author Zuul <zuul@review.openstack.org> 2019-02-22 05:46:45 +0000
committer Gerrit Code Review <review@openstack.org> 2019-02-22 05:46:45 +0000
commit 5d9139b9ef246bfaf22090d1c6df87f994adff79
tree 547709b1e92a70abd005fc02e136981883dd4c65
parent 564c262065fb28c7f475c5f8ac18582202c9ce4c
parent 0931ad1530e0d88a28501216bbf4bca5016626ff
Merge "Fix: docs formatting"
-rw-r--r-- doc/source/code-conventions.rst 4
-rw-r--r-- doc/source/security/guide.rst 3
-rw-r--r-- doc/source/security/haproxy.rst 2
-rw-r--r-- doc/source/security/ubuntu.rst 29
4 files changed, 23 insertions, 15 deletions
diff --git a/doc/source/code-conventions.rst b/doc/source/code-conventions.rst
index 62a5d57..16cb3ab 100644
--- a/doc/source/code-conventions.rst
+++ b/doc/source/code-conventions.rst
@@ -35,6 +35,7 @@ that chart.
35 35
36e.g.: For project ``foo``, which also maintains the charts for ``bar`` and 36e.g.: For project ``foo``, which also maintains the charts for ``bar`` and
37``baz``: 37``baz``:
38
38- foo/charts/foo contains the chart for ``foo`` 39- foo/charts/foo contains the chart for ``foo``
39- foo/charts/bar contains the chart for ``bar`` 40- foo/charts/bar contains the chart for ``bar``
40- foo/charts/baz contains the chart for ``baz`` 41- foo/charts/baz contains the chart for ``baz``
@@ -50,7 +51,8 @@ will contain subdirectories for each of the images created as part of that
50project. The subdirectory will contain the dockerfile that can be used to 51project. The subdirectory will contain the dockerfile that can be used to
51generate the image. 52generate the image.
52 53
53e.g.: For project ``foo``, which also produces a Docker image for ``bar`` 54e.g.: For project ``foo``, which also produces a Docker image for ``bar``:
55
54- foo/images/foo contains the dockerfile for ``foo`` 56- foo/images/foo contains the dockerfile for ``foo``
55- foo/images/bar contains the dockerfile for ``bar`` 57- foo/images/bar contains the dockerfile for ``bar``
56 58
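Review bot: nit on the unchanged context in this hunk: the sentence "The subdirectory will contain the dockerfile" and both bullets spell the file name `dockerfile`, while the conventional name (and the one Docker looks for by default) is `Dockerfile`; since the `e.g.:` sentence is already being touched for formatting, the same hunk could fix the capitalisation. The added colon and blank line are correct as they stand: reStructuredText needs a blank line before a bullet list, otherwise the bullets are folded into the preceding paragraph, which is exactly what the charts example above already does.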
diff --git a/doc/source/security/guide.rst b/doc/source/security/guide.rst
index 61db00f..35dfc7e 100644
--- a/doc/source/security/guide.rst
+++ b/doc/source/security/guide.rst
@@ -33,11 +33,14 @@ be listed as well as the project scope.
33 33
34 * Project Scope: Which Airship projects address this security item. 34 * Project Scope: Which Airship projects address this security item.
35 * Solution: The solution is how this security concern is addressed in the platform 35 * Solution: The solution is how this security concern is addressed in the platform
36
36 * Remediated: The item is solved for automatically 37 * Remediated: The item is solved for automatically
37 * Configurable: The item is based on configuration. Guidance will be provided. 38 * Configurable: The item is based on configuration. Guidance will be provided.
38 * Mitigated: The item currently mitigated while a permanent remediation is in progress. 39 * Mitigated: The item currently mitigated while a permanent remediation is in progress.
39 * Pending: Addressing the item is in-progress 40 * Pending: Addressing the item is in-progress
41
40 * Audit: Auditing the item provides for ongoing monitoring to ensure there is no regression 42 * Audit: Auditing the item provides for ongoing monitoring to ensure there is no regression
43
41 * Testing: The item is tested for in an automated test pipeline during development 44 * Testing: The item is tested for in an automated test pipeline during development
42 * Validation: The item is reported on by a validation framework after a site deployment 45 * Validation: The item is reported on by a validation framework after a site deployment
43 * Pending: Auditing is in-progress 46 * Pending: Auditing is in-progress
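Review bot: the `Mitigated` sub-item still reads "The item currently mitigated while a permanent remediation is in progress." and is missing "is"; since the surrounding lines are being re-flowed anyway, this hunk is the place to correct it. The blank lines inserted before the `Solution` and `Audit` sub-lists are what reStructuredText requires to render them as nested lists instead of running them into the parent item, but the sub-items must also be indented deeper than the parent `*`, and the side-by-side view hides leading whitespace; please confirm with a local `sphinx-build` (or `rst2html`) run that the hierarchy renders. Minor: "in-progress" in the two `Pending` items should be "in progress" when used as a predicate.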
diff --git a/doc/source/security/haproxy.rst b/doc/source/security/haproxy.rst
index dc24a62..7185020 100644
--- a/doc/source/security/haproxy.rst
+++ b/doc/source/security/haproxy.rst
@@ -52,4 +52,4 @@ value to an existing header.
52References 52References
53---------- 53----------
54 54
55HAProxy Configuration Guide - http://cbonte.github.io/haproxy-dconv/1.8/configuration.html 55`HAProxy Configuration Guide <http://cbonte.github.io/haproxy-dconv/1.8/configuration.html>`_
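Review bot: while converting this reference to a named hyperlink, switch the scheme to `https://`: `cbonte.github.io` is a GitHub Pages site and is served over TLS, and a security guide should not send readers to a plain-HTTP URL whose content can be altered in transit. Suggested: `` `HAProxy Configuration Guide <https://cbonte.github.io/haproxy-dconv/1.8/configuration.html>`_ ``. The link is also pinned to the 1.8 configuration manual, which is fine as long as 1.8 is the HAProxy version the deployment uses; otherwise the reference will drift from the options the guide describes.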
diff --git a/doc/source/security/ubuntu.rst b/doc/source/security/ubuntu.rst
index 5418e09..aaf8737 100644
--- a/doc/source/security/ubuntu.rst
+++ b/doc/source/security/ubuntu.rst
@@ -61,9 +61,10 @@ The mounts ``/tmp``, ``/var``, ``/var/log``, ``/var/log/audit`` and ``/home`` sh
61individual file systems. 61individual file systems.
62 62
63 - Project Scope: Drydock 63 - Project Scope: Drydock
64 - Solution *Configurable*: Drydock supports user designed partitioning, see `Filesystem Configuration`_. 64 - Solution *Configurable*: Drydock supports user designed partitioning, see
65 `Filesystem Configuration`_.
65 - Audit: *Testing*: The Airship testing pipeline will validate that nodes are partitioned 66 - Audit: *Testing*: The Airship testing pipeline will validate that nodes are partitioned
66 as described in the site definition. 67 as described in the site definition.
67 68
68Filesystem Hardening 69Filesystem Hardening
69^^^^^^^^^^^^^^^^^^^^ 70^^^^^^^^^^^^^^^^^^^^
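Review bot: the new continuation line carrying `` `Filesystem Configuration`_ `` must be indented to the same column as "Drydock" on the `Solution` line; if it is not, reStructuredText ends the list item there and emits the hyperlink reference as a separate paragraph (with an "unexpected indentation" warning from Sphinx). The side-by-side view drops leading whitespace, so please double-check the raw file. Minor: "user designed partitioning" should be hyphenated as "user-designed partitioning".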
@@ -73,7 +74,7 @@ Disallow symlinks and hardlinks to files not owned by the user. Set ``fs.protect
73 74
74 - Project Scope: Diving Bell 75 - Project Scope: Diving Bell
75 - Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable. By default 76 - Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable. By default
76 MAAS deploys nodes in compliance. 77 MAAS deploys nodes in compliance.
77 - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin. 78 - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin.
78 79
79Execution Environment Hardening 80Execution Environment Hardening
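Review bot: the old and new text of this hunk are identical, so the change is whitespace-only (trailing whitespace, or the indentation of the "MAAS deploys nodes in compliance." continuation line). That is fine, but the commit is titled "Fix: docs formatting" and gives no hint of what was wrong here; a sentence in the commit message about the indentation or trailing-whitespace fix would help the next reader of `git blame`. For the continuation line to stay inside the `Solution` bullet it needs the same indentation as "Diving Bell" on the line above.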
@@ -84,8 +85,8 @@ disabling core dumps (``hard core 0``)
84 85
85 - Project Scope: DivingBell, Drydock 86 - Project Scope: DivingBell, Drydock
86 - Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable, by default 87 - Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable, by default
87 MAAS deploys nodes with ``fs.suid_dumpable = 2``. A boot action will put in place 88 MAAS deploys nodes with ``fs.suid_dumpable = 2``. A boot action will put in place the hard
88 the hard limit. 89 limit.
89 - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin 90 - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin
90 91
91Randomizing stack space can make it harder to exploit buffer overflow vulnerabilities. Enable 92Randomizing stack space can make it harder to exploit buffer overflow vulnerabilities. Enable
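Review bot: the re-wrapped sentence is now easy to misread: "Diving Bell overrides will enforce this kernel tunable, by default MAAS deploys nodes with ``fs.suid_dumpable = 2``" never states which value the override enforces, and `2` is the kernel's "suidsafe" mode (setuid processes may still dump core, written root-owned with restricted permissions), which is not the same as disabling core dumps as the section heading "disabling core dumps (``hard core 0``)" implies. Suggest stating the target explicitly, e.g. "Diving Bell overrides will set ``fs.suid_dumpable`` to the hardened value; by default MAAS deploys nodes with ``fs.suid_dumpable = 2``." with the intended value filled in, and ending the `Audit` line with a period like the others in this file.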
@@ -93,7 +94,7 @@ the kernel tunable ``kernel.randomize_va_space = 2``.
93 94
94 - Project Scope: DivingBell 95 - Project Scope: DivingBell
95 - Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable, by default 96 - Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable, by default
96 MAAS deploys nodes in compliance. 97 MAAS deploys nodes in compliance.
97 - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin 98 - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin
98 99
99Mandatory Access Control 100Mandatory Access Control
@@ -104,9 +105,9 @@ to use it.
104 105
105 - Project Scope: Drydock, Promenade 106 - Project Scope: Drydock, Promenade
106 - Solution *Configurable*: A bootaction will put in place the default AppArmor profile. Promenade 107 - Solution *Configurable*: A bootaction will put in place the default AppArmor profile. Promenade
107 will deploy a Docker configuration to enforce the default policy. 108 will deploy a Docker configuration to enforce the default policy.
108 - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin probing 109 - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin probing
109 ``/proc/<pid>/attr/current``. 110 ``/proc/<pid>/attr/current``.
110 111
111Put in place an approved AppArmor profile to be used by containers that will manipulate the 112Put in place an approved AppArmor profile to be used by containers that will manipulate the
112on-host AppArmor profiles. This allows an init container in Pods to put customized AppArmor 113on-host AppArmor profiles. This allows an init container in Pods to put customized AppArmor
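Review bot: "A bootaction will put in place the default AppArmor profile" uses `bootaction` as one word, while the core-dump section earlier in this same file says "A boot action will put in place the hard limit"; since these hunks exist to fix formatting, pick one spelling (the term Drydock itself uses) and apply it in both places. The old and new text here are otherwise identical, so this is another whitespace-only change that the side-by-side view cannot show.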
@@ -114,7 +115,7 @@ profile in place and load them.
114 115
115 - Project Scope: Drydock 116 - Project Scope: Drydock
116 - Solution *Configurable*: A bootaction will put in place the profile-manager AppArmor profile and 117 - Solution *Configurable*: A bootaction will put in place the profile-manager AppArmor profile and
117 load it on each boot. 118 load it on each boot.
118 - Audit: *Pending*: The availability of this profile will be verified by a Sonobuoy plugin. 119 - Audit: *Pending*: The availability of this profile will be verified by a Sonobuoy plugin.
119 120
120.. IMPORTANT:: 121.. IMPORTANT::
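Review bot: the hunk header shows the lead sentence of this section ending "to put customized AppArmor profile in place and load them."; `profile` should be plural (`profiles`) to agree with "them" and with "on-host AppArmor profiles" in the preceding line. The same `bootaction` versus "boot action" spelling question as the previous hunk applies to "A bootaction will put in place the profile-manager AppArmor profile".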
@@ -135,7 +136,8 @@ Run `rsyslogd` to log events.
135Run a monitor for logging kernel audit events such as auditd. 136Run a monitor for logging kernel audit events such as auditd.
136 137
137 - Project Scope: Non-Airship 138 - Project Scope: Non-Airship
138 - Solution *Remediated*: The Sysdig Falco <https://sysdig.com/opensource/falco/> will be used and 139 - Solution *Remediated*: The `Sysdig Falco <https://sysdig.com/opensource/falco/>`_ will be used
140 and
139 - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin. 141 - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin.
140 142
141Watch the watchers. Ensure that monitoring services are up and responsive. 143Watch the watchers. Ensure that monitoring services are up and responsive.
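Review bot: wrapping this line makes the dangling conjunction obvious: "The `Sysdig Falco <https://sysdig.com/opensource/falco/>`_ will be used and" now ends on a line containing only "and", and nothing follows it before the `Audit` bullet. The sentence was already incomplete before this change, but since the line is being edited, either finish the thought (what Falco will be used with or for) or drop "and" and end with a period; "The Sysdig Falco" should also be "Sysdig Falco" without the article.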
@@ -239,6 +241,7 @@ Temporary Mitigation Status
239References 241References
240---------- 242----------
241 243
242OpenSCAP for Ubuntu 16.04 - https://static.open-scap.org/ssg-guides/ssg-ubuntu1604-guide-common.html 244 * `OpenSCAP for Ubuntu 16.04 <https://static.open-scap.org/ssg-guides/ssg-ubuntu1604-guide-common.html>`_
243Ubuntu 16.04 Server Guide - https://help.ubuntu.com/16.04/serverguide/security.html 245 * `Ubuntu 16.04 Server Guide <https://help.ubuntu.com/16.04/serverguide/security.html>`_
244Canonical MAAS 2.x TLS - https://docs.maas.io/2.3/en/installconfig-network-ssl & https://docs.maas.io/2.4/en/installconfig-network-ssl 246 * `Canonical MAAS 2.3 TLS <https://docs.maas.io/2.3/en/installconfig-network-ssl>`_
247 * `Canonical MAAS 2.4 TLS <https://docs.maas.io/2.4/en/installconfig-network-ssl>`_
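Review bot: the new references list uses `*` bullets, while every other list in `ubuntu.rst` visible in this diff uses `-` (for example " - Project Scope:"); use `-` here for consistency. Splitting the "MAAS 2.x" entry into separate 2.3 and 2.4 links is an improvement, since each link now resolves to exactly one document, and the blank line left between the `----------` underline and the first bullet is what reStructuredText needs. Note that the bullets start with a leading space (" * "), which reStructuredText treats as an indented block rendered as a block quote rather than a top-level list; the rest of the file does the same, so it is consistent, but it explains any unexpected indentation in the rendered page.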