On Wed, 25 May 2011, Jim Hickstein wrote:
> I am being asked to provide content for a "UNIX/Linux Security Architecture
> Standard". Google is unavailing. Does anyone have a (link to a) document of
> this kind, that we could mine/steal? Or do I need to hire a security
> consultant for that?
What do you mean by a 'Security Architecture Standard'?
Something like that could mean one, some, or all of (in no particular order,
and of necessity incomplete -- I need my caffeine):
- Standards:
  - Defining approved operating systems and configurations
  - Defining approved applications and configurations
  - Defining acceptable inter- and intra- server/app communications
  - Defining system/application lifecycle
  - Defining how to handle routine security tasks (eg: patching)
  - Defining how to handle security issues (eg: breach, 0-day ...)
  - Defining AAA standards
  - Defining data handling standards, including data retention, purging,
    access
  - Backups (of what, to where, for whom, for how long...)
  - Logging (of what, to where, for whom, for how long...)
  - Ensuring separation/segregation of duties
  - Defining network zones and associated security requirements for
    servers in those zones
  - Identifying required external standards (eg: PCI, HIPAA, yada)
- Processes for:
  - defining and updating security standards
  - Audit/Compliance:
    - verifying that systems meet security standards (ideally
      automated and regularly)
    - verifying that users/groups meet security standards (ideally
      automated and regularly)
    - verifying that processes are being followed
  - timelines to resolve issues with systems that do not meet standards
  - timelines to resolve issues with users/groups that do not follow
    processes
  - penalties for systems that do not meet standards
  - exception processes (non-compliant systems, applications)
  - handling security issues (patching, breaches, change management)
  - determining ownership and contacts for everything
  - keeping information up to date
A 'Security Architecture Standard' isn't just about whether a server is
or isn't hardened -- and isn't just a technical checklist, although that's
certainly a helpful/useful part of a 'Security Architecture Standard'.
You'll need to think about what your use cases are, what makes sense for your
environment and requirements (a 10-server shop and a 1,000,000-server shop
are going to have different needs, simply from the difference in scale, and
a department in a larger whole may have some/many standards/processes set
for them already), and what your threat models are.
cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet. This is the defining metaphor of my life right now."
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/