Skip to content

Infra docs

CentOS infra security guidelines

centos/centos-infra-docs

CentOS infra security guidelines

CentOS infra security guidelines¶

We want to enforce the following security points on Every deployed node:

iptables rules (even if hosted in a DC behind a hardware firewall and so not using public IP)
selinux turned on (enforcing and not permissive or even worse : disabled)
TLS communication between infra components (if possible, or through similar method)
consuming only GPG signed RPM pkgs from our own infra cbs/koji tags (so signed with our key)

Optional (depending on the criticality level, if storing sensitive information on disk):

luks to encrypt the filesystem on disk (with luks passphrase itself crypted in git repo for inventory)