@ -513,9 +513,9 @@ Upon resignation from systems administration team, or determination by two membe
<h2> <a name="4">4. OPERATIONAL SECURITY </h2>
<h2> <a name="4">4.</a> OPERATIONAL SECURITY </h2>
<h3> <a name="4.1">4.1. System administration </h3>
<h3> <a name="4.1">4.1.</a> System administration </h3>
<p>
<p>
Primary systems administration tasks shall be conducted under four eyes principle.
Primary systems administration tasks shall be conducted under four eyes principle.
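Review bot: closing the `<a name="4">` right after the section number is the correct fix; in the old line the anchor was never closed, so the heading text and everything after it up to the next `</a>` became part of the anchor element. Since every heading in this file gets the same treatment, consider going one step further and putting the anchor on the heading itself (`<h2 id="4">4. OPERATIONAL SECURITY</h2>`), which drops the empty anchor element while `#4` fragment links keep working; the same applies to the `<h3>` for 4.1 in this hunk.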
@ -531,14 +531,14 @@ and hardware maintenance.
System administrators must pass a background check and comply with all applicable policies in force.
System administrators must pass a background check and comply with all applicable policies in force.
</p>
</p>
<h4> <a name="4.1.1">4.1.1. Privileged accounts and passwords </h4>
<h4> <a name="4.1.1">4.1.1.</a> Privileged accounts and passwords </h4>
<p>
<p>
Access to Accounts (root and user via SSH or console) must be strictly controlled.
Access to Accounts (root and user via SSH or console) must be strictly controlled.
Passwords and passphrases entered into the systems will be kept private
Passwords and passphrases entered into the systems will be kept private
to CAcert sysadmins in all cases.
to CAcert sysadmins in all cases.
</p>
</p>
<h5> <a name="4.1.1.1">4.1.1.1. Authorized users </h5>
<h5> <a name="4.1.1.1">4.1.1.1.</a> Authorized users </h5>
<p>
<p>
Only system administrators designated on the Access List
Only system administrators designated on the Access List
shall be authorized to access accounts.
shall be authorized to access accounts.
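Review bot: "Access to Accounts (root and user via SSH or console)" capitalises "Accounts" mid-sentence as if it were a defined term; unless the policy defines it elsewhere, lower-case it so it is not read as a reference to a definition that does not exist. The anchor fix on 4.1.1 and 4.1.1.1 follows the same pattern as the first hunk and is fine.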
@ -547,32 +547,32 @@ shall be authorized to access accounts.
<p class="q">Assumes above that there is no reason to have access
<p class="q">Assumes above that there is no reason to have access
to a Unix-level account on the critical machines unless on the Access List.</p>
to a Unix-level account on the critical machines unless on the Access List.</p>
<h5> <a name="4.1.1.2">4.1.1.2. Access to </h5>
<h5> <a name="4.1.1.2">4.1.1.2.</a> Access to </h5>
<p>
<p>
All remote communications for systems administration purposes is encrypted,
All remote communications for systems administration purposes is encrypted,
logged and monitored.
logged and monitored.
</p>
</p>
<h5> <a name="4.1.1.3">4.1.1.3. Changing </h5>
<h5> <a name="4.1.1.3">4.1.1.3.</a> Changing </h5>
<p>
<p>
Passwords must be kept secure.
Passwords must be kept secure.
The procedure for changing passwords should be documented.
The procedure for changing passwords should be documented.
</p>
</p>
<h4> <a name="4.1.2">4.1.2. Required staff response time </h4>
<h4> <a name="4.1.2">4.1.2.</a> Required staff response time </h4>
<p>
<p>
Response times should be documented.
Response times should be documented.
</p>
</p>
<h4> <a name="4.1.3">4.1.3. Change management procedures </h4>
<h4> <a name="4.1.3">4.1.3.</a> Change management procedures </h4>
<p>
<p>
All changes made to system configuration must be recorded.
All changes made to system configuration must be recorded.
</p>
</p>
<h3> <a name="4.2">4.2. Logging </h3>
<h3> <a name="4.2">4.2.</a> Logging </h3>
<h4> <a name="4.2.1">4.2.1. Coverage </h4>
<h4> <a name="4.2.1">4.2.1.</a> Coverage </h4>
<p>
<p>
Logs shall be maintained for:
Logs shall be maintained for:
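Review bot: the heading text for 4.1.1.2 ("Access to") and 4.1.1.3 ("Changing") reads as unfinished; since this hunk already rewrites both heading lines, it is the natural place to complete them if longer titles were intended (the paragraph under 4.1.1.3 is about changing passwords, for instance). Two smaller points in the same hunk: "All remote communications ... is encrypted" should be "are encrypted", and the `<p class="q">` note ("Assumes above that there is no reason ...") reads as an editorial query rather than policy text, so it should be resolved or removed before this section is finalised.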
@ -587,7 +587,7 @@ Logs shall be maintained for:
<li> configuration changes. </li>
<li> configuration changes. </li>
</ul>
</ul>
<h4> <a name="4.2.2">4.2.2. Access and Security </h4>
<h4> <a name="4.2.2">4.2.2.</a> Access and Security </h4>
<p>
<p>
Access to logs must be restricted.
Access to logs must be restricted.
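Review bot: the list of log categories that ends with the `</ul>` in this hunk sits inside the `<p>` opened before "Logs shall be maintained for:", and HTML does not allow a list inside a paragraph; browsers silently close the `<p>` when they meet the `<ul>`, so any `</p>` that follows the list becomes a stray tag. Close the paragraph before the list (`Logs shall be maintained for:</p>`) or drop the `<p>` wrapper around the lead-in sentence. The anchor fix on 4.2.2 itself is fine.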
@ -595,7 +595,7 @@ The security of the logs should be documented.
The records retention should be documented.
The records retention should be documented.
</p>
</p>
<h4> <a name="4.2.3">4.2.3. Automated logs </h4>
<h4> <a name="4.2.3">4.2.3.</a> Automated logs </h4>
<p>
<p>
Logging should be automated,
Logging should be automated,
and use should be made of appropriate system-provided automated tools.
and use should be made of appropriate system-provided automated tools.
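Review bot: "and use should be made of appropriate system-provided automated tools" is a double passive that hides who is responsible for doing it; "and should use the system-provided tools where appropriate" carries the same requirement and reads as an instruction to the administrators. Otherwise only the anchor on 4.2.3 changes in this hunk, consistent with the rest of the patch.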
@ -603,7 +603,7 @@ Automated logs should be reviewed periodically;
suspicious events should be flagged and investigated in a timely fashion.
suspicious events should be flagged and investigated in a timely fashion.
</p>
</p>
<h4> <a name="4.2.4">4.2.4. Operational (manual) logs </h4>
<h4> <a name="4.2.4">4.2.4.</a> Operational (manual) logs </h4>
<p>
<p>
Configuration changes, no matter how small, must be logged.
Configuration changes, no matter how small, must be logged.
Access to this log shall be restricted.
Access to this log shall be restricted.
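Review bot: "reviewed periodically" and "investigated in a timely fashion" leave both the log-review interval and the deadline between flagging and investigating an event unspecified, which makes the requirement impossible to audit; either state them here or cross-reference 4.1.2 (Required staff response time), which at present only says "Response times should be documented" and so does not fill the gap either. The anchor fix on 4.2.4 matches the rest of the patch.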
@ -613,14 +613,14 @@ Access to this log shall be restricted.
All physical visits will be logged and a report provided by the accessor.
All physical visits will be logged and a report provided by the accessor.
</p>
</p>
<h3> <a name="4.3">4.3. Backup </h3>
<h3> <a name="4.3">4.3.</a> Backup </h3>
<p>
<p>
The procedure for all backups must be documented,
The procedure for all backups must be documented,
according to the following sub-headings.
according to the following sub-headings.
</p>
</p>
<h4> <a name="4.3.1">4.3.1. Type </h4>
<h4> <a name="4.3.1">4.3.1.</a> Type </h4>
<p>
<p>
Backups must be taken for operational
Backups must be taken for operational
and for disaster recovery purposes ("offline").
and for disaster recovery purposes ("offline").
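Review bot: "a report provided by the accessor" uses a term that is not defined anywhere in the section; "by the person making the visit" (or "by the visiting administrator") says who is meant without inventing a role. The heading anchors for 4.3 and 4.3.1 are fixed consistently with the rest of the patch.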
@ -628,25 +628,25 @@ Disaster recovery backups must be offline and remote.
Operational backups may be online and local.
Operational backups may be online and local.
</p>
</p>
<h4> <a name="4.3.2">4.3.2. Frequency </h4>
<h4> <a name="4.3.2">4.3.2.</a> Frequency </h4>
<p>Document.</p>
<p>Document.</p>
<h4> <a name="4.3.3">4.3.3. Storage </h4>
<h4> <a name="4.3.3">4.3.3.</a> Storage </h4>
<p>
<p>
Backups must be protected to the same level as the critical systems themselves.
Backups must be protected to the same level as the critical systems themselves.
Offline backups should be distributed.
Offline backups should be distributed.
</p>
</p>
<h4> <a name="4.3.4">4.3.4. Retention period and Re-use </h4>
<h4> <a name="4.3.4">4.3.4.</a> Retention period and Re-use </h4>
<p>Document.</p>
<p>Document.</p>
<h4> <a name="4.3.5">4.3.5. Encryption </h4>
<h4> <a name="4.3.5">4.3.5.</a> Encryption </h4>
<p>
<p>
Backups must be encrypted and must only be transmitted via secured channels.
Backups must be encrypted and must only be transmitted via secured channels.
Off-site backups must be dual-encrypted using divergent methods.
Off-site backups must be dual-encrypted using divergent methods.
</p>
</p>
<h4> <a name="4.3.6">4.3.6. Verifying Backups </h4>
<h4> <a name="4.3.6">4.3.6.</a> Verifying Backups </h4>
<p>
<p>
Two CAcert system administrators must be
Two CAcert system administrators must be
present for verification of a backup.
present for verification of a backup.
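Review bot: 4.3.2 (Frequency) and 4.3.4 (Retention period and Re-use) still consist of the single word "Document.", so this hunk rewrites their headings while the sections beneath stay empty; if the content is not ready, a visible marker in the same `<p class="q">` style used earlier in the file would make the gap obvious to readers instead of looking like a finished section. In 4.3.5, "dual-encrypted using divergent methods" should state what "divergent" requires (different algorithms, separately held keys, or both), since as written an auditor has nothing concrete to check against.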
@ -654,39 +654,39 @@ Four eyes principle must be maintained when the key and backup are together.
For any other purpose than verification of the success of the backup, see next.
For any other purpose than verification of the success of the backup, see next.
</p>
</p>
<h4> <a name="4.3.7">4.3.7. Key Management </h4>
<h4> <a name="4.3.7">4.3.7.</a> Key Management </h4>
<p>
<p>
The encryption keys must be stored securely by the
The encryption keys must be stored securely by the
CAcert systems administrators.
CAcert systems administrators.
Paper documentation must be stored with manual backups.
Paper documentation must be stored with manual backups.
</p>
</p>
<h4> <a name="4.3.8">4.3.8. Reading Backups </h4>
<h4> <a name="4.3.8">4.3.8.</a> Reading Backups </h4>
<p>
<p>
Conditions and procedures for examining the backups for purposes
Conditions and procedures for examining the backups for purposes
other than for verification must be documented
other than for verification must be documented
and must be under Arbitrator control.
and must be under Arbitrator control.
</p>
</p>
<h3> <a name="4.4">4.4. Data retention </h3>
<h3> <a name="4.4">4.4.</a> Data retention </h3>
<h4> <a name="4.4.1">4.4.1. User data </h4>
<h4> <a name="4.4.1">4.4.1.</a> User data </h4>
<p>
<p>
Termination of user data is under direction of the Arbitrator.
Termination of user data is under direction of the Arbitrator.
See CCA.
See CCA.
</p>
</p>
<h4> <a name="4.4.2">4.4.2. System logs </h4>
<h4> <a name="4.4.2">4.4.2.</a> System logs </h4>
<p>Document.</p>
<p>Document.</p>
<h4> <a name="4.4.3">4.4.3. Incident reports </h4>
<h4> <a name="4.4.3">4.4.3.</a> Incident reports </h4>
<p>
<p>
The systems administration team leader is to maintain incident reports securely.
The systems administration team leader is to maintain incident reports securely.
Access to incident reports is restricted.
Access to incident reports is restricted.
</p>
</p>
<h3> <a name="4.5">4.5. Cycling </h3>
<h3> <a name="4.5">4.5.</a> Cycling </h3>
<p>Document.</p>
<p>Document.</p>
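Review bot: "For any other purpose than verification of the success of the backup, see next." at the top of this hunk points the reader at 4.3.7 (Key Management), but the conditions for examining backups for other purposes are in 4.3.8 (Reading Backups), one section further on; replace "see next" with an explicit link such as `see <a href="#4.3.8">4.3.8</a>`, which also makes use of the anchors this patch is repairing. Two smaller points: 4.4.2 (System logs) and 4.5 (Cycling) remain "Document." placeholders under freshly rewritten headings, and "Termination of user data" in 4.4.1 presumably means deletion or disposal of the data, which would be the clearer wording.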