Fix: docs formatting

Change-Id: If2782de681c737c25d03428da2219d201aae1ea9
changes/24/636324/2
Roman Gorshunov 3 months ago
parent
commit
0931ad1530

+ 3
- 1
doc/source/code-conventions.rst

@@ -35,6 +35,7 @@ that chart.
35 35
 
36 36
 e.g.: For project ``foo``, which also maintains the charts for ``bar`` and
37 37
 ``baz``:
38
+
38 39
 -  foo/charts/foo contains the chart for ``foo``
39 40
 -  foo/charts/bar contains the chart for ``bar``
40 41
 -  foo/charts/baz contains the chart for ``baz``
@@ -50,7 +51,8 @@ will contain subdirectories for each of the images created as part of that
50 51
 project. The subdirectory will contain the dockerfile that can be used to
51 52
 generate the image.
52 53
 
53
-e.g.: For project ``foo``, which also produces a Docker image for ``bar``
54
+e.g.: For project ``foo``, which also produces a Docker image for ``bar``:
55
+
54 56
 -  foo/images/foo contains the dockerfile for ``foo``
55 57
 -  foo/images/bar contains the dockerfile for ``bar``
56 58
 

+ 3
- 0
doc/source/security/guide.rst

@@ -33,11 +33,14 @@ be listed as well as the project scope.
33 33
 
34 34
   * Project Scope: Which Airship projects address this security item.
35 35
   * Solution: The solution is how this security concern is addressed in the platform
36
+
36 37
     * Remediated: The item is solved for automatically
37 38
     * Configurable: The item is based on configuration. Guidance will be provided.
38 39
     * Mitigated: The item currently mitigated while a permanent remediation is in progress.
39 40
     * Pending: Addressing the item is in-progress
41
+
40 42
   * Audit: Auditing the item provides for ongoing monitoring to ensure there is no regression
43
+
41 44
     * Testing: The item is tested for in an automated test pipeline during development
42 45
     * Validation: The item is reported on by a validation framework after a site deployment
43 46
     * Pending: Auditing is in-progress
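
Review bot: The Mitigated item (old line 38, new line 39) reads "The item currently mitigated while a permanent remediation is in progress" and is missing "is". Since this change already touches the list, fix it to "The item is currently mitigated ...". The list also mixes "in-progress" (both Pending items) with "in progress" (Mitigated); pick one spelling.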

+ 1
- 1
doc/source/security/haproxy.rst

@@ -52,4 +52,4 @@ value to an existing header.
52 52
 References
53 53
 ----------
54 54
 
55
-HAProxy Configuration Guide - http://cbonte.github.io/haproxy-dconv/1.8/configuration.html
55
+`HAProxy Configuration Guide <http://cbonte.github.io/haproxy-dconv/1.8/configuration.html>`_
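
Review bot: The new link target on line 55 still uses plain http:// for cbonte.github.io. In a security guide, point the reference at the https:// form of the same URL if the host serves it, so readers are not sent to the configuration manual over an unauthenticated connection.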

+ 16
- 13
doc/source/security/ubuntu.rst

@@ -61,9 +61,10 @@ The mounts ``/tmp``, ``/var``, ``/var/log``, ``/var/log/audit`` and ``/home`` sh
61 61
 individual file systems.
62 62
 
63 63
   - Project Scope: Drydock
64
-  - Solution *Configurable*: Drydock supports user designed partitioning, see `Filesystem Configuration`_.
64
+  - Solution *Configurable*: Drydock supports user designed partitioning, see
65
+    `Filesystem Configuration`_.
65 66
   - Audit: *Testing*: The Airship testing pipeline will validate that nodes are partitioned
66
-           as described in the site definition.
67
+    as described in the site definition.
67 68
 
68 69
 Filesystem Hardening
69 70
 ^^^^^^^^^^^^^^^^^^^^
@@ -73,7 +74,7 @@ Disallow symlinks and hardlinks to files not owned by the user. Set ``fs.protect
73 74
 
74 75
   - Project Scope: Diving Bell
75 76
   - Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable. By default
76
-             MAAS deploys nodes in compliance.
77
+    MAAS deploys nodes in compliance.
77 78
   - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin.
78 79
 
79 80
 Execution Environment Hardening
@@ -84,8 +85,8 @@ disabling core dumps (``hard core 0``)
84 85
 
85 86
   - Project Scope: DivingBell, Drydock
86 87
   - Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable, by default
87
-             MAAS deploys nodes with ``fs.suid_dumpable = 2``. A boot action will put in place
88
-             the hard limit.
88
+    MAAS deploys nodes with ``fs.suid_dumpable = 2``. A boot action will put in place the hard
89
+    limit.
89 90
   - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin
90 91
 
91 92
 Randomizing stack space can make it harder to exploit buffer overflow vulnerabilities. Enable
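
Review bot: The reflowed Solution text on new lines 87-89 says MAAS deploys nodes with ``fs.suid_dumpable = 2`` but, unlike the neighbouring items that say "in compliance", it does not say whether that default meets the requirement or which value the Diving Bell override sets. State both explicitly so an auditor knows what to check for. Also, "this kernel tunable, by default MAAS deploys" is a comma splice that should be two sentences, and the scope line writes "DivingBell" while the Solution line writes "Diving Bell".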
@@ -93,7 +94,7 @@ the kernel tunable ``kernel.randomize_va_space = 2``.
93 94
 
94 95
   - Project Scope: DivingBell
95 96
   - Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable, by default
96
-             MAAS deploys nodes in compliance.
97
+    MAAS deploys nodes in compliance.
97 98
   - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin
98 99
 
99 100
 Mandatory Access Control
@@ -104,9 +105,9 @@ to use it.
104 105
 
105 106
   - Project Scope: Drydock, Promenade
106 107
   - Solution *Configurable*: A bootaction will put in place the default AppArmor profile. Promenade
107
-             will deploy a Docker configuration to enforce the default policy.
108
+    will deploy a Docker configuration to enforce the default policy.
108 109
   - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin probing
109
-           ``/proc/<pid>/attr/current``.
110
+    ``/proc/<pid>/attr/current``.
110 111
 
111 112
 Put in place an approved AppArmor profile to be used by containers that will manipulate the
112 113
 on-host AppArmor profiles. This allows an init container in Pods to put customized AppArmor
@@ -114,7 +115,7 @@ profile in place and load them.
114 115
 
115 116
   - Project Scope: Drydock
116 117
   - Solution *Configurable*: A bootaction will put in place the profile-manager AppArmor profile and
117
-             load it on each boot.
118
+    load it on each boot.
118 119
   - Audit: *Pending*: The availability of this profile will be verified by a Sonobuoy plugin.
119 120
 
120 121
 .. IMPORTANT::
@@ -135,7 +136,8 @@ Run `rsyslogd` to log events.
135 136
 Run a monitor for logging kernel audit events such as auditd.
136 137
 
137 138
   - Project Scope: Non-Airship
138
-  - Solution *Remediated*: The Sysdig Falco <https://sysdig.com/opensource/falco/> will be used and
139
+  - Solution *Remediated*: The `Sysdig Falco <https://sysdig.com/opensource/falco/>`_ will be used
140
+    and
139 141
   - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin.
140 142
 
141 143
 Watch the watchers. Ensure that monitoring services are up and responsive.
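
Review bot: The Solution sentence on new lines 139-140 still ends in a dangling "and" ("will be used" / "and"), so the reflow carries an unfinished sentence forward and now gives the stray word a line of its own. Either complete the sentence with what else is used, or drop the "and" and end with a period after "will be used".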
@@ -239,6 +241,7 @@ Temporary Mitigation Status
239 241
 References
240 242
 ----------
241 243
 
242
-OpenSCAP for Ubuntu 16.04 - https://static.open-scap.org/ssg-guides/ssg-ubuntu1604-guide-common.html
243
-Ubuntu 16.04 Server Guide - https://help.ubuntu.com/16.04/serverguide/security.html
244
-Canonical MAAS 2.x TLS - https://docs.maas.io/2.3/en/installconfig-network-ssl & https://docs.maas.io/2.4/en/installconfig-network-ssl
244
+  * `OpenSCAP for Ubuntu 16.04 <https://static.open-scap.org/ssg-guides/ssg-ubuntu1604-guide-common.html>`_
245
+  * `Ubuntu 16.04 Server Guide <https://help.ubuntu.com/16.04/serverguide/security.html>`_
246
+  * `Canonical MAAS 2.3 TLS <https://docs.maas.io/2.3/en/installconfig-network-ssl>`_
247
+  * `Canonical MAAS 2.4 TLS <https://docs.maas.io/2.4/en/installconfig-network-ssl>`_
