Next steps / to-do list
If the ansible variable apparmor_enabled is set to True, AppArmor profiles and abstractions are installed which confine all components in enforce mode. This is only supported on Debian Stretch and openSUSE/SLE.
Use the various systemd security configuration options when starting services via systemd units. See the ansible variable aedir_systemd_hardening for the global settings.
- systemd.index — List all manpages from the systemd project
- lwn.net: Using systemd for more secure services in Fedora
- Security focused systemd configuration
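As an added illustration (not taken from the Æ-DIR ansible role), a drop-in with the directives such a hardening switch would typically set for one of the Python daemons; the unit name, drop-in file name and the writable runtime path are assumptions of this example:

```ini
# /etc/systemd/system/ae-dir-pwd.service.d/hardening.conf (names assumed)
[Service]
# no setuid/capability escalation for the service or its children
NoNewPrivileges=yes
CapabilityBoundingSet=
AmbientCapabilities=
# read-only view of the OS, private /tmp and /dev; only the state path stays writable
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ReadWritePaths=/var/run/ae-dir
# no kernel tunables, module loading, cgroup writes, new namespaces or realtime scheduling
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictRealtime=yes
# only the socket families an LDAP client / HTTP service needs
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# forbid writable+executable mappings; breaks libffi closures (ctypes callbacks), test first
MemoryDenyWriteExecute=yes
# seccomp allow-list; @system-service needs systemd >= 235 and is ignored (with a
# "Unknown lvalue" warning in the journal) by the systemd 232 shipped in Debian Stretch
SystemCallFilter=@system-service
SystemCallArchitectures=native
```

Directives a distro's systemd does not know are skipped with a warning rather than rejected, so after `systemctl daemon-reload` check the journal for the unit and, where systemd is new enough (240+), the score from `systemd-analyze security ae-dir-pwd.service`. With ProtectSystem=strict every path the daemon writes (PID file, sockets, caches) must be listed in ReadWritePaths or provided via RuntimeDirectory=/StateDirectory=, otherwise the service fails at runtime rather than at start.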
aehostd -- custom PAM/NSS daemon
aehostd is now ready for QA tests.
Some details still to be improved:
- Location-specific replicas
  - read the data center (DC) locations from attribute aeLocation of the aeHost entry to determine the "near" consumer replicas to access
- integrated monitoring (alarming and performance)
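One way the replica selection by aeLocation could look, as an added example and not aehostd's own code. It works on the shape of search results python-ldap returns (attribute values as lists of bytes); the entries below are constructed sample data, and the assumption is that the consumer replicas are themselves aeHost entries whose aeLocation values can be compared with the local host's:

```python
"""Order aehostd's consumer replica URIs by the host's own aeLocation.

Added example, not aehostd code. Sample entries are constructed.
"""
from typing import Dict, List, Sequence, Tuple

Entry = Dict[str, List[bytes]]


def decode_dns(entry: Entry, attr: str = "aeLocation") -> List[str]:
    """Return a DN-valued attribute as lower-cased str values.

    Lower-casing is a cheap approximation of DN normalisation that is
    good enough for DNs written by one tool; a full comparison would
    parse both DNs (e.g. with ldap.dn.str2dn()).
    """
    return [v.decode("utf-8").lower() for v in entry.get(attr, [])]


def rank_replicas(own_locations: Sequence[str],
                  replicas: Sequence[Tuple[str, Entry]]) -> List[str]:
    """Return replica LDAP URIs, "near" replicas first.

    A replica is near when it shares at least one aeLocation DN with the
    local host. Far replicas (and replicas without a known location) are
    appended as fallback so the host never ends up with an empty URI list
    when its own DC is unreachable. Order within each bucket is kept.
    """
    own = {loc.lower() for loc in own_locations}
    near: List[str] = []
    far: List[str] = []
    for uri, entry in replicas:
        (near if own & set(decode_dns(entry)) else far).append(uri)
    return near + far


# Constructed sample data resembling python-ldap search results.
OWN_HOST: Entry = {
    "host": [b"web1.example.com"],
    "aeLocation": [b"cn=dc1,cn=ae,ou=ae-dir"],
}
REPLICAS: List[Tuple[str, Entry]] = [
    ("ldaps://ae-dir-c2.example.com", {"aeLocation": [b"cn=dc2,cn=ae,ou=ae-dir"]}),
    ("ldaps://ae-dir-c1.example.com", {"aeLocation": [b"cn=DC1,cn=ae,ou=ae-dir"]}),
    ("ldaps://ae-dir-c3.example.com", {}),  # location unknown: fallback only
]


def nearest_uris() -> List[str]:
    """URI list for the sample host, in the order aehostd should try them."""
    return rank_replicas(decode_dns(OWN_HOST), REPLICAS)


if __name__ == "__main__":
    print(" ".join(nearest_uris()))
```

Keeping the far replicas at the end of the list rather than dropping them is the important part: a location-aware client that only knows its own DC turns a DC outage into a total NSS/PAM outage on every host in that DC.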
In no particular order...
Custom IdP implementation supporting SAML 2.0, OAuth 2.0 and OpenID Connect which checks the login relationship between user and service based on aeSrvGroup -> aeLoginGroups.
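The authorization decision such an IdP has to make, as an added example that is not Æ-DIR code. DIRECTORY is a constructed in-memory stand-in for LDAP search results. The data model assumed here follows Æ-DIR: aeHost and aeService entries are children of an aeSrvGroup entry, the aeSrvGroup attribute aeLoginGroups holds DNs of aeGroup entries, an aeGroup lists user DNs in `member`, and aeStatus "0" means active; that an aeHost/aeService entry's own aeSrvGroup attribute references further aeSrvGroup entries which also grant login is an assumption of this example:

```python
"""Decide whether a user may log in to a service via aeSrvGroup -> aeLoginGroups.

Added example, not the IdP code described by Æ-DIR. DIRECTORY is constructed.
"""
from typing import Dict, List, Set

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]

DIRECTORY: Directory = {
    # service groups
    "cn=ae-web,cn=ae,ou=ae-dir": {
        "objectClass": ["aeSrvGroup"],
        "aeLoginGroups": ["cn=ae-web-admins,cn=ae,ou=ae-dir",
                          "cn=ae-old-admins,cn=ae,ou=ae-dir"]},
    "cn=ae-mon,cn=ae,ou=ae-dir": {
        "objectClass": ["aeSrvGroup"],
        "aeLoginGroups": ["cn=ae-monitoring,cn=ae,ou=ae-dir"]},
    # hosts: web1 additionally references ae-mon (assumed semantics), mon1 does not
    "host=web1,cn=ae-web,cn=ae,ou=ae-dir": {
        "objectClass": ["aeHost"], "aeSrvGroup": ["cn=ae-mon,cn=ae,ou=ae-dir"]},
    "host=mon1,cn=ae-mon,cn=ae,ou=ae-dir": {"objectClass": ["aeHost"]},
    # groups
    "cn=ae-web-admins,cn=ae,ou=ae-dir": {
        "objectClass": ["aeGroup"], "aeStatus": ["0"],
        "member": ["uid=alice,cn=ae,ou=ae-dir", "uid=carol,cn=ae,ou=ae-dir"]},
    "cn=ae-monitoring,cn=ae,ou=ae-dir": {
        "objectClass": ["aeGroup"], "aeStatus": ["0"],
        "member": ["uid=bob,cn=ae,ou=ae-dir"]},
    "cn=ae-old-admins,cn=ae,ou=ae-dir": {  # deactivated group
        "objectClass": ["aeGroup"], "aeStatus": ["1"],
        "member": ["uid=dave,cn=ae,ou=ae-dir"]},
    # users
    "uid=alice,cn=ae,ou=ae-dir": {"objectClass": ["aeUser"], "aeStatus": ["0"]},
    "uid=bob,cn=ae,ou=ae-dir": {"objectClass": ["aeUser"], "aeStatus": ["0"]},
    "uid=carol,cn=ae,ou=ae-dir": {"objectClass": ["aeUser"], "aeStatus": ["1"]},  # deactivated
    "uid=dave,cn=ae,ou=ae-dir": {"objectClass": ["aeUser"], "aeStatus": ["0"]},
}


def parent_dn(dn: str) -> str:
    """Strip the first RDN: host=web1,cn=ae-web,... -> cn=ae-web,..."""
    return dn.split(",", 1)[1]


def is_active(entry: Entry) -> bool:
    """Only aeStatus 0 counts; a missing aeStatus is treated as inactive."""
    return entry.get("aeStatus") == ["0"]


def srv_groups_for(service_dn: str, directory: Directory) -> List[str]:
    """aeSrvGroup DNs relevant for a host/service entry: its parent plus any
    aeSrvGroup entries it references. DNs that are not aeSrvGroup entries are
    dropped so a mis-set attribute cannot widen access."""
    entry = directory[service_dn]
    candidates = [parent_dn(service_dn)] + entry.get("aeSrvGroup", [])
    return [dn for dn in candidates
            if "aeSrvGroup" in directory.get(dn, {}).get("objectClass", [])]


def login_groups(service_dn: str, directory: Directory) -> Set[str]:
    return {g for sg in srv_groups_for(service_dn, directory)
            for g in directory[sg].get("aeLoginGroups", [])}


def login_allowed(user_dn: str, service_dn: str,
                  directory: Directory = DIRECTORY) -> bool:
    """True only if the user is active and an active aeLoginGroup of the
    service lists the user in member. DNs are compared as exact strings;
    production code should normalise them (e.g. ldap.dn.str2dn) first."""
    user = directory.get(user_dn)
    if user is None or not is_active(user) or service_dn not in directory:
        return False
    for group_dn in login_groups(service_dn, directory):
        group = directory.get(group_dn)
        if group is not None and is_active(group) and user_dn in group.get("member", []):
            return True
    return False


if __name__ == "__main__":
    for uid in ("alice", "bob", "carol", "dave"):
        print(uid, login_allowed(f"uid={uid},cn=ae,ou=ae-dir",
                                 "host=web1,cn=ae-web,cn=ae,ou=ae-dir"))
```

The check deliberately fails closed on every lookup miss: an unknown user, an unknown service, a group that no longer exists, or a group or user that is deactivated (aeStatus != 0) all yield "deny", which is what an IdP should return before issuing any assertion or token for the service.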
- Issue server certs to aeHost, aeNwDevice, aeService or aeSrvGroup entries, with authorization restricted to the role Setup Admins
- see also LDAPcon 2017 talk: X.509 PKI RA schema for Æ-DIR
- direct ansible integration for server cert enrollment
- X.509 cert enrollment for aeUser with multi-factor authc
- use X.509 certs as SSH authorized keys instead of attribute sshPublicKey
- remote CA keys (e.g. based on pyeleven and PyKCS11)
- Are there ready-to-use PKI backend solutions in Python?
- Scripts for a local slapd-ldap instance used as admin proxy for bulk operations from ansible plays, a dynamic ansible inventory based on Æ-DIR entries, or similar.
- proper keyring support for tools (inspired by Mirko's password_from_keyring-py)
- Automated authentication configuration (set userPassword) for aeHost and aeService
- Dynamic inventory module for accessing attributes in Æ-DIR entries
- Log performance data as Graylog Extended Log Format (GELF)
- The web applications should use Python's logging module with the logging configuration file ae-logging.conf
- Add a cee_syslog_handler to file ae-logging.conf
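What a GELF record for performance data looks like and how it goes over UDP, as an added example that is not Æ-DIR code. It follows the GELF 1.1 format: a JSON object with version, host, short_message, timestamp (seconds since the epoch, fractions allowed) and a syslog level, plus additional fields that must carry an underscore prefix, with "_id" reserved; payloads larger than one datagram are split into chunks with a 12-byte header (magic 0x1e 0x0f, 8-byte message id, sequence number, sequence count, at most 128 chunks). The operation and field names, the Graylog address and the zlib compression choice are assumptions of this example:

```python
"""Emit timing data as GELF over UDP. Added example, not Æ-DIR code."""
import json
import os
import socket
import time
import zlib
from contextlib import contextmanager
from typing import Dict, Iterator, List

GELF_CHUNK_MAGIC = b"\x1e\x0f"
GELF_MAX_CHUNKS = 128
LEVEL_ERROR = 3  # syslog severities
LEVEL_INFO = 6


def gelf_record(host: str, short_message: str, level: int = LEVEL_INFO,
                **extra) -> Dict[str, object]:
    """Build a GELF 1.1 message; extra keyword args become "_name" fields."""
    rec: Dict[str, object] = {"version": "1.1", "host": host,
                              "short_message": short_message,
                              "timestamp": time.time(), "level": level}
    for name, value in extra.items():
        if name == "id":
            raise ValueError("_id is reserved by GELF")
        rec["_" + name] = value
    return rec


def gelf_chunks(payload: bytes, chunk_size: int = 8192) -> List[bytes]:
    """Split a payload into GELF UDP chunks; small payloads go unchunked."""
    body = chunk_size - 12  # room for the chunk header
    pieces = [payload[i:i + body] for i in range(0, len(payload), body)] or [payload]
    if len(pieces) > GELF_MAX_CHUNKS:
        raise ValueError("message too large for GELF chunking")
    if len(pieces) == 1:
        return pieces
    msg_id = os.urandom(8)  # same id on every chunk of one message
    return [GELF_CHUNK_MAGIC + msg_id + bytes([seq, len(pieces)]) + piece
            for seq, piece in enumerate(pieces)]


def send_gelf(rec: Dict[str, object],
              addr=("graylog.example.com", 12201)) -> None:  # address assumed
    payload = zlib.compress(json.dumps(rec).encode("utf-8"))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for chunk in gelf_chunks(payload):
            sock.sendto(chunk, addr)


@contextmanager
def timed_operation(sink: List[Dict[str, object]], host: str,
                    operation: str) -> Iterator[None]:
    """Time a block and append one GELF record with _duration_ms to sink."""
    start = time.monotonic()
    level = LEVEL_INFO
    try:
        yield
    except Exception:
        level = LEVEL_ERROR
        raise
    finally:
        duration_ms = round((time.monotonic() - start) * 1000.0, 3)
        sink.append(gelf_record(host, f"{operation} took {duration_ms} ms", level=level,
                                operation=operation, duration_ms=duration_ms,
                                success=(level == LEVEL_INFO)))


def demo_records(host: str = "ae-dir-p1.example.com") -> List[Dict[str, object]]:
    """Two constructed operations, one failing, as GELF records."""
    sink: List[Dict[str, object]] = []
    with timed_operation(sink, host, "ldap_search"):
        time.sleep(0.001)  # stand-in for the real LDAP search
    try:
        with timed_operation(sink, host, "ldap_bind"):
            raise RuntimeError("constructed bind failure")
    except RuntimeError:
        pass
    return sink


if __name__ == "__main__":
    for rec in demo_records():
        print(json.dumps(rec))  # replace with send_gelf(rec) to ship them
```

Shipping numeric fields such as _duration_ms as JSON numbers (not strings) is what makes them usable for Graylog aggregations and alert thresholds; the level field stays the syslog severity so existing "level <= 3" alarms pick up failed operations.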
- Extend one of the following Python daemon implementations to look up the correct boot config in Æ-DIR:
- make use of aeNwDevice
Network Access Control (NAC)
Support for RADIUS with dynamic RADIUS client configuration (see also NAC).
- FreeRADIUS: has many features, basic LDAP authc out-of-the-box
- BSDRadius: needs own module
- thin implementation based on pyrad
- use PowerDNS to serve attributes as DNS RRs to augment regular DNS service:
- use the remote backend (preferably with DNSSEC) via pdns-remotebackend-python
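A minimal version of what such a backend exchanges with PowerDNS, as an added example that is neither Æ-DIR nor pdns-remotebackend-python code. The protocol is the one documented for the PowerDNS remote backend pipe connector: one JSON object per line, `{"method": ..., "parameters": {...}}` in and `{"result": ...}` out, where result is a list of RRs (qtype, qname, content, ttl) or false. The aeHost entries are constructed; mapping the ipHostNumber attribute to A records and serving the zone apex SOA/NS from constants are assumptions of this example:

```python
"""PowerDNS remote backend (pipe connector) answering from aeHost data.

Added example, not Æ-DIR code. AE_HOSTS and the zone constants are constructed.
"""
import json
import sys
from typing import Dict, List, TextIO

ZONE = "ae.example.com"  # assumed zone served from directory data
TTL = 300
APEX_RRS = [
    ("SOA", "ns1.ae.example.com. hostmaster.ae.example.com. 2024010101 3600 600 604800 300"),
    ("NS", "ns1.ae.example.com."),
]

# Constructed aeHost entries keyed by DN (attribute values already decoded to str).
AE_HOSTS: Dict[str, Dict[str, List[str]]] = {
    "host=web1.ae.example.com,cn=ae-web,cn=ae,ou=ae-dir": {
        "host": ["web1.ae.example.com"], "ipHostNumber": ["192.0.2.10"]},
    "host=db1.ae.example.com,cn=ae-db,cn=ae,ou=ae-dir": {
        "host": ["db1.ae.example.com"], "ipHostNumber": ["192.0.2.20", "192.0.2.21"]},
}


def normalize(name: str) -> str:
    """DNS names are case-insensitive; accept with or without trailing dot."""
    return name.rstrip(".").lower()


def records_for(qname: str, qtype: str) -> List[Dict[str, object]]:
    """RRs for one query; qname is echoed back exactly as PowerDNS sent it."""
    name = normalize(qname)
    qtype = qtype.upper()
    rrs: List[Dict[str, object]] = []
    if name == ZONE:
        rrs += [{"qtype": t, "qname": qname, "content": c, "ttl": TTL} for t, c in APEX_RRS]
    for entry in AE_HOSTS.values():
        if normalize(entry["host"][0]) == name:
            rrs += [{"qtype": "A", "qname": qname, "content": ip, "ttl": TTL}
                    for ip in entry.get("ipHostNumber", [])]
    if qtype != "ANY":
        rrs = [rr for rr in rrs if rr["qtype"] == qtype]
    return rrs


def handle(request: Dict[str, object]) -> Dict[str, object]:
    """Dispatch one decoded request; unsupported methods return false."""
    method = request.get("method")
    params = request.get("parameters") or {}
    if method == "initialize":
        return {"result": True}
    if method == "lookup":
        rrs = records_for(str(params.get("qname", "")), str(params.get("qtype", "ANY")))
        return {"result": rrs or False}
    # list, getDomainMetadata and the DNSSEC key methods are not implemented here
    return {"result": False}


def respond(line: str) -> str:
    """One request line in, one response line out; never crash the backend."""
    try:
        request = json.loads(line)
    except ValueError:
        return json.dumps({"result": False, "log": ["malformed request"]})
    if not isinstance(request, dict):
        return json.dumps({"result": False, "log": ["request is not an object"]})
    return json.dumps(handle(request))


def serve(inp: TextIO, out: TextIO) -> None:
    for line in inp:
        if line.strip():
            out.write(respond(line) + "\n")
            out.flush()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Two things matter operationally: the backend must answer every line (a hung or crashed pipe backend stalls PowerDNS), hence the catch-all in respond(); and "preferably with DNSSEC" means the key-handling methods (getDomainKeys and friends) have to be implemented too, or the zone signed by PowerDNS itself, which this skeleton does not do.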
- specific web application for administrative use-cases
- Python / flask / WTForms…
- Simple reporting use-cases (expired objects etc.).
- Graph reporting of data structures in a zone.
Define a ruleset for ModSecurity.
- Consolidate various command-line tools into one tool with sub-commands within Python module package aedir.
Implement following use-cases:
- Add aeHost entries
- Set password (replace ae-passwd.py)
- Make use of Subresource Integrity either with ansible-generated hashes or on-the-fly-generation in the web app(s):
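How SRI values are produced and checked, as an added example that is not Æ-DIR web-app code. An integrity value is the hash algorithm name, a dash and the standard Base64 of the raw digest; the attribute may list several values separated by whitespace, and per the SRI spec a client only considers the strongest algorithm present and passes if any value of that algorithm matches. The same function serves both variants from the to-do item: run it in an ansible task at deploy time, or call it from the web app when rendering the tag. The asset contents are constructed:

```python
"""Generate and verify Subresource Integrity values. Added example, not Æ-DIR code."""
import base64
import hashlib
import hmac
from typing import Dict, List

# Algorithms the SRI spec allows, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(data: bytes, algorithm: str = "sha384") -> str:
    """Integrity value for data, e.g. "sha384-<base64 digest>"."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"{algorithm} is not an SRI hash algorithm")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Check data against an integrity attribute the way a browser does:
    use only the strongest algorithm listed, accept if any of its values
    matches. Unlike a browser, which treats unparseable metadata as
    "no integrity", this server-side check fails closed."""
    by_algo: Dict[str, List[str]] = {}
    for token in integrity.split():
        algo, _, value = token.partition("-")
        value = value.split("?", 1)[0]  # drop an option-expression like "?foo"
        if algo in SRI_ALGORITHMS and value:
            by_algo.setdefault(algo, []).append(value)
    if not by_algo:
        return False
    strongest = max(by_algo, key=SRI_ALGORITHMS.index)
    expected = base64.b64encode(hashlib.new(strongest, data).digest()).decode("ascii")
    return any(hmac.compare_digest(expected, v) for v in by_algo[strongest])


def script_tag(src: str, data: bytes) -> str:
    """<script> tag with the integrity attribute for the given file content.
    crossorigin is needed for cross-origin assets, harmless for same-origin."""
    return (f'<script src="{src}" integrity="{sri_hash(data)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    js = b"document.title = 'constructed sample asset';\n"
    print(script_tag("/static/app.js", js))
    print(verify_sri(js, sri_hash(js)), verify_sri(js + b" ", sri_hash(js)))
```

The strongest-algorithm rule is worth noting when generating hashes: an attribute that lists a correct sha256 and a stale sha512 fails in the browser, because the sha256 is ignored, so regenerate all listed values together whenever the asset changes.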
Possible LDAP modules with support for Python 3.x:
Prepare compliance statements: