restricted to those "
"processes, not only by Directory Access Controls, but through Mandatory "
"Access Controls. The goal of such restrictions is to prevent isolation from "
"other processes running on the same machine(s)."
msgstr "各プロセスに行なった設定は、他プロセスに影響を与えないよう制限をかけるべきです。そのためには、ダイレクトアクセス制御のみではなく、強制アクセス制御を使用します。このような制限をかけるのは、同一マシンで動作する他プロセスとの隔離を防ぐことが目的です。"
#: ./doc/security-guide/ch044_case-studies-database.xml3(title)
msgid "Case Studies: Database"
msgstr ""
#: ./doc/security-guide/ch044_case-studies-database.xml4(para)
msgid ""
"In this case study we discuss how Alice and Bob would address database "
"selection and configuration for their respective private and public clouds."
msgstr ""
#: ./doc/security-guide/ch044_case-studies-database.xml7(para)
msgid ""
"Alice's organization has high availability concerns, so she has elected to "
"use MySQL for the database. She further places the database on the "
"Management network and uses SSL with mutual authentication among the "
"services to ensure secure access. Given there will be no external access of "
"the database, she uses certificates signed with the organization's self-"
"signed root certificate on the database and its access endpoints. Alice "
"creates separate user accounts for each database user, and configures the "
"database to use both passwords and X.509 certificates for authentication. "
"She elects not to use the <systemitem class=\"service\">nova-"
"conductor</systemitem> sub-service due to the desire for fine-grained access"
" control policies and audit support."
msgstr ""
#: ./doc/security-guide/ch044_case-studies-database.xml11(para)
msgid ""
"Bob is concerned about strong separation of his tenants' data, so he has "
"elected to use the Postgres database , known for its stronger security "
"features.  The database resides on the Management network and uses SSL with "
"mutual authentication with the services. Since the database is on the "
"Management network, the database uses certificates signed with the company's"
" self-signed root certificate. Bob creates separate user accounts for each "
"database user, and configures the database to use both passwords and X.509 "
"certificates for authentication. He elects not to use the <systemitem "
"class=\"service\">nova-conductor</systemitem> sub-service due to a desire "
"for fine-grained access control."
msgstr ""
#. When image changes, this message will be marked fuzzy or untranslated for
#. you.
#. It doesn't matter what you translate it to: it's not used at all.
#: ./doc/security-guide/ch001_acknowledgements.xml8(None)
#: ./doc/security-guide/ch001_acknowledgements.xml11(None)
msgid ""
"@@image: 'static/book-sprint-all-logos.png'; "
"md5=f2d97c3130c32f31412f5af41ad72d39"
msgstr "@@image: 'static/book-sprint-all-logos.png'; md5=f2d97c3130c32f31412f5af41ad72d39"
#: ./doc/security-guide/ch001_acknowledgements.xml3(title)
msgid "Acknowledgments"
msgstr "謝辞"
#: ./doc/security-guide/ch001_acknowledgements.xml4(para)
msgid ""
"The OpenStack Security Group would like to acknowledge contributions from "
"the following organizations who were instrumental in making this book "
"possible. These are:"
msgstr "OpenStack Security Group は、このドキュメントの作成を手助けしていただいた以下の組織の貢献に感謝いたします。"
#. When image changes, this message will be marked fuzzy or untranslated for
#. you.
#. It doesn't matter what you translate it to: it's not used at all.
#: ./doc/security-guide/ch033_securing-neutron-services.xml24(None)
#: ./doc/security-guide/ch033_securing-neutron-services.xml27(None)
msgid ""
"@@image: 'static/1aa-logical-neutron-flow.png'; "
"md5=63bd2e81863b9b381adb1c6951517498"
msgstr ""
#: ./doc/security-guide/ch033_securing-neutron-services.xml3(title)
msgid "Securing OpenStack Networking Services"
msgstr ""
#: ./doc/security-guide/ch033_securing-neutron-services.xml4(para)
msgid ""
"In order to secure OpenStack Networking, an understanding of the workflow "
"process for tenant instance creation needs to be mapped to security domains."
" "
msgstr ""
#: ./doc/security-guide/ch033_securing-neutron-services.xml5(para)
msgid ""
"There are four main services that interact with OpenStack Networking. In a "
"typical OpenStack deployment these services map to the following security "
"domains:"
msgstr ""
#: ./doc/security-guide/ch033_securing-neutron-services.xml7(para)
msgid "OpenStack Dashboard: Public and Management"
msgstr ""
#: ./doc/security-guide/ch033_securing-neutron-services.xml10(para)
msgid "OpenStack Identity: Management"
msgstr ""
#: ./doc/security-guide/ch033_securing-neutron-services.xml13(para)
msgid "OpenStack Compute Node: Management and Guest"
msgstr ""
#: ./doc/security-guide/ch033_securing-neutron-services.xml16(para)
msgid ""
"OpenStack Network Node: Management, Guest, and possibly Public depending "
"upon neutron-plugin in use."
msgstr ""
#: ./doc/security-guide/ch033_securing-neutron-services.xml19(para)
msgid ""
"SDN Services Node: Management, Guest and possibly Public depending upon "
"product used."
msgstr ""
#: ./doc/security-guide/ch033_securing-neutron-services.xml30(para)
msgid ""
"In order to isolate sensitive data communication between the OpenStack "
"Networking services and other OpenStack core services, we strongly recommend"
" that these communication channels be configured to only allow "
"communications over an isolated management network."
msgstr ""
#: ./doc/security-guide/ch033_securing-neutron-services.xml32(title)
msgid "OpenStack Networking Service Configuration"
msgstr ""
#: ./doc/security-guide/ch033_securing-neutron-services.xml34(title)
msgid "Restrict Bind Address of the API server: neutron-server"
msgstr ""
#: ./doc/security-guide/ch033_securing-neutron-services.xml35(para)
msgid ""
"To restrict the interface or IP address on which the OpenStack Networking "
"API service binds a network socket for incoming client connections, specify "
"the bind_host and bind_port in the neutron.conf file as shown:"
msgstr ""
#: ./doc/security-guide/ch033_securing-neutron-services.xml44(title)
msgid ""
"Restrict DB and RPC communication of the OpenStack Networking services:"
msgstr ""
#: ./doc/security-guide/ch033_securing-neutron-services.xml45(para)
msgid ""
"Various components of the OpenStack Networking services use either the "
"messaging queue or database connections to communicate with other components"
" in OpenStack Networking."
msgstr ""
#: ./doc/security-guide/ch033_securing-neutron-services.xml46(para)
msgid ""
"It is recommended that you follow the guidelines provided in the Database "
"Authentication and Access Control chapter in the Database section for all "
"components that require direct DB connections."
msgstr ""
#: ./doc/security-guide/ch033_securing-neutron-services.xml47(para)
msgid ""
"It is recommended that you follow the guidelines provided in the Queue "
"Authentication and Access Control chapter in the Messaging section for all "
"components that require RPC communication."
msgstr ""
#. When image changes, this message will be marked fuzzy or untranslated for
#. you.
#. It doesn't matter what you translate it to: it's not used at all.
#: ./doc/security-guide/ch004_book-introduction.xml64(None)
#: ./doc/security-guide/ch004_book-introduction.xml67(None)
msgid ""
"@@image: 'static/marketecture-diagram.png'; "
"md5=4ab13a64f80c210be3120abc5c7aee8a"
msgstr "@@image: 'static/marketecture-diagram.png'; md5=4ab13a64f80c210be3120abc5c7aee8a"
#: ./doc/security-guide/ch004_book-introduction.xml3(title)
msgid "Introduction to OpenStack"
msgstr "OpenStack の概要"
#: ./doc/security-guide/ch004_book-introduction.xml4(para)
msgid ""
"This guide provides security insight into OpenStack deployments. The "
"intended audience is cloud architects, deployers, and administrators. In "
"addition, cloud users will find the guide both educational and helpful in "
"provider selection, while auditors will find it useful as a reference "
"document to support their compliance certification efforts. This guide is "
"also recommended for anyone interested in cloud security."
msgstr "本ガイドは、OpenStack のデプロイメントにおける、セキュリティに関する洞察を提供します。クラウドアーキテクト、デプロイ担当者、管理者などを対象読者としています。また、クラウドユーザーが知識を高めたり、プロバイダー選択に役立つ情報を記載している一方、監査担当者が、コンプライアンス認証関連の業務を支援する参考資料としてご利用いただくことができます。本ガイドは、クラウドのセキュリティに関心を持つ読者全般にもお奨めします。"
#: ./doc/security-guide/ch004_book-introduction.xml11(para)
msgid ""
"Each OpenStack deployment embraces a wide variety of technologies, spanning "
"Linux distributions, database systems, messaging queues, OpenStack "
"components themselves, access control policies, logging services, security "
"monitoring tools, and much more. It should come as no surprise that the "
"security issues involved are equally diverse, and their in-depth analysis "
"would require several guides. We strive to find a balance, providing enough "
"context to understand OpenStack security issues and their handling, and "
"provide external references for further information. The guide could be read"
" from start to finish or sampled as necessary like a reference."
msgstr "OpenStack の各デプロイメントには、Linux ディストリビューション、データベースシステム、メッセージキュー、OpenStack のコンポーネント自体、アクセス制御ポリシー、ログサービス、セキュリティ監視ツールなどに及ぶ、多種多様なテクノロジーが採用されます。このため、デプロイに伴うセキュリティ問題が、同じように多様となることは当然です。それらの内容を奥深く分析するには、マニュアルが数冊必要となります。 本ガイドでは、OpenStack のセキュリティ問題とその対処方法を理解するために十分な情報を提供しつつ、さらなる情報の外部参照先を掲載することにより、バランスを図っています。本書は、全体を通読する方法または参考資料として必要箇所のみを参照する方法のいずれでもご利用いただくことができます。"
#: ./doc/security-guide/ch004_book-introduction.xml12(para)
msgid ""
"We briefly introduce the kinds of clouds: private, public, and hybrid before"
" presenting an overview of the OpenStack components and their related "
"security concerns in the remainder of the chapter."
msgstr "本章では、プライベート、パブリック、ハイブリッドというクラウドの各種類について簡単に説明した後、後半に OpenStack のコンポーネントおよびそれらに関連するセキュリティ課題について概説します。"
#: ./doc/security-guide/ch004_book-introduction.xml14(title)
msgid "Cloud types"
msgstr "クラウドのタイプ"
#: ./doc/security-guide/ch004_book-introduction.xml15(para)
msgid ""
"OpenStack is a key enabler in adoption of cloud technology and has several "
"common deployment use cases. These are commonly known as Public, Private, "
"and Hybrid models. The following sections use the National Institute of "
"Standards and Technology (NIST) <link "
"href=\"http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf\">definition"
" of cloud</link> to introduce these different types of cloud as they apply "
"to OpenStack."
msgstr "OpenStack は、クラウドテクロジーの導入における重要なイネーブラーであり、一般的なデプロイメントユースケースがいくつかあります。これらは、パブリック、プライベート、およびハイブリッドモデルとして一般に知られています。以下のセクションでは、National Institute of Standards and Technology (NIST) <link href=\"http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf\"> のクラウドの定義</link> を取り上げ、OpenStack に適用するクラウドの異なるタイプについて説明します。"
#: ./doc/security-guide/ch004_book-introduction.xml17(title)
msgid "Public cloud"
msgstr "パブリッククラウド"
#: ./doc/security-guide/ch004_book-introduction.xml18(para)
msgid ""
"According to NIST, a public cloud is one in which the infrastructure is open"
" to the general public for consumption. OpenStack public clouds are "
"typically run by a service provider and can be consumed by individuals, "
"corporations, or any paying customer. A public cloud provider may expose a "
"full set of features such as software defined networking, block storage, in "
"addition to multiple instance types. Due to the nature of public clouds, "
"they are exposed to a higher degree of risk. As a consumer of a public cloud"
" you should validate that your selected provider has the necessary "
"certifications, attestations, and other regulatory considerations. As a "
"public cloud provider, depending on your target customers, you may be "
"subject to one or more regulations. Additionally, even if not required to "
"meet regulatory requirements, a provider should ensure tenant isolation as "
"well as protecting management infrastructure from external attacks."
msgstr "NIST によると、パブリッククラウドは、一般市民が利用できるようにインフラストラクチャーが公開されているクラウドと定義されています。OpenStack のパブリッククラウドは、通常サービスプロバイダーによって運用され、個人、法人、または料金を支払っている顧客が利用することができます。パブリッククラウドプロバイダーは、複数のインスタンスタイプに加えて、ソフトウェア定義ネットワーク、ブロックストレージなどの各種機能を公開することができます。パブリッククラウドはその性質上、より高いレベルのリスクにさらされます。パブリッククラウドの利用者は、選択したプロバイダーが必要な認定および認証を取得しているか、その他の法規制に関する考慮事項に対応しているかなどの点を確認しておく必要があります。パブリッククラウドプロバイダーは、ターゲット顧客に応じて、1 つまたは複数の法規制の影響を受ける場合があります。また、プロバイダーは、法規制の要件を満たす必要がない場合でも、管理インフラストラクチャーを外部の攻撃から保護するために、テナントの分離を確実に行う必要があります。"
#: ./doc/security-guide/ch004_book-introduction.xml36(title)
msgid "Private cloud"
msgstr "プライベートクラウド"
#: ./doc/security-guide/ch004_book-introduction.xml37(para)
msgid ""
"At the opposite end of the spectrum is the private cloud. As NIST defines "
"it, a private cloud is provisioned for exclusive use by a single "
"organization comprising multiple consumers (e.g. business units). It may be "
"owned, managed, and operated by the organization, a third-party, or some "
"combination of them, and it may exist on or off premises. Private cloud use "
"cases are diverse, as such, their individual security concerns vary."
msgstr "パブリッククラウドの対極にあるのがプライベートクラウドです。NIST は、プライベートクラウドを、複数の利用者 (例: 事業組織) から成る単一の組織の専用使用のために提供されるクラウドと定義しています。プライベートクラウドの所有、管理、および運用は、その組織、第三者、もしくはそれらの組み合わせにより行われ、存在場所としては、その組織の施設内または外部の場合があります。プライベートクラウドのユースケースは多様であるため、セキュリティ課題もそれぞれで異なります。"
#: ./doc/security-guide/ch004_book-introduction.xml47(title)
msgid "Community cloud"
msgstr "コミュニティクラウド"
#: ./doc/security-guide/ch004_book-introduction.xml48(para)
msgid ""
"NIST defines a community cloud as one whose  infrastructure is provisioned "
"for the exclusive use by a specific community of consumers from "
"organizations that have shared concerns (e.g., mission, security "
"requirements, policy, and compliance considerations). It may be owned, "
"managed, and operated by one or more of the organizations in the community, "
"a third-party, or some combination of them, and it may exist on or off "
"premises."
msgstr "NIST では、コミュニティクラウドを、共通の関心事 (例: 任務、セキュリティ要件、ポリシー、法令順守に関わる考慮事項) を持つ複数の組織から成る特定の利用者の共同体の専用使用のために提供されるクラウドと定義しています。コミュニティクラウドの所有、管理、および運用は、共同体内の 1 つまたは複数の組織、第三者、もしくはそれらの組み合わせにより行われ、存在場所はその組織の施設内または外部の場合があります。"
#: ./doc/security-guide/ch004_book-introduction.xml51(title)
msgid "Hybrid cloud"
msgstr "ハイブリッドクラウド"
#: ./doc/security-guide/ch004_book-introduction.xml52(para)
msgid ""
"A hybrid cloud is defined by NIST as a composition of two or more distinct "
"cloud infrastructures (private, community, or public) that remain unique "
"entities, but are bound together by standardized or proprietary technology "
"that enables data and application portability (e.g., cloud bursting for load"
" balancing between clouds). For example an online retailer may have their "
"advertising and catalogue presented on a public cloud that allows for "
"elastic provisioning. This would enable them to handle seasonal loads in a "
"flexible, cost-effective fashion. Once a customer begins to process their "
"order, they are transferred to the more secure private cloud backend that is"
" PCI compliant."
msgstr "NIST では、ハイブリッドクラウドを、2 つ以上の異なるクラウドインフラストラクチャー (プライベート、コミュニティ、パブリック) を組み合わせたクラウドと定義しています。各クラウドは、依然として独自のエンティティですが、データおよびアプリケーションの移植性を可能にする標準化された技術あるいは専有技術 (例: クラウド間の負荷分散のためのクラウドバーストなど) により結合されます。例えば、オンライン小売業者は、柔軟なプロビジョニングが可能なパブリッククラウドに広告やカタログを掲示している場合があります。これにより、柔軟かつ費用対効果の高い方法で季節的な負荷に対応することが可能となります。顧客が発注処理を開始すると、よりセキュアなプライベートクラウドのバックエンドに転送されます。"
#: ./doc/security-guide/ch004_book-introduction.xml53(para)
msgid ""
"For the purposes of this document, we treat Community and Hybrid similarly, "
"dealing explicitly only with the extremes of Public and Private clouds from "
"a security perspective. Your security measures depend where your deployment "
"falls upon the private public continuum."
msgstr "本ガイドにおいては、コミュニティクラウドとハイブリッドクラウドを同様に扱い、パブリッククラウドとプライベートクラウドの両極のみをセキュリティ面から明確に説明します。セキュリティ対策は、デプロイメントがプライベート/パブリッククラウドの連続体のどこに位置するかによって異なります。"
#: ./doc/security-guide/ch004_book-introduction.xml61(title)
msgid "OpenStack service overview"
msgstr "OpenStack サービスの概観"
#: ./doc/security-guide/ch004_book-introduction.xml62(para)
msgid ""
"OpenStack embraces a modular architecture to provide a set of core services "
"that facilitates scalability and elasticity as core design tenets. This "
"chapter briefly reviews OpenStack components, their use cases and security "
"considerations."
msgstr "OpenStack は、モジュール型アーキテクチャーを採用し、中核的な設計理念としてスケーラビリティと柔軟性を促進する一式のコアサービスを提供します。本章では、OpenStack のコンポーネントとそれらのユースケースおよびセキュリティに関する考慮事項を簡単に説明します。"
#: ./doc/security-guide/ch004_book-introduction.xml72(para)
msgid ""
"OpenStack Compute Service (Nova) provides services to support the management"
" of virtual machine instances at scale, instances that host multi-tiered "
"applications, dev/test environments, \"Big Data\" crunching Hadoop clusters,"
" and/or high performance computing."
msgstr ""
#: ./doc/security-guide/ch004_book-introduction.xml73(para)
msgid ""
"The Compute Service facilitates this management through an abstraction layer"
" that interfaces with supported hypervisors, which we address later on in "
"more detail."
msgstr ""
#: ./doc/security-guide/ch004_book-introduction.xml74(para)
msgid ""
"Later in the guide, we focus generically on the virtualization stack as it "
"relates to hypervisors."
msgstr "本ガイドの後半では、ハイパーバイザーと関連する仮想化スタックに焦点をあてて、包括的に解説します。"
#: ./doc/security-guide/ch004_book-introduction.xml76(para)
msgid ""
"For information about the current state of feature support, see <link "
"href=\"https://wiki.openstack.org/wiki/HypervisorSupportMatrix\">OpenStack "
"Hypervisor Support Matrix</link>."
msgstr "機能サポートの現在の状況に関する情報は、 <link href=\"https://wiki.openstack.org/wiki/HypervisorSupportMatrix\">OpenStack Hypervisor Support Matrix</link> を参照してください。"
#: ./doc/security-guide/ch004_book-introduction.xml80(para)
msgid ""
"The security of Compute is critical for an OpenStack deployment. Hardening "
"techniques should include support for strong instance isolation, secure "
"communication between Compute sub-components, and resiliency of public-"
"facing <glossterm>API</glossterm> endpoints."
msgstr ""
#: ./doc/security-guide/ch004_book-introduction.xml83(title)
#: ./doc/security-guide/ch027_storage.xml3(title)
msgid "Object Storage"
msgstr "オブジェクトストレージ"
#: ./doc/security-guide/ch004_book-introduction.xml84(para)
msgid ""
"The OpenStack Object Storage Service (Swift) provides support for storing "
"and retrieving arbitrary data in the cloud. The Object Storage Service "
"provides both a native API and an Amazon Web Services S3 compatible API. The"
" service provides a high degree of resiliency through data replication and "
"can handle petabytes of data."
msgstr ""
#: ./doc/security-guide/ch004_book-introduction.xml85(para)
msgid ""
"It is important to understand that object storage differs from traditional "
"file system storage. It is best used for static data such as media files "
"(MP3s, images, videos), virtual machine images, and backup files."
msgstr "オブジェクトストレージは、従来のファイルシステムストレージと異なる点を理解しておくことが重要です。メディアファイル (MP3、画像、ビデオ) や仮想マシンイメージ、バックアップファイルなどの静的データに使用するのに最適です。"
#: ./doc/security-guide/ch004_book-introduction.xml86(para)
msgid ""
"Object security should focus on access control and encryption of data in "
"transit and at rest. Other concerns may relate to system abuse, illegal or "
"malicious content storage, and cross authentication attack vectors."
msgstr "オブジェクトのセキュリティは、アクセス制御と、伝送中および静止中のデータの暗号化に重点を置くべきです。その他の懸念事項には、システムの悪用、不法または悪意のあるコンテンツの保管、クロス認証の攻撃ベクトルなどに関する問題があげられます。"
#: ./doc/security-guide/ch004_book-introduction.xml89(title)
msgid "Block Storage"
msgstr "ブロックストレージ"
#: ./doc/security-guide/ch004_book-introduction.xml90(para)
msgid ""
"The OpenStack Block Storage service (Cinder) provides persistent block "
"storage for compute instances. The Block Storage Service is responsible for "
"managing the life-cycle of block devices, from the creation and attachment "
"of volumes to instances, to their release."
msgstr ""
#: ./doc/security-guide/ch004_book-introduction.xml95(para)
msgid ""
"Security considerations for block storage are similar to that of object "
"storage."
msgstr "ブロックストレージのセキュリティ課題は、オブジェクトストレージの場合と同様です。"
#: ./doc/security-guide/ch004_book-introduction.xml98(title)
msgid "OpenStack Networking"
msgstr "OpenStack Networking"
#: ./doc/security-guide/ch004_book-introduction.xml99(para)
msgid ""
"The OpenStack Networking Service (Neutron, previously called Quantum) "
"provides various networking services to cloud users (tenants) such as IP "
"address management, <glossterm>DNS</glossterm>, <glossterm>DHCP</glossterm>,"
" load balancing, and security groups (network access rules, like firewall "
"policies). It provides a framework for software defined networking (SDN) "
"that allows for pluggable integration with various networking solutions."
msgstr ""
#: ./doc/security-guide/ch004_book-introduction.xml100(para)
msgid ""
"OpenStack Networking allows cloud tenants to manage their guest network "
"configurations. Security concerns with the networking service include "
"network traffic isolation, availability, integrity and confidentiality."
msgstr "OpenStack Networking により、クラウドテナントはゲストのネットワーク設定を管理することができます。ネットワークサービスに伴うセキュリティ上の問題には、 ネットワークトラフィックの隔離、可用性、完全性、機密性などがあげられます。"
#: ./doc/security-guide/ch004_book-introduction.xml104(para)
msgid ""
"The OpenStack Dashboard Service (Horizon) provides a web-based interface for"
" both cloud administrators and cloud tenants. Through this interface "
"administrators and tenants can provision, manage, and monitor cloud "
"resources. Horizon is commonly deployed in a public facing manner with all "
"the usual security concerns of public web portals."
msgstr ""
#: ./doc/security-guide/ch004_book-introduction.xml107(title)
msgid "Identity Service"
msgstr "Identity サービス"
#: ./doc/security-guide/ch004_book-introduction.xml108(para)
msgid ""
"The OpenStack Identity Service (Keystone) is a <emphasis "
"role=\"bold\">shared service</emphasis> that provides authentication and "
"authorization services throughout the entire cloud infrastructure. The "
"Identity Service has pluggable support for multiple forms of authentication."
msgstr ""
#: ./doc/security-guide/ch004_book-introduction.xml109(para)
msgid ""
"Security concerns here pertain to trust in authentication, management of "
"authorization tokens, and secure communication."
msgstr "ここでのセキュリティ課題には、認証の信頼、承認トークンの管理、セキュリティ保護された通信などがあげられます。"
#: ./doc/security-guide/ch004_book-introduction.xml112(title)
msgid "Image Service"
msgstr "Image Service"
#: ./doc/security-guide/ch004_book-introduction.xml113(para)
msgid ""
"The OpenStack Image Service (Glance) provides disk image management "
"services. The Image Service provides image discovery, registration, and "
"delivery services to Compute, the compute service, as needed."
msgstr ""
#: ./doc/security-guide/ch004_book-introduction.xml114(para)
msgid ""
"Trusted processes for managing the life cycle of disk images are required, "
"as are all the previously mentioned issues with respect to data security."
msgstr "前述したデータセキュリティに関する問題と同様に、ディスクイメージのライフサイクル管理には信頼されたプロセスが必要です。"
#: ./doc/security-guide/ch004_book-introduction.xml117(title)
msgid "Other supporting technology"
msgstr "その他の支援技術"
#: ./doc/security-guide/ch004_book-introduction.xml118(para)
msgid ""
"OpenStack relies on messaging for internal communication between several of "
"its services. By default, OpenStack uses message queues based on the "
"Advanced Message Queue Protocol (<glossterm>AMQP</glossterm>). Similar to "
"most OpenStack services, it supports pluggable components. Today the "
"implementation backend could be <glossterm>RabbitMQ</glossterm>, "
"<glossterm>Qpid</glossterm>, or <glossterm>ZeroMQ</glossterm>."
msgstr "OpenStack は、メッセージングに依存して、複数のサービス間の内部通信を行います。デフォルトでは、OpenStack は Advanced Message Queue Protocol (<glossterm>AMQP</glossterm>) をベースとするメッセージキューを使用します。これは、大半の OpenStack サービスと同様に、プラグ可能なコンポーネントをサポートしています。現在は、<glossterm>RabbitMQ</glossterm>、 <glossterm>Qpid</glossterm>、または <glossterm>ZeroMQ</glossterm> を実装バックエンドにすることができます。"
#: ./doc/security-guide/ch004_book-introduction.xml119(para)
msgid ""
"As most management commands flow through the message queueing system, it is "
"a primary security concern for any OpenStack deployment. Message queueing "
"security is discussed in detail later in this guide."
msgstr "メッセージキューシステムは、大半の管理コマンドが通過するので、OpenStack のデプロイメントにおける重要なセキュリティ課題です。メッセージキューのセキュリティについては、本ガイドの後半で詳述します。"
#: ./doc/security-guide/ch004_book-introduction.xml120(para)
msgid ""
"Several of the components use databases though it is not explicitly called "
"out. Securing the access to the databases and their contents is yet another "
"security concern, and consequently discussed in more detail later in this "
"guide."
msgstr "一部のコンポーネントは、データベースを明示的に呼び出さずに使用します。データベースおよびそのコンテンツへのアクセスのセキュリティ保護は、もう一つのセキュリティ課題であるため、本ガイドの後半でさらに詳しく説明します。"
#: ./doc/security-guide/ch063_compliance-activities.xml3(title)
msgid "Compliance Activities"
msgstr "コンプライアンス活動"
#: ./doc/security-guide/ch063_compliance-activities.xml4(para)
msgid ""
"There are a number of standard activities that will greatly assist with the "
"compliance process. In this chapter we outline some of the most common "
"compliance activities. These are not specific to OpenStack, however we "
"provide references to relevant sections in this book as useful context."
msgstr "コンプライアンスのプロセスを大きく推進する、標準的な活動は数多くあります。この章ではいくつかの代表的なコンプライアンス活動を紹介します。これらはOpenStack固有ではありませんが、関係がわかるよう、このガイドの関連する節への参照も記載します。"
#: ./doc/security-guide/ch063_compliance-activities.xml6(title)
msgid "Information Security Management System (ISMS)"
msgstr "Information Security Management System (ISMS)"
#: ./doc/security-guide/ch063_compliance-activities.xml7(para)
msgid ""
"An Information Security Management System (ISMS) is a comprehensive set of "
"policies and processes that an organization creates and maintains to manage "
"risk to information assets. The most common ISMS for cloud deployments is "
"<link href=\"http://www.27000.org/iso-27001.htm\">ISO/IEC 27001/2</link>, "
"which creates a solid foundation of security controls and practices for "
"achieving more stringent compliance certifications."
msgstr "Information Security Management System (ISMS)は包括的なポリシーとポロセスの集合です。組織が情報資産に関するリスクを管理するため、作成、維持します。もっとも一般的なクラウド向けISMSは<link href=\"http://www.27000.org/iso-27001.htm\">ISO/IEC 27001/2</link>です。より厳格なコンプライアンス認証取得に向けて、セキュリティ統制と実践の確かな基盤を構築します。 "
#: ./doc/security-guide/ch063_compliance-activities.xml10(title)
msgid "Risk Assessment"
msgstr "リスク評価"
#: ./doc/security-guide/ch063_compliance-activities.xml11(para)
msgid ""
"A Risk Assessment framework identifies risks within an organization or "
"service, and specifies ownership of these risks, along with implementation "
"and mitigation strategies. Risks apply to all areas of the service, from "
"technical controls to environmental disaster scenarios and human elements, "
"for example a malicious insider (or rogue employee). Risks can be rated "
"using a variety of mechanisms, for example likelihood vs impact. An "
"OpenStack deployment risk assessment can include control gaps that are "
"described in this book."
msgstr "リスク評価フレームワークは、組織やサービス内のリスクを特定します。また、それらのリスクと実装、緩和戦略それぞれの責任者を明確にします。リスクは全てのサービスで特定されるべきで、その範囲は技術統制から環境災害、人的要因など多岐にわたります。人的要因の例は、悪意ある内部監視者(や不良社員)などです。リスクは発生確率や影響度など、多様な指標を使って評価されます。OpenStack環境のリスク評価は、,このガイドで触れられている統制のギャップを含みます。"
#: ./doc/security-guide/ch063_compliance-activities.xml14(title)
msgid "Access &amp; Log Reviews"
msgstr "アクセスとログの検査"
#: ./doc/security-guide/ch063_compliance-activities.xml15(para)
msgid ""
"Periodic access and log reviews are required to ensure authentication, "
"authorization, and accountability in a service deployment. Specific guidance"
" for OpenStack on these topics are discussed in-depth in the logging "
"section."
msgstr "定期的なアクセスとログの検査は、認証、認可とサービス配備における責任を明確にするため、必要です。これらのトピックに関するOpenStack向けのガイダンスは、ロギングの節で詳細に説明します。"
#: ./doc/security-guide/ch063_compliance-activities.xml18(title)
msgid "Backup and Disaster Recovery"
msgstr "バックアップと災害対策"
#: ./doc/security-guide/ch063_compliance-activities.xml19(para)
msgid ""
"Disaster Recovery (DR) and Business Continuity Planning (BCP) plans are "
"common requirements for ISMS and compliance activities. These plans must be "
"periodically tested as well as documented. In OpenStack key areas are found "
"in the management security domain, and anywhere that single points of "
"failure (SPOFs) can be identified. See the section on secure backup and "
"recovery for additional details."
