From 70f5897e94b3a78aee096d3cff2f021e2cabef63 Mon Sep 17 00:00:00 2001 From: Billy Olsen Date: Tue, 14 Oct 2025 21:22:58 -0700 Subject: [PATCH] [WIP] Security docs draft Signed-off-by: Billy Olsen --- how-to/index.rst | 9 +++ how-to/security/authentication.rst | 66 ++++++++++++++++++ how-to/security/checklist.rst | 55 +++++++++++++++ how-to/security/compliance.rst | 34 ++++++++++ how-to/security/hardening.rst | 60 ++++++++++++++++ how-to/security/incident-response.rst | 48 +++++++++++++ .../includes/openstack-ports-full.rst | 68 +++++++++++++++++++ how-to/security/index.rst | 49 +++++++++++++ how-to/security/logging-monitoring.rst | 63 +++++++++++++++++ how-to/security/ports.rst | 29 ++++++++ 10 files changed, 481 insertions(+) create mode 100644 how-to/security/authentication.rst create mode 100644 how-to/security/checklist.rst create mode 100644 how-to/security/compliance.rst create mode 100644 how-to/security/hardening.rst create mode 100644 how-to/security/incident-response.rst create mode 100644 how-to/security/includes/openstack-ports-full.rst create mode 100644 how-to/security/index.rst create mode 100644 how-to/security/logging-monitoring.rst create mode 100644 how-to/security/ports.rst diff --git a/how-to/index.rst b/how-to/index.rst index ac28f42..087887b 100644 --- a/how-to/index.rst +++ b/how-to/index.rst @@ -40,3 +40,12 @@ Troubleshooting :maxdepth: 2 troubleshooting/index + +Security +-------- + +.. toctree:: + :maxdepth: 2 + + security/index + diff --git a/how-to/security/authentication.rst b/how-to/security/authentication.rst new file mode 100644 index 0000000..6487d7f --- /dev/null +++ b/how-to/security/authentication.rst @@ -0,0 +1,66 @@ +================================ +Authentication and Authorization +================================ + +.. _security-authentication: + +This guide focuses on identity management, Fernet tokens, and service credentials. + +Keystone Overview +================= + +Keystone provides authentication, authorization, and service discovery for OpenStack. +Sunbeam configures Keystone automatically and registers service users via Juju. + +Key Concepts +------------ + +* **Domains**: logical boundaries for users and projects. +* **Projects**: map to tenants or teams. +* **Roles**: define permissions; assign to users per project or domain. + +Example commands: + +.. code-block:: bash + + openstack user create --domain default --project demo demo-user + openstack role add --project demo --user demo-user member + +Fernet Token Management +======================= + +Sunbeam supports only Fernet tokens for authentication. +These are lightweight, stateless, and cryptographically signed. + +* Keys are distributed and rotated via Juju secrets. +* Default rotation interval: 30–90 days. +* Rotation command (for reference): + +.. code-block:: bash + + juju run keystone/leader "keystone-manage fernet_rotate" + +Juju Secrets and Service Authentication +======================================= + +All inter-service credentials (e.g., Nova→Keystone, Neutron→RabbitMQ) are exchanged using **Juju secrets**. + +* Secrets are encrypted and versioned automatically. +* They can be revoked, refreshed, and audited. +* Avoid storing credentials in plain charm config. + +Federated Identity (Optional) +============================= + +Keystone supports SAML or OIDC federation for SSO. + +* Validate IdP metadata signatures. +* Map external attributes carefully to local roles. +* Restrict project scopes for federated users. + +References +========== + +* :doc:`logging-monitoring` +* `Keystone Security Guide `_ + diff --git a/how-to/security/checklist.rst b/how-to/security/checklist.rst new file mode 100644 index 0000000..427819e --- /dev/null +++ b/how-to/security/checklist.rst @@ -0,0 +1,55 @@ +============================ +Security Hardening Checklist +============================ + +.. _security-checklist: + +This checklist summarises key items to verify for a secure OpenStack Sunbeam environment. +For detailed procedures, refer to :doc:`hardening`. + +Infrastructure and OS +===================== + +- [ ] Ubuntu LTS with all updates applied +- [ ] Minimal package set installed +- [ ] AppArmor/SELinux enabled +- [ ] SSH key-based access only +- [ ] Auditd configured and active + +Networking +========== + +- [ ] Management and tenant networks isolated +- [ ] Firewalls restrict only required ports (see :doc:`ports`) +- [ ] TLS configured on all APIs +- [ ] Neutron security groups enforced + +Identity and Access +=================== + +- [ ] Keystone users and roles follow least privilege +- [ ] Fernet keys rotated regularly +- [ ] Juju secrets verified and limited to intended services + +Storage and Secrets +=================== + +- [ ] Encrypted Cinder volumes and Glance