)]}'
{"security-guide-rst/source/compute.rst":[{"author":{"_account_id":6547,"name":"Andreas Jaeger","email":"jaegerandi@gmail.com","username":"jaegerandi"},"change_message_id":"1a505a930ce4a99200d53d9b35d5d14931fc0158","unresolved":false,"context_lines":[{"line_number":58,"context_line":"As part of your hypervisor selection process, you must consider a number of"},{"line_number":59,"context_line":"important factors to help increase your security posture. Specifically, you"},{"line_number":60,"context_line":"must become familiar with these areas:"},{"line_number":61,"context_line":"* Team expertise"},{"line_number":62,"context_line":"* Product or project maturity"},{"line_number":63,"context_line":"* Common criteria"},{"line_number":64,"context_line":"* Certifications and attestations"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a50d1a3_25024970","line":61,"updated":"2015-07-21 06:25:36.000000000","message":"Empty line before any list","commit_id":"8960266221f5ca24185da7649057078442c5478f"},{"author":{"_account_id":6547,"name":"Andreas Jaeger","email":"jaegerandi@gmail.com","username":"jaegerandi"},"change_message_id":"1a505a930ce4a99200d53d9b35d5d14931fc0158","unresolved":false,"context_lines":[{"line_number":91,"context_line":"The maturity of a given hypervisor product or project is critical to your"},{"line_number":92,"context_line":"security posture as well. 
Product maturity has a number of effects once you"},{"line_number":93,"context_line":"have deployed your cloud:"},{"line_number":94,"context_line":"* Availability of expertise"},{"line_number":95,"context_line":"* Active developer and user communities"},{"line_number":96,"context_line":"* Timeliness and availability of updates"},{"line_number":97,"context_line":"* Incidence response"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a50d1a3_85f31d9e","line":94,"updated":"2015-07-21 06:25:36.000000000","message":"Empty line before any list","commit_id":"8960266221f5ca24185da7649057078442c5478f"},{"author":{"_account_id":6547,"name":"Andreas Jaeger","email":"jaegerandi@gmail.com","username":"jaegerandi"},"change_message_id":"1a505a930ce4a99200d53d9b35d5d14931fc0158","unresolved":false,"context_lines":[{"line_number":100,"context_line":"vibrancy of the community that surrounds it. As this concerns security, the"},{"line_number":101,"context_line":"quality of the community affects the availability of expertise if you need"},{"line_number":102,"context_line":"additional cloud operators. It is also a sign of how widely deployed the"},{"line_number":103,"context_line":"hypervisor is, in turn leading to the battle readiness of any reference "},{"line_number":104,"context_line":"architectures and best practices."},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"Further, the quality of community, as it surrounds an open source hypervisor"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a50d1a3_05ff0d68","line":103,"updated":"2015-07-21 06:25:36.000000000","message":"extra whitespace at EOL","commit_id":"8960266221f5ca24185da7649057078442c5478f"},{"author":{"_account_id":6547,"name":"Andreas Jaeger","email":"jaegerandi@gmail.com","username":"jaegerandi"},"change_message_id":"1a505a930ce4a99200d53d9b35d5d14931fc0158","unresolved":false,"context_lines":[{"line_number":132,"context_line":"perform as advertised. 
In the government sector, NSTISSP No. 11 mandates that"},{"line_number":133,"context_line":"U.S. Government agencies only procure software which has been Common Criteria"},{"line_number":134,"context_line":"certified, a policy which has been in place since July 2002. It should be"},{"line_number":135,"context_line":"specifically noted that OpenStack has not undergone Common Criteria "},{"line_number":136,"context_line":"certification, however many of the available hypervisors have."},{"line_number":137,"context_line":""},{"line_number":138,"context_line":"In addition to validating a technologies capabilities, the Common Criteria"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a50d1a3_452c3502","line":135,"updated":"2015-07-21 06:25:36.000000000","message":"extra whitespace at EOL","commit_id":"8960266221f5ca24185da7649057078442c5478f"},{"author":{"_account_id":6547,"name":"Andreas Jaeger","email":"jaegerandi@gmail.com","username":"jaegerandi"},"change_message_id":"1a505a930ce4a99200d53d9b35d5d14931fc0158","unresolved":false,"context_lines":[{"line_number":137,"context_line":""},{"line_number":138,"context_line":"In addition to validating a technologies capabilities, the Common Criteria"},{"line_number":139,"context_line":"process evaluates *how*  technologies are developed."},{"line_number":140,"context_line":"* How is source code management performed?"},{"line_number":141,"context_line":"* How are users granted access to build systems?"},{"line_number":142,"context_line":"* Is the technology cryptographically signed before distribution?"},{"line_number":143,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a50d1a3_652ff1f6","line":140,"updated":"2015-07-21 06:25:36.000000000","message":"Empty line before any list","commit_id":"8960266221f5ca24185da7649057078442c5478f"},{"author":{"_account_id":6547,"name":"Andreas 