msgstr "災害対策(Disaster Recovery, DR)とビジネス継続計画(Business Continuity Planning, BCP)はISMSとコンプライアンス活動で共通の要件です。それらの計画は定期的な検査と文書化が必要とします。OpenStackの主要領域はマネジメントセキュリティ領域にあたり、すべての単一障害点(Single Point of Failures, SPOFs)が特定されなければいけません。詳細は、安全なバックアップとリカバリーの節を参照してください。"
#: ./doc/security-guide/ch063_compliance-activities.xml22(title)
msgid "Security Training"
msgstr "セキュリティトレーニング"
#: ./doc/security-guide/ch063_compliance-activities.xml23(para)
msgid ""
"Annual, role-specific, security training is a mandatory requirement for "
"almost all compliance certifications and attestations. To optimise the "
"effectiveness of security training, a common method is to provide role "
"specific training, for example to developers, operational personnel, and "
"non-technical employees. Additional cloud security or OpenStack security "
"training based on this hardening guide would be ideal."
msgstr "年次でのロール別セキュリティトレーニングは、ほぼすべてのコンプライアンス認証、認定で必須の要件です。セキュリティトレーニングの効果を最適化するため、一般的にはロール別に実施します。たとえば開発者、運用担当者、非技術者別、などです。加えて、このガイドにもとづくクラウド、OpenStackセキュリティに関するトレーニングの実施が理想的でしょう。"
#: ./doc/security-guide/ch063_compliance-activities.xml26(title)
msgid "Security Reviews"
msgstr "セキュリティの検査"
#: ./doc/security-guide/ch063_compliance-activities.xml27(para)
msgid ""
"As OpenStack is a popular open source project, much of the codebase and "
"architecture has been scrutinized by individual contributors, organizations "
"and enterprises. This can be advantageous from a security perspective, "
"however the need for security reviews is still a critical consideration for "
"service providers, as deployments vary, and security is not always the "
"primary concern for contributors. A comprehensive security review process "
"may include architectural review, threat modelling, source code analysis and"
" penetration testing. There are many techniques and recommendations for "
"conducting security reviews that can be found publicly posted. A well-tested"
" example is the <link "
"href=\"http://www.microsoft.com/security/sdl/process/release.aspx\">Microsoft"
" SDL</link>, created as part of the Microsoft Trustworthy Computing "
"Initiative."
msgstr "OpenStackは人気のあるオープンソースプロジェクトです。多くのソースコードとアーキテクチャーはデベロッパー、組織、企業によって精査されています。これはセキュリティの観点から大きな利点ですが、セキュリティ検査はサービスプロバイダーにとって、それでもなお重大な懸念事項です。環境は変化しつづけますが、セキュリティは必ずしも開発者の一番の関心事ではないからです。包括的なセキュリティ検査プロセスとして、アーキテクチャー検査、脅威のモデリング、ソースコード分析と侵入テストなどが挙げられます。そして、セキュリティ検査には広く公開されている多くのテクニックと推奨があります。よくテストされた例として、Microsoft Trustworthy Computing Initiativeのとりくみとして作成された、<link href=\"http://www.microsoft.com/security/sdl/process/release.aspx\">Microsoft SDL</link>があります。"
#: ./doc/security-guide/ch063_compliance-activities.xml44(para)
msgid ""
"Security updates are critical to any IaaS deployment, whether private or "
"public. Vulnerable systems expand attack surfaces, and are obvious targets "
"for attackers. Common scanning technologies and vulnerability notification "
"services can help mitigate this threat. It is important that scans are "
"authenticated and that mitigation strategies extend beyond simple perimeter "
"hardening. Multi-tenant architectures such as OpenStack are particularly "
"prone to hypervisor vulnerabilities, making this a critical part of the "
"system for vulnerability management. See the section on instance isolation "
"for additional details."
msgstr "セキュリティアップデートはプライベート、パブリックを問わず、あらゆるIaaS環境において重要です。脆弱なシステムは攻撃面を広げ、攻撃者にターゲットをさらしてしまいます。一般的なスキャニング技術と脆弱性検知サービスはこの脅威を和らげるのに役立ちます。スキャンが認証されたものであり、その緩和戦略が単なる境界線の防御力向上にとどまらないことが重要です。OpenStackのようなマルチテナントアーキテクチャーは特にハイパーバイザーの脆弱性に影響されやすく、それはシステムの脆弱性管理の重点項目です。詳細はインスタンス隔離の節を参照してください。"
#: ./doc/security-guide/ch063_compliance-activities.xml47(title)
msgid "Data Classification"
msgstr "データの分類"
#: ./doc/security-guide/ch063_compliance-activities.xml48(para)
msgid ""
"Data Classification defines a method for classifying and handling "
"information, often to protect customer information from accidental or "
"deliberate theft, loss, or inappropriate disclosure. Most commonly this "
"involves classifying information as sensitive or non-sensitive, or as "
"personally identifiable information (PII). Depending on the context of the "
"deployment various other classifying criteria may be used (government, "
"health-care etc). The underlying principle is that data classifications are "
"clearly defined and in-use. The most common protective mechanisms include "
"industry standard encryption technologies. See the data security section for"
" additional details."
msgstr "データの分類作業は、多くの場合、顧客情報を事故、故意の窃盗、損失、不適切な公開から保護するため、情報の分類と扱いの方法を定義します。一般的にこの作業は、情報を機密性の有無、個人識別の可不可(Personally Identifiable Information, PII)による分類を含みます。使用される基準はその環境、背景によって様々です(政府、ヘルスケアなど)。そして根本的な原則は、そのデータ分類が明確に定義され、通常利用されていることです。もっとも一般的な保護メカニズムには、業界標準の暗号化技術が挙げられます。詳細はデータセキュリティの節を参照してください。"
#: ./doc/security-guide/ch063_compliance-activities.xml51(title)
msgid "Exception Process"
msgstr "例外プロセス"
#: ./doc/security-guide/ch063_compliance-activities.xml52(para)
msgid ""
"An exception process is an important component of an ISMS. When certain "
"actions are not compliant with security policies that an organization has "
"defined, they must be logged. Appropriate justification, description and "
"mitigation details need to be included, and signed off by appropriate "
"authorities. OpenStack default configurations may vary in meeting various "
"compliance criteria, areas that fail to meet compliance requirements should "
"be logged, with potential fixes considered for contribution to the "
"community."
msgstr "例外プロセスはISMSの重要な要素です。とある行動が組織の定義したセキュリティポリシーに準拠していない場合、それは記録されなければいけません。適正な理由と緩和策の詳細が含まれ、関係当局に認められる必要があります。OpenStackのデフォルト構成は、様々なコンプライアンス基準、記録されるべきコンプライアンス基準を満たすべく、変化していくでしょう。またそれは、コミュニティへの貢献によって修正されていく可能性があります。"
#. When image changes, this message will be marked fuzzy or untranslated for
#. you.
#. It doesn't matter what you translate it to: it's not used at all.
#: ./doc/security-guide/ch027_storage.xml37(None)
msgid ""
"@@image: 'static/swift_network_diagram-1.png'; "
"md5=83c094bb051cbe5e6161d3f7442f6136"
msgstr "@@image: 'static/swift_network_diagram-1.png'; md5=83c094bb051cbe5e6161d3f7442f6136"
#. When image changes, this message will be marked fuzzy or untranslated for
#. you.
#. It doesn't matter what you translate it to: it's not used at all.
#: ./doc/security-guide/ch027_storage.xml90(None)
#: ./doc/security-guide/ch027_storage.xml96(None)
msgid ""
"@@image: 'static/swift_network_diagram-2.png'; "
"md5=69f8effe3f5d0f3cbccfb8c5a5dd299e"
msgstr "@@image: 'static/swift_network_diagram-2.png'; md5=69f8effe3f5d0f3cbccfb8c5a5dd299e"
#: ./doc/security-guide/ch027_storage.xml4(para)
msgid ""
"OpenStack Object Storage (Swift) is a service that provides storage and "
"retrieval of data over HTTP. Objects (blobs of data) are stored in an "
"organizational hierarchy that offers anonymous read-only access or ACL "
"defined access based on the authentication mechanism."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml9(para)
msgid ""
"A consumer can store objects, modify them, or access them using the HTTP "
"protocol and REST APIs. Backend components of Object Storage use different "
"protocols for keeping the information synchronized in a redundant cluster of"
" services. For more details on the API and the backend components see the "
"<link href=\"http://docs.openstack.org/api/openstack-object-"
"storage/1.0/content/\">OpenStack Storage documentation</link>."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml15(para)
msgid ""
"For this document the components will be grouped into the following primary "
"groups:"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml19(para)
msgid "Proxy services"
msgstr "プロキシサービス"
#: ./doc/security-guide/ch027_storage.xml20(para)
msgid "Auth services"
msgstr "認証サービス"
#: ./doc/security-guide/ch027_storage.xml23(para)
#: ./doc/security-guide/ch027_storage.xml140(td)
msgid "Account service"
msgstr "アカウントサービス"
#: ./doc/security-guide/ch027_storage.xml24(para)
#: ./doc/security-guide/ch027_storage.xml145(td)
msgid "Container service"
msgstr "コンテナーサービス"
#: ./doc/security-guide/ch027_storage.xml25(para)
#: ./doc/security-guide/ch027_storage.xml150(td)
msgid "Object service"
msgstr "オブジェクトサービス"
#: ./doc/security-guide/ch027_storage.xml21(para)
msgid "Storage services <placeholder-1/>"
msgstr "ストレージサービス <placeholder-1/>"
#: ./doc/security-guide/ch027_storage.xml31(title)
msgid ""
"An example diagram from the OpenStack Object Storage Administration Guide "
"(2013)"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml42(para)
msgid ""
"An Object Storage environment does not have to necessarily be on the "
"Internet and could also be a private cloud with the \"Public Switch\" being "
"part of the organizations internal network infrastructure."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml50(title)
msgid "First thing to secure the network"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml51(para)
msgid ""
"The first aspect of a secure architecture design for Object Storage is in "
"the networking component. The Storage service nodes use rsync between each "
"other for copying data to provide replication and high availability. In "
"addition, the proxy service communicates with the Storage service when "
"relaying data back and forth between the end-point client and the cloud "
"environment."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml58(para)
msgid ""
"None of these use any type of encryption or authentication at this "
"layer/tier."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml60(para)
msgid ""
"This is why you see a \"Private Switch\" or private network ([V]LAN) in "
"architecture diagrams. This data domain should be separate from other "
"OpenStack data networks as well. For further discussion on security domains "
"please see <xref linkend=\"ch005_security-domains\"/>."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml66(para)
msgid ""
"<emphasis>Rule:</emphasis> Use a private (V)LAN network segment for your "
"Storage services in the data domain."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml69(para)
msgid ""
"This necessitates that the Proxy service nodes have dual interfaces "
"(physical or virtual):"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml72(para)
msgid "One as a \"public\" interface for consumers to reach"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml74(para)
msgid "Another as a \"private\" interface with access to the storage nodes"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml77(para)
msgid "The following figure demonstrates one possible network architecture."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml82(title)
msgid "Object storage network architecture with a management node (OSAM)"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml103(title)
msgid "Securing services general"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml105(title)
msgid "Service runas user"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml106(para)
msgid ""
"It is recommended that you configure each service to run under a non-root "
"(UID 0) service account. One recommendation is the username \"swift\" with "
"primary group \"swift.\""
msgstr ""
#: ./doc/security-guide/ch027_storage.xml112(title)
msgid "File permissions"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml113(para)
msgid ""
"/etc/swift contains information about the ring topology and environment "
"configuration. The following permissions are recommended:"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml121(para)
msgid ""
"This restricts only root to be able to modify configuration files while "
"allowing the services to read them via their group membership in \"swift.\""
msgstr ""
#: ./doc/security-guide/ch027_storage.xml127(title)
msgid "Securing storage services"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml128(para)
msgid ""
"The following are the default listening ports for the various storage "
"services:"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml133(td)
msgid "Service Name"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml134(td)
msgid "Port"
msgstr "ポート"
#: ./doc/security-guide/ch027_storage.xml135(td)
msgid "Type"
msgstr "種別"
#: ./doc/security-guide/ch027_storage.xml141(td)
msgid "6002"
msgstr "6002"
#: ./doc/security-guide/ch027_storage.xml142(td)
#: ./doc/security-guide/ch027_storage.xml147(td)
#: ./doc/security-guide/ch027_storage.xml152(td)
#: ./doc/security-guide/ch027_storage.xml157(td)
msgid "TCP"
msgstr "TCP"
#: ./doc/security-guide/ch027_storage.xml146(td)
msgid "6001"
msgstr "6001"
#: ./doc/security-guide/ch027_storage.xml151(td)
msgid "6000"
msgstr "6000"
#: ./doc/security-guide/ch027_storage.xml155(td)
msgid "Rsync"
msgstr "Rsync"
#: ./doc/security-guide/ch027_storage.xml156(td)
msgid "873"
msgstr "873"
#: ./doc/security-guide/ch027_storage.xml161(para)
msgid ""
"Authentication does not happen at this level in Object Storage. If someone "
"was able to connect to a Storage service node on one of these ports they "
"could access or modify data without authentication. In order to secure "
"against this issue you should follow the recommendations given previously "
"about using a private storage network."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml168(title)
msgid "Object storage \"account\" terminology"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml169(para)
msgid ""
"An Object Storage \"Account\" is not a user account or credential. The "
"following explains the relations:"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml174(td)
msgid "OpenStack Object Storage Account"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml175(td)
msgid ""
"Collection of containers; not user accounts or authentication. Which users "
"are associated with the account and how they may access it depends on the "
"authentication system used. See authentication systems later. Referred to in"
" this document as OSSAccount."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml184(td)
msgid "OpenStack Object Storage Containers"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml185(td)
msgid ""
"Collection of objects. Metadata on the container is available for ACLs. The "
"meaning of ACLs is dependent on the authentication system used."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml191(td)
msgid "OpenStack Object Storage Objects"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml192(td)
msgid ""
"The actual data objects. ACLs at the object level are also possible with "
"metadata. It is dependent on the authentication system used."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml200(para)
msgid ""
"<?dbhtml bgcolor=\"#DDFADE\" ?><?dbfo bgcolor=\"#DDFADE\" ?> Another way of "
"thinking about the above would be: A single shelf (Account) holds zero or "
"more -&gt; buckets (Containers) which each hold zero or more -&gt; objects. "
"A garage (Object Storage cloud environment) may have multiple shelves "
"(Accounts) with each shelf belonging to zero or more users."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml210(para)
msgid ""
"At each level you may have ACLs that dictate who has what type of access. "
"ACLs are interpreted based on what authentication system is in use. The two "
"most common types of authentication providers used are Keystone and SWAuth. "
"Custom authentication providers are also possible. Please see the Object "
"Storage Authentication section for more information."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml220(title)
msgid "Securing proxy services"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml221(para)
msgid ""
"A Proxy service node should have at least two interfaces (physical or "
"virtual): one public and one private. The public interface may be protected "
"via firewalls or service binding. The public facing service is an HTTP web "
"server that processes end-point client requests, authenticates them, and "
"performs the appropriate action. The private interface does not require any "
"listening services but is instead used to establish outgoing connections to "
"storage service nodes on the private storage network."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml231(title)
msgid "Use SSL/TLS"
msgstr "SSL/TLS の使用"
#: ./doc/security-guide/ch027_storage.xml232(para)
msgid ""
"The built-in or included web server that comes with Swift supports SSL, but "
"it does not support transmission of the entire SSL certificate chain. This "
"causes issues when you use a third party trusted and signed certificate (ex:"
" Verisign) for your cloud. The current work around is to not use the built-"
"in web server but an alternative web server instead that supports sending "
"both the public server certificate as well as the CA signing authorities "
"intermediate certificate(s). This allows for end-point clients that have the"
" CA root certificate in their trust store to be able to successfully "
"validate your cloud environments SSL certificate and chain. An example of "
"how to do this with mod_wsgi and Apache is given below. Also consult the "
"<link "
"href=\"http://docs.openstack.org/developer/swift/apache_deployment_guide.html\">Apache"
" Deployment Guide</link>"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml248(para)
msgid "Modify file <filename>/etc/apache2/envvars</filename> with"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml254(para)
msgid "An alternative is to modify your Apache conf file with"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml260(para)
msgid "Create a \"swift\" directory in your Apache document root:"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml263(para)
msgid ""
"Create the file <filename>$YOUR_APACHE_DOC_ROOT/swift/proxy-"
"server.wsgi</filename>:"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml269(title)
msgid "HTTP listening port"
msgstr "HTTP リッスンポート"
#: ./doc/security-guide/ch027_storage.xml270(para)
msgid ""
"You should run your Proxy service web server as a non-root (no UID 0) user "
"such as \"swift\" mentioned before. The use of a port greater than 1024 is "
"required to make this easy and avoid running any part of the web container "
"as root. Doing so is not a burden as end-point clients are not typically "
"going to type in the URL manually into a web browser to browse around in the"
" object storage. Additionally, for clients using the HTTP REST API and "
"performing authentication they will normally automatically grab the full "
"REST API URL they are to use as provided by the authentication response. "
"OpenStacks REST API allows for a client to authenticate to one URL and then"
" be told to use a completely different URL for the actual service. Example: "
"Client authenticates to "
"<uri>https://identity.cloud.example.org:55443/v1/auth</uri> and gets a "
"response with their authentication key and Storage URL (the URL of the proxy"
" nodes or load balancer) of "
"<uri>https://swift.cloud.example.org:44443/v1/AUTH_8980</uri>."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml291(para)
msgid ""
"The method for configuring your web server to start and run as a non-root "
"user varies by web server and OS."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml296(title)
msgid "Load balancer"
msgstr "負荷分散装置"
#: ./doc/security-guide/ch027_storage.xml297(para)
msgid ""
"If the option of using Apache is not feasible or for performance you wish to"
" offload your SSL work you may employ a dedicated network device load "
"balancer. This is also the common way to provide redundancy and load "
"balancing when using multiple proxy nodes."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml302(para)
msgid ""
"If you choose to offload your SSL ensure that the network link between the "
"load balancer and your proxy nodes is on a private (V)LAN segment such that "
"other nodes on the network (possibly compromised) cannot wiretap (sniff) the"
" unencrypted traffic. If such a breach were to occur the attacker could gain"
" access to end-point client or cloud administrator credentials and access "
"the cloud data."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml310(para)
msgid ""
"The authentication service you use (e.g. Keystone, SWAuth) will determine "
"how you configure a different URL in the responses to end-clients so they "
"use your load balancer instead of an individual Proxy service node."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml318(title)
msgid "Object storage authentication"
msgstr ""
#: ./doc/security-guide/ch027_storage.xml319(para)
msgid ""
"Object Storage uses wsgi to provide a middleware for authentication of end-"
"point clients. The authentication provider defines what roles and user types"
" exist. Some use traditional username and password credentials while others "
"may leverage API key tokens or even client-side x.509 SSL certificates. "
"Custom providers can be integrated in using the wsgi model."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml327(title)
msgid "Keystone"
msgstr "Keystone"
#: ./doc/security-guide/ch027_storage.xml328(para)
msgid ""
"Keystone is the commonly used Identity provider in OpenStack. It may also be"
" used for authentication in Object Storage. Coverage of securing Keystone is"
" already provided in <xref linkend=\"ch024_authentication\"/>."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml334(title)
msgid "SWAuth"
msgstr "SWAuth"
#: ./doc/security-guide/ch027_storage.xml335(para)
msgid ""
"SWAuth is another alternative to Keystone. In contrast to Keystone it stores"
" the user accounts, credentials, and metadata in object storage itself. More"
" information can be found on the SWAuth website at <link "
"href=\"http://gholt.github.io/swauth/\">http://gholt.github.io/swauth/</link>."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml344(title)
msgid "Other notable items"
msgstr "他の重要事項"
#: ./doc/security-guide/ch027_storage.xml345(para)
msgid ""
"In /etc/swift/swift.conf on every service node there is a "
"\"swift_hash_path_suffix\" setting. This is provided to reduce the chance of"
" hash collisions for objects being stored and avert one user overwriting the"
" data of another user."
msgstr ""
#: ./doc/security-guide/ch027_storage.xml350(para)
msgid ""
"This value should be initially set with a cryptographically secure random "
"number generator and consistent across all service nodes. Ensure that it is "
"protected with proper ACLs and that you have a backup copy to avoid data "
"loss."
msgstr ""
#: ./doc/security-guide/ch006_introduction-to-case-studies.xml3(title)
msgid "Introduction to Case Studies"
msgstr "事例の概要"
#: ./doc/security-guide/ch006_introduction-to-case-studies.xml4(para)
msgid ""
"Throughout this guide we will refer to two running case studies. We "
"introduce them here and will return to them at the end of each chapter."
msgstr "本ガイドでは、全体を通して、2 つの運用事例を参照しています。これら 2 つの事例は、本セクションで説明した後、各章の最後で再度取り上げます。"
#: ./doc/security-guide/ch006_introduction-to-case-studies.xml6(title)
msgid "Case Study : Alice the private cloud builder"
msgstr "事例: プライベートクラウドビルダーのアリス"
#: ./doc/security-guide/ch006_introduction-to-case-studies.xml7(para)
msgid ""
"Alice is deploying a private cloud for use by a government department in the"
" US. The cloud must comply with relevant standards such as FedRAMP. The "
"security paperwork requirements for this cloud are very high. It will have "
"no direct access to the internet: its API endpoints, compute instances and "
"other resources will be exposed only to systems within the department's "
"network which is entirely air-gapped from all other networks. The cloud can "
"access other network services on the Organization's Intranet e.g. the "
"authentication and logging services."
msgstr "アリスは、米国のある政府機関で使用するクラウドをデプロイしています。このクラウドは、FedRAMP などの関連基準に準拠する必要があり、またセキュリティ関連の文書業務を行う必要性が非常に高くなっています。クラウドは、インターネットには直接アクセスできません。API エンドポイント、コンピュートインスタンス、およびその他のリソースは、その政府機関のネットワーク内のシステムに対してのみ公開されます。このネットワークは、他の全ネットワークから完全に隔離されています。クラウドは、この政府機関のイントラネット上で、認証/ロギングサービスなどの他のネットワークサービスにアクセスすることが可能です。"
#: ./doc/security-guide/ch006_introduction-to-case-studies.xml10(title)
msgid "Case Study : Bob the public cloud provider"
msgstr "事例: パブリッククラウドプロバイダーのボブ"
#: ./doc/security-guide/ch006_introduction-to-case-studies.xml11(para)
msgid ""
"Bob is a lead architect for a company deploying a large greenfield public "
"cloud. This cloud will provide IaaS for the masses, allowing any consumer "
"with a valid credit card access to utility computing and storage but the "
"primary focus is enterprise customers. Data privacy concerns are a big "
"priority for Bob as they are seen as a major barrier to large-scale adoption"
" of the cloud by organizations."
msgstr "ボブは、新規展開する大規模なパブリッククラウドのデプロイを行う会社のリードアーキテクトです。このクラウドは、有効なクレジットカードを持つ消費者が、ユーティリティコンピューティングやストレージに使用できる一般大衆向けの IaaS を提供しますが、第 1 のターゲットは 企業顧客です。企業の間では、データプライバシー問題は、大規模なクラウド導入の大きな障害と見なされているため、ボブにとって優先課題となっています。"
#: ./doc/security-guide/ch030_state-of-networking.xml3(title)
msgid "State of Networking"
msgstr "ネットワークの状態"
#: ./doc/security-guide/ch030_state-of-networking.xml4(para)
msgid ""
"OpenStack Networking in the Grizzly release enables the end-user or tenant "
"to define, utilize, and consume networking resources in new ways that had "
"not been possible in previous OpenStack Networking releases. OpenStack "
"Networking provides a tenant-facing API for defining network connectivity "
"and IP addressing for instances in the cloud in addition to orchestrating "
"the network configuration. With the transition to an API-centric networking "
"service, cloud architects and administrators should take into consideration "
"best practices to secure physical and virtual network infrastructure and "
"services."
msgstr "Grizzly リリースの OpenStack Networking により、エンドユーザーまたはテナントは、以前の OpenStack Networking リリースではできなかった新しい方法でネットワークリソースを定義、利用、消費することが可能です。OpenStack Networking は、ネットワーク設定のオーケストレーションに加えて、クラウド内のインスタンスを対象としたネットワーク接続の定義と IP アドレス指定用の対テナント API を提供します。API 中心のネットワークサービスへの移行にあたっては、クラウドのアーキテクトや管理者が、物理/仮想ネットワークのインフラストラクチャーとサービスをセキュリティ保護するためのベストプラクティスを考慮すべきです。"
#: ./doc/security-guide/ch030_state-of-networking.xml5(para)
msgid ""
"OpenStack Networking was designed with a plug-in architecture that provides "
"extensibility of the API via open source community or third-party services. "
"As you evaluate your architectural design requirements, it is important to "
"determine what features are available in OpenStack Networking core services,"
" any additional services that are provided by third-party products, and what"
" supplemental services are required to be implemented in the physical "
"infrastructure."
msgstr "OpenStack Networking は、オープンソースコミュニティやサードパーティーのサービスによる API の拡張性を提供するプラグインアーキテクチャーで設計されました。アーキテクチャーの設計要件を評価するにあたっては、OpenStack Networking のコアサービスではどのような機能が提供されているか、サードパーティの製品によって提供される追加のサービスがあるかどうか、物理インフラストラクチャーにはどのような補足サービスを実装する必要があるかを判断することが重要です。"
#: ./doc/security-guide/ch030_state-of-networking.xml6(para)
msgid ""
"This section is a high-level overview of what processes and best practices "
"should be considered when implementing OpenStack Networking. We will talk "
"about the current state of services that are available, what future services"
" will be implemented, and the current limitations in this project."
msgstr "本項には、OpenStack Networking を実装する際に検討すべきプロセスとベストプラクティスについての大まかな概要をまとめています。提供されているサービスの現在の状況 、将来実装されるサービス、本プロジェクトにおける現在の制限事項などについて説明します。"
#: ./doc/security-guide/ch043_database-transport-security.xml3(title)
msgid "Database Transport Security"
msgstr ""
#: ./doc/security-guide/ch043_database-transport-security.xml4(para)
msgid ""
"This chapter covers issues related to network communications to and from the"
" database server. This includes IP address bindings and encrypting network "
"traffic with SSL."
msgstr ""
#: ./doc/security-guide/ch043_database-transport-security.xml6(title)
msgid "Database Server IP Address Binding"
msgstr ""
#: ./doc/security-guide/ch043_database-transport-security.xml7(para)
msgid ""
"To isolate sensitive database communications between the services and the "
"database, we strongly recommend that the database server(s) be configured to"
" only allow communications to and from the database over an isolated "
"management network. This is achieved by restricting the interface or IP "
"address on which the database server binds a network socket for incoming "
"client connections."
msgstr ""
#: ./doc/security-guide/ch043_database-transport-security.xml9(title)
msgid "Restricting Bind Address for MySQL"
msgstr ""
#: ./doc/security-guide/ch043_database-transport-security.xml10(para)
#: ./doc/security-guide/ch043_database-transport-security.xml33(para)
msgid "In my.cnf:"
msgstr ""
#: ./doc/security-guide/ch043_database-transport-security.xml17(title)
msgid "Restricting Listen Address for PostgreSQL"
msgstr ""
#: ./doc/security-guide/ch043_database-transport-security.xml18(para)
msgid "In postgresql.conf:"
msgstr ""
#: ./doc/security-guide/ch043_database-transport-security.xml24(title)
msgid "Database Transport"
msgstr ""
#: ./doc/security-guide/ch043_database-transport-security.xml25(para)
msgid ""
"In addition to restricting database communications to the management "
"network, we also strongly recommend that the cloud administrator configure "
"their database backend to require SSL. Using SSL for the database client "
"connections  protects the communications from tampering and eavesdropping. "
"As will be discussed in the next section, using SSL also provides the "
"framework for doing database user authentication via X.509 certificates "
"(commonly referred to as PKI). Below is guidance on how SSL is typically "
"configured for the two popular database backends MySQL and PostgreSQL."
msgstr ""
#: ./doc/security-guide/ch043_database-transport-security.xml27(para)
msgid ""
"NOTE: When installing the certificate and key files, ensure that the file "
"permissions are restricted, for example <literal>chmod 0600</literal>, and "
"the ownership is restricted to the database daemon user to prevent "
"unauthorized access by other processes and users on the database server."
msgstr ""
#: ./doc/security-guide/ch043_database-transport-security.xml31(title)
msgid "MySQL SSL Configuration"
msgstr ""
#: ./doc/security-guide/ch043_database-transport-security.xml32(para)
msgid ""
"The following lines should be added in the system-wide MySQL configuration "
"file:"
msgstr ""
#: ./doc/security-guide/ch043_database-transport-security.xml40(para)
#: ./doc/security-guide/ch043_database-transport-security.xml50(para)
msgid ""
"Optionally, if you wish to restrict the set of SSL ciphers used for the "
"encrypted connection. See <link "
"href=\"http://www.openssl.org/docs/apps/ciphers.html\">http://www.openssl.org/docs/apps/ciphers.html</link>"
" for a list of ciphers and the syntax for specifying the cipher string:"
msgstr ""
#: ./doc/security-guide/ch043_database-transport-security.xml46(title)
msgid "PostgreSQL SSL Configuration"
msgstr ""
#: ./doc/security-guide/ch043_database-transport-security.xml47(para)
msgid ""
"The following lines should be added in the system-wide PostgreSQL "
"configuration file, <literal>postgresql.conf</literal>."
msgstr ""
#: ./doc/security-guide/ch043_database-transport-security.xml53(para)
msgid ""
"The server certificate, key, and certificate authority (CA) files should be "
"placed in the $PGDATA directory in the following files:"
msgstr ""
#: ./doc/security-guide/ch043_database-transport-security.xml55(para)
msgid "$PGDATA/server.crt - Server certificate"
msgstr ""
#: ./doc/security-guide/ch043_database-transport-security.xml58(para)
msgid "$PGDATA/server.key - Private key corresponding to server.crt"
msgstr ""
#: ./doc/security-guide/ch043_database-transport-security.xml61(para)
msgid "$PGDATA/root.crt - Trusted certificate authorities"
msgstr ""
#: ./doc/security-guide/ch043_database-transport-security.xml64(para)
msgid "$PGDATA/root.crl - Certificate revocation list"
msgstr ""
#: ./doc/security-guide/ch048_key-management.xml3(title)
msgid "Key Management"
msgstr ""
#: ./doc/security-guide/ch048_key-management.xml4(para)
msgid ""
"To address the often mentioned concern of tenant data privacy and limiting "
"cloud provider liability, there is greater interest within the OpenStack "
"community to make data encryption more ubiquitous. It is relatively easy for"
" an end-user to encrypt their data prior to saving it to the cloud, and this"
" is a viable path for tenant objects such as media files, database archives "
"among others. However, when client side encryption is used for virtual "
"machine images, block storage etc, client intervention is necessary in the "
"form of presenting keys to unlock the data for further use. To seamlessly "
"secure the data and yet have it accessible without burdening the client with"
" having to manage their keys and interactively provide them calls for a key "
"management service within OpenStack. Providing encryption and key management"
" services as part of OpenStack eases data-at-rest security adoption, "
"addresses customer concerns about the privacy and misuse of their data with "
"the added advantage of limiting cloud provider liability. Provider liability"
" is of concern in multi-tenant public clouds with respect to handing over "
"tenant data during a misuse investigation."
msgstr ""
#: ./doc/security-guide/ch048_key-management.xml5(para)
msgid ""
"A key management service is in the early stages of being developed and has a"
" way to go before becoming an official component of OpenStack. Refer to "
"<link "
"href=\"https://github.com/cloudkeep/barbican/wiki/_pages\">https://github.com/cloudkeep/barbican/wiki/_pages</link>"
" for details."