backends +- [ ] Secrets rotated and securely backed up +- [ ] Vault or Juju secret audit logs enabled + +Monitoring and Response +======================= + +- [ ] Centralised logs with TLS transport +- [ ] Alerts for failed auth and certificate expiry +- [ ] Backup and restore tested quarterly +- [ ] Incident response procedures documented + +References +========== + +* :doc:`hardening` +* :doc:`logging-monitoring` +* :doc:`incident-response` + diff --git a/how-to/security/compliance.rst b/how-to/security/compliance.rst new file mode 100644 index 0000000..49c7672 --- /dev/null +++ b/how-to/security/compliance.rst @@ -0,0 +1,34 @@ +========================= +Compliance and References +========================= + +.. _security-compliance: + +This section maps Canonical OpenStack (Sunbeam) security practices +to common frameworks and provides further reading. + +CIS and Ubuntu Baselines +======================== + +Ubuntu security baselines align with CIS Benchmarks for Linux hosts. +Operators can use `CIS-CAT` or `OpenSCAP` to validate compliance. + +FIPS 140-3 and Cryptography +=========================== + +OpenStack services rely on system OpenSSL libraries; +Ubuntu FIPS builds can be used where certification is required. + +ISO / SOC2 Alignment +==================== + +Canonical infrastructure guidance supports traceability and +auditability suitable for ISO 27001 or SOC2 environments. + +Canonical Security Resources +============================ + +* `Ubuntu Pro and Livepatch `_ +* `OpenStack Security Guide `_ +* `Canonical OpenStack Docs `_ + diff --git a/how-to/security/hardening.rst b/how-to/security/hardening.rst new file mode 100644 index 0000000..10b56d7 --- /dev/null +++ b/how-to/security/hardening.rst @@ -0,0 +1,60 @@ +========================= +Hardening Guide +========================= + +.. _security-hardening: + +This guide describes steps to secure a Canonical OpenStack (Sunbeam) deployment before +and after it is installed. + +Pre-Deployment Hardening +======================== + +* Use minimal Ubuntu LTS images. +* Apply all security updates and enable unattended-upgrades. +* Disable password logins, allow SSH key-based access only. +* Enable AppArmor or SELinux. +* Configure firewall rules before deployment. +* Verify Juju controller TLS certificates. + +Network and Service Isolation +============================= + +* Isolate management, API, tenant, and storage traffic. +* Limit inbound ports (see :doc:`ports`). +* Restrict inter-service communication using TLS. +* Use separate networks or VLANs for control plane and data plane. +* Apply security groups for tenant isolation. + +Juju and Secrets +================ + +* Use Juju secrets for all credential exchanges between charms. +* Rotate secrets periodically and revoke unused ones. +* Restrict Juju controller access to trusted admins only. +* Store Juju controller backups encrypted and offline. + +Host and Container Security +=========================== + +* Remove unused packages and services. +* Enforce least-privilege for system daemons. +* Enable kernel hardening (ASLR, NX bit, StackProtector). +* Use minimal container images; enforce read-only rootfs and drop privileges. +* Audit container profiles periodically. + +Runtime Practices +================= + +* Keep packages patched via unattended-upgrades or Canonical Livepatch. +* Rotate Fernet keys every 30–90 days. +* Enable log forwarding and auditing (see :doc:`logging-monitoring`). +* Perform quarterly security scans and reviews. + +References +========== + +* `Ubuntu Security `_ +* :doc:`checklist` +* :doc:`authentication` + diff --git a/how-to/security/incident-response.rst b/how-to/security/incident-response.rst new file mode 100644 index 0000000..7ef6140 --- /dev/null +++ b/how-to/security/incident-response.rst @@ -0,0 +1,48 @@ +============================== +Incident Response and Recovery +============================== + +.. _security-incident-response: + +Preparation and planning are key to responding effectively to security incidents. + +Preparation +=========== + +* Define roles and responsibilities. +* Maintain offline copies of Fernet keys, certificates, and Juju backups. +* Document contact paths and escalation procedures. + +Detection +========= + +* Review logs for anomalies and failed authentication bursts. +* Use monitoring alerts for token abuse or service instability. + +Containment +=========== + +* Revoke or rotate compromised secrets with Juju. +* Rotate Fernet keys on Keystone leader. +* Restrict network access to affected services. + +Eradication and Recovery +======================== + +* Rebuild compromised hosts from trusted images. +* Re-deploy charms to refresh configurations. +* Validate service health post-recovery. + +Post-Incident