Jaeger","email":"jaegerandi@gmail.com","username":"jaegerandi"},"change_message_id":"1a505a930ce4a99200d53d9b35d5d14931fc0158","unresolved":false,"context_lines":[{"line_number":158,"context_line":"achieved Common Criteria Certification their underlying certified feature set"},{"line_number":159,"context_line":"differs. It is recommended to evaluate vendor claims to ensure they minimally"},{"line_number":160,"context_line":"satisfy the following requirements:"},{"line_number":161,"context_line":"#TODO: figure out tables, and if they\u0027re needed here"},{"line_number":162,"context_line":"      \u003cinformaltable rules\u003d\"all\" width\u003d\"80%\"\u003e"},{"line_number":163,"context_line":"        \u003ccolgroup\u003e"},{"line_number":164,"context_line":"          \u003ccol/\u003e"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a50d1a3_a545f9b3","line":161,"updated":"2015-07-21 06:25:36.000000000","message":"Use list-table, this one works best here.","commit_id":"8960266221f5ca24185da7649057078442c5478f"},{"author":{"_account_id":6547,"name":"Andreas Jaeger","email":"jaegerandi@gmail.com","username":"jaegerandi"},"change_message_id":"1a505a930ce4a99200d53d9b35d5d14931fc0158","unresolved":false,"context_lines":[{"line_number":297,"context_line":"When selecting a hypervisor, the following are recommended algorithms and"},{"line_number":298,"context_line":"implementation standards to ensure the virtualization layer supports:"},{"line_number":299,"context_line":"#TODO: figure out tables and if they\u0027re needed here"},{"line_number":300,"context_line":"      \u003cinformaltable rules\u003d\"all\" width\u003d\"80%\"\u003e"},{"line_number":301,"context_line":"        \u003ccolgroup\u003e"},{"line_number":302,"context_line":"          \u003ccol/\u003e"},{"line_number":303,"context_line":"          \u003ccol/\u003e"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a50d1a3_a5e1799c","line":300,"updated":"2015-07-21 
06:25:36.000000000","message":"Best use list-table, see http://git.openstack.org/cgit/openstack/openstack-manuals/tree/doc/user-guide/source/cli_nova_launch_instance_from_volume.rst#n10 for an example","commit_id":"8960266221f5ca24185da7649057078442c5478f"},{"author":{"_account_id":6547,"name":"Andreas Jaeger","email":"jaegerandi@gmail.com","username":"jaegerandi"},"change_message_id":"1a505a930ce4a99200d53d9b35d5d14931fc0158","unresolved":false,"context_lines":[{"line_number":623,"context_line":"      \u003c/informaltable\u003e"},{"line_number":624,"context_line":"MAC Policy: Mandatory Access Control; may be implemented with SELinux or other"},{"line_number":625,"context_line":"operating systems"},{"line_number":626,"context_line":"* Features in this table might not be applicable to all hypervisors or directly "},{"line_number":627,"context_line":"mappable between hypervisors."},{"line_number":628,"context_line":""},{"line_number":629,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a50d1a3_a5f8994a","line":626,"updated":"2015-07-21 06:25:36.000000000","message":"Extra whitespace at EOL - and please add everywhere an empty line before lists.","commit_id":"8960266221f5ca24185da7649057078442c5478f"},{"author":{"_account_id":979,"name":"Dave Walker","email":"email@daviey.com","username":"davewalker"},"change_message_id":"28d31bd0c9f7d0da4adf6dd16c28443d40e8f36a","unresolved":false,"context_lines":[{"line_number":8,"context_line":"when using the OpenStack Compute service, and these can be"},{"line_number":9,"context_line":"deployment-specific. In this chapter we will call out general best practice"},{"line_number":10,"context_line":"around Compute security as well as specific known configurations that can lead"},{"line_number":11,"context_line":"to security issues. In general, the *nova.conf* file and the */var/lib/nova*"},{"line_number":12,"context_line":"locations should be secured. 