msgstr ""
#: ./doc/security-guide/ch048_key-management.xml6(para)
msgid ""
"It shall support the creation of keys, and their secure saving (with a "
"service master-key). Some of the design questions still being debated are "
"how much of the Key Management Interchange Protocol (KMIP) to support, key "
"formats, and certificate management.  The key manager will be pluggable to "
"facilitate deployments that need a third-party Hardware Security Module "
"(HSM)."
msgstr ""
#: ./doc/security-guide/ch048_key-management.xml7(para)
msgid ""
"OpenStack Block Storage, Cinder, is the first service looking to integrate "
"with the key manager to provide volume encryption."
msgstr ""
#: ./doc/security-guide/ch048_key-management.xml9(title)
msgid "References:"
msgstr ""
#: ./doc/security-guide/ch048_key-management.xml11(link)
msgid "Barbican"
msgstr ""
#: ./doc/security-guide/ch048_key-management.xml14(link)
msgid "KMIP"
msgstr ""
#: ./doc/security-guide/ch009_case-studies.xml3(title)
msgid "Case Studies: System Documentation"
msgstr ""
#: ./doc/security-guide/ch009_case-studies.xml4(para)
msgid ""
"In this case study we discuss how Alice and Bob would address their system "
"documentation requirements. The documentation suggested above includes "
"hardware and software records, network diagrams, and system configuration "
"details."
msgstr "今回のケーススタディでは、アリスとボブがシステムの文書要件にどのように対処していくか見ていきます。上記で述べた文書には、ハードウェアおよびソフトウェア記録、ネットワーク図、システム設定の詳細などが含まれます。"
#: ./doc/security-guide/ch009_case-studies.xml7(para)
msgid ""
"Alice needs detailed documentation to satisfy FedRamp requirements.  She "
"sets up a configuration management database (CMDB) to store information "
"regarding all of the hardware, firmware, and software versions used "
"throughout the cloud. She also creates a network diagram detailing the cloud"
" architecture, paying careful attention to the security domains and the "
"services that span multiple security domains."
msgstr "アリスは、FedRam 要件を満たす詳細文書が必要です。構成管理データベース (CMDB) を設定して、クラウド全体で使用されるハードウェア、ファームウェア、ソフトウェアバージョンの情報を格納していきます。また、セキュリティドメインや、複数のセキュリティドメインにまたがるサービスに細心の注意を払い、クラウドアーキテクチャーの詳細を示したネットワーク図も作成します。"
#: ./doc/security-guide/ch009_case-studies.xml8(para)
msgid ""
"Alice also needs to record each network service running in the cloud, what "
"interfaces and ports it binds to, the security domains for each service, and"
" why the service is needed. Alice decides to build automated tools to log "
"into each system in the cloud over secure shell (SSH) using the <link "
"href=\"http://fabfile.org\">Python Fabric library</link>. The tools collect "
"and store the information in the CMDB, which simplifies the audit process."
msgstr "アリスは、クラウドで実行中の各ネットワークサービス、バインド先のインターフェースやポート、各サービスに対するセキュリティドメイン、そのサービスが必要な理由を記録する必要があります。 <link href=\"http://fabfile.org\">Python Fabric ライブラリ</link>を使用して、セキュアシェル (SSH) でクラウド内の各システムにログインする自動化ツールを構築することにしました。このツールは、CMDB の情報を収集・格納して監査プロセスを簡素化します。"
#: ./doc/security-guide/ch009_case-studies.xml12(para)
msgid "In this case, Bob will approach these steps the same as Alice."
msgstr "今回のケーススタディでは、ボブはアリスと同様の手段を取ります。"
#: ./doc/security-guide/ch056_case-studies-instance-management.xml3(title)
msgid "Case Studies: Instance Management"
msgstr ""
#: ./doc/security-guide/ch056_case-studies-instance-management.xml4(para)
msgid ""
"In this case study we discuss how Alice and Bob would architect their clouds"
" with respect to instance entropy, scheduling instances, trusted images, and"
" instance migrations."
msgstr ""
#: ./doc/security-guide/ch056_case-studies-instance-management.xml7(para)
msgid ""
"Alice has a need for lots of high quality entropy in the instances. For this"
" reason, she decides to purchase hardware with Intel Ivy Bridge chip sets "
"that support the RdRand instruction on each compute node. Using the entropy "
"gathering daemon (EGD) and LibVirt's EGD support, Alice ensures that this "
"entropy pool is distributed to the instances on each compute node."
msgstr ""
#: ./doc/security-guide/ch056_case-studies-instance-management.xml8(para)
msgid ""
"For instance scheduling, Alice uses the trusted compute pools to ensure that"
" all cloud workloads are deployed to nodes that presented a proper boot time"
" attestation. Alice decides to disable user permissions for image uploading "
"to help ensure that the images used in the cloud are generated in a known "
"and trusted manner by the cloud administrators."
msgstr ""
#: ./doc/security-guide/ch056_case-studies-instance-management.xml9(para)
msgid ""
"Finally, Alice disables instance migrations as this feature is less critical"
" for the high performance application workloads expected to run in this "
"cloud. This helps avoid the various security concerns related to instance "
"migrations."
msgstr ""
#: ./doc/security-guide/ch056_case-studies-instance-management.xml13(para)
msgid ""
"Bob is aware that entropy will be a concern for some of his customers, such "
"as those in the financial industry. However, due to the added cost and "
"complexity, Bob has decided to forgo integrating hardware entropy into the "
"first iteration of his cloud. He adds hardware entropy as a fast-follow to "
"do for a later improvement for the second generation of his cloud "
"architecture."
msgstr ""
#: ./doc/security-guide/ch056_case-studies-instance-management.xml14(para)
msgid ""
"Bob is interested in ensuring that customers receive a high quality of "
"service. He is concerned that providing too much explicit user control over "
"instance scheduling could negatively impact the quality of service. So he "
"disables this feature. Bob provides images in the cloud from a known trusted"
" source for users to use. Additionally, he also allows users to upload their"
" own images. However, users cannot generally share their images. This helps "
"prevent a user from sharing a malicious image, which could negatively impact"
" the security of other users in the cloud."
msgstr ""
#: ./doc/security-guide/ch056_case-studies-instance-management.xml15(para)
msgid ""
"For migrations, Bob wants to enable secure instance migrations in order to "
"support rolling upgrades with minimal user downtime. Bob ensures that all "
"migrations occur on an isolated VLAN. He plans to defer implementing "
"encrypted migrations until this is better supported in Nova client tools. "
"However, he makes a note to track this carefully and switch to encrypted "
"migrations as soon as possible."
msgstr ""
#: ./doc/security-guide/ch_preface.xml10(title)
msgid "Preface"
msgstr "はじめに"
#. When image changes, this message will be marked fuzzy or untranslated for
#. you.
#. It doesn't matter what you translate it to: it's not used at all.
#: ./doc/security-guide/ch008_system-roles-types.xml43(None)
#: ./doc/security-guide/ch008_system-roles-types.xml46(None)
msgid ""
"@@image: 'static/services-protocols-ports.png'; "
"md5=fb1e9f47d969127b7a5ca683d38cfe20"
msgstr "@@image: 'static/services-protocols-ports.png'; md5=fb1e9f47d969127b7a5ca683d38cfe20"
#: ./doc/security-guide/ch008_system-roles-types.xml3(title)
msgid "System Documentation Requirements"
msgstr "システムの文書化要件"
#: ./doc/security-guide/ch008_system-roles-types.xml4(para)
msgid ""
"The system documentation for an OpenStack cloud deployment should follow the"
" templates and best practices for the Enterprise Information Technology "
"System in your organization. Organizations often have compliance "
"requirements which may require an overall System Security Plan to inventory "
"and document the architecture of a given system. There are common challenges"
" across the industry related to documenting the dynamic cloud infrastructure"
" and keeping the information up-to-date."
msgstr "OpenStack クラウドデプロイメントのシステム文書化は、その組織のエンタープライズ IT システムを対象とするテンプレートとベストプラクティスに従って行うべきです。組織には大抵、コンプライアンス要件が設定されており、それによって対象システムのインベントリ作成とアーキテクチャーの文書化を行う全体的なシステムセキュリティ計画が義務付けられている場合があります。動的なクラウドインフラストラクチャーを文書化し、情報を最新の状態に維持するのあたっては、業界全体の共通課題があります。 "
#: ./doc/security-guide/ch008_system-roles-types.xml6(title)
msgid "System Roles &amp; Types"
msgstr "システムのロールとタイプ"
#: ./doc/security-guide/ch008_system-roles-types.xml7(para)
msgid ""
"It is necessary to describe the two broadly defined types of nodes that "
"generally make up an OpenStack installation."
msgstr "通常 OpenStack のインストールを構成する、広く定義された 2 つのノードタイプについて説明しておく必要があります。"
#: ./doc/security-guide/ch008_system-roles-types.xml9(para)
msgid ""
"Infrastructure nodes, or the nodes that run the cloud related services such "
"as the OpenStack Identity service, the message queuing service, storage, "
"networking, and other services required to support the operation of the "
"cloud."
msgstr "その 1 つのードタイプは、インフラストラクチャーードです。これは、OpenStack のアイデンティティサービス、メッセージキューサービス、ストレージ、ネットワーク、およびクラウドの運用をサポートするために必要なその他のサービスなどのクラウド関連サービスを実行するノードです。"
#: ./doc/security-guide/ch008_system-roles-types.xml12(para)
msgid ""
"The other type of nodes are compute, storage, or other resource nodes, those"
" that provide storage capacity or virtual machines for your cloud."
msgstr "もう 1 つのノードタイプは、ストレージ容量やクラウド用の仮想マシンを提供する、コンピュート、ストレージ、その他のリソースのノードです。"
#: ./doc/security-guide/ch008_system-roles-types.xml17(title)
msgid "System Inventory"
msgstr "システムインベントリ"
#: ./doc/security-guide/ch008_system-roles-types.xml18(para)
msgid ""
"Documentation should provide a general description of the OpenStack "
"environment and cover all systems used (production, development, test, "
"etc.). Documenting system components, networks, services, and software often"
" provides the bird's-eye view needed to thoroughly cover and consider "
"security concerns, attack vectors and possible security domain bridging "
"points.  A system inventory may need to capture ephemeral resources such as "
"virtual machines or virtual disk volumes that would otherwise be persistent "
"resources in a traditional IT system."
msgstr "文書には、OpenStack 環境の概要を記載し、使用する全システム (実稼働、開発、テストなど) を対象とするべきです。多くの場合、システムコンポーネント、ネットワーク、サービス、およびソフトウェアについて文書化することにより、セキュリティ課題、攻撃ベクトル、考えられるセキュリティドメインのブリッジングポイントを完全に網羅して検討するにあたって必要な概観が提供されます。システムインベントリには、従来の IT システムでは永続的なリソースとされている、仮想マシンや仮想ディスクボリュームなどの一時的なリソースを取り込む必要がある場合があります。"
#: ./doc/security-guide/ch008_system-roles-types.xml20(title)
msgid "Hardware Inventory"
msgstr "ハードウェアインベントリ"
#: ./doc/security-guide/ch008_system-roles-types.xml21(para)
msgid ""
"Clouds without stringent compliance requirements for written documentation "
"may at least benefit from having a Configuration Management Database "
"(<glossterm>CMDB</glossterm>). CMDB's are normally used for hardware asset "
"tracking and overall life-cycle management. By leveraging a CMDB, an "
"organization can quickly identify cloud infrastructure hardware (e.g. "
"compute nodes, storage nodes, and network devices) that exists on the "
"network but may not be adequately protected and/or forgotten. OpenStack "
"provisioning system may provide some CMDB-like functions especially if auto-"
"discovery features of hardware attributes are available."
msgstr "文書化に対する厳密なコンプライアンス要件のないクラウドの場合は、少なくとも Configuration Management Database (<glossterm>CMDB</glossterm>) を使用することによってメリットが得られます。CMDB は通常、ハードウェア資産の追跡や全般的なライフサイクル管理に使用されます。CMDB を活用することにより、組織はネットワーク上に存在するクラウドインフラストラクチャーハードウェア (例: コンピュートノード、ストレージノード、ネットワークデバイスなど) の中で適切に保護されていないハードウェアや忘れられているハードウェアを迅速に特定することができます。OpenStack のプロビジョニングシステムは、ハードウェア属性の自動検出機能が利用できる場合は特に、CMDB のような機能を一部提供することが可能です。"
#: ./doc/security-guide/ch008_system-roles-types.xml24(title)
msgid "Software Inventory"
msgstr "ソフトウェアインベントリ"
#: ./doc/security-guide/ch008_system-roles-types.xml25(para)
msgid ""
"Just as with hardware, all software components within the OpenStack "
"deployment should be documented. Components here should include system "
"databases; OpenStack software components and supporting sub-components; and,"
" supporting infrastructure software such as load-balancers, reverse proxies,"
" and network address translators. Having an authoritative list like this may"
" be critical toward understanding total system impact due to a compromise or"
" vulnerability of a specific class of software."
msgstr "ハードウェアと同様に、OpenStack デプロイメント内のソフトウェアコンポーネントはすべて文書化しておくべきです。このコンポーネントには、システムデータベース、OpenStack ソフトウェアコンポーネントおよびサポートサブコンポーネント、ロードバランサー/リバースプロキシ/ネットワークアドレストランスレーターなどのサポートインフラストラクチャーソフトウェアなどが含まれます。このような信頼できる一覧を用意しておくことは、ソフトウェアの特定のクラスの侵害や脆弱性によってシステムが受ける全体的な影響を把握するために極めて重要となります。"
#: ./doc/security-guide/ch008_system-roles-types.xml29(title)
msgid "Network Topology"
msgstr "ネットワークトポロジー"
#: ./doc/security-guide/ch008_system-roles-types.xml30(para)
msgid ""
"A Network Topology should be provided with highlights specifically calling "
"out the data flows and bridging points between the security domains. Network"
" ingress and egress points should be identified along with any OpenStack "
"logical system boundaries. Multiple diagrams may be needed to provide "
"complete visual coverage of the system.  A network topology document should "
"include virtual networks created on behalf of tenants by the system along "
"with virtual machine instances and gateways created by OpenStack."
msgstr "ネットワークトポロジーは、セキュリティドメイン間のデータフローとブリッジングポイントをはっきりと識別して強調するようにして作成すべきです。OpenStack の論理的なシステム境界とともに、ネットワークの受信および送信ポイントを明確にすることを推奨します。システムを完全に視覚的に網羅するには、図を複数作成する必要がある場合があります。また、ネットワークトポロジーの文書には、テナントに代わってシステムが作成した仮想ネットワークや、OpenStack によって作成された仮想マシンインスタンスとゲートウェイを含めるべきです。"
#: ./doc/security-guide/ch008_system-roles-types.xml33(title)
msgid "Services, Protocols and Ports"
msgstr "サービス、プロトコル、ポート"
#: ./doc/security-guide/ch008_system-roles-types.xml34(para)
msgid ""
"The Service, Protocols and Ports table provides important additional detail "
"of an OpenStack deployment. A table view of all services running within the "
"cloud infrastructure can immediately inform, guide, and help check security "
"procedures. Firewall configuration, service port conflicts, security "
"remediation areas, and compliance requirements become easier to manage when "
"you have concise information available. E.g. tabular information as shown "
"below."
msgstr "サービス、プロトコル、ポートの表には OpenStack デプロイメントの重要な追加情報を記載します。クラウドインフラストラクチャー内で稼働中の全サービスを表にまとめると、情報や指針を直ちに確認することができ、セキュリティプロシージャーをチェックするのに役立ちます。以下に示す表形式の情報のように、簡潔な情報が提供されると、ファイアウォールの設定やサービスポートの競合、セキュリティ修復領域、コンプライアンス要件をより容易に管理できるようになります。 "
#: ./doc/security-guide/ch008_system-roles-types.xml49(para)
msgid ""
"Referencing a table of services, protocols and ports can help in "
"understanding the relationship between OpenStack components. It is highly "
"recommended that OpenStack deployments have information similar to this on "
"record."
msgstr "サービス、プロトコル、ポートの表を参照すると、OpenStack のコンポーネント間の関係を理解するのに役立ちます。OpenStack のデプロイメントには、これと同様の情報を記録することを強く推奨します。"
#: ./doc/security-guide/ch025_web-dashboard.xml4(para)
msgid ""
"Horizon is the OpenStack dashboard, providing access to a majority of the "
"capabilities available in OpenStack. These include provisioning users, "
"defining instance flavors, uploading VM images, managing networks, setting "
"up security groups, starting instances, and accessing the instances via a "
"console."
msgstr "Horizon は OpenStack のダッシュボードです。OpenStack で利用可能なほとんどの機能にアクセスできます。これらには、ユーザーの管理、インスタンスのフレーバーの定義、仮想マシンイメージのアップロード、ネットワークの管理、セキュリティグループのセットアップ、インスタンスの起動、インスタンスへのコンソール経由のアクセスなどがあります。"
#: ./doc/security-guide/ch025_web-dashboard.xml5(para)
msgid ""
"The dashboard is based on the Django web framework, therefore secure "
"deployment practices for Django apply directly to Horizon. This guide "
"provides a popular set of Django security recommendations, further "
"information can be found by reading the <link "
"href=\"https://docs.djangoproject.com/en/1.5/#security\">Django deployment "
"and security documentation</link>."
msgstr ""
#: ./doc/security-guide/ch025_web-dashboard.xml6(para)
msgid ""
"The dashboard ships with reasonable default security settings, and has good "
"<link "
"href=\"http://docs.openstack.org/developer/horizon/topics/deployment.html\">deployment"
" and configuration documentation</link>."
msgstr ""
#: ./doc/security-guide/ch025_web-dashboard.xml8(title)
msgid "Basic Web Server Configuration"
msgstr "基本的なウェブサーバーの設定"
#: ./doc/security-guide/ch025_web-dashboard.xml9(para)
msgid ""
"The dashboard should be deployed as a Web Services Gateway Interface (WSGI) "
"application behind an HTTPS proxy such as Apache or nginx. If Apache is not "
"already in use, we recommend nginx since it is lighter weight and easier to "
"configure correctly."
msgstr ""
#: ./doc/security-guide/ch025_web-dashboard.xml10(para)
msgid ""
"When using nginx, we recommend <link "
"href=\"http://docs.gunicorn.org/en/latest/deploy.html\">gunicorn</link> as "
"the wsgi host with an appropriate number of synchronous workers. We strongly"
" advise against deployments using fastcgi, scgi, or uWSGI. We strongly "
"advise against the use of synthetic performance benchmarks when choosing a "
"wsgi server."
msgstr ""
#: ./doc/security-guide/ch025_web-dashboard.xml11(para)
msgid ""
"When using Apache, we recommend <link "
"href=\"https://docs.djangoproject.com/en/1.5/howto/deployment/wsgi/modwsgi/\">mod_wsgi</link>"
" to host dashboard."
msgstr ""
#: ./doc/security-guide/ch025_web-dashboard.xml14(title)
msgid "HTTPS"
msgstr "HTTPS"
#: ./doc/security-guide/ch025_web-dashboard.xml15(para)
msgid ""
"The dashboard should be deployed behind a secure HTTPS server using a valid,"
" trusted certificate from a recognized certificate authority (CA). Private "
"organization-issued certificates are only appropriate when the root of trust"
" is pre-installed in all user browsers."
msgstr ""
#: ./doc/security-guide/ch025_web-dashboard.xml16(para)
msgid ""
"HTTP requests to the dashboard domain should be configured to redirect to "
"the fully qualified HTTPS URL."
msgstr ""
#: ./doc/security-guide/ch025_web-dashboard.xml19(title)
msgid "HTTP Strict Transport Security (HSTS)"
msgstr "HTTP Strict Transport Security (HSTS)"
#: ./doc/security-guide/ch025_web-dashboard.xml20(para)
msgid "It is highly recommended to use HTTP Strict Transport Security (HSTS)."
msgstr "HTTP Strict Transport Security (HSTS) を使用することが強く推奨されます。"
#: ./doc/security-guide/ch025_web-dashboard.xml21(para)
msgid ""
"NOTE: If you are using an HTTPS proxy in front of your web server, rather "
"than using an HTTP server with HTTPS functionality, follow the <link "
"href=\"https://docs.djangoproject.com/en/1.5/ref/settings/#secure-proxy-ssl-"
"header\">Django documentation on modifying the SECURE_PROXY_SSL_HEADER "
"variable</link>."
msgstr ""
#: ./doc/security-guide/ch025_web-dashboard.xml22(para)
msgid ""
"See the chapter on PKI/SSL Everywhere for more specific recommendations and "
"server configurations for HTTPS configurations, including the configuration "
"of HSTS."
msgstr "HSTS の設定を含め、HTTPS の設定に関するより具体的な推奨事項とサーバー設定は、PKI/SSL の章全体を参照してください。"
#: ./doc/security-guide/ch025_web-dashboard.xml25(title)
msgid "Frontend Caching"
msgstr "フロントエンドキャッシュ"
#: ./doc/security-guide/ch025_web-dashboard.xml26(para)
msgid ""
"Since dashboard is rendering dynamic content passed directly from OpenStack "
"API requests, we do not recommend frontend caching layers such as varnish. "
"In Django, static media is directly served from Apache or nginx and already "
"benefits from web host caching."
msgstr ""
#: ./doc/security-guide/ch025_web-dashboard.xml29(title)
msgid "Domain Names"
msgstr "ドメイン名"
#: ./doc/security-guide/ch025_web-dashboard.xml30(para)
msgid ""
"Many organizations typically deploy web applications at subdomains of an "
"overarching organization domain. It is natural for users to expect a domain "
"of the form openstack.example.org. In this context, there are often many "
"other applications deployed in the same second-level namespace, often "
"serving user-controlled content. This name structure is convenient and "
"simplifies nameserver maintenance."
msgstr "多くの組織は一般的に、組織全体のドメインのサブドメインにウェブアプリケーションを配備します。ユーザーが openstack.example.org 形式のドメインを期待することは自然です。これに関連して、しばしば同じ第 2 レベルの名前空間に配備された、ユーザーが管理できるコンテンツを取り扱う他の多くのアプリケーションがあります。この名前の構造は便利であり、ネームサーバーのメンテナンスを簡単にします。"
#: ./doc/security-guide/ch025_web-dashboard.xml31(para)
msgid ""
"We strongly recommend deploying horizon to a <emphasis>second-level "
"domain</emphasis>, for example <uri>https://example.com</uri>, and advise "
"against deploying horizon on a<emphasis> shared subdomain</emphasis> of any "
"level, for example <uri>https://openstack.example.org</uri> or "
"<uri>https://horizon.openstack.example.org</uri>. We also advise against "
"deploying to bare internal domains like <uri>https://horizon/</uri>."
msgstr "Horizon を<emphasis>第 2 レベルドメイン</emphasis>に導入することを強く推奨します。たとえば、<uri>https://example.com</uri> です。また、Horizon を<emphasis>共有サブドメイン</emphasis>に導入しないことをお奨めします。たとえば、<uri>https://openstack.example.org</uri> や <uri>https://horizon.openstack.example.org</uri> です。<uri>https://horizon/</uri> のようなそのままの内部ドメインに導入しないこともお奨めします。"
#: ./doc/security-guide/ch025_web-dashboard.xml32(para)
msgid ""
"This recommendation is based on the limitations browser same-origin-policy. "
"The recommendations in this guide cannot effectively protect users against "
"known attacks if dashboard is deployed on a domain which also hosts user-"
"generated content (e.g. scripts, images, uploads of any kind) even if the "
"user-generated content is on a different subdomain. This approach is used by"
" most major web presences (e.g. googleusercontent.com, fbcdn.com, github.io,"
" twimg.com) to ensure that user generated content stays separate from "
"cookies and security tokens."
msgstr ""
#: ./doc/security-guide/ch025_web-dashboard.xml33(para)
msgid ""
"Additionally, if you decline to follow this recommendation above about "
"second-level domains, it is vital that you avoid the cookie backed session "
"store and employ HTTP Strict Transport Security (HSTS). When deployed on a "
"subdomain, dashboard's security is only as strong as the weakest application"
" deployed on the same second-level domain."
msgstr ""
#: ./doc/security-guide/ch025_web-dashboard.xml36(title)
msgid "Static Media"
msgstr "静的メディア"
#: ./doc/security-guide/ch025_web-dashboard.xml37(para)
msgid ""
"Dashboard's static media should be deployed to a subdomain of the dashboard "
"domain and served by the web server. The use of an external content delivery"
" network (CDN) is also acceptable. This subdomain should not set cookies or "
"serve user-provided content. The media should also be served with HTTPS."
msgstr ""
#: ./doc/security-guide/ch025_web-dashboard.xml38(para)
msgid ""
"Django media settings are documented at <link "
"href=\"https://docs.djangoproject.com/en/1.5/ref/settings/#static-"
"root\">https://docs.djangoproject.com/en/1.5/ref/settings/#static-"
"root</link>."
msgstr ""
#: ./doc/security-guide/ch025_web-dashboard.xml39(para)
msgid ""
"Dashboard's default configuration uses <link href=\"http://django-"
"compressor.readthedocs.org/\">django_compressor</link> to compress and "
"minify css and JavaScript content before serving it. This process should be "
"statically done before deploying dashboard, rather than using the default "
"in-request dynamic compression and copying the resulting files along with "
"deployed code or to the CDN server. Compression should be done in a non-"
"production build environment. If this is not practical, we recommend "
"disabling resource minification entirely. Online compression dependencies "
"(less, nodejs) should not be installed on production machines."
msgstr ""
#: ./doc/security-guide/ch025_web-dashboard.xml42(title)
msgid "Secret Key"
msgstr "シークレットキー"
#: ./doc/security-guide/ch025_web-dashboard.xml43(para)
msgid ""
"Dashboard depends on a shared SECRET_KEY setting for some security "
"functions. It should be a randomly generated string at least 64 characters "
"long. It must be shared across all active Horizon instances. Compromise of "
"this key may allow a remote attacker to execute arbitrary code. Rotating "
"this key invalidates existing user sessions and caching. Do not commit this "
"key to public repositories."
msgstr ""
#: ./doc/security-guide/ch025_web-dashboard.xml46(title)
msgid "Session Backend"
msgstr "セッションバックエンド"
#: ./doc/security-guide/ch025_web-dashboard.xml47(para)
msgid ""
"Horizon's default session backend "
"(<emphasis>django.contrib.sessions.backends.signed_cookies</emphasis>) "
"stores user data in <emphasis>signed</emphasis> but <emphasis>unencrypted "
"</emphasis>cookies stored in the browser. This approach allows the most "
"simple session backend scaling since each Horizon instance is stateless, but"
" it comes at the cost of <emphasis>storing sensitive access tokens in the "
"client browser</emphasis> and transmitting them with every request. This "
"backend ensures that session data has not been tampered with, but the data "
"itself is not encrypted other than the encryption provided by HTTPS."
msgstr "Horizon の標準のセッションバックエンド (<emphasis>django.contrib.sessions.backends.signed_cookies</emphasis>) は、ブラウザに保存される、<emphasis>署名付き</emphasis>ですが<emphasis>暗号化されていない</emphasis>クッキーにユーザーデータを保存します。この方法により、各 Horizon インスタンスがステートレスになるため、最も簡単なセッションバックエンドがスケールできるようになります。しかし、<emphasis>機微なアクセストークンをクライアントのブラウザーに保存</emphasis>し、それらをリクエストごとに送信するという犠牲を払うことになります。このバックエンドは、セッションデータが改ざんされていないことを保証しますが、データ自身は HTTPS で提供されるような暗号化以外には暗号化されていません。"
#: ./doc/security-guide/ch025_web-dashboard.xml48(para)
msgid ""
"If your architecture allows it, we recommend using "
"<emphasis>django.contrib.sessions.backends.cache</emphasis> as your session "
"backend with memcache as the cache. Memcache must not be exposed publicly, "
"and should communicate over a secured private channel. If you choose to use "
"the signed cookies backend, refer to the Django documentation understand the"
" security tradeoffs."
msgstr "お使いのアーキテクチャーが許容できる場合、セッションバックエンドとして <emphasis>django.contrib.sessions.backends.cache</emphasis> を、キャッシュとして memcache を一緒に使用することを推奨します。memcache はパブリックにアクセスされてはいけません。セキュアなプライベートチャネル経由で通信すべきです。署名付きクッキーバックエンドを使用することにした場合、セキュリティのトレードオフを理解するために Django のドキュメントを参照してください。"
#: ./doc/security-guide/ch025_web-dashboard.xml49(para)
msgid ""
"For further details, consult the <link "
"href=\"https://docs.djangoproject.com/en/1.5/topics/http/sessions"
"/#configuring-the-session-engine\">Django session backend "
"documentation</link>."
msgstr "さらなる詳細は <link href=\"https://docs.djangoproject.com/en/1.5/topics/http/sessions/#configuring-the-session-engine\">Django session backend documentation</link> を参照してください。"
#: ./doc/security-guide/ch025_web-dashboard.xml52(title)
msgid "Allowed Hosts"
msgstr "許可されたホスト"
#: ./doc/security-guide/ch025_web-dashboard.xml53(para)
msgid ""
"Configure the ALLOWED_HOSTS setting with the domain or domains where Horizon"
" is available. Failure to configure this setting (especially if not "
"following the recommendation above regarding second level domains) opens "
"Horizon to a number of serious attacks. Wildcard domains should be avoided."
msgstr "Horizon が利用可能なドメインを ALLOWED_HOSTS に設定します。この設定を失敗すると (とくに第 2 レベルドメインに関する上の推奨に従わなかった場合)、Horizon がさまざまな深刻な攻撃にさらされます。ワイルドカードドメインは避けるべきです。"
#: ./doc/security-guide/ch025_web-dashboard.xml54(para)
msgid ""
"For further details, see the <link "
"href=\"https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-"
"hosts\">Django documentation on settings</link>."
msgstr "さらなる詳細は <link href=\"https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-hosts\">Django documentation on settings</link> を参照してください。"
#: ./doc/security-guide/ch025_web-dashboard.xml57(title)
msgid "Cookies"
msgstr "クッキー"
#: ./doc/security-guide/ch025_web-dashboard.xml58(para)
msgid "Session Cookies should be set to HTTPONLY:"
msgstr "セッションクッキーは HTTPONLY に設定すべきです。"
#: ./doc/security-guide/ch025_web-dashboard.xml61(para)
msgid ""
"Never configure CSRF or session cookies to have a wildcard domain with a "
"leading dot. Horizon's session and CSRF cookie should be secured when "
"deployed with HTTPS:"
msgstr "ドットから始まるワイルドカードドメインを持つよう、CSRF やセッションクッキーを設定してはいけません。Horizon のセッションクッキーと CSRF クッキーは HTTPS を使用した環境のときにセキュア化すべきです。"
#: ./doc/security-guide/ch025_web-dashboard.xml67(title)
msgid "Password Auto Complete"
msgstr "パスワード自動補完"
#: ./doc/security-guide/ch025_web-dashboard.xml68(para)
msgid ""
"We recommend that implementers do not change the default password "
"autocomplete behavior. Users choose stronger passwords in environments that "
"allow them to use the secure browser password manager. Organizations which "
"forbid the browser password manager should enforce this policy at the "
"desktop level."
