V-3851{1,2,3}, V-38686: IPv4 security controls

Mainly a documentation commit with one special case and three exceptions. Implements: blueprint security-hardening Change-Id: Ib9607f6df8aaed63b494a7f87af33cb7d3117f1d
2015-10-07 11:25:36 -05:00 · 2015-10-07 11:25:36 -05:00 · d8946874c8
parent 241f6cd074
commit d8946874c8
4 changed files with 17 additions and 0 deletions
--- a/doc/source/developer-notes/V-38511.rst
+++ b/doc/source/developer-notes/V-38511.rst
@ -0,0 +1,5 @@
+**Special Case**
+
+Running virtual infrastructure requires IP forwarding to be enabled on various
+interfaces. The STIG allows for this, so long as the system is being operated
+as a router (as is the case for an OpenStack host).
--- a/doc/source/developer-notes/V-38512.rst
+++ b/doc/source/developer-notes/V-38512.rst
@ -0,0 +1,10 @@
+**Exception**
+
+Although a minimal set of iptables rules are configured on openstack-ansible
+hosts, the "deny all" requirement of the STIG is not met. This is largely left
+up to the deployer to do, based on their assessment of their own network
+segmentation.
+
+Deployers are urged to review the network access controls that are applied
+on the network devices between their OpenStack environment and the rest of
+their network.
--- a/doc/source/developer-notes/V-38513.rst
+++ b/doc/source/developer-notes/V-38513.rst
@ -0,0 +1 @@
+V-38512.rst
--- a/doc/source/developer-notes/V-38686.rst
+++ b/doc/source/developer-notes/V-38686.rst
@ -0,0 +1 @@
+V-38512.rst