You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

1307 lines
36 KiB

<?xml version="1.0" encoding="utf-8"?>
<html xmlns="">
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8" />
<title>Security Policy - DRAFT</title>
<style type="text/css"> <!-- only for WIP -->
body {
font-family : verdana, helvetica, arial, sans-serif;
.q {
color : green;
font-weight: bold;
text-align: center;
<body lang="en-GB">
<p class="q">
This version: going to DRAFT <a href="//">p20100510</a>
<hr />
<h1>Security Policy for CAcert Systems</h1>
<!-- Absolute URL because the policies are located absolutely. -->
<table width="100%"><tr><td>
Creation date: 20090216<br />
Editor: iang<br />
Status: <b>DRAFT <a href="//">p20100510</a></b> <br /><br />
</td><td align="right">
<a href="//"><img src="images/cacert-draft.png" alt="Security Policy Status == DRAFT" style="border-width:0" /></a>
<h2 id="s1">1. INTRODUCTION</h2>
<h3 id="s1.1">1.1. Motivation and Scope </h3>
This Security Policy sets out the policy
for the secure operation of the CAcert critical computer systems.
These systems include:
Physical hardware mounting the logical services
Webserver + database (core server(s))
Signing service (signing server)
Source code (changes and patches)
The Committee of CAcert, Inc. (hereafter, "Board")
may add additional components into the Security Manual.
<h4 id="s1.1.1">1.1.1. Covered Personnel </h4>
Critical roles are covered.
These roles are defined as:
Access Engineer
Systems Administrator
Support Engineer
Software Assessor
<h4 id="s1.1.2">1.1.2. Out of Scope </h4>
Non-critical systems are not covered by this manual,
but may be guided by it, and impacted where they are
found within the security context.
Architecture is out of scope, see CPS#6.2.
<h3 id="s1.2">1.2. Principles </h3>
Important principles of this Security Policy are:
<i>dual control</i> -- at least two individuals must control a task
<i>four eyes</i> -- at least two individuals must participate in a task,
one to execute and one to observe.
<i>redundancy</i> -- no single individual is the only one authorized
to perform a task.
<i>escrow</i> -- where critical information (backups, passphrases)
is kept with other parties
<i>logging</i> -- where events are recorded in a file
<i>separation of concerns</i> -- when a core task is split between
two people from different areas
<i>Audit</i> -- where external reviewers do checks on practices and policies
<i>Authority</i> -- every action is authorised by either a policy or by the Arbitrator.
Each task or asset is covered by a variety of protections
deriving from the above principles.
<h3 id="s1.3">1.3. Definition of Terms</h3>
<dt><i>Access Engineer</i> </dt>
A Member who manages the critical hardware,
including maintenance, access control and physical security.
See &sect;1.1.
<dt><i>Software Assessor</i> </dt>
A Member who reviews patches for security and workability,
signs-off on them, and incorporates them into the repository.
See &sect;7.2.
<dt><i>Support Engineer</i> </dt>
A Member who mans the support list,
and has access to restricted
data through the online interface.
See &sect;8.
<dt><i>Systems Administrator</i> </dt>
A Member who manages a critical system, and has access
to security-sensitive functions or data.
<h3 id="s1.4">1.4. Documents and Version control</h3>
<h4 id="s1.4.1">1.4.1. The Security Policy Document </h4>
This Security Policy is part of the Configuration-Control Specification
for audit purposes (DRC-A.1).
It is under the control of Policy on Policy for version purposes.
This policy document says what is done, rather than how to do it.
<b>Some sections are empty, which means "refer to the Manual."</b>
<h4 id="s1.4.2">1.4.2. The Security Manual (Practices) Document </h4>
This Policy explicitly defers detailed security practices to the
<a href="">Security Manual</a>
The SM says how things are done.
As practices are things that vary from time to time,
including between each event of practice,
the SM is under the direct control of the
applicable team leaders.
It is located and version-controlled on the CAcert wiki.
Section Headings are the same in both documents.
Where Sections are empty in one document,
they are expected to be documented in the other.
"Document further in Security Manual" can be implied from
any section heading in the Policy.
<h4 id="s1.4.3">1.4.3. The Security Procedures </h4>
The team leaders may from time to time
explicitly defer single, cohesive components of the
security practices into separate procedures documents.
Each procedure should be managed in a wiki page under
their control, probably at
<a href="">
Each procedure must be referenced explicitly in the Security Manual.
<h2 id="s2">2. PHYSICAL SECURITY</h2>
<h3 id="s2.1">2.1. Facility </h3>
CAcert shall host critical servers in a highly secure facility.
There shall be independent verification of the physical and
access security.
<h3 id="s2.2">2.2. Physical Assets </h3>
<h4 id="s2.2.1">2.2.1. Computers </h4>
Computers shall be inventoried before being put into service.
Inventory list shall be available to all
Access Engineers and all Systems Administrators.
List must be subject to change control.
Each unit shall be distinctly and uniquely identified on all visible sides.
Machines shall be housed in secured facilities (cages and/or locked racks).
<h4 id="s2.2.1.1"> Acquisition </h4>
Equipment for critical purposes should be acquired
in a way to minimise pre-acquisition security risks.