msgstr "実装者は標準のパスワードオートコンプリート機能を変更しないことを推奨します。ユーザーはセキュアなブラウザのパスワードマネージャーを使用できる環境で、より強力なパスワードを選択します。ブラウザのパスワードマネージャーを禁止している組織は、デスクトップレベルでこのポリシーを強制すべきです。"
#: ./doc/security-guide/ch025_web-dashboard.xml71(title)
msgid "Cross Site Request Forgery (CSRF)"
msgstr "クロスサイトリクエストフォージェリ (CSRF)"
#: ./doc/security-guide/ch025_web-dashboard.xml72(para)
msgid ""
"Django has a dedicated middleware for <link "
"href=\"https://docs.djangoproject.com/en/1.5/ref/contrib/csrf/#how-it-works"
"\">cross-site request forgery</link> (CSRF)."
msgstr "Django は<link href=\"https://docs.djangoproject.com/en/1.5/ref/contrib/csrf/#how-it-works\">cross-site request forgery</link> (CSRF) 用の専用ミドルウェアを持ちます。"
#: ./doc/security-guide/ch025_web-dashboard.xml73(para)
msgid ""
"Dashboard is designed to discourage developers from introducing cross-site "
"scripting vulnerabilities with custom dashboards. However, it is important "
"to audit custom dashboards, especially ones that are javascript-heavy for "
"inappropriate use of the @csrf_exempt decorator. Dashboards which do not "
"follow these recommended security settings should be carefully evaluated "
"before restrictions are relaxed."
msgstr ""
#: ./doc/security-guide/ch025_web-dashboard.xml76(title)
msgid "Cross Site Scripting (XSS)"
msgstr "クロスサイトスクリプティング (XSS)"
#: ./doc/security-guide/ch025_web-dashboard.xml77(para)
msgid ""
"Unlike many similar systems, OpenStack dashboard allows the entire unicode "
"character set in most fields. This means developers have less latitude to "
"make escaping mistakes that open attack vectors for cross-site scripting "
"(XSS)."
msgstr ""
#: ./doc/security-guide/ch025_web-dashboard.xml78(para)
msgid ""
"Dashboard provides tools for developers to avoid creating XSS "
"vulnerabilities, but they only work if developers use them correctly. Audit "
"any custom dashboards, paying particular attention to use of the mark_safe "
"function, use of is_safe with custom template tags, the safe template tag, "
"anywhere autoescape is turned off, and any javascript which might evaluate "
"improperly escaped data."
msgstr ""
#: ./doc/security-guide/ch025_web-dashboard.xml81(title)
msgid "Cross Origin Resource Sharing (CORS)"
msgstr "クロスオリジンリソースシェアリング (CORS)"
#: ./doc/security-guide/ch025_web-dashboard.xml82(para)
msgid ""
"Configure your web server to send a restrictive CORS header with each "
"response, allowing only the Horizon domain and protocol:"
msgstr "ウェブブラウザが各レスポンスに限定的な CORS ヘッダーを付けて送信するよう設定します。Horizon のドメインとプロトコルのみを許可します。"
#: ./doc/security-guide/ch025_web-dashboard.xml85(para)
msgid "Never allow the wildcard origin."
msgstr "ワイルドカードオリジンを許可してはいけません。"
#: ./doc/security-guide/ch025_web-dashboard.xml88(title)
msgid "Horizon Image Upload"
msgstr "Horizon のイメージのアップロード"
#: ./doc/security-guide/ch025_web-dashboard.xml89(para)
msgid ""
"We recommend that implementers <link "
"href=\"http://docs.openstack.org/developer/horizon/topics/deployment.html"
"#file-uploads\">disable HORIZON_IMAGES_ALLOW_UPLOAD</link> unless they have "
"implemented a plan to prevent resource exhaustion and denial of service."
msgstr "導入者はリソース枯渇とサービス妨害を防ぐ計画を実装していなければ、<link href=\"http://docs.openstack.org/developer/horizon/topics/deployment.html#file-uploads\">HORIZON_IMAGES_ALLOW_UPLOAD を無効化</link> することを強く推奨します。"
#: ./doc/security-guide/ch025_web-dashboard.xml92(title)
msgid "Upgrading"
msgstr "アップグレード"
#: ./doc/security-guide/ch025_web-dashboard.xml93(para)
msgid ""
"Django security releases are generally well tested and aggressively "
"backwards compatible. In almost all cases, new major releases of Django are "
"also fully backwards compatible with previous releases. Dashboard "
"implementers are strongly encouraged to run the latest stable release of "
"Django with up-to-date security releases."
msgstr ""
#: ./doc/security-guide/ch025_web-dashboard.xml96(title)
msgid "Debug"
msgstr "デバッグ"
#: ./doc/security-guide/ch025_web-dashboard.xml97(para)
msgid ""
"Make sure DEBUG is set to False in production. In Django, DEBUG displays "
"stack traces and sensitive web server state information on any exception."
msgstr "本番環境で DEBUG が False に設定されていることを確認します。Django では DEBUG により、あらゆる例外の発生時にスタックトレースと機微なウェブサーバーの状態情報が表示されます。"
#: ./doc/security-guide/ch022_case-studies-api-endpoints.xml3(title)
msgid "Case Studies: API Endpoints"
msgstr ""
#: ./doc/security-guide/ch022_case-studies-api-endpoints.xml4(para)
msgid ""
"In this case study we discuss how Alice and Bob would address endpoint "
"configuration to secure their private and public clouds. Alice's cloud is "
"not publicly accessible, but she is still concerned about securing the "
"endpoints against improper use.  Bob's cloud, being public, must take "
"measures to reduce the risk of attacks by external adversaries."
msgstr "このケーススタディでは、アリスとボブがどうやってプライベートクラウドとパブリッククラウドのエンドポイント設定を堅牢化するかについて議論します。\nアリスのプライベートクラウドは公開されたものではありませんが、不適切な使い方によるエンドポイント侵害を憂慮しています。ボブのパブリッククラウドは、外部からの攻撃に対してリスクを低減する措置を講じなければいけません。"
#: ./doc/security-guide/ch022_case-studies-api-endpoints.xml7(para)
msgid ""
"Alice's organization requires that the security architecture protect the "
"access to the public and private endpoints, so she elects to use the Apache "
"SSL proxy on both public and internal services. Alice's organization has "
"implemented its own certificate authority. Alice contacts the PKI office in "
"her agency that manages her PKI and certificate issuance. Alice obtains "
"certificates issued by this CA and configures the services within both the "
"public and management security domains to use these certificates. Since "
"Alice's OpenStack deployment exists entirely on a disconnected from the "
"Internet network, she makes sure to remove all default CA bundles that "
"contain external public CA providers to ensure the OpenStack services only "
"accept client certificates issued by her agency's CA. Alice has registered "
"all of the services in the Keystone Services Catalog, using the internal "
"URLs for access by internal services. She has installed host-based intrusion"
" detection on all of the API endpoints."
msgstr "アリスが所属する組織では、パブリックとプライベートのエンドポイントへのアクセスに対してセキュリティ対策を講じることが義務付けられています。そこで彼女は、パブリックとプライベートのサービスに対して Apache SSL Proxy を構築しました。\nまた、アリスの組織では自前の認証局を用意しています。アリスは、公開鍵暗号基盤の管理と証明書を発行する部署からもらった証明書を、パブリック側と管理側のセキュリティドメイン両方に設定しました。\nアリスの OpenStack 環境はインターネットからは完全に隔絶されているため、証明書から外部の公開認証局を含む CA バンドルを削除しました。これにより、アリスの OpenStack 環境が受け付ける証明書は、組織の認証局が発行したクライアント証明書のみになります。\nアリスは内部アクセス用の Internal URL 越しに、全サービスを Keystone サービスカタログに登録し、また、ホストベースの侵入検知システムを全 API エンドポイントに設定しました。"
#: ./doc/security-guide/ch022_case-studies-api-endpoints.xml11(para)
msgid ""
"Bob must also protect the access to the public and private endpoints, so he "
"elects to use the Apache SSL proxy on both public and internal services. On "
"the public services, he has configured the certificate key files with "
"certificates signed by a well-known Certificate Authority. He has used his "
"organization's self-signed CA to sign certificates in the internal services "
"on the Management network. Bob has registered his services in the Keystone "
"Services Catalog, using the internal URLs for access by internal services. "
"Bob's public cloud runs services on SELinux, which he has configured with a "
"mandatory access control policy to reduce the impact of any publicly "
"accessible services that may be compromised. He has also configured the "
"endpoints with a host-based IDS."
msgstr "ボブもまた、パブリックとプライベートエンドポイントを守る必要があるため、 Apache SSL proxy をパブリックサービスと内部サービスの両方に使います。\nパブリックサービス側には、よく知られている認証局が署名した証明書キーファイルを、内部サービス側には、自組織が発行した自己署名証明書を管理ネットワーク上のサービスに設定しました。\nサービスの登録は、内部アクセス用の Internal URL 越しに、Keystone サービスカタログに登録してあります。\nまた、ボブのパブリッククラウドサービスは、強制アクセス制御のポリシーで設定した SELinux 上で動かしています。これにより万が一、公開サービスが攻撃されても、セキュリティ侵害による影響を減らすことができます。\nさらに、ホストベースの侵入検知システムをエンドポイントに設定しました。"
#: ./doc/security-guide/ch046_data-residency.xml3(title)
msgid "Data Privacy Concerns"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml4(para)
msgid ""
"OpenStack is designed to support multitenancy and those tenants will most "
"probably have different data requirements. As a cloud builder and operator "
"you need to ensure your OpenStack environment can address various data "
"privacy concerns and regulations. In this chapter we will address the "
"following topics around Data Privacy as it pertains to OpenStack "
"implementations:"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml6(para)
#: ./doc/security-guide/ch046_data-residency.xml13(title)
msgid "Data Residency"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml9(para)
#: ./doc/security-guide/ch046_data-residency.xml64(title)
msgid "Data Disposal"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml14(para)
msgid ""
"The privacy and isolation of data has consistently been cited as the primary"
" barrier to cloud adoption over the past few years. Concerns over who owns "
"data in the cloud and whether the cloud operator can be ultimately trusted "
"as a custodian of this data have been significant issues in the past."
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml15(para)
msgid ""
"Numerous OpenStack services maintain data and metadata belonging to tenants "
"or reference tenant information."
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml16(para)
msgid ""
"Tenant data stored in an OpenStack cloud may include the following items:"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml18(para)
msgid "Swift objects"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml21(para)
msgid "Compute instance ephemeral filesystem storage"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml24(para)
msgid "Compute instance memory"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml27(para)
#: ./doc/security-guide/ch046_data-residency.xml113(title)
msgid "Cinder volume data"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml30(para)
msgid "Public keys for Compute Access"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml33(para)
msgid "Virtual Machine Images in Glance"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml36(para)
msgid "Machine snapshots"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml39(para)
msgid "Data passed to OpenStack Compute's configuration-drive extension"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml42(para)
msgid ""
"Metadata stored by an OpenStack cloud includes the following non-exhaustive "
"items:"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml44(para)
msgid "Organization name"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml47(para)
msgid "User's \"Real Name\""
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml50(para)
msgid ""
"Number or size of running instances, buckets, objects, volumes, and other "
"quota-related items"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml53(para)
msgid "Number of hours running instances or storing data"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml56(para)
msgid "IP addresses of users"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml59(para)
msgid "Internally generated private keys for compute image bundling"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml65(para)
msgid ""
"OpenStack operators should strive to provide a certain level of tenant data "
"disposal assurance. Best practices suggest that the operator sanitize cloud "
"system media (digital and non-digital) prior to disposal, release out of "
"organization control or release for reuse. Sanitization methods should "
"implement an appropriate level of strength and integrity given the specific "
"security domain and sensitivity of the information."
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml67(para)
msgid ""
"\"Sanitization is the process used to remove information from system media "
"such that there is reasonable assurance that the information cannot be "
"retrieved or reconstructed. Sanitization techniques, including clearing, "
"purging, and destroying media information, prevent the disclosure of "
"organizational information to unauthorized individuals when such media is "
"reused or released for disposal.\" [NIST Special Publication 800-53 Revision"
" 3]"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml69(para)
msgid ""
"General data disposal and sanitization guidelines as adopted from NIST "
"recommended security controls. Cloud Operators should:"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml71(para)
msgid "Track, document and verify media sanitization and disposal actions."
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml74(para)
msgid "Test sanitation equipment and procedures to verify proper performance."
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml78(para)
msgid ""
"Sanitize portable, removable storage devices prior to connecting such "
"devices to the cloud infrastructure."
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml81(para)
msgid "Destroy cloud system media that cannot be sanitized."
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml84(para)
msgid "In an OpenStack deployment you will need to address the following:"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml86(para)
msgid "Secure data erasure"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml89(para)
#: ./doc/security-guide/ch046_data-residency.xml106(title)
msgid "Instance memory scrubbing"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml92(para)
msgid "Block Storage volume data"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml95(para)
#: ./doc/security-guide/ch046_data-residency.xml119(title)
msgid "Compute instance ephemeral storage"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml98(para)
#: ./doc/security-guide/ch046_data-residency.xml126(title)
msgid "Bare metal server sanitization"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml102(title)
msgid "Data not securely erased"
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml103(para)
msgid ""
"Within OpenStack some data may be deleted, but not securely erased in the "
"context of the NIST standards outlined above. This is generally applicable "
"to most or all of the above-defined metadata and information stored in the "
"database. This may be remediated with database and/or system configuration "
"for auto vacuuming and periodic free-space wiping."
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml107(para)
msgid ""
"Specific to various hypervisors is the treatment of instance memory. This "
"behavior is not defined in OpenStack Compute, although it is generally "
"expected of hypervisors that they will make a best effort to scrub memory "
"either upon deletion of an instance, upon creation of an instance, or both."
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml108(para)
msgid ""
"Xen explicitly assigns dedicated memory regions to instances and scrubs data"
" upon the destruction of instances (or domains in Xen parlance). KVM depends"
" more greatly on Linux page management; A complex set of rules related to "
"KVM paging is defined in the <link href=\"http://www.linux-"
"kvm.org/page/Memory\">KVM documentation</link>."
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml109(para)
msgid ""
"It is important to note that use of the Xen memory balloon feature is likely"
" to result in information disclosure. We strongly recommended to avoid use "
"of this feature."
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml110(para)
msgid ""
"For these and other hypervisors, we recommend referring to hypervisor-"
"specific documentation."
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml114(para)
msgid ""
"Plugins to OpenStack Block Storage will store data in a variety of ways. "
"Many plugins are specific to a vendor or technology, whereas others are more"
" DIY solutions around filesystems such as LVM or ZFS. Methods to securely "
"destroy data will vary from one plugin to another, from one vendor's "
"solution to another, and from one filesystem to another."
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml115(para)
msgid ""
"Some backends such as ZFS will support copy-on-write to prevent data "
"exposure. In these cases, reads from unwritten blocks will always return "
"zero. Other backends such as LVM may not natively support this, thus the "
"Cinder plugin takes the responsibility to override previously written blocks"
" before handing them to users. It is important to review what assurances "
"your chosen volume backend provides and to see what mediations may be "
"available for those assurances not provided."
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml116(para)
msgid ""
"Finally, while not a feature of OpenStack, vendors and implementors may "
"choose to add or support encryption of volumes. In this case, destruction of"
" data is as simple as throwing away the key."
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml120(para)
msgid ""
"The creation and destruction of ephemeral storage will be somewhat dependent"
" on the chosen hypervisor and the OpenStack Compute plugin."
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml121(para)
msgid ""
"The libvirt plugin for compute may maintain ephemeral storage directly on a "
"filesystem, or in LVM. Filesystem storage generally will not overwrite data "
"when it is removed, although there is a guarantee that dirty extents are not"
" provisioned to users."
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml122(para)
msgid ""
"When using LVM backed ephemeral storage, which is block-based, it is "
"necessary that the OpenStack Compute software securely erases blocks to "
"prevent information disclosure. There have in the past been information "
"disclosure vulnerabilities related to improperly erased ephemeral block "
"storage devices."
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml123(para)
msgid ""
"Filesystem storage is a more secure solution for ephemeral block storage "
"devices than LVM as dirty extents cannot be provisioned to users. However, "
"it is important to be mindful that user data is not destroyed, so it is "
"suggested to encrypt the backing filesystem."
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml127(para)
msgid ""
"A bare metal server driver for Nova was under development and has since "
"moved into a separate project called <link "
"href=\"https://wiki.openstack.org/wiki/Ironic\">Ironic</link>. At the time "
"of this writing, Ironic does not appear to address sanitization of tenant "
"data resident the physical hardware."
msgstr ""
#: ./doc/security-guide/ch046_data-residency.xml128(para)
msgid ""
"Additionally, it is possible for tenants of a bare metal system to modify "
"system firmware. TPM technology, described in ##link:Management/Node "
"Bootstrapping##, provides a solution for detecting unauthorized firmware "
"changes."
msgstr ""
#: ./doc/security-guide/ch062_audit-guidance.xml3(title)
msgid "Understanding the Audit Process"
msgstr "監査プロセスを理解する"
#: ./doc/security-guide/ch062_audit-guidance.xml4(para)
msgid ""
"Information system security compliance is reliant on the completion of two "
"foundational processes:"
msgstr "情報システムのセキュリティコンプライアンスは、二つの基本的なプロセスの完了を前提としています。"
#: ./doc/security-guide/ch062_audit-guidance.xml6(para)
msgid ""
"<emphasis role=\"bold\">Implementation and Operation of Security "
"Controls</emphasis>Aligning the information system with in-scope standards "
"and regulations involves internal tasks which must be conducted before a "
"formal assessment. Auditors may be involved at this state to conduct gap "
"analysis, provide guidance, and increase the likelihood of successful "
"certification."
msgstr "<emphasis role=\"bold\">セキュリティコントロールの実装と運用</emphasis> 情報システムを標準と規制の範囲内で運用しつづけること、それは、正式なアセスメント前でも行うべき内部活動です。なお監査人はこの時点で、ギャップ分析、助言、認証取得の可能性向上のために関与することがあります。"
#: ./doc/security-guide/ch062_audit-guidance.xml9(para)
msgid ""
"<emphasis role=\"bold\">Independent Verification and "
"Validation</emphasis>Demonstration to a neutral third-party that system "
"security controls are implemented and operating effectively, in compliance "
"with in-scope standards and regulations, is required before many information"
" systems achieve certified status. Many certifications require periodic "
"audits to ensure continued certification, considered part of an overarching "
"continuous monitoring practice.  "
msgstr "<emphasis role=\"bold\">独立した検査と検証</emphasis> システムのセキュリティコントロールが標準と規制の範囲に従って実装され、効率的に運用されているか。これを中立的な第三者へ、認証を得る以前に証明しなければなりません。多くの認証はその継続を保証するため、包括的な継続監視の一部として、定期的な監査を必要とします。"
#: ./doc/security-guide/ch062_audit-guidance.xml13(title)
msgid "Determining Audit Scope"
msgstr "監査の範囲を決める"
#: ./doc/security-guide/ch062_audit-guidance.xml14(para)
msgid ""
"Determining audit scope, specifically what controls are needed and how to "
"design or modify an OpenStack deployment to satisfy them, should be the "
"initial planning step."
msgstr "何をコントロールするのか、OpenStack環境をいかにデザイン、変更していくかを明確にするため、監査範囲は初期の計画段階で決定すべきです。"
#: ./doc/security-guide/ch062_audit-guidance.xml15(para)
msgid ""
"When scoping OpenStack deployments for compliance purposes, consider "
"prioritizing controls around sensitive services, such as command and control"
" functions and the base virtualization technology. Compromises of these "
"facilities may impact an OpenStack environment in its entirety."
msgstr "OpenStack環境の範囲をコンプライアンス目的で明確化する際は、制御機能や仮想化技術など、慎重に扱うべきサービスの周辺を優先するよう、考慮すべきです。それらを妥協することは、OpenStack環境全体に影響を与えかねません。"
#: ./doc/security-guide/ch062_audit-guidance.xml16(para)
msgid ""
"Scope reduction helps ensure OpenStack architects establish high quality "
"security controls which are tailored to a particular deployment, however it "
"is paramount to ensure these practices do not omit areas or features from "
"security hardening. A common example is applicable to PCI-DSS guidelines, "
"where payment related infrastructure may be scrutinized for security issues,"
" but supporting services are left ignored, and vulnerable to attack."
msgstr "範囲を限定することで、限定された環境に対し、OpenStackの設計者は高いセキュリティ品質を確立しやすくなります。しかしその取り組みの中で、セキュリティ強化の範囲や機能を不当に省かないことが重要です。典型的な例はPCI-DSSガイドラインです。決済に関わるインフラはセキュリティを精査されるでしょう。が、その影でその周辺サービスが放置されれば、そこが攻撃に対し無防備となります。"
#: ./doc/security-guide/ch062_audit-guidance.xml17(para)
msgid ""
"When addressing compliance, you can increase efficiency and reduce work "
"effort by identifying common areas and criteria that apply across multiple "
"certifications. Much of the audit principles and guidelines discussed in "
"this book will assist in identifying these controls, additionally a number "
"of external entities provide comprehensive lists. The following are some "
"examples:"
msgstr "コンプライアンスに取り組む際、複数の認証で共通の領域と基準を明確にできれば、効率的に手間を減らすことができます。この本で取り上げている監査原則とガイドラインの多くは、それらを特定するのに役立ちます。加えて、総合的なリストを提供するガイドラインが多くあります。以下に例を挙げます。"
#: ./doc/security-guide/ch062_audit-guidance.xml18(para)
msgid ""
"The <link href=\"https://cloudsecurityalliance.org/research/ccm/\">Cloud "
"Security Alliance Cloud Controls Matrix</link> (CCM) assists both cloud "
"providers and consumers in assessing the overall security of a cloud "
"provider. The CSA CMM provides a controls framework that map to many "
"industry-accepted standards and regulations including the ISO 27001/2, "
"ISACA, COBIT, PCI, NIST, Jericho Forum and NERC CIP."
msgstr "<link href=\"https://cloudsecurityalliance.org/research/ccm/\">Cloud Security Alliance Cloud Controls Matrix</link> (CCM)はクラウドプロバイダーのセキュリティを総合的に評価するにあたって、プロバイダーとユーザーの両方に役立ちます。CSA CCMはISO 27001/2、ISACA、COBIT、PIC、NIST、Jericho Forum、NERC CIPといった、多くの業界で認められた標準、規制をひも付けた統制フレームワークを提供します。"
#: ./doc/security-guide/ch062_audit-guidance.xml19(para)
msgid ""
"The <link href=\"https://fedorahosted.org/scap-security-guide/\">SCAP "
"Security Guide</link> is another useful reference. This is still an emerging"
" source, but we anticipate that this will grow into a tool with controls "
"mappings that are more focused on the US federal government certifications "
"and recommendations. For example, the SCAP Security Guide currently has some"
" mappings for security technical implementation guides (STIGs) and "
"NIST-800-53."
msgstr "<link href=\"https://fedorahosted.org/scap-security-guide/\">SCAP Security Guide</link>はもうひとつの有用なリファレンスです。まだ出来たばかりですが、米国連邦政府の認証、推奨への対応に重点を絞ったツールとして普及すると予想されます。たとえば、SCAP Security Guideは現在、security technical implementation guides (STIGs)とNIST-800-53にある程度対応しています。"
#: ./doc/security-guide/ch062_audit-guidance.xml20(para)
msgid ""
"These control mappings will help identify common control criteria across "
"certifications, and provide visibility to both auditors and auditees on "
"problem areas within control sets for particular compliance certifications "
"and attestations."
msgstr "これらのコントロールマッピングは、認証間で共通の統制基準を特定します。また、監査人と被監査者両方にとって問題となる、特定のコンプライアンス認証、認定に必要なコントロールセットを可視化するのに役立ちます。"
#: ./doc/security-guide/ch062_audit-guidance.xml23(title)
msgid "Internal Audit"
msgstr "内部監査"
#: ./doc/security-guide/ch062_audit-guidance.xml24(para)
msgid ""
"Once a cloud is deployed, it is time for an internal audit. This is the time"
" compare the controls you identified above with the design, features, and "
"deployment strategies utilized in your cloud. The goal is to understand how "
"each control is handled and where gaps exist. Document all of the findings "
"for future reference."
msgstr "クラウドが導入されたのであれば、内部監査が必要です。あなたが採用を決めた統制基準と、あなたのクラウドの設計、機能、配備戦略を比較する時です。目的はそれぞれの統制がどのように扱われているか、ギャップがどこに存在するか、理解することです。そして、その全てを将来のために文書化します。"
#: ./doc/security-guide/ch062_audit-guidance.xml25(para)
msgid ""
"When auditing an OpenStack cloud it is important to appreciate the multi-"
"tenant environment inherent in the OpenStack architecture. Some critical "
"areas for concern include data disposal, hypervisor security, node "
"hardening, and authentication mechanisms."
msgstr "OpenStackクラウドを監査するとき、OpenStackアーキテクチャー固有のマルチテナント環境を理解することが重要です。データの廃棄、ハイパーバイザーのセキュリティ、ードの強化、および認証メカニズムなど、いくつか重要な部分があります。"
#: ./doc/security-guide/ch062_audit-guidance.xml28(title)
msgid "Prepare for External Audit"
msgstr "外部監査に備える"
#: ./doc/security-guide/ch062_audit-guidance.xml29(para)
msgid ""
"Once the internal audit results look good, it is time to prepare for an "
"external audit. There are several key actions to take at this stage, these "
"are outlined below:"
msgstr "内部監査の結果が良好であれば、いよいよ外部監査の準備です。この段階では、いくつかの鍵となる活動があります。概要は以下です。"
#: ./doc/security-guide/ch062_audit-guidance.xml31(para)
msgid ""
"Maintain good records from your internal audit. These will prove useful "
"during the external audit so you can be prepared to answer questions about "
"mapping the compliance controls to a particular deployment."
msgstr "内部監査での良好な状態を維持してください。それらは外部監査の実施期間に証明として役立ちます。またそれは、コンプライアンス統制に関する詳細な質疑応答の備えとなります。"
#: ./doc/security-guide/ch062_audit-guidance.xml34(para)
msgid ""
"Deploy automated testing tools to ensure that the cloud remains compliant "
"over time."
msgstr "クラウドがコンプライアンスを維持し続けるために、自動テストツールを導入してください。"
#: ./doc/security-guide/ch062_audit-guidance.xml37(para)
msgid "Select an auditor."
msgstr "監査人を選ぶ"
#: ./doc/security-guide/ch062_audit-guidance.xml40(para)
msgid ""
"Selecting an auditor can be challenging. Ideally, you are looking for "
"someone with experience in cloud compliance audits. OpenStack experience is "
"another big plus. Often it is best to consult with people who have been "
"through this process for referrals. Cost can vary greatly depending on the "
"scope of the engagement and the audit firm considered."
msgstr "監査人の選定は困難を伴うことがあります。クラウドのコンプライアンス監査経験がある人を見つけてくるのが理想です。OpenStackの経験があれば、なお良しです。このプロセスを経験している人に相談するのがベストでしょう。なお、費用は契約の範囲と監査法人に大きく依存します。"
#: ./doc/security-guide/ch062_audit-guidance.xml43(title)
msgid "External Audit"
msgstr "外部監査"
#: ./doc/security-guide/ch062_audit-guidance.xml44(para)
msgid ""
"This is the formal audit process. Auditors will test security controls in "
"scope for a specific certification, and demand evidentiary requirements to "
"prove that these controls were also in place for the audit window (for "
"example SOC 2 audits generally evaluate security controls over a 6-12 months"
" period).  Any control failures are logged, and will be documented in the "
"external auditors final report.  Dependent on the type of OpenStack "
"deployment, these reports may be viewed by customers, so it is important to "
"avoid control failures. This is why audit preparation is so important."
msgstr "これが正式な監査プロセスです。監査人は、特定の認定向けのセキュリティ統制を確認し、これらの統制が監査期間において実行されていたか、その証明を求めます (たとえば、SOC 2監査は一般的に6-12ヶ月のセキュリティ統制を評価します)。どのような統制上の不具合も記録され、外部監査の最終報告書で文書化されます。OpenStack環境のタイプに依存しますが、これらの報告書を顧客はあとから見ることができます。それゆえ統制上の不具合を避けることは重要です。これが監査への準備が重要である理由です。"
#: ./doc/security-guide/ch062_audit-guidance.xml47(title)
msgid "Compliance Maintenance"
msgstr "コンプライアンスの維持"
#: ./doc/security-guide/ch062_audit-guidance.xml48(para)
msgid ""
"The process doesn't end with a single external audit. Most certifications "
"require continual compliance activities which means repeating the audit "
"process periodically.  We recommend integrating automated compliance "
"verification tools into a cloud to ensure that it is compliant at all times."
" This should be in done in addition to other security monitoring tools. "
"Remember that the goal is both security <emphasis>and</emphasis> compliance."
" Failing on either of these fronts will significantly complicate future "
"audits."
msgstr "このプロセスは一度の外部監査で終わることがありません。多くの認証は継続的なコンプライアンス活動、すなわち、定期的な監査を要求します。常に遵守を確実とするため、自動化されたコンプライアンス検証ツールをクラウド内に作ることをおすすめします。これは他のセキュリティ監視ツールに加えて実装されるべきです。このゴールがセキュリティ<emphasis>および</emphasis>コンプライアンスであることを忘れないでください。これらのどちらかに不具合があれば、将来の監査で非常に面倒なことになります。"
#. When image changes, this message will be marked fuzzy or untranslated for
#. you.
#. It doesn't matter what you translate it to: it's not used at all.
#: ./doc/security-guide/ch042_database-overview.xml13(None)
#: ./doc/security-guide/ch042_database-overview.xml16(None)
msgid ""
"@@image: 'static/databaseusername.png'; md5=a6a5dadedbc1517069ca388c7ac5940a"
msgstr ""
#. When image changes, this message will be marked fuzzy or untranslated for
#. you.
#. It doesn't matter what you translate it to: it's not used at all.
#: ./doc/security-guide/ch042_database-overview.xml37(None)
#: ./doc/security-guide/ch042_database-overview.xml40(None)
msgid ""
"@@image: 'static/databaseusernamessl.png'; "
"md5=9c43242c47eb159b6f61ac41f3d8bced"
msgstr ""
#. When image changes, this message will be marked fuzzy or untranslated for
#. you.
#. It doesn't matter what you translate it to: it's not used at all.
#: ./doc/security-guide/ch042_database-overview.xml101(None)
#: ./doc/security-guide/ch042_database-overview.xml104(None)
msgid ""
"@@image: 'static/novaconductor.png'; md5=dbc1ba139bd1af333f0415bb48704843"
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml3(title)
msgid "Database Access Control"
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml4(para)
msgid ""
"Each of the core OpenStack services (Compute, Identity, Networking, Block "
"Storage) store state and configuration information in databases. In this "
"chapter, we discuss how databases are used currently in OpenStack. We also "
"explore security concerns, and the security ramifications of database "
"backend choices."
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml6(title)
msgid "OpenStack Database Access Model"
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml7(para)
msgid ""
"All of the services within an OpenStack project access a single database. "
"There are presently no reference policies for creating table or row based "
"access restrictions to the database."
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml8(para)
msgid ""
"There are no general provisions for granular control of database operations "
"in OpenStack. Access and privileges are granted simply based on whether a "
"node has access to the database or not.  In this scenario, nodes with access"
" to the database may have full privileges to DROP, INSERT, or UPDATE "
"functions."
