Checklist

Check-Dashboard-01: Is user/group of config files set to root/horizon?

Configuration files contain critical parameters and information required for smooth functioning of the component. If an unprivileged user, either intentionally or accidentally modifies or deletes any of the parameters or the file itself then it would cause severe availability issues causing a denial of service to the other end users. Thus user ownership of such critical configuration files must be set to root and group ownership must be set to horizon.

Run the following commands:

$ stat -L -c "%U %G"  /etc/openstack-dashboard/local_settings.py | egrep "root horizon"

Pass: If user and group ownership of the config file is set to root and horizon respectively. The above commands show output of root horizon.

Fail: If the above commands does not return any output as the user and group ownership might have set to any user other than root or any group other than horizon.

Check-Dashboard-02: Are strict permissions set for horizon configuration files?

Similar to the previous check, it is recommended to set strict access permissions for such configuration files.

Run the following commands:

$ stat -L -c "%a" /etc/openstack-dashboard/local_settings.py

Pass: If permissions are set to 640 or stricter. The permissions of 640 translates into owner r/w, group r, and no rights to others i.e. “u=rw,g=r,o=”. Note that with Check-Dashboard-01: Is user/group of config files set to root/horizon? and permissions set to 640, root has read/write access and horizon has read access to these configuration files. The access rights can also be validated using the following command. This command will only be available on your system if it supports ACLs.

$ getfacl --tabular -a /etc/openstack-dashboard/local_settings.py
getfacl: Removing leading '/' from absolute path names
# file: etc/openstack-dashboard/local_settings.py
USER   root     rw-
GROUP  horizon  r--
mask            r--
other           ---

Fail: If permissions are not set to at least 640.

Check-Dashboard-03: Is DISALLOW_IFRAME_EMBED parameter set to True?

DISALLOW_IFRAME_EMBED can be used to prevent the OpenStack Dashboard from being embedded within an iframe.

Legacy browsers are still vulnerable to a Cross-Frame Scripting (XFS) vulnerability, so this option allows extra security hardening where iframes are not used in deployment.

Default setting is True.

Pass: If value of parameter DISALLOW_IFRAME_EMBED in /etc/openstack-dashboard/local_settings.py is set to True.

Fail: If value of parameter DISALLOW_IFRAME_EMBED in /etc/openstack-dashboard/local_settings.py is set to False.

Recommended in: HTTPS, HSTS, XSS, and SSRF.

Check-Dashboard-07: Is PASSWORD_AUTOCOMPLETE set to False?

Common feature that applications use to provide users a convenience is to cache the password locally in the browser (on the client machine) and having it ‘pre-typed’ in all subsequent requests. While this feature can be perceived as extremely friendly for the average user, at the same time, it introduces a flaw, as the user account becomes easily accessible to anyone that uses the same account on the client machine and thus may lead to compromise of the user account.

Pass: If value of parameter PASSWORD_AUTOCOMPLETE in /etc/openstack-dashboard/local_settings.py is set to off.

Fail: If value of parameter PASSWORD_AUTOCOMPLETE in /etc/openstack-dashboard/local_settings.py is set to on.

Check-Dashboard-08: Is DISABLE_PASSWORD_REVEAL set to True?

Similar to the previous check, it is recommended not to reveal password fields.

Pass: If value of parameter DISABLE_PASSWORD_REVEAL in /etc/openstack-dashboard/local_settings.py is set to True.

Fail: If value of parameter DISABLE_PASSWORD_REVEAL in /etc/openstack-dashboard/local_settings.py is set to False.

Note

This option was introduced in Kilo release.

Check-Dashboard-09: Is ENFORCE_PASSWORD_CHECK set to True?

Setting ENFORCE_PASSWORD_CHECK to True will display an ‘Admin Password’ field on the Change Password form to verify that it is indeed the admin logged-in who wants to change the password.

Pass: If value of parameter ENFORCE_PASSWORD_CHECK in /etc/openstack-dashboard/local_settings.py is set to True.

Fail: If value of parameter ENFORCE_PASSWORD_CHECK in /etc/openstack-dashboard/local_settings.py is set to False.

Check-Dashboard-10: Is PASSWORD_VALIDATOR configured?

Allows a regular expression to validate user password complexity.

Pass: If value of parameter PASSWORD_VALIDATOR in /etc/openstack-dashboard/local_settings.py is set to any value outside of the defaul allow all “regex”: ‘.*’,

Fail: If value of parameter PASSWORD_VALIDATOR in /etc/openstack-dashboard/local_settings.py is set to allow all “regex”: ‘.*’

Check-Dashboard-11: Is SECURE_PROXY_SSL_HEADER configured?

If the OpenStack Dashboard is deployed behind a proxy and the proxy strips X-Forwarded-Proto header from all incoming requests, or sets the X-Forwarded-Proto header and sends it to the Dashboard, but only for requests that originally come in via HTTPS, then you should consider configuring SECURE_PROXY_SSL_HEADER

Futher information can be found in the Django documentation.

Pass: If value of parameter SECURE_PROXY_SSL_HEADER in /etc/openstack-dashboard/local_settings.py is set to 'HTTP_X_FORWARDED_PROTO', 'https'

Fail: If value of parameter SECURE_PROXY_SSL_HEADER in /etc/openstack-dashboard/local_settings.py is not set to 'HTTP_X_FORWARDED_PROTO', 'https' or commented out.