ca0e1ca769
This is an initial import of the osel codebase. The osel tool is a tool that initiates external security scans (initially through Qualys) upon receipt of AMQP events that indicate certain sensitive events have occurred, like a security group rule change. The commit history had to be thrown away because it contained some non-public data, so I would like to call out the following contributors: This uses go 1.10 and vgo for dependency management. Co-Authored-By: Charles Bitter <Charles_Bitter@cable.comcast.com> Co-Authored-By: Olivier Gagnon <Olivier_Gagnon@cable.comcast.com> Co-Authored-By: Joseph Sleiman <Joseph_Sleiman@comcast.com> Change-Id: Ib6abe2024fd91978b783ceee4cff8bb4678d7b15
25 lines
984 B
YAML
---
prelude: >
    This is the first public release of the OpenStack Event Listener (OSEL).
    It had previously been a project within Comcast, but was open-sourced
    under the Apache license.
features:
  - |
    Connects to RabbitMQ and listens for OpenStack notification events specific
    to security group changes. When one is intercepted, OSEL queries Nova to find
    the affected IP addresses, then initiates a Qualys scan against them. Finally
    it sends the IP addresses and the Qualys scan ID to syslog.
issues:
  - |
    Only processes security group changes; it should also process new port
    events, since a new port exposes addresses that were never scanned.
  - |
    Needs exponential backoff for AMQP connections, so a broker outage does not
    turn into a tight reconnect loop.
  - |
    Needs to be integrated with Aodh for modern OpenStacks.
security:
  - |
    Requires access to RabbitMQ as well as OpenStack credentials that can read
    data in all projects, so this should be considered a privileged process and
    should be run in a properly secured context: dedicated credentials scoped to
    what the Nova lookups need, no more.
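The listener stage described in the features entry, and the first two issues (port events and AMQP backoff), as an added Go example. This is not OSEL's own code; it is a stand-alone sketch written for this page. It assumes the standard oslo.messaging notification layout (an envelope whose "oslo.message" field is the notification serialised as a JSON string) and the Neutron payload field names as published by the Neutron API (security_group_rule.security_group_id, port.fixed_ips[].ip_address); the three sample messages are constructed, not captured from a real cloud. It goes beyond the current feature set by also accepting port.create.end, the case the issues list says is still missing, and it includes the capped exponential reconnect delay the second issue asks for.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// envelope is the oslo.messaging wrapper that OpenStack services publish to
// RabbitMQ: a version field plus the real notification as a JSON string.
type envelope struct {
	Version string `json:"oslo.version"`
	Message string `json:"oslo.message"`
}

// notification is the inner oslo.messaging message; payload is kept raw and
// decoded per event type, because each Neutron event has a different shape.
type notification struct {
	EventType   string          `json:"event_type"`
	PublisherID string          `json:"publisher_id"`
	Payload     json.RawMessage `json:"payload"`
}

// ScanTrigger is what the listener hands to the next stage. A security group
// rule event only names the group, so Nova must still be asked which servers
// use it; a port event already carries the fixed IPs to scan.
type ScanTrigger struct {
	EventType       string
	SecurityGroupID string
	IPs             []string
}

// ParseEvent decodes one AMQP message body. It returns (nil, nil) for event
// types the listener does not act on, so the caller can ack and move on, and
// an error for bodies that are malformed or missing the fields a scan needs.
func ParseEvent(body []byte) (*ScanTrigger, error) {
	var env envelope
	if err := json.Unmarshal(body, &env); err != nil {
		return nil, fmt.Errorf("bad oslo envelope: %v", err)
	}
	var n notification
	if err := json.Unmarshal([]byte(env.Message), &n); err != nil {
		return nil, fmt.Errorf("bad oslo message: %v", err)
	}
	switch n.EventType {
	case "security_group_rule.create.end":
		var p struct {
			Rule struct {
				SecurityGroupID string `json:"security_group_id"`
			} `json:"security_group_rule"`
		}
		if err := json.Unmarshal(n.Payload, &p); err != nil {
			return nil, fmt.Errorf("bad security_group_rule payload: %v", err)
		}
		if p.Rule.SecurityGroupID == "" {
			return nil, fmt.Errorf("security_group_rule payload has no security_group_id")
		}
		return &ScanTrigger{EventType: n.EventType, SecurityGroupID: p.Rule.SecurityGroupID}, nil
	case "port.create.end":
		var p struct {
			Port struct {
				FixedIPs []struct {
					IPAddress string `json:"ip_address"`
				} `json:"fixed_ips"`
			} `json:"port"`
		}
		if err := json.Unmarshal(n.Payload, &p); err != nil {
			return nil, fmt.Errorf("bad port payload: %v", err)
		}
		t := &ScanTrigger{EventType: n.EventType}
		for _, ip := range p.Port.FixedIPs {
			t.IPs = append(t.IPs, ip.IPAddress)
		}
		return t, nil
	}
	return nil, nil // not a sensitive event; ack without scanning
}

// ReconnectDelay is the wait before AMQP reconnect attempt n (0-based):
// 1s, 2s, 4s, ... capped at 60s. Production code should add random jitter so
// a fleet of listeners does not reconnect in lockstep after a broker restart.
func ReconnectDelay(attempt int) time.Duration {
	const base, ceiling = time.Second, 60 * time.Second
	d := base
	for i := 0; i < attempt && d < ceiling; i++ {
		d *= 2
	}
	if d > ceiling {
		d = ceiling
	}
	return d
}

// wrapOslo builds an oslo.messaging envelope around a notification the way a
// Neutron server publishes it; used here only to construct sample input.
func wrapOslo(eventType, payloadJSON string) []byte {
	inner, _ := json.Marshal(map[string]interface{}{
		"event_type":   eventType,
		"publisher_id": "network.ctl1",
		"payload":      json.RawMessage(payloadJSON),
	})
	outer, _ := json.Marshal(envelope{Version: "2.0", Message: string(inner)})
	return outer
}

// Constructed sample bodies (the UUIDs and addresses are made up for this example).
var (
	sampleRuleCreate = wrapOslo("security_group_rule.create.end",
		`{"security_group_rule": {"id": "0f1d7f6e-0000-4000-8000-000000000001",
		  "security_group_id": "9a0b1c2d-0000-4000-8000-000000000002",
		  "direction": "ingress", "protocol": "tcp", "port_range_min": 22,
		  "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/0"}}`)
	samplePortCreate = wrapOslo("port.create.end",
		`{"port": {"id": "5e6f7a8b-0000-4000-8000-000000000003",
		  "security_groups": ["9a0b1c2d-0000-4000-8000-000000000002"],
		  "fixed_ips": [{"subnet_id": "s1", "ip_address": "10.20.30.40"}]}}`)
	sampleIgnored = wrapOslo("compute.instance.update", `{"instance_id": "x"}`)
)

func main() {
	for _, body := range [][]byte{sampleRuleCreate, samplePortCreate, sampleIgnored} {
		t, err := ParseEvent(body)
		switch {
		case err != nil:
			fmt.Println("reject:", err)
		case t == nil:
			fmt.Println("ignore: not a sensitive event")
		default:
			fmt.Printf("scan: %s group=%q ips=%v\n", t.EventType, t.SecurityGroupID, t.IPs)
		}
	}
	fmt.Println("reconnect delays:", ReconnectDelay(0), ReconnectDelay(3), ReconnectDelay(10))
}
```

In a real listener the RabbitMQ consumer loop would call ParseEvent on each delivery, hand non-nil triggers to the Nova lookup and Qualys steps, and sleep ReconnectDelay(attempt) between failed connection attempts, resetting attempt to zero once a connection succeeds.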