On 09/14/2015 03:28 AM, Jesse Pretorius wrote:
> On 10 September 2015 at 19:21, Clint Byrum <cl...@fewbar.com> wrote:
>
> > Excerpts from Major Hayden's message of 2015-09-10 09:33:27 -0700:
> > > On 09/10/2015 11:22 AM, Matthew Thode wrote:
> > > > Sane defaults can't be used? The two bugs you listed look fine to me as
> > > > default things to do.
> > >
> > > Thanks, Matthew. I tend to agree.
> > >
> > > I'm wondering if it would be best to make a "punch list" of CIS
> > > benchmarks and try to tag them with one of the following:
> > >
> > > * Do this in OSAD
> > > * Tell deployers how to do this (in docs)
> >
> > Just a thought from somebody outside of this. If OSAD can provide the
> > automation, turned off by default as a convenience, and run a bank of
> > tests with all of these turned on to make sure they do actually work with
> > the stock configuration, you'll get more traction this way. Docs should
> > be the focus of this effort, but the effort should be on explaining how
> > it fits into the system so operators who are customizing know when they
> > will have to choose a less secure path. One should be able to have code
> > do the "turn it on" "turn it off" mechanics.
>
> I agree with Clint that this is a good approach.
>
> If there is an automated way that we can verify the security of an
> installation at a reasonable/standardised level then I think we should
> add a gate check for it too.
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

There are a few different ways to verify system security. They are
generally outside tools though.

http://www.open-scap.org/page/Main_Page for instance.

--
Matthew Thode (prometheanfire)