[legal-discuss] Center for Internet Security hardening standards

Major Hayden major.hayden at rackspace.com
Thu Sep 17 13:37:45 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello there,

I'm currently working on a security hardening spec[1] and blueprint[2] for openstack-ansible.  The goal is to bring additional security to OpenStack hosts via openstack-ansible and also to help organizations down the path to various compliance programs (like PCI).

One of the firm PCI requirements[3] is PCI DSS Requirement 2.2 (page 30 in the PDF), which states that organizations must adhere to "industry-accepted" hardening standards.  A few examples include Center for Internet Security (CIS), ISO, SANS, and NIST.  Most of these are geared towards deployments of Red Hat Enterprise Linux and Windows, not Ubuntu.

CIS seems to have the most comprehensive security hardening standards available for Ubuntu, and I'm able to port many of their recommendations for RHEL-based systems over to Ubuntu systems.  However, their terms of use[4] appear to be fairly strict.

Rackspace (my employer) is a CIS member, but the OpenStack Foundation is not (as far as I know).  I've reached out to CIS' member services group via our Rackspace account to find out if there's a possibility to license these hardening standards for open source use with OpenStack projects, but I'm not sure who they should get in contact with on the OpenStack side to discuss it.

Would anyone be able to advise me on how to proceed?  Thanks a bunch!

[1] https://review.openstack.org/#/c/222619/
[2] https://blueprints.launchpad.net/openstack-ansible/+spec/security-hardening
[3] https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
[4] https://benchmarks.cisecurity.org/downloads/form/index.cfm

- --
Major Hayden
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJV+sIhAAoJEHNwUeDBAR+xlqEQAJWZV23yNWV7+XN1Pm7Utb6R
D+pwPfN9up7RMhK5OFzvRGSEaGiQPRop+ENKNeBfiRfLCkI6mx2w5Z58E5NQCJEs
v4ddxY5LokzOpizDmFl2Dkq3mrPCyC6bAE1tml5KF80vM5Vkt2IHnt7w5Q9QQ4hF
UOcKI/4DFB2USO5lQr8jUMILzBUHLB+QO9L4NVxvYiz6LS1xgDRQ7AbmdloldLZb
UqbqZ4rswfpSwCMn+h2jpBDwVzIykg22jdYQY61as8I1i7HrZoXBF2TaSyGc4lca
FAzMxYBF7swWQ+W+/uk8+SUYOgqVSqslHtDyxKbz03JPlMhkSgAVAF80Q0AGE3Yt
eq85QdLHkJnpdZNEfQ/TQHki+2seL+UNM/iSHlx//M+Qa5AZdgk+noEOhGT/dH3I
+Bmz/PGBLJM67oow82No28tEo05xVtIGgDt5bUVf0oWCYy0OHjaLJ8w0DBrKXXlX
otKsn5Q0Z08WUreX7fL74snb2yhg0BsGuR/NsHkJ2YQbG67v4Cr1QhCL8UAyI+OU
MIRG1eswdERZKpBzBO6d+h4GsfEo7fDB6Q0uHe9kiwzVq5gHCI3t/miYwz4vabYR
uZ4YVnfNfAmbjhh5I/uSAf2ie4T9h2b+yoqG6Yn51p43aLuZEHcPmc1VVv7M50Dz
KDQ5nkxc/3XQcnmrZV7j
=u4SR
-----END PGP SIGNATURE-----