
CYSAT: The leading European cybersecurity and space exhibition to take place 26th-27th April in Paris (Station F)


The biggest European event entirely focused on cybersecurity for the space industry will take place in Paris in April 2023. Since 2021, the event has brought space and cybersecurity experts together to create a European ecosystem capable of responding to the current and future challenges faced by the European space industry.

Paris, 10th March 2023 – CYSEC, a leading cybersecurity company, is organising the third edition of CYSAT, the largest European event entirely dedicated to cybersecurity for the space industry, on 26th and 27th April 2023 at Station F in Paris.

Faced with cybersecurity challenges and the growing importance of data protection in space, it is crucial to bring together communities of cybersecurity experts to build a European ecosystem capable of addressing current and future industry challenges.

Last year's event saw more than 450 space specialists, decision-makers and experts come together. In its third year, CYSAT will highlight Europe's cybersecurity capabilities and solutions dedicated to space from both a technological and a geostrategic perspective.

What to expect at the event:

  • An exclusive testimony by Colonel Oleksandr Potii, Deputy Chairman of the State Service of Special Communications and Information Protection of Ukraine. One year after the cyber-attack on the KA-SAT satellite network, Potii will reflect on the lessons that can be learned from it.
  • Talks and keynotes from renowned industry experts, including Philippe Baptiste, President of CNES, Jean-Marc Nasr, Vice-President Space at Airbus Defence and Space, Massimo Mercati, Head of Security at ESA, and Greg Wyler, founder of E-Space.
  • Workshops and demonstrations highlighting the know-how of the space industry

Top speakers at CYSAT PARIS 2023

Mathieu Bailly, VP Space at CYSEC and Director of CYSAT, said: "Last year's CYSAT event focused on the importance and critical value of space data, in a particularly charged geopolitical context. Data protection has proven to be a major issue for both companies and European countries in recent times. This year, we want to bring the major players in space and cybersecurity together again, with the aim to create a sovereign European ecosystem, capable of addressing these technological and economic challenges.

Mathieu Bailly, VP Space at CYSEC and Director of CYSAT

“We hope to foster a continuum between established players and newcomers in the space industry to demonstrate Europe’s capacity for innovation and the opportunities this new ecosystem will create.”

To find the full programme and more information on the event, visit: https://cysat.eu/

About CYSEC

CYSEC is a Franco-Swiss cybersecurity company that is a pioneer in the protection of satellites and data collected and transmitted in space.

In 2023 the company launched two security products: ARCA SATCOM, dedicated to the satellite internet market, and ARCA SATLINK, dedicated to constellation operators.

For more information: www.cysec.com

Space Cybersecurity Weekly Watch by CyberInflight – W15 2023


CyberInflight and Florent Rizzo have released their new Space Cybersecurity Weekly Watch for week 15 (April 3-11, 2023).

In this second Space Cybersecurity Watch, you will find articles, company communications, whitepapers, academic works, podcasts and other sources not to be missed on the topic of space cybersecurity over the covered timeframe.

The areas covered by this watch are: geopolitics, market & competition, threat intelligence, regulation, technology, training & education, and important news.

You can download this second Space Cybersecurity Weekly Watch here.

HOT NEWS

At the top of their watch, CyberInflight and Florent Rizzo make a very important announcement:

"CyberInflight's new space cybersecurity market intelligence research report is out! The team has put an incredible amount of effort into releasing this "150-page bible of the space cybersecurity market"! You can get the details and the table of contents by contacting us. This report is a unique resource that identifies the main market trends and intelligence indicators to comprehend the overall space cybersecurity ecosystem and to make better strategic decisions."

Congratulations to the whole CyberInflight team for this achievement.

You can check a sample here.

Space Cybersecurity Weekly Watch by CyberInflight – 20-26/03/2023


HOT NEWS

CyberInflight and Florent Rizzo have just announced the release of their first Space Cybersecurity Weekly Watch. They have been working on a weekly space cybersecurity watch for a few months.

CyberInflight explained why they release this Space Cybersecurity Watch:

  • CyberInflight needs it internally to conduct their business intelligence activities.
  • Existing watch services are often automated and not very relevant, even those run by actors with huge resources; they tend to be either too "cyber" or too "space".
  • The number of articles on the subject has exploded in the last 2 years.
  • Everybody gets a watch but nobody reads it…
  • Time is precious, so they give an estimated reading time as well as the 5 key articles not to be missed.

In this first Space Cybersecurity Watch, you will find articles, company communications, whitepapers, academic works, podcasts and other sources not to be missed on the topic of space cybersecurity over the covered timeframe.

The watch will be freely available for a few weeks. Feedback and remarks are welcome and don’t hesitate to share.

You can download the first release here.

Presentation of the "Defense and Security in Space" master's degree of the École de l'Air et de l'Espace (EAE)


For several years, space has been developing at a particularly fast pace, whether in connection with everyday applications (telecommunications, navigation and positioning, bank transfers, Earth observation, …) or with military operations. This strong growth does not come without raising security questions.

To convince you, we have written several articles on the subject; here are a few of them:

The École de l'air et de l'espace (EAE), in partnership with the Commandement de l'Espace (CDE), the Centre national d'études spatiales (CNES) and the Office national d'études et de recherches aérospatiales (ONERA), offers a Mastère Spécialisé « Defense and Security in Space » (MS DefSiS). This high-level dual civilian and military programme (BAC+6, one year beyond a master's degree), open to international students, aims to train civilian and military executives with an integrated view of the security of space systems in civilian or defence space operations.

The skills developed in the MS® DefSiS give privileged access to analysis and consulting roles within industry, government bodies or consultancies involved in the operation and use of civilian and military space systems in their security dimension.

This expertise can notably be applied to the research or development of a space programme, to the deployment and operational use of a space system, or to the analysis, prevention, monitoring or management of crises.

PDF brochure of the DefSiS master's degree

Below is a 3-page PDF brochure presenting the "Defense and Security in Space" master's degree of the École de l'Air et de l'Espace (EAE).

Video presentation of the DefSiS master's degree in the Journal de l'espace

To find out more

Applications for the 2023-2024 intake are open. For more information, find all the details and application procedures (application file, scholarship requests) on the École de l'air et de l'espace website.

CYSAT ’22, a space cybersecurity conference in Paris (April 6-7th 2022)


CYSAT is the first European event entirely dedicated to cybersecurity for space.

After a successful first edition over 2 days in March 2021 with over 200 participants, CYSAT is back and has selected Paris as its new home!

The second edition will take place on April 6-7th, 2022 in a hybrid format, i.e. hosted physically at Station F in Paris and accessible online.

An event around 3 pillars

The CYSAT event will be centered around 3 pillars:

  1. A technical conference with keynotes by selected cyber and space experts, offering a unique opportunity to deep dive into all the different aspects of cybersecurity for space. Ideal for space engineers who want to learn.
  2. An executive day featuring industrial leaders and top-level representatives from national and European agencies.
  3. Demos by 3 teams of ethical hackers of cyber attacks on a flying satellite: Hack CYSAT.

The technical conference, as in the first edition, will be led by experts from both the space and cybersecurity fields, and will tackle all the important topics: cyber threats, security by design, mission control security, on-board security, cloud security, quantum technologies, NewSpace, etc.

A day will be dedicated to executives, with keynotes from industry as well as national and European agencies, and panel discussions on the protection of European space assets (upstream) and data (downstream), mixing established players, NewSpace companies and space agencies.

Hack CYSAT challenge

The Hack CYSAT challenge is a great surprise. The CYSAT team is working with partners to get the hacker community excited.

The winners will be invited to STATION F (Paris) to showcase their demos live. Details at hack.cysat.eu

CYSAT Program

The CYSAT program is out and available here. Check out the line-up of speakers and panelists who will discuss cybersecurity for European space assets and data.

The program combines technical keynotes on the topics of:

  • Cyber threats relevant for space systems
  • Ground segment security
  • On-board security

Don't hesitate to visit the CYSAT website to register. Tickets for on-site and online attendance at www.cysat.eu

See you all at the STATION F in Paris, April 6-7th!

Check the CYSAT replay 2021 here

Install KYPO Cyber Range Platform on Openstack and Ubuntu in AWS cloud


KYPO is a Cyber Range Platform (KYPO CRP) developed by Masaryk University since 2013. KYPO CRP is built entirely on state-of-the-art approaches such as containers, infrastructure as code, microservices and open-source software, including the OpenStack cloud platform.

KYPO CRP is now part of CONCORDIA consortium. CONCORDIA H2020 is a dedicated consortium of over 52 partners from academia, industry and public bodies. The main objective of the project is to lead the integration of Europe’s excellent cybersecurity competencies into the network of expertise to build the European secure, resilient and trusted ecosystem for the Digital Sovereignty of Europe.

The CONCORDIA project released KYPO CRP as open source in 2020. The release of an open-source cyber range is part of CONCORDIA strategy to build the European Trusted, Secure and Resilient Ecosystem for Digital Sovereignty of Europe.

KYPO Cyber Range Platform is the European Commission’s Innovation Radar Prize Winner in the ‘Disruptive Tech’ category.

In this article, I describe how to install KYPO Cyber Range Platform (CRP) on Openstack and Ubuntu Server running on the AWS cloud. I installed OpenStack on Ubuntu with DevStack.

What is a Cyber Range?

A Cyber Range is a platform for cyber security research and education: a simulated representation of an organization's network, systems, tools and applications, connected in an isolated environment.

A Cyber Range (a sort of modelled network, or digital twin of a real network) allows Adversary Emulation, a type of ethical hacking engagement where the Red Team emulates how an adversary operates, leveraging the same tactics, techniques and procedures (TTPs) against a target organization.

The goal of these engagements is to improve education, but also to improve technology and to conduct cyber security research.

Adversary emulations are performed using a structured approach following industry methodologies and frameworks (such as MITRE ATT&CK) and leverage Cyber Threat Intelligence to emulate a malicious actor that has the opportunity, intent, and capability to attack the target organization.

What is DevStack?

DevStack is a modular set of scripts that can be run to deploy a basic OpenStack cloud for use as a demo or test environment. The scripts can be run on a single node that is baremetal or a virtual machine. It can also be configured to deploy to multiple nodes. DevStack deployment takes care of tedious tasks like configuring the database and message queueing system, making it possible for developers to quickly and easily deploy an OpenStack cloud.

By default, the core services for OpenStack are installed, but users can configure additional services to be deployed. All services are installed from source. DevStack will pull the services from git master unless configured to clone from a stable branch (e.g. stable/pike).

DevStack installs keystone, glance, nova, placement, cinder, neutron and horizon, but it doesn't install heat, the OpenStack orchestration service that KYPO CRP requires. So you have to configure DevStack to enable heat.

Ubuntu Server Installation on AWS Cloud

The instance is an Ubuntu Server 20.04.3 LTS (HVM) with 4 vCPUs, 16 GB RAM and a 55 GB SSD disk.

root# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal

DevStack installation

I followed this official tutorial but also this article. So let’s go step by step.

ubuntu$ sudo apt update
Fetched 20.6 MB in 4s (5862 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
31 packages can be upgraded. Run 'apt list --upgradable' to see them.
ubuntu$ sudo apt -y upgrade
Found linux image: /boot/vmlinuz-5.11.0-1021-aws
Found initrd image: /boot/microcode.cpio /boot/initrd.img-5.11.0-1021-aws
Found linux image: /boot/vmlinuz-5.11.0-1020-aws
Found initrd image: /boot/microcode.cpio /boot/initrd.img-5.11.0-1020-aws
Found Ubuntu 20.04.3 LTS (20.04) on /dev/xvda1
Done
ubuntu$ sudo apt -y dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
ubuntu$ sudo reboot
ubuntu$ sudo useradd -s /bin/bash -d /opt/stack -m stack
ubuntu$ echo "stack ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/stack
ubuntu$ sudo su - stack
stack$ sudo su -
root$ su - stack
stack$ sudo apt -y install git
Reading package lists... Done
Building dependency tree
Reading state information... Done
git is already the newest version (1:2.25.1-1ubuntu3.2).
git set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
stack$ git clone https://git.openstack.org/openstack-dev/devstack
Cloning into 'devstack'...
warning: redirecting to https://opendev.org/openstack/devstack/
remote: Enumerating objects: 27621, done.
remote: Counting objects: 100% (27621/27621), done.
remote: Compressing objects: 100% (9258/9258), done.
remote: Total 47887 (delta 26959), reused 18363 (delta 18363), pack-reused 20266
Receiving objects: 100% (47887/47887), 10.19 MiB | 4.03 MiB/s, done.
Resolving deltas: 100% (33650/33650), done.
stack$ cd devstack
stack$ vi local.conf

Add:

[[local|localrc]]

# Password for KeyStone, Database, RabbitMQ and Service
ADMIN_PASSWORD=StrongAdminSecret
DATABASE_PASSWORD=$ADMIN_PASSWORD
RABBIT_PASSWORD=$ADMIN_PASSWORD
SERVICE_PASSWORD=$ADMIN_PASSWORD

Heat is configured by default in DevStack for the Icehouse and Juno releases, but, as mentioned at the beginning, newer OpenStack versions require enabling the heat services in DevStack's local.conf. I followed this tutorial.

Add the following to [[local|localrc]] section of local.conf:

[[local|localrc]]

#Enable heat services
enable_service h-eng h-api h-api-cfn h-api-cw

Since the Newton release, heat is available as a DevStack plugin. To enable the plugin, add the following to the [[local|localrc]] section of local.conf:

[[local|localrc]]

#Enable heat plugin
enable_plugin heat https://opendev.org/openstack/heat

I tried to pin a stable branch by passing the branch name to enable_plugin, but it didn't work for me, so I did not add the following line.

enable_plugin heat https://opendev.org/openstack/heat stable/newton

It is also useful to automatically download and register a VM image that heat can launch. To do that, add the following to the [[local|localrc]] section of local.conf:

IMAGE_URL_SITE="https://download.fedoraproject.org"
IMAGE_URL_PATH="/pub/fedora/linux/releases/33/Cloud/x86_64/images/"
IMAGE_URL_FILE="Fedora-Cloud-Base-33-1.2.x86_64.qcow2"
IMAGE_URLS+=","$IMAGE_URL_SITE$IMAGE_URL_PATH$IMAGE_URL_FILE

Disable the Ubuntu firewall so that the OpenStack services can reach each other. Note that on AWS the instance's security group then becomes the only network filter in front of Horizon and Keystone, which DevStack serves over plain HTTP by default, so restrict inbound access to your own address.

stack$ sudo ufw disable

I then started the installation of Openstack.

stack$ ./stack.sh

This takes roughly 20 minutes, depending largely on the speed of the internet connection. At the end of the installation process, you should see output like this:

=========================
DevStack Component Timing
(times are in seconds)
=========================
wait_for_service      16
pip_install          232
apt-get              264
run_process           27
dbsync                15
git_timed            286
apt-get-update         1
test_with_retry        5
async_wait            72
osc                  305
-------------------------
Unaccounted time     155
=========================
Total runtime        1378

=================
Async summary
=================
Time spent in the background minus waits: 367 sec
Elapsed time: 1378 sec
Time if we did everything serially: 1745 sec
Speedup:  1.26633

This is your host IP address: xxx.xxx.xxx.xxx
This is your host IPv6 address: ::1
Horizon is now available at http://xxx.xxx.xxx.xxx/dashboard
Keystone is serving at http://xxx.xxx.xxx.xxx/identity/
The default users are: admin and demo
The password: xxxxxxx

Services are running under systemd unit files.
For more information see:
https://docs.openstack.org/devstack/latest/systemd.html

DevStack Version: yoga
Change: f9a896c6e6afcf52e9a50613285940c26e353ba3 Rehome functions to enable Neutron's QoS service 2021-11-13 19:52:06 +0000
OS Version: Ubuntu 20.04 focal

2021-11-15 20:47:52.095 | stack.sh completed in 1378 seconds.

Copy the Horizon URL shown on the installation output and paste it into your web browser:

http://192.168.10.100/dashboard

Log in as the default user admin with the password configured in local.conf.

I have access to the Horizon web interface dashboard to manage vms, networks, volumes, and images.

Before you can run client commands, the OpenStack RC file must be downloaded from the Horizon dashboard and sourced in the current shell environment.

To download the OpenStack RC file, log in to the Horizon dashboard, check that you are in the right project (admin in my case) and go to Project > API Access.

On the API Access section, use the “Download OpenStack RC File” link to pull and save the “admin-openrc.sh” file on your desktop.

Copy the contents of the file to the server.

stack$ vi admin-openrc.sh

Source the file. As a security mechanism the file doesn't contain the user password; you'll be prompted for it when sourcing the file.

source admin-openrc.sh
Please enter your OpenStack Password for project admin as user admin:

Run a few OpenStack client commands to confirm it is working. Check above all that the heat service is registered.

stack$ openstack service list
+----------------------------------+-------------+----------------+
| ID                               | Name        | Type           |
+----------------------------------+-------------+----------------+
| 0b293dc58885450bad190bbfe3bacc40 | nova_legacy | compute_legacy |
| 1c05400514e341d09bd5a973136a9789 | cinderv3    | volumev3       |
| 3049ac1cc4a84b81a41d9fdb559ce922 | heat        | orchestration  |
| 775998becd0142579289a613a4313e1a | keystone    | identity       |
| 840023d4bc6f4e75a7fdb6e7d49ed28e | placement   | placement      |
| b9a2b39775a94d4f8a5fdfb25b9e4dc1 | neutron     | network        |
| c7b83375dafa428cbc21ceafb8611fbe | heat-cfn    | cloudformation |
| e62bfc0c37774f8da910b3062df43d53 | cinder      | block-storage  |
| f2ffbf578599481295140dec77bcd549 | nova        | compute        |
| f619511aea824a59a76e66702de4e1c2 | glance      | image          |
+----------------------------------+-------------+----------------+

To avoid typing the password each time you source the RC file, you can optionally comment out the lines that prompt for it and provide it statically. The file then holds the admin credential in clear text, so keep it readable only by the stack user and out of any repository:

stack$ vi admin-openrc.sh
# With Keystone you pass the keystone password.
#echo "Please enter your OpenStack Password for project $OS_PROJECT_NAME as user $OS_USERNAME: "
#read -sr OS_PASSWORD_INPUT
#export OS_PASSWORD=$OS_PASSWORD_INPUT
export OS_PASSWORD='xxxxxxxxxxx'

You can copy the RC file to keystonerc_admin

stack$ cp admin-openrc.sh keystonerc_admin
stack$ source keystonerc_admin

You can run some other OpenStack client commands to confirm that everything is working properly:

stack$ openstack catalog list
+-------------+----------------+----------------------------------------------------------------------------+
| Name        | Type           | Endpoints                                                                  |
+-------------+----------------+----------------------------------------------------------------------------+
| nova_legacy | compute_legacy | RegionOne                                                                  |
|             |                |   public: http://xxx.xxx.xxx.xxx/compute/v2/d81af43ddd074376a8e7fff88d61c905  |
|             |                |                                                                            |
| cinderv3    | volumev3       | RegionOne                                                                  |
|             |                |   public: http://xxx.xxx.xxx.xxx/volume/v3/d81af43ddd074376a8e7fff88d61c905   |
|             |                |                                                                            |
| heat        | orchestration  | RegionOne                                                                  |
|             |                |   public: http://xxx.xxx.xxx.xxx/heat-api/v1/d81af43ddd074376a8e7fff88d61c905 |
|             |                |                                                                            |
| keystone    | identity       | RegionOne                                                                  |
|             |                |   public: http://xxx.xxx.xxx.xxx/identity                                     |
|             |                |                                                                            |
| placement   | placement      | RegionOne                                                                  |
|             |                |   public: http://xxx.xxx.xxx.xxx/placement                                    |
|             |                |                                                                            |
| neutron     | network        | RegionOne                                                                  |
|             |                |   public: http://xxx.xxx.xxx.xxx:9696/                                        |
|             |                |                                                                            |
| heat-cfn    | cloudformation | RegionOne                                                                  |
|             |                |   public: http://xxx.xxx.xxx.xxx/heat-api-cfn/v1                              |
|             |                |                                                                            |
| cinder      | block-storage  | RegionOne                                                                  |
|             |                |   public: http://xxx.xxx.xxx.xxx/volume/v3/d81af43ddd074376a8e7fff88d61c905   |
|             |                |                                                                            |
| nova        | compute        | RegionOne                                                                  |
|             |                |   public: http://xxx.xxx.xxx.xxx/compute/v2.1                                 |
|             |                |                                                                            |
| glance      | image          | RegionOne                                                                  |
|             |                |   public: http://xxx.xxx.xxx.xxx/image                                        |
|             |                |                                                                            |
+-------------+----------------+----------------------------------------------------------------------------+

I checked the endpoint list to find the public endpoint of the orchestration service (heat), and the orchestration service list to confirm that the heat engines are up.

stack$ openstack endpoint list
+----------------------------------+-----------+--------------+----------------+---------+-----------+------------------------------------------------+
| ID                               | Region    | Service Name | Service Type   | Enabled | Interface | URL                                            |
+----------------------------------+-----------+--------------+----------------+---------+-----------+------------------------------------------------+
| 064822424bfe4c4394951dce1832e316 | RegionOne | cinder       | block-storage  | True    | public    | http://xxx.xxx.xxx.xxx/volume/v3/$(project_id)s  |
| 11fbdcab6dfe42cb82c3ac4c3f61296a | RegionOne | nova         | compute        | True    | public    | http://xxx.xxx.xxx.xxx/compute/v2.1              |
| 2cb9561aa98a4c079d0c7f35ba347647 | RegionOne | keystone     | identity       | True    | public    | http://xxx.xxx.xxx.xxx/identity                  |
| 52bcd8dde6fb4f7b82d976cf71a0d37e | RegionOne | cinderv3     | volumev3       | True    | public    | http://xxx.xxx.xxx.xxx/volume/v3/$(project_id)s  |
| 82d29e1ceb464b7f831b84434ebb0be3 | RegionOne | glance       | image          | True    | public    | http://xxx.xxx.xxx.xxx/image                     |
| 98037666c0e74127ab713bd4865b062d | RegionOne | neutron      | network        | True    | public    | http://xxx.xxx.xxx.xxx:9696/                     |
| 9bda08ed79fe4fc399f94f6274ceaca0 | RegionOne | placement    | placement      | True    | public    | http://xxx.xxx.xxx.xxx/placement                 |
| cc35f42f35304534b83301f4fc70e778 | RegionOne | nova_legacy  | compute_legacy | True    | public    | http://xxx.xxx.xxx.xxx/compute/v2/$(project_id)s |
+----------------------------------+-----------+--------------+----------------+---------+-----------+------------------------------------------------+
stack$ openstack orchestration service list
+-----------------+-------------+--------------------------------------+-----------------+--------+----------------------------+--------+
| Hostname        | Binary      | Engine ID                            | Host            | Topic  | Updated At                 | Status |
+-----------------+-------------+--------------------------------------+-----------------+--------+----------------------------+--------+
| xxxxxxxxxxxxxxx | heat-engine | 5ffc9a0d-2756-462a-8da1-b5f2aeca165b | xxxxxxxxxxxxxxx | engine | 2021-11-15T21:40:55.000000 | up     |
| xxxxxxxxxxxxxxx | heat-engine | 54387f8e-44d7-4749-853a-c06d6be92ace | xxxxxxxxxxxxxxx | engine | 2021-11-15T21:40:55.000000 | up     |
+-----------------+-------------+--------------------------------------+-----------------+--------+----------------------------+--------+

KYPO CRP installation

OpenStack Requirements

Check the OpenStack requirements first here.

root# openstack flavor create --ram 2048 --disk 20 --vcpus 1 csirtmu.tiny1x2
+----------------------------+--------------------------------------+
| Field                      | Value                                |
+----------------------------+--------------------------------------+
| OS-FLV-DISABLED:disabled   | False                                |
| OS-FLV-EXT-DATA:ephemeral  | 0                                    |
| description                | None                                 |
| disk                       | 20                                   |
| id                         | 69fb4a25-d8f3-4a5b-afbd-8a4823210733 |
| name                       | csirtmu.tiny1x2                      |
| os-flavor-access:is_public | True                                 |
| properties                 |                                      |
| ram                        | 2048                                 |
| rxtx_factor                | 1.0                                  |
| swap                       |                                      |
| vcpus                      | 1                                    |
+----------------------------+--------------------------------------+
stack$ wget https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img -P /tmp/
Resolving cloud-images.ubuntu.com (cloud-images.ubuntu.com)... 91.189.88.248, 91.189.88.247, 2001:67c:1360:8001::33, ...
Connecting to cloud-images.ubuntu.com (cloud-images.ubuntu.com)|91.189.88.248|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 568131584 (542M) [application/octet-stream]
Saving to: ‘/tmp/focal-server-cloudimg-amd64.img.1’

focal-server-cloudimg-amd64.img.1      100%[===========================================================================>] 541.81M  87.5MB/s    in 6.2s

2021-11-15 21:50:30 (88.1 MB/s) - ‘/tmp/focal-server-cloudimg-amd64.img.1’ saved [568131584/568131584]
stack$ openstack image create --disk-format qcow2 --container-format bare --public --property \
> os_type=linux --file /tmp/focal-server-cloudimg-amd64.img ubuntu-focal-x86_64

+------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field            | Value                                                                                                                                                                    |
+------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| container_format | bare                                                                                                                                                                     |
| created_at       | 2021-11-15T21:49:14Z                                                                                                                                                     |
| disk_format      | qcow2                                                                                                                                                                    |
| file             | /v2/images/f748c173-c9d7-4ded-92c2-d84d9d6bcd82/file                                                                                                                     |
| id               | f748c173-c9d7-4ded-92c2-d84d9d6bcd82                                                                                                                                     |
| min_disk         | 0                                                                                                                                                                        |
| min_ram          | 0                                                                                                                                                                        |
| name             | ubuntu-focal-x86_64                                                                                                                                                      |
| owner            | d81af43ddd074376a8e7fff88d61c905                                                                                                                                         |
| properties       | os_hidden='False', os_type='linux', owner_specified.openstack.md5='', owner_specified.openstack.object='images/ubuntu-focal-x86_64', owner_specified.openstack.sha256='' |
| protected        | False                                                                                                                                                                    |
| schema           | /v2/schemas/image                                                                                                                                                        |
| status           | queued                                                                                                                                                                   |
| tags             |                                                                                                                                                                          |
| updated_at       | 2021-11-15T21:49:14Z                                                                                                                                                     |
| visibility       | public                                                                                                                                                                   |
+------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Base Infrastructure

I then followed this tutorial, which describes how to prepare the KYPO base infrastructure used by the KYPO Cyber Range Platform.

stack$ sudo apt install python3-pip openssh-client jq
Reading package lists... Done
Building dependency tree
Reading state information... Done
openssh-client is already the newest version (1:8.2p1-4ubuntu0.3).
openssh-client set to manually installed.
python3-pip is already the newest version (20.0.2-5ubuntu1.6).
The following NEW packages will be installed:
  jq libjq1 libonig5
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 313 kB of archives.
After this operation, 1062 kB of additional disk space will be used.
Get:1 http://eu-west-3.ec2.archive.ubuntu.com/ubuntu focal/universe amd64 libonig5 amd64 6.9.4-1 [142 kB]
Get:2 http://eu-west-3.ec2.archive.ubuntu.com/ubuntu focal-updates/universe amd64 libjq1 amd64 1.6-1ubuntu0.20.04.1 [121 kB]
Get:3 http://eu-west-3.ec2.archive.ubuntu.com/ubuntu focal-updates/universe amd64 jq amd64 1.6-1ubuntu0.20.04.1 [50.2 kB]
Fetched 313 kB in 0s (2145 kB/s)
Selecting previously unselected package libonig5:amd64.
(Reading database ... 140023 files and directories currently installed.)
Preparing to unpack .../libonig5_6.9.4-1_amd64.deb ...
Unpacking libonig5:amd64 (6.9.4-1) ...
Selecting previously unselected package libjq1:amd64.
Preparing to unpack .../libjq1_1.6-1ubuntu0.20.04.1_amd64.deb ...
Unpacking libjq1:amd64 (1.6-1ubuntu0.20.04.1) ...
Selecting previously unselected package jq.
Preparing to unpack .../jq_1.6-1ubuntu0.20.04.1_amd64.deb ...
Unpacking jq (1.6-1ubuntu0.20.04.1) ...
Setting up libonig5:amd64 (6.9.4-1) ...
Setting up libjq1:amd64 (1.6-1ubuntu0.20.04.1) ...
Setting up jq (1.6-1ubuntu0.20.04.1) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for libc-bin (2.31-0ubuntu9.2) ...
stack$ sudo pip3 install pipenv
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
/usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
Collecting pipenv
  Downloading pipenv-2021.11.15-py2.py3-none-any.whl (3.6 MB)
     |████████████████████████████████| 3.6 MB 25.8 MB/s
Requirement already satisfied: virtualenv in /usr/local/lib/python3.8/dist-packages (from pipenv) (20.10.0)
Requirement already satisfied: setuptools>=36.2.1 in /usr/local/lib/python3.8/dist-packages (from pipenv) (59.1.0)
Collecting virtualenv-clone>=0.2.5
  Downloading virtualenv_clone-0.5.7-py3-none-any.whl (6.6 kB)
Requirement already satisfied: certifi in /usr/lib/python3/dist-packages (from pipenv) (2019.11.28)
Requirement already satisfied: pip>=18.0 in /usr/local/lib/python3.8/dist-packages (from pipenv) (21.3.1)
Requirement already satisfied: filelock<4,>=3.2 in /usr/local/lib/python3.8/dist-packages (from virtualenv->pipenv) (3.3.2)
Requirement already satisfied: platformdirs<3,>=2 in /usr/local/lib/python3.8/dist-packages (from virtualenv->pipenv) (2.4.0)
Requirement already satisfied: distlib<1,>=0.3.1 in /usr/local/lib/python3.8/dist-packages (from virtualenv->pipenv) (0.3.3)
Requirement already satisfied: six<2,>=1.9.0 in /usr/local/lib/python3.8/dist-packages (from virtualenv->pipenv) (1.16.0)
Requirement already satisfied: backports.entry-points-selectable>=1.0.4 in /usr/local/lib/python3.8/dist-packages (from virtualenv->pipenv) (1.1.1)
Installing collected packages: virtualenv-clone, pipenv
Successfully installed pipenv-2021.11.15 virtualenv-clone-0.5.7
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

Create the application credentials as shown in this video. Be sure to create them with the “unrestricted” option: by default Keystone forbids an application credential from creating trusts or further application credentials, and Heat creates a trust for each of the stacks deployed below. An unrestricted credential can do everything its owner can, so treat its secret like your password.

Once the application credentials are created, download the “app-cred-kypo-openrc.sh” file from the Horizon dashboard to your desktop and paste its contents into a file of the same name on the server. The file carries the credential secret in clear text (OS_APPLICATION_CREDENTIAL_SECRET), so make it readable by your user only (chmod 600).

stack$ vi app-cred-kypo-openrc.sh

Source the file

stack$ source app-cred-kypo-openrc.sh
stack$ git clone https://gitlab.ics.muni.cz/muni-kypo-crp/devops/kypo-crp-openstack-base.git
Cloning into 'kypo-crp-openstack-base'...
remote: Enumerating objects: 269, done.
remote: Counting objects: 100% (138/138), done.
remote: Compressing objects: 100% (80/80), done.
remote: Total 269 (delta 54), reused 129 (delta 47), pack-reused 131
Receiving objects: 100% (269/269), 78.56 KiB | 1.31 MiB/s, done.
Resolving deltas: 100% (111/111), done.
stack$ cd kypo-crp-openstack-base
stack$ pipenv install
Creating a virtualenv for this project...
Pipfile: /opt/stack/devstack/kypo-crp-openstack-base/Pipfile
Using /usr/bin/python3.8 (3.8.10) to create virtualenv...
⠴ Creating virtual environment...created virtual environment CPython3.8.10.final.0-64 in 235ms
  creator CPython3Posix(dest=/opt/stack/.local/share/virtualenvs/kypo-crp-openstack-base-5QbM23-5, clear=False, no_vcs_ignore=False, global                                                                                        =False)
  seeder FromAppData(download=False, pip=bundle, setuptools=bundle, wheel=bundle, via=copy, app_data_dir=/opt/stack/.local/share/virtualenv                                                                                        )
    added seed packages: pip==21.3.1, setuptools==58.3.0, wheel==0.37.0
  activators BashActivator,CShellActivator,FishActivator,NushellActivator,PowerShellActivator,PythonActivator
✔ Successfully created virtual environment!
Virtualenv location: /opt/stack/.local/share/virtualenvs/kypo-crp-openstack-base-5QbM23-5
Installing dependencies from Pipfile.lock (5ccba9)...
  🐍   ▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉ 61/61 — 00:01:39
To activate this project's virtualenv, run pipenv shell.
Alternatively, run a command inside the virtualenv with pipenv run.
stack$ pipenv shell
Creating a virtualenv for this project...
Pipfile: /opt/stack/Pipfile
Using /usr/bin/python3 (3.8.10) to create virtualenv...
⠋ Creating virtual environment...created virtual environment CPython3.8.10.final.0-64 in 619ms
  creator CPython3Posix(dest=/opt/stack/.local/share/virtualenvs/stack-mJieuOd4, clear=False, no_vcs_ignore=False, global=False)
  seeder FromAppData(download=False, pip=bundle, setuptools=bundle, wheel=bundle, via=copy, app_data_dir=/opt/stack/.local/share/virtualenv)
    added seed packages: pip==21.3.1, setuptools==58.3.0, wheel==0.37.0
  activators BashActivator,CShellActivator,FishActivator,NushellActivator,PowerShellActivator,PythonActivator
✔ Successfully created virtual environment!
Virtualenv location: /opt/stack/.local/share/virtualenvs/stack-mJieuOd4
Creating a Pipfile for this project...
Launching subshell in virtual environment...
stack$  . /opt/stack/.local/share/virtualenvs/stack-mJieuOd4/bin/activate
((kypo-crp-openstack-base) ) stack$ pipenv sync

Installing dependencies from Pipfile.lock (5ccba9)...
  🐍   ▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉ 0/0 — 00:00:00
All dependencies are now up-to-date!

Before deploying, you need to obtain several configuration values that are specific to your OpenStack instance: the external network, the images and the flavors it offers.

stack$ openstack network list --external --column Name
+--------+
| Name   |
+--------+
| public |
+--------+
stack$ openstack image list --column Name
+---------------------------------+
| Name                            |
+---------------------------------+
| Fedora-Cloud-Base-33-1.2.x86_64 |
| cirros-0.5.2-x86_64-disk        |
| ubuntu-focal-x86_64             |
+---------------------------------+
stack$ openstack flavor list --column Name
+-----------+
| Name      |
+-----------+
| m1.tiny   |
| m1.small  |
| m1.medium |
| m1.large  |
| m1.nano   |
| m1.xlarge |
| m1.micro  |
| cirros256 |
| ds512M    |
| ds1G      |
| ds2G      |
| ds4G      |
+-----------+

Unset all the OS_* variables exported by the previous source command:

stack$ unset "${!OS_@}"

Below is the default openstack-defaults.sh file.

stack$ cat openstack-defaults.sh
#!/usr/bin/env bash

export KYPO_HEAD_FLAVOR="standard.large"
export KYPO_HEAD_IMAGE="ubuntu-focal-x86_64"
export KYPO_HEAD_USER="ubuntu"
export KYPO_PROXY_FLAVOR="standard.medium"
export KYPO_PROXY_IMAGE="ubuntu-focal-x86_64"
export KYPO_PROXY_USER="ubuntu"
export DNS1="1.1.1.1"
export DNS2="1.0.0.1"

Modify this file and set the desired values for the images (<kypo_base_image>) and flavors (<kypo_base_flavor>). On my side, I removed the “standard.large” and “standard.medium” flavors and replaced them with “m1.small”, because my configuration is not very powerful.

stack$ cat openstack-defaults.sh
#!/usr/bin/env bash

export KYPO_HEAD_FLAVOR="m1.small"
export KYPO_HEAD_IMAGE="ubuntu-focal-x86_64"
export KYPO_HEAD_USER="ubuntu"
export KYPO_PROXY_FLAVOR="m1.small"
export KYPO_PROXY_IMAGE="ubuntu-focal-x86_64"
export KYPO_PROXY_USER="ubuntu"
export DNS1="1.1.1.1"
export DNS2="1.0.0.1"
stack$ source openstack-defaults.sh
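Before running ./bootstrap.sh and ./create-base.sh it is worth confirming that the names just written into openstack-defaults.sh actually exist in the cloud: the stock file asks for “standard.large” and “standard.medium”, which DevStack does not ship, and Heat only reports that at stack-creation time. The script below is an added example, not part of kypo-crp-openstack-base. It reads the same KYPO_* variables the defaults file exports and checks them, together with the external network name given to bootstrap.sh, against the output of `openstack image list`, `openstack flavor list` and `openstack network list --external`. The KYPO_INVENTORY variable is a hook invented for this example so that the check can be exercised offline with a constructed inventory.

```shell
#!/usr/bin/env bash
# Added pre-flight check (example code, not part of kypo-crp-openstack-base).
# Verifies that every image and flavor name exported by openstack-defaults.sh,
# and the external network name handed to ./bootstrap.sh, exist in the target
# cloud before ./create-base.sh tries to use them.
#
# KYPO_INVENTORY is a hook invented for this example: when set, it holds
# constructed "<kind> <name>" lines and the openstack CLI is not called, so the
# check can be exercised offline.

# Print the names of all objects of one kind: image, flavor or network.
inventory_names() {  # $1 = image | flavor | network
  if [ -n "${KYPO_INVENTORY:-}" ]; then
    printf '%s\n' "$KYPO_INVENTORY" | awk -v k="$1" '$1 == k { sub(/^[^ ]+ /, ""); print }'
  elif [ "$1" = network ]; then
    openstack network list --external -f value -c Name
  else
    openstack "$1" list -f value -c Name
  fi
}

# Exit 0 when an object of kind $1 named exactly $2 exists, 1 otherwise.
inventory_has() {
  inventory_names "$1" | grep -qxF -- "$2"
}

# Report one variable; $1 = kind, $2 = variable name, $3 = its value.
check_one() {
  if [ -z "$3" ]; then
    echo "$2 is not set (source openstack-defaults.sh first)"
    return 1
  fi
  if ! inventory_has "$1" "$3"; then
    echo "$2=$3: no such $1 in this cloud"
    return 1
  fi
  return 0
}

# Check the four KYPO_* names plus the external network ($1, e.g. "public").
# Prints one line per problem and returns the number of names that did not resolve.
check_kypo_defaults() {
  local missing=0
  check_one image  KYPO_HEAD_IMAGE   "${KYPO_HEAD_IMAGE:-}"   || missing=$((missing + 1))
  check_one image  KYPO_PROXY_IMAGE  "${KYPO_PROXY_IMAGE:-}"  || missing=$((missing + 1))
  check_one flavor KYPO_HEAD_FLAVOR  "${KYPO_HEAD_FLAVOR:-}"  || missing=$((missing + 1))
  check_one flavor KYPO_PROXY_FLAVOR "${KYPO_PROXY_FLAVOR:-}" || missing=$((missing + 1))
  if ! inventory_has network "$1"; then
    echo "external network '$1' not found (see: openstack network list --external)"
    missing=$((missing + 1))
  fi
  [ "$missing" -eq 0 ] && echo "all KYPO defaults resolve in this cloud"
  return "$missing"
}

# Usage against a real cloud, after "source app-cred-kypo-openrc.sh" and
# "source openstack-defaults.sh":   bash check-defaults.sh public
if [ -n "${1:-}" ] && [ -z "${KYPO_INVENTORY:-}" ]; then
  check_kypo_defaults "$1"
fi
```

Run it after sourcing both app-cred-kypo-openrc.sh and openstack-defaults.sh, passing the same network name you will give to bootstrap.sh. A non-zero exit status is the number of names that did not resolve, so the stock defaults file fails with status 2 on a DevStack host.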

I checked the default security group rules. I’m not sure whether I have to delete them or not; the tutorial is not clear on this point.

stack$ openstack security group rule list default
+--------------------------------------+-------------+-----------+-----------+------------+--------------------------------------+
| ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Remote Security Group                |
+--------------------------------------+-------------+-----------+-----------+------------+--------------------------------------+
| 38b8c48a-494c-49bd-bee3-51e2c415f30b | None        | IPv4      | 0.0.0.0/0 |            | d18b863a-0b8d-4110-878a-de40e24307a5 |
| 7e5ae97e-cb42-4024-aeef-ed631a2b567c | None        | IPv6      | ::/0      |            | None                                 |
| d8808eb1-1edc-4e3f-8ddb-7061927fe9a3 | None        | IPv6      | ::/0      |            | d18b863a-0b8d-4110-878a-de40e24307a5 |
| de4d2cce-2fee-4e01-b966-5f7420c5d484 | None        | IPv4      | 0.0.0.0/0 |            | None                                 |
+--------------------------------------+-------------+-----------+-----------+------------+--------------------------------------+

I then bootstrapped the floating IPs and the keypair. The results are saved into the kypo-base-params.yml file, and the private key of the keypair into <openstack-project>_kypo-base-key.key. This key and the user-access key generated just after it both give SSH access to the base nodes, so keep them out of version control and readable only by you.

stack$ ./bootstrap.sh public
Floating IP kypo-base-head for network public does not exist. Creating...
Floating IP kypo-base-proxy for network public does not exist. Creating...
No keypair with a name or ID of 'admin_kypo-base-key' exists.
Creating keypair admin_kypo-base-key.
fingerprint: 86:8f:ea:34:dc:4b:bc:77:a8:6d:d5:7b:42:3c:a4:e4
name: admin_kypo-base-key
user_id: 042e20a21d0f4cf2a8473daf72ca2193
Private key for user access does not exist. Creating...
Generating RSA private key, 2048 bit long modulus (2 primes)
......................+++++
..+++++
e is 65537 (0x010001)
stack$ ./create-base.sh

2021-11-15 23:57:31Z [kypo-base-networking-stack]: CREATE_IN_PROGRESS  Stack CREATE started
2021-11-15 23:57:31Z [kypo-base-networking-stack.kypo-base-net]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:57:31Z [kypo-base-networking-stack.kypo-base-net]: CREATE_COMPLETE  state changed
2021-11-15 23:57:31Z [kypo-base-networking-stack.kypo-base-subnet]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:57:32Z [kypo-base-networking-stack.kypo-base-router-public]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:57:32Z [kypo-base-networking-stack.kypo-base-subnet]: CREATE_COMPLETE  state changed
2021-11-15 23:57:32Z [kypo-base-networking-stack.kypo-base-router-public-port]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:57:33Z [kypo-base-networking-stack.kypo-base-router-public-port]: CREATE_COMPLETE  state changed
2021-11-15 23:57:34Z [kypo-base-networking-stack.kypo-base-router-public]: CREATE_COMPLETE  state changed
2021-11-15 23:57:34Z [kypo-base-networking-stack.kypo-base-router-public-interface]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:57:36Z [kypo-base-networking-stack.kypo-base-router-public-interface]: CREATE_COMPLETE  state changed
2021-11-15 23:57:36Z [kypo-base-networking-stack]: CREATE_COMPLETE  Stack CREATE completed successfully
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| id                  | cb20a1c9-da98-4699-a14e-09b4d2ee78a4 |
| stack_name          | kypo-base-networking-stack           |
| description         | KYPO base networking.                |
| creation_time       | 2021-11-15T23:57:30Z                 |
| updated_time        | None                                 |
| stack_status        | CREATE_COMPLETE                      |
| stack_status_reason | Stack CREATE completed successfully  |
+---------------------+--------------------------------------+
2021-11-15 23:57:42Z [kypo-base-security-groups-stack]: CREATE_IN_PROGRESS  Stack CREATE started
2021-11-15 23:57:43Z [kypo-base-security-groups-stack.kypo-base-head-sg]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:57:43Z [kypo-base-security-groups-stack.kypo-base-head-sg]: CREATE_COMPLETE  state changed
2021-11-15 23:57:44Z [kypo-base-security-groups-stack.kypo-global-ingress-icmp]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:57:44Z [kypo-base-security-groups-stack.kypo-global-ingress-icmp]: CREATE_COMPLETE  state changed
2021-11-15 23:57:45Z [kypo-base-security-groups-stack.kypo-base-proxy-sg]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:57:45Z [kypo-base-security-groups-stack.kypo-base-proxy-sg]: CREATE_COMPLETE  state changed
2021-11-15 23:57:45Z [kypo-base-security-groups-stack.kypo-global-remote-security-groups]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:57:57Z [kypo-base-security-groups-stack.kypo-global-remote-security-groups]: CREATE_COMPLETE  state changed
2021-11-15 23:57:57Z [kypo-base-security-groups-stack]: CREATE_COMPLETE  Stack CREATE completed successfully
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| id                  | 0b52e47b-45d8-47cb-aa06-c204feedb038 |
| stack_name          | kypo-base-security-groups-stack      |
| description         | KYPO base security groups.           |
| creation_time       | 2021-11-15T23:57:42Z                 |
| updated_time        | None                                 |
| stack_status        | CREATE_COMPLETE                      |
| stack_status_reason | Stack CREATE completed successfully  |
+---------------------+--------------------------------------+
2021-11-15 23:58:00Z [kypo-head-stack]: CREATE_IN_PROGRESS  Stack CREATE started
2021-11-15 23:58:00Z [kypo-head-stack.kypo-head-port]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:58:01Z [kypo-head-stack.kypo-head-port]: CREATE_COMPLETE  state changed
2021-11-15 23:58:01Z [kypo-head-stack.kypo-head-floating-ip]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:58:01Z [kypo-head-stack.kypo-head]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:58:01Z [kypo-head-stack.kypo-head-floating-ip]: CREATE_COMPLETE  state changed
2021-11-15 23:58:06Z [kypo-head-stack.kypo-head]: CREATE_COMPLETE  state changed
2021-11-15 23:58:06Z [kypo-head-stack]: CREATE_COMPLETE  Stack CREATE completed successfully
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| id                  | 043f10e3-a13d-4e87-9732-e85e13eb6e6c |
| stack_name          | kypo-head-stack                      |
| description         | KYPO Head server.                    |
| creation_time       | 2021-11-15T23:58:00Z                 |
| updated_time        | None                                 |
| stack_status        | CREATE_COMPLETE                      |
| stack_status_reason | Stack CREATE completed successfully  |
+---------------------+--------------------------------------+
2021-11-15 23:58:12Z [kypo-proxy-jump-stack]: CREATE_IN_PROGRESS  Stack CREATE started
2021-11-15 23:58:12Z [kypo-proxy-jump-stack.kypo-proxy-jump-port]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:58:13Z [kypo-proxy-jump-stack.kypo-proxy-jump-port]: CREATE_COMPLETE  state changed
2021-11-15 23:58:13Z [kypo-proxy-jump-stack.kypo-proxy-jump-floating-ip]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:58:13Z [kypo-proxy-jump-stack.kypo-proxy-jump]: CREATE_IN_PROGRESS  state changed
2021-11-15 23:58:14Z [kypo-proxy-jump-stack.kypo-proxy-jump-floating-ip]: CREATE_COMPLETE  state changed
2021-11-15 23:58:19Z [kypo-proxy-jump-stack.kypo-proxy-jump]: CREATE_COMPLETE  state changed
2021-11-15 23:58:19Z [kypo-proxy-jump-stack]: CREATE_COMPLETE  Stack CREATE completed successfully
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| id                  | 479af43a-a6f8-4413-8291-5ce03eb56a4b |
| stack_name          | kypo-proxy-jump-stack                |
| description         | KYPO Proxy Jump server.              |
| creation_time       | 2021-11-15T23:58:12Z                 |
| updated_time        | None                                 |
| stack_status        | CREATE_COMPLETE                      |
| stack_status_reason | Stack CREATE completed successfully  |
+---------------------+--------------------------------------+

I checked the stack list:

stack$ openstack stack list
+--------------------------------------+---------------------------------+-----------------+----------------------+--------------+
| ID                                   | Stack Name                      | Stack Status    | Creation Time        | Updated Time |
+--------------------------------------+---------------------------------+-----------------+----------------------+--------------+
| 479af43a-a6f8-4413-8291-5ce03eb56a4b | kypo-proxy-jump-stack           | CREATE_COMPLETE | 2021-11-15T23:58:12Z | None         |
| 043f10e3-a13d-4e87-9732-e85e13eb6e6c | kypo-head-stack                 | CREATE_COMPLETE | 2021-11-15T23:58:00Z | None         |
| 0b52e47b-45d8-47cb-aa06-c204feedb038 | kypo-base-security-groups-stack | CREATE_COMPLETE | 2021-11-15T23:57:42Z | None         |
| cb20a1c9-da98-4699-a14e-09b4d2ee78a4 | kypo-base-networking-stack      | CREATE_COMPLETE | 2021-11-15T23:57:30Z | None         |
+--------------------------------------+---------------------------------+-----------------+----------------------+--------------+

I checked the whole installation in the Horizon dashboard.

I launched the Ansible scripts to test connectivity. Ping and SSH are OK:

((kypo-crp-openstack-base) ) root@xxxxxxxx:~/kypo-crp-openstack-base# ./ansible-check-base.sh

PLAY [Check Base Stack] *********************************************************************************************************************************************************************************************************************

TASK [ping : Wait for ssh connection] *******************************************************************************************************************************************************************************************************
ok: [kypo-base-head]
ok: [kypo-base-proxy]

TASK [Try to reach the machine via ping] ****************************************************************************************************************************************************************************************************
ok: [kypo-base-head]
ok: [kypo-base-proxy]

PLAY RECAP **********************************************************************************************************************************************************************************************************************************
kypo-base-head             : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
kypo-base-proxy            : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
((kypo-crp-openstack-base) ) root@xxxx:~/kypo-crp-openstack-base# ./ansible-user-access.sh

PLAY [Create Access for KYPO User] **********************************************************************************************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************************************************************************************
ok: [kypo-base-proxy]

TASK [user : Ensure group kypo] *************************************************************************************************************************************************************************************************************
changed: [kypo-base-proxy]

TASK [Ensure user kypo] *********************************************************************************************************************************************************************************************************************
changed: [kypo-base-proxy]

TASK [Set authorized key for kypo user] *****************************************************************************************************************************************************************************************************
changed: [kypo-base-proxy]

TASK [Add kypo user to sudoers] *************************************************************************************************************************************************************************************************************
changed: [kypo-base-proxy]

PLAY RECAP **********************************************************************************************************************************************************************************************************************************
kypo-base-proxy            : ok=5    changed=4    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Everything seems to be OK.

Now I have a problem. I rebooted my OpenStack server and lost connectivity between the OpenStack host and the instance VMs. Ping and SSH were NOK.

After some research, I found that a DevStack environment is not persistent across server reboots.

DevStack provides a set of scripts for automated installation of OpenStack on Ubuntu as well as Fedora Linux. It is a tool to help OpenStack developers to quickly set up an OpenStack environment using scripts. These scripts automatically download or clone the required packages and repositories from the OpenStack website that are necessary for setting up an OpenStack cloud. One drawback with this approach is that the environment is not persistent across server reboots.

Newer versions of DevStack run their services as systemd units, so you can use systemctl to manage them. I checked the OpenStack services. All seem to be OK:

((kypo-crp-openstack-base) ) root@ip-172-31-6-66:~/kypo-crp-openstack-base# sudo systemctl list-units devstack@*
  UNIT                                  LOAD   ACTIVE SUB     DESCRIPTION
  devstack@c-api.service                loaded active running Devstack devstack@c-api.service
  devstack@c-sch.service                loaded active running Devstack devstack@c-sch.service
  devstack@c-vol.service                loaded active running Devstack devstack@c-vol.service
  devstack@dstat.service                loaded active running Devstack devstack@dstat.service
  devstack@etcd.service                 loaded active running Devstack devstack@etcd.service
  devstack@g-api.service                loaded active running Devstack devstack@g-api.service
  devstack@h-api-cfn.service            loaded active running Devstack devstack@h-api-cfn.service
  devstack@h-api.service                loaded active running Devstack devstack@h-api.service
  devstack@h-eng.service                loaded active running Devstack devstack@h-eng.service
  devstack@keystone.service             loaded active running Devstack devstack@keystone.service
  devstack@n-api-meta.service           loaded active running Devstack devstack@n-api-meta.service
  devstack@n-api.service                loaded active running Devstack devstack@n-api.service
  devstack@n-cond-cell1.service         loaded active running Devstack devstack@n-cond-cell1.service
  devstack@n-cpu.service                loaded active running Devstack devstack@n-cpu.service
  devstack@n-novnc-cell1.service        loaded active running Devstack devstack@n-novnc-cell1.service
  devstack@n-sch.service                loaded active running Devstack devstack@n-sch.service
  devstack@n-super-cond.service         loaded active running Devstack devstack@n-super-cond.service
  devstack@placement-api.service        loaded active running Devstack devstack@placement-api.service
  devstack@q-ovn-metadata-agent.service loaded active running Devstack devstack@q-ovn-metadata-agent.service
  devstack@q-svc.service                loaded active running Devstack devstack@q-svc.service

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

20 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.

I also restarted all the services, without any change:

sudo systemctl restart devstack@*

I checked the status of Open vSwitch:

((kypo-crp-openstack-base) ) root@ip-172-31-6-66:~/kypo-crp-openstack-base# ovs-vsctl show
95bd0929-30f8-42d8-9a66-699036952e8c
    Manager "ptcp:6640:127.0.0.1"
        is_connected: true
    Bridge br-ex
        Port br-ex
            Interface br-ex
                type: internal
        Port patch-provnet-b606a04f-2955-4f7d-807b-3677bb3cb4e3-to-br-int
            Interface patch-provnet-b606a04f-2955-4f7d-807b-3677bb3cb4e3-to-br-int
                type: patch
                options: {peer=patch-br-int-to-provnet-b606a04f-2955-4f7d-807b-3677bb3cb4e3}
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port br-int
            Interface br-int
                type: internal
        Port tapf147ff8d-9b
            Interface tapf147ff8d-9b
        Port tapc6517e8f-b0
            Interface tapc6517e8f-b0
        Port tap7e86de1c-70
            Interface tap7e86de1c-70
        Port patch-br-int-to-provnet-b606a04f-2955-4f7d-807b-3677bb3cb4e3
            Interface patch-br-int-to-provnet-b606a04f-2955-4f7d-807b-3677bb3cb4e3
                type: patch
                options: {peer=patch-provnet-b606a04f-2955-4f7d-807b-3677bb3cb4e3-to-br-int}
    ovs_version: "2.13.3"
((kypo-crp-openstack-base) ) root@ip-172-31-6-66:~/kypo-crp-openstack-base# ovs-vsctl list-ports br-ex
patch-provnet-b606a04f-2955-4f7d-807b-3677bb3cb4e3-to-br-int
((kypo-crp-openstack-base) ) root@ip-172-31-6-66:~/kypo-crp-openstack-base# ovs-vsctl list-ports br-int
patch-br-int-to-provnet-b606a04f-2955-4f7d-807b-3677bb3cb4e3
tap7e86de1c-70
tapc6517e8f-b0
tapf147ff8d-9b

I found some errors, but I don’t know whether they are important:

((kypo-crp-openstack-base) ) root@ip-172-31-6-66:~/kypo-crp-openstack-base# ovs-ofctl dump-ports br-ex
2021-11-29T18:15:59Z|00001|vconn|WARN|unix:/var/run/openvswitch/br-ex.mgmt: version negotiation failed (we support version 0x01, peer supports versions 0x04, 0x06)
ovs-ofctl: br-ex: failed to connect to socket (Broken pipe)
((kypo-crp-openstack-base) ) root@ip-172-31-6-66:~/kypo-crp-openstack-base# ovs-dpctl show -s
system@ovs-system:
  lookups: hit:8565 missed:364 lost:0
  flows: 4
  masks: hit:14131 total:2 hit/pkt:1.58
  port 0: ovs-system (internal)
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 aborted:0 carrier:0
    collisions:0
    RX bytes:0  TX bytes:0
  port 1: br-ex (internal)
    RX packets:0 errors:0 dropped:4285 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 aborted:0 carrier:0
    collisions:0
    RX bytes:0  TX bytes:0
  port 2: br-int (internal)
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 aborted:0 carrier:0
    collisions:0
    RX bytes:0  TX bytes:0
  port 3: tap7e86de1c-70
    RX packets:407 errors:0 dropped:0 overruns:0 frame:0
    TX packets:38 errors:0 dropped:0 aborted:0 carrier:0
    collisions:0
    RX bytes:30048 (29.3 KiB)  TX bytes:2668 (2.6 KiB)
  port 4: tapc6517e8f-b0
    RX packets:4 errors:0 dropped:0 overruns:0 frame:0
    TX packets:16 errors:0 dropped:0 aborted:0 carrier:0
    collisions:0
    RX bytes:360  TX bytes:1216 (1.2 KiB)
  port 5: tapf147ff8d-9b
    RX packets:1592 errors:0 dropped:0 overruns:0 frame:0
    TX packets:119 errors:0 dropped:0 aborted:0 carrier:0
    collisions:0
    RX bytes:115182 (112.5 KiB)  TX bytes:6126 (6.0 KiB)

For the moment, I have stopped the procedure at this point. I will come back to it soon. If you have any idea that could help me restore connectivity between the OpenStack host and the instance VMs, you are welcome!
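The `ovs-ofctl dump-ports br-ex` failure above is a protocol mismatch rather than a datapath fault: ovs-ofctl speaks OpenFlow 1.0 (0x01) unless told otherwise, while OVN configures its bridges for OpenFlow 1.3 and 1.5 (0x04 and 0x06), so the same command works with `-O OpenFlow13`. The script below is an added example, not from the original post or the KYPO project; it gathers in one place the checks a practitioner would run on a DevStack/OVN host whose instances stopped answering after a reboot. It assumes DevStack’s default bridge names (br-ex, br-int), DevStack’s default public-network gateway 172.24.4.1/24 (PUBLIC_NETWORK_GATEWAY in local.conf) and the Ubuntu package unit names ovn-northd and ovn-controller. Whether a missing address on br-ex is what broke connectivity here is an assumption the script lets you confirm, not something the post establishes.

```shell
#!/usr/bin/env bash
# Added post-reboot triage (example code, not from the page or the KYPO project).
# Assumptions, marked where they apply: DevStack's default bridge names (br-ex,
# br-int) and public-network gateway (172.24.4.1/24), and the Ubuntu package
# unit names for OVN (ovn-northd, ovn-controller). Adjust them to your host.

# "version negotiation failed (we support version 0x01, peer supports versions
# 0x04, 0x06)" means ovs-ofctl spoke OpenFlow 1.0 to a bridge that OVN has set
# to OpenFlow 1.3/1.5. Derive the -O flag from the lowest version the peer lists.
ofp_flag_for_peer() {  # $1 = the warning line printed by ovs-ofctl
  local lo
  lo=$(printf '%s\n' "$1" | grep -o 'peer supports versions.*' \
        | grep -o '0x0[1-6]' | sort | head -n 1)
  case "$lo" in
    0x01) echo OpenFlow10 ;; 0x02) echo OpenFlow11 ;; 0x03) echo OpenFlow12 ;;
    0x04) echo OpenFlow13 ;; 0x05) echo OpenFlow14 ;; 0x06) echo OpenFlow15 ;;
    *) return 1 ;;
  esac
}

# Run an ovs-ofctl command; on a version-negotiation failure retry with the
# OpenFlow version the bridge advertised.
ofctl() {  # $@ = ovs-ofctl subcommand and arguments, e.g. dump-ports br-ex
  local out flag
  if out=$(sudo ovs-ofctl "$@" 2>&1); then printf '%s\n' "$out"; return 0; fi
  flag=$(ofp_flag_for_peer "$out") || { printf '%s\n' "$out"; return 1; }
  sudo ovs-ofctl -O "$flag" "$@"
}

# Does the bridge carry an IPv4 address? br-ex must hold the host-side gateway
# for floating IPs to be reachable from the host. Assumption: DevStack assigns
# it with plain "ip addr" commands while stacking, which a reboot discards.
bridge_has_ipv4() {  # $1 = bridge name
  ip -4 -o addr show dev "$1" 2>/dev/null | grep -q ' inet '
}

triage() {
  local br=${1:-br-ex} gw=${2:-172.24.4.1/24}   # assumptions: DevStack defaults
  echo "== devstack units that are not active =="
  systemctl list-units --all --plain --no-legend 'devstack@*' \
    | awk '$3 != "active" { print $1, $3, $4 }'
  echo "== OVN daemons (assumed Ubuntu unit names) =="
  systemctl is-active ovn-northd ovn-controller || true
  echo "== OVN bridge mapping (physical network -> bridge) =="
  sudo ovs-vsctl get open . external_ids:ovn-bridge-mappings 2>/dev/null || echo "(none set)"
  echo "== $br address =="
  if bridge_has_ipv4 "$br"; then
    ip -4 -o addr show dev "$br"
  else
    echo "$br has no IPv4 address; DevStack's default is $gw"
    echo "to restore it for the current boot only:  sudo ip addr add $gw dev $br && sudo ip link set $br up"
  fi
  echo "== OpenFlow ports and flows on $br =="
  ofctl dump-ports "$br"
  ofctl dump-flows "$br"
}

# Usage: bash triage.sh run [bridge] [gateway/prefix]
# Without "run" the file only defines the functions.
if [ "${1:-}" = run ]; then shift; triage "$@"; fi
```

Run it as a user with sudo rights: `bash triage.sh run`. The first two sections tell you whether anything failed to come back under systemd, the mapping line tells you which bridge OVN expects to use for the “public” provider network, and the address check is the one to look at first if the units are all active but the floating IPs do not answer.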

Resources

Website: https://www.kypo.cz/
Documentation: https://docs.crp.kypo.muni.cz/
Gitlab: https://gitlab.ics.muni.cz/muni-kypo-crp
Twitter: https://twitter.com/KYPOCRP

What are the components of a generic Space System

Space Policy Directive-5 (SPD-5), the Nation’s first comprehensive cybersecurity policy for space systems, defines “Space System” as “a combination of systems, to include ground systems, sensor networks, and one or more space vehicles, that provides a space-based service.”

A space system typically has three segments:

  • a ground control network,
  • a space vehicle,
  • a user or mission network.

These systems include Government national security space systems, Government civil space systems, and private space systems.

“Space Vehicle” means the portion of a space system that operates in space. Examples include satellites, space stations, launch vehicles, launch vehicle upper stage components, and spacecraft.

The following article covers the “Description of the Elements of a Satellite Command and Control System”, and this one covers “Threats, Vulnerabilities and Risks to Space Systems”.

Space Cyber Security Watch N°7 (November 7, 2021)


Find below the new Space Cyber Security Watch No 7 (November 7, 2021). In this paper, you will find everything that has caught our attention since the last time: news, articles, papers, Space CTI, videos, webinars, events, attacks, podcasts … This work is not exhaustive, so comments and observations are welcome.

Contents

  • Articles
  • Videos
  • Webinars
  • Past Events
  • Upcoming Events


Mapping of the French Space Defence public community

The Commandement De l’Espace (CDE, Space Command) was created by ministerial order on 3 September 2019. It succeeded the Commandement Interarmées de l’Espace (CIE, Joint Space Command). It now brings together, within a single major command of the Armée de l’Air et de l’Espace (AAE, French Air and Space Force), most of the expert actors of the military space domain.

To achieve the political ambition set by the space defence strategy, the CDE is pursuing an unprecedented ramp-up, relying in particular on the Centre National des Etudes Spatiales (CNES).

To meet the space defence strategy, the CDE must, by 2025, be able to conduct the first defensive actions in space. Permanent space situational awareness and the acquisition of a manoeuvring satellite demonstrator are the main capability milestones of this roadmap.

Today, the CDE is spread over four sites:

  • At Balard, the directorate and the design and implementation level are structured around 4 pillars: operations, capabilities, cooperation and organisational;
  • At Toulouse, the precursor echelon of the space operations command and control centre;
  • COSMOS (Centre opérationnel de surveillance militaire des objets spatiaux, the military space object surveillance operations centre) and CMOS (Centre militaire d’observation par satellites, the military satellite observation centre), located in Lyon and Creil respectively.

Ultimately, the transformation of the CDE aims to concentrate all military space expertise in a dedicated building located as close as possible to CNES. It will house multiple functions such as training, innovation and the core of the conduct of space operations. It will host nearly 500 experts in 2025.

In this new organisation, CMOS becomes the Escadron de Conduite des Actions Spatiales (ECAS, Space Actions Conduct Squadron), located in Toulouse at CNES, whose objective will be the station-keeping of operational space assets. COSMOS becomes the Escadron de Surveillance de l’Espace (ESE, Space Surveillance Squadron), whose objective will be the surveillance of space objects and of space in general.

This whole architecture is shown in the map below (unofficial map produced in a personal capacity).

Download the high-definition version

In more detail, here is a description of the main entities in the infographic.

Office National d’Etudes et de Recherches Aérospatiales (ONERA)

The Office National d’Etudes et de Recherches Aérospatiales (ONERA) is the main French research centre for the aeronautics, space and defence sector. Its mission is to develop and direct research in the aerospace field, to design, build and operate the means needed to carry out this research, and to ensure the dissemination of its results.

Centre National d’Etudes Spatiales (CNES)

The Centre National d’Etudes Spatiales (CNES) is a public industrial and commercial establishment (EPIC) responsible for drawing up and proposing the French space programme to the French government and for implementing it. CNES is placed under the joint supervision of the Ministry of Higher Education, Research and Innovation and the Ministry of the Armed Forces.

Commandement de la Cyberdéfense (COMCYBER)

The Commandement de la Cyberdéfense (COMCYBER), placed under the authority of the Chief of the Defence Staff (chef d’Etat-Major des armées), has brought together all the cyberdefence forces of the French armed forces since 1 January 2017.

Direction du Renseignement Militaire (DRM)

The Direction du Renseignement Militaire (DRM) is a joint body responsible for military intelligence for all of the French armed forces. It sets the priorities for intelligence of military interest and receives, together with CNES, the data collected by CMOS.

Commandement de l’Espace (CDE)

The Commandement de l’Espace (CDE) now brings together, within a single major command of the Air Force, most of the expert actors of the military space domain.

Centre Militaire d’Observation par Satellites (CMOS)

Located at Air Base 110 in Creil, the Centre Militaire d’Observation par Satellites (CMOS) 1/92 « Bourgogne » is a French Air Force unit specialised in satellite observation.

Centre opérationnel de surveillance militaire des objets spatiaux (COSMOS)

Located at Air Base 942 in Lyon Mont Verdun, the Centre Opérationnel de Surveillance Militaire des Objets Spatiaux (COSMOS) is a French Air Force unit specialised in space surveillance.

Centre de Commandement et de Contrôle des Opérations Spatiales de Paris (C3OS)

Located at the Etat-Major des Armées (Defence Staff) in Paris, the Centre de Commandement et de Contrôle des Opérations Spatiales (C3OS) is the body that directs space operations.

Escadron de Conduite des Actions Spatiales (ECAS)

Located in Toulouse at CNES, the Escadron de Conduite des Actions Spatiales (ECAS) has the objective of station-keeping for operational space assets.

Escadron de Surveillance de l’Espace (ESE)

Located in Toulouse at CNES, the Escadron de Surveillance de l’Espace (ESE), formerly COSMOS, has the objective of surveillance of space objects and of space in general.

Mapping of the specialised services of the intelligence community (1st and 2nd circle)

The illustration below is a mind map presenting the specialised services of the 1st-circle intelligence community. This map is updated with the latest changes, in particular regarding heads of service. The timeline relating to the DPR includes the link to the 2020-2021 public report on the activity of the intelligence services. This latest report focuses in particular on territorial intelligence.

Download the high-definition version

The same map also exists for the intelligence services of the second circle.

Download the high-definition version
