diff --git a/security-guide/source/locale/ja/LC_MESSAGES/security-guide.po b/security-guide/source/locale/ja/LC_MESSAGES/security-guide.po index 325dc95b..d5d744e2 100644 --- a/security-guide/source/locale/ja/LC_MESSAGES/security-guide.po +++ b/security-guide/source/locale/ja/LC_MESSAGES/security-guide.po @@ -21,11 +21,11 @@ msgid "" msgstr "" "Project-Id-Version: Security Guide 0.0.1\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2016-03-09 18:34+0000\n" +"POT-Creation-Date: 2016-03-22 09:35+0000\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"PO-Revision-Date: 2016-03-15 12:44+0000\n" +"PO-Revision-Date: 2016-03-23 02:23+0000\n" "Last-Translator: KATO Tomoyuki \n" "Language: ja\n" "Plural-Forms: nplurals=1; plural=0;\n" @@ -181,6 +181,34 @@ msgstr "" "**失敗:** 上のコマンドが、ユーザー所有者とグループ所有者として何も返さない場" "合。keystone 以外のユーザーに設定されている可能性があります。" +msgid "" +"**Fail:** If value of parameter ``CSRF_COOKIE_SECURE`` in ``/etc/openstack-" +"dashboard/local_settings.py`` is set to ``False``." +msgstr "" +"**失敗:** ``/etc/openstack-dashboard/local_settings.py`` の " +"``CSRF_COOKIE_SECURE`` パラメーターが ``False`` に設定されている場合。" + +msgid "" +"**Fail:** If value of parameter ``SESSION_COOKIE_HTTPONLY`` in ``/etc/" +"openstack-dashboard/local_settings.py`` is set to ``False``." +msgstr "" +"**失敗:** ``/etc/openstack-dashboard/local_settings.py`` の " +"``SESSION_COOKIE_HTTPONLY`` パラメーターが ``False`` に設定されている場合。" + +msgid "" +"**Fail:** If value of parameter ``SESSION_COOKIE_SECURE`` in ``/etc/" +"openstack-dashboard/local_settings.py`` is set to ``False``." +msgstr "" +"**失敗:** ``/etc/openstack-dashboard/local_settings.py`` の " +"``SESSION_COOKIE_SECURE`` パラメーターが ``False`` に設定されている場合。" + +msgid "" +"**Fail:** If value of parameter ``USE_SSL`` in ``/etc/openstack-dashboard/" +"local_settings.py`` is set to ``False``." +msgstr "" +"**失敗:** ``/etc/openstack-dashboard/local_settings.py`` の ``USE_SSL`` パラ" +"メーターが ``False`` に設定されている場合。" + msgid "" "**Fail:** If value of parameter ``auth_protocol`` under " "``[keystone_authtoken]`` section in ``/etc/cinder/cinder.conf`` is set to " @@ -261,6 +289,13 @@ msgstr "" "**失敗:** ``manila.conf`` の ``[DEFAULT]`` にある ``cinder_api_insecure`` が " "``True`` に設定されている場合。" +msgid "" +"**Fail:** If value of parameter ``disable_password_reveal`` in ``/etc/" +"openstack-dashboard/local_settings.py`` is set to ``False``." +msgstr "" +"**成功:** ``/etc/openstack-dashboard/local_settings.py`` の " +"``disable_password_reveal`` パラメーターが ``False`` に設定されている場合。" + msgid "" "**Fail:** If value of parameter ``enable`` under ``[eventlet_server_ssl]`` " "section is not set to ``True``." @@ -320,6 +355,13 @@ msgstr "" "``max_request_body_size`` パラメーターの値が ``114688`` に設定されていない場" "合。" +msgid "" +"**Fail:** If value of parameter ``password_autocomplete`` in ``/etc/" +"openstack-dashboard/local_settings.py`` is set to ``on``." +msgstr "" +"**成功:** ``/etc/openstack-dashboard/local_settings.py`` の " +"``password_autocomplete`` パラメーターが ``on`` に設定されている場合。" + msgid "" "**Fail:** If value of parameter ``use_ssl`` under ``[DEFAULT]`` section in " "``/etc/neutron/neutron.conf`` is set to ``False``." @@ -392,6 +434,34 @@ msgstr "" "**成功:** 設定ファイルのユーザーおよびグループ所有者がそれぞれ root と " "horizon に設定されている場合。上のコマンドは root horizon を表示します。" +msgid "" +"**Pass:** If value of parameter ``CSRF_COOKIE_SECURE`` in ``/etc/openstack-" +"dashboard/local_settings.py`` is set to ``True``." +msgstr "" +"**成功:** ``/etc/openstack-dashboard/local_settings.py`` の " +"``CSRF_COOKIE_SECURE`` パラメーターが ``True`` に設定されている場合。" + +msgid "" +"**Pass:** If value of parameter ``SESSION_COOKIE_HTTPONLY`` in ``/etc/" +"openstack-dashboard/local_settings.py`` is set to ``True``." +msgstr "" +"**成功:** ``/etc/openstack-dashboard/local_settings.py`` の " +"``SESSION_COOKIE_HTTPONLY`` パラメーターが ``True`` に設定されている場合。" + +msgid "" +"**Pass:** If value of parameter ``SESSION_COOKIE_SECURE`` in ``/etc/" +"openstack-dashboard/local_settings.py`` is set to ``True``." +msgstr "" +"**成功:** ``/etc/openstack-dashboard/local_settings.py`` の " +"``SESSION_COOKIE_SECURE`` パラメーターが ``True`` に設定されている場合。" + +msgid "" +"**Pass:** If value of parameter ``USE_SSL`` in ``/etc/openstack-dashboard/" +"local_settings.py`` is set to ``True``." +msgstr "" +"**成功:** ``/etc/openstack-dashboard/local_settings.py`` の ``USE_SSL`` パラ" +"メーターが ``True`` に設定されている場合。" + msgid "" "**Pass:** If value of parameter ``auth_protocol`` under " "``[keystone_authtoken]`` section in ``/etc/cinder/cinder.conf`` is set to " @@ -486,6 +556,20 @@ msgstr "" "**成功:** ``manila.conf`` の ``[DEFAULT]`` にある ``cinder_api_insecure`` が " "``False`` に設定されている場合。" +msgid "" +"**Pass:** If value of parameter ``disable_password_reveal`` in ``/etc/" +"openstack-dashboard/local_settings.py`` is set to ``True``." +msgstr "" +"**成功:** ``/etc/openstack-dashboard/local_settings.py`` の " +"``disable_password_reveal`` パラメーターが ``True`` に設定されている場合。" + +msgid "" +"**Pass:** If value of parameter ``enable`` under ``[eventlet_server_ssl]`` " +"section in ``/etc/keystone/keystone.conf`` is set to ``True``." +msgstr "" +"**成功:** ``/etc/keystone/keystone.conf`` の ``[eventlet_server_ssl]`` にあ" +"る ``enable`` パラメーターの値が ``True`` に設定されている場合。" + msgid "" "**Pass:** If value of parameter ``glance_api_insecure`` under ``[DEFAULT]`` " "section in ``/etc/cinder/cinder.conf`` is set to ``False``." @@ -526,6 +610,13 @@ msgstr "" "``max_request_body_size`` パラメーターの値が ``114688`` に設定されている場" "合。" +msgid "" +"**Pass:** If value of parameter ``password_autocomplete`` in ``/etc/" +"openstack-dashboard/local_settings.py`` is set to ``off``." +msgstr "" +"**成功:** ``/etc/openstack-dashboard/local_settings.py`` の " +"``password_autocomplete`` パラメーターが ``off`` に設定されている場合。" + msgid "" "**Pass:** If value of parameter ``use_ssl`` under ``[DEFAULT]`` section in " "``/etc/neutron/neutron.conf`` is set to ``True``." @@ -2269,6 +2360,9 @@ msgstr "Check-Block-05: cinder が TLS を用いて nova と通信していま msgid "Check-Block-06: Does cinder communicate with glance over TLS?" msgstr "Check-Block-06: cinder が TLS を用いて glance と通信していますか?" +msgid "Check-Block-07: Is NAS operating in a secure environment?" +msgstr "Check-Block-07: NAS が安全な環境で運用されていますか?" + msgid "" "Check-Block-08: Is max size for the body of a request set to default " "(114688)?" @@ -2368,6 +2462,12 @@ msgstr "" "Check-Identity-05: ``max_request_body_size`` がデフォルト (114688) に設定され" "ていますか?" +msgid "" +"Check-Identity-06: Disable admin token in ``/etc/keystone/keystone.conf``" +msgstr "" +"Check-Identity-06: ``/etc/keystone/keystone.conf`` において管理トークンを無効" +"化していますか?" + msgid "" "Check-Neutron-01: Is user/group ownership of config files set to root/" "neutron?" @@ -2502,6 +2602,9 @@ msgstr "" msgid "Commercial standards" msgstr "商業規格" +msgid "Common Criteria" +msgstr "Common Criteria" + msgid "" "Common Criteria is an internationally standardized software evaluation " "process, used by governments and commercial companies to validate software " @@ -3673,9 +3776,16 @@ msgstr "最初にセキュア化するもの: ネットワーク" msgid "Flow analysis (through open source or third-party plug-ins)" msgstr "フロー分析 (オープンソースのサードパーティプラグイン使用)" +msgid "For SQL, in ``/etc/keystone/keystone.conf`` , set:" +msgstr "SQL の場合、``/etc/keystone/keystone.conf`` に以下を設定します。" + msgid "For Volume storage:" msgstr "ボリュームストレージ" +msgid "For ``memcached``, in ``/etc/keystone/keystone.conf``, set:" +msgstr "" +"``memcached`` の場合、``/etc/keystone/keystone.conf`` に以下を設定います。" + msgid "For additional configuration information see:" msgstr "追加の設定情報は以下を参照してください。" @@ -4309,6 +4419,13 @@ msgstr "" "あなたにとって多分正しい選択肢ではありません。なぜなら、4095 以上に VLAN タグ" "を拡張する為の複数の「改造」が必要だからです。" +msgid "" +"If you use the HTTP/WSGI server for Identity, you should enable TLS on the " +"HTTP/WSGI server." +msgstr "" +"Identity に HTTP/WSGI サーバーを使用する場合、HTTP/WSGI サーバーにおいて TLS " +"を有効化すべきです。" + msgid "" "If your architecture allows it, we recommend using ``django.contrib.sessions." "backends.cache`` as your session back end with memcache as the cache. " @@ -4376,25 +4493,6 @@ msgstr "Image サービス" msgid "Image service delay delete feature" msgstr "Image service の遅延削除機能" -msgid "" -"Images come from the glance service to the nova service on a node. This " -"transfer should be protected by running over TLS. Once the image is on the " -"node, it is verified with a basic checksum and then it's disk is expanded " -"based on the size of the instance being launched. If, at a later time, the " -"same image is launched with the same instance size on this node, it will be " -"launched from the same expanded image. Since this expanded image is not re-" -"verified before launching, it could be tampered with and the user would not " -"have any way of knowing, beyond a manual inspection of the files in the " -"resulting image." -msgstr "" -"イメージはGlanceサービスからノードのNovaサービスへ供給されます。