On 10 September 2015 at 19:21, Clint Byrum <[email protected]> wrote: > Excerpts from Major Hayden's message of 2015-09-10 09:33:27 -0700: > > Hash: SHA256 > > > > On 09/10/2015 11:22 AM, Matthew Thode wrote: > > > Sane defaults can't be used? The two bugs you listed look fine to me > as > > > default things to do. > > > > Thanks, Matthew. I tend to agree. > > > > I'm wondering if it would be best to make a "punch list" of CIS > benchmarks and try to tag them with one of the following: > > > > * Do this in OSAD > > * Tell deployers how to do this (in docs) > > Just a thought from somebody outside of this. If OSAD can provide the > automation, turned off by default as a convenience, and run a bank of > tests with all of these turned on to make sure they do actually work with > the stock configuration, you'll get more traction this way. Docs should > be the focus of this effort, but the effort should be on explaining how > it fits into the system so operators who are customizing know when they > will have to choose a less secure path. One should be able to have code > do the "turn it on" "turn it off" mechanics. >
I agree with Clint that this is a good approach. If there is an automated way that we can verify the security of an installation at a reasonable/standardised level then I think we should add a gate check for it too.
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
