InSpec Compliance for the OpenStack Security Guide

This is a collection of InSpec scripts to check compliance against the OpenStack Security Guide.

The control checklists for Keystone, Horizon, Cinder, Nova and Neutron are implemented based on OpenStack Mitaka and beyond configuration standards.

Some control implementation exists for Swift and Manila, but has not been tested.

Beta-level controls exist for Glance. These controls are inspired by those currently recommended in the OpenStack Security Guide for Cinder.

Installation

git clone [email protected]:chef-partners/inspec-openstack-security.git
cd inspec-openstack-security
bundle install

Run tests locally

bundle exec inspec exec .

Run tests against remote host(s)

Note that the controls can only be run against a single host until https://github.com/chef/inspec/issues/268 is closed.

If your OpenStack control plane consists of multiple hosts, you'll need to run InSpec against each host separately.

bundle exec inspec exec . -t ssh://user@hostname

Run controls for a particular service

Identity controls

bundle exec inspec exec . \
  --controls check-identity-01 check-identity-02 \
    check-identity-03 check-identity-04 \
    check-identity-05 check-identity-06

Dashboard controls

bundle exec inspec exec . \
  --controls check-dashboard-01 check-dashboard-02 \
    check-dashboard-03 check-dashboard-04 \
    check-dashboard-05 check-dashboard-06 \
    check-dashboard-07 check-dashboard-08 \
    check-dashboard-09 check-dashboard-10 \
    check-dashboard-11

Block Storage controls

bundle exec inspec exec . \
  --controls check-block-01 check-block-02 \
    check-block-03 check-block-04 \
    check-block-05 check-block-06 \
    check-block-07 check-block-08

Compute controls

bundle exec inspec exec . \
  --controls check-compute-01 check-compute-02 \
    check-compute-03 check-compute-04 \
    check-compute-05

Network controls

bundle exec inspec exec . \
  --controls check-neutron-01 check-neutron-02 \
    check-neutron-03 check-neutron-04 \
    check-neutron-05

Image controls

bundle exec inspec exec . \
  --controls check-image-01 check-image-02 \
    check-image-03 check-image-04

Orchestration controls

bundle exec inspec exec . \
  --controls check-orchestration-01 check-orchestration-02 \
    check-orchestration-03 --attrs attributes.yml

attributes.yml has the following contents

heat_enabled: true

Telemetry and Telemetry Alarming controls

inspec exec . --controls check-telemetry-01 check-telemetry-02 \
                check-telemetry-03 check-telemetry-04 \
                check-telemetry-alarming-01 check-telemetry-alarming-02 \
                check-telemetry-alarming-03 \
                --attrs attributes.yml

attributes.yml has the following contents

ceilometer_enabled: true
aodh_enabled: true

License

Apache 2

License & Authors

• Author: JJ Asghar ([email protected])

Copyright:: 2015-2017, Chef Software, Inc

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.