Review +==================== + +* Document root cause and mitigation. +* Apply lessons learned to hardening and configuration. +* Update :doc:`checklist` and incident runbooks. + +References +========== + +* :doc:`logging-monitoring` +* :doc:`hardening` + diff --git a/how-to/security/includes/openstack-ports-full.rst b/how-to/security/includes/openstack-ports-full.rst new file mode 100644 index 0000000..5130ddd --- /dev/null +++ b/how-to/security/includes/openstack-ports-full.rst @@ -0,0 +1,68 @@ +Ports Used by OpenStack Services (Extended List) +================================================ + +Below is a more comprehensive list of default ports used by various OpenStack services (API endpoints, agents, data plane) based largely on the upstream “Firewalls and default ports” documentation. :contentReference[oaicite:0]{index=0} +Operators should verify actual port bindings (some can be customized) and only open what is strictly required. + +.. note:: + Ports may differ in your deployment (e.g. TLS vs non-TLS, custom overrides). Always check configuration in your charms, Juju relations, and service charmed layers. + ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| Service / Component | Port(s) / Protocol | Notes | ++==================================+========================+=====================================================================+ +| Keystone (Identity) | 5000 TCP | Public / internal API endpoint | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| Glance (Image) | 9292 TCP | Image service API | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| Nova (Compute API) | 8774 TCP | Compute API | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| Nova metadata service | 8775 TCP | Metadata service (VM metadata) | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| VNC / console proxy | 5900-5999 TCP | VM console ports | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| Nova noVNC proxy | 6080 TCP | Browser-based console access | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| HTML5 console proxy | 6082 TCP | Alternative console proxy | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| Placement API | 8003 TCP | Placement service | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| Heat (Orchestration) | 8004 TCP | Heat API | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| Heat CloudFormation API | 8000 TCP | Heat CFN API | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| Heat CloudWatch API | 8003 TCP | Heat CloudWatch-compatible API | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| Cinder (Block Storage) | 8776 TCP | Block Storage API | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| Manila (Shared FS) | 8786 TCP | Manila share API | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| Neutron (Networking) | 9696 TCP | Neutron API | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| Octavia (Load Balancer) | 9876 TCP | Octavia API / control | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| Barbican (Key Manager) | 9311 TCP | Secret / key storage API | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| Ironic (Bare Metal) | 6385 TCP | Ironic API – bare metal provisioning | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| Designate (DNS) | 9001 TCP | DNS API | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| CloudKitty (Rating / Billing) | 8889 TCP | CloudKitty API | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| Aodh (Alarming) | 8042 TCP | Alarm / notification API | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| Magnum (Container orchestration) | 9511 TCP | Magnum API / orchestration | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| MySQL | 3306 TCP | Database backend (TLS enabled where possible) | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| RabbitMQ (AMQP / AMQPS) | | 5671 TCP (TLS) | Message bus for inter-service communication | +| | | 5672 TCP (non-TLS) | | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| HTTP / Dashboard Horizon | 80 TCP | If Horizon is exposed insecurely | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| HTTPS / Dashboard Horizon | 443 TCP | Recommended for dashboard / APIs | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| iSCSI target for Cinder | 3260 TCP | Required when using iSCSI-backed Cinder volumes | ++----------------------------------+------------------------+---------------------------------------------------------------------+ +| NVMe-oF target for Cinder | 4420 TCP | If using NVMe-over-Fabrics for block storage | ++----------------------------------+------------------------+---------------------------------------------------------------------+ + diff --git a/how-to/security/index.rst b/how-to/security/index.rst