Blame docs/security/index.md

0d32f4
# CentOS infra security guidelines

We want to enforce the following security points on *every* deployed node:

  * iptables rules (*even* if hosted in a DC behind a hardware firewall and therefore not using a public IP)
  * SELinux turned on (`enforcing`, and *not* `permissive` or, even worse, `disabled`)
  * TLS communication between infra components (if possible, or through a similar method)
  * consuming only GPG-signed RPM packages from our own `infra` cbs/koji tags (so signed with our key)
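
A minimal audit of three of the mandatory points above, as an added example that is not part of the CentOS infra repository: it reads the SELinux mode, the saved iptables rules and the per-repo `gpgcheck` setting from files and reports violations. The helper names, the constructed sample input and the rule that every repo section must set `gpgcheck=1` explicitly are assumptions; TLS between components is not covered.

```shell
#!/bin/sh
# Added example, not CentOS infra code. On a real node pass /etc/selinux/config,
# a file holding `iptables-save` output, and /etc/yum.repos.d/*.repo.

# Print the SELINUX= value from an SELinux config file (last setting wins).
selinux_mode() {
    awk -F= '/^[ \t]*SELINUX=/ { gsub(/[ \t]/, "", $2); m = $2 }
             END { print (m == "" ? "unset" : m) }' "$1"
}

# Count rules (-A lines) in saved iptables-save output.
iptables_rule_count() {
    grep -c '^-A ' "$1" || true   # grep -c prints 0 but exits 1 on no match
}

# Print each repo section lacking an explicit gpgcheck=1 (assumed policy:
# do not rely on the yum [main] default).
repos_without_gpgcheck() {
    awk 'function report() { if (sec != "" && !ok) print sec }
         /^\[/ { report(); sec = substr($0, 2, index($0, "]") - 2); ok = 0; next }
         /^[ \t]*gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { ok = 1 }
         END { report() }' "$@"
}

# Print one line per finding; return 1 if the node violates any point.
audit_node() {   # args: selinux_config iptables_save_file repo_file...
    cfg=$1; fw=$2; shift 2; rc=0
    mode=$(selinux_mode "$cfg")
    [ "$mode" = enforcing ] || { echo "FAIL selinux: $mode"; rc=1; }
    [ "$(iptables_rule_count "$fw")" -gt 0 ] || { echo "FAIL iptables: no rules"; rc=1; }
    for r in $(repos_without_gpgcheck "$@"); do
        echo "FAIL repo without gpgcheck=1: $r"; rc=1
    done
    return $rc
}

# Constructed sample node state (not real host data).
make_sample() {
    mkdir -p "$1"
    printf '# sample\nSELINUX=permissive\nSELINUXTYPE=targeted\n' > "$1/selinux"
    printf '*filter\n:INPUT DROP [0:0]\n-A INPUT -p tcp --dport 22 -j ACCEPT\nCOMMIT\n' > "$1/rules"
    printf '[infra]\ngpgcheck=1\n[extras]\ngpgcheck = 0\n' > "$1/a.repo"
}

d=$(mktemp -d); make_sample "$d"
audit_node "$d/selinux" "$d/rules" "$d/a.repo" || echo "node is not compliant"
rm -rf "$d"
```

`gpgcheck=1` only confirms that signature checking is on; which key signed a package still depends on the keys imported into the RPM database.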
 
Optional (depending on the criticality level, if storing sensitive information on disk):

  * `luks` to encrypt the filesystem on disk (with the LUKS passphrase itself encrypted in the git repo for inventory)