[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[atomic-devel] Atomic and NIST-800/STIG compliance



Hi -

I'm a developer from the oVirt project, and as we look towards tighter integration with OpenShift plus a potential pivot to Kubevirt, we're taking a very close look at Atomic.

However, there are some features from oVirt Node which are not present in Atomic Host which we'd really like to see. Specifically, a NIST-800 partitioning scheme, which basically amounts to separate partitions/LVs for the following:

/home
/opt
/var
/var/log
/var/log/audit

(ideally with any 'persistent' data like the rpmdb relocated off of /var, with the contents of /var[/*] being the same across all ostree instances, so logs are not lost if users need to roll back).

In my testing, Atomic seems to only take ~3GB of the volume group when installed, though I understand that the remainder of the volume group is often used for Docker image storage. We performed a conversion to a NIST-800 layout as part of an update on oVirt Node, but we were fortunate enough to be using lvmthin, so we didn't need to worry too much about it, but I'm not sure how this would be done on Atomic. I know that /var was added recently, so some shuffling must be possible, but I haven't looked into the details of how that was performed.

Additionally, getting as close as possible to full STIG compliance would be ideal. I see that atomic supports scanning containers running on Atomic hosts, but I'm not sure what the actual status of the host itself is.

We're happy to contribute patches if your load is high, but a preliminary review of these additions would be great, as well as a slap to the head if Atomic already does these things and I didn't notice somehow...

-Ryan

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]