
Improve security docs to include a 'hardened' configuration for an example scenario #1172

Closed
tsandall opened this issue Jan 16, 2019 · 0 comments · Fixed by #1362

tsandall commented Jan 16, 2019

In August we had a third-party pen-testing firm conduct a security audit of OPA. The result of the audit can be found here. For the purpose of the audit we created an environment for the pen-testers that ran a hardened OPA configuration. Details on the environment can be found here.

We should update the security documentation with details on the hardened configuration. Specifically, make a recommendation for cases where OPA is:

  • Deployed as a daemon
  • Configured to use bundles for policy distribution
  • Accessed by services on the same host

In this scenario, OPA can be configured to:

  • Only listen on localhost or a unix domain socket
  • Enable TLS (in case of localhost)
  • Only expose a single decision endpoint to clients (deny all other API requests)
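The following is an added illustration of the three hardening points listed in the issue, written as an OPA system authorization policy; it is not part of the issue, the linked PR, or the OPA project's own documentation. The package name `system.authz`, the `--authorization=basic` and `--authentication=token` flags, and the `input.method`, `input.path` and `input.identity` fields are real OPA features; the decision path `example/authz/allow`, the token identity `service-a-token`, the certificate file names and the socket path are hypothetical values chosen for the example.

```rego
# Hypothetical hardened OPA startup (added example, not project code).
# OPA only listens on the loopback interface, serves TLS, authenticates
# clients by bearer token and enforces this policy on every API request:
#
#   opa run --server \
#     --addr localhost:8181 \
#     --tls-cert-file server.crt --tls-private-key-file server.key \
#     --authentication=token --authorization=basic \
#     --config-file config.yaml \
#     authz.rego
#
# Alternative for callers on the same host: --addr unix:///run/opa.sock
# (filesystem permissions on the socket then replace TLS and tokens).
# Because --authorization=basic locks the API, this file must be loaded
# at startup; the bundle configured in config.yaml is pulled by OPA,
# so no inbound policy-upload endpoint has to be exposed.
package system.authz

import rego.v1

# Deny by default: any API request not matched by a rule below is rejected.
default allow := false

# Hypothetical set of client bearer tokens. In a real deployment these
# would come from a secret store rather than being hard-coded.
allowed_clients := {"service-a-token"}

# The single decision endpoint clients may query:
# POST /v1/data/example/authz/allow (hypothetical decision path).
allow if {
	input.method == "POST"
	input.path == ["v1", "data", "example", "authz", "allow"]
	input.identity in allowed_clients # bearer token value under --authentication=token
}

# Unauthenticated liveness probe for the local process supervisor.
allow if {
	input.method == "GET"
	input.path == ["health"]
}
```

With this policy in place, requests to `/v1/policies`, `/v1/data` (anything other than the one decision), `/v1/compile` or `/v1/query` all return 401/403 from OPA itself, so a compromised co-located service with a valid token can only evaluate the published decision, not read or replace policy. Verify the lockdown after startup by issuing a `GET /v1/policies` with a valid token and confirming it is refused.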
@tsandall tsandall self-assigned this Apr 12, 2019
tsandall added a commit to tsandall/opa that referenced this issue Apr 18, 2019
Fixes open-policy-agent#1172

Signed-off-by: Torin Sandall <torinsandall@gmail.com>
patrick-east pushed a commit that referenced this issue Apr 19, 2019
Fixes #1172

Signed-off-by: Torin Sandall <torinsandall@gmail.com>