(security) Airship Security Guide framework
The document shell for holding Airship security guide topics

Change-Id: I35b216f742b93c984506674d20344a74b26c876c
Parent: cd0c023425
Commit: 22691950d4
@ -58,6 +58,7 @@ Conventions and Standards
|
|||||||
:maxdepth: 3
|
:maxdepth: 3
|
||||||
|
|
||||||
conventions
|
conventions
|
||||||
|
security/guide
|
||||||
dev-getting-started
|
dev-getting-started
|
||||||
ucp-basic-deployment
|
ucp-basic-deployment
|
||||||
|
|
||||||
|
50
doc/source/security/guide.rst
Normal file
@ -0,0 +1,50 @@
|
|||||||
|
..
|
||||||
|
Copyright 2018 AT&T Intellectual Property.
|
||||||
|
All Rights Reserved.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
not use this file except in compliance with the License. You may obtain
|
||||||
|
a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
License for the specific language governing permissions and limitations
|
||||||
|
under the License.
|
||||||
|
|
||||||
|
.. _security_guide:
|
||||||
|
|
||||||
|
Airship Security Guide
|
||||||
|
======================
|
||||||
|
|
||||||
|
An undercloud environment deployed via Airship crosses many security domains. This
|
||||||
|
guide explains many of the security concerns that have been reviewed and considered
|
||||||
|
by the Airship developers. Because Airship is a highly configuration-driven platform,
|
||||||
|
there is some onus on the end-user to make good decisions with their configuration.
|
||||||
|
|
||||||
|
Layout and Nomenclature
|
||||||
|
-----------------------
|
||||||
|
|
||||||
|
Each topic in the security guide will provide some overview for scope of that topic
|
||||||
|
and then provide a list of tactical security items. For each item two statuses will
|
||||||
|
be listed as well as the project scope.
|
||||||
|
|
||||||
|
* Project Scope: Which Airship projects address this security item.
|
||||||
|
* Solution: The solution is how this security concern is addressed in the platform
|
||||||
|
* Remediated: The item is solved for automatically
|
||||||
|
* Configurable: The item is based on configuration. Guidance will be provided.
|
||||||
|
* Pending: Addressing the item is in-progress
|
||||||
|
* Audit: Auditing the item provides for ongoing monitoring to ensure there is no regression
|
||||||
|
* Testing: The item is tested for in an automated test pipeline during development
|
||||||
|
* Validation: The item is reported on by a validation framework after a site deployment
|
||||||
|
* Pending: Auditing is in-progress
|
||||||
|
|
||||||
|
Airship Security Topics
|
||||||
|
-----------------------
|
||||||
|
|
||||||
|
.. toctree::
|
||||||
|
:maxdepth: 1
|
||||||
|
|
||||||
|
template
|
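Review bot: The toctree under "Airship Security Topics" lists only `template`, so the placeholder page will be published as if it were a real security topic. Either state in that section that the template is an authoring aid, or keep it out of the toctree until actual topics exist. In "Layout and Nomenclature", the text promises "two statuses" per item, but `Pending` appears as a value under both Solution and Audit with different meanings, and the bullets are inconsistently punctuated (the Solution line and three of the status lines have no trailing period). Consider naming the two values distinctly, for example "Solution pending" and "Audit pending", so a status quoted out of context is unambiguous.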
70
doc/source/security/template.rst
Normal file
@ -0,0 +1,70 @@
|
|||||||
|
..
|
||||||
|
Copyright 2018 AT&T Intellectual Property.
|
||||||
|
All Rights Reserved.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
not use this file except in compliance with the License. You may obtain
|
||||||
|
a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
License for the specific language governing permissions and limitations
|
||||||
|
under the License.
|
||||||
|
|
||||||
|
.. _template_security_guide:
|
||||||
|
|
||||||
|
Template for a Security Guide Topic
|
||||||
|
===================================
|
||||||
|
|
||||||
|
Updated: 1-AUG-2018
|
||||||
|
|
||||||
|
An overview of the scope of this topic.
|
||||||
|
|
||||||
|
.. contents:: :depth: 2
|
||||||
|
|
||||||
|
Security Item List
|
||||||
|
------------------
|
||||||
|
|
||||||
|
Sensitive Data Security
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
Sensitive data should be encrypted at-rest.
|
||||||
|
|
||||||
|
* Project Scope: Deckhand
|
||||||
|
* Solution *Remediated*: The ``storagePolicy`` metadata determines if Deckhand will persist
|
||||||
|
document data encrypted.
|
||||||
|
* Audit: *Testing*: Pipeline test checks that documents with a ``storagePolicy: encrypted``
|
||||||
|
are not persisted to the database with an intact ``data`` section.
|
||||||
|
|
||||||
|
Sensitive data should be encrypted in-transit.
|
||||||
|
|
||||||
|
* Project Scope: Shipyard, Deckhand
|
||||||
|
* Solution *Pending*: Shipard and Deckhand API endpoints should support
|
||||||
|
TLS. See data_security_.
|
||||||
|
* Audit: *Pending*: Expect to validate post-deployment that endpoints all support TLS
|
||||||
|
|
||||||
|
Configuration Guidance
|
||||||
|
----------------------
|
||||||
|
|
||||||
|
For items that require guidance on configuration that impact a security item
|
||||||
|
please list an item here. Use RST anchors and links to link the security item solution
|
||||||
|
status to this guidance.
|
||||||
|
|
||||||
|
Temporary Mitigation Status
|
||||||
|
---------------------------
|
||||||
|
|
||||||
|
.. _data_security:
|
||||||
|
|
||||||
|
Data Security In-Transit
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
Current work to support Deckhand enabling TLS termination, Shipyard enabling self-signing
|
||||||
|
CAs and Barbican supporting TLS termination.
|
||||||
|
|
||||||
|
References
|
||||||
|
----------
|
||||||
|
|
||||||
|
`Transport Layer Security (TLS) <https://www.sans.org/reading-room/whitepapers/protocols/ssl-tls-beginners-guide-1029>`_
|
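Review bot: In the in-transit item, "Shipard" in the `Solution *Pending*` line should be "Shipyard". Because this file is what other authors will copy, the label format also needs to be consistent: the items use "Solution *Remediated*:" with no colon after the field name but "Audit: *Testing*:" with one. The Deckhand `storagePolicy` entry is written as a factual claim (a pipeline test that checks encrypted documents are not persisted with an intact `data` section); if it is only illustrative, say so in the template so readers do not take it as an audited status. The "Data Security In-Transit" text under "Temporary Mitigation Status" is a sentence fragment ("Current work to support ...") and does not say what an operator should do in the meantime, which is what a mitigation section needs. The "References" link is not cited from any item above it.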