Jack Singleton

Results: 28 issues by Jack Singleton

by default we should have all log levels set to a fairly high level like NOTICE or ERROR. where possible, we can also configure logs to exclude information we don't...

we could reduce our attack surface by disabling SPK uploads and whitelisting a set of app ids (possibly even all app ids in the oasis app store). is this possible?

https://www.opsmate.com/titus/ titus is a tool from Andrew Ayer (https://www.agwa.name/about/) that handles TLS termination and then proxies to (in our case) nginx. this would protect from vulnerabilities in OpenSSL because 1)...

Two systems for MAC are AppArmor and SELinux. A third option is grsec RBAC, but since it's unclear at this point whether Sandstorm will even run on a grsec patched...

let's look at https://github.com/CISOfy/lynis Could we run this as part of our Ansible deploy? Or as a separate task with tags?

we could look at porting hardening.io's nginx hardening scripts to ansible. they have chef and puppet implementations and even a test suite - https://github.com/hardening-io?utf8=%E2%9C%93&query=nginx Looking at the spec though, it...

https://docs.sandstorm.io/en/latest/install/#option-3-pgp-verified-install

Can we use that short list for ssl_ciphers?