Next steps / to-do list

  1. Done
    1. Multi-factor authc
    2. Hardening
      1. AppArmor
      2. systemd
    3. Custom PAM/NSS caching daemon
  2. Open
    1. WebSSO
    2. X.509 PKI
    3. DevOps tooling
    4. Logging
    5. PXE/DHCP/TFTP integration
    6. Network Access Control (NAC)
    7. RADIUS
    8. aehostd -- custom PAM/NSS daemon
    9. DNS
    10. User Interface
    11. ModSecurity
    12. Command-line tool
    13. Browser integration/security
    14. Python 3.x
    15. Compliance checks

Done

Multi-factor authc

Hardening

AppArmor

If you set the Ansible variable apparmor_enabled: True, AppArmor profiles and abstractions are installed that confine all components in enforce mode.
Only supported on Debian Stretch and openSUSE/SLE.

systemd

Various systemd security configuration options (sandboxing directives in the [Service] section) are used when starting services via systemd units. See the Ansible variable aedir_systemd_hardening for the global settings.
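As an added example (not code from the Æ-DIR project) of what "systemd security configuration options" means in practice, the following Python script parses a unit file and reports which common sandboxing directives are missing or set to a weak value. The list of required directives is an assumption chosen for the illustration, not the contents of aedir_systemd_hardening, and the two sample units are constructed.

```python
"""Audit a systemd service unit for common sandboxing directives.

Added example for this page, not code from the Æ-DIR project. The set of
required directives below is an assumption chosen for the illustration; it is
not the contents of the Ansible variable aedir_systemd_hardening.
"""
import configparser

# systemd accepts these spellings for a boolean "true".
_TRUE = {"yes", "true", "on", "1"}

# Directive -> values accepted as hardened. Anything else is reported.
REQUIRED = {
    "NoNewPrivileges": _TRUE,
    "PrivateTmp": _TRUE,
    "PrivateDevices": _TRUE,
    "ProtectSystem": {"strict"},
    "ProtectHome": _TRUE | {"read-only", "tmpfs"},
    "ProtectKernelTunables": _TRUE,
    "ProtectKernelModules": _TRUE,
    "ProtectControlGroups": _TRUE,
    "RestrictSUIDSGID": _TRUE,
    "RestrictRealtime": _TRUE,
    "LockPersonality": _TRUE,
    "MemoryDenyWriteExecute": _TRUE,
}


def parse_unit(text):
    """Parse unit file text into {section: {key: value}}.

    Unit files are INI-like; with strict=False a repeated key keeps its last
    value, which is good enough for auditing single-valued sandbox settings.
    """
    parser = configparser.ConfigParser(
        strict=False,
        interpolation=None,
        delimiters=("=",),
        empty_lines_in_values=False,
    )
    parser.optionxform = str  # systemd directive names are case-sensitive
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def audit_unit(text):
    """Return {directive: problem} for every REQUIRED setting that is not met."""
    service = parse_unit(text).get("Service", {})
    findings = {}
    for key, accepted in REQUIRED.items():
        value = service.get(key)
        if value is None:
            findings[key] = "missing"
        elif value.strip().lower() not in accepted:
            findings[key] = "weak: " + value.strip()
    # Sandboxing buys little if the service still runs as root.
    if service.get("User", "root").strip() == "root":
        findings["User"] = "runs as root"
    return findings


# Constructed sample units for the demonstration (not shipped by Æ-DIR).
WEAK_UNIT = """\
[Unit]
Description=constructed example service without sandboxing

[Service]
ExecStart=/usr/sbin/example-daemon --foreground
ProtectSystem=full

[Install]
WantedBy=multi-user.target
"""

HARDENED_UNIT = """\
[Unit]
Description=constructed example service with sandboxing

[Service]
User=example
ExecStart=/usr/sbin/example-daemon --foreground
StateDirectory=example
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for name, unit in (("weak", WEAK_UNIT), ("hardened", HARDENED_UNIT)):
        print(name, audit_unit(unit) or "all checks passed")
```

Note that ProtectSystem=strict makes everything except /dev, /proc and /sys read-only, so a service that writes state needs StateDirectory= (or ReadWritePaths=) as in the hardened sample, otherwise the unit fails at runtime rather than silently losing protection.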

aehostd -- custom PAM/NSS daemon

aehostd is now ready for QA tests.

Some details still to be improved:

Location-specific replicas
  Read the DC (data center) locations from attribute aeLocation of the aeHost entry to determine "near" consumer replicas to access.

Monitoring
  Integrated monitoring (alarming and performance).
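To make the "near consumer replicas" idea concrete, here is an added example (not aehostd's own code) that orders replica URIs by the host's aeLocation values. The data model is assumed for the illustration: the aeHost entry carries aeLocation values as DNs, each replica is known by its LDAP URI plus the aeLocation value(s) of the site it runs in, and all entries and URIs below are constructed. The example also refuses plain ldap:// URIs, since a PAM/NSS daemon should only talk to replicas over ldaps:// or ldapi://.

```python
"""Order consumer replicas by the location of the local host.

Added example for this page, not aehostd's own code. Data model assumptions
made for the illustration: the aeHost entry carries aeLocation values (DNs of
aeLocation entries), and each replica is known by its LDAP URI plus the
aeLocation value(s) of the site it runs in. Entry and replica data below are
constructed.
"""
from collections import namedtuple
from urllib.parse import urlsplit

Replica = namedtuple("Replica", "uri locations")

# Schemes a PAM/NSS daemon should accept for replica access: plain ldap://
# would carry credentials and account data without TLS.
SAFE_SCHEMES = {"ldaps", "ldapi"}


def normalize_dn(dn):
    """Cheap DN normalisation for comparison: trim RDN whitespace, lower-case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _check_uri(uri):
    if urlsplit(uri).scheme not in SAFE_SCHEMES:
        raise ValueError("refusing non-TLS replica URI: %s" % uri)


def order_replicas(host_entry, replicas, fallback_uris=()):
    """Return replica URIs: same-location first, then the rest, then fallbacks.

    A host without aeLocation simply keeps the configured order. Fallback
    URIs are appended last so the client never ends up with an empty list.
    """
    host_locations = {normalize_dn(v) for v in host_entry.get("aeLocation", [])}
    near, far = [], []
    for replica in replicas:
        _check_uri(replica.uri)
        replica_locations = {normalize_dn(loc) for loc in replica.locations}
        (near if host_locations & replica_locations else far).append(replica.uri)
    ordered = near + far
    for uri in fallback_uris:
        _check_uri(uri)
        if uri not in ordered:
            ordered.append(uri)
    return ordered


# Constructed sample data (attribute values as lists, as LDAP libraries return them).
HOST_ENTRY = {
    "cn": ["web1.example.com"],
    "aeLocation": ["cn=dc-berlin,cn=ae,ou=ae-dir"],
}
REPLICAS = [
    Replica("ldaps://ae-dir-c1.example.com", ["cn=dc-frankfurt,cn=ae,ou=ae-dir"]),
    Replica("ldaps://ae-dir-c2.example.com", ["cn=DC-Berlin, cn=ae, ou=ae-dir"]),
    Replica("ldaps://ae-dir-c3.example.com", ["cn=dc-berlin,cn=ae,ou=ae-dir",
                                              "cn=dc-frankfurt,cn=ae,ou=ae-dir"]),
]
FALLBACKS = ("ldaps://ae-dir-p1.example.com",)

if __name__ == "__main__":
    for uri in order_replicas(HOST_ENTRY, REPLICAS, FALLBACKS):
        print(uri)
```

The DN comparison deliberately ignores case and whitespace around RDN separators, which is enough for DNs that the directory itself produced; values typed by hand in a config file would still need proper DN parsing.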

Open

In no particular order...

WebSSO

Custom IdP implementation supporting SAML 2.0, OAuth 2.0 and OpenID Connect, checking the login relationship between user and service based on the aeLoginGroups attribute of the service's aeSrvGroup entry.

Python modules to be used: pysaml2, oic, pyop
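The authorization step such an IdP has to perform, as an added example (not the project's IdP code): a user may log in to a service only if one of the user's groups is listed in aeLoginGroups of the service's aeSrvGroup entry. Assumptions made for the illustration: aeLoginGroups holds aeGroup DNs, the user's memberships are available as memberOf values, and the entries are constructed. The search-filter variant escapes values per RFC 4515, so a user name like *)(uid=* cannot widen the query.

```python
"""Login authorisation for WebSSO: may this user log in to this service?

Added example for this page, not the project's IdP code. Assumptions made
for the illustration: the service's aeSrvGroup entry lists permitted groups
in aeLoginGroups (DNs of aeGroup entries) and the user's memberships are
available as memberOf values. The entries below are constructed.
"""


def normalize_dn(dn):
    """Cheap DN normalisation for comparison: trim RDN whitespace, lower-case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def escape_filter_value(value):
    """RFC 4515 escaping so an attacker-chosen value cannot alter filter structure."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def login_allowed(user_entry, srvgroup_entry):
    """True iff the user is a member of at least one aeLoginGroups entry."""
    allowed = {normalize_dn(g) for g in srvgroup_entry.get("aeLoginGroups", [])}
    if not allowed:
        return False  # a service without login groups admits nobody
    member_of = {normalize_dn(g) for g in user_entry.get("memberOf", [])}
    return bool(allowed & member_of)


def login_filter(uid, srvgroup_entry):
    """Search filter that only matches *uid* if it may log in to the service.

    Returns None when the service has no aeLoginGroups, so the caller fails
    closed instead of searching with an empty OR clause.
    """
    groups = srvgroup_entry.get("aeLoginGroups", [])
    if not groups:
        return None
    group_terms = "".join("(memberOf=%s)" % escape_filter_value(g) for g in groups)
    return "(&(objectClass=aeUser)(uid=%s)(|%s))" % (
        escape_filter_value(uid), group_terms)


# Constructed entries (attribute values as lists, as LDAP libraries return them).
SRVGROUP = {"cn": ["web-servers"],
            "aeLoginGroups": ["cn=web-login,cn=ae,ou=ae-dir"]}
ALICE = {"uid": ["alice"],
         "memberOf": ["cn=Web-Login, cn=ae, ou=ae-dir",
                      "cn=vpn-users,cn=ae,ou=ae-dir"]}
BOB = {"uid": ["bob"], "memberOf": ["cn=vpn-users,cn=ae,ou=ae-dir"]}

if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(user["uid"][0], "->", login_allowed(user, SRVGROUP))
    print(login_filter("*)(uid=*", SRVGROUP))
```

Whether the in-memory check or the filter is used depends on where the IdP already has the data: the filter variant lets the directory's own ACLs decide and avoids reading memberOf into the IdP at all.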

X.509 PKI

DevOps tooling

Ansible

Logging

PXE/DHCP/TFTP integration

Network Access Control (NAC)

RADIUS

Support for RADIUS with dynamic RADIUS client configuration (see also NAC).

DNS

User Interface

ModSecurity

Define a ruleset for ModSecurity.

Command-line tool

Browser integration/security

Python 3.x

Possible LDAP modules with support for Python 3.x:

Module   License        Notes
ldap3    LGPLv3         supports Python 2.7 and 3.4+
bonsai   MIT            only Python 3.4+
ldap0    Python-style   needs work to support Python 3

Compliance checks

Prepare compliance statements: