Periodic Security Checks
The highest-level objective of this blueprint is to support the integrity aspect of security in the OpenStack Trusted Computing Pool.
Currently only one type of security check is implemented in OpenStack: static file integrity checks performed by the OpenAttestation service using TPM/IMA technology. OpenAttestation checks a node only once, when the node is booted.
That is why this blueprint has two main high-level goals:
* Extend OpenStack so that an OpenStack administrator can add periodic security checks against the compute nodes, not only OpenAttestation checks. For example, the administrator could add a dynamic check that verifies the memory of running OpenStack services. This gives the administrator more flexibility in customising the criteria that decide which nodes are trusted and which are not.
* Provide a common interface that a check must implement to be considered pluggable under the first goal. An example implementation of this interface should be provided, which developers can re-use to implement their own checks. This example implementation will use the OpenAttestation service to perform static file integrity checks periodically.
For more information, see the referenced specification.
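As an added illustration (not code from this blueprint or from OpenStack), the following Python sketches the design described above: a `SecurityCheck` interface that a pluggable check implements, an example static file integrity check, and a `TrustedPool` that re-runs each check once its interval has elapsed and treats a node as trusted only while every check passes. The class names, the `interval` attribute and the `measure()` callable standing in for the OpenAttestation query are assumptions, and the node names and hashes are constructed sample data.

```python
from abc import ABC, abstractmethod
from collections import namedtuple
from datetime import datetime, timedelta

CheckResult = namedtuple("CheckResult", "node check trusted detail")  # outcome of one check on one node

class SecurityCheck(ABC):
    """Interface every pluggable check implements (assumed design, not code from the blueprint)."""
    interval = timedelta(minutes=30)  # how often the pool re-runs this check on each node
    @abstractmethod
    def run(self, node: str) -> CheckResult:
        """Evaluate one node and return a CheckResult."""

class StaticFileIntegrityCheck(SecurityCheck):
    """Compares measured file hashes with a known-good list; measure() is a constructed stand-in for the attestation query."""
    name = "static_file_integrity"
    def __init__(self, known_good, measure):
        self.known_good, self.measure = known_good, measure
    def run(self, node):
        measured = self.measure(node)
        bad = sorted(p for p, h in self.known_good.items() if measured.get(p) != h)
        return CheckResult(node, self.name, not bad, "ok" if not bad else "mismatch: " + ", ".join(bad))

class TrustedPool:
    """Re-runs each check once its interval has elapsed; a node is trusted only while every check passes."""
    def __init__(self, checks):
        self.checks, self.last = list(checks), {}  # last: (node, check name) -> (run time, CheckResult)
    def evaluate(self, nodes, now):
        for node in nodes:
            for check in self.checks:
                prev = self.last.get((node, check.name))
                if prev is None or now - prev[0] >= check.interval:
                    self.last[(node, check.name)] = (now, check.run(node))
    def trusted(self, node):
        # Fail closed: a node with no result yet for some check is not trusted.
        return all((r := self.last.get((node, c.name))) is not None and r[1].trusted for c in self.checks)

KNOWN_GOOD = {"/usr/sbin/sshd": "a1", "/usr/bin/nova-compute": "b2"}  # constructed sample data
MEASURED = {"node-1": dict(KNOWN_GOOD), "node-2": dict(KNOWN_GOOD)}     # node -> measured hashes

def scenario():
    """Trust of node-2 at boot, 10 min later (check not yet due) and 30 min later (re-checked)."""
    pool = TrustedPool([StaticFileIntegrityCheck(KNOWN_GOOD, lambda n: dict(MEASURED[n]))])
    t0 = datetime(2014, 1, 1, 12, 0)
    pool.evaluate(["node-1", "node-2"], t0)
    at_boot = pool.trusted("node-2")
    MEASURED["node-2"]["/usr/sbin/sshd"] = "ff"  # binary altered after the boot-time attestation
    pool.evaluate(["node-1", "node-2"], t0 + timedelta(minutes=10))
    before_due = pool.trusted("node-2")
    pool.evaluate(["node-1", "node-2"], t0 + timedelta(minutes=30))
    return at_boot, before_due, pool.trusted("node-2"), pool.trusted("node-1")
```

The 10-minute round shows the limitation the blueprint addresses: a tampered node keeps its trusted status until the next scheduled check, so the interval bounds the window between tampering and exclusion from the pool.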
Blueprint information
- Status: Started
- Approver: None
- Priority: Undefined
- Drafter: Vasiliy Artemev
- Direction: Needs approval
- Assignee: None
- Definition: New
- Series goal: None
- Implementation: Started
- Milestone target: None
- Started by: Vasiliy Artemev
- Completed by: