TripleO Security Hardening
Over this Ocata cycle I have been working on the automation of security hardening in the TripleO OpenStack Installer and various openstack puppet-modules. The desired outcome of this work is to assist operators in meeting the various compliance standards that exist in the private and public sectors of IT security, using an automated approach.
This blog post will be a round-up of the patches merged into Ocata. I will try to follow up soon with a post on plans for the next cycle, Pike.
Note that this is not an exhaustive list of all hardening checks within OpenStack and Linux; the following are patches to amend values not already set “out of the box” as part of an overcloud deployment.
Various values have been set to the secure default in Horizon.
Enforce Password Check
Setting ENFORCE_PASSWORD_CHECK to True within Horizon's local_settings.py displays an ‘Admin Password’ field on the “Change Password” form, to verify that it is the logged-in admin who wants to perform the password change, and not an opportunist who has found their workstation.
The ENFORCE_PASSWORD_CHECK value can now be toggled via puppet, as seen in the following commit to puppet-horizon.
Within TripleO Heat templates, we populate the hiera data fed to puppet-horizon with a True boolean.
By utilising TripleO Heat templates, it then becomes possible to toggle this value to false (should someone have a reason to do that) using an environment file that passes in a value of false.
Disallow Iframe Embed
DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded within an iframe. Legacy browsers are still vulnerable to a Cross-Frame Scripting (XFS) vulnerability, so this option allows extra security hardening where iframes are not used in the deployment.
In much the same way as with the previous patch, the value is now manageable in puppet-horizon, with a secure default set within TripleO.
Disable Password Reveal
Horizon provides a password validation check, which OpenStack cloud operators can use to enforce password complexity checks for users within horizon.
A dictionary containing a regular expression can be used for password validation with help text that is displayed if the password does not pass validation.
This is harnessed using a regex field in Horizon's local_settings.py.
An environment file can be passed to the deploy command:
openstack overcloud deploy --templates -e password_validation.yaml
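As an added example (not code from the post, from Horizon or from TripleO), the following Python shows how the regular expression in the password validator actually behaves. Horizon's password form is a Django RegexField, and Django's RegexValidator applies re.search, so a pattern that is not anchored with ^ and $ accepts any value that merely contains a match. The parameter names HorizonPasswordValidator and HorizonPasswordValidatorHelp used to render the environment file, and the sample policy regex, are assumptions.

```python
import json
import re

# Constructed sample policy (not from the post): at least 12 characters with
# upper case, lower case, a digit and a symbol. Anchored with ^ and $ so that
# the whole password is tested, not just a substring of it.
PASSWORD_REGEX = r"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[^A-Za-z\d]).{12,}$"
HELP_TEXT = ("Password must be at least 12 characters and contain upper and "
             "lower case letters, a digit and a symbol.")


def validate_password(password, regex=PASSWORD_REGEX, help_text=HELP_TEXT):
    """Return (ok, message) the way Django's RegexValidator decides it:
    re.search, so the pattern is responsible for anchoring itself."""
    if re.search(regex, password):
        return True, ""
    return False, help_text


def pattern_is_anchored(regex):
    r"""Cheap lint for an operator-supplied pattern: without ^...$ a
    policy such as r'[A-Z][a-z]+\d+' passes 'xx Ab1 xx'."""
    return regex.startswith("^") and regex.endswith("$")


def render_environment_file(regex=PASSWORD_REGEX, help_text=HELP_TEXT):
    """Render the Heat environment file the post deploys with
    '-e password_validation.yaml'. The two parameter names are assumed,
    not taken from the post. json.dumps gives a YAML-safe quoted scalar
    with the regex backslashes escaped."""
    return (
        "parameter_defaults:\n"
        "  HorizonPasswordValidator: %s\n"
        "  HorizonPasswordValidatorHelp: %s\n"
        % (json.dumps(regex), json.dumps(help_text))
    )


if __name__ == "__main__":
    for candidate in ("CorrectHorse1!battery", "short1!A", "alllowercase123!!"):
        print(candidate, validate_password(candidate))
    print(render_environment_file())
```

The lookaheads carry the complexity requirements and the trailing `.{12,}$` the length; dropping the anchors would let the same policy be satisfied by a matching substring inside an otherwise arbitrary value.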
Secure Proxy SSL Header Option
SECURE_PROXY_SSL_HEADER is used to tell Horizon (Django) to take into account the X-Forwarded-Proto header. It is disabled by default, as it should only be enabled if one is running Horizon behind a proxy.
- Note that the SECURE_PROXY_SSL_HEADER patch was part of the TLS Everywhere work driven by Juan Antonio Osorio.
OS Based Changes
Having a system capable of recording all audit events is key for troubleshooting and performing analysis of the events that led to a certain outcome. Red Hat Enterprise Linux already has a complete audit system which is capable of logging many events, such as someone changing the system time, or changes to Mandatory / Discretionary Access Control.
Rules can be entered as follows, and injected into
The auditd service will also be verified as running.
A full example of audit rules that can be set using TripleO can be found here.
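As an added example (not the post's rules and not TripleO's own code), the following Python parses a constructed audit.rules fragment and checks it against a small required baseline: which syscalls are audited per architecture, which paths are watched, and whether every rule carries a -k key so that the events can later be found with ausearch -k. The sample rules and the baseline are constructed for illustration.

```python
import re
import shlex

# Constructed sample rule set in audit.rules(7) syntax; not the post's rules.
SAMPLE_RULES = """\
## Record attempts to alter the system time
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules
-w /etc/localtime -p wa -k audit_time_rules
## Record changes to Mandatory Access Control policy
-w /etc/selinux/ -p wa -k MAC-policy
## Watch without a key: findable only by path, flagged below
-w /etc/sudoers -p wa
"""

# Constructed baseline: what a compliance check might demand.
REQUIRED_SYSCALLS = {"adjtimex", "settimeofday", "clock_settime"}
REQUIRED_WATCHES = {"/etc/localtime", "/etc/selinux/"}

FIELD_RE = re.compile(r"(!=|>=|<=|&=|=|>|<|&)")
CONTROL_OPTS = {"-D", "-b", "-e", "-f", "-i", "-c", "-r"}


def parse_rule(line):
    """Parse one audit.rules line. Returns None for blanks and comments,
    {'control': ...} for daemon control lines, else a dict describing
    the rule (action/list, arch, syscalls, watch path, permissions, key)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    toks = shlex.split(line)
    if toks[0] in CONTROL_OPTS:
        return {"control": line}
    rule = {"raw": line, "action": None, "list": None, "arch": None,
            "syscalls": set(), "watch": None, "perms": None, "key": None,
            "fields": {}}
    i = 0
    while i < len(toks):
        opt = toks[i]
        if i + 1 >= len(toks):
            raise ValueError("option %s needs an argument: %s" % (opt, line))
        arg = toks[i + 1]
        if opt == "-a":
            rule["action"], rule["list"] = arg.split(",", 1)
        elif opt == "-S":
            rule["syscalls"].update(arg.split(","))
        elif opt == "-F":
            name, op, value = FIELD_RE.split(arg, maxsplit=1)
            rule["fields"][name] = (op, value)
            if name == "arch":
                rule["arch"] = value
        elif opt == "-w":
            rule["watch"] = arg
        elif opt == "-p":
            rule["perms"] = arg
        elif opt == "-k":
            rule["key"] = arg
        else:
            raise ValueError("unsupported option %s: %s" % (opt, line))
        i += 2
    return rule


def check_rules(text, required_syscalls=REQUIRED_SYSCALLS,
                required_watches=REQUIRED_WATCHES):
    """Return a list of human-readable findings; an empty list is compliant."""
    findings = []
    covered = {"b64": set(), "b32": set()}
    watches = set()
    for rule in (parse_rule(l) for l in text.splitlines()):
        if not rule or "control" in rule:
            continue
        if rule["syscalls"]:
            covered.setdefault(rule["arch"], set()).update(rule["syscalls"])
        if rule["watch"]:
            watches.add(rule["watch"])
        if not rule["key"]:
            findings.append("no -k key, hard to find with ausearch: " + rule["raw"])
    for arch in ("b64", "b32"):
        for sc in sorted(required_syscalls - covered[arch]):
            findings.append("syscall %s is not audited for arch=%s" % (sc, arch))
    for path in sorted(required_watches - watches):
        findings.append("no watch rule for %s" % path)
    return findings


if __name__ == "__main__":
    for finding in check_rules(SAMPLE_RULES):
        print(finding)
```

Syscall coverage is tracked per arch because a b64 rule does not catch 32-bit callers of the same syscall; the sample set deliberately omits clock_settime and one -k key so that the checker has something to report.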
Pike work items
Pike will include changes sufficient to provide full DISA STIG compliance.
It is then expected that full security Hardening will be available through the use of a single environment file, for example:
openstack overcloud deploy --templates -e disa-stig-compliance.yaml
Configure openstack services to emit audit events using CADF
Further Horizon security
Configurable values for CSRF_COOKIE_SECURE and further Horizon values.
Kernel Parameter Hardening
Various sysctl values will be manageable via tripleo-heat-templates, including values for Restricting Access to Kernel Message Buffer, Disable ICMP Redirects and Disable KDump Kernel Crash Analyzer (kdump).
Values to Limit Password Reuse, Set Lockout Time For Failed Password Attempts, Set Password Minimum Length, and other attributes such as minimum digits, minimum number of consecutive characters, and retry prompts per session.
Install and Manage AIDE
Make AIDE (Advanced Intrusion Detection Environment) available to nodes, along with the option to build an integrity database and to configure periodic execution of AIDE integrity verification.
Currently overcloud images contain a single flat partition. Ongoing work in Ironic and Disk Image Builder will make it possible to implement layouts with /tmp as separate volumes, described in Heat template format.
A full FIPS Compliant Kernel as a deploy option.
Restrict Dynamic Mounting and Unmounting of Filesystems
- Disable Modprobe Loading of USB Storage Driver
- Disable Kernel Support for USB via Bootloader Configuration
- Disable Booting from USB Devices in Boot Firmware
Disable Core Dumps
Disable Core Dumps for SUID programs
Enable Randomized Layout of Virtual Address Space.
Kernel Message Buffer
Restrict Access to Kernel Message Buffer
- Allow Only SSH Protocol 2
- Disable GSSAPI Authentication
- Disable Kerberos Authentication
- Enable Use of StrictModes
- Enable Use of Privilege Separation
- Disable Compression Or Set Compression to delayed
- Set SSH Idle Timeout Interval
- Set SSH Client Alive Count
- Disable SSH Support for .rhosts Files
- Disable Host-Based Authentication
- Enable Encrypted X11 Forwarding
- Disable SSH Root Login
- Disable SSH Access via Empty Passwords
- Do Not Allow SSH Environment Options
- Use Only Approved Ciphers
- Use Only FIPS Approved MACs
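As an added example (not TripleO's code and not part of the post), the following Python turns the SSH items listed above into a check of an sshd_config. It accounts for two things a hardening script can get wrong: sshd honours the first occurrence of each keyword, so a value appended at the end of the file does not override an earlier one, and everything after a Match line is conditional rather than global. The approved cipher and MAC lists and the ClientAlive thresholds are a constructed policy, not values from the post; Protocol and UsePrivilegeSeparation are only recognised by older OpenSSH releases.

```python
import re

# Constructed sample sshd_config (not from the post). The last line shows the
# classic mistake: a hardening value appended after an earlier setting.
SAMPLE_SSHD_CONFIG = """\
Protocol 2
GSSAPIAuthentication no
KerberosAuthentication no
StrictModes yes
UsePrivilegeSeparation sandbox
Compression delayed
ClientAliveInterval 600
ClientAliveCountMax 0
IgnoreRhosts yes
HostbasedAuthentication no
X11Forwarding yes
PermitRootLogin yes
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes128-cbc
MACs hmac-sha2-512,hmac-sha2-256
# Appended later; sshd ignores it because the first occurrence wins.
PermitRootLogin no
"""

# Constructed policy lists, not taken from the post.
APPROVED_CIPHERS = {"aes128-ctr", "aes192-ctr", "aes256-ctr"}
APPROVED_MACS = {"hmac-sha2-256", "hmac-sha2-512"}


def _all_in(allowed):
    return lambda v: all(item in allowed for item in v.split(","))


def _int_between(low, high):
    return lambda v: v.isdigit() and low <= int(v) <= high


# (keyword, predicate over the lower-cased value, item from the list above)
POLICY = [
    ("protocol", lambda v: v == "2", "Allow only SSH protocol 2"),
    ("gssapiauthentication", lambda v: v == "no", "Disable GSSAPI authentication"),
    ("kerberosauthentication", lambda v: v == "no", "Disable Kerberos authentication"),
    ("strictmodes", lambda v: v == "yes", "Enable use of StrictModes"),
    ("useprivilegeseparation", lambda v: v in ("yes", "sandbox"), "Enable privilege separation"),
    ("compression", lambda v: v in ("no", "delayed"), "Disable compression or set it to delayed"),
    ("clientaliveinterval", _int_between(1, 600), "Set SSH idle timeout interval"),
    ("clientalivecountmax", _int_between(0, 3), "Set SSH client alive count"),
    ("ignorerhosts", lambda v: v == "yes", "Disable SSH support for .rhosts files"),
    ("hostbasedauthentication", lambda v: v == "no", "Disable host-based authentication"),
    ("x11forwarding", lambda v: v == "yes", "Enable encrypted X11 forwarding"),
    ("permitrootlogin", lambda v: v == "no", "Disable SSH root login"),
    ("permitemptypasswords", lambda v: v == "no", "Disable SSH access via empty passwords"),
    ("permituserenvironment", lambda v: v == "no", "Do not allow SSH environment options"),
    ("ciphers", _all_in(APPROVED_CIPHERS), "Use only approved ciphers"),
    ("macs", _all_in(APPROVED_MACS), "Use only FIPS approved MACs"),
]


def parse_sshd_config(text):
    """Return the effective global settings as {lower-cased keyword: value}.
    First occurrence wins, as in sshd_config(5); parsing stops at the first
    Match block because those settings apply only to matching connections."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def check_sshd_config(text, policy=POLICY):
    """Return findings as 'item: keyword is <value>' strings; empty is compliant.
    A keyword that is not set at all is reported too, because the compiled-in
    default may not be the hardened value."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, ok, item in policy:
        value = settings.get(keyword)
        if value is None:
            findings.append("%s: %s is not set" % (item, keyword))
        elif not ok(value.lower()):
            findings.append("%s: %s is '%s'" % (item, keyword, value))
    return findings


if __name__ == "__main__":
    for finding in check_sshd_config(SAMPLE_SSHD_CONFIG):
        print(finding)
```

Run against the sample, the checker reports root login still permitted (the appended PermitRootLogin no never takes effect) and a CBC cipher outside the approved set; the same parser is what a post-deploy verification step would run on each node's /etc/ssh/sshd_config.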
This is not a final list, and additions may be made as the work proceeds, but it provides a decent overview of the changes.