(security) Airship Security Guide framework
The document shell for holding Airship security guide topics Change-Id: I35b216f742b93c984506674d20344a74b26c876c
This commit is contained in:
parent
cd0c023425
commit
22691950d4
|
@ -58,6 +58,7 @@ Conventions and Standards
|
|||
:maxdepth: 3
|
||||
|
||||
conventions
|
||||
security/guide
|
||||
dev-getting-started
|
||||
ucp-basic-deployment
|
||||
|
||||
|
|
|
@ -0,0 +1,50 @@
|
|||
..
|
||||
Copyright 2018 AT&T Intellectual Property.
|
||||
All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
not use this file except in compliance with the License. You may obtain
|
||||
a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
License for the specific language governing permissions and limitations
|
||||
under the License.
|
||||
|
||||
.. _security_guide:
|
||||
|
||||
Airship Security Guide
|
||||
======================
|
||||
|
||||
An undercloud environment deployed via Airship crosses many security domains. This
|
||||
guide explains many of the security concerns that have been reviewed and considered
|
||||
by the Airship developers. Because Airship is a highly configuration-driven platform,
|
||||
there is some onus on the end-user to make good decisions with their configuration.
|
||||
|
||||
Layout and Nomenclature
|
||||
-----------------------
|
||||
|
||||
Each topic in the security guide will provide some overview for scope of that topic
|
||||
and then provide a list of tactical security items. For each item two statuses will
|
||||
be listed as well as the project scope.
|
||||
|
||||
* Project Scope: Which Airship projects address this security item.
|
||||
* Solution: The solution is how this security concern is addressed in the platform
|
||||
* Remediated: The item is solved for automatically
|
||||
* Configurable: The item is based on configuration. Guidance will be provided.
|
||||
* Pending: Addressing the item is in-progress
|
||||
* Audit: Auditing the item provides for ongoing monitoring to ensure there is no regression
|
||||
* Testing: The item is tested for in an automated test pipeline during development
|
||||
* Validation: The item is reported on by a validation framework after a site deployment
|
||||
* Pending: Auditing is in-progress
|
||||
|
||||
Airship Security Topics
|
||||
-----------------------
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
template
|
|
@ -0,0 +1,70 @@
|
|||
..
|
||||
Copyright 2018 AT&T Intellectual Property.
|
||||
All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
not use this file except in compliance with the License. You may obtain
|
||||
a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
License for the specific language governing permissions and limitations
|
||||
under the License.
|
||||
|
||||
.. _template_security_guide:
|
||||
|
||||
Template for a Security Guide Topic
|
||||
===================================
|
||||
|
||||
Updated: 1-AUG-2018
|
||||
|
||||
An overview of the scope of this topic.
|
||||
|
||||
.. contents:: :depth: 2
|
||||
|
||||
Security Item List
|
||||
------------------
|
||||
|
||||
Sensitive Data Security
|
||||
^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Sensitive data should be encrypted at-rest.
|
||||
|
||||
* Project Scope: Deckhand
|
||||
* Solution *Remediated*: The ``storagePolicy`` metadata determines if Deckhand will persist
|
||||
document data encrypted.
|
||||
* Audit: *Testing*: Pipeline test checks that documents with a ``storagePolicy: encrypted``
|
||||
are not persisted to the database with an intact ``data`` section.
|
||||
|
||||
Sensitive data should be encrypted in-transit.
|
||||
|
||||
* Project Scope: Shipyard, Deckhand
|
||||
* Solution *Pending*: Shipard and Deckhand API endpoints should support
|
||||
TLS. See data_security_.
|
||||
* Audit: *Pending*: Expect to validate post-deployment that endpoints all support TLS
|
||||
|
||||
Configuration Guidance
|
||||
----------------------
|
||||
|
||||
For items that require guidance on configuration that impact a security item
|
||||
please list an item here. Use RST anchors and links to link the security item solution
|
||||
status to this guidance.
|
||||
|
||||
Temporary Mitigation Status
|
||||
---------------------------
|
||||
|
||||
.. _data_security:
|
||||
|
||||
Data Security In-Transit
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Current work to support Deckhand enabling TLS termination, Shipyard enabling self-signing
|
||||
CAs and Barbican supporting TLS termination.
|
||||
|
||||
References
|
||||
----------
|
||||
|
||||
`Transport Layer Security (TLS) <https://www.sans.org/reading-room/whitepapers/protocols/ssl-tls-beginners-guide-1029>`_
|
Loading…
Reference in New Issue