Metadata-Version: 2.1
Name: varroa
Version: 0.11.1
Summary: Vulnerability management for Opentack
Home-page: https://github.com/NeCTAR-RC/varroa
Author: ARDC Nectar Cloud Services
Author-email: coreservices@ardc.edu.au
License: Apache-2.0
Keywords: varroa
Classifier: Environment :: OpenStack
Classifier: Intended Audience :: Information Technology
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Operating System :: POSIX :: Linux
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.12
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: pbr
Requires-Dist: openstacksdk
Requires-Dist: keystoneauth1
Requires-Dist: keystonemiddleware
Requires-Dist: oslo.context
Requires-Dist: oslo.config
Requires-Dist: oslo.log
Requires-Dist: oslo.messaging
Requires-Dist: oslo.policy
Requires-Dist: flask>=1.0.2
Requires-Dist: marshmallow>=3.4.0
Requires-Dist: flask-migrate>=2.1.1
Requires-Dist: flask-restful>=0.3.6
Requires-Dist: flask-sqlalchemy>=2.4.1
Requires-Dist: flask-marshmallow>=0.11.0
Requires-Dist: marshmallow-sqlalchemy>=0.22.3
Requires-Dist: cotyledon
Requires-Dist: pymysql
Requires-Dist: python-memcached

# Varroa

Varroa is a security related openstack service. It is named after the varroa mite
which could be considered a vulnerability to bees.
It has several functions:

 * Track IP ownership over time in openstack
 * Store and manage discovered security risks from openstack resources.

It's main/initial purpose is to ingest security scan data, link these IP addresses to
openstack resources and provide the ability for the owners of those resources to see
these security risks.

## Client
To install the client:
 pip install varroaclient

Source: https://github.com/NeCTAR-RC/python-varroaclient

## Concepts

### IP Usage
Varroa will keep track of what openstack resource owned an IP address for what period.
It does this by consuming port create/update/delete events from neutron.

### Security Risk Type
A security risk type is an admin defined type of security risk. An example could be "Password SSH allowed"

A security risk type has a name and a description. The description should describe what the security risk is
and ideally the steps taken to fix this risk.

### Security Risk
A security risk is the linkage of a security risk type to an openstack resource.
eg. Compute instance with id XYZ has a "Password SSH allowed" security risk.

Only the IP address of the affected resource needs to be entered when creating a new security risk. Varroa
will then process this entry and attempt to link that IP address to an Openstack resource.

#### Security Risk workflow/states

When you create a new security risk it will have the initial state of NEW.
Varroa will attempt to link all NEW security risks with an openstack resource.
If varroa finds a matching resource then it will add these details to the security risk
Once varroa has attempted to link the IP to a resource it will change the status of the
security risk to PROCESSED. If project_id/resource_id is null and status = PROCESSED it
means varroa couldn't find a matching resource.

## Installation
You can install varroa using helm onto a k8s cluster
see https://github.com/NeCTAR-RC/varroa-helm