この転送はTLS" -"によって保護されている必要があります。イメージがノードに転送されたら、一般的" -"なchecksumで検証され、起動するインスタンスのサイズに合わせてディスクが拡張し" -"ます。以降、このノードで同じサイズの同一イメージを起動する場合はこの拡張され" -"たイメージから起動されます。拡張されたイメージは起動前に再検証されないため、" -"改ざんの可能性があります。これでは作成されたイメージのファイルの手動確認以外" -"に確認方法がありません。" - msgid "Implementation and operation of security controls" msgstr "セキュリティーコントロールの導入および運用" @@ -4420,6 +4518,12 @@ msgstr "" "対するハッシュ衝突の可能性を減らし、あるユーザーが別のユーザーのデータを上書" "きすることを防ぐために、これが提供されます。" +msgid "In ``my.cnf``:" +msgstr "``my.cnf`` の場合:" + +msgid "In ``postgresql.conf``:" +msgstr "``postgresql.conf`` の場合:" + msgid "" "In addition to restricting database communications to the management " "network, we also strongly recommend that the cloud administrator configure " @@ -4442,6 +4546,10 @@ msgstr "" msgid "In an OpenStack deployment you will need to address the following:" msgstr "OpenStack デプロイでは、以下の事も実施する必要があるでしょう。" +msgid "" +"In order to select the best supporting software, consider these factors:" +msgstr "以下の要素を考慮して、最適な補助ソフトウェアを選択します。" + msgid "" "In particular, you must assure your end users that the node has been " "properly sanitized of their data prior to re-provisioning. Additionally, " @@ -5820,17 +5928,6 @@ msgstr "" "できないセキュリティ管理方法の選択肢が増えることです。仮想スタック上のクラウ" "ドテナントの情報管理を改善する技術は多数存在します。" -msgid "" -"OpenStack :term:`Compute` service (nova) provides services to support the " -"management of virtual machine instances at scale, instances that host multi-" -"tiered applications, dev/test environments, \"Big Data\" crunching Hadoop " -"clusters, and/or high performance computing." -msgstr "" -"OpenStack :term:`Compute` サービス (Nova) は、多層アプリケーション、開発/テス" -"ト環境、「ビッグデータ」を処理する Hadoop のクラスター、ハイパフォーマンスコ" -"ンピューティングなどをホストする、大規模な仮想マシンインスタンスの管理をサ" -"ポートするサービスを提供します。" - msgid "OpenStack API" msgstr "OpenStack API" @@ -6270,6 +6367,13 @@ msgstr "" "`Barbican developer documentation `__" +msgid "" +"OpenStack.org, Welcome to Sahara!. 2016. `Sahara project documentation " +"`__" +msgstr "" +"OpenStack.org, Welcome to Sahara!. 2016. `Sahara project documentation " +"`__" + msgid "" "Operating system events on the OpenStack service machines such as user " "logins or restarts also provide valuable insight into proper and improper " @@ -7189,6 +7293,9 @@ msgstr "" "プロセスを経験している人に相談するのがベストでしょう。なお、費用は契約の範囲" "と監査法人に大きく依存します。" +msgid "Selecting supporting software" +msgstr "補助ソフトウェアの選択" + msgid "Selection criteria" msgstr "選択基準" @@ -7353,6 +7460,13 @@ msgstr "" "前のチェック (:ref:`check_shared_fs_05`) と同じように、すべてのコンポーネント" "がお互いにセキュアな通信プロトコルで通信することを推奨します。" +msgid "" +"Similar to the previous check, it is recommended not to reveal password " +"fields." +msgstr "" +"前のチェックと同じように、パスワードのフィールドを公開しないことが推奨されま" +"す。" + msgid "" "Similar to the previous check, it is recommended to enable secure " "communication on API server." @@ -8002,27 +8116,6 @@ msgstr "" "Lightweight Directory Access Protocol。IP ネットワーク上の分散ディレクトリー" "情報サービスへのアクセスと管理を行うためのアプリケーションプロトコル。" -msgid "" -"The OpenStack :term:`Block Storage` service (cinder) provides persistent " -"block storage for compute instances. The Block Storage service is " -"responsible for managing the life-cycle of block devices, from the creation " -"and attachment of volumes to instances, to their release." -msgstr "" -"OpenStack :term:`Block Storage` Service (cinder) は、Compute インスタンス用に" -"永続的なブロックストレージを提供します。Block Storage Service はブロックデバ" -"イスの作成からインスタンスへのボリュームの接続、それらの解放にいたるまでのラ" -"イフサイクルを管理する役割を果たします。" - -msgid "" -"The OpenStack :term:`Identity` service (keystone) is a **shared service** " -"that provides authentication and authorization services throughout the " -"entire cloud infrastructure. The Identity service has pluggable support for " -"multiple forms of authentication." -msgstr "" -"OpenStack :term:`Identity` (keystone) は、クラウドインフラストラクチャー全体" -"にわたる認証および承認サービスを提供する**共有サービス**です。