-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Secure Connections Standard #548
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice first draft - I have a few questions inline
@markus-hentsch I have general remark: Because TLS configuration and security is a moving target, have you considered to base the recommended configuration on one of the profiles offered by Mozilla SSL? For example, the "intermediate" profile, see https://ssl-config.mozilla.org/ and https://wiki.mozilla.org/Security/Server_Side_TLS. (AFAIK, these can be checked with |
lol, I had the same idea and actually checked our haproxy TLS implementation, seems there is some opportunity to do some hardening there:
|
working on a fix for upstream: https://bugs.launchpad.net/kolla-ansible/+bug/2060787 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just some minor cosmetic changes:
- Is prefer to write Cloud Service Provider instead of CSP, as "CSP" is not an official abbreviation
- I do not like writing "SCS proposes..", "SCS decides...". AFAIK, SCS stands for Sovereign Cloud Stack, which is a Software Stack, which cannot decide something. I prefer to write "SCS project" or "SCS community"
But again. This is just cosmetics.
I adjusted the SCS references. I left "CSP" as-is and added a glossary instead, like I did with some other standards. We seem to use CSP a lot in other standards so I'd like to stay consistent. The glossary at the top should introduce the abbreviation sufficiently now. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall I think this is a good starting point. We need something for the manual audits, but this may something to discuss in the standards SIG or in the IAM and Security Meeting
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for all the work done so far on this.
Unfortunately I think there's still some work left to do.
Thanks.
Updated standard and test script to use the Mozilla TLS "intermediate" preset now. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The only thing left to consider, would be to convert the mentioning of OpenStack services to IaaS services
. But as all tests we have written do always connect to OpenStack, I don't think that change would be necessary.
…tion Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
The markdown lint issues should be addressed. The link checker issues should solve themselves when this is merged. |
Signed-off-by: Anja Strunk <[email protected]>
Signed-off-by: Anja Strunk <[email protected]>
Signed-off-by: Anja Strunk <[email protected]>
Signed-off-by: Anja Strunk <[email protected]>
I removed the markdown linter errors. The only remaining errors coming from markdown link checker, who complain about the following two dead links:
The files are part if this PR and are not yet there. @mbuechse Any idea how to fix this? Otherwise, I will merge PR anyway, as we have three approvals and all other checks were successfully. |
Signed-off-by: Anja Strunk <[email protected]>
Signed-off-by: Anja Strunk <[email protected]>
Signed-off-by: Anja Strunk <[email protected]>
Signed-off-by: Anja Strunk <[email protected]>
Signed-off-by: Anja Strunk <[email protected]>
…ith node to node encryption DR Signed-off-by: Anja Strunk <[email protected]>
Signed-off-by: Anja Strunk <[email protected]>
Signed-off-by: Anja Strunk <[email protected]>
Signed-off-by: Anja Strunk <[email protected]>
Signed-off-by: Anja Strunk <[email protected]>
I tried to replace absolute links with relative ones, to satisfy markdown link checker. This worked fine, but case markdown linter to fail, as relative links are not allowed. I reverted relative links and decided to merge this PR even markdown link checker fails. As dead links related to files added by this PR, merging will not break repo. |
Closes #547