OpenStack Keystone Secure Configuration


OpenStack is a free and open-source software platform for cloud computing, mostly deployed as infrastructure-as-a-service (IaaS), whereby virtual servers and other resources are made available.

See here for the official website.

The OpenStack identity service (codename Keystone) is a service that provides API client authentication, service discovery, and distributed multi-tenant authorization by implementing OpenStack’s Identity API. It supports LDAP, OAuth, OpenID Connect, SAML and SQL (see also: Keystone docs).

With the newly implemented OpenStack Keystone Policy Controls, it is possible to check for a (basic) secure configuration. The tests are based on this security checklist. They are available in GSF only.

Scan Config

Moderator note: This is an older scan config that does not work with current versions of Greenbone software, but remains here for reference purposes.

To run an OpenStack Keystone configuration scan, import this scan config openstack_scan_config.xml (754.9 KB).

Note: The scan needs to be an authenticated scan against a Linux target (see Requirements on Target Systems with Linux/UNIX for more information).

Included VTs

Name Family OID Script preferences
Compliance Tests Compliance Check that Launch Compliance Test and Verbose Policy Controls are set to yes
Policy Controls Summary Compliance
All OpenStack Keystone VTs Policy -