Controls like centralized logging, the"},{"line_number":13,"context_line":"*policy.json* file, and a mandatory access control framework should be"},{"line_number":14,"context_line":"implemented. Additionally, there are environmental considerations to keep in"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a50d1a3_d38f3673","line":11,"updated":"2015-07-23 00:11:50.000000000","message":"should this be :file: ?","commit_id":"f7b185e19ab96896a20c76bc173415034f81c1c3"},{"author":{"_account_id":12325,"name":"Nathaniel Dillon","email":"nathaniel.dillon@alumni.depaul.edu","username":"sicarie"},"change_message_id":"a2fc822da643ecc3c7a554a1647ea437985ff0f5","unresolved":false,"context_lines":[{"line_number":8,"context_line":"when using the OpenStack Compute service, and these can be"},{"line_number":9,"context_line":"deployment-specific. In this chapter we will call out general best practice"},{"line_number":10,"context_line":"around Compute security as well as specific known configurations that can lead"},{"line_number":11,"context_line":"to security issues. In general, the *nova.conf* file and the */var/lib/nova*"},{"line_number":12,"context_line":"locations should be secured. Controls like centralized logging, the"},{"line_number":13,"context_line":"*policy.json* file, and a mandatory access control framework should be"},{"line_number":14,"context_line":"implemented. 
Additionally, there are environmental considerations to keep in"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a50d1a3_c3b2da05","line":11,"in_reply_to":"3a50d1a3_d38f3673","updated":"2015-07-23 16:06:26.000000000","message":"Done","commit_id":"f7b185e19ab96896a20c76bc173415034f81c1c3"},{"author":{"_account_id":979,"name":"Dave Walker","email":"email@daviey.com","username":"davewalker"},"change_message_id":"28d31bd0c9f7d0da4adf6dd16c28443d40e8f36a","unresolved":false,"context_lines":[{"line_number":10,"context_line":"around Compute security as well as specific known configurations that can lead"},{"line_number":11,"context_line":"to security issues. In general, the *nova.conf* file and the */var/lib/nova*"},{"line_number":12,"context_line":"locations should be secured. Controls like centralized logging, the"},{"line_number":13,"context_line":"*policy.json* file, and a mandatory access control framework should be"},{"line_number":14,"context_line":"implemented. Additionally, there are environmental considerations to keep in"},{"line_number":15,"context_line":"mind, depending on what functionality is desired for your cloud."},{"line_number":16,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a50d1a3_7343c213","line":13,"updated":"2015-07-23 00:11:50.000000000","message":"::file::","commit_id":"f7b185e19ab96896a20c76bc173415034f81c1c3"},{"author":{"_account_id":12325,"name":"Nathaniel Dillon","email":"nathaniel.dillon@alumni.depaul.edu","username":"sicarie"},"change_message_id":"a2fc822da643ecc3c7a554a1647ea437985ff0f5","unresolved":false,"context_lines":[{"line_number":10,"context_line":"around Compute security as well as specific known configurations that can lead"},{"line_number":11,"context_line":"to security issues. In general, the *nova.conf* file and the */var/lib/nova*"},{"line_number":12,"context_line":"locations should be secured. 
Controls like centralized logging, the"},{"line_number":13,"context_line":"*policy.json* file, and a mandatory access control framework should be"},{"line_number":14,"context_line":"implemented. Additionally, there are environmental considerations to keep in"},{"line_number":15,"context_line":"mind, depending on what functionality is desired for your cloud."},{"line_number":16,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a50d1a3_e3b596ec","line":13,"in_reply_to":"3a50d1a3_7343c213","updated":"2015-07-23 16:06:26.000000000","message":"Done","commit_id":"f7b185e19ab96896a20c76bc173415034f81c1c3"}],"security-guide-rst/source/compute/case-studies.rst":[{"author":{"_account_id":979,"name":"Dave Walker","email":"email@daviey.com","username":"davewalker"},"change_message_id":"28d31bd0c9f7d0da4adf6dd16c28443d40e8f36a","unresolved":false,"context_lines":[{"line_number":11,"context_line":""},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Alice\u0027s private cloud"},{"line_number":14,"context_line":"---------------------"},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"Alice chooses Xen for the hypervisor in her cloud due to a strong internal"},{"line_number":17,"context_line":"knowledge base and a desire to use the Xen security modules (XSM) for"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a50d1a3_13e11e2d","line":14,"updated":"2015-07-23 00:11:50.000000000","message":"Shouldn\u0027t this be ~~~~~ to represent h2?","commit_id":"f7b185e19ab96896a20c76bc173415034f81c1c3"},{"author":{"_account_id":12325,"name":"Nathaniel Dillon","email":"nathaniel.dillon@alumni.depaul.edu","username":"sicarie"},"change_message_id":"a2fc822da643ecc3c7a554a1647ea437985ff0f5","unresolved":false,"context_lines":[{"line_number":11,"context_line":""},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Alice\u0027s private 
cloud"},{"line_number":14,"context_line":"---------------------"},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"Alice chooses Xen for the hypervisor in her cloud due to a strong internal"},{"line_number":17,"context_line":"knowledge base and a desire to use the Xen security modules (XSM) for"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a50d1a3_a3930e5a","line":14,"in_reply_to":"3a50d1a3_13e11e2d","updated":"2015-07-23 16:06:26.000000000","message":"Done","commit_id":"f7b185e19ab96896a20c76bc173415034f81c1c3"},{"author":{"_account_id":979,"name":"Dave Walker","email":"email@daviey.com","username":"davewalker"},"change_message_id":"28d31bd0c9f7d0da4adf6dd16c28443d40e8f36a","unresolved":false,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"Bob\u0027s public cloud"},{"line_number":34,"context_line":"------------------"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Bob is very concerned about instance isolation since the users in a public"},{"line_number":37,"context_line":"cloud represent anyone with a credit card, meaning they are inherently"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a50d1a3_f3e1122b","line":34,"updated":"2015-07-23 00:11:50.000000000","message":"as above.","commit_id":"f7b185e19ab96896a20c76bc173415034f81c1c3"},{"author":{"_account_id":12325,"name":"Nathaniel Dillon","email":"nathaniel.dillon@alumni.depaul.edu","username":"sicarie"},"change_message_id":"a2fc822da643ecc3c7a554a1647ea437985ff0f5","unresolved":false,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"Bob\u0027s public cloud"},{"line_number":34,"context_line":"------------------"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Bob is very concerned about instance isolation since the users in a 
public"},{"line_number":37,"context_line":"cloud represent anyone with a credit card, meaning they are inherently"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a50d1a3_439eca63","line":34,"in_reply_to":"3a50d1a3_f3e1122b","updated":"2015-07-23 16:06:26.000000000","message":"Done","commit_id":"f7b185e19ab96896a20c76bc173415034f81c1c3"},{"author":{"_account_id":979,"name":"Dave Walker","email":"email@daviey.com","username":"davewalker"},"change_message_id":"797c0284d3cb8a5edb30e8de2d2a9c46f0832cb4","unresolved":false,"context_lines":[{"line_number":5,"context_line":".. TODO (elmiko) fixup introduction chapter link to point to intro to"},{"line_number":6,"context_line":"   case studies"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"Earlier in :doc:`../introduction` we introduced the Alice and Bob case"},{"line_number":9,"context_line":"studies where Alice is deploying a private government cloud and Bob is"},{"line_number":10,"context_line":"deploying a public cloud each with different security requirements."},{"line_number":11,"context_line":"Here we discuss how Alice and Bob would ensure that their instances are"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a50d1a3_2a6c7c07","line":8,"updated":"2015-07-24 14:25:46.000000000","message":"This TODO can be closed now that the file it is referencing has landed:\n:doc:`../introduction/introduction-to-case-studies`","commit_id":"81743d7407d5dfd4b2eaaed57e48d6b96f23574a"}],"security-guide-rst/source/compute/hardening-deployments.rst":[{"author":{"_account_id":979,"name":"Dave Walker","email":"email@daviey.com","username":"davewalker"},"change_message_id":"28d31bd0c9f7d0da4adf6dd16c28443d40e8f36a","unresolved":false,"context_lines":[{"line_number":19,"context_line":"information such as the last time the file was modified and when it was"},{"line_number":20,"context_line":"created."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"The ``/var/lib/nova`` 
directory is used to hold details about the instances on"},{"line_number":23,"context_line":"a given Compute host. This directory should be considered sensitive as well,"},{"line_number":24,"context_line":"with strictly enforced file permissions. Additionally, it should be backed up"},{"line_number":25,"context_line":"regularly as it contains information and metadata for the instances associated"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a50d1a3_73cc22bb","line":22,"updated":"2015-07-23 00:11:50.000000000","message":"Should this be ::file::?","commit_id":"f7b185e19ab96896a20c76bc173415034f81c1c3"},{"author":{"_account_id":12325,"name":"Nathaniel Dillon","email":"nathaniel.dillon@alumni.depaul.edu","username":"sicarie"},"change_message_id":"a2fc822da643ecc3c7a554a1647ea437985ff0f5","unresolved":false,"context_lines":[{"line_number":19,"context_line":"information such as the last time the file was modified and when it was"},{"line_number":20,"context_line":"created."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"The ``/var/lib/nova`` directory is used to hold details about the instances on"},{"line_number":23,"context_line":"a given Compute host. This directory should be considered sensitive as well,"},{"line_number":24,"context_line":"with strictly enforced file permissions. Additionally, it should be backed up"},{"line_number":25,"context_line":"regularly as it contains information and metadata for the instances associated"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a50d1a3_e3a03644","line":22,"in_reply_to":"3a50d1a3_73cc22bb","updated":"2015-07-23 16:06:26.000000000","message":"Done","commit_id":"f7b185e19ab96896a20c76bc173415034f81c1c3"},{"author":{"_account_id":6547,"name":"Andreas Jaeger","email":"jaegerandi@gmail.com","username":"jaegerandi"},"change_message_id":"1af53a378289dc834cc1bcd2cab2cd8f81f0ebe3","unresolved":false,"context_lines":[{"line_number":95,"context_line":"hypervisor(s) you have chosen. 
