This patch gets rid of the old "special notes" section that was a dead-end in the documentation and replaces it with a brief header followed by a dynamically-generated list of tag-specific documentation. All of this sits underneath the "Hardening Domains" section. It also splits the "Deviations" documentation into its own section because it's quite important for a deployer to review. The patch also includes a link to video/slides from the Boston Summit, which provided the latest updates for the project and some background on how everything fits together. Change-Id: I1a5e78733c301335fe1bcfcee36cc146d690b841
misc - Miscellaneous security controls
Some of the security controls provided by the STIG are difficult to group together. The following documentation includes STIG requirements which do not easily fit into one of the other hardening domains.
Overview
Reliable time synchronization is a requirement in the STIG, and the chrony package will be installed to handle NTP for systems secured with the openstack-ansible-security role. The default settings will work for most environments, but some deployers may prefer to use NTP servers which are geographically closer to their servers.
The role configures the chrony daemon to listen only on localhost. To allow chrony to listen on all addresses (the upstream default for chrony), set the security_ntp_bind_local_interfaces_only variable to False.
When chrony is allowed to listen on all addresses, the default configuration permits clients in the RFC 1918 private ranges to reach the NTP server running on each host. The set of permitted client subnets can be changed with the security_allowed_ntp_subnets variable.