On 09/10/2015 09:54 AM, Major Hayden wrote:
> Hey there,
> 
> I've been looking for some ways to harden the systems that are deployed by 
> os-ansible-deployment (soon to be openstack-ansible?) and I've been using the 
> Center for Internet Security (CIS)[1] benchmarks as a potential pathway for 
> that.  There are benchmarks available for various operating systems and 
> applications there.
> 
> Many of the items shown there fall into a few different categories:
> 
>   1) things OSAD should configure
>   2) things deployers should configure
>   3) things nobody should configure (they break the deployment, for example)
> 
> #3 is often quite obvious, but #1 and #2 are a bit more nebulous.  For 
> example, I opened a ticket[2] about getting auditd installed by default with 
> openstack-ansible.  My gut says that many deployers could use auditd since it 
> collects denials from AppArmor and that can help with troubleshooting broken 
> policies.
> 
> Also, I opened another ticket[3] for compressing all logs by default.  This 
> affects availability (part of the information security CIA triad[4]) in a 
> fairly critical way in the long term.
> 
> My question is this: How should I go about determining which security changes 
> should go upstream and which should go into documentation as things deployers 
> should do locally?
> 
> 
> [1] https://benchmarks.cisecurity.org/
> [2] https://bugs.launchpad.net/openstack-ansible/+bug/1491915
> [3] https://bugs.launchpad.net/openstack-ansible/+bug/1493981
> [4] https://en.wikipedia.org/wiki/Information_security#Key_concepts
> 
> --
> Major Hayden
> 
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 

Sane defaults can't be used?  The two bugs you listed look fine to me as
default things to do.

-- 
Matthew Thode (prometheanfire)

Attachment: signature.asc
Description: OpenPGP digital signature
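Major's point above is that auditd captures AppArmor denials and that this helps when troubleshooting a broken policy. As an added example (not code from this thread, from openstack-ansible, or from the CIS benchmarks), the shell functions below pull enforced denials out of audit records in the shape the kernel hands to auditd for AppArmor events (type=AVC records carrying apparmor="DENIED"), and count them per profile. The audit lines are constructed sample input; the profile names, paths and PIDs in them are made up.

```shell
#!/bin/sh
# Constructed sample of auditd records (profile names, paths and PIDs are made up).
# AppArmor denials reach auditd as type=AVC records carrying apparmor="DENIED";
# complain-mode events carry apparmor="ALLOWED" and must not be reported as denials.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1441900000.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/secret" pid=1234 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1441900000.101:201): arch=c000003e syscall=2 success=no exit=-13 pid=1234 comm="ntpd" exe="/usr/sbin/ntpd"
type=AVC msg=audit(1441900000.102:202): apparmor="ALLOWED" operation="open" profile="/usr/bin/lxc-start" name="/run/lock/lxc" pid=2345 comm="lxc-start" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1441900000.103:203): apparmor="DENIED" operation="exec" profile="/usr/sbin/ntpd" name="/bin/sh" pid=1235 comm="ntpd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0'

# apparmor_denials: read audit records on stdin and print one line per enforced
# denial as "<profile> <operation> <target> <denied_mask>".
apparmor_denials() {
  awk '
    /^type=AVC / && /apparmor="DENIED"/ {
      prof = ""; op = ""; tgt = ""; mask = ""
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue
        key = substr($i, 1, n - 1)
        val = substr($i, n + 1)
        gsub(/"/, "", val)             # strip the quotes audit puts around strings
        if (key == "profile")          prof = val
        else if (key == "operation")   op = val
        else if (key == "name")        tgt = val
        else if (key == "denied_mask") mask = val
      }
      print prof, op, tgt, mask
    }'
}

# denials_per_profile: count enforced denials per profile so a broken policy
# stands out even in a noisy audit log. Output is "<profile> <count>", sorted.
denials_per_profile() {
  apparmor_denials | awk '{ c[$1]++ } END { for (p in c) print p, c[p] }' | sort
}

# Stand-alone run: report the denials found in the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | apparmor_denials
```

On a real host the same functions read the live log (`apparmor_denials < /var/log/audit/audit.log`) or the output of `ausearch -m AVC --raw`; the one caveat is that a profile in complain mode logs ALLOWED rather than DENIED, so switching a profile to complain mode while debugging makes it disappear from this report.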