<h4 id="s2.2.2">2.2.2. Service </h4>
Equipment that is subject to a service security risk
must be retired if service is required.
See also &sect;
<h4 id="s2.2.3">2.2.3. Media </h4>
<h4 id="s2.2.3.1"> Provisioning </h4>
Storage media (disk drives, tapes, removable media)
are inventoried upon acquisition and tracked in their use.
New storage media (whether disk or removable) shall be
securely erased and reformatted before use.
<h4 id="s2.2.3.2"> Storage </h4>
Removable media shall be securely stored at all times,
including when not in use.
Drives that are kept for reuse are
erased securely before storage.
Reuse can only be within critical systems.
When there is a change to status of media,
a report is made to the log specifying the new status.
<h4 id="s2.2.3.3"> Retirement </h4>
Storage media that is exposed to critical data and is
to be retired from service shall be destroyed or otherwise secured.
The following steps are to be taken:
The media is securely destroyed, <b>or</b>
the media is securely erased,
and stored securely.
Records of secure erasure and method of final disposal
shall be tracked in the asset inventory.
Where critical data is involved,
two Systems Administrators must sign-off on each step.
<h3 id="s2.3">2.3. Physical Access </h3>
In accordance with the principle of dual control,
at least two persons authorized for access must
be on-site at the same time for physical access to be granted.
<h4 id="s2.3.1">2.3.1. Access Authorisation </h4>
Access to physical equipment must be authorised.
<h4 id="s2.3.2">2.3.2. Access Profiles </h4>
The Security Manual must present the different access profiles.
At least one Access Engineer must control access in all cases.
At least one Systems Administrator will be present for
logical access.
Only the most basic and safest of accesses should be done with
one Systems Administrator present.
There is no inherent authorisation to access the data.
Systems Administrators
are authorised to access
the raw data under the control of this policy.
All others must not access the raw data.
All are responsible for protecting the data
from access by those not authorised.
<h4 id="s2.3.3">2.3.3. Access Logging </h4>
All physical accesses are logged and reported to all.
<h4 id="s2.3.4">2.3.4. Emergency Access </h4>
There must not be a procedure for emergency access.
If, in the judgement of the Systems Administrator,
emergency access is required and gained,
in order to avoid a greater harm,
independent authorisation before the
Arbitrator must be sought as soon as possible.
See DRP.
<h4 id="s2.3.5">2.3.5. Physical Security codes &amp; devices </h4>
All personel who are in possession of physical security
codes and devices (keys) are to be authorised and documented.
<h2 id="s3">3. LOGICAL SECURITY</h2>
<h3 id="s3.1">3.1. Network </h3>
<h4 id="s3.1.1">3.1.1. Infrastructure </h4>
Current and complete diagrams of the physical and logical
CAcert network infrastructure shall be maintained by
Systems Administration team leader.
These diagrams should include cabling information,
physical port configuration details,
expected/allowed data flow directions,
and any further pertinent information,
as applicable.
Diagrams should be revision controlled,
and must be updated when any change is made.
<h5 id="s3.1.1.1"> External connectivity </h5>
Only such services as are required for normal operation
should be visible externally;
systems and servers which do not require access
to the Internet for their normal operation
must not be granted that access.
If such access becomes temporarily necessary for an
authorized administrative task,
such access may be granted under the procedures of the SM
and must be reported and logged.
<h5 id="s3.1.1.2"> Internal connectivity </h5>
System and server connections internal to the CAcert infrastructure should be kept to the minimum required for routine operations. Any new connectivity desired must be requested and approved by System administration team leader and then must be reflected in the appropriate infrastructure diagram(s).
<h4 id="s3.1.2">3.1.2. Operating Configuration </h4>
<h5 id="s3.1.2.1"> Ingress </h5>
All ports on which incoming traffic is expected shall be documented; traffic to other ports must be blocked. Unexpected traffic must be logged as an exception.
<h5 id="s3.1.2.2"> Egress </h5>
All outbound traffic that is initiated shall be documented; traffic to other destinations must be blocked. Unexpected traffic must be logged as an exception.
<h4 id="s3.1.3">3.1.3. Intrusion detection </h4>
Logs should be examined regularly (by manual or automatic means) for unusual patterns and/or traffic; anomalies should be investigated as they are discovered and should be reported to appropriate personnel in near-real-time (e.g. text message, email) and investigated as soon as possible. Suspicious activity which may indicate an actual system intrusion or compromise should trigger the incident response protocol described in section 5.1.
<h3 id="s3.2">3.2. Operating System </h3>
Any operating system used for critical server machines must be available under an OSI-approved open source software license.
<h4 id="s3.2.1"> 3.2.1. Disk Encryption </h4>
Any operating system used for critical server machines must support software full-disk or disk volume encryption, and this encryption option must be enabled for all relevant disks/volumes when the operating system is first installed on the machine.
<h4 id="s3.2.2"> 3.2.2. Operating configuration </h4>
Servers must enable only the operating system functions required to support the necessary services. Options and packages chosen at OS install shall be documented, and newly-installed systems must be inspected to ensure that only required services are active, and their functionality is limited through configuration options. Any required application software must follow similar techniques to ensure minimal exposure footprint.
