[openstack-dev] [openstack-ansible] Security hardening
major at mhtx.net
Thu Sep 10 14:54:20 UTC 2015
I've been looking for some ways to harden the systems that are deployed by os-ansible-deployment (soon to be openstack-ansible?) and I've been using the Center for Internet Security (CIS) benchmarks as a potential pathway for that. There are benchmarks available for various operating systems and applications there.
Many of the items shown there fall into a few different categories:
1) things OSAD should configure
2) things deployers should configure
3) things nobody should configure (they break the deployment, for example)
#3 is often quite obvious, but #1 and #2 are a bit more nebulous. For example, I opened a ticket about getting auditd installed by default with openstack-ansible. My gut says that many deployers could use auditd since it collects denials from AppArmor and that can help with troubleshooting broken policies.
Also, I opened another ticket for compressing all logs by default. This affects availability (part of the information security CIA triad) in a fairly critical way in the long term.
My question is this: How should I go about determining which security changes should go upstream and which should go into documentation as things deployers should do locally?
More information about the OpenStack-dev