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml10(title)
msgid "Granular Access Control"
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml11(para)
msgid ""
"By default, each of the OpenStack services and their processes access the "
"database using a shared set of credentials. This makes auditing database "
"operations and revoking access privileges from a service and its processes "
"to the database particularly difficult."
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml21(title)
#: ./doc/security-guide/ch042_database-overview.xml96(title)
msgid "Nova Conductor"
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml22(para)
msgid ""
"The compute nodes are the least trusted of the services in OpenStack because"
" they host tenant instances. The <systemitem class=\"service\">nova-"
"conductor</systemitem> service has been introduced to serve as a database "
"proxy, acting as an intermediary between the compute nodes and the database."
" We discuss its ramifications later in this chapter."
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml23(para)
msgid "We strongly recommend:"
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml25(para)
msgid "All database communications be isolated to a management network"
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml28(para)
msgid "Securing communications using SSL"
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml31(para)
msgid ""
"Creating unique database user accounts per OpenStack service endpoint "
"(illustrated below)"
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml47(title)
msgid "Database Authentication and Access Control"
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml48(para)
msgid ""
"Given the risks around access to the database, we strongly recommend that "
"unique database user accounts be created per node needing access to the "
"database. Doing this facilitates better analysis and auditing for ensuring "
"compliance or in the event of a compromise of a node allows you to isolate "
"the compromised host by removing access for that node to the database upon "
"detection. When creating these per service endpoint database user accounts, "
"care should be taken to ensure that they are configured to require SSL.  "
"Alternatively, for increased security it is recommended that the database "
"accounts be configured using X.509 certificate authentication in addition to"
" usernames and passwords."
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml50(title)
msgid "Privileges"
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml51(para)
msgid ""
"A separate database administrator (DBA) account should be created and "
"protected that has full privileges to create/drop databases, create user "
"accounts, and update user privileges. This simple means of separation of "
"responsibility helps prevent accidental misconfiguration, lowers risk and "
"lowers scope of compromise."
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml52(para)
msgid ""
"The database user accounts created for the OpenStack services and for each "
"node should have privileges limited to just the database relevant to the "
"service where the node is a member."
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml56(title)
msgid "Require User Accounts to Require SSL Transport"
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml58(title)
#: ./doc/security-guide/ch042_database-overview.xml75(title)
msgid "Configuration Example #1: (MySQL)"
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml63(title)
#: ./doc/security-guide/ch042_database-overview.xml82(title)
msgid "Configuration Example #2: (PostgreSQL)"
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml64(para)
msgid "In file pg_hba.conf:"
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml67(para)
msgid ""
"Note this command only adds the ability to communicate over SSL and is non-"
"exclusive. Other access methods that may allow unencrypted transport should "
"be disabled so that SSL is the sole access method."
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml68(para)
msgid ""
"The 'md5' parameter defines the authentication method as a hashed password. "
"We provide a secure authentication example in the section below."
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml72(title)
msgid "Authentication with X.509 Certificates"
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml73(para)
msgid ""
"Security may be enhanced by requiring X.509 client certificates for "
"authentication.  Authenticating to the database in this manner provides "
"greater identity assurance of the client making the connection to the "
"database and ensures that the communications are encrypted."
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml88(title)
msgid "OpenStack Service Database Configuration"
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml89(para)
msgid ""
"If your database server is configured to require X.509 certificates for "
"authentication you will need to specify the appropriate SQLAlchemy query "
"parameters for the database backend. These parameters specify the "
"certificate, private key, and certificate authority information for use with"
" the initial connection string."
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml90(para)
msgid ""
"Example of an <literal>:sql_connection</literal> string for X.509 "
"certificate authentication to MySQL:"
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml97(para)
msgid ""
"OpenStack Compute offers a sub-service called <systemitem class=\"service"
"\">nova-conductor</systemitem> which proxies database connections, with the "
"primary purpose of having the nova compute nodes interfacing with "
"<systemitem class=\"service\">nova-conductor</systemitem> to meet data "
"persistence needs as opposed to directly communicating with the database."
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml98(para)
msgid ""
"Nova-conductor receives requests over RPC and performs actions on behalf of "
"the calling service without granting granular access to the database, its "
"tables, or data within. Nova-conductor essentially abstracts direct database"
" access away from compute nodes."
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml99(para)
msgid ""
"This abstraction offers the advantage of restricting services to executing "
"methods with parameters, similar to stored procedures, preventing a large "
"number of systems from directly accessing or modifying database data. This "
"is accomplished without having these procedures stored or executed within "
"the context or scope of the database itself, a frequent criticism of typical"
" stored procedures."
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml107(para)
msgid ""
"Unfortunately, this solution complicates the task of more fine-grained "
"access control and the ability to audit data access. Because the <systemitem"
" class=\"service\">nova-conductor</systemitem> service receives requests "
"over RPC, it highlights the importance of improving the security of "
"messaging. Any node with access to the message queue may execute these "
"methods provided by the <systemitem class=\"service\">nova-"
"conductor</systemitem> and effectively modifying the database."
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml108(para)
msgid ""
"Finally, it should be noted that as of the Grizzly release, gaps exist where"
" <systemitem class=\"service\">nova-conductor</systemitem> is not used "
"throughout OpenStack Compute. Depending on one's configuration, the use of "
"<systemitem class=\"service\">nova-conductor</systemitem> may not allow "
"deployers to avoid the necessity of providing database GRANTs to individual "
"compute host systems."
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml109(para)
msgid ""
"Note, as <systemitem class=\"service\">nova-conductor</systemitem> only "
"applies to OpenStack Compute, direct database access from compute hosts may "
"still be necessary for the operation of other OpenStack components such as "
"Telemetry (Ceilometer), Networking, and Block Storage."
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml110(para)
msgid ""
"Implementors should weigh the benefits and risks of both configurations "
"before enabling or disabling the <systemitem class=\"service\">nova-"
"conductor</systemitem> service. We are not yet prepared to recommend the use"
" of <systemitem class=\"service\">nova-conductor</systemitem> in the Grizzly"
" release. However, we do believe that this recommendation will change as "
"additional features are added into OpenStack."
msgstr ""
#: ./doc/security-guide/ch042_database-overview.xml111(para)
msgid ""
"To disable the <systemitem class=\"service\">nova-conductor</systemitem>, "
"place the following into your <filename>nova.conf</filename> file (on your "
"compute hosts):"
msgstr ""
#: ./doc/security-guide/ch024_authentication.xml3(title)
msgid "Identity"
msgstr "Identity"
#: ./doc/security-guide/ch024_authentication.xml4(para)
msgid ""
"The OpenStack Identity Service (Keystone) supports multiple methods of "
"authentication, including username &amp; password, LDAP, and external "
"authentication methods.  Upon successful authentication, The Identity "
"Service provides the user with an authorization token used for subsequent "
"service requests."
msgstr "OpenStack Identity Service (Keystone) は、ユーザー名・パスワード、LDAP、外部認証方式など、複数の認証方式をサポートします。認証に成功すると、Identity Service は後続のサービスリクエストに使用する認可トークンをユーザーに返します。"
#: ./doc/security-guide/ch024_authentication.xml5(para)
msgid ""
"Transport Layer Security TLS/SSL provides authentication between services "
"and persons using X.509 certificates.  Although the default mode for SSL is "
"server-side only authentication, certificates may also be used for client "
"authentication."
msgstr "Transport Layer Security TLS/SSL は、サービスと人の間で X.509 を使用した認証を提供します。SSL の規定のモードはサーバーのみを認証しますが、証明書はクライアントを認証するためにも使用されるかもしれません。"
#: ./doc/security-guide/ch024_authentication.xml7(title)
msgid "Authentication"
msgstr "認証"
#: ./doc/security-guide/ch024_authentication.xml9(title)
msgid "Invalid Login Attempts"
msgstr "無効なログイン試行"
#: ./doc/security-guide/ch024_authentication.xml10(para)
msgid ""
"The Identity Service does not provide a method to limit access to accounts "
"after repeated unsuccessful login attempts. Repeated failed login attempts "
"are likely brute-force attacks (Refer figure Attack-types). This is a more "
"significant issue in Public clouds."
msgstr "Identity Service は、ログイン試行が連続して失敗した後に、アカウントへのアクセスを制限する方法を提供していません。何度も失敗するログイン試行はブルートフォース攻撃 (図「攻撃の種類」参照) のようなものです。これは、パブリッククラウドでは、より重要な問題です。"
#: ./doc/security-guide/ch024_authentication.xml11(para)
msgid ""
"Prevention is possible by using an external authentication system that "
"blocks out an account after some configured number of failed login attempts."
" The account then may only be unlocked with further side-channel "
"intervention."
msgstr "ログイン試行を指定した回数だけ失敗すると、アカウントをブロックするような外部認証システムを使用することにより、防止することができます。アカウントは、別の連絡手段を介してのみ、ロック解除するようにできます。"
#: ./doc/security-guide/ch024_authentication.xml12(para)
msgid ""
"If prevention is not an option, detection can be used to mitigate "
"damage.Detection involves frequent review of access control logs to identify"
" unauthorized attempts to access accounts. Possible remediation would "
"include reviewing the strength of the user password, or blocking the network"
" source of the attack via firewall rules. Firewall rules on the keystone "
"server that restrict the number of connections could be used to reduce the "
"attack effectiveness, and thus dissuade the attacker."
msgstr "もし防止することが選択肢になければ、被害を減らすために、検知することができます。検知は、アカウントへの権限のないアクセスを特定するために、アクセス制御ログを頻繁にレビューすることを意味します。その他の改善法としては、ユーザーパスワードの強度のレビュー、ファイアウォールルールで攻撃のネットワーク送信元のブロックなどがあります。接続数を制限するという、Keystone サーバのファイアウォールルールは、攻撃の効率を悪くし、攻撃者をあきらめさせるために使用できます。"
#: ./doc/security-guide/ch024_authentication.xml13(para)
msgid ""
"In addition, it is useful to examine account activity for unusual login "
"times and suspicious actions, with possibly disable the account. Often times"
" this approach is taken by credit card providers for fraud detection and "
"alert."
msgstr "さらに、普通でないログイン回数や疑わしいアクションに対して、アカウントの活動状況を確認することは有用です。可能ならば、アカウントを無効化します。しばしば、このアプローチはクレジットカード提供者により、詐欺の検出や警告のために使用されます。"
#: ./doc/security-guide/ch024_authentication.xml16(title)
msgid "Multi-factor Authentication"
msgstr "多要素認証"
#: ./doc/security-guide/ch024_authentication.xml17(para)
msgid ""
"Employ multi-factor authentication for network access to privileged user "
"accounts. The Identity Service supports external authentication services "
"through the Apache web server that can provide this functionality. Servers "
"may also enforce client-side authentication using certificates."
msgstr "権限のあるユーザーアカウントにネットワークアクセス用の多要素認証を使用します。Identity Service はこの機能を提供できる Apache Web サーバーを通して外部認証サービスをサポートします。サーバーは証明書を使用したクライアント認証を強制することもできます。"
#: ./doc/security-guide/ch024_authentication.xml18(para)
msgid ""
"This recommendation provides insulation from brute force, social "
"engineering, and both spear and mass phishing attacks that may compromise "
"administrator passwords."
msgstr "この推奨事項は、管理者パスワードを流出させる可能性のある、ブルートフォース、ソーシャルエンジニアリング、標的型と無差別のフィッシング攻撃に対する防御になります。"
#: ./doc/security-guide/ch024_authentication.xml22(title)
msgid "Authentication Methods"
msgstr "認証方式"
#: ./doc/security-guide/ch024_authentication.xml24(title)
msgid "Internally Implemented Authentication Methods"
msgstr "内部実装認証方式"
#: ./doc/security-guide/ch024_authentication.xml25(para)
msgid ""
"The Identity Service can store user credentials in an SQL Database, or may "
"use an LDAP-compliant directory server. The Identity database may be "
"separate from databases used by other OpenStack services to reduce the risk "
"of a compromise of the stored credentials."
msgstr "Identity Service はユーザーのクレデンシャルを SQL データベースに保存できます。または、LDAP 対応のディレクトリサーバーを使用できます。Identity Service のデータベースは、保存されているクレデンシャルが漏洩するリスクを減らすために、他の OpenStack サービスが使用するデータベースと分離することもできます。"
#: ./doc/security-guide/ch024_authentication.xml26(para)
msgid ""
"When authentication is provided via username and password, the Identity "
"Service does not enforce policies on password strength, expiration, or "
"failed authentication attempts as recommended by NIST Special Publication "
"800-118 (draft). Organizations that desire to enforce stronger password "
"policies should consider using Keystone Identity Service Extensions or "
"external authentication services."
msgstr "認証がユーザー名とパスワードで行われている場合、Identity Service は NIST Special Publication 800-118 (draft) により推奨されている、パスワード強度、有効期限、ログイン試行回数制限に関するポリシーを強制できません。より強固なパスワードポリシーを強制したい組織は、Keystone Identity Service 拡張や外部認証サービスの使用を検討すべきです。"
#: ./doc/security-guide/ch024_authentication.xml27(para)
msgid ""
"LDAP simplifies integration of Identity authentication into an "
"organization's existing directory service and user account management "
"processes."
msgstr "LDAP により、組織の既存のディレクトリサービスやユーザーアカウント管理プロセスに Identity 認証を統合することをシンプルにできます。"
#: ./doc/security-guide/ch024_authentication.xml28(para)
msgid ""
"Authentication and authorization policy in OpenStack may be delegated to an "
"external LDAP server. A typical use case is an organization that seeks to "
"deploy a private cloud and already has a database of employees, the users. "
"This may be in an LDAP system. Using LDAP as a source of authority "
"authentication, requests to Identity Service are delegated to the LDAP "
"service, which will authorize or deny requests based on locally set "
"policies. A token is generated on successful authentication."
msgstr "OpenStack の認証と認可のポリシーは、外部 LDAP サーバーに権限委譲することができます。一般的なユースケースは、プライベートクラウドの導入を検討していて、すでに従業員とユーザーのデーターベースを持っている組織です。これは LDAP システムにあるかもしれません。権限のある認証のソースとして LDAP を使用することが、LDAP サービスに権限委譲している Identity Service に要求されます。このサービスがローカルに設定されたポリシーに基づいて認可または拒否します。トークンは認証が成功した場合に生成されます。"
#: ./doc/security-guide/ch024_authentication.xml29(para)
msgid ""
"Note that if the LDAP system has attributes defined for the user such as "
"admin, finance, HR etc, these must be mapped into roles and groups within "
"Identity for use by the various OpenStack services. The "
"<emphasis>etc/keystone.conf</emphasis> file provides the mapping from the "
"LDAP attributes to Identity attributes."
msgstr "LDAP システムがユーザーに対して定義された、幹部社員、経理、人事などのような属性を持っている場合、これらはさまざまな OpenStack サービスにより使用するために Identity の中でロールとグループにマッピングされる必要があります。"
#: ./doc/security-guide/ch024_authentication.xml30(para)
msgid ""
"The Identity Service <emphasis role=\"bold\">MUST NOT</emphasis> be allowed "
"to write to LDAP services used for authentication outside of the OpenStack "
"deployment as this would allow a sufficiently privileged keystone user to "
"make changes to the LDAP directory. This would allow privilege escalation "
"within the wider organization or facilitate unauthorized access to other "
"information and resources. In such a deployment, user provisioning would be "
"out of the realm of the OpenStack deployment."
msgstr "Identity Service は OpenStack の外部にある認証用 LDAP サービスに書き込みを許可<emphasis role=\"bold\">してはいけません</emphasis>。十分な権限を持つ keystone ユーザーが LDAP ディレクトリに変更を加えられるようになるからです。これにより、より広い範囲の組織に権限が増えたり、他の情報やリソースに権限のアクセスが容易になったりするかもしれません。このような環境では、ユーザーの払い出しが OpenStack 環境のレルムの範囲外になるかもしれません。"
#: ./doc/security-guide/ch024_authentication.xml32(para)
msgid ""
"There is an <link "
"href=\"https://bugs.launchpad.net/ossn/+bug/1168252\">OpenStack Security "
"Note (OSSN) regarding keystone.conf permissions</link>."
msgstr "<link href=\"https://bugs.launchpad.net/ossn/+bug/1168252\">keystone.conf のパーミッションに関する OpenStack Security Note (OSSN)</link> があります。"
#: ./doc/security-guide/ch024_authentication.xml33(para)
msgid ""
"There is an <link "
"href=\"https://bugs.launchpad.net/ossn/+bug/1155566\">OpenStack Security "
"Note (OSSN) regarding potential DoS attacks</link>."
msgstr ""
#: ./doc/security-guide/ch024_authentication.xml37(title)
msgid "External Authentication Methods"
msgstr "外部認証方式"
#: ./doc/security-guide/ch024_authentication.xml38(para)
msgid ""
"Organizations may desire to implement external authentication for "
"compatibility with existing authentication services or to enforce stronger "
"authentication policy requirements. Although passwords are the most common "
"form of authentication, they can be compromised through numerous methods, "
"including keystroke logging and password compromise. External authentication"
" services can provide alternative forms of authentication that minimize the "
"risk from weak passwords."
msgstr "組織は、既存の認証サービスとの互換性のために外部認証を実装したいかもしれません。または、より強固な認証ポリシー要件を強制するためかもしれません。パスワードが認証のもっとも一般的な形式ですが、キー入力ロギングやパスワード推測など、さまざまな方法で破られる可能性があります。外部認証サービスにより、弱いパスワードのリスクを最小化する他の認証形式を提供できます。"
#: ./doc/security-guide/ch024_authentication.xml39(para)
msgid "These include:"
msgstr "これらは以下のものが含まれます。"
#: ./doc/security-guide/ch024_authentication.xml41(para)
msgid ""
"Password Policy Enforcement: Requires user passwords to conform to minimum "
"standards for length, diversity of characters, expiration, or failed login "
"attempts."
msgstr "パスワードポリシー強制: ユーザーパスワードが、長さ、文字種の量、有効期限、失敗試行回数の最低基準を満たしていることを要求します。"
#: ./doc/security-guide/ch024_authentication.xml44(para)
msgid ""
"Multi-factor authentication: The authentication service requires the user to"
" provide information based on something they have (e.g., a one-time password"
" token or X.509 certificate) and something they know (e.g., a password)."
msgstr "多要素認証: 認証サービスが、ユーザーが持っているもの (例: ワンタイムパスワードトークン、X.509 証明書) と知っていること (例: パスワード) に基づいた情報を提示するよう要求します。"
#: ./doc/security-guide/ch024_authentication.xml47(para)
msgid "Kerberos"
msgstr "Kerberos"
#: ./doc/security-guide/ch024_authentication.xml53(title)
msgid "Authorization"
msgstr "認可"
#: ./doc/security-guide/ch024_authentication.xml54(para)
msgid ""
"The Identity Service supports the notion of groups and roles. Users belong "
"to groups. A group has a list of roles. OpenStack services reference the "
"roles of the user attempting to access the service. The OpenStack policy "
"enforcer middleware takes into consideration the policy rule associated with"
" each resource and the user's group/roles and tenant association to "
"determine if he/she has access to the requested resource."
msgstr "Identity Service はグループとロールの概念をサポートします。ユーザーはグループに所属します。グループはロールの一覧を持ちます。OpenStack サービスはユーザーがサービスにアクセスしようとしているロールを参照します。OpenStack ポリシー判定ミドルウェアにより、各リソースに関連付けられたポリシールール、ユーザーのグループとロール、テナント割り当てを考慮して、要求されたリソースへのアクセスが判断されます。"
#: ./doc/security-guide/ch024_authentication.xml55(para)
msgid ""
"The Policy enforcement middleware enables fine-grained access control to "
"OpenStack resources. Only admin users can provision new users and have "
"access to various management functionality. The cloud tenant would be able "
"to only spin up instances, attach volumes, etc."
msgstr "ポリシー強制ミドルウェアにより OpenStack リソースに細かなアクセス制御を実現できます。管理ユーザーのみが新しいユーザーを作成でき、さまざまな管理機能にアクセスできます。クラウドのテナントはインスタンスの稼動、ボリュームの接続などのみが実行できます。"
#: ./doc/security-guide/ch024_authentication.xml57(title)
msgid "Establish Formal Access Control Policies"
msgstr "公式なアクセス制御ポリシーの確立"
#: ./doc/security-guide/ch024_authentication.xml58(para)
msgid ""
"Prior to configuring roles, groups, and users, document your required access"
" control policies for the OpenStack installation. The policies should be "
"consistent with any regulatory or legal requirements for the organization. "
"Future modifications to access control configuration should be done "
"consistently with the formal policies. The policies should include the "
"conditions and processes for creating, deleting, disabling, and enabling "
"accounts, and for assigning privileges to the accounts. Periodically review "
"the policies and ensure that configuration is in compliance with approved "
"policies."
msgstr "ロール、グループ、ユーザーを設定する前に、OpenStack に必要なアクセス制御ポリシーをドキュメント化します。ポリシーは組織に対するあらゆる規制や法令の要求事項に沿っているべきです。アクセス制御設定のさらなる変更は公式なポリシーに従って実行されるべきです。ポリシーは、アカウントの作成、削除、無効化、有効化、および権限の割り当てに関する条件とプロセスを含めるべきです。定期的にポリシーをレビューし、設定が承認されたポリシーに従っていることを確認します。"
#: ./doc/security-guide/ch024_authentication.xml61(title)
msgid "Service Authorization"
msgstr "サービス認可"
#: ./doc/security-guide/ch024_authentication.xml62(para)
msgid ""
"As described in the <link href=\"http://docs.openstack.org/admin-guide-"
"cloud/content/index.html\"><citetitle>OpenStack Cloud Administrator "
"Guide</citetitle></link>, cloud administrators must define a user for each "
"service, with a role of Admin. This service user account provides the "
"service with the authorization to authenticate users."
msgstr "<link href=\"http://docs.openstack.org/admin-guide-cloud/content/index.html\"><citetitle>OpenStack Cloud Administrator Guide</citetitle></link> に記載されているとおり、クラウド管理者は各サービスに対して Admin ロールを持つユーザーを定義する必要があります。このサービスユーザーアカウントは、サービスがユーザーを認証するための権限を提供します。"
#: ./doc/security-guide/ch024_authentication.xml63(para)
msgid ""
"The Compute and Object Storage services can be configured to use either the "
"\"tempAuth\" file or Identity Service to store authentication information. "
"The \"tempAuth\" solution MUST NOT be deployed in a production environment "
"since it stores passwords in plain text."
msgstr "Nova と Swift のサービスは認証情報を保存するために \"tempAuth\" ファイルと Identity Service を使用するよう設定できます。\"tempAuth\" ソリューションは、パスワードを平文で保存するため、本番環境で使用してはいけません。"
#: ./doc/security-guide/ch024_authentication.xml64(para)
msgid ""
"The Identity Service supports client authentication for SSL which may be "
"enabled. SSL client authentication provides an additional authentication "
"factor, in addition to the username / password, that provides greater "
"reliability on user identification. It reduces the risk of unauthorized "
"access when usernames and passwords may be compromised.  However, there is "
"additional administrative overhead and cost to issue certificates to users "
"that may not be feasible in every deployment."
msgstr "Identity Service は SSL のクライアント認証を有効化していると、それをサポートします。SSL クライアント認証はユーザー名、パスワードに加えて、ユーザー識別により信頼性を与えるために追加の認証要素を提供します。ユーザー名とパスワードが漏えいした場合に、権限のないアクセスのリスクを減らすことができます。しかしながら、証明書をユーザーに発行する追加の管理作業とコストが発生します。これはすべての環境で実現できるとは限りません。"
#: ./doc/security-guide/ch024_authentication.xml66(para)
msgid ""
"We recommend that you use client authentication with SSL for the "
"authentication of services to the Identity Service."
msgstr ""
#: ./doc/security-guide/ch024_authentication.xml68(para)
msgid ""
"The cloud administrator should protect sensitive configuration files for "
"unauthorized modification. This can be achieved with mandatory access "
"control frameworks such as SELinux, including "
"<literal>/etc/keystone.conf</literal> and X.509 certificates."
msgstr "クラウド管理者は権限のない変更から重要な設定ファイルを保護すべきです。これは SELinux のような強制アクセス制御のフレームワークで実現できます。これらには <literal>/etc/keystone.conf</literal> や X.509 証明書などがあります。"
#: ./doc/security-guide/ch024_authentication.xml70(para)
msgid ""
"For client authentication with SSL, you need to issue certificates. These "
"certificates can be signed by an external authority or by the cloud "
"administrator. OpenStack services by default check the signatures of "
"certificates and connections fail if the signature cannot be checked. If the"
" administrator uses self-signed certificates, the check might need to be "
"disabled. To disable these certificates, set <code>insecure=False</code> in "
"the <code>[filter:authtoken]</code> section in the "
"<filename>/etc/nova/api.paste.ini</filename> file. This setting also "
"disables certificates for other components."
msgstr ""
#: ./doc/security-guide/ch024_authentication.xml84(title)
msgid "Administrative Users"
msgstr "管理ユーザー"
#: ./doc/security-guide/ch024_authentication.xml85(para)
msgid ""
"We recommend that admin users authenticate using Identity Service and an "
"external authentication service that supports 2-factor authentication, such "
"as a certificate.  This reduces the risk from passwords that may be "
"compromised. This recommendation is in compliance with NIST 800-53 IA-2(1) "
"guidance in the use of multifactor authentication for network access to "
"privileged accounts."
msgstr "管理ユーザーは Identity Service や証明書のような 2 要素認証をサポートする外部認証サービスを使用して認証することを推奨します。これにより、パスワード推測によるリスクを減らすことができます。この推奨事項は特権アカウントへのネットワークアクセスに多要素認証を使用するという NIST 800-53 IA-2(1) ガイドに適合しています。"
#: ./doc/security-guide/ch024_authentication.xml88(title)
msgid "End Users"
msgstr "エンドユーザー"
#: ./doc/security-guide/ch024_authentication.xml89(para)
msgid ""
"The Identity Service can directly provide end-user authentication, or can be"
" configured to use external authentication methods to conform to an "
"organization's security policies and requirements."
msgstr "Identity Service は直接エンドユーザー認証を提供できます。または、組織のセキュリティポリシーや要求事項を確認するために外部認証方式を使用するよう設定できます。"
#: ./doc/security-guide/ch024_authentication.xml93(title)
msgid "Policies"
msgstr "ポリシー"
#: ./doc/security-guide/ch024_authentication.xml94(para)
msgid ""
"Each OpenStack service has a policy file in json format, called <emphasis "
"role=\"bold\">policy.json</emphasis>. The policy file specifies rules, and "
"the rule that governs each resource. A resource could be API access, the "
"ability to attach to a volume, or to fire up instances."
msgstr "各 OpenStack サービスは <emphasis role=\"bold\">policy.json</emphasis> という JSON 形式のポリシーファイルを持ちます。ポリシーファイルはルールを指定します。ルールは各リソースを決定します。リソースは API アクセスできます。ボリュームの接続やインスタンスの起動などです。"
#: ./doc/security-guide/ch024_authentication.xml95(para)
msgid ""
"The policies can be updated by the cloud administrator to further control "
"access to the various resources. The middleware could also be further "
"customized. Note that your users must be assigned to groups/roles that you "
"refer to in your policies."
msgstr "さまざまなリソースへのアクセス権をさらに制御するために、クラウド管理者がポリシーを更新できます。ミドルウェアによりさらにカスタマイズすることもできます。そのポリシーを参照しているグループやロールにユーザーを割り当てる必要があることに注意してください。"
#: ./doc/security-guide/ch024_authentication.xml96(para)
msgid "Below is a snippet of the Block Storage service policy.json file."
msgstr "以下は Block Storage Service の policy.json ファイルの抜粋です。"
#: ./doc/security-guide/ch024_authentication.xml115(para)
msgid ""
"Note the <emphasis role=\"bold\">default</emphasis> rule specifies that the "
"user must be either an admin or the owner of the volume. It essentially says"
" only the owner of a volume or the admin may create/delete/update volumes. "
"Certain other operations such as managing volume types are accessible only "
"to admin users."
msgstr "<emphasis role=\"bold\">デフォルト</emphasis>のルールは、ユーザーが管理者であるか、ボリュームの所有者である必要があることを指定しています。つまり、ボリュームの所有者と管理者のみがボリュームを作成、削除、更新できます。ボリューム形式の管理など、他の特定の操作は管理ユーザーのみがアクセス可能です。"
#: ./doc/security-guide/ch024_authentication.xml118(title)
msgid "Tokens"
msgstr "トークン"
#: ./doc/security-guide/ch024_authentication.xml119(para)
msgid ""
"Once a user is authenticated, a token is generated and used internally in "
"OpenStack for authorization and access. The default token <emphasis "
"role=\"bold\">lifespan</emphasis> is<emphasis role=\"bold\"> 24 "
"hours</emphasis>. It is recommended that this value be set lower but caution"
" needs to be taken as some internal services will need sufficient time to "
"complete their work. The cloud may not provide services if tokens expire too"
" early. An example of this would be the time needed by the Compute Service "
"to transfer a disk image onto the hypervisor for local caching."
msgstr "ユーザーが認証されると、トークンが生成され、認可とアクセスのために OpenStack で内部的に使用されます。デフォルトのトークンの<emphasis role=\"bold\">有効期間</emphasis>は <emphasis role=\"bold\">24 時間</emphasis>です。この値はより短く設定することが推奨されますが、いくつかの内部サービスが処理を完了するために十分な時間が必要であるので注意する必要があります。トークンがすぐに失効すると、クラウドがサービスを提供できないかもしれません。これの例は、Compute Service がディスクイメージをハイパーバイザーのローカルキャッシュに転送するために必要な時間です。"
#: ./doc/security-guide/ch024_authentication.xml120(para)
msgid ""
"Below is an example of a PKI token. Note that, in practice, the token id "
"value is very long (e.g., around 3500 bytes), but for brevity we shorten it "
"in this example."
msgstr "以下は PKI トークンの例です。実際は token id の値が非常に長いことに注意してください (例: 約3500バイト)。しかし、読みやすさのため、この例では短くしています。"
#: ./doc/security-guide/ch024_authentication.xml133(para)
msgid ""
"Note that the token is often passed within the structure of a larger context"
" of a Identity Service response. These responses also provide a catalog of "
"the various OpenStack services. Each service is listed with its name, access"
" endpoints for internal, admin, and public access."
msgstr "トークンは Identity Service 応答のより大きなコンテキスト構造の中で渡されることに注意してください。これらの応答はさまざまな OpenStack サービスのカタログも提供しています。各サービスはその名前と、内部、管理、パブリックなアクセス用のエンドポイントを一覧にします。"
#: ./doc/security-guide/ch024_authentication.xml134(para)
msgid ""
"The Identity Service supports token revocation. This manifests as an API to "
"revoke a token, to list revoked tokens and individual OpenStack services "
"that cache tokens to query for the revoked tokens and remove them from their"
" cache and append the same to their list of cached revoked tokens."
msgstr "Identity Service はトークン失効をサポートします。これは、トークンを失効するため、失効済みトークンを一覧表示するために API として宣言されます。また、トークンをキャッシュしている各 OpenStack サービスが失効済みトークンを問い合わせるため、それらのキャッシュから失効済みトークンを削除するため、キャッシュした失効済みトークンの一覧に追加するためにもあります。"
#: ./doc/security-guide/ch024_authentication.xml137(title)
msgid "Future"
msgstr "将来"
#: ./doc/security-guide/ch024_authentication.xml138(para)
msgid ""
"Domains are high-level containers for projects, users and groups. As such, "
"they can be used to centrally manage all Keystone-based identity components."
