To secure the block storage:
Set strict access permissions (at least 640
) for the following
configuration files in /etc/cinder/
: cinder.conf
, api-paste.ini
,
policy.json
, rootwrap.conf
.
Do not set the noauth
value to parameter auth_strategy
under
the [DEFAULT]
section.
Enable TLS for authentication.
Enable secure file permissions for Network-attached storage (NAS) by
the following setting in /etc/cinder/cinder.conf
:
[DEFAULT]
nas_secure_file_permissions = auto
To avoid a DoS attack when an attacker sends an oversized request, verify
osapi_max_request_body_size
or max_request_body_size
under the
[oslo_middleware]
section in /etc/cinder/cinder.conf
is set to
114688
:
[DEFAULT]
osapi_max_request_body_size = 114688
[oslo_middleware]
max_request_body_size = 114688