Several common hypervisor security lists are"},{"line_number":96,"context_line":"below:"},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"* Xen:"},{"line_number":99,"context_line":"     `http://xenbits.xen.org/xsa/ \u003chttp://xenbits.xen.org/xsa/\u003e`__"},{"line_number":100,"context_line":"* VMWare:"},{"line_number":101,"context_line":"     `http://blogs.vmware.com/security/ \u003chttp://blogs.vmware.com/security/\u003e`__"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3a50d1a3_a8699027","line":98,"updated":"2015-07-24 03:47:43.000000000","message":"Remove initial * for a definition list","commit_id":"bd4cf8b5262af190bad73008a8db07da7141f4ea"}],"security-guide-rst/source/compute/hardening-the-virtualization-layers.rst":[{"author":{"_account_id":979,"name":"Dave Walker","email":"email@daviey.com","username":"davewalker"},"change_message_id":"28d31bd0c9f7d0da4adf6dd16c28443d40e8f36a","unresolved":false,"context_lines":[{"line_number":217,"context_line":"the virtual machine\u0027s access to resources outside of its boundary such as host"},{"line_number":218,"context_line":"machine data files or other VMs."},{"line_number":219,"context_line":""},{"line_number":220,"context_line":".. 
image:: static/sVirt_Diagram_1.png"},{"line_number":221,"context_line":""},{"line_number":222,"context_line":"As shown above, sVirt isolation is provided regardless of the guest Operating"},{"line_number":223,"context_line":"System running inside the virtual machine\u0026mdash;Linux or Windows VMs can be"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a50d1a3_33f8dac2","line":220,"updated":"2015-07-23 00:11:50.000000000","message":"I think this should be ../figure/ , not static.","commit_id":"f7b185e19ab96896a20c76bc173415034f81c1c3"},{"author":{"_account_id":12325,"name":"Nathaniel Dillon","email":"nathaniel.dillon@alumni.depaul.edu","username":"sicarie"},"change_message_id":"a2fc822da643ecc3c7a554a1647ea437985ff0f5","unresolved":false,"context_lines":[{"line_number":217,"context_line":"the virtual machine\u0027s access to resources outside of its boundary such as host"},{"line_number":218,"context_line":"machine data files or other VMs."},{"line_number":219,"context_line":""},{"line_number":220,"context_line":".. 
image:: static/sVirt_Diagram_1.png"},{"line_number":221,"context_line":""},{"line_number":222,"context_line":"As shown above, sVirt isolation is provided regardless of the guest Operating"},{"line_number":223,"context_line":"System running inside the virtual machine\u0026mdash;Linux or Windows VMs can be"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a50d1a3_c9219b9f","line":220,"in_reply_to":"3a50d1a3_33f8dac2","updated":"2015-07-23 16:06:26.000000000","message":"Done","commit_id":"f7b185e19ab96896a20c76bc173415034f81c1c3"},{"author":{"_account_id":979,"name":"Dave Walker","email":"email@daviey.com","username":"davewalker"},"change_message_id":"28d31bd0c9f7d0da4adf6dd16c28443d40e8f36a","unresolved":false,"context_lines":[{"line_number":281,"context_line":""},{"line_number":282,"context_line":"   * -sVirt SELinux Boolean"},{"line_number":283,"context_line":"     - Description"},{"line_number":284,"context_line":"   * - virt_use_common "},{"line_number":285,"context_line":"     - Allow virt to use serial/parallel communication ports."},{"line_number":286,"context_line":"   * - virt_use_fusefs"},{"line_number":287,"context_line":"     - Allow virt to read FUSE mounted files."}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a50d1a3_932f6e3e","line":284,"updated":"2015-07-23 00:11:50.000000000","message":"white space","commit_id":"f7b185e19ab96896a20c76bc173415034f81c1c3"},{"author":{"_account_id":12325,"name":"Nathaniel Dillon","email":"nathaniel.dillon@alumni.depaul.edu","username":"sicarie"},"change_message_id":"a2fc822da643ecc3c7a554a1647ea437985ff0f5","unresolved":false,"context_lines":[{"line_number":281,"context_line":""},{"line_number":282,"context_line":"   * -sVirt SELinux Boolean"},{"line_number":283,"context_line":"     - Description"},{"line_number":284,"context_line":"   * - virt_use_common "},{"line_number":285,"context_line":"     - Allow virt to use serial/parallel communication ports."},{"line_number":286,"context_line":"   * - 