" With the introduction of account Domains, server, storage and other "
"resources can now be logically grouped into multiple Projects (previously "
"called Tenants) which can themselves be grouped under a master account-like "
"container. In addition, multiple users can be managed within an account "
"Domain and assigned roles that vary for each Project."
msgstr "ドメインはプロジェクト、ユーザー、グループの高いレベルでのコンテナーです。そのように、すべての Ketstone ベースの識別コンポーネントを一元的に管理するために使用されます。アカウントドメインを導入すると、サーバー、ストレージ、他のリソースは複数のプロジェクト (以前はテナントと呼ばれていました) の中で論理的にグループ化できます。これは、アカウントのようなマスターコンテナーの下でグループ化できます。さらに、複数のユーザーがアカウントドメインの中で管理でき、各プロジェクトで変化するロールを割り当てられます。"
#: ./doc/security-guide/ch024_authentication.xml139(para)
msgid ""
"Keystone's V3 API supports multiple domains. Users of different domains may "
"be represented in different authentication backends and even have different "
"attributes that must be mapped to a single set of roles and privileges, that"
" are used in the policy definitions to access the various service resources."
msgstr "Keystone の V3 API はマルチドメインをサポートします。異なるドメインのユーザーは、異なる認証バックエンドで表現され、単一セットのロールと権限にマッピングされる異なる属性を持ちます。これらはさまざまなサービスリソースにアクセスするために、ポリシー定義で使用されます。"
#: ./doc/security-guide/ch024_authentication.xml140(para)
msgid ""
"Where a rule may specify access to only admin users and users belonging to "
"the tenant, the mapping may be trivial. In other scenarios the cloud "
"administrator may need to approve the mapping routines per tenant."
msgstr "ルールにより管理ユーザーとテナントに所属するユーザーのみにアクセス権を設定されるかもしれないため、マッピングはささいなことであるかもしれません。他のシナリオの場合、クラウド管理者がテナントごとのマッピング作業を承認する必要があるかもしれません。"
#: ./doc/security-guide/ch015_case-studies-management.xml9(title)
msgid "Case Studies: Management Interfaces"
msgstr ""
#: ./doc/security-guide/ch015_case-studies-management.xml10(para)
msgid ""
"Previously we discussed typical OpenStack management interfaces and "
"associated backplane issues. We will now approach these issues by returning "
"to our Alice and Bob case study. Specifically, we will look into how both "
"Alice and Bob will address:"
msgstr ""
#: ./doc/security-guide/ch015_case-studies-management.xml16(para)
msgid "Cloud Administration"
msgstr "クラウド管理"
#: ./doc/security-guide/ch015_case-studies-management.xml19(para)
msgid "Self Service"
msgstr "セルフサービス"
#: ./doc/security-guide/ch015_case-studies-management.xml22(para)
msgid "Data Replication &amp; Recovery"
msgstr "データの複製およびリカバリー"
#: ./doc/security-guide/ch015_case-studies-management.xml25(para)
msgid "SLA &amp; Security Monitoring."
msgstr "SLA およびセキュリティの監視"
#: ./doc/security-guide/ch015_case-studies-management.xml30(para)
msgid ""
"When building her private cloud, while air-gapped, Alice still needs to "
"consider her service management interfaces. Before deploying her private "
"cloud, Alice has completed her system documentation. Specifically she has "
"identified which OpenStack services will exist in each security domain. From"
" there Alice has further restricted access to management interfaces by "
"deploying a combination of IDS, SSL encryption, and physical network "
"isolation. Additionally, Alice requires high availability and redundant "
"services. Thus, Alice sets up redundant infrastructure for various OpenStack"
" API services."
msgstr "プライベートクラウドを構築する際、エアギャップはされていますが、アリスはサービス管理インターフェースを検討する必要があります。プライベートクラウドをデプロイする前に、システム文書を書き上げましあ。特に、どの OpenStack サービスが各セキュリティドメインに存在するかを特定しました。そこから、アリスは、IDS、SSL、暗号化、物理的なネットワークの分離を組み合わせてデプロイすることで、管理インターフェースへのアクセスをさらに制限しました。また、高可用性や冗長サービスも必要とするため、様々な OpenStack API サービスに対してインフラストラクチャーの冗長設定を行いました。"
#: ./doc/security-guide/ch015_case-studies-management.xml31(para)
msgid ""
"Alice also needs to provide assurances that the physical servers and "
"hypervisors have been built from a known secure state into a well-defined "
"configuration. To enable this, Alice uses a combination of a Configuration "
"Management platform to configure each machine according to the standards and"
" regulations she must comply with. It will also enable Alice to report "
"periodically on the state of her cloud and perform remediation to a known "
"state should anything be out of the ordinary. Additionally, Alice provides "
"hardware assurances by using a PXE system to build her nodes from a known "
"set of base images. During the boot process, Alice provides further "
"assurances by enabling Intel TXT and related trusted boot technologies "
"provided by the hardware."
msgstr "また、物理サーバーと Hypervisor は既知のセキュアな状態から十分に定義された設定へと確実に構築されるようにする必要があります。これを可能にするには、構成管理プラットフォームを合わせて使用して、準拠する必要のある規格や規定に従い各マシンを設定していきます。また、構成管理プラットフォームは、クラウドの状態を定期的に報告して、通常以外のことが発生した場合に既知の状態に修正することができます。さらに、PXE システムを使用することで、既知のベースイメージからノードを構築してハードウェア保証を提供することができます。ブートプロセス時に、そのハードウェアから提供される Intel TXT や関連の信頼できるブート技術を有効にすることでさらなる保証を確保できます。"
#: ./doc/security-guide/ch015_case-studies-management.xml35(para)
msgid ""
"As a public cloud provider, Bob is concerned with both the continuous "
"availability of management interfaces and the security of transactions to "
"the management interfaces. To that end Bob implements multiple redundant "
"OpenStack API endpoints for the services his cloud will run. Additionally on"
" the public network Bob uses SSL to encrypt all transactions between his "
"customers and his cloud interfaces. To isolate his cloud operations Bob has "
"physically isolated his management, instance migration, and storage "
"networks."
msgstr "パブリッククラウドのプロバイダーとして、ボブは管理インターフェースの継続的な可用性と、管理インターフェースへのトランザクションのセキュリティの両方を考慮しています。このように、ボブは、クラウドが実行するサービスに対して、複数の冗長 OpenStack API エンドポイントを実装します。さらに、パブリックネットワークでは、SSL を使用して、顧客とクラウドインターフェースの間のトランザクションをすべて暗号化します。クラウドの運用を分離するために、ボブは管理、インスタンス移行、ストレージネットワークを物理的に分離しました。"
#: ./doc/security-guide/ch015_case-studies-management.xml36(para)
msgid ""
"To ease scaling and reduce management overhead Bob implements a "
"configuration management system. For customer data assurances, Bob offers a "
"backup as a service product as requirements will vary between customers. "
"Finally, Bob does not provide a \"baremetal\" or the ability to schedule an "
"entire node, so to reduce management overhead and increase operational "
"efficiency Bob does not implement any node boot time security."
msgstr "管理オーバーヘッドのスケーリングや削減を簡単にするため、構成管理システムを実装します。顧客のデータ保証に対しては、顧客ごとに要件が変わるためサービス商品としてバックアップを提供します。最後に、「ベアメタル」やノード全体のスケジュール機能を提供せず、管理オーバーヘッドの削減、運用効率の向上を図るため、ノードのブート時間におけるセキュリティ実装はありません。"
#: ./doc/security-guide/ch018_case-studies-pkissl.xml3(title)
msgid "Case Studies: PKI and Certificate Management"
msgstr ""
#: ./doc/security-guide/ch018_case-studies-pkissl.xml4(para)
msgid ""
"In this case study we discuss how Alice and Bob would address deployment of "
"PKI certification authorities (CA) and certificate management."
msgstr "このケーススタディでは、アリスとボグがPKI認証局(CA)の構築と証明書管理をどのように行うのかについて解説します。"
#: ./doc/security-guide/ch018_case-studies-pkissl.xml7(para)
msgid ""
"Alice as a cloud architect within a government agency knows that her agency "
"operates its own certification authority. Alice contacts the PKI office in "
"her agency that manages her PKI and certificate issuance. Alice obtains "
"certificates issued by this CA and configures the services within both the "
"public and management security domains to use these certificates. Since "
"Alice's OpenStack deployment exists entirely on a disconnected from the "
"Internet network, she makes sure to remove all default CA bundles that "
"contain external public CA providers to ensure the OpenStack services only "
"accept client certificates issued by her agency's CA."
msgstr "アリスは政府機関のクラウドアーキテクトで、彼女の機関が独自のCAを運用している事を知っています。アリスは、彼女のPKIを管理して証明書を発行する職場の PKI オフィスにコンタクトします。アリスはこのCAによって発行された証明書を入手し、これらの証明書を使用するようパブリックと管理セキュリティドメインの両方のサービスを設定します。アリスの OpenStack デプロイが完全にインターネットから独立して存在するので、OpenStack サービスが彼女の組織の CA から発行されたクライアント証明書のみ許可するよう、外部のパブリックな CA プロバイダを含むデフォルトの全 CA バンドルが削除されている事を確認しています。"
#: ./doc/security-guide/ch018_case-studies-pkissl.xml11(para)
msgid ""
"Bob is architecting a public cloud and needs to ensure that the publicly "
"facing OpenStack services are using certificates issued by a major public "
"CA. Bob acquires certificates for his public OpenStack services and "
"configures the services to use PKI and SSL and includes the public CAs in "
"his trust bundle for the services. Additionally, Bob also wants to further "
"isolate the internal communications amongst the services within the "
"management security domain. Bob contacts the team within his organization "
"that is responsible for managing his organizations PKI and issuance of "
"certificates using their own internal CA. Bob obtains certificates issued by"
" this internal CA and configures the services that communicate within the "
"management security domain to use these certificates and configures the "
"services to only accept client certificates issued by his internal CA."
msgstr "ボブはパブリッククラウドのアーキテクトで、インターネットに接続された OpenStack サービスが主要な公的 CA から発行された証明書を確実に使用する必要があります。ボブは彼のパブリックな OpenStack サービス用の証明書を受領し、PKI と SSL を使用するようサービスを設定し、彼のサービス用の信用バンドル中に公的CAが含まれるようにします。更に、ボブはセキュリティ管理ドメイン内でサービス間の内部通信の更なる分断をしたいとも思っています。ボブは、彼の組織中で、内部CAを使用して彼の組織の PKI 管理と証明書の発行を担当しているチームにコンタクトします。ボブはこの内部CAが発行した証明書を入手し、これらの証明書を使用するよう管理セキュリティドメイン中での通信を行うサービスを設定し、内部CAが発行したクライアント証明書のみ許可するようサービスを設定します。"
#. When image changes, this message will be marked fuzzy or untranslated for
#. you.
#. It doesn't matter what you translate it to: it's not used at all.
#: ./doc/security-guide/ch031_neutron-architecture.xml24(None)
#: ./doc/security-guide/ch031_neutron-architecture.xml27(None)
msgid ""
"@@image: 'static/sdn-connections.png'; md5=3fb0f3e2bea0784fea8832526d2b2832"
msgstr "@@image: 'static/sdn-connections.png'; md5=3fb0f3e2bea0784fea8832526d2b2832"
#. When image changes, this message will be marked fuzzy or untranslated for
#. you.
#. It doesn't matter what you translate it to: it's not used at all.
#: ./doc/security-guide/ch031_neutron-architecture.xml36(None)
#: ./doc/security-guide/ch031_neutron-architecture.xml39(None)
msgid ""
"@@image: 'static/1aa-network-domains-diagram.png'; "
"md5=57ae4448b05a3852180f75f3995711b9"
msgstr "@@image: 'static/1aa-network-domains-diagram.png'; md5=57ae4448b05a3852180f75f3995711b9"
#: ./doc/security-guide/ch031_neutron-architecture.xml3(title)
msgid "Networking Architecture"
msgstr "Networking アーキテクチャ"
#: ./doc/security-guide/ch031_neutron-architecture.xml4(para)
msgid ""
"OpenStack Networking is a standalone service that often involves deploying "
"several processes across a number of nodes. These processes interact with "
"each other and with other OpenStack services. The main process of the "
"OpenStack Networking service is neutron-server, a Python daemon that exposes"
" the OpenStack Networking API and passes tenant requests to a suite of "
"plugins for additional processing."
msgstr "OpenStack Networking は多数ード間において幾つかのプロセスのデプロイにしばしば含まれる独立サービスです。OpenStack Networking サービスのメインプロセスは neutron-server で、これは OpenStack Networking API を提供し、追加処理用の適切なプラグインにテナントのリクエストを渡します。"
#: ./doc/security-guide/ch031_neutron-architecture.xml5(para)
msgid "OpenStack Networking components encompasses the following elements:"
msgstr "OpenStack Networking コンポーネントは以下の要素を含みます。"
#: ./doc/security-guide/ch031_neutron-architecture.xml7(para)
msgid ""
"<emphasis role=\"bold\">neutron server</emphasis> (<literal>neutron-"
"server</literal> and <literal>neutron-*-plugin</literal>): This service runs"
" on the network node to service the Networking API and its extensions. It "
"also enforces the network model and IP addressing of each port. The neutron-"
"server and plugin agents require access to a database for persistent storage"
" and access to a message queue for inter-communication."
msgstr "<emphasis role=\"bold\">neutron サーバー</emphasis> (<literal>neutron-server</literal> と <literal>neutron-*-plugin</literal>): このサービスはネットワークード上で実行され、Networking API とその拡張を提供します。これはまた、各ポートのネットワークモデルと IP アドレスを管理します。neutron-server とプラグインエージェントは、永続ストレージ用のデータベースへのアクセスと、内部通信用のメッセージキューへのアクセスを要求します。"
#: ./doc/security-guide/ch031_neutron-architecture.xml10(para)
msgid ""
"<emphasis role=\"bold\">plugin agent</emphasis> "
"(<literal>neutron-*-agent</literal>): Runs on each compute node to manage "
"local virtual switch (vswitch) configuration. The agents to be run will "
"depend on which plugin you are using. This service requires message queue "
"access. <emphasis>Optional depending on plugin.</emphasis>"
msgstr "<emphasis role=\"bold\">プラグインエージェント</emphasis> (<literal>neutron-*-agent</literal>): ローカルの仮想スイッチvswitch設定を管理する為に各 compute ノード上で実行されます。実行するエージェントは、あなたが使用するプラグインに依存するでしょう。このサービスはメッセージキューへのアクセスを必要とします。<emphasis>オプションのプラグインに依存します。</emphasis>"
#: ./doc/security-guide/ch031_neutron-architecture.xml13(para)
msgid ""
"<emphasis role=\"bold\">DHCP agent</emphasis> (<literal>neutron-dhcp-"
"agent</literal>): Provides DHCP services to tenant networks. This agent is "
"the same across all plugins and is responsible for maintaining DHCP "
"configuration. The neutron-dhcp-agent requires message queue access."
msgstr "<emphasis role=\"bold\">DHCP エージェント</emphasis> (<literal>neutron-dhcp-agent</literal>): テナントネットワークに DHCP サービスを提供します。このエージェントは全てのプラグインと同様で、DHCP 設定の管理を担当します。neutron-dhcp-agent はメッセージキューアクセスが必要です。"
#: ./doc/security-guide/ch031_neutron-architecture.xml16(para)
msgid ""
"<emphasis role=\"bold\">l3 agent</emphasis> "
"(<literal>neutron-l3-agent</literal>): Provides L3/NAT forwarding for "
"external network access of VMs on tenant networks. Requires message queue "
"access. <emphasis>Optional depending on plugin.</emphasis>"
msgstr "<emphasis role=\"bold\">L3 エージェント</emphasis> (<literal>neutron-l3-agent</literal>): テナントネットワーク上の VM において外部ネットワーク用 L3/NAT 転送を提供します。メッセージキューが必要です。<emphasis>プラグイン次第では別の物が必要になります。</emphasis>"
#: ./doc/security-guide/ch031_neutron-architecture.xml19(para)
msgid ""
"<emphasis role=\"bold\">network provider services</emphasis> (SDN "
"server/services). Provide additional networking services that are provided "
"to tenant networks. These SDN services may interact with the neutron-server,"
" neutron-plugin, and/or plugin-agents via REST APIs or other communication "
"channels."
msgstr "<emphasis role=\"bold\">ネットワークプロバイダサービス</emphasis> (SDN サーバ/サービス)。テナントネットワークを提供する追加のネットワークサービスを提供します。これらの SDN サービスは REST API 又は他の通信チャネルを介して、neutron-server、neutron-plugin、プラグインエージェントと交信するかも知れません。"
#: ./doc/security-guide/ch031_neutron-architecture.xml22(para)
msgid ""
"The figure that follows provides an architectural and networking flow "
"diagram of the OpenStack Networking components:"
msgstr "次表はOpenStack Networking コンポーネント群の構造・ネットワークフローダイアグラムを示しています。"
#: ./doc/security-guide/ch031_neutron-architecture.xml31(title)
msgid "OS Networking Service placement on Physical Servers"
msgstr "OS ネットワーキングサービスの配置と物理サービス"
#: ./doc/security-guide/ch031_neutron-architecture.xml32(para)
msgid ""
"In this guide, we focus primarily on a standard architecture that includes a"
" <emphasis>cloud controller</emphasis> host, a <emphasis>network</emphasis> "
"host, and a set of <emphasis>compute</emphasis> hypervisors for running VMs."
msgstr "このガイドでは、我々はまず、<emphasis>クラウドコントローラ</emphasis>ホスト1台、<emphasis>ネットワーク</emphasis>ホスト台、VMを実行する<emphasis>compute</emphasis>ハイパーバイザーの集合を含む標準的なアーキテクチャにフォーカスします。"
#: ./doc/security-guide/ch031_neutron-architecture.xml34(title)
msgid "Network Connectivity of Physical Servers"
msgstr "物理サーバのネットワーク接続性"
#: ./doc/security-guide/ch031_neutron-architecture.xml42(para)
msgid ""
"A standard OpenStack Networking setup has up to four distinct physical data "
"center networks:"
msgstr "標準的な OpenStack Networking セットアップは最大4つの物理データセンターネットワークがあります。"
#: ./doc/security-guide/ch031_neutron-architecture.xml44(para)
msgid ""
"<emphasis role=\"bold\">Management network</emphasis> Used for internal "
"communication between OpenStack Components. The IP addresses on this network"
" should be reachable only within the data center and is considered the "
"Management Security Domain."
msgstr "<emphasis role=\"bold\">管理ネットワーク</emphasis> OpenStack コンポーネント間の内部通信に使用されます。このネットワークの IP アドレスはデータセンター内でのみアクセス可能であるべきです。管理セキュリティドメインで検討します。"
#: ./doc/security-guide/ch031_neutron-architecture.xml47(para)
msgid ""
"<emphasis role=\"bold\">Guest network</emphasis> Used for VM data "
"communication within the cloud deployment. The IP addressing requirements of"
" this network depend on the OpenStack Networking plugin in use and the "
"network configuration choices of the virtual networks made by the tenant. "
"This network is considered the Guest Security Domain."
msgstr "<emphasis role=\"bold\">ゲストネットワーク</emphasis> クラウドデプロイ中の VM データ通信に使用されます。このネットワークの IP アドレス要件は、使用中の OpenStack Networking プラグインとテナントにより作成される仮想ネットワークのネットワーク設定の選定に依存します。このネットワークはゲストセキュリティドメインで検討します。"
#: ./doc/security-guide/ch031_neutron-architecture.xml50(para)
msgid ""
"<emphasis role=\"bold\">External network</emphasis> Used to provide VMs with"
" Internet access in some deployment scenarios. The IP addresses on this "
"network should be reachable by anyone on the Internet and is considered to "
"be in the Public Security Domain."
msgstr "<emphasis role=\"bold\">外部ネットワーク</emphasis> 幾つかのデプロイシナリオ中のインターネットアクセスを持つVMを提供する為に使用されます。このネットワーク上の IP アドレスはインターネット上の誰もがアクセス可能です。パブリックセキュリティドメインで検討します。"
#: ./doc/security-guide/ch031_neutron-architecture.xml53(para)
msgid ""
"<emphasis role=\"bold\">API network</emphasis> Exposes all OpenStack APIs, "
"including the OpenStack Networking API, to tenants. The IP addresses on this"
" network should be reachable by anyone on the Internet. This may be the same"
" network as the external network, as it is possible to create a subnet for "
"the external network that uses IP allocation ranges to use only less than "
"the full range of IP addresses in an IP block. This network is considered "
"the Public Security Domain."
msgstr "<emphasis role=\"bold\">API ネットワーク</emphasis> テナントに OpenStack Networking API を含む全 OpenStack API を晒します。このネットワーク上の IP アドレスはインターネット上の誰もがアクセス可能であるべきです。これは外部ネットワークと同じネットワークであっても構いません。外部ネットワーク用に、IP ブロック中の全 IP アドレス範囲より少ない部分を使う為の IP 割当範囲を使用するサブネットを作成する事が出来るからです。このネットワークはパブロックセキュリティドメインで検討します。"
#: ./doc/security-guide/ch031_neutron-architecture.xml56(para)
msgid ""
"For additional information see the <link href=\"http://docs.openstack.org"
"/admin-guide-cloud/content/ch_networking.html\">Networking chapter</link> in"
" the <citetitle>OpenStack Cloud Administrator Guide</citetitle>."
msgstr "更なる情報は、<citetitle>OpenStack Cloud Administrator Guide</citetitle> 中の <link href=\"http://docs.openstack.org/admin-guide-cloud/content/ch_networking.html\">Networking</link> の章を参照して下さい。"
#: ./doc/security-guide/ch047_data-encryption.xml3(title)
msgid "Data Encryption"
msgstr ""
#: ./doc/security-guide/ch047_data-encryption.xml4(para)
msgid ""
"The option exists for implementors to encrypt tenant data wherever it is "
"stored on disk or transported over a network. This is above and beyond the "
"general recommendation that users encrypt their own data before sending it "
"to their provider."
msgstr ""
#: ./doc/security-guide/ch047_data-encryption.xml5(para)
msgid ""
"The importance of encrypting data on behalf of tenants is largely related to"
" the risk assumed by a provider that an attacker could access tenant data. "
"There may be requirements here in government, as well as requirements per-"
"policy, in private contract, or even in case law in regard to private "
"contracts for public cloud providers. It is recommended that a risk "
"assessment and legal consul advised before choosing tenant encryption "
"policies."
msgstr ""
#: ./doc/security-guide/ch047_data-encryption.xml6(para)
msgid ""
"Per-instance or per-object encryption is preferable over, in descending "
"order, over per-project, per-tenant, per-host, and per-cloud aggregations. "
"This recommendation is inverse to the complexity and difficulty of "
"implementation. Presently, in some projects it is difficult or impossible to"
" implement encryption as loosely granular as even per-tenant. We recommend "
"implementors make a best-effort in encrypting tenant data."
msgstr ""
#: ./doc/security-guide/ch047_data-encryption.xml7(para)
msgid ""
"Often, data encryption relates positively to the ability to reliably destroy"
" tenant and per-instance data, simply by throwing away the keys. It should "
"be noted that in doing so, it becomes of great importance to destroy those "
"keys in a reliable and secure manner."
msgstr ""
#: ./doc/security-guide/ch047_data-encryption.xml8(para)
msgid "Opportunities to encrypt data for users are present:"
msgstr ""
#: ./doc/security-guide/ch047_data-encryption.xml10(para)
msgid "Object Storage objects"
msgstr ""
#: ./doc/security-guide/ch047_data-encryption.xml13(para)
msgid "Block Storage volumes &amp; Instance Ephemeral Filesystems"
msgstr ""
#: ./doc/security-guide/ch047_data-encryption.xml16(para)
msgid "Network data"
msgstr ""
#: ./doc/security-guide/ch047_data-encryption.xml20(title)
msgid "Object Storage Objects"
msgstr ""
#: ./doc/security-guide/ch047_data-encryption.xml21(para)
msgid ""
"The ability to encrypt objects in Object Stoarge is presently limited to "
"disk-level encryption per node. However, there does exist third-party "
"extensions and modules for per-object encryption. These modules have been "
"proposed upstream, but have not per this writing been formally accepted. "
"Below are some pointers: "
msgstr ""
#: ./doc/security-guide/ch047_data-encryption.xml22(link)
msgid "https://github.com/Mirantis/swift-encrypt"
msgstr ""
#: ./doc/security-guide/ch047_data-encryption.xml23(link)
msgid ""
"http://www.mirantis.com/blog/on-disk-encryption-prototype-for-openstack-"
"swift/"
msgstr ""
#: ./doc/security-guide/ch047_data-encryption.xml26(title)
msgid "Block Storage Volumes &amp; Instance Ephemeral Filesystems"
msgstr ""
#: ./doc/security-guide/ch047_data-encryption.xml27(para)
msgid ""
"The ability to encrypt volumes depends on the service backends chosen. Some "
"backends may not support this at all."
msgstr ""
#: ./doc/security-guide/ch047_data-encryption.xml28(para)
msgid ""
"As both block storage and compute support LVM backed storage, we can easily "
"provide an example applicable to both systems. In deployments using LVM, "
"encryption may be performed against the backing physical volumes. An "
"encrypted block device would be created using the standard Linux tools, with"
" the LVM physical volume (PV) created on top of the decrypted block device "
"using pvcreate. Then, the vgcreate or vgmodify tool may be used to add the "
"encrypted physical volume to an LVM volume group (VG)."
msgstr ""
#: ./doc/security-guide/ch047_data-encryption.xml29(para)
msgid ""
"A feature aimed for the Havana release provides encryption of the VM's data "
"before it is written to disk. This allows the privacy of data to be "
"maintained while residing on the storage device. The idea is similar to how "
"self-encrypting drives work. This feature presents a normal block storage "
"device to the VM but encrypts the bytes in the virtualization host before "
"writing them to the disk. The block server operates exactly as it does when "
"reading and writing unencrypted blocks, except special handling will be "
"required for Block Storage features such as snapshots and live migration.  "
"Note that this feature uses an independent key manager."
msgstr ""
#: ./doc/security-guide/ch047_data-encryption.xml32(title)
msgid "Network Data"
msgstr ""
#: ./doc/security-guide/ch047_data-encryption.xml33(para)
msgid ""
"Tenant data for compute could be encrypted over IPSec or other tunnels. This"
" is not functionality common or standard in OpenStack, but is an option "
"available to motivated and interested implementors."
msgstr ""
#: ./doc/security-guide/ch047_data-encryption.xml37(para)
msgid ""
"Block storage supports a variety of mechanisms for supplying mountable "
"volumes. It is outside the scope of this guide to specify recommendations "
"for each Block Storage backend driver. For the purpose of performance, many "
"storage protocols are unencrypted. Some protocols such as iSCSI can provide "
"authentication and encrypted sessions, it is our recommendation to enable "
"these features."
msgstr ""
#. When image changes, this message will be marked fuzzy or untranslated for
#. you.
#. It doesn't matter what you translate it to: it's not used at all.
#: ./doc/security-guide/ch005_security-domains.xml24(None)
#: ./doc/security-guide/ch005_security-domains.xml27(None)
msgid ""
"@@image: 'static/untrusted_trusted.png'; "
"md5=a582dac2ad0b3f439fd4b08386853056"
msgstr "@@image: 'static/untrusted_trusted.png'; md5=a582dac2ad0b3f439fd4b08386853056"
#. When image changes, this message will be marked fuzzy or untranslated for
#. you.
#. It doesn't matter what you translate it to: it's not used at all.
#: ./doc/security-guide/ch005_security-domains.xml55(None)
#: ./doc/security-guide/ch005_security-domains.xml58(None)
msgid ""
"@@image: 'static/bridging_security_domains_1.png'; "
"md5=0d5ca26c51882ce3253405e91a597715"
msgstr "@@image: 'static/bridging_security_domains_1.png'; md5=0d5ca26c51882ce3253405e91a597715"
#. When image changes, this message will be marked fuzzy or untranslated for
#. you.
#. It doesn't matter what you translate it to: it's not used at all.
#: ./doc/security-guide/ch005_security-domains.xml63(None)
#: ./doc/security-guide/ch005_security-domains.xml66(None)
msgid ""
"@@image: 'static/bridging_domains_clouduser.png'; "
"md5=17c8a233ee7de17d2f600c7f6f6afe24"
msgstr "@@image: 'static/bridging_domains_clouduser.png'; md5=17c8a233ee7de17d2f600c7f6f6afe24"
#. When image changes, this message will be marked fuzzy or untranslated for
#. you.
#. It doesn't matter what you translate it to: it's not used at all.
#: ./doc/security-guide/ch005_security-domains.xml95(None)
#: ./doc/security-guide/ch005_security-domains.xml98(None)
msgid ""
"@@image: 'static/threat_actors.png'; md5=114c2f9bd9d0319bdd83f9e229d44649"
msgstr "@@image: 'static/threat_actors.png'; md5=114c2f9bd9d0319bdd83f9e229d44649"
#. When image changes, this message will be marked fuzzy or untranslated for
#. you.
#. It doesn't matter what you translate it to: it's not used at all.