new file mode 100644 index 0000000..4e4b3a6 --- /dev/null +++ b/how-to/security/index.rst @@ -0,0 +1,49 @@ +====================== +Security Overview +====================== + +.. _security-index: + +The Canonical OpenStack (Sunbeam) security documentation provides guidance for securing +your deployment from initial planning through day-to-day operations. + +This collection of guides covers host hardening, authentication and authorization, +secure secrets handling, port and network reference, logging and auditing, and incident response. + +Security Philosophy +=================== + +Canonical OpenStack is built on Ubuntu, leveraging its long-term security maintenance, +kernel livepatching, and strict package provenance. Sunbeam adds automation and +secure defaults via Juju, reducing operator error and improving repeatability. + +Security objectives include: + +* Protect confidentiality, integrity, and availability of infrastructure and tenant workloads. +* Reduce attack surface across control plane and data plane. +* Enforce cryptographic integrity for authentication and data in transit. +* Enable secure, automated secret management with Juju. +* Provide auditable and traceable change and access history. + +Defense Layers +============== + +Security is achieved through layered defenses: + +1. **Host layer:** Ubuntu security, kernel hardening, AppArmor. +2. **Deployment layer:** Juju relations, secrets, and automation. +3. **Service layer:** OpenStack APIs, Keystone authentication, Fernet tokens. +4. **Network layer:** Segmented management, storage, and tenant networks. +5. **Operational layer:** Logging, auditing, and patching discipline. + +.. toctree:: + :maxdepth: 2 + + hardening + checklist + ports + authentication + logging-monitoring + incident-response + compliance + diff --git a/how-to/security/logging-monitoring.rst b/how-to/security/logging-monitoring.rst new file mode 100644 index 0000000..76da2ff --- /dev/null +++ b/how-to/security/logging-monitoring.rst @@ -0,0 +1,63 @@ +================================= +Logging, Auditing, and Monitoring +================================= + +.. _security-logging: + +Comprehensive logging and monitoring provide traceability, compliance, +and rapid incident response. + +Centralised Logging +=================== + +* Aggregate logs via Loki, Elastic, or other secure collectors. +* Protect log transport using TLS. +* Enforce retention and access controls. +* Enable log integrity checks (e.g., hash chains or WORM storage). + +Keystone Authentication Middleware Logs +======================================= + +The Keystone auth middleware (``keystonemiddleware.auth_token``) records +token validation, user identification, and policy enforcement events. + +Example locations: + +- ``/var/log/keystone/keystone.log`` +- API service logs containing middleware messages (e.g., Nova API logs) + +Enable verbose logging for token validation if required for audits: + +.. code-block:: ini + + [keystone_authtoken] + http_request_debug = true + log_level = INFO + +Auditing +======== + +* Enable audit notifications in Keystone, Nova, and Neutron. +* Forward audit events to a SIEM or monitoring system. +* Retain logs per compliance (e.g. 90–180 days). + +Monitoring and Alerting +======================= + +* Monitor certificate expiry, failed logins, API latency, and service availability. +* Integrate with Prometheus or Canonical Observability Stack. +* Define thresholds and alert routing to the on-call team. + +Security Analytics +================== + +* Correlate Keystone authentication anomalies (e.g., multiple failed tokens). +* Detect large volume API bursts (potential abuse). +* Use dashboards for per-service security posture. + +References +========== + +* :doc:`authentication` +* `Keystonemiddleware Docs `_ + diff --git a/how-to/security/ports.rst b/how-to/security/ports.rst new file mode 100644 index 0000000..652ac10 --- /dev/null +++ b/how-to/security/ports.rst @@ -0,0 +1,29 @@ +============================= +Ports and Protocols Reference +============================= + +.. _security-ports: + +This reference lists default service ports for Canonical OpenStack (Sunbeam) deployments. +Use it to configure firewalls and validate exposed endpoints. + +Core Services +============= + +.. include:: includes/openstack-ports-full.rst + +Port Security Guidance +====================== + +* Allow inbound access only from trusted networks. +* Prefer TLS-enabled ports (e.g., 5671 instead of 5672). +* Disable HTTP on 80 when HTTPS (443) is enabled. +* Restrict SSH (22) to management or bastion hosts. +* Periodically scan with ``ss -tuln`` or ``nmap`` to confirm open ports. + +References +========== + +* :doc:`hardening` +* `OpenStack Firewall Reference `_ +