Excerpts from Major Hayden's message of 2015-09-10 09:33:27 -0700:
> On 09/10/2015 11:22 AM, Matthew Thode wrote:
> > Sane defaults can't be used? The two bugs you listed look fine to me as
> > default things to do.
>
> Thanks, Matthew. I tend to agree.
>
> I'm wondering if it would be best to make a "punch list" of CIS benchmarks
> and try to tag them with one of the following:
>
> * Do this in OSAD
> * Tell deployers how to do this (in docs)

Just a thought from somebody outside of this. If OSAD can provide the
automation, turned off by default as a convenience, and run a bank of
tests with all of these turned on to make sure they do actually work with
the stock configuration, you'll get more traction this way. Docs should
be the focus of this effort, but the effort should be on explaining how
it fits into the system so operators who are customizing know when they
will have to choose a less secure path. One should be able to have code
do the "turn it on" "turn it off" mechanics.

> * Tell deployers not to do this (in docs)
>
> That could be lumped in with a spec/blueprint of some sort. Would that be
> beneficial?