virt_use_fusefs"},{"line_number":287,"context_line":"     - Allow virt to read FUSE mounted files."}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a50d1a3_29335ff7","line":284,"in_reply_to":"3a50d1a3_932f6e3e","updated":"2015-07-23 16:06:26.000000000","message":"Done","commit_id":"f7b185e19ab96896a20c76bc173415034f81c1c3"},{"author":{"_account_id":6547,"name":"Andreas Jaeger","email":"jaegerandi@gmail.com","username":"jaegerandi"},"change_message_id":"1af53a378289dc834cc1bcd2cab2cd8f81f0ebe3","unresolved":false,"context_lines":[{"line_number":102,"context_line":""},{"line_number":103,"context_line":".. code:: console"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"   *$* glance image-update \\"},{"line_number":106,"context_line":"    --property hw_disk_bus\u003dide \\"},{"line_number":107,"context_line":"    --property hw_cdrom_bus\u003dide \\"},{"line_number":108,"context_line":"    --property hw_vif_model\u003de1000 \\"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3a50d1a3_c80adc79","line":105,"updated":"2015-07-24 03:47:43.000000000","message":"Don\u0027t use *$*, use just \"$\"","commit_id":"bd4cf8b5262af190bad73008a8db07da7141f4ea"},{"author":{"_account_id":6547,"name":"Andreas Jaeger","email":"jaegerandi@gmail.com","username":"jaegerandi"},"change_message_id":"1af53a378289dc834cc1bcd2cab2cd8f81f0ebe3","unresolved":false,"context_lines":[{"line_number":131,"context_line":"verification is called"},{"line_number":132,"context_line":"`checksec.sh \u003chttp://www.trapkit.de/tools/checksec.html\u003e`__"},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"* RELocation Read-Only (RELRO)"},{"line_number":135,"context_line":"     Hardens the data sections of an executable. Both full and partial RELRO"},{"line_number":136,"context_line":"     modes are supported by gcc. 
For QEMU full RELRO is your best choice."},{"line_number":137,"context_line":"     This will make the global offset table read-only and place various"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3a50d1a3_8825b40b","line":134,"updated":"2015-07-24 03:47:43.000000000","message":"Remove the extra * in front, this is a definition list. It renders ugly this way in HTML.","commit_id":"bd4cf8b5262af190bad73008a8db07da7141f4ea"},{"author":{"_account_id":6547,"name":"Andreas Jaeger","email":"jaegerandi@gmail.com","username":"jaegerandi"},"change_message_id":"1af53a378289dc834cc1bcd2cab2cd8f81f0ebe3","unresolved":false,"context_lines":[{"line_number":203,"context_line":"OpenStack\u0027s sVirt implementation aspires to protect hypervisor hosts and"},{"line_number":204,"context_line":"virtual machines against two primary threat vectors:"},{"line_number":205,"context_line":""},{"line_number":206,"context_line":"* Hypervisor threats"},{"line_number":207,"context_line":"     A compromised application running within a virtual machine attacks the"},{"line_number":208,"context_line":"     hypervisor to access underlying resources. 
For example, when a virtual"},{"line_number":209,"context_line":"     machine is able to access the hypervisor OS, physical devices, or other"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3a50d1a3_681ce8c1","line":206,"updated":"2015-07-24 03:47:43.000000000","message":"This is a definition list, remove initial *","commit_id":"bd4cf8b5262af190bad73008a8db07da7141f4ea"},{"author":{"_account_id":6547,"name":"Andreas Jaeger","email":"jaegerandi@gmail.com","username":"jaegerandi"},"change_message_id":"1af53a378289dc834cc1bcd2cab2cd8f81f0ebe3","unresolved":false,"context_lines":[{"line_number":271,"context_line":"be able to access the system, and should have an appropriate context around"},{"line_number":272,"context_line":"both the administrative users and any other users that are on the system."},{"line_number":273,"context_line":""},{"line_number":274,"context_line":"* SELinux users documentation:"},{"line_number":275,"context_line":"     `SELinux.org Users and Roles Overview"},{"line_number":276,"context_line":"     \u003chttp://selinuxproject.org/page/BasicConcepts#Users\u003e`__"},{"line_number":277,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"3a50d1a3_287d80e7","line":274,"updated":"2015-07-24 03:47:43.000000000","message":"This is a definition list, remove initial *","commit_id":"bd4cf8b5262af190bad73008a8db07da7141f4ea"}],"security-guide-rst/source/compute/how-to-select-virtual-consoles.rst":[{"author":{"_account_id":10670,"name":"Michael McCune","email":"elmiko@redhat.com","username":"mimccune"},"change_message_id":"a24e46a54d202740ded0644592ea37d6d9798429","unresolved":false,"context_lines":[{"line_number":37,"context_line":"Bibliography"},{"line_number":38,"context_line":"------------"},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"#. blog.malchuk.ru, OpenStack VNC Security. 2013. 
