From d8946874c81c3af9eae130b645feafa44ebc0609 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Wed, 7 Oct 2015 11:25:36 -0500
Subject: [PATCH] V-3851{1,2,3}, V-38686: IPv4 security controls
Mainly a documentation commit with one special case and three exceptions.
Implements: blueprint security-hardening
Change-Id: Ib9607f6df8aaed63b494a7f87af33cb7d3117f1d
---
 doc/source/developer-notes/V-38511.rst | 5 +++++
 doc/source/developer-notes/V-38512.rst | 10 ++++++++++
 doc/source/developer-notes/V-38513.rst | 1 +
 doc/source/developer-notes/V-38686.rst | 1 +
 4 files changed, 17 insertions(+)
 create mode 100644 doc/source/developer-notes/V-38511.rst
 create mode 100644 doc/source/developer-notes/V-38512.rst
 create mode 120000 doc/source/developer-notes/V-38513.rst
 create mode 120000 doc/source/developer-notes/V-38686.rst
diff --git a/doc/source/developer-notes/V-38511.rst b/doc/source/developer-notes/V-38511.rst
new file mode 100644
index 00000000..7e872ff9
--- /dev/null
+++ b/doc/source/developer-notes/V-38511.rst
@@ -0,0 +1,5 @@
+**Special Case**
+
+Running virtual infrastructure requires IP forwarding to be enabled on various
+interfaces. The STIG allows for this, so long as the system is being operated
+as a router (as is the case for an OpenStack host).
diff --git a/doc/source/developer-notes/V-38512.rst b/doc/source/developer-notes/V-38512.rst
new file mode 100644
index 00000000..63471791
--- /dev/null
+++ b/doc/source/developer-notes/V-38512.rst
@@ -0,0 +1,10 @@
+**Exception**
+
+Although a minimal set of iptables rules are configured on openstack-ansible
+hosts, the "deny all" requirement of the STIG is not met. This is largely left
+up to the deployer to do, based on their assessment of their own network
+segmentation.
+
+Deployers are urged to review the network access controls that are applied
+on the network devices between their OpenStack environment and the rest of
+their network.
diff --git a/doc/source/developer-notes/V-38513.rst b/doc/source/developer-notes/V-38513.rst
new file mode 120000
index 00000000..aae1aca4
--- /dev/null
+++ b/doc/source/developer-notes/V-38513.rst
@@ -0,0 +1 @@
+V-38512.rst
\ No newline at end of file
diff --git a/doc/source/developer-notes/V-38686.rst b/doc/source/developer-notes/V-38686.rst
new file mode 120000
index 00000000..aae1aca4
--- /dev/null
+++ b/doc/source/developer-notes/V-38686.rst
@@ -0,0 +1 @@
+V-38512.rst
\ No newline at end of file