Applies to HPE Helion OpenStack 8

14 Security Audit Logs

14.1 The need for auditing

Enterprises need the ability to audit and monitor workflows and data in accordance with their strict corporate, industry or governmental policies and compliance requirements such as FIPS-140-2, PCI-DSS, HIPAA, SOX, or ISO. To meet this need, HPE Helion OpenStack supports CADF (Cloud Auditing Data Federation)-compliant security audit logs that can easily be integrated with your organization's Security Information and Event Management (SIEM) tools. Such auditing is valuable not only to meet regulatory compliance requirements, but also for correlating threat forensics.

Note that logs from existing OpenStack services can also be used for auditing purposes, even though they are not yet in a consistent, audit-friendly CADF format. All logs can easily be integrated with a SIEM tool such as HPE ArcSight or Splunk.

14.2 Audit middleware

Audit middleware is Python middleware that addresses the logging shortcomings noted above. It constructs audit event data in the easily consumed CADF format; this data can be mined to answer critical questions about activity on REST resources, such as who made the request, when, and why.

Audit middleware supports delivery of audit data via the Oslo messaging notifier feature. Each service is configured to route this data to a service-specific audit log file.

The following are key aspects of auditing support in HPE Helion OpenStack 8:

  • Auditing is disabled by default and can be enabled only after HPE Helion OpenStack installation.

  • Auditing support has been added to eight HPE Helion OpenStack services (Nova, Cinder, Glance, Keystone, Neutron, Heat, Barbican, and Ceilometer).

  • Auditing has been added for interactions where REST API calls are invoked.

  • All audit events are recorded in a service-specific audit log file.

  • Auditing configuration is centrally managed and indicates for which services auditing is currently disabled or enabled.

  • Auditing can be enabled or disabled on a per-service basis.

14.3 Centralized auditing configuration

In HPE Helion OpenStack, all auditing configuration is centrally managed and controlled via input model YAML files on the Cloud Lifecycle Manager node. The settings are configured in the file ~/openstack/my_cloud/definition/cloudConfig.yml in an audit-settings section; its keys are described in the following table and shown in the examples after it.

Key: default
  Value (default): disabled
  Type: String
  Description: Flag to globally enable or disable auditing for all services.
  Expected value(s): disabled, enabled
  Comments: A service's auditing behavior is determined by this default value unless the service is listed explicitly in the enabled-services or disabled-services list.

Key: enabled-services
  Value (default): [] (empty list)
  Type: yaml list
  Description: Explicitly enables auditing for the listed services regardless of the default flag setting.
  Expected value(s): nova, cinder, glance, keystone, neutron, heat, barbican, ceilometer
  Comments: To enable a specific service, either add the service name to the enabled-services list when default is set to disabled, or remove it from the disabled-services list when default is set to enabled. If a service name is present in both enabled-services and disabled-services, auditing is enabled for that service.

Key: disabled-services
  Value (default): Nova, Barbican, Keystone, Cinder, Ceilometer, Neutron
  Type: yaml list
  Description: Explicitly disables auditing for the listed services regardless of the default flag setting.
  Expected value(s): nova, cinder, glance, keystone, neutron, heat, barbican, ceilometer
  Comments: To disable a specific service, either add the service name to the disabled-services list when default is set to enabled, or remove it from the enabled-services list when default is set to disabled.

Audit settings in cloudConfig.yml with default set to disabled and services selectively enabled:

product:
    version: 2
cloud:
    ....
    ....
    # Disk space needs to be allocated to the audit directory before enabling
    # auditing.
    # keystone and nova have auditing enabled
    # cinder, ceilometer, glance, neutron, heat, barbican have auditing disabled
    audit-settings:
        audit-dir: /var/audit
        default: disabled
        enabled-services:
            - keystone
            - nova
        disabled-services:
            - cinder
            - ceilometer

Audit settings in cloudConfig.yml with default set to enabled and services selectively disabled:

product:
    version: 2
cloud:
    ....
    ....
    # Disk space needs to be allocated to the audit directory before enabling
    # auditing.
    # keystone, nova, glance, neutron, heat, barbican have auditing enabled
    # cinder, ceilometer have auditing disabled
    audit-settings:
        audit-dir: /var/audit
        default: enabled
        enabled-services:
            - keystone
            - nova
        disabled-services:
            - cinder
            - ceilometer

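The precedence rules above (enabled-services wins over disabled-services, which wins over default) are easy to get wrong when reviewing a cloudConfig.yml before deployment. The following added example, which is not part of the HPE documentation or product code, resolves the effective per-service audit state from an audit-settings block and flags common mistakes; the function names and the constructed SAMPLE_SETTINGS dictionary (mirroring the second example above) are assumptions.

```python
"""Resolve effective per-service audit state from a cloudConfig.yml
audit-settings block (added example, not HPE product code)."""

# The eight services that support CADF audit logging in HPE Helion OpenStack 8.
AUDITABLE_SERVICES = ("nova", "cinder", "glance", "keystone",
                      "neutron", "heat", "barbican", "ceilometer")


def resolve_audit_state(audit_settings):
    """Return ({service: "enabled"|"disabled"}, [warnings]).

    Precedence: enabled-services > disabled-services > default. Names are
    compared case-insensitively because the docs show both 'Nova' and 'nova'.
    """
    default = str(audit_settings.get("default", "disabled")).lower()
    if default not in ("enabled", "disabled"):
        raise ValueError("default must be 'enabled' or 'disabled', got %r" % default)

    enabled = {s.lower() for s in audit_settings.get("enabled-services") or []}
    disabled = {s.lower() for s in audit_settings.get("disabled-services") or []}

    warnings = []
    for name in sorted((enabled | disabled) - set(AUDITABLE_SERVICES)):
        warnings.append("unknown service in audit-settings: %s" % name)
    for name in sorted(enabled & disabled):
        warnings.append("%s listed in both lists; enabled-services wins" % name)
    if not audit_settings.get("audit-dir"):
        warnings.append("audit-dir is not set; audit log files have no destination")

    state = {}
    for svc in AUDITABLE_SERVICES:
        if svc in enabled:
            state[svc] = "enabled"
        elif svc in disabled:
            state[svc] = "disabled"
        else:
            state[svc] = default
    return state, warnings


# Constructed input mirroring the second cloudConfig.yml example above
# (default enabled, cinder and ceilometer explicitly disabled).
SAMPLE_SETTINGS = {
    "audit-dir": "/var/audit",
    "default": "enabled",
    "enabled-services": ["keystone", "nova"],
    "disabled-services": ["cinder", "ceilometer"],
}

if __name__ == "__main__":
    state, warnings = resolve_audit_state(SAMPLE_SETTINGS)
    print("audited:", [s for s, v in state.items() if v == "enabled"])
    print("warnings:", warnings)
```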
Because auditing is disabled by default, you will need to follow the steps below to enable it:

  1. Book “Operations Guide”, Chapter 12 “Managing Monitoring, Logging, and Usage Reporting”, Section 12.2 “Centralized Logging Service”, Section 12.2.7 “Audit Logging Overview”, Section 12.2.7.1 “Audit Logging Checklist”

  2. Book “Operations Guide”, Chapter 12 “Managing Monitoring, Logging, and Usage Reporting”, Section 12.2 “Centralized Logging Service”, Section 12.2.7 “Audit Logging Overview”, Section 12.2.7.2 “Enable Audit Logging”

For instructions on backing up and restoring audit logs, see: Book “Operations Guide”, Chapter 14 “Backup and Restore”, Section 14.13 “Backing up and Restoring Audit Logs”.