Skip to main content

Posts

Showing posts from July, 2017

Build and use security hardened images with TripleO

Starting to apply since Pike Concept of security hardened images Normally the images used for overcloud deployment in TripleO are not security hardened. It means, the images lack all the extra security measures needed to accomplish with ANSSI requirements. These extra measures are needed to deploy TripleO in environments where security is an important feature. The following recommendations are given to accomplish with security guidelines: ensure that /tmp is mounted on a separate volume or partition, and that it is mounted with rw,nosuid,nodev,noexec,relatime flags ensure that /var, /var/log and /var/log/audit are mounted on separates volumes or partitions, and that are mounted with rw,relatime flags. ensure that /home is mounted on a separate partition or volume, and that it is mounted with rw,nodev,relatime flags. include extra kernel boot flag to enable auditing: add audit=1 to GRUB_CMDLINE_LINUX setting disable kernel support for USB via bootloader configuration