#: ./doc/security-guide/ch005_security-domains.xml116(None)
#: ./doc/security-guide/ch005_security-domains.xml119(None)
msgid ""
"@@image: 'static/high-capability.png'; md5=b7ab599c8b40558a52c0ca86aad89741"
msgstr "@@image: 'static/high-capability.png'; md5=b7ab599c8b40558a52c0ca86aad89741"
#: ./doc/security-guide/ch005_security-domains.xml3(title)
msgid "Security Boundaries and Threats"
msgstr "セキュリティ境界と脅威"
#: ./doc/security-guide/ch005_security-domains.xml4(para)
msgid ""
"A cloud can be abstracted as a collection of logical components by virtue of"
" their function, users, and shared security concerns, which we call security"
" domains. Threat actors and vectors are classified based on their motivation"
" and access to resources. Our goal is to provide you a sense of the security"
" concerns with respect to each domain depending on your risk/vulnerability "
"protection objectives."
msgstr "クラウドとは、セキュリティドメインと呼ばれる、機能やユーザー、共有セキュリティの関心事に基づいた論理コンポーネントの集まりであると要約できます。脅威に関するアクターやベクトルは、リソースへのアクセスや動機をベースに分類されます。OpenStack の目標は、リスクや脆弱性保護の目的にあわせてドメインごとにセキュリティの関心事についての判断材料を提供することです。"
#: ./doc/security-guide/ch005_security-domains.xml6(title)
msgid "Security Domains"
msgstr "セキュリティドメイン"
#: ./doc/security-guide/ch005_security-domains.xml7(para)
msgid ""
"A security domain comprises users, applications, servers or networks that "
"share common trust requirements and expectations within a system. Typically "
"they have the same authentication and authorization (AuthN/Z) requirements "
"and users."
msgstr "セキュリティドメインは、システム内の信頼性に関する共通の要件や期待を共有するユーザー、アプリケーション、サーバー、ネットワークのいずれかで構成されています。通常、これらのドメインには、同じ認証と承認 (AuthN/Z) 要件およびユーザーが指定されています。"
#: ./doc/security-guide/ch005_security-domains.xml8(para)
msgid ""
"Although you may desire to break these domains down further (we later "
"discuss where this may be appropriate), we generally refer to four distinct "
"security domains which form the bare minimum that is required to deploy any "
"OpenStack cloud securely. These security domains are:"
msgstr "これらのドメインをさらに分類する場合もありますが (該当箇所で説明)、一般的に OpenStack クラウドをセキュアにデプロイしていく上で最低限必要な部分を構成する、4 つの異なるセキュリティドメインのことを指します。以下に、これらのセキュリティドメインを示しています。"
#: ./doc/security-guide/ch005_security-domains.xml10(para)
#: ./doc/security-guide/ch005_security-domains.xml31(title)
msgid "Public"
msgstr "パブリック"
#: ./doc/security-guide/ch005_security-domains.xml13(para)
#: ./doc/security-guide/ch005_security-domains.xml36(title)
msgid "Guest"
msgstr "ゲスト"
#: ./doc/security-guide/ch005_security-domains.xml16(para)
#: ./doc/security-guide/ch005_security-domains.xml41(title)
msgid "Management"
msgstr "管理"
#: ./doc/security-guide/ch005_security-domains.xml19(para)
#: ./doc/security-guide/ch005_security-domains.xml46(title)
msgid "Data"
msgstr "データ"
#: ./doc/security-guide/ch005_security-domains.xml22(para)
msgid ""
"We selected these security domains because they can be mapped independently "
"or combined to represent the majority of the possible areas of trust within "
"a given OpenStack deployment. For example, some deployment topologies "
"combine both guest and data domains onto one physical network versus others,"
" which have these networks physically separated. In each case, the cloud "
"operator should be aware of the appropriate security concerns. Security "
"domains should be mapped out against your specific OpenStack deployment "
"topology. The domains and their trust requirements depend upon whether the "
"cloud instance is public, private, or hybrid."
msgstr "上記のセキュリティドメインを選択したのは、個別にマッピング可能であること、または組み合わせると指定の OpenStack デプロイメントで存在する可能性のある信頼エリアの大部分を表すことができるためです。例えば、デプロイメントトポロジによっては、物理ネットワーク 1 つ vs 他のネットワークとなるように、ゲストとデータドメインの両方を組みわせて、ネットワークを物理的に分割するものもあります。いずれの場合も、クラウドオペレーターは、適切なセキュリティの関心事を認識する必要があります。これらのドメインや信頼性に関する要件は、クラウドインスタンスがパブリック、プライベート、ハイブリッドのいずれであるかによって変わってきます。"
#: ./doc/security-guide/ch005_security-domains.xml32(para)
msgid ""
"The public security domain is an entirely untrusted area of the cloud "
"infrastructure. It can refer to the Internet as a whole or simply to "
"networks over which you have no authority. Any data that transits this "
"domain with confidentiality or integrity requirements should be protected "
"using compensating controls."
msgstr "パブリックのセキュリティドメインとは、クラウドインフラストラクチャーの中で完全に Untrusted なエリアのことです。インターネット全体を指す場合や、単に権限を持たないネットワークを指す場合があります。機密性や完全性の要件を持つデータがこのドメインを通過する場合には、補完の制御を使用してこのデータを保護する必要があります。"
#: ./doc/security-guide/ch005_security-domains.xml33(para)
msgid ""
"This domain should always be considered <emphasis>untrusted</emphasis>."
msgstr "このドメインは常に、 <emphasis>untrusted</emphasis> であると考えなければなりません。 "
#: ./doc/security-guide/ch005_security-domains.xml37(para)
msgid ""
"Typically used for compute instance-to-instance traffic, the guest security "
"domain handles compute data generated by instances on the cloud but not "
"services that support the operation of the cloud, such as API calls."
msgstr "ゲストのセキュリティドメインは、compute instance-to-instance トラフィックに通常使用されますが、API の呼び出しなどクラウドのオペレーションをサポートするサービスではなく、クラウド上のインスタンスが生成する compute データを処理します。"
#: ./doc/security-guide/ch005_security-domains.xml38(para)
msgid ""
"Public cloud providers and private cloud providers who do not have stringent"
" controls on instance use or who allow unrestricted internet access to VMs "
"should consider this domain to be <emphasis>untrusted</emphasis>. Private "
"cloud providers may want to consider this network as internal and therefore "
"<emphasis>trusted</emphasis> only if they have controls in place to assert "
"that they trust instances and all their tenants."
msgstr "インスタンスの使用に関する厳密な制御がない、または制限なしに仮想マシンへインターネットアクセスが可能なパブリッククラウドのプロバイダーやプライベートクラウドのプロバイダーは、このドメインを <emphasis>untrusted</emphasis> であると見なすべきです。プライベートクライドプロバイダーは、インスタンスおよびすべてのテナントを確実に信頼できるように制御が設定されている場合のみ、このネットワークを内部、つまり <emphasis>trusted</emphasis> であると考えるようにしてください。"
#: ./doc/security-guide/ch005_security-domains.xml42(para)
msgid ""
"The management security domain is where services interact. Sometimes "
"referred to as the \"control plane\", the networks in this domain transport "
"confidential data such as configuration parameters, usernames, and "
"passwords. Command and Control traffic typically resides in this domain, "
"which necessitates strong integrity requirements. Access to this domain "
"should be highly restricted and monitored. At the same time, this domain "
"should still employ all of the security best practices described in this "
"guide."
msgstr "管理セキュリティドメインは、サービスがやりとりをする場所です。このドメインは時に「制御プレーン」と呼ばれることもあり、このドメイン内のネットワークは設定パラメーター、ユーザー名、パスワードなどの機密データをトランスポートします。コマンドや制御トラフィックは通常このドメインに常駐し、完全性に関する強力な要件が必要となります。このドメインへのアクセスについては非常に制限されたものでなくてはならず、さらに監視も必要です。また、このセキュリティドメインでは、本ガイドで記載されているセキュリティのベストプラクティスすべてを採用するようにしてください。"
#: ./doc/security-guide/ch005_security-domains.xml43(para)
msgid ""
"In most deployments this domain is considered <emphasis>trusted</emphasis>. "
"However, when considering an OpenStack deployment, there are many systems "
"that bridge this domain with others, potentially reducing the level of trust"
" you can place on this domain. See <xref linkend=\"ch005_security-domains-"
"idp61360\"/> for more information."
msgstr "多くのデプロイメントでは、この管理セキュリティドメインは <emphasis>trusted</emphasis> と考えられています。しかし、OpenStack のデプロイメントの場合、このドメインと他のものをブリッジするシステムが多数あるため、このドメインの信頼レベルは下がります。詳細は、<xref linkend=\"ch005_security-domains-idp61360\"/>を参照してください。"
#: ./doc/security-guide/ch005_security-domains.xml47(para)
msgid ""
"The data security domain is concerned primarily with information pertaining "
"to the storage services within OpenStack. Much of the data that crosses this"
" network has high integrity and confidentiality requirements and depending "
"on the type of deployment there may also be strong availability "
"requirements."
msgstr "データセキュリティドメインは主に、OpenStack ではストレージサービスの情報に関係します。このネットワークを通過するデータの多くは、完全性や機密性に関する強力な要件を持ち、デプロイメントの種類によっては可用性に関する強力な要件が出てくる場合があります。"
#: ./doc/security-guide/ch005_security-domains.xml48(para)
msgid ""
"The trust level of this network is heavily dependent on deployment decisions"
" and as such we do not assign this any default level of trust."
msgstr "このネットワークの信頼レベルは、デプロイメントの意思決定により左右されるため、デフォルトの信頼レベルは割り当てていません。"
#: ./doc/security-guide/ch005_security-domains.xml52(title)
msgid "Bridging Security Domains"
msgstr "セキュリティドメインのブリッジ"
#: ./doc/security-guide/ch005_security-domains.xml53(para)
msgid ""
"A <emphasis>bridge</emphasis> is a component that exists inside more than "
"one security domain. Any component that bridges security domains with "
"different trust levels or authentication requirements must be carefully "
"configured. These bridges are often the weak points in network architecture."
" A bridge should always be configured to meet the security requirements of "
"the highest trust level of any of the domains it is bridging. In many cases "
"the security controls for bridges should be a primary concern due to the "
"likelihood of attack."
msgstr "<emphasis>ブリッジ</emphasis>とは、複数のセキュリティドメイン内に存在するコンポーネントです。異なる信頼レベルまたは認証要件が指定されたセキュリテイドメイン間をブリッジするコンポーネントは、慎重に設定する必要があります。ネットワークアーキテクチャーの中で、これらのブリッジは弱点となることが多くなっています。常に、ブリッジするドメインの中で最も高い信頼レベルのセキュリティ要件を満たすように、ブリッジを設定するようにしてください。多くの場合、攻撃の可能性の高さから、主にブリッジのセキュリティ制御について考慮する必要があります。"
#: ./doc/security-guide/ch005_security-domains.xml61(para)
msgid ""
"The diagram above shows a compute node bridging the data and management "
"domains, as such the compute node should be configured to meet the security "
"requirements of the management domain. Similarly the API Endpoint in this "
"diagram is bridging the untrusted public domain and the management domain, "
"and should be configured to protect against attacks from the public domain "
"propagating through to the management domain."
msgstr "上記の図は、データドメインと管理ドメインをブリッジする compute ードです。このように、compute ノードは管理ドメインのセキュリティ要件に見合うように設定する必要があります。同様に、この図の API エンドポイントは untrusted であるパブリックドメインと管理ドメインをブリッジしており、パブリックドメインから管理ドメインに伝搬しないように攻撃から保護されるように設定する必要があります。"
#: ./doc/security-guide/ch005_security-domains.xml69(para)
msgid ""
"In some cases deployers may want to consider securing a bridge to a higher "
"standard than any of the domains in which it resides. Given the above "
"example of an API endpoint, an adversary could potentially target the API "
"endpoint from the public domain, leveraging it in the hopes of compromising "
"or gaining access to the management domain."
msgstr "デプロイ担当者は、ブリッジするどのドメインよりも高い基準でブリッジのセキュリティを確保するように考えるようにしてください。API エンドポイントの上記の例では、攻撃者はパブリックドメインから API エンドポイントをターゲットにして、情報漏洩や管理ドメインへアクセス権の獲得を期待しつつこのエンドポイントを利用するのです。"
#: ./doc/security-guide/ch005_security-domains.xml70(para)
msgid ""
"The design of OpenStack is such that separation of security domains is "
"difficult - as core services will usually bridge at least two domains, "
"special consideration must be given when applying security controls to them."
msgstr "OpenStack のデザインではセキュリティドメインの分離が困難です。コアサービスは通常少なくとも 2 つのドメインをブリッジしているため、ドメインのセキュリティ制御を適用する場合、細心の注意を払う必要があります。"
#: ./doc/security-guide/ch005_security-domains.xml73(title)
msgid "Threat Classification, Actors and Attack Vectors"
msgstr "脅威の分類、アクター、攻撃ベクトル"
#: ./doc/security-guide/ch005_security-domains.xml74(para)
msgid ""
"Most types of cloud deployment, public or private, are exposed to some form "
"of attack. In this chapter we categorize attackers and summarize potential "
"types of attacks in each security domain."
msgstr "クラウドデプロイメントの種類の多く (パブリックまたはプライベート) は、なんらかの攻撃にさらされています。本章では、攻撃者を分類して、各セキュリティドメインで考えられる攻撃の種類をまとめていきます。"
#: ./doc/security-guide/ch005_security-domains.xml76(title)
msgid "Threat Actors"
msgstr "脅威のアクター"
#: ./doc/security-guide/ch005_security-domains.xml77(para)
msgid ""
"A threat actor is an abstract way to refer to a class of adversary that you "
"may attempt to defend against. The more capable the actor, the more "
"expensive the security controls that are required for successful attack "
"mitigation and prevention. Security is a tradeoff between cost, usability "
"and defense. In some cases it will not be possible to secure a cloud "
"deployment against all of the threat actors we describe here. Those "
"deploying an OpenStack cloud will have to decide where the balance lies for "
"their deployment / usage."
msgstr "脅威のアクターとは、防御の対象となりえる攻撃者のクラスを抽象的に表したものです。アクターの技術が高くなるにつれ、攻撃の軽減や防止を成功させるために必要なセキュリティ制御にかかるコストが嵩みます。セキュリティはコスト、使いやすさ、防御の間でのトレードオフということになります。ここで記載した脅威のアクターすべてから、クラウドのデプロイメントを保護することはできません。OpenStack クラウドをデプロイする方は、デプロイメントと用途の間でバランスが確保できるポイントを決定する必要が出てきます。"
#: ./doc/security-guide/ch005_security-domains.xml79(para)
msgid ""
"<emphasis role=\"bold\">Intelligence Services</emphasis> — Considered by "
"this guide as the most capable adversary. Intelligence Services and other "
"state actors can bring tremendous resources to bear on a target. They have "
"capabilities beyond that of any other actor. It is very difficult to defend "
"against these actors without incredibly stringent controls in place, both "
"human and technical."
msgstr "<emphasis role=\"bold\">インテリジェンスサービス</emphasis> — このガイドでは最も有能な攻撃者とされています。インテリジェンスサービスやその他の国家主体は、ターゲットに圧力をかけるために莫大なリソースを費やすことができます。他のどのアクターよりも能力があります。人、技術両方の面で非常に厳しい制御がないと、これらのアクターから防御することは極めて困難です。"
#: ./doc/security-guide/ch005_security-domains.xml82(para)
msgid ""
"<emphasis role=\"bold\">Serious Organized Crime</emphasis> — Highly capable "
"and financially driven groups of attackers. Able to fund in-house exploit "
"development and target research. In recent years the rise of organizations "
"such as the Russian Business Network, a massive cyber-criminal enterprise "
"has demonstrated how cyber attacks have become a commodity. Industrial "
"espionage falls within the SOC group."
msgstr "<emphasis role=\"bold\">重大組織犯罪</emphasis> — 極めて有能で金銭で動く攻撃者グループ。エクスポロイト開発やターゲットのリサーチに対する資金を組織内で調達できます。最近、ロシアンビジネスネットワーク (RBN) などの組織が登場し、大規模なサイバー犯罪企業がサイバー攻撃がどのようにして商品として成り立ったかを証明しました。産業スパイ活動は、SOC グループに分類されます。"
#: ./doc/security-guide/ch005_security-domains.xml85(para)
msgid ""
"<emphasis role=\"bold\">Highly Capable Groups</emphasis> — This refers to "
"'Hacktivist' type organizations who are not typically commercially funded "
"but can pose a serious threat to service providers and cloud operators."
msgstr "<emphasis role=\"bold\">非常に有能な組織</emphasis> — これは通常ビジネスから資金を調達しているのではありませんが、サービスプロバイダーやクラウドオペレーターに対して重大な脅威をもたらす可能性のある「ハクティビスト」タイプの組織のことを指します。"
#: ./doc/security-guide/ch005_security-domains.xml88(para)
msgid ""
"<emphasis role=\"bold\">Motivated Individuals</emphasis> — Acting alone, "
"these attackers come in many guises, such as rogue or malicious employees, "
"disaffected customers, or small-scale industrial espionage."
msgstr "<emphasis role=\"bold\">動機のある個人</emphasis> — 一人で行動するこれらの攻撃者は、詐欺師または悪意のある従業員、不満を持った顧客、小規模の産業スパイなど多くのものに扮して攻撃します。"
#: ./doc/security-guide/ch005_security-domains.xml91(para)
msgid ""
"<emphasis role=\"bold\">Script Kiddies</emphasis> — Automated vulnerability "
"scanning/exploitation. Non-targeted attacks. Often only a nuisance, "
"compromise by one of these actors presents a major risk to an organization's"
" reputation."
msgstr "<emphasis role=\"bold\">スクリプトキディ</emphasis> — 自動化された脆弱性のスキャンやエクスプロイト。非標的型の攻撃。単なるいたずらの場合が多く、上記のアクターのいずれかによる情報漏洩により組織の評判に大きなリスクを与えます。"
#: ./doc/security-guide/ch005_security-domains.xml103(title)
msgid "Public / Private Considerations"
msgstr "パブリック/プライベートの考慮点"
#: ./doc/security-guide/ch005_security-domains.xml104(para)
msgid ""
"Private clouds are typically deployed by enterprises or institutions inside "
"their networks and behind their firewalls. Enterprises will have strict "
"policies on what data is allowed to exit their network and may even have "
"different clouds for specific purposes. Users of a private cloud are "
"typically employees of the organization that owns the cloud and are able to "
"be held accountable for their actions. Employees often attend training "
"sessions before accessing the cloud and will likely take part in regular "
"scheduled security awareness training. Public clouds by contrast cannot make"
" any assertions about their users, cloud use-cases or user motivations. This"
" immediately pushes the guest security domain into a completely "
"<emphasis>untrusted</emphasis> state for public cloud providers."
msgstr "通常プライベートクラウドは企業や組織により、内部のネットワークやファイアウォールの内側にデプロイされます。企業は、社内のネットワークから出すことのできるデータが何であるか、厳密な方針が設定されており、特定の目的ごとに別のクラウドを設定する場合さえもあります。プライベートクラウドのユーザーは通常、クラウドを所有して各自の行動に責任を課される組織内の従業員です。このような従業員は、クラウドにアクセスする前にトレーニングセッションに出席することもしばしばあり、定期的に予定されるセキュリティ認識トレーニングに参加する場合も多くあります。反対に、パブリッククラウドはユーザー、クラウドのユースケース、ユーザーの動機を断定することができません。このように、すぐにゲストのセキュリティドメインは、パブリッククラウドプロバイダーにとっては完全に <emphasis>untrusted</emphasis> な状態となります。"
#: ./doc/security-guide/ch005_security-domains.xml105(para)
msgid ""
"A notable difference in the attack surface of public clouds is that they "
"must provide internet access to their services. Instance connectivity, "
"access to files over the internet and the ability to interact with the cloud"
" controlling fabric such as the API endpoints and dashboard are must-haves "
"for the public cloud."
msgstr "パブリッククラウドの攻撃対象領域での顕著な相違点は、サービスに対してインターネットアクセスを提供しなければならない点です。API エンドポイントやダッシュボードなど、インスタンスの接続性、インターネット経由でのファイルアクセス、クラウド制御のファブリックとの対話機能は、パブリッククラウドで必須アイテムなのです。"
#: ./doc/security-guide/ch005_security-domains.xml106(para)
msgid ""
"Privacy concerns for public and private cloud users are typically "
"diametrically opposed. The data generated and stored in private clouds is "
"normally owned by the operator of the cloud, who is able to deploy "
"technologies such as data loss prevention (DLP) protection, file inspection,"
" deep packet inspection and prescriptive firewalling. In contrast, privacy "
"is one of the primary barriers to adoption for the public cloud, as many of "
"these controls do not exist."
msgstr "プライバシーの課題は、パブリッククラウドのユーザーとプライベートクラウドのユーザーとでは全く正反対になっています。プライベートクラウドで生成・格納されているデータは通常、データ損失防止 (DLP)、ファイルの検査、ディープパケットインスペクション (DPI)、規範ファイアウォール (Prescriptive Firewall) などの技術をデプロイ可能なクラウドのオペレーターが所有します。反対に、パブリッククラウドには上記の様な制御の多くが存在しないため、プライバシーは、パブリッククラウドを採用する際の主な障害の 1 つとなっています。"
#: ./doc/security-guide/ch005_security-domains.xml109(title)
msgid "Outbound attacks and reputational risk"
msgstr "アウトバウンド攻撃とレピュテーションリスク"
#: ./doc/security-guide/ch005_security-domains.xml110(para)
msgid ""
"Careful consideration should be given to potential outbound abuse from a "
"cloud deployment.  Whether public or private, clouds tend to have lots of "
"resource available. An attacker who has established a point of presence "
"within the cloud, either through hacking in or via entitled access (rogue "
"employee), can bring these resources to bear against the internet at large. "
"Clouds with compute services make for ideal DDoS and brute force engines. "
"This is perhaps a more pressing issue for public clouds as their users are "
"largely unaccountable, and can quickly spin up numerous disposable instances"
" for outbound attacks.  Major damage can be inflicted upon a company's "
"reputation if it becomes known for hosting malicious software or launching "
"attacks on other networks. Methods of prevention include egress security "
"groups, outbound traffic inspection, customer education and awareness, and "
"fraud and abuse mitigation strategies."
msgstr "クラウドデプロイメントからアウトバウンド方向で起こりえる不正使用に対して、十分な配慮が必要です。パブリックでも、プライベートでも、クラウドは多くのリソースが使用出来る状態になっている傾向にあります。ハッキングや与えられているアクセス権限 (悪意のある従業員) のいずれかによりクラウド内に攻撃ポイントを設定した攻撃者は、これらのリソースにインターネット全体の負荷をかけることができます。コンピュートサービスがあるクラウドは、理想的な DDoS や総当り攻撃エンジンを作り出します。パブリッククラウドのユーザーは多くの場合、責任を負う必要がなく、自由に使用できるインスタンスをすぐにアウトバウンドの攻撃として作り出すことができるため、パブリッククラウドにとっては、この点はより差し迫った課題でしょう。悪意のあるソフトウェアをホストしたり、他のネットワークへ攻撃していたりしたことが判明すると、企業の評判に大きな打撃を与えることでしょう。防止の方法には、egress セキュリティグループ、アウトバウンドトラフィックの検査、顧客の教育・認識、詐欺や悪用軽減戦略などがあります。"
#: ./doc/security-guide/ch005_security-domains.xml113(title)
msgid "Attack Types"
msgstr "攻撃の種類"
#: ./doc/security-guide/ch005_security-domains.xml114(para)
msgid ""
"The diagram shows the types of attacks that may be expected from the actors "
"described in the previous section. Note that there will always be exceptions"
" to this diagram but in general, this describes the sorts of attack that "
"could be typical for each actor."
msgstr "以下の図は、前項で説明したアクターから出される可能性のある攻撃の種類を記載しています。このような図では常に例外が存在しますが、アクター毎に典型的であると考えられる攻撃の種類を一般論として記述しています。"
#: ./doc/security-guide/ch005_security-domains.xml122(para)
msgid ""
"The prescriptive defense for each form of attack is beyond the scope of this"
" document. The above diagram can assist you in making an informed decision "
"about which types of threats, and threat actors, should be protected "
"against. For commercial public cloud deployments this might include "
"prevention against serious crime. For those deploying private clouds for "
"government use, more stringent protective mechanisms should be in place, "
"including carefully protected facilities and supply chains. In contrast "
"those standing up basic development or test environments will likely require"
" less restrictive controls (middle of the spectrum)."
msgstr "攻撃の形式ごとの規範的な防御については、本書の対象範囲外となっています。上記の図は、対策を行うべき脅威の種類、脅威のアクターについて詳細な情報を得た状態で意思決定ができるように支援します。商業的なパブリッククラウドのデプロイに関しては重大な犯罪の防止などが含まれる場合があります。 政府で使用するプライベートクラウドをデプロイする方は、細心の注意を払って設置された対策施設やサプライチェーンなど、より厳密な保護メカニズムを設置する必要があります。反対に、基本的なデプロイメントやテスト環境を設定する方は、制御に関する制約が少なくて済むでしょう。"
#: ./doc/security-guide/ch035_case-studies-networking.xml3(title)
msgid "Case Studies: Networking"
msgstr ""
#: ./doc/security-guide/ch035_case-studies-networking.xml4(para)
msgid ""
"In this case study we discuss how Alice and Bob would address providing "
"networking services to the user."
msgstr ""
#: ./doc/security-guide/ch035_case-studies-networking.xml7(para)
msgid ""
"A key objective of Alice's cloud is to integrate with the existing auth "
"services and security resources. The key design parameters for this private "
"cloud are a limited scope of tenants, networks and workload type. This "
"environment can be designed to limit what available network resources are "
"available to the tenant and what are the various default quotas and security"
" policies are available. The network policy engine can be modified to "
"restrict creation and changes to network resources. In this environment, "
"Alice might want to leverage nova-network in the application of security "
"group polices on a per instance basis vs. Neutron's application of security "
"group polices on a per port basis. L2 isolation in this environment would "
"leverage VLAN tagging. The use of VLAN tags will allow great visibility of "
"tenant traffic by leveraging existing features and tools of the physical "
"infrastructure."
msgstr ""
#: ./doc/security-guide/ch035_case-studies-networking.xml25(para)
msgid ""
"A major business driver for Bob is to provide an advanced networking "
"services to his customers. Bob's customers would like to deploy multi-tiered"
" application stacks. This multi-tiered application are either existing "
"enterprise application or newly deployed applications. Since Bob's public "
"cloud is a multi-tenancy enterprise service, the choice to use for L2 "
"isolation in this environment is to use overlay networking. Another aspect "
"of Bob's cloud is the self-service aspect where the customer can provision "
"available networking services as needed. These networking services encompass"
" L2 networks, L3 Routing, Network <glossterm>ACL</glossterm> and NAT. It is "
"important that per-tenant quota's be implemented in this environment."
msgstr ""
#: ./doc/security-guide/ch035_case-studies-networking.xml38(para)
msgid ""
"An added benefit with utilizing OpenStack Networking is when new advanced "
"networking services become available, these new features can be easily "
"provided to the end customers."
msgstr ""
#: ./doc/security-guide/ch011_management-introduction.xml3(title)
msgid "Management Introduction"
msgstr "管理の概要"
#: ./doc/security-guide/ch011_management-introduction.xml4(para)
msgid ""
"A cloud deployment is a living system. Machines age and fail, software "
"becomes outdated, vulnerabilities are discovered. When errors or omissions "
"are made in configuration, or when software fixes must be applied, these "
"changes must be made in a secure, but convenient, fashion. These changes are"
" typically solved through configuration management."
msgstr "クラウドデプロイメントは生きたシステムです。機械は老朽化して障害が発生し、ソフトウェアは古くなり、脆弱性が発見されます。設定にエラーや抜けがあった場合、ソフトウェアの修正を適用する必要が出た場合、セキュアかつ利便的に、これらの変更を加える必要があります。通常、これらの変更は構成管理などで解決されます。"
#: ./doc/security-guide/ch011_management-introduction.xml5(para)
msgid ""
"Likewise, it is important to protect the cloud deployment from being "
"configured or manipulated by malicious entities. With many systems in a "
"cloud employing compute and networking virtualization, there are distinct "
"challenges applicable to OpenStack which must be addressed through integrity"
" lifecycle management."
msgstr "同様に、悪意のある組織により設定または操作されないように、クラウドデプロイメントを保護することが重要です。コンピュートやネットワークの仮想化を採用するクラウド内の多くのシステムでは、OpenStack に適用される問題が明らかに存在し、整合性のライフサイクル管理で対応していく必要があります。"
#: ./doc/security-guide/ch011_management-introduction.xml6(para)
msgid ""
"Finally, administrators must perform command and control over the cloud for "
"various operational functions. It is important these command and control "
"facilities are understood and secured."
msgstr "最後に、管理者は様々なオペレーション機能に対してクラウド上で指揮統制を行う必要があります。これらの指揮統制機能を理解、確保することが重要です。"
#: ./doc/security-guide/ch049_case-studies-tenant-data.xml3(title)
msgid "Case Studies: Tenant Data"
msgstr ""
#: ./doc/security-guide/ch049_case-studies-tenant-data.xml4(para)
msgid ""
"Returning to Alice and Bob, we will use this section to dive into their "
"particular tenant data privacy requirements. Specifically, we will look into"
" how Alice and Bob both handle tenant data, data destruction, and data "
"encryption."
msgstr ""
#: ./doc/security-guide/ch049_case-studies-tenant-data.xml7(para)
msgid ""
"As stated during the introduction to Alice's case study, data protection is "
"of an extremely high priority. She needs to ensure that a compromise of one "
"tenant's data does not cause loss of other tenant data. She also has strong "
"regulator requirements that require documentation of data destruction "
"activities. Alice does this using the following:"
msgstr ""
#: ./doc/security-guide/ch049_case-studies-tenant-data.xml15(para)
msgid ""
"Establishing procedures to sanitize tenant data when a program or project "
"ends"
msgstr ""
#: ./doc/security-guide/ch049_case-studies-tenant-data.xml16(para)
msgid ""
"Track the destruction of both the tenant data and metadata via ticketing in "
"a CMDB"
msgstr ""
#: ./doc/security-guide/ch049_case-studies-tenant-data.xml17(para)
#: ./doc/security-guide/ch049_case-studies-tenant-data.xml28(para)
msgid "For Volume storage:"
msgstr ""
#: ./doc/security-guide/ch049_case-studies-tenant-data.xml18(para)
#: ./doc/security-guide/ch049_case-studies-tenant-data.xml29(para)
msgid "Physical Server Issues"
msgstr ""
#: ./doc/security-guide/ch049_case-studies-tenant-data.xml19(para)
msgid ""
"To provide secure ephemeral instance storage, Alice implements qcow2 files "
"on an encrypted filesystem."
msgstr ""
#: ./doc/security-guide/ch049_case-studies-tenant-data.xml24(para)
msgid ""
"As stated during the introduction to Bob's case study, tenant privacy is of "
"an extremely high priority. In addition to the requirements and actions Bob "
"will take to isolate tenants from one another at the infrastructure layer, "
"Bob also needs to provide assurances for tenant data privacy. Bob does this "
"using the following:"
msgstr ""
#: ./doc/security-guide/ch049_case-studies-tenant-data.xml26(para)
msgid ""
"Establishing procedures to sanitize customer data when a customer churns"
msgstr ""
#: ./doc/security-guide/ch049_case-studies-tenant-data.xml27(para)
msgid ""
"Track the destruction of both the customer data and metadata via ticketing "
"in a CMDB"
msgstr ""
#: ./doc/security-guide/ch049_case-studies-tenant-data.xml30(para)
msgid ""
"To provide secure ephemeral instance storage, Bob implements qcow2 files on "
"an encrypted filesystems."
msgstr ""
#: ./doc/security-guide/ch053_case-studies-instance-isolation.xml3(title)
msgid "Case Studies: Instance Isolation"
msgstr ""
#: ./doc/security-guide/ch053_case-studies-instance-isolation.xml4(para)
msgid ""
"In this case study we discuss how Alice and Bob would ensure that  their "
"instances are properly isolated. First we consider hypervisor selection, and"
" then techniques for hardening QEMU and applying mandatory access controls."
msgstr ""
#: ./doc/security-guide/ch053_case-studies-instance-isolation.xml7(para)
msgid ""
"Alice chooses Xen for the hypervisor in her cloud due to a strong internal "
"knowledge base and a desire to use the Xen security modules (XSM) for fine-"
"grained policy enforcement."
msgstr ""
#: ./doc/security-guide/ch053_case-studies-instance-isolation.xml8(para)
msgid ""
"Alice is willing to apply a relatively large amount of resources to software"
" packaging and maintenance. She will use these resources to build a highly "
"customized version of QEMU that has many components removed, thereby "
"reducing the attack surface. She will also ensure that all compiler "
"hardening options are enabled for QEMU. Alice accepts that these decisions "
"will increase long-term maintenance costs."
msgstr ""
#: ./doc/security-guide/ch053_case-studies-instance-isolation.xml9(para)
msgid ""
"Alice writes XSM policies (for Xen) and SELinux policies (for Linux domain "
"0, and device domains) to provide stronger isolation between the instances. "
"Alice also uses the Intel TXT support in Xen to measure the hypervisor "
"launch in the TPM."
msgstr ""
#: ./doc/security-guide/ch053_case-studies-instance-isolation.xml13(para)
msgid ""
"Bob is very concerned about instance isolation since the users in a public "
"cloud represent anyone with a credit card, meaning they are inherently "
"untrusted. Bob has just started hiring the team that will deploy the cloud, "
"so he can tailor his candidate search for specific areas of expertise. With "
"this in mind, Bob chooses a hypervisor based on its technical features, "
"certifications, and community support. KVM has an EAL 4+ common criteria "
"rating, with a layered security protection profile (LSPP) to provide added "
"assurance for instance isolation. This, combined with the strong support for"
" KVM within the OpenStack community drives Bob's decision to use KVM."
