Getting Started with OpenShift Origin Security in the Cloud - Archived

If you have tested Red Hat’s OpenShift Origin, you have experienced the value and endless possibilities this PaaS will bring to a large enterprise being deployed on site. For the last year, I have been developing security for this great new application platform. To save you a few headaches, and help your understanding of this application platform more fully, I am offering you a few tips. This is by no means a complete list. Just a simple guide to help move your experience along. After reading this blog you should have a nice punch list of items that you can work into your OpenShift Origin infrastructure.

If you have tested Red Hat’s OpenShift Origin, you have experienced the value and endless possibilities this PaaS will bring to a large enterprise being deployed on site. For the last year, I have been developing security for this great new application platform. To save you a few headaches, and help your understanding of this application platform more fully, I am offering you a few tips. This is by no means a complete list. Just a simple guide to help move your experience along. After reading this blog you should have a nice punch list of items that you can work into your OpenShift Origin infrastructure.

Firewalls

Firewalls to the outside world are pretty straight forward. Usually traffic like ssh (port 22) and https (port 443) will be the only in coming port and everything else will be blocked. This part is usually handled by your corporate firewall. For OpenShift Origin, you can also add network intrusion detection at this level to look at packets coming in. The inside (node to node) is another story depending on if your user base is trusted or not (corporate users or outside the enterprise users). For this, you will be looking at iptables.

SELinux Management

When you start to work on something as large and dynamic as OpenShift Origin, you will need to ensure that users are allowed to run needed applications and are blocked from running others. This is where SELinux comes in. Make sure all settings are what they should be. Like a firewall, start with removing all access and only granting what is needed. You can also look into removing “Other” permissions from files. Wall would be a good application to remove any permissions for “Others” to even try. This will also keep your SELinux audit logs a bit cleaner.

Configuration Management

The next biggest issue is performing consistency checks to make sure that files are what they should be. You can look to configuration management tools such as Bcfg2, CF Engine, Chef and Puppet (to name a few). This assures that if a file gets changed, it will be replaced with what is a known “good state”. This can be used to remove rights from files (see the Wall blurb above) that you don’t want people to try or make sure that the proper SSL cert is applied to a system.

Auditing

You will need some type of automated auditing system to make sure you are within your corporate security policies. This can include auditing tools to assure you have a certain level of security content automation protocol (SCAP) compliance or that no files have key signatures of trojans, backdoors, etc and that your RPM database verifies all your files.

Log Creation

There are “bad people” out there who are ready to wreak havoc at the first sign of weakness. Create central logs that put transactions together logically. Look into different remote log aggregaters to help with this task. This will help you see the “who”, “what”, “where” and “when”.

Proactive Management

Proactive management tools need to be in place to tie everything together. It will be looking at the output of all the services to make sure they are within specification. It will also be used to run custom checks such as making sure the SSL certs don’t expire before a certain period; that all users are running within their poly instantiation jail; no services have broken out of SELinux, etc. The more you use OpenShift Origin, the more checks you can add to make your life easier.

This is just the beginning of making OpenShift Origin more enterprise ready. The greatest value of OpenShift Origin is that it is open source. Next, it is easy to plug in the corporate tools you use today. You don’t want to create exceptions for your PaaS, and with OpenShift Origin, you won’t have to.

Look for more Open Shift Origin security related blogging from me soon!

Categories
OpenShift Origin
Tags
Comments are closed.