[openstack-dev] [openstack-ansible] Security hardening

Matthew Thode prometheanfire at gentoo.org
Mon Sep 14 12:41:49 UTC 2015


On 09/14/2015 03:28 AM, Jesse Pretorius wrote:
> On 10 September 2015 at 19:21, Clint Byrum <clint at fewbar.com
> <mailto:clint at fewbar.com>> wrote:
> 
>     Excerpts from Major Hayden's message of 2015-09-10 09:33:27 -0700:
>     > On 09/10/2015 11:22 AM, Matthew Thode wrote:
>     > > Sane defaults can't be used?  The two bugs you listed look fine to me as
>     > > default things to do.
>     >
>     > Thanks, Matthew.  I tend to agree.
>     >
>     > I'm wondering if it would be best to make a "punch list" of CIS benchmarks and try to tag them with one of the following:
>     >
>     >   * Do this in OSAD
>     >   * Tell deployers how to do this (in docs)
> 
>     Just a thought from somebody outside of this. If OSAD can provide the
>     automation, turned off by default as a convenience, and run a bank of
>     tests with all of these turned on to make sure they do actually work with
>     the stock configuration, you'll get more traction this way. Docs should
>     be the focus of this effort, but the effort should be on explaining how
>     it fits into the system so operators who are customizing know when they
>     will have to choose a less secure path. One should be able to have code
>     do the "turn it on" "turn it off" mechanics.
> 
> 
> I agree with Clint that this is a good approach.
> 
> If there is an automated way that we can verify the security of an
> installation at a reasonable/standardised level then I think we should
> add a gate check for it too.
> 
There are a few different ways to verify system security.  They are
generally outside tools though.

http://www.open-scap.org/page/Main_Page for instance.

-- 
-- Matthew Thode (prometheanfire)
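A gate check of the kind Jesse asks for, built on the OpenSCAP results Matthew points to, added here as an example and not code from the thread or from openstack-ansible: it reads an XCCDF results document and returns a non-zero status when any selected rule at or above a chosen severity did not pass. The result and severity vocabularies are XCCDF's own; the rule ids and the embedded results document are constructed samples.

```python
"""Gate check over an OpenSCAP XCCDF results file (added example, not from the thread).
Assumes the XCCDF 1.2 namespace; rule ids and the sample document are constructed."""
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Results that never block a gate: the rule passed or was not evaluated.
NON_BLOCKING = {"pass", "fixed", "notapplicable", "notselected", "informational"}
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample shaped like the output of `oscap xccdf eval --results`.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult">
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="medium">
      <result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_sysctl_ip_forward" severity="medium">
      <result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_aide_installed" severity="low">
      <result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_partition_for_tmp" severity="low">
      <result>notselected</result></rule-result>
  </TestResult>
</Benchmark>"""

def failing_rules(xml_text, min_severity="low"):
    """Return (idref, severity, result) for every rule that blocks the gate."""
    floor = SEVERITY_RANK[min_severity]
    blocking = []
    for rr in ET.fromstring(xml_text).iterfind(".//x:rule-result", XCCDF_NS):
        result = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS)
        severity = rr.get("severity", "unknown")
        # An unknown severity is ranked as high so it is never silently waived.
        if result in NON_BLOCKING or SEVERITY_RANK.get(severity, 3) < floor:
            continue
        blocking.append((rr.get("idref"), severity, result))
    return sorted(blocking)

def gate(xml_text, min_severity="low"):
    """CI exit status: 0 when nothing blocking remains, 1 otherwise."""
    blocking = failing_rules(xml_text, min_severity)
    for idref, severity, result in blocking:
        print(f"{result.upper():<8}{severity:<8}{idref}")
    return 1 if blocking else 0

if __name__ == "__main__":
    # Usage: gate.py [results.xml] [min_severity]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    sys.exit(gate(text, sys.argv[2] if len(sys.argv) > 2 else "low"))
```

Raising `min_severity` is the deployer's knob from Clint's message: the check stays on in the gate while a site that has consciously chosen a less secure path for low-severity items is not blocked by them.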