`Secure Connections to VNC ports"},{"line_number":41,"context_line":"   \u003c\"http://blog.malchuk.ru/2013/05/21/47\u003e`__"},{"line_number":42,"context_line":"#. OpenStack Mailing List, [OpenStack] nova-novnc SSL configuration - Havana."},{"line_number":43,"context_line":"   2014."}],"source_content_type":"text/x-rst","patch_set":5,"id":"3a50d1a3_bc47a176","line":40,"updated":"2015-07-23 19:53:02.000000000","message":"apparently this line is too long","commit_id":"6cac9231f2281d7393baa24efb312a3b935789d2"}],"security-guide-rst/source/compute/hypervisor-selection.rst":[{"author":{"_account_id":979,"name":"Dave Walker","email":"email@daviey.com","username":"davewalker"},"change_message_id":"28d31bd0c9f7d0da4adf6dd16c28443d40e8f36a","unresolved":false,"context_lines":[{"line_number":146,"context_line":"       including individual system calls as well as events generated by trusted"},{"line_number":147,"context_line":"       processes. Audit data is collected in regular files in ASCII format. The"},{"line_number":148,"context_line":"       system provides a program for the purpose of searching the audit records."},{"line_number":149,"context_line":"       "},{"line_number":150,"context_line":"       The system administrator can define a rule base to restrict auditing to"},{"line_number":151,"context_line":"       the events they are interested in. 
This includes the ability to restrict"},{"line_number":152,"context_line":"       auditing to specific events, specific users, specific objects or a"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a50d1a3_d3f096cb","line":149,"updated":"2015-07-23 00:11:50.000000000","message":"white space","commit_id":"f7b185e19ab96896a20c76bc173415034f81c1c3"},{"author":{"_account_id":979,"name":"Dave Walker","email":"email@daviey.com","username":"davewalker"},"change_message_id":"28d31bd0c9f7d0da4adf6dd16c28443d40e8f36a","unresolved":false,"context_lines":[{"line_number":151,"context_line":"       the events they are interested in. This includes the ability to restrict"},{"line_number":152,"context_line":"       auditing to specific events, specific users, specific objects or a"},{"line_number":153,"context_line":"       combination of all of this."},{"line_number":154,"context_line":"       "},{"line_number":155,"context_line":"       Audit records can be transferred to a remote audit daemon."},{"line_number":156,"context_line":"   * - Discretionary Access Control"},{"line_number":157,"context_line":"     - :term:`DAC \u003cDiscretionary Access Control (DAC)\u003e` restricts access to"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a50d1a3_f3eb52da","line":154,"updated":"2015-07-23 00:11:50.000000000","message":"white space","commit_id":"f7b185e19ab96896a20c76bc173415034f81c1c3"},{"author":{"_account_id":979,"name":"Dave Walker","email":"email@daviey.com","username":"davewalker"},"change_message_id":"28d31bd0c9f7d0da4adf6dd16c28443d40e8f36a","unresolved":false,"context_lines":[{"line_number":173,"context_line":"       The access control policy enforced using these categories grant virtual"},{"line_number":174,"context_line":"       machines access to resources if the category of the virtual machine is"},{"line_number":175,"context_line":"       identical to the category of the accessed resource."},{"line_number":176,"context_line":"       
"},{"line_number":177,"context_line":"       The TOE implements non-hierarchical categories to control access to"},{"line_number":178,"context_line":"       virtual machines."},{"line_number":179,"context_line":"   * - Role-Based Access Control"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a50d1a3_13d27e28","line":176,"updated":"2015-07-23 00:11:50.000000000","message":"white space","commit_id":"f7b185e19ab96896a20c76bc173415034f81c1c3"},{"author":{"_account_id":979,"name":"Dave Walker","email":"email@daviey.com","username":"davewalker"},"change_message_id":"28d31bd0c9f7d0da4adf6dd16c28443d40e8f36a","unresolved":false,"context_lines":[{"line_number":202,"context_line":"       hardware memory protection mechanisms. The memory and process management"},{"line_number":203,"context_line":"       components of the kernel ensure a user process cannot access kernel"},{"line_number":204,"context_line":"       storage or storage belonging to other processes."},{"line_number":205,"context_line":"       "},{"line_number":206,"context_line":"       Non-kernel TSF software and data are protected by DAC and process"},{"line_number":207,"context_line":"       isolation mechanisms. In the evaluated configuration, the reserved user"},{"line_number":208,"context_line":"       ID root owns the directories and files that define the TSF"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a50d1a3_f399127a","line":205,"updated":"2015-07-23 00:11:50.000000000","message":"white space","commit_id":"f7b185e19ab96896a20c76bc173415034f81c1c3"},{"author":{"_account_id":979,"name":"Dave Walker","email":"email@daviey.com","username":"davewalker"},"change_message_id":"28d31bd0c9f7d0da4adf6dd16c28443d40e8f36a","unresolved":false,"context_lines":[{"line_number":209,"context_line":"       configuration. 
