# CentOS infra security guidelines

We want to enforce the following security points on *Every* deployed node:

  * iptables rules (*even* if hosted in a DC behind a hardware firewall and so not using public IP)

  * selinux turned on (`enforcing` and *not* `permissive` or even worse : `disabled`)

  * TLS communication between infra components (if possible, or through similar method)

  * consuming only GPG signed RPM pkgs from our own `infra` cbs/koji tags (so signed with our key)

Optional (depending on the criticality level, if storing sensitive information on disk): 

  * `luks` to encrypt the filesystem on disk (with luks passphrase itself crypted in git repo for inventory)