[openstack-dev] [openstack-ansible] Security hardening

Clint Byrum clint at fewbar.com
Thu Sep 10 18:21:47 UTC 2015


Excerpts from Major Hayden's message of 2015-09-10 09:33:27 -0700:
> On 09/10/2015 11:22 AM, Matthew Thode wrote:
> > Sane defaults can't be used?  The two bugs you listed look fine to me as
> > default things to do.
> 
> Thanks, Matthew.  I tend to agree.
> 
> I'm wondering if it would be best to make a "punch list" of CIS benchmarks and try to tag them with one of the following:
> 
>   * Do this in OSAD
>   * Tell deployers how to do this (in docs)

Just a thought from somebody outside of this. If OSAD can provide the
automation, turned off by default as a convenience, and run a bank of
tests with all of these turned on to make sure they do actually work with
the stock configuration, you'll get more traction this way. Docs should
be the focus of this effort, but the effort should be on explaining how
it fits into the system so operators who are customizing know when they
will have to choose a less secure path. One should be able to have code
do the "turn it on" "turn it off" mechanics.

>   * Tell deployers not to do this (in docs)
> 
> That could be lumped in with a spec/blueprint of some sort.  Would that be beneficial?
> 
> 


