Skip to content

CentOS infra security guidelines

CentOS infra security guidelines

We want to enforce the following security points on Every deployed node:

  • iptables rules (even if hosted in a DC behind a hardware firewall and so not using public IP)
  • selinux turned on (enforcing and not permissive or even worse : disabled)
  • TLS communication between infra components (if possible, or through similar method)
  • consuming only GPG signed RPM pkgs from our own infra cbs/koji tags (so signed with our key)

Optional (depending on the criticality level, if storing sensitive information on disk):

  • luks to encrypt the filesystem on disk (with luks passphrase itself crypted in git repo for inventory)