Merge "Fix: docs formatting"

This commit is contained in:
Zuul 2019-02-22 05:46:45 +00:00 committed by Gerrit Code Review
commit 5d9139b9ef
4 changed files with 23 additions and 15 deletions

View File

@ -35,6 +35,7 @@ that chart.
e.g.: For project ``foo``, which also maintains the charts for ``bar`` and e.g.: For project ``foo``, which also maintains the charts for ``bar`` and
``baz``: ``baz``:
- foo/charts/foo contains the chart for ``foo`` - foo/charts/foo contains the chart for ``foo``
- foo/charts/bar contains the chart for ``bar`` - foo/charts/bar contains the chart for ``bar``
- foo/charts/baz contains the chart for ``baz`` - foo/charts/baz contains the chart for ``baz``
@ -50,7 +51,8 @@ will contain subdirectories for each of the images created as part of that
project. The subdirectory will contain the dockerfile that can be used to project. The subdirectory will contain the dockerfile that can be used to
generate the image. generate the image.
e.g.: For project ``foo``, which also produces a Docker image for ``bar`` e.g.: For project ``foo``, which also produces a Docker image for ``bar``:
- foo/images/foo contains the dockerfile for ``foo`` - foo/images/foo contains the dockerfile for ``foo``
- foo/images/bar contains the dockerfile for ``bar`` - foo/images/bar contains the dockerfile for ``bar``
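Review bot: the hunk header (-50,7 +51,8) shows one added line that the side-by-side view does not display; since the only visible change is the colon added after ``bar``, the added line is presumably the blank line reStructuredText requires between the "e.g.:" sentence and the ``- foo/images/...`` bullets (without it the bullets are parsed as a continuation of the paragraph). Please confirm the blank line is present here and in the matching ``foo/charts/...`` list in the previous hunk, which gains one line the same way.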

View File

@ -33,11 +33,14 @@ be listed as well as the project scope.
* Project Scope: Which Airship projects address this security item. * Project Scope: Which Airship projects address this security item.
* Solution: The solution is how this security concern is addressed in the platform * Solution: The solution is how this security concern is addressed in the platform
* Remediated: The item is solved for automatically * Remediated: The item is solved for automatically
* Configurable: The item is based on configuration. Guidance will be provided. * Configurable: The item is based on configuration. Guidance will be provided.
* Mitigated: The item currently mitigated while a permanent remediation is in progress. * Mitigated: The item currently mitigated while a permanent remediation is in progress.
* Pending: Addressing the item is in-progress * Pending: Addressing the item is in-progress
* Audit: Auditing the item provides for ongoing monitoring to ensure there is no regression * Audit: Auditing the item provides for ongoing monitoring to ensure there is no regression
* Testing: The item is tested for in an automated test pipeline during development * Testing: The item is tested for in an automated test pipeline during development
* Validation: The item is reported on by a validation framework after a site deployment * Validation: The item is reported on by a validation framework after a site deployment
* Pending: Auditing is in-progress * Pending: Auditing is in-progress
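Review bot: "The item currently mitigated while a permanent remediation is in progress." is missing its verb and should read "The item is currently mitigated while ..."; since this hunk already touches the list (three lines added, none of them visible here, presumably the blank lines around the nested lists), the fix belongs in this change. Note also that the two identical "Pending" entries, one under Solution and one under Audit, are distinguishable only by their indentation, which this rendering does not show, so double-check that the Solution and Audit sub-lists render as two nested lists rather than one flat list.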

View File

@ -52,4 +52,4 @@ value to an existing header.
References References
---------- ----------
HAProxy Configuration Guide - http://cbonte.github.io/haproxy-dconv/1.8/configuration.html `HAProxy Configuration Guide <http://cbonte.github.io/haproxy-dconv/1.8/configuration.html>`_

View File

@ -61,9 +61,10 @@ The mounts ``/tmp``, ``/var``, ``/var/log``, ``/var/log/audit`` and ``/home`` sh
individual file systems. individual file systems.
- Project Scope: Drydock - Project Scope: Drydock
- Solution *Configurable*: Drydock supports user designed partitioning, see `Filesystem Configuration`_. - Solution *Configurable*: Drydock supports user designed partitioning, see
`Filesystem Configuration`_.
- Audit: *Testing*: The Airship testing pipeline will validate that nodes are partitioned - Audit: *Testing*: The Airship testing pipeline will validate that nodes are partitioned
as described in the site definition. as described in the site definition.
Filesystem Hardening Filesystem Hardening
^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^
@ -73,7 +74,7 @@ Disallow symlinks and hardlinks to files not owned by the user. Set ``fs.protect
- Project Scope: Diving Bell - Project Scope: Diving Bell
- Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable. By default - Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable. By default
MAAS deploys nodes in compliance. MAAS deploys nodes in compliance.
- Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin. - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin.
Execution Environment Hardening Execution Environment Hardening
@ -84,8 +85,8 @@ disabling core dumps (``hard core 0``)
- Project Scope: DivingBell, Drydock - Project Scope: DivingBell, Drydock
- Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable, by default - Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable, by default
MAAS deploys nodes with ``fs.suid_dumpable = 2``. A boot action will put in place MAAS deploys nodes with ``fs.suid_dumpable = 2``. A boot action will put in place the hard
the hard limit. limit.
- Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin
Randomizing stack space can make it harder to exploit buffer overflow vulnerabilities. Enable Randomizing stack space can make it harder to exploit buffer overflow vulnerabilities. Enable
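Review bot: the rewrap of the ``fs.suid_dumpable`` item is fine, but two nits while this hunk is open: the Audit line ("... via a Sonobuoy plugin") has no terminating period, unlike the Audit line of the partitioning item earlier in the file, and "Diving Bell overrides will enforce this kernel tunable, by default MAAS deploys nodes with ``fs.suid_dumpable = 2``" is a comma splice; split it into two sentences or use a semicolon. The same missing period recurs in the ``kernel.randomize_va_space`` item that follows.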
@ -93,7 +94,7 @@ the kernel tunable ``kernel.randomize_va_space = 2``.
- Project Scope: DivingBell - Project Scope: DivingBell
- Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable, by default - Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable, by default
MAAS deploys nodes in compliance. MAAS deploys nodes in compliance.
- Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin
Mandatory Access Control Mandatory Access Control
@ -104,9 +105,9 @@ to use it.
- Project Scope: Drydock, Promenade - Project Scope: Drydock, Promenade
- Solution *Configurable*: A bootaction will put in place the default AppArmor profile. Promenade - Solution *Configurable*: A bootaction will put in place the default AppArmor profile. Promenade
will deploy a Docker configuration to enforce the default policy. will deploy a Docker configuration to enforce the default policy.
- Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin probing - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin probing
``/proc/<pid>/attr/current``. ``/proc/<pid>/attr/current``.
Put in place an approved AppArmor profile to be used by containers that will manipulate the Put in place an approved AppArmor profile to be used by containers that will manipulate the
on-host AppArmor profiles. This allows an init container in Pods to put customized AppArmor on-host AppArmor profiles. This allows an init container in Pods to put customized AppArmor
@ -114,7 +115,7 @@ profile in place and load them.
- Project Scope: Drydock - Project Scope: Drydock
- Solution *Configurable*: A bootaction will put in place the profile-manager AppArmor profile and - Solution *Configurable*: A bootaction will put in place the profile-manager AppArmor profile and
load it on each boot. load it on each boot.
- Audit: *Pending*: The availability of this profile will be verified by a Sonobuoy plugin. - Audit: *Pending*: The availability of this profile will be verified by a Sonobuoy plugin.
.. IMPORTANT:: .. IMPORTANT::
@ -135,7 +136,8 @@ Run `rsyslogd` to log events.
Run a monitor for logging kernel audit events such as auditd. Run a monitor for logging kernel audit events such as auditd.
- Project Scope: Non-Airship - Project Scope: Non-Airship
- Solution *Remediated*: The Sysdig Falco <https://sysdig.com/opensource/falco/> will be used and - Solution *Remediated*: The `Sysdig Falco <https://sysdig.com/opensource/falco/>`_ will be used
and
- Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin. - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin.
Watch the watchers. Ensure that monitoring services are up and responsive. Watch the watchers. Ensure that monitoring services are up and responsive.
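Review bot: the Solution line for kernel audit events still ends in a dangling "and" after the rewrap ("The `Sysdig Falco <...>`_ will be used" / "and"), so the sentence is unfinished; either complete it with what Falco is combined with or what it will do, or drop the trailing "and" before merging. While here, "The Sysdig Falco will be used" reads better without the article ("Sysdig Falco will be used").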
@ -239,6 +241,7 @@ Temporary Mitigation Status
References References
---------- ----------
OpenSCAP for Ubuntu 16.04 - https://static.open-scap.org/ssg-guides/ssg-ubuntu1604-guide-common.html * `OpenSCAP for Ubuntu 16.04 <https://static.open-scap.org/ssg-guides/ssg-ubuntu1604-guide-common.html>`_
Ubuntu 16.04 Server Guide - https://help.ubuntu.com/16.04/serverguide/security.html * `Ubuntu 16.04 Server Guide <https://help.ubuntu.com/16.04/serverguide/security.html>`_
Canonical MAAS 2.x TLS - https://docs.maas.io/2.3/en/installconfig-network-ssl & https://docs.maas.io/2.4/en/installconfig-network-ssl * `Canonical MAAS 2.3 TLS <https://docs.maas.io/2.3/en/installconfig-network-ssl>`_
* `Canonical MAAS 2.4 TLS <https://docs.maas.io/2.4/en/installconfig-network-ssl>`_