Identity には、" -"複数形式の認証に対するプラグ可能なサポートを採用しています。" - msgid "" "The OpenStack :term:`Image service` (glance) provides disk image management " "services. The Image service provides image discovery, registration, and " @@ -8032,47 +8125,6 @@ msgstr "" "供します。Image service は、必要に応じて、イメージの検索、登録、デリバリサー" "ビスを Compute サービスに提供します。" -msgid "" -"The OpenStack :term:`Networking` service (neutron, previously called " -"quantum) provides various networking services to cloud users (tenants) such " -"as IP address management, DNS, DHCP, load balancing, and security groups " -"(network access rules, like firewall policies). It provides a framework for " -"software defined networking (SDN) that allows for pluggable integration with " -"various networking solutions." -msgstr "" -"OpenStack :term:`Networking` (neutron、旧称 quantum) はIP アドレス管理、DNS、" -"DHCP、負荷分散、セキュリティグループ (ファイアウォールのポリシーなど、ネット" -"ワークのアクセスルール) など、さまざまなネットワークサービスをクラウドユー" -"ザー (テナント) に提供します。また、各種ネットワークソリューションとのプラグ" -"可能な統合を可能にするソフトウェア定義ネットワーク(SDN) のフレームワークを提" -"供します。" - -msgid "" -"The OpenStack :term:`Object Storage` service (swift) provides support for " -"storing and retrieving arbitrary data in the cloud. The Object Storage " -"service provides both a native API and an Amazon Web Services S3 compatible " -"API. The service provides a high degree of resiliency through data " -"replication and can handle petabytes of data." -msgstr "" -"OpenStack :term:`Object Storage` Service (swift) は、クラウド内の任意データの" -"保管/取得機能のサポートを提供します。Object Storage Service はネイティブ " -"API および Amazon Web Services S3 互換の API の両方を提供します。このサービス" -"は、データレプリケーションにより高度な回復性を提供し、ペタバイト規模のデータ" -"の処理が可能です。" - -msgid "" -"The OpenStack :term:`dashboard` (horizon) provides a web-based interface for " -"both cloud administrators and cloud tenants. Through this interface " -"administrators and tenants can provision, manage, and monitor cloud " -"resources. Horizon is commonly deployed in a public facing manner with all " -"the usual security concerns of public web portals." -msgstr "" -"OpenStack :term:`dashboard` (Horizon) は、クラウド管理者とクラウドテナントの" -"両方に向けた Web ベースのインターフェースを提供します。このインターフェースに" -"より、管理者およびテナントは、クラウドリソースのプロビジョニング、管理、監視" -"を行うことができます。Horizon は通常、一般i向けにデプロイされ、パブリック " -"Web ポータルの一般的なセキュリティ問題が伴います。" - msgid "" "The OpenStack API is a RESTful web service endpoint to access, provision and " "automate cloud-based resources. Operators and users typically access the API " @@ -8658,6 +8710,13 @@ msgid "" "file:" msgstr "以下の行をシステム全体の MySQL 設定ファイルに追加する必要があります。" +msgid "" +"The following lines should be added in the system-wide PostgreSQL " +"configuration file, ``postgresql.conf``." +msgstr "" +"以下の行をシステム全体の PostgreSQL 設定ファイル ``postgresql.conf`` に追加す" +"る必要があります。" + msgid "" "The following lines should be added to the system-wide RabbitMQ " "configuration file, typically ``/etc/rabbitmq/rabbitmq.config``:" @@ -9545,6 +9604,13 @@ msgstr "" "Personally Identifiable Information (PII)*\" をおすすめします。このガイドは以" "下を保護するプロセスについて述べています。" +msgid "" +"To disable the nova-conductor, place the following into your ``nova.conf`` " +"file (on your compute hosts):" +msgstr "" +"nova-conductor を無効化するために、以下を (コンピュートホストの) ``nova." +"conf`` ファイルに記入します。" + msgid "" "To ease scaling and reduce management overhead Bob implements a " "configuration management system. For customer data assurances, Bob offers a " @@ -9818,16 +9884,6 @@ msgstr "" msgid "Understanding the audit process" msgstr "監査プロセスを理解する" -msgid "" -"Unfortunately, it is not currently possible to force Compute to validate an " -"image hash immediately prior to starting an instance. To understand the " -"situation, we begin with a brief overview of how images are handled around " -"the time of image launch." -msgstr "" -"残念ながら、現在はインスタンス起動直前にコンピュートにイメージのハッシュを検" -"証を強制する方法がありません。状況を理解するために、イメージ起動の際にイメー" -"ジがどのように扱われるのかを簡単に説明します。" - msgid "" "Unfortunately, this solution complicates the task of more fine-grained " "access control and the ability to audit data access. Because the nova-" @@ -10122,18 +10178,6 @@ msgstr "" "デーモンユーザに限定させるようにしてください。こうすることで、メッセージサー" "バ上の許可を与えていない他プロセスやユーザによるアクセスを防ぐことできます。" -msgid "" -"We hope that future versions of Compute and/or the Image service will offer " -"support for validating the image hash before each instance launch. An " -"alternative option that would be even more powerful would be allow users to " -"sign an image and then have the signature validated when the instance is " -"launched." -msgstr "" -"将来的に Compute または Image でインスタンス起動の前にイメージのハッシュを検" -"証する機構を提供することが期待されています。さらに考えられる強力な代替手段は" -"ユーザーにイメージを署名させ、インスタンスの起動前に署名の検証を実行させるこ" -"とです。" - msgid "" "We recommend configuring X.509 client certificates on all the OpenStack " "service nodes for client connections to the messaging queue and where " @@ -10692,6 +10736,17 @@ msgstr "" "応されている問題 (例: 特定の脆弱性) が実際に修正されているかどうかを確認する" "ことです。" +msgid "" +"Your selection of supporting software, such as messaging and load balancing, " +"can have serious security impacts on your cloud. It is important that you " +"make the proper choices for your organization. This section provides some " +"general guidelines for selecting supporting software." +msgstr "" +"メッセージングやロードバランサーなどの補助ソフトウェアの選択により、お使いの" +"クラウド環境に深刻なセキュリティ影響を与える可能性があります。あなたの組織に" +"あった適切な選択を行うことが重要です。このセクションは、補助ソフトウェアの選" +"択に関する一般的なガイドラインをいくつか提供します。" + msgid "ZeroMQ or 0MQ" msgstr "ZeroMQ、または、0MQ" @@ -10766,6 +10821,11 @@ msgstr "" "`Hadoop セキュアモードドキュメント `_" +msgid "" +"`Hardening Walkthrough `__" +msgstr "" +"`Hardening Walkthrough `__" + msgid "`Hive `_" msgstr "`Hive `_" diff --git a/security-guide/source/locale/security-guide.pot b/security-guide/source/locale/security-guide.pot index 59599afd..aec749b3 100644 --- a/security-guide/source/locale/security-guide.pot +++ b/security-guide/source/locale/security-guide.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: Security Guide 0.0.1\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2016-03-10 06:23+0000\n" +"POT-Creation-Date: 2016-03-23 06:42+0000\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -2879,13 +2879,21 @@ msgid "" "must become familiar with these areas:" msgstr "" +# #-#-#-#-# compute.pot (Security Guide 0.0.1) #-#-#-#-# +# #-#-#-#-# introduction.pot (Security Guide 0.0.1) #-#-#-#-# #: ../compute/hypervisor-selection.rst:36 #: ../compute/hypervisor-selection.rst:51 +#: ../introduction/selecting-supporting-software.rst:13 +#: ../introduction/selecting-supporting-software.rst:19 msgid "Team expertise" msgstr "" +# #-#-#-#-# compute.pot (Security Guide 0.0.1) #-#-#-#-# +# #-#-#-#-# introduction.pot (Security Guide 0.0.1) #-#-#-#-# #: ../compute/hypervisor-selection.rst:37 #: ../compute/hypervisor-selection.rst:62 +#: ../introduction/selecting-supporting-software.rst:14 +#: ../introduction/selecting-supporting-software.rst:28 msgid "Product or project maturity" msgstr "" @@ -2899,8 +2907,12 @@ msgstr "" msgid "Certifications and attestations" msgstr "" +# #-#-#-#-# compute.pot (Security Guide 0.0.1) #-#-#-#-# +# #-#-#-#-# introduction.pot (Security Guide 0.0.1) #-#-#-#-# #: ../compute/hypervisor-selection.rst:40 #: ../compute/hypervisor-selection.rst:308 +#: ../introduction/selecting-supporting-software.rst:16 +#: ../introduction/selecting-supporting-software.rst:48 msgid "Hardware concerns" msgstr "" @@ -2941,19 +2953,31 @@ msgid "" "have deployed your cloud:" msgstr "" +# #-#-#-#-# compute.pot (Security Guide 0.0.1) #-#-#-#-# +# #-#-#-#-# introduction.pot (Security Guide 0.0.1) #-#-#-#-# #: ../compute/hypervisor-selection.rst:68 +#: ../introduction/selecting-supporting-software.rst:34 msgid "Availability of expertise" msgstr "" +# #-#-#-#-# compute.pot (Security Guide 0.0.1) #-#-#-#-# +# #-#-#-#-# introduction.pot (Security Guide 0.0.1) #-#-#-#-# #: ../compute/hypervisor-selection.rst:69 +#: ../introduction/selecting-supporting-software.rst:35 msgid "Active developer and user communities" msgstr "" +# #-#-#-#-# compute.pot (Security Guide 0.0.1) #-#-#-#-# +# #-#-#-#-# introduction.pot (Security Guide 0.0.1) #-#-#-#-# #: ../compute/hypervisor-selection.rst:70 +#: ../introduction/selecting-supporting-software.rst:36 msgid "Timeliness and availability of updates" msgstr "" +# #-#-#-#-# compute.pot (Security Guide 0.0.1) #-#-#-#-# +# #-#-#-#-# introduction.pot (Security Guide 0.0.1) #-#-#-#-# #: ../compute/hypervisor-selection.rst:71 +#: ../introduction/selecting-supporting-software.rst:37 msgid "Incidence response" msgstr "" @@ -7341,22 +7365,22 @@ msgid "Trusted images" msgstr "" #: ../instance-management.rst:28 -#: ../instance-management/security-services-for-instances.rst:229 +#: ../instance-management/security-services-for-instances.rst:231 msgid "Instance migrations" msgstr "" #: ../instance-management.rst:29 -#: ../instance-management/security-services-for-instances.rst:315 +#: ../instance-management/security-services-for-instances.rst:317 msgid "Monitoring, alerting, and reporting" msgstr "" #: ../instance-management.rst:30 -#: ../instance-management/security-services-for-instances.rst:343 +#: ../instance-management/security-services-for-instances.rst:345 msgid "Updates and patches" msgstr "" #: ../instance-management.rst:31 -#: ../instance-management/security-services-for-instances.rst:363 +#: ../instance-management/security-services-for-instances.rst:365 msgid "Firewalls and other host-based security controls" msgstr "" @@ -7643,35 +7667,36 @@ msgstr "" #: ../instance-management/security-services-for-instances.rst:207 msgid "" -"Unfortunately, it is not currently possible to force Compute to validate an " -"image hash immediately prior to starting an instance. To understand the " -"situation, we begin with a brief overview of how images are handled around " -"the time of image launch." +"As of the Mitaka release, the Compute service supports instance signature " +"validation just before starting an instance. The following paragraph " +"describes how images are typically handled (without signature validation) " +"when an instance is launched." msgstr "" #: ../instance-management/security-services-for-instances.rst:212 msgid "" -"Images come from the glance service to the nova service on a node. This " +"Images come from the Image service to the Compute service on a node. This " "transfer should be protected by running over TLS. Once the image is on the " -"node, it is verified with a basic checksum and then it's disk is expanded " +"node, it is verified with a basic checksum and then its disk is expanded " "based on the size of the instance being launched. If, at a later time, the " -"same image is launched with the same instance size on this node, it will be " +"same image is launched with the same instance size on this node, it is " "launched from the same expanded image. Since this expanded image is not re-" -"verified before launching, it could be tampered with and the user would not " -"have any way of knowing, beyond a manual inspection of the files in the " -"resulting image." +"verified by default before launching, it is possible that it has undergone " +"tampering. The user would not be aware of tampering, unless a manual " +"inspection of the files is performed in the resulting image." msgstr "" -#: ../instance-management/security-services-for-instances.rst:222 +#: ../instance-management/security-services-for-instances.rst:223 msgid "" -"We hope that future versions of Compute and/or the Image service will offer " -"support for validating the image hash before each instance launch. An " -"alternative option that would be even more powerful would be allow users to " -"sign an image and then have the signature validated when the instance is " -"launched." +"For additional security of images, you can enable instance signature " +"verification by setting the ``verify_glance_signatures`` flag to ``True`` in " +"the ``/etc/nova/nova.conf`` file. When enabled, the Compute service " +"automatically validates the signed instance prior to its launch. For more " +"information, see `Adding Signed Images `_ in the Operations Guide." msgstr "" -#: ../instance-management/security-services-for-instances.rst:231 +#: ../instance-management/security-services-for-instances.rst:233 msgid "" "OpenStack and the underlying virtualization layers provide for the live " "migration of images between OpenStack nodes, allowing you to seamlessly " @@ -7681,31 +7706,31 @@ msgid "" "performed during a live migration:" msgstr "" -#: ../instance-management/security-services-for-instances.rst:239 +#: ../instance-management/security-services-for-instances.rst:241 msgid "Start instance on destination host" msgstr "" -#: ../instance-management/security-services-for-instances.rst:240 +#: ../instance-management/security-services-for-instances.rst:242 msgid "Transfer memory" msgstr "" -#: ../instance-management/security-services-for-instances.rst:241 +#: ../instance-management/security-services-for-instances.rst:243 msgid "Stop the guest and sync disks" msgstr "" -#: ../instance-management/security-services-for-instances.rst:242 +#: ../instance-management/security-services-for-instances.rst:244 msgid "Transfer state" msgstr "" -#: ../instance-management/security-services-for-instances.rst:243 +#: ../instance-management/security-services-for-instances.rst:245 msgid "Start the guest" msgstr "" -#: ../instance-management/security-services-for-instances.rst:246 +#: ../instance-management/security-services-for-instances.rst:248 msgid "Live migration risks" msgstr "" -#: ../instance-management/security-services-for-instances.rst:248 +#: ../instance-management/security-services-for-instances.rst:250 msgid "" "At various stages of the live migration process the contents of an instances " "run time memory and disk are transmitted over the network in plain text. " @@ -7713,65 +7738,65 @@ msgid "" "migration. The following in-exhaustive list details some of these risks:" msgstr "" -#: ../instance-management/security-services-for-instances.rst:254 +#: ../instance-management/security-services-for-instances.rst:256 msgid "" "*Denial of Service (DoS)*: If something fails during the migration process, " "the instance could be lost." msgstr "" -#: ../instance-management/security-services-for-instances.rst:256 +#: ../instance-management/security-services-for-instances.rst:258 msgid "*Data exposure*: Memory or disk transfers must be handled securely." msgstr "" -#: ../instance-management/security-services-for-instances.rst:257 +#: ../instance-management/security-services-for-instances.rst:259 msgid "" "*Data manipulation*: If memory or disk transfers are not handled securely, " "then an attacker could manipulate user data during the migration." msgstr "" -#: ../instance-management/security-services-for-instances.rst:260 +#: ../instance-management/security-services-for-instances.rst:262 msgid "" "*Code injection*: If memory or disk transfers are not handled securely, then " "an attacker could manipulate executables, either on disk or in memory, " "during the migration." msgstr "" -#: ../instance-management/security-services-for-instances.rst:265 +#: ../instance-management/security-services-for-instances.rst:267 msgid "Live migration mitigations" msgstr "" -#: ../instance-management/security-services-for-instances.rst:267 +#: ../instance-management/security-services-for-instances.rst:269 msgid "" "There are several methods to mitigate some of the risk associated with live " "migrations, the following list details some of these:" msgstr "" -#: ../instance-management/security-services-for-instances.rst:270 -#: ../instance-management/security-services-for-instances.rst:275 +#: ../instance-management/security-services-for-instances.rst:272 +#: ../instance-management/security-services-for-instances.rst:277 msgid "Disable live migration" msgstr "" -#: ../instance-management/security-services-for-instances.rst:271 +#: ../instance-management/security-services-for-instances.rst:273 msgid "Isolated migration network" msgstr "" -#: ../instance-management/security-services-for-instances.rst:272 -#: ../instance-management/security-services-for-instances.rst:299 +#: ../instance-management/security-services-for-instances.rst:274 +#: ../instance-management/security-services-for-instances.rst:301 msgid "Encrypted live migration" msgstr "" -#: ../instance-management/security-services-for-instances.rst:277 +#: ../instance-management/security-services-for-instances.rst:279 msgid "" "At this time, live migration is enabled in OpenStack by default. Live " "migrations can be disabled by adding the following lines to the nova " "``policy.json`` file:" msgstr "" -#: ../instance-management/security-services-for-instances.rst:287 +#: ../instance-management/security-services-for-instances.rst:289 msgid "Migration network" msgstr "" -#: ../instance-management/security-services-for-instances.rst:289 +#: ../instance-management/security-services-for-instances.rst:291 msgid "" "As a general practice, live migration traffic should be restricted to the " "management security domain, see :doc:`../introduction/security-boundaries-" @@ -7782,7 +7807,7 @@ msgid "" "network can reduce the risk of exposure." msgstr "" -#: ../instance-management/security-services-for-instances.rst:301 +#: ../instance-management/security-services-for-instances.rst:303 msgid "" "If there is a sufficient business case for keeping live migration enabled, " "then libvirtd can provide encrypted tunnels for the live migrations. " @@ -7792,23 +7817,23 @@ msgid "" "following high-level steps:" msgstr "" -#: ../instance-management/security-services-for-instances.rst:308 +#: ../instance-management/security-services-for-instances.rst:310 msgid "Instance data is copied from the hypervisor to libvirtd." msgstr "" -#: ../instance-management/security-services-for-instances.rst:309 +#: ../instance-management/security-services-for-instances.rst:311 msgid "" "An encrypted tunnel is created between libvirtd processes on both source and " "destination hosts." msgstr "" -#: ../instance-management/security-services-for-instances.rst:311 +#: ../instance-management/security-services-for-instances.rst:313 msgid "" "Destination libvirtd host copies the instances back to an underlying " "hypervisor." msgstr "" -#: ../instance-management/security-services-for-instances.rst:317 +#: ../instance-management/security-services-for-instances.rst:319 msgid "" "As an OpenStack virtual machine is a server image able to be replicated " "across hosts, best practice in logging applies similarly between physical " @@ -7822,14 +7847,14 @@ msgid "" "co/>`_." msgstr "" -#: ../instance-management/security-services-for-instances.rst:329 +#: ../instance-management/security-services-for-instances.rst:331 msgid "" "These logs should be reviewed at a regular cadence such as a live view by a " "network operations center (NOC), or if the environment is not large enough " "to necessitate a NOC, then logs should undergo a regular log review process." msgstr "" -#: ../instance-management/security-services-for-instances.rst:334 +#: ../instance-management/security-services-for-instances.rst:336 msgid "" "Many times interesting events trigger an alert which is sent to a responder " "for action. Frequently this alert takes the form of an email with the " @@ -7839,7 +7864,7 @@ msgid "" "www.zabbix.com>`_." msgstr "" -#: ../instance-management/security-services-for-instances.rst:345 +#: ../instance-management/security-services-for-instances.rst:347 msgid "" "A hypervisor runs independent virtual machines. This hypervisor can run in " "an operating system or directly on the hardware (called baremetal). Updates " @@ -7849,7 +7874,7 @@ msgid "" "Debian virtual machines." msgstr "" -#: ../instance-management/security-services-for-instances.rst:353 +#: ../instance-management/security-services-for-instances.rst:355 msgid "" "Therefore, we recommend that clear ownership of virtual machines be " "assigned, and that those owners be responsible for the hardening, " @@ -7860,7 +7885,7 @@ msgid "" "patch." msgstr "" -#: ../instance-management/security-services-for-instances.rst:365 +#: ../instance-management/security-services-for-instances.rst:367 msgid "" "Most common operating systems include host-based firewalls for additional " "security. While we recommend that virtual machines run as few applications " @@ -7875,7 +7900,7 @@ msgid "" "denied in the firewall configuration." msgstr "" -#: ../instance-management/security-services-for-instances.rst:379 +#: ../instance-management/security-services-for-instances.rst:381 msgid "" "On Linux virtual machines, the application profile above can be used in " "conjunction with a tool like `audit2allow `_ is an " +"internationally standardized software evaluation process, used by " +"governments and commercial companies to validate that software technologies " +"perform as advertised." +msgstr "" + +#: ../introduction/selecting-supporting-software.rst:50 +msgid "" +"Consider the supportability of the hardware on which the software will run. " +"Additionally, consider the additional features available in the hardware and " +"how those features are supported by the software you choose." +msgstr "" + #: ../introduction/why-and-how-we-wrote-this-book.rst:3 msgid "Why and how we wrote this book" msgstr ""