[openstack-dev] [openstack-ansible] Security hardening

Jesse Pretorius jesse.pretorius at gmail.com
Mon Sep 14 08:28:21 UTC 2015


On 10 September 2015 at 19:21, Clint Byrum <clint at fewbar.com> wrote:

> Excerpts from Major Hayden's message of 2015-09-10 09:33:27 -0700:
> >
> > On 09/10/2015 11:22 AM, Matthew Thode wrote:
> > > Sane defaults can't be used?  The two bugs you listed look fine to me as
> > > default things to do.
> >
> > Thanks, Matthew.  I tend to agree.
> >
> > I'm wondering if it would be best to make a "punch list" of CIS benchmarks
> > and try to tag them with one of the following:
> >
> >   * Do this in OSAD
> >   * Tell deployers how to do this (in docs)
>
> Just a thought from somebody outside of this. If OSAD can provide the
> automation, turned off by default as a convenience, and run a bank of
> tests with all of these turned on to make sure they do actually work with
> the stock configuration, you'll get more traction this way. Docs should
> be the focus of this effort, but the effort should be on explaining how
> it fits into the system so operators who are customizing know when they
> will have to choose a less secure path. One should be able to have code
> do the "turn it on" "turn it off" mechanics.
>

I agree with Clint that this is a good approach.

If there is an automated way that we can verify the security of an
installation at a reasonable/standardised level then I think we should add
a gate check for it too.