OpenStack Keystone Secure Configuration

Description

OpenStack is a free and open-source software platform for cloud computing, mostly deployed as infrastructure-as-a-service (IaaS), whereby virtual servers and other resources are made available.

See here for the official website.

The OpenStack identity service (codename Keystone) is a service that provides API client authentication, service discovery, and distributed multi-tenant authorization by implementing OpenStack’s Identity API. It supports LDAP, OAuth, OpenID Connect, SAML and SQL (see also: Keystone docs).

With the newly implemented OpenStack Keystone Policy Controls, it is possible to check for a (basic) secure configuration. The tests are based on this security checklist. They are available in GSF only.

Scan Config

To run an OpenStack Keystone configuration scan, import this scan config openstack_scan_config.xml (754.9 KB).

Note: The scan needs to be an authenticated scan against a Linux target (see Requirements on Target Systems with Linux/UNIX for more information).

Included VTs

| Name | Family | OID | Script preferences |
|---|---|---|---|
| Compliance Tests | Compliance | 1.3.6.1.4.1.25623.1.0.95888 | Check that Launch Compliance Test and Verbose Policy Controls are set to yes |
| Policy Controls Summary | Compliance | 1.3.6.1.4.1.25623.1.0.109006 | |
| All OpenStack Keystone VTs | Policy | 1.3.6.1.4.1.25623.1.0.109672 - 1.3.6.1.4.1.25623.1.0.109678 | |