On 09/10/2015 09:54 AM, Major Hayden wrote:
> Hey there,
>
> I've been looking for some ways to harden the systems that are deployed by
> os-ansible-deployment (soon to be openstack-ansible?) and I've been using the
> Center for Internet Security (CIS)[1] benchmarks as a potential pathway for
> that. There are benchmarks available for various operating systems and
> applications there.
>
> Many of the items shown there fall into a few different categories:
>
> 1) things OSAD should configure
> 2) things deployers should configure
> 3) things nobody should configure (they break the deployment, for example)
>
> #3 is often quite obvious, but #1 and #2 are a bit more nebulous. For
> example, I opened a ticket[2] about getting auditd installed by default with
> openstack-ansible. My gut says that many deployers could use auditd since it
> collects denials from AppArmor and that can help with troubleshooting broken
> policies.
>
> Also, I opened another ticket[3] for compressing all logs by default. This
> affects availability (part of the information security CIA triad[4]) in a
> fairly critical way in the long term.
>
> My question is this: How should I go about determining which security changes
> should go upstream and which should go into documentation as things deployers
> should do locally?
>
>
> [1] https://benchmarks.cisecurity.org/
> [2] https://bugs.launchpad.net/openstack-ansible/+bug/1491915
> [3] https://bugs.launchpad.net/openstack-ansible/+bug/1493981
> [4] https://en.wikipedia.org/wiki/Information_security#Key_concepts
>
> --
> Major Hayden
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Sane defaults can't be used? The two bugs you listed look fine to me as
default things to do.

--
Matthew Thode (prometheanfire)
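The reason auditd is useful for the AppArmor troubleshooting Major mentions is easiest to see on the records themselves. The following is an added example, not code from this thread or from openstack-ansible: it parses constructed audit.log lines in the shape auditd writes for AppArmor events (type=AVC with apparmor="DENIED") and collapses them into a per-profile summary, which is the view needed to judge whether a policy is broken; the profile names, paths and PIDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape auditd writes for AppArmor events.
# Profiles, paths and PIDs are invented for illustration only.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1441900000.101:201): apparmor="DENIED" operation="open" profile="/usr/bin/example-service" name="/etc/example/secret.conf" pid=4242 comm="example-service" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1441900000.102:202): apparmor="ALLOWED" operation="open" profile="/usr/bin/example-service" name="/var/log/example.log" pid=4242 comm="example-service" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1441900000.103:203): apparmor="DENIED" operation="open" profile="/usr/bin/example-service" name="/etc/example/secret.conf" pid=4242 comm="example-service" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1441900000.104:204): apparmor="DENIED" operation="exec" profile="/usr/bin/other-tool" name="/usr/bin/curl" pid=5150 comm="other-tool" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1441900000.105:205): arch=c000003e syscall=2 success=no exit=-13 pid=4242 comm="example-service"
"""

# key="value" pairs as audit records print them; quoted values never contain a raw quote.
_KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_apparmor_denials(log_text):
    """Return one dict of fields per AppArmor DENIED record; all other lines are skipped."""
    denials = []
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL, CWD, PATH and similar records are not AppArmor decisions
        fields = dict(_KV_RE.findall(line))
        if fields.get("apparmor") != "DENIED":
            continue  # ALLOWED records come from profiles in complain mode
        denials.append(fields)
    return denials


def summarize_by_profile(denials):
    """Count denials per (profile, operation, path, denied_mask) so repeated hits collapse."""
    counts = defaultdict(int)
    for d in denials:
        key = (d.get("profile"), d.get("operation"), d.get("name"), d.get("denied_mask"))
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    summary = summarize_by_profile(parse_apparmor_denials(SAMPLE_AUDIT_LOG))
    for (profile, op, path, mask), n in sorted(summary.items()):
        print(f"{n:3d}x {profile}: {op} {path} (denied {mask})")
```

Feed it the real /var/log/audit/audit.log on a host and each line of the summary is one candidate rule to add to, or one access to remove from, the profile in question.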