Documentation for installing and configuring servers with the appropriate software packages and configurations will be maintained by the System Administrators.
<h4 id="s3.2.3"> 3.2.3. Patching </h4>
Software used on production servers must be kept current with respect to patches affecting software security. Patch application
must be approved by the Systems Administration team leader, fully documented in the logs and reported by email to the Systems Administration list on completion (see &sect;4.2).
<h5 id="s3.2.3.1"> “emergency” patching </h5>
Application of a patch is deemed an <i>emergency</i>
when a remote exploit for a weakness in the particular piece
of software has become known
(on servers allowing direct local user access,
an emergent local exploit may also be deemed to be an emergency).
Application of patches in this case may occur as soon as possible,
bypassing the normal configuration-change process.
The Systems Administration team leader must either approve the patch
or instruct remedial action, and refer the case to dispute resolution.
<b> <!-- this comment left in bold deliberately -->
Declaration of an emergency patching situation should not occur with any regularity.
Emergency patch events must be documented
within the regular summaries
by the team leader to Board
independent of filed disputes.
<h3 id="s3.3"> 3.3. Application </h3>
Requests for ad hoc queries over the application database for business
or similar purposes must be approved by the Arbitrator.
<h3 id="s3.4"> 3.4. Access control </h3>
All access to critical data and services shall be
controlled and logged.
<h4 id="s3.4.1"> 3.4.1. Application Access </h4>
General access for Members shall be provided via
a dedicated application.
General features are made available according to
Assurance Points and similar methods controlled in
the software system.
<h4 id="s3.4.2"> 3.4.2. Special Authorisation </h4>
Additional or special access is granted according to the
authorisations on the below access control lists
(see &sect;1.1.1):
<table style="text-align: center" border="1"> <tr>
<td>List Name</td>
<td>Purpose of access</td>
<td> Manager </td>
<td>Physical Control List</td>
<td>Access Engineers</td>
<td>control of access by personnel to hardware</td>
<td>exclusive of all other roles </td>
<td>Access team leader</td>
<td>Physical Access List</td>
<td>Systems Administrators</td>
<td>hardware-level for installation and recovery</td>
<td>exclusive with Access Engineers and Software Assessors</td>
<td>Systems Administration team leader </td>
<td>SSH Access List</td>
<td>Systems Administrators </td>
<td>Unix / account / shell level</td>
<td> includes by default all on Physical Access List </td>
<td>Systems Administration team leader</td>
<td>Repository Access List</td>
<td>Software Assessors</td>
<td>change the source code repository </td>
<td>exclusive with Access Engineers and Systems Administrators</td>
<td>Software Assessment team leader</td>
<td>Support Access List</td>
<td>Support Engineer</td>
<td>support features in the web application</td>
<td> exclusive with Access Engineers and Systems Administrators </td>
<td>Support team leader</td>
All changes of personnel to the above lists are
subject to Board approval.
<h4 id="s3.4.3"> 3.4.3. Authentication </h4>
Strong methods of authentication shall be used
wherever possible.
All authentication schemes must be documented.
<h4 id="s3.4.4"> 3.4.4. Removing access </h4>
Follow-up actions to termination must be documented.
See &sect;9.1.7.
<h2 id="s4">4. OPERATIONAL SECURITY </h2>
<h3 id="s4.1">4.1. System administration </h3>
Primary Systems Administration tasks
shall be conducted under four eyes principle.
These shall include backup performance verification,
software patch application,
account creation and deletion,
and hardware maintenance.
<h4 id="s4.1.1">4.1.1. Privileged accounts and passphrases </h4>
Access to privileged accounts
(root and user via SSH or console)
must be strictly controlled.
Passphrases and SSH private keys used for entering into the systems
will be kept private
to CAcert sysadmins
in all cases.
<h5 id="s4.1.1.1"> Authorized users </h5>
Only Systems Administrators
designated on the Access Lists
in &sect;3.4.2 are authorized to access accounts.
Systems Administration team leader may temporarily permit Software
Assessors access to the application via SSH in order to do advanced
debugging, or as specifically directed by the Arbitrator.
<h5 id="s4.1.1.2"> Access to Systems</h5>
All access is secured, logged and monitored.
<h5 id="s4.1.1.3"> Changing </h5>
The procedure for changing passphrases and SSH keys shall be documented.
<h4 id="s4.1.2">4.1.2. Required staff response time </h4>
Response times should be documented for Disaster Recovery planning. See &sect;6.
<h4 id="s4.1.3">4.1.3. Change management procedures </h4>
All changes made to system configuration must be recorded
and reported in regular summaries to the Board of CAcert.
<h4 id="s4.1.4">4.1.4. Outsourcing </h4>
<h3 id="s4.2">4.2. Logging </h3>
<h4 id="s4.2.1">4.2.1. Coverage </h4>
All sensitive events should be logged reliably.
Logs should be deleted after an appropriate amount of time
as documented in the Security Manual.
<h4 id="s4.2.2">4.2.2. Access and Security </h4>