In general, files and directories containing internal TSF"},{"line_number":210,"context_line":"       data, such as configuration files and batch job queues, are also"},{"line_number":211,"context_line":"       protected from reading by DAC permissions."},{"line_number":212,"context_line":"       "},{"line_number":213,"context_line":"       The system and the hardware and firmware components are required to be"},{"line_number":214,"context_line":"       physically protected from unauthorized access. The system kernel"},{"line_number":215,"context_line":"       mediates all access to the hardware mechanisms themselves, other than"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a50d1a3_b38e2a2c","line":212,"updated":"2015-07-23 00:11:50.000000000","message":"white space","commit_id":"f7b185e19ab96896a20c76bc173415034f81c1c3"},{"author":{"_account_id":979,"name":"Dave Walker","email":"email@daviey.com","username":"davewalker"},"change_message_id":"28d31bd0c9f7d0da4adf6dd16c28443d40e8f36a","unresolved":false,"context_lines":[{"line_number":214,"context_line":"       physically protected from unauthorized access. 
The system kernel"},{"line_number":215,"context_line":"       mediates all access to the hardware mechanisms themselves, other than"},{"line_number":216,"context_line":"       program visible CPU instruction functions."},{"line_number":217,"context_line":"       "},{"line_number":218,"context_line":"       In addition, mechanisms for protection against stack overflow attacks"},{"line_number":219,"context_line":"       are provided."},{"line_number":220,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a50d1a3_13803ef4","line":217,"updated":"2015-07-23 00:11:50.000000000","message":"white space","commit_id":"f7b185e19ab96896a20c76bc173415034f81c1c3"},{"author":{"_account_id":6547,"name":"Andreas Jaeger","email":"jaegerandi@gmail.com","username":"jaegerandi"},"change_message_id":"1af53a378289dc834cc1bcd2cab2cd8f81f0ebe3","unresolved":false,"context_lines":[{"line_number":285,"context_line":"Module Validation Program. NIST certifies algorithms for conformance against"},{"line_number":286,"context_line":"Federal Information Processing Standard 140-2 (FIPS 140-2), which ensures:"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":".. code::"},{"line_number":289,"context_line":""},{"line_number":290,"context_line":"   *Products validated as conforming to FIPS 140-2 are accepted by the Federal"},{"line_number":291,"context_line":"   agencies of both countries [United States and Canada] for the protection of"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3a50d1a3_085f6476","line":288,"updated":"2015-07-24 03:47:43.000000000","message":"The following is not code. 
Remove the extra \"*\" characters, since they get rendered as well.","commit_id":"bd4cf8b5262af190bad73008a8db07da7141f4ea"},{"author":{"_account_id":6547,"name":"Andreas Jaeger","email":"jaegerandi@gmail.com","username":"jaegerandi"},"change_message_id":"1af53a378289dc834cc1bcd2cab2cd8f81f0ebe3","unresolved":false,"context_lines":[{"line_number":470,"context_line":"~~~~~~~~~~~~"},{"line_number":471,"context_line":""},{"line_number":472,"context_line":"#. Sunar, Eisenbarth, Inci, Gorka Irazoqui Apecechea. Fine Grain Cross-VM"},{"line_number":473,"context_line":"Attacks on Xen and VMware are possible!. 2014. `https://eprint.iacr.org/2014/248.pfd \u003chttps://eprint.iacr.org/2014/248.pdf\u003e`__"},{"line_number":474,"context_line":"#. Artho, Yagi, Iijima, Kuniyasu Suzaki. Memory Deduplication as a Threat to"},{"line_number":475,"context_line":"the Guest OS. 2011."},{"line_number":476,"context_line":"`https://staff.aist.go.jp/c.artho/papers/EuroSec2011-suzaki.pdf"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3a50d1a3_484d6cc3","line":473,"updated":"2015-07-24 03:47:43.000000000","message":"Indent the second and following lines to make it a real list, this renders wrongly currently.","commit_id":"bd4cf8b5262af190bad73008a8db07da7141f4ea"}]}
