Merge "Fix: docs formatting"
This commit is contained in: commit 5d9139b9ef
@ -35,6 +35,7 @@ that chart.
|
||||||
|
|
||||||
e.g.: For project ``foo``, which also maintains the charts for ``bar`` and
|
e.g.: For project ``foo``, which also maintains the charts for ``bar`` and
|
||||||
``baz``:
|
``baz``:
|
||||||
|
|
||||||
- foo/charts/foo contains the chart for ``foo``
|
- foo/charts/foo contains the chart for ``foo``
|
||||||
- foo/charts/bar contains the chart for ``bar``
|
- foo/charts/bar contains the chart for ``bar``
|
||||||
- foo/charts/baz contains the chart for ``baz``
|
- foo/charts/baz contains the chart for ``baz``
|
||||||
|
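Review bot: Style point for the chart layout example: the paths foo/charts/foo, foo/charts/bar and foo/charts/baz are plain text while the project names next to them are marked up as ``foo``/``bar``/``baz`` inline literals; mark the paths as literals as well (e.g. ``foo/charts/bar`` contains the chart for ``bar``) so the three bullets render consistently in the built docs.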
@ -50,7 +51,8 @@ will contain subdirectories for each of the images created as part of that
|
||||||
project. The subdirectory will contain the dockerfile that can be used to
|
project. The subdirectory will contain the dockerfile that can be used to
|
||||||
generate the image.
|
generate the image.
|
||||||
|
|
||||||
e.g.: For project ``foo``, which also produces a Docker image for ``bar``
|
e.g.: For project ``foo``, which also produces a Docker image for ``bar``:
|
||||||
|
|
||||||
- foo/images/foo contains the dockerfile for ``foo``
|
- foo/images/foo contains the dockerfile for ``foo``
|
||||||
- foo/images/bar contains the dockerfile for ``bar``
|
- foo/images/bar contains the dockerfile for ``bar``
|
||||||
|
|
||||||
|
|
|
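Review bot: The new trailing colon on "produces a Docker image for ``bar``:" brings this example in line with the chart example above, but two inconsistencies remain in the same lines: the paths foo/images/foo and foo/images/bar are unmarked while the project names are inline literals, and "dockerfile" is lowercase in both the lead sentence and the bullets although the file is conventionally spelled Dockerfile. Mark the paths as literals and capitalise Dockerfile.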
@ -33,11 +33,14 @@ be listed as well as the project scope.
|
||||||
|
|
||||||
* Project Scope: Which Airship projects address this security item.
|
* Project Scope: Which Airship projects address this security item.
|
||||||
* Solution: The solution is how this security concern is addressed in the platform
|
* Solution: The solution is how this security concern is addressed in the platform
|
||||||
|
|
||||||
* Remediated: The item is solved for automatically
|
* Remediated: The item is solved for automatically
|
||||||
* Configurable: The item is based on configuration. Guidance will be provided.
|
* Configurable: The item is based on configuration. Guidance will be provided.
|
||||||
* Mitigated: The item currently mitigated while a permanent remediation is in progress.
|
* Mitigated: The item currently mitigated while a permanent remediation is in progress.
|
||||||
* Pending: Addressing the item is in-progress
|
* Pending: Addressing the item is in-progress
|
||||||
|
|
||||||
* Audit: Auditing the item provides for ongoing monitoring to ensure there is no regression
|
* Audit: Auditing the item provides for ongoing monitoring to ensure there is no regression
|
||||||
|
|
||||||
* Testing: The item is tested for in an automated test pipeline during development
|
* Testing: The item is tested for in an automated test pipeline during development
|
||||||
* Validation: The item is reported on by a validation framework after a site deployment
|
* Validation: The item is reported on by a validation framework after a site deployment
|
||||||
* Pending: Auditing is in-progress
|
* Pending: Auditing is in-progress
|
||||||
|
|
|
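Review bot: Rendering problem in the status vocabulary: the values under "Solution" (Remediated, Configurable, Mitigated, Pending) and under "Audit" (Testing, Validation, Pending) sit at the same bullet level as their parents in this view; if they are not indented under the parent bullet in the source, reST renders them as sibling fields rather than as the allowed values of Solution and Audit, so confirm the indentation. "The item currently mitigated" on the Mitigated line is missing "is". Since both Solution and Audit define a "Pending" value, and the later items write them as "Solution *Configurable*" and "Audit: *Pending*", say here that the value is written in emphasis after the field name so the two Pending values are not confused.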
@ -52,4 +52,4 @@ value to an existing header.
|
||||||
References
|
References
|
||||||
----------
|
----------
|
||||||
|
|
||||||
HAProxy Configuration Guide - http://cbonte.github.io/haproxy-dconv/1.8/configuration.html
|
`HAProxy Configuration Guide <http://cbonte.github.io/haproxy-dconv/1.8/configuration.html>`_
|
||||||
|
|
|
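Review bot: Minor point on the HAProxy reference: the new hyperlink keeps the plain http:// scheme for cbonte.github.io; GitHub Pages serves that host over HTTPS, so prefer https:// in a security document. The hyperlink syntax itself is correct.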
@ -61,9 +61,10 @@ The mounts ``/tmp``, ``/var``, ``/var/log``, ``/var/log/audit`` and ``/home`` sh
|
||||||
individual file systems.
|
individual file systems.
|
||||||
|
|
||||||
- Project Scope: Drydock
|
- Project Scope: Drydock
|
||||||
- Solution *Configurable*: Drydock supports user designed partitioning, see `Filesystem Configuration`_.
|
- Solution *Configurable*: Drydock supports user designed partitioning, see
|
||||||
|
`Filesystem Configuration`_.
|
||||||
- Audit: *Testing*: The Airship testing pipeline will validate that nodes are partitioned
|
- Audit: *Testing*: The Airship testing pipeline will validate that nodes are partitioned
|
||||||
as described in the site definition.
|
as described in the site definition.
|
||||||
|
|
||||||
Filesystem Hardening
|
Filesystem Hardening
|
||||||
^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^
|
||||||
|
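Review bot: The wrapped continuation `Filesystem Configuration`_. must be indented to the text column of its bullet ("- Solution *Configurable*: ..."); the diff view drops leading whitespace, so confirm the source line is indented, otherwise reST ends the list item and renders the link as a separate paragraph. Separately, the hunk header names ``/tmp``, ``/var``, ``/var/log``, ``/var/log/audit`` and ``/home`` as separate file systems, but the Audit: *Testing* line only checks that nodes are partitioned "as described in the site definition", which passes for a site definition that does not separate them; state which check asserts that those five mounts are present.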
@ -73,7 +74,7 @@ Disallow symlinks and hardlinks to files not owned by the user. Set ``fs.protect
|
||||||
|
|
||||||
- Project Scope: Diving Bell
|
- Project Scope: Diving Bell
|
||||||
- Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable. By default
|
- Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable. By default
|
||||||
MAAS deploys nodes in compliance.
|
MAAS deploys nodes in compliance.
|
||||||
- Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin.
|
- Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin.
|
||||||
|
|
||||||
Execution Environment Hardening
|
Execution Environment Hardening
|
||||||
|
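Review bot: Naming inconsistency: this item writes the project as "Diving Bell" in both Project Scope and Solution, while the following items write "DivingBell" in Project Scope and "Diving Bell" in Solution; pick one spelling. Also the hunk header truncates the tunable at ``fs.protect``; since symlink and hardlink restrictions are separate sysctls, the guideline should name both ``fs.protected_symlinks`` and ``fs.protected_hardlinks`` if both are meant.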
@ -84,8 +85,8 @@ disabling core dumps (``hard core 0``)
|
||||||
|
|
||||||
- Project Scope: DivingBell, Drydock
|
- Project Scope: DivingBell, Drydock
|
||||||
- Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable, by default
|
- Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable, by default
|
||||||
MAAS deploys nodes with ``fs.suid_dumpable = 2``. A boot action will put in place
|
MAAS deploys nodes with ``fs.suid_dumpable = 2``. A boot action will put in place the hard
|
||||||
the hard limit.
|
limit.
|
||||||
- Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin
|
- Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin
|
||||||
|
|
||||||
Randomizing stack space can make it harder to exploit buffer overflow vulnerabilities. Enable
|
Randomizing stack space can make it harder to exploit buffer overflow vulnerabilities. Enable
|
||||||
|
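Review bot: Two points on the core-dump item. First, the Solution line is a comma splice and never states the value Diving Bell enforces: "Diving Bell overrides will enforce this kernel tunable, by default MAAS deploys nodes with ``fs.suid_dumpable = 2``" reads as if 2 were the target; split it into two sentences and name the enforced value explicitly (2 means setuid cores are still written, readable only by root, rather than disabled). Second, the ``hard core 0`` limit that the boot action puts in place is applied by pam_limits to login sessions; it does not cover processes started from systemd units or containers, which take their limit from LimitCORE= in the unit or from the container runtime, so say which of these the boot action covers.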
@ -93,7 +94,7 @@ the kernel tunable ``kernel.randomize_va_space = 2``.
|
||||||
|
|
||||||
- Project Scope: DivingBell
|
- Project Scope: DivingBell
|
||||||
- Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable, by default
|
- Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable, by default
|
||||||
MAAS deploys nodes in compliance.
|
MAAS deploys nodes in compliance.
|
||||||
- Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin
|
- Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin
|
||||||
|
|
||||||
Mandatory Access Control
|
Mandatory Access Control
|
||||||
|
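Review bot: Same comma splice as the core-dump item: "Diving Bell overrides will enforce this kernel tunable, by default MAAS deploys nodes in compliance." should be two sentences, and "DivingBell" in Project Scope versus "Diving Bell" in Solution should use one spelling. ``kernel.randomize_va_space = 2`` is already the kernel's default, so the Solution could say that the override guards against regression rather than changes the shipped value.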
@ -104,9 +105,9 @@ to use it.
|
||||||
|
|
||||||
- Project Scope: Drydock, Promenade
|
- Project Scope: Drydock, Promenade
|
||||||
- Solution *Configurable*: A bootaction will put in place the default AppArmor profile. Promenade
|
- Solution *Configurable*: A bootaction will put in place the default AppArmor profile. Promenade
|
||||||
will deploy a Docker configuration to enforce the default policy.
|
will deploy a Docker configuration to enforce the default policy.
|
||||||
- Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin probing
|
- Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin probing
|
||||||
``/proc/<pid>/attr/current``.
|
``/proc/<pid>/attr/current``.
|
||||||
|
|
||||||
Put in place an approved AppArmor profile to be used by containers that will manipulate the
|
Put in place an approved AppArmor profile to be used by containers that will manipulate the
|
||||||
on-host AppArmor profiles. This allows an init container in Pods to put customized AppArmor
|
on-host AppArmor profiles. This allows an init container in Pods to put customized AppArmor
|
||||||
|
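Review bot: The Audit line for the AppArmor item should state what the Sonobuoy plugin asserts when it probes ``/proc/<pid>/attr/current``: that file reports the profile name and mode for one pid (for example "docker-default (enforce)"), so the plugin must read it for the container processes rather than for its own pid, and must treat "(complain)" and "unconfined" as failures, not just the absence of a profile. Also "bootaction" here versus "boot action" in the core-dump item: use one spelling.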
@ -114,7 +115,7 @@ profile in place and load them.
|
||||||
|
|
||||||
- Project Scope: Drydock
|
- Project Scope: Drydock
|
||||||
- Solution *Configurable*: A bootaction will put in place the profile-manager AppArmor profile and
|
- Solution *Configurable*: A bootaction will put in place the profile-manager AppArmor profile and
|
||||||
load it on each boot.
|
load it on each boot.
|
||||||
- Audit: *Pending*: The availability of this profile will be verified by a Sonobuoy plugin.
|
- Audit: *Pending*: The availability of this profile will be verified by a Sonobuoy plugin.
|
||||||
|
|
||||||
.. IMPORTANT::
|
.. IMPORTANT::
|
||||||
|
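Review bot: The profile-manager item only audits that the profile is available ("The availability of this profile will be verified"); since this profile lets an init container load customised on-host AppArmor profiles, the more important check is that only the intended pods are allowed to run under it, otherwise any pod that can request it can weaken the host policy. State which admission control or pod security setting restricts its use, or record that as Pending alongside the availability check. Same "bootaction" spelling point as the previous item.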
@ -135,7 +136,8 @@ Run `rsyslogd` to log events.
|
||||||
Run a monitor for logging kernel audit events such as auditd.
|
Run a monitor for logging kernel audit events such as auditd.
|
||||||
|
|
||||||
- Project Scope: Non-Airship
|
- Project Scope: Non-Airship
|
||||||
- Solution *Remediated*: The Sysdig Falco <https://sysdig.com/opensource/falco/> will be used and
|
- Solution *Remediated*: The `Sysdig Falco <https://sysdig.com/opensource/falco/>`_ will be used
|
||||||
|
and
|
||||||
- Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin.
|
- Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin.
|
||||||
|
|
||||||
Watch the watchers. Ensure that monitoring services are up and responsive.
|
Watch the watchers. Ensure that monitoring services are up and responsive.
|
||||||
|
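Review bot: The Falco sentence is now cut at "will be used and" with its continuation on a hidden line; check that the wrap did not leave "and" orphaned in the rendered text, and drop the article ("Sysdig Falco will be used" rather than "The Sysdig Falco"). Substantively, the item asks for a monitor of kernel audit events such as auditd, while Falco works from the syscall stream via its own kernel module or eBPF probe rather than from the kernel audit subsystem; marking this *Remediated* with a *Non-Airship* project scope should say whether auditd-style audit records are still required or whether Falco's alerts replace them. The header line also wraps `rsyslogd` in single backticks, which is interpreted text in reST; use double backticks for a literal.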
@ -239,6 +241,7 @@ Temporary Mitigation Status
|
||||||
References
|
References
|
||||||
----------
|
----------
|
||||||
|
|
||||||
OpenSCAP for Ubuntu 16.04 - https://static.open-scap.org/ssg-guides/ssg-ubuntu1604-guide-common.html
|
* `OpenSCAP for Ubuntu 16.04 <https://static.open-scap.org/ssg-guides/ssg-ubuntu1604-guide-common.html>`_
|
||||||
Ubuntu 16.04 Server Guide - https://help.ubuntu.com/16.04/serverguide/security.html
|
* `Ubuntu 16.04 Server Guide <https://help.ubuntu.com/16.04/serverguide/security.html>`_
|
||||||
Canonical MAAS 2.x TLS - https://docs.maas.io/2.3/en/installconfig-network-ssl & https://docs.maas.io/2.4/en/installconfig-network-ssl
|
* `Canonical MAAS 2.3 TLS <https://docs.maas.io/2.3/en/installconfig-network-ssl>`_
|
||||||
|
* `Canonical MAAS 2.4 TLS <https://docs.maas.io/2.4/en/installconfig-network-ssl>`_
|
||||||
|
|
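Review bot: The references are now a bulleted list of hyperlinks, which is clearer, but the HAProxy reference edited in this same commit became a bare hyperlink without a bullet; use the same form in both References sections. Splitting the "MAAS 2.x TLS" entry into separate 2.3 and 2.4 entries is right, since each was its own URL.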