msgstr ""
#: ./doc/security-guide/ch053_case-studies-instance-isolation.xml14(para)
msgid ""
"Bob weighs the added cost of repackaging QEMU and decides that he cannot "
"commit those resources to the project. Fortunately, his Linux distribution "
"has already enabled the compiler hardening options. So he decides to use "
"this QEMU package. Finally, Bob leverages sVirt to manage the SELinux "
"polices associated with the virtualization stack."
msgstr ""
#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml3(title)
msgid "Networking Services Security Best Practices"
msgstr ""
#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml4(para)
msgid ""
"This section discusses OpenStack Networking configuration best practices as "
"they apply to tenant network security within your OpenStack deployment."
msgstr ""
#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml6(title)
msgid "Tenant Network Services Workflow"
msgstr ""
#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml7(para)
msgid ""
"OpenStack Networking provides users real self services of network resources "
"and configurations. It is important that Cloud Architects and Operators "
"evaluate the their design use cases in providing users the ability to "
"create, update, and destroy available network resources."
msgstr ""
#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml10(title)
msgid "Networking Resource Policy Engine"
msgstr ""
#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml11(para)
msgid ""
"A policy engine and its configuration file, "
"<filename>policy.json</filename>, within OpenStack Networking provides a "
"method to provide finer grained authorization of users on tenant networking "
"methods and objects. It is important that cloud architects and operators "
"evaluate their design and use cases in providing users and tenants the "
"ability to create, update, and destroy available network resources as it has"
" a tangible effect on tenant network availability, network security, and "
"overall OpenStack security. For a more detailed explanation of OpenStack "
"Networking policy definition, please refer to the <link "
"href=\"http://docs.openstack.org/admin-guide-"
"cloud/content/section_auth.html\">Authentication and authorization "
"section</link> in the <citetitle>OpenStack Cloud Administrator "
"Guide</citetitle>."
msgstr ""
#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml25(address)
msgid ""
"It is important to review the default networking resource policy and modify "
"the policy appropriately for your security posture."
msgstr ""
#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml26(para)
msgid ""
"If your deployment of OpenStack provides multiple external access points "
"into different security domains it is important that you limit the tenant's "
"ability to attach multiple vNICs to multiple external access points -- this "
"would bridge these security domains and could lead to unforseen security "
"compromise. It is possible mitigate this risk by utilizing the host "
"aggregates functionality provided by OpenStack Compute or through splitting "
"the tenant VMs into multiple tenant projects with different virtual network "
"configurations."
msgstr ""
#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml29(title)
msgid "Security Groups"
msgstr "セキュリティグループ"
#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml30(para)
msgid ""
"The OpenStack Networking Service provides security group functionality using"
" a mechanism that is more flexible and powerful than the security group "
"capabilities built into OpenStack Compute. Thus, when using OpenStack "
"Networking, <emphasis>nova.conf</emphasis> should always disable built-in "
"security groups and proxy all security group calls to the OpenStack "
"Networking API. Failure to do so will result in conflicting security "
"policies being simultaneously applied by both services. To proxy security "
"groups to OpenStack Networking, use the following configuration values:"
msgstr ""
#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml32(para)
msgid ""
"firewall_driver : must be set to 'nova.virt.firewall.NoopFirewallDriver' so "
"that <systemitem class=\"service\">nova-compute</systemitem> does not "
"perform iptables-based filtering itself."
msgstr ""
#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml35(para)
msgid ""
"security_group_api : must be set to 'neutron' so that all security group "
"requests are proxied to the OpenStack Network Service."
msgstr ""
#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml38(para)
msgid ""
"Security groups and security group rules allow administrators and tenants "
"the ability to specify the type of traffic and direction (ingress/egress) "
"that is allowed to pass through a virtual interface port. A security group "
"is a container for security group rules. When a virtual interface port is "
"created in OpenStack Networking it is associated with a security group. If a"
" security group is not specified, the port will be associated with a "
"'default' security group. By default this group will drop all ingress "
"traffic and allow all egress. Rules can be added to this group in order to "
"change the behaviour."
msgstr ""
#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml39(para)
msgid ""
"When using the security group API through OpenStack Compute, security groups"
" are applied to all virtual interface ports on an instance. The reason for "
"this is that OpenStack Compute security group APIs are instance based and "
"not virtual interface port based as OpenStack Networking."
msgstr ""
#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml42(title)
msgid "Quotas"
msgstr "クォータ"
#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml43(para)
msgid ""
"Quotas provide the ability to limit the number of network resources "
"available to tenants. You can enforce default quotas for all tenants."
msgstr ""
#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml70(para)
msgid ""
"OpenStack Networking also supports per-tenant quotas limit via a quota "
"extension API. To enable per-tenant quotas, you need to set "
"<literal>quota_driver</literal> in <literal>neutron.conf</literal>."
msgstr ""
#. When image changes, this message will be marked fuzzy or untranslated for
#. you.
#. It doesn't matter what you translate it to: it's not used at all.
#: ./doc/security-guide/ch052_devices.xml113(None)
#: ./doc/security-guide/ch052_devices.xml116(None)
msgid ""
"@@image: 'static/sVirt Diagram 1.png'; md5=ffcdbb45d9054670ad4c270a7c7d3925"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml3(title)
msgid "Hardening the Virtualization Layers"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml4(para)
msgid ""
"In the beginning of this chapter we discuss the use of both physical and "
"virtual hardware by instances, the associated security risks, and some "
"recommendations for mitigating those risks. We conclude the chapter with a "
"discussion of sVirt, an open source project for integrating SELinux "
"mandatory access controls with the virtualization components."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml6(title)
msgid "Physical Hardware (PCI Passthrough)"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml7(para)
msgid ""
"Many hypervisors offer a functionality known as PCI passthrough. This allows"
" an instance to have direct access to a piece of hardware on the node. For "
"example, this could be used to allow instances to access video cards "
"offering the compute unified device architecture (CUDA) for high performance"
" computation. This feature carries two types of security risks: direct "
"memory access and hardware infection."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml8(para)
msgid ""
"Direct memory access (DMA) is a feature that permits certain hardware "
"devices to access arbitrary physical memory addresses in the host computer. "
"Often video cards have this capability. However, an instance should not be "
"given arbitrary physical memory access because this would give it full view "
"of both the host system and other instances running on the same node. "
"Hardware vendors use an input/output memory management unit (IOMMU) to "
"manage DMA access in these situations. Therefore, cloud architects should "
"ensure that the hypervisor is configured to utilize this hardware feature."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml10(para)
msgid ""
"KVM: <link href=\"http://www.linux-kvm.org/page"
"/How_to_assign_devices_with_VT-d_in_KVM\">How to assign devices with VT-d in"
" KVM</link>"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml13(para)
msgid "Xen: <link href=\"http://wiki.xen.org/wiki/VTd_HowTo\">VTd Howto</link>"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml17(para)
msgid "The IOMMU feature is marketed as VT-d by Intel and AMD-Vi by AMD."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml19(para)
msgid ""
"A hardware infection occurs when an instance makes a malicious modification "
"to the firmware or some other part of a device. As this device is used by "
"other instances, or even the host OS, the malicious code can spread into "
"these systems. The end result is that one instance can run code outside of "
"its security domain. This is a potential problem in any hardware sharing "
"scenario. The problem is specific to this scenario because it is harder to "
"reset the state of physical hardware than virtual hardware."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml20(para)
msgid ""
"Solutions to the hardware infection problem are domain specific. The "
"strategy is to identify how an instance can modify hardware state then "
"determine how to reset any modifications when the instance is done using the"
" hardware. For example, one option could be to re-flash the firmware after "
"use. Clearly there is a need to balance hardware longevity with security as "
"some firmwares will fail after a large number of writes. TPM technology, "
"described in <literal>link:Management/Node Bootstrapping</literal>, provides"
" a solution for detecting unauthorized firmware changes. Regardless of the "
"strategy selected, it is important to understand the risks associated with "
"this kind of hardware sharing so that they can be properly mitigated for a "
"given deployment scenario."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml21(para)
msgid ""
"Additionally, due to the risk and complexities associated with PCI "
"passthrough, it should be disabled by default. If enabled for a specific "
"need, you will need to have appropriate processes in place to ensure the "
"hardware is clean before re-issue."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml24(title)
msgid "Virtual Hardware (QEMU)"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml25(para)
msgid ""
"When running a virtual machine, virtual hardware is a software layer that "
"provides the hardware interface for the virtual machine. Instances use this "
"functionality to provide network, storage, video, and other devices that may"
" be needed. With this in mind, most instances in your environment will "
"exclusively use virtual hardware, with a minority that will require direct "
"hardware access. The major open source hypervisors use QEMU for this "
"functionality. While QEMU fills an important need for virtualization "
"platforms, it has proven to be a very challenging software project to write "
"and maintain. Much of the functionality in QEMU is implemented with low-"
"level code that is difficult for most developers to comprehend. Furthermore,"
" the hardware virtualized by QEMU includes many legacy devices that have "
"their own set of quirks. Putting all of this together, QEMU has been the "
"source of many security problems, including hypervisor breakout attacks."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml41(para)
msgid ""
"For the reasons stated above, it is important to take proactive steps to "
"harden QEMU. We recommend three specific steps: minimizing the codebase, "
"using compiler hardening, and using mandatory access controls, for example: "
"sVirt, SELinux, or AppArmor."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml43(title)
msgid "Minimizing the Qemu Codebase"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml44(para)
msgid ""
"One classic security principle is to remove any unused components from your "
"system. QEMU provides support for many different virtual hardware devices. "
"However, only a small number of devices are needed for a given instance. "
"Most instances will use the virtio devices. However, some legacy instances "
"will need access to specific hardware, which can be specified using glance "
"metadata:"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml51(para)
msgid ""
"A cloud architect should decide what devices to make available to cloud "
"users. Anything that is not needed should be removed from QEMU. This step "
"requires recompiling QEMU after modifying the options passed to the QEMU "
"configure script. For a complete list of up-to-date options simply run "
"<literal>./configure --help</literal> from within the QEMU source directory."
" Decide what is needed for your deployment, and disable the remaining "
"options."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml54(title)
msgid "Compiler Hardening"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml55(para)
msgid ""
"The next step is to harden QEMU using compiler hardening options. Modern "
"compilers provide a variety of compile time options to improve the security "
"of the resulting binaries. These features, which we will describe in more "
"detail below, include relocation read-only (RELRO), stack canaries, never "
"execute (NX), position independent executable (PIE), and address space "
"layout randomization (ASLR)."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml56(para)
msgid ""
"Many modern linux distributions already build QEMU with compiler hardening "
"enabled, so you may want to verify your existing executable before "
"proceeding with the information below. One tool that can assist you with "
"this verification is called <link "
"href=\"http://www.trapkit.de/tools/checksec.html\"><literal>checksec.sh</literal></link>."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml58(para)
msgid ""
"<emphasis>RELocation Read-Only (RELRO)</emphasis>: Hardens the data sections"
" of an executable. Both full and partial RELRO modes are supported by gcc. "
"For QEMU full RELRO is your best choice. This will make the global offset "
"table read-only and place various internal data sections before the program "
"data section in the resulting executable."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml61(para)
msgid ""
"<emphasis>Stack Canaries</emphasis>: Places values on the stack and verifies"
" their presence to help prevent buffer overflow attacks."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml64(para)
msgid ""
"<emphasis>Never eXecute (NX)</emphasis>: Also known as Data Execution "
"Prevention (DEP), ensures that data sections of the executable can not be "
"executed."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml67(para)
msgid ""
"<emphasis>Position Independent Executable (PIE)</emphasis>: Produces a "
"position independent executable, which is necessary for ASLR.  "
msgstr ""
#: ./doc/security-guide/ch052_devices.xml70(para)
msgid ""
"<emphasis>Address Space Layout Randomization (ASLR)</emphasis> : This "
"ensures that both code and data regions will be randomized. Enabled by the "
"kernel (all modern linux kernels support ASLR), when the executable is built"
" with PIE."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml73(para)
msgid ""
"Putting this all together, and adding in some additional useful protections,"
" we recommend the following compiler options for gcc when compiling QEMU:"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml76(para)
msgid ""
"We recommend testing your QEMU executable file after it is compiled to "
"ensure that the compiler hardening worked properly."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml77(para)
msgid ""
"Most cloud deployments will not want to build software such as QEMU by hand."
" It is better to use packaging to ensure that the process is repeatable and "
"to ensure that the end result can be easily deployed throughout the cloud. "
"The references below provide some additional details on applying compiler "
"hardening options to existing packages."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml79(para)
msgid ""
"DEB packages: <link "
"href=\"http://wiki.debian.org/HardeningWalkthrough\">Hardening "
"Walkthrough</link>"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml82(para)
msgid ""
"RPM packages: <link "
"href=\"http://fedoraproject.org/wiki/How_to_create_an_RPM_package\">How to "
"create an RPM package</link>"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml88(para)
msgid ""
"Compiler hardening makes it more difficult to attack the QEMU process. "
"However, if an attacker does succeed, we would like to limit the impact of "
"the attack. Mandatory access controls accomplish this by restricting the "
"privileges on QEMU process to only what is needed. This can be accomplished "
"using sVirt / SELinux or AppArmor. When using sVirt, SELinux is configured "
"to run every QEMU process under a different security context. AppArmor can "
"be configured to provide similar functionality. We provide more details on "
"sVirt in the instance isolation section below."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml92(title)
msgid "sVirt: SELinux + Virtualization"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml93(para)
msgid ""
"With unique kernel-level architecture and National Security Agency (NSA) "
"developed security mechanisms, KVM provides foundational isolation "
"technologies for multitenancy. With developmental origins dating back to "
"2002, the Secure Virtualization (sVirt) technology is the application of "
"SELinux against modern day virtualization. SELinux, which was designed to "
"apply separation control based upon labels, has been extended to provide "
"isolation between virtual machine processes, devices, data files and system "
"processes acting upon their behalf."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml94(para)
msgid ""
"OpenStack's sVirt implementation aspires to protect hypervisor hosts and "
"virtual machines against two primary threat vectors:"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml96(para)
msgid ""
"<emphasis role=\"bold\">Hypervisor threats</emphasis> A compromised "
"application running within a virtual machine attacks the hypervisor to "
"access underlying resources (e.g. the host OS, applications, or devices "
"within the physical machine). This is a threat vector unique to "
"virtualization and represents considerable risk as the underlying real "
"machine can be compromised due to vulnerability in a single virtual "
"application."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml99(para)
msgid ""
"<emphasis role=\"bold\">Virtual Machine (multi-tenant) threats</emphasis> A "
"compromised application running within a VM attacks the hypervisor to "
"access/control another virtual machine and its resources. This is a threat "
"vector unique to virtualization and represents considerable risk as a "
"multitude of virtual machine file images could be compromised due to "
"vulnerability in a single application. This virtual network attack is a "
"major concern as the administrative techniques for protecting real networks "
"do not directly apply to the virtual environment."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml111(para)
msgid ""
"Each KVM-based virtual machine is a process which is labeled by SELinux, "
"effectively establishing a security boundary around each virtual machine. "
"This security boundary is monitored and enforced by the Linux kernel, "
"restricting the virtual machine's access to resources outside of its "
"boundary such as host machine data files or other VMs."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml119(para)
msgid ""
"As shown above, sVirt isolation is provided regardless of the guest "
"Operating System running inside the virtual machine -- Linux or Windows VMs "
"can be used. Additionally, many Linux distributions provide SELinux within "
"the operating system, allowing the virtual machine to protect internal "
"virtual resources from threats. "
msgstr ""
#: ./doc/security-guide/ch052_devices.xml121(title)
msgid "Labels and Categories"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml122(para)
msgid ""
"KVM-based virtual machine instances are labelled with their own SELinux data"
" type, known as svirt_image_t. Kernel level protections prevent unauthorized"
" system processes, such as malware, from manipulating the virtual machine "
"image files on disk. When virtual machines are powered off, images are "
"stored as svirt_image_t as shown below:"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml128(para)
msgid ""
"The svirt_image_t label uniquely identifies image files on disk, allowing "
"for the SELinux policy to restrict access. When a KVM-based Compute image is"
" powered on, sVirt appends a random numerical identifier to the image. sVirt"
" is technically capable of assigning numerical identifiers to 524,288 "
"virtual machines per hypervisor node, however OpenStack deployments are "
"highly unlikely to encounter this limitation."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml129(para)
msgid "An example of the sVirt category identifier is shown below:"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml135(title)
msgid "Booleans"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml136(para)
msgid ""
"To ease the administrative burden of managing SELinux, many enterprise Linux"
" platforms utilize SELinux Booleans to quickly change the security posture "
"of sVirt."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml137(para)
msgid ""
"Red Hat Enterprise Linux-based KVM deployments utilize the following sVirt "
"booleans:"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml144(emphasis)
msgid "sVirt SELinux Boolean"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml145(emphasis)
msgid " Description"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml148(para)
msgid "virt_use_common"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml149(para)
msgid "Allow virt to use serial/parallel communication ports."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml152(para)
msgid "virt_use_fusefs"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml153(para)
msgid "Allow virt to read FUSE mounted files."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml156(para)
msgid "virt_use_nfs"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml157(para)
msgid "Allow virt to manage NFS mounted files."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml160(para)
msgid "virt_use_samba"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml161(para)
msgid "Allow virt to manage CIFS mounted files."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml164(para)
msgid "virt_use_sanlock"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml165(para)
msgid "Allow confined virtual guests to interact with the sanlock."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml168(para)
msgid "virt_use_sysfs"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml169(para)
msgid "Allow virt to manage device configuration (PCI)."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml172(para)
msgid "virt_use_usb"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml173(para)
msgid "Allow virt to use USB devices."
msgstr ""
#: ./doc/security-guide/ch052_devices.xml176(para)
msgid "virt_use_xserver"
msgstr ""
#: ./doc/security-guide/ch052_devices.xml177(para)
msgid "Allow virtual machine to interact with the X Window System."
msgstr ""
#: ./doc/security-guide/ch020_ssl-everywhere.xml3(title)
msgid "SSL Proxies and HTTP Services"
msgstr "SSLプロキシとHTTPサービス"
#: ./doc/security-guide/ch020_ssl-everywhere.xml4(para)
msgid ""
"OpenStack endpoints are HTTP services providing APIs to both end-users on "
"public networks and to other OpenStack services within the same deployment "
"operating over the management network. It is highly recommended these "
"requests, both those internal and external, operate over SSL."
msgstr "OpenStack エンドポイントはパブリックネットワーク上のエンドユーザと管理ネットワークを介して操作する同じデプロイ中の他 OpenStack サービスとの両方に対して API を提供する HTTP サービスです。これらのリクエスト(内部と外部の両方)を SSL 上で操作する事を強く推奨します。"
#: ./doc/security-guide/ch020_ssl-everywhere.xml5(para)
msgid ""
"In order for API requests to be encrypted by SSL it's necessary to position "
"the API services behind a proxy that will establish and terminate SSL "
"sessions. The following table offers a non-exhaustive list of software "
"services that can proxy SSL traffic for API requests:"
msgstr "API リクエストを SSL で暗号化する為に、APIサービスはSSLセッションを確立・切断するプロキシの後ろに位置する必要があります。下記の表はAPIリクエスト用にSSLトラフィックをプロキシ可能なソフトウェアサービスのあまり厳密でない一覧を示しています。"
#: ./doc/security-guide/ch020_ssl-everywhere.xml7(link)
msgid "Pound"
msgstr "Pound"
#: ./doc/security-guide/ch020_ssl-everywhere.xml10(link)
#: ./doc/security-guide/ch020_ssl-everywhere.xml80(title)
msgid "Stud"
msgstr "Stud"
#: ./doc/security-guide/ch020_ssl-everywhere.xml13(link)
#: ./doc/security-guide/ch020_ssl-everywhere.xml119(title)
msgid "nginx"
msgstr "nginx"
#: ./doc/security-guide/ch020_ssl-everywhere.xml16(link)
msgid "Apache httpd"
msgstr "Apache httpd"
#: ./doc/security-guide/ch020_ssl-everywhere.xml19(para)
msgid "Hardware appliance SSL acceleration proxies"
msgstr "ハードウェアアプライアンス SSLアクセラレーションプロキシ"
#: ./doc/security-guide/ch020_ssl-everywhere.xml22(para)
msgid ""
"It is important to be mindful of the size of requests that will be processed"
" by any chosen SSL proxy."
msgstr "選択したSSLプロキシによって処理されるリクエストのサイズを気にする事は重要です。"
#: ./doc/security-guide/ch020_ssl-everywhere.xml24(title)
msgid "Examples"
msgstr "例"
#: ./doc/security-guide/ch020_ssl-everywhere.xml25(para)
msgid ""
"Below we provide some sample configuration setting for enabling SSL in some "
"of the most popular web servers/SSL terminators with recommended "
"configurations. Note that we have SSL v3 enabled in some of these examples "
"as this will be required in many deployments for client compatibility."
msgstr "以下に、幾つかの主な有名 Web サーバSSL 終端を推奨設定でSSLを有効にする為の幾つかの設定例を示します。クライアント互換性の為に多くのデプロイで必要になる筈なので、幾つかの例ではSSL v3 が有効になっている点に注意して下さい。"
#: ./doc/security-guide/ch020_ssl-everywhere.xml27(title)
msgid "Pound - with AES-NI acceleration"
msgstr "PoundAES-NI アクセラレーション付き)"
#: ./doc/security-guide/ch020_ssl-everywhere.xml81(para)
msgid ""
"This stud example enables SSL v3 for client compatibility.  The ciphers line"
" can be tweaked based on your needs, however this is a reasonable starting "
"place."
msgstr "この Stud の例は、クライアント互換性の為に SSL v3 を有効にしています。ciphers 行は必要に応じていじる事が出来ますが、しかしながらこの例の値は合理的な初期値です。"
#: ./doc/security-guide/ch020_ssl-everywhere.xml120(para)
msgid ""
"This nginx example requires TLS v1.1 or v1.2 for maximum security. The "
"ssl_ciphers line can be tweaked based on your needs, however this is a "
"reasonable starting place."
msgstr "この nginx の例は、セキュリティを最大化する為に TLS v1.1 又は v1.2 を必要とします。ssl_ciphers 行は必要に応じていじる事ができますが、しかしながらこの例の値は合理的な初期値です。"
#: ./doc/security-guide/ch020_ssl-everywhere.xml137(title)
msgid "Apache"
msgstr "Apache"
#: ./doc/security-guide/ch020_ssl-everywhere.xml163(para)
msgid ""
"Compute API SSL endpoint in Apache2, which needs to be paired with a short "
"WSGI script."
msgstr "Apache2 中の Compute API SSL エンドポイント(短い WSGI スクリプトと組み合わせる必要あり)"
#: ./doc/security-guide/ch020_ssl-everywhere.xml188(title)
msgid "HTTP Strict Transport Security"
msgstr "HTTP Strict Transport Security"
#: ./doc/security-guide/ch020_ssl-everywhere.xml189(para)
msgid ""
"We recommend that all production deployments use HSTS. This header prevents "
"browsers from making insecure connections after they have made a single "
"secure one. If you have deployed your HTTP services on a public or an "
"untrusted domain, HSTS is especially important. To enable HSTS, configure "
"your web server to send a header like this with all requests:"
msgstr "全ての製品で HSTS を使用する事を推奨します。このヘッダは、ブラウザが単一のセキュアな接続を確立した後に、セキュアでない接続を確立する事を防止します。パブリック上あるいは信用出来ないドメイン上の HTTP サービスをデプロイした場合、HSTS は特に重要です。HSTS を有効にするためには、全リクエストでこのようなヘッダを送信するよう Web サーバを設定します。"
#: ./doc/security-guide/ch020_ssl-everywhere.xml192(para)
msgid ""
"Start with a short timeout of 1 day during testing, and raise it to one year"
" after testing has shown that you haven't introduced problems for users. "
"Note that once this header is set to a large timeout, it is (by design) very"
" difficult to disable."
msgstr "テストでは1日の短いタイムアウトで始め、テストでユーザに問題が発生しなかった事を確認した後で設定を年まで増やします。一旦このヘッダに大きなタイムアウトを設定してしまうと、無効化する事は(設計上)非常に困難です。"
#: ./doc/security-guide/ch058_forensicsincident-response.xml3(title)
msgid "Forensics and Incident Response"
msgstr ""
#: ./doc/security-guide/ch058_forensicsincident-response.xml4(para)
msgid ""
"A lot of activity goes on within a cloud environment. It is a mix of "
"hardware, operating systems, virtual machine managers, the OpenStack "
"services, cloud-user activity such as creating instances and attaching "
"storage, the network underlying the whole, and finally end-users using the "
"applications running on the various instances."
msgstr ""
#: ./doc/security-guide/ch058_forensicsincident-response.xml5(para)
msgid ""
"The generation and collection of logs is an important component of securely "
"monitoring an OpenStack infrastructure. Logs provide visibility into the "
"day-to-day actions of administrators, tenants, and guests, in addition to "
"the activity in the compute, networking, and storage and other components "
"that comprise your OpenStack deployment."
msgstr ""
#: ./doc/security-guide/ch058_forensicsincident-response.xml6(para)
msgid ""
"The basics of logging: configuration, setting log level, location of the log"
" files, and how to use and customize logs, as well as how to do centralized "
"collections of logs is well covered in the <link "
"href=\"http://docs.openstack.org/ops/\"><citetitle>OpenStack Operations "
"Guide</citetitle></link>."
msgstr ""
#: ./doc/security-guide/ch058_forensicsincident-response.xml7(para)
msgid ""
"Logs are not only valuable for proactive security and continuous compliance "
"activities, but they are also a valuable information  source for "
"investigating and responding to incidents."
msgstr ""
#: ./doc/security-guide/ch058_forensicsincident-response.xml8(para)
msgid ""
"For instance, analyzing the access logs of Identity Service or its "
"replacement authentication system would alert us to failed logins, their "
"frequency, origin IP, whether the events are restricted to select accounts "
"etc. Log analysis supports detection."
msgstr ""
#: ./doc/security-guide/ch058_forensicsincident-response.xml9(para)
msgid ""
"On detection, further action may be to black list an IP, or recommend "
"strengthening user passwords, or even de-activating a user account if it is "
"deemed dormant."
msgstr ""
#: ./doc/security-guide/ch058_forensicsincident-response.xml11(title)
msgid "Monitoring Use Cases"
msgstr ""
#: ./doc/security-guide/ch058_forensicsincident-response.xml12(para)
msgid ""
"Monitoring events is more pro-active and provides real-time detection and "
"response.  There are several tools to aid in monitoring."
msgstr ""
#: ./doc/security-guide/ch058_forensicsincident-response.xml13(para)
msgid ""
"In the case of a OpenStack cloud instance, we need to monitor the hardware, "
"the OpenStack services, and the cloud resource usage. The last stems from "
"wanting to be elastic, to scale to the dynamic needs of the users."
msgstr ""
#: ./doc/security-guide/ch058_forensicsincident-response.xml14(para)
msgid ""
"Here are a few important use cases to consider when implementing log "
"aggregation, analysis and monitoring. These use cases can be implemented and"
" monitored through various commercial and open source tools, homegrown "
"scripts, etc. These tools and scripts can generate events that can then be "
"sent to the administrators through email or integrated dashboard. It is "
"important to consider additional use cases that may apply to your specific "
"network and what you may consider anomalous behavior."
msgstr ""
#: ./doc/security-guide/ch058_forensicsincident-response.xml16(para)
msgid ""
"Detecting the absence of log generation is an event of high value. Such an "
"event would indicate a service failure or even an intruder who has "
"temporarily switched off logging or modified the log level to hide their "
"tracks."
msgstr ""
#: ./doc/security-guide/ch058_forensicsincident-response.xml20(para)
msgid ""
"Application events such as start and/or stop that were unscheduled would "
"also be events to monitor and examine for possible security implications."
msgstr ""
#: ./doc/security-guide/ch058_forensicsincident-response.xml24(para)
msgid ""
"OS events on the OpenStack service machines such as user logins, restarts "
"also provide valuable insight into use/misuse"
msgstr ""
#: ./doc/security-guide/ch058_forensicsincident-response.xml28(para)
msgid ""
"Being able to detect the load on the OpenStack servers also enables "
"responding by way of introducing additional servers for load balancing to "
"ensure high availability."
msgstr ""
#: ./doc/security-guide/ch058_forensicsincident-response.xml32(para)
msgid ""
"Other events that are actionable are networking bridges going down, ip "
"tables being flushed on compute nodes and consequential loss of access to "
"instances resulting in unhappy customers. "
msgstr ""
#: ./doc/security-guide/ch058_forensicsincident-response.xml36(para)
msgid ""
"To reduce security risks from orphan instances on a user/tenant/domain "
"deletion in the Identity service there is discussion to generate "
"notifications in the system and have OpenStack components respond to these "
"events as appropriate such as terminating instances, disconnecting attached "
"volumes, reclaiming CPU and storage resources etc. "
msgstr ""
#: ./doc/security-guide/ch058_forensicsincident-response.xml39(para)
msgid ""
"A cloud will host many virtual instances, and monitoring these instances "
"goes beyond hardware monitoring and log files which may just contain CRUD "
"events."
msgstr ""
#: ./doc/security-guide/ch058_forensicsincident-response.xml40(para)
msgid ""
"Security monitoring controls such as intrusion detection software, antivirus"
" software, and spyware detection and removal utilities can generate logs "
"that show when and how an attack or intrusion took place. Deploying these "
"tools on the cloud machines provides value and protection. Cloud users, "
"those running instances on the cloud may also want to run such tools on "
"their instances."
msgstr ""
#: ./doc/security-guide/ch058_forensicsincident-response.xml44(link)
msgid "http://www.mirantis.com/blog/openstack-monitoring/"
msgstr ""
#: ./doc/security-guide/ch058_forensicsincident-response.xml45(link)
msgid "http://blog.sflow.com/2012/01/host-sflow-distributed-agent.html"
msgstr ""
#: ./doc/security-guide/ch058_forensicsincident-response.xml46(link)
msgid "http://blog.sflow.com/2009/09/lan-and-wan.html"
msgstr ""
#: ./doc/security-guide/ch058_forensicsincident-response.xml47(link)
msgid ""
"http://blog.sflow.com/2013/01/rapidly-detecting-large-flows-sflow-vs.html"
msgstr ""
#. Put one translator per line, in the form of NAME <EMAIL>, YEAR1, YEAR2
#: ./doc/security-guide/ch058_forensicsincident-response.xml0(None)
msgid "translator-credits"
msgstr "Akihiro MOTOKI <amotoki@gmail.com>, 2013\nAkira Yoshiyama <akirayoshiyama@gmail.com>, 2013\nMasanori Itoh <masanori.itoh@gmail.com>, 2013\nmasayukig <masayuki.igawa@gmail.com>, 2013\n*はたらくpokotan* <>, 2013\nTsutomu TAKEKAWA <takekawa@gmail.com>, 2013\ndoki701 <tokidokidokidoki@gmail.com>, 2013\nTomoyuki KATO <tomo@dream.daynight.jp>, 2012-2013\ntmak <t.makabe@gmail.com>, 2013"