<liclass="change2"> 20100530: Package of changes to drop the Application Engineer and place those responsibilities back with the Sysadm team. Exception added to permit t/l to bring in a Software Assessor under controlled basis. Because this change is non-trivial, and a compromise in late voting stage, it is marked in a different blue.</li>
<li> 20100525: Two detail changes from Tom Trnka.</li>
<li> 20100513: With some consensus from policy group, changed the text in 2.2.1.1 to transfer the detailed handling of pre-purchase risks to SM.</li>
<li> 20100512: Some clarifying tweaks to semantics supplied by Philipp G, added Arb as a role in 9.1.1. but not as critical role. </li>
<spanclass="strike2">A Member who manages the critical application,
including installing them on the critical system,
final testing, emergency patching, and ad hoc scripting.
See §7.2.</span>
</dd>
<dt><i>Software Assessor</i></dt>
<dd>
A Member who reviews patches for security and workability,
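Review bot: the struck Application Engineer definition still points readers to "§7.2" (the list of Application Engineer tasks), while the 20100530 changelog entry moves those responsibilities back to the Sysadm team; the Systems Administrator definition should be the one that gains the installation, final testing, emergency patching and ad hoc scripting duties, otherwise they vanish from the role definitions entirely. Two smaller points in the changelog items: "t/l" and "SM" should be written out as "team leader" and "Security Manual" on first use, and "9.1.1." should read "9.1.1".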
@ -239,12 +177,7 @@ The SM says how things are done.
As practices are things that vary from time to time,
including between each event of practice,
the SM is under the direct control of the
<spanclass="strike">
Systems Administration team
</span>
<spanclass="change">
applicable team leaders.
</span>
It is located and version-controlled on the CAcert wiki.
</p>
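Review bot: "applicable team leaders" leaves it undefined which team leader controls which part of the Security Manual, and the SM is a single version-controlled document on the wiki, so two team leaders can now legitimately edit the same section. Suggest either "each team leader, for the sections of the SM that concern their team" or a named tie-break (e.g. referral to the Arbitrator, who is already given a decision role in 3.3 of this patch).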
@ -295,19 +228,11 @@ Machines shall be housed in secured facilities (cages and/or locked racks).
</p>
<h4id="s2.2.1.1">2.2.1.1 Acquisition </h4>
<pclass="change">
<p>
Equipment for critical purposes should be acquired
in a way to minimise pre-acquisition security risks.
</p>
<pclass="strike">
Acquisition of new equipment that is subject to a
pre-purchase security risk must be done from a
vendor that is regularly and commercially in business.
Precautions must be taken to prevent equipment being
prepared in advance.
</p>
<h4id="s2.2.2">2.2.2. Service </h4>
<p>
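Review bot: the new markup nests a paragraph inside a paragraph (`<pclass="change">` immediately followed by `<p>`), which is not valid HTML and will render the change highlighting unpredictably; put the class on the inner paragraph instead. On substance, the replacement downgrades two "must" requirements (a vendor regularly in business; precautions against pre-prepared equipment) to a single "should ... minimise pre-acquisition security risks". The 20100513 changelog entry says the detail moves to the SM, so this paragraph should at least say so ("as detailed in the Security Manual") and keep "must", otherwise the policy no longer obliges anyone to apply those precautions.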
@ -327,10 +252,7 @@ are inventoried upon acquisition and tracked in their use.
<p>
New storage media (whether disk or removable) shall be
securely
<spanclass="strike">wiped</span>
<spanclass="change">erased</span>
and reformatted before use.
securely erased and reformatted before use.
</p>
<h4id="s2.2.3.2">2.2.3.2 Storage </h4>
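Review bot: "erased" reads as ordinary deletion, whereas "wiped" carried the meaning of overwriting the media; since the word is relied on again in 2.2.3.2 and the term "securely" is not defined anywhere visible, suggest defining "securely erased" once (overwriting to a standard named in the SM) and referencing that definition here. Note also that, with the "prepared in advance" precaution struck from 2.2.1.1 in this same patch, this erase-before-use rule becomes the only remaining control against pre-prepared media, so the SM detail needs to cover it.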
@ -339,9 +261,7 @@ and reformatted before use.
Removable media shall be securely stored at all times,
including when not in use.
Drives that are kept for reuse are
<spanclass="strike">wiped</span>
<spanclass="change">erased</span>
securely before storage.
erased securely before storage.
Reuse can only be within critical systems.
</p>
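Review bot: the hunk covers drives kept for reuse and restricts reuse to critical systems, but states nothing for media that are retired from critical systems (disposal, or erasure before leaving the secured facility); that is the case where data exposure actually happens. Suggest adding a sentence, or a pointer to where the SM handles it.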
@ -400,9 +320,6 @@ one Systems Administrator present.
<p>
There is no inherent authorisation to access the data.
Systems Administrators
<spanclass="strike2">
and Application Engineers
</span>
are authorised to access
the raw data under the control of this policy.
All others must not access the raw data.
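Review bot: removing "and Application Engineers" is consistent with dropping the role, but the 4.1.1 hunk in this same patch lets the Systems Administration team leader grant Software Assessors SSH access to the application for advanced debugging. Under the wording here, a Software Assessor doing that debugging falls under "All others must not access the raw data", which is unworkable in practice. Either state that the 4.1.1 exception also carries temporary, logged authorisation to the raw data, or state here that such access must be limited so that no raw data is read.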
@ -523,7 +440,6 @@ Documentation for installing and configuring servers with the appropriate softwa
<p>
Software used on production servers must be kept current with respect to patches affecting software security. Patch application
<spanclass="strike">is governed by CCS and</span><!-- this is true, but CCS refers it to here, and the wording doesn't make sense without understanding CCS -->
must be approved by the Systems Administration team leader, fully documented in the logs and reported by email to the Systems Administration list on completion (see §4.2).
</p>
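Review bot: the reason for dropping "is governed by CCS and" is recorded only in an HTML comment inside the policy source; rationale belongs in the changelog list at the top of the document, not in published policy text, so the comment should go. The remaining sentence is fine, but "see §4.2" should be checked to still point at the logging requirements after the renumbering in this patch.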
@ -538,10 +454,7 @@ an emergent local exploit may also be deemed to be an emergency).
Application of patches in this case may occur as soon as possible,
bypassing the normal configuration-change process.
The Systems Administration team leader must either approve the patch
<spanclass="change">
or
</span>
instruct remedial action, and refer the case to dispute resolution.
or instruct remedial action, and refer the case to dispute resolution.
</p>
<p>
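Review bot: the inserted "or" leaves the sentence ambiguous: "must either approve the patch or instruct remedial action, and refer the case to dispute resolution" can be read as referral only in the remedial branch, or in both. Suggest spelling it out, e.g. "must either approve the patch or instruct remedial action; in either case the team leader refers the case to dispute resolution" (or move the referral into the remedial branch if that is the intent).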
@ -556,13 +469,7 @@ independent of filed disputes.
<h3id="s3.3"> 3.3. Application </h3>
<pclass="strike2">
Systems administration is to provide a limited environment
to Applications Engineers in order to install and maintain
the application.
</p>
<pclass="change2">
<p>
Requests for ad hoc queries over the application database for business
or similar purposes must be approved by the Arbitrator.
</p>
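Review bot: the struck paragraph was the only statement of who operates the application environment, and the replacement names only the approver (the Arbitrator) for ad hoc queries, not who runs them. The 20100530 changelog entry gives those responsibilities to the Sysadm team, and the struck §7.2 list includes "Running ad-hoc database scripts", so add "and carried out by a Systems Administrator" (or whatever role is intended). Same markup point as 2.2.1.1: `<pclass="change2">` directly followed by `<p>` nests a paragraph in a paragraph.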
@ -603,38 +510,36 @@ authorisations on the below access control lists
<td>Access Engineers</td>
<td>control of access by personnel to hardware</td>
<td>exclusive of all other roles </td>
<td><spanclass="change">Access team leader</span><spanclass="strike">Board of CAcert (or designee)</span></td>
<td>Access team leader</td>
</tr><tr>
<td>Physical Access List</td>
<td>Systems Administrators</td>
<td>hardware-level for installation and recovery</td>
<td>exclusive with Access Engineers and Software Assessors</td>
<td><spanclass="change">Systems Administration team leader</span><spanclass="strike">Board of CAcert (or designee)</span></td>
<td>change the source code repository <spanclass="strike2">and install patches to application</span></td>
<td>Software Assessors</td>
<td>change the source code repository </td>
<td>exclusive with Access Engineers and Systems Administrators</td>
<td>software assessment team leader</td>
<td>Software Assessment team leader</td>
</tr><tr>
<td>Support Access List</td>
<td>Support Engineer</td>
<td>support features in the web application</td>
<td><spanclass="change">exclusive with Access Engineers and Systems Administrators</span><spanclass="strike2">includes by default all Application Engineers Systems Administrators </span></td>
<td><spanclass="strike">Systems Administration</span><spanclass="change">Support</span> team leader</td>
<td> exclusive with Access Engineers and Systems Administrators </td>
<td>Support team leader</td>
</tr></table>
<p>
All changes of personnel to the above lists are
<spanclass="change">subject to Board approval.</span>
<spanclass="strike">approved by the Board of CAcert.</span>
subject to Board approval.
</p>
<h4id="s3.4.3"> 3.4.3. Authentication </h4>
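Review bot: the approver column moves from "Board of CAcert (or designee)" to the respective team leader, yet the sentence after the table still says all personnel changes to these lists are "subject to Board approval"; it is not clear whether the team leader now decides and the Board ratifies, or the team leader only proposes. State the split explicitly. Also check the Support Access List row: the exclusivity text changes from "includes by default all Application Engineers Systems Administrators" to "exclusive with Access Engineers and Systems Administrators", which excludes the very Sysadm team that this patch hands the application responsibilities to; confirm that is intended.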
@ -670,29 +575,23 @@ and hardware maintenance.
<h4id="s4.1.1">4.1.1. Privileged accounts and passphrases </h4>
<p>
Access to <spanclass="change">privileged</span> accounts
Access to privileged accounts
(root and user via SSH or console)
must be strictly controlled.
Passphrases and SSH private keys used for entering into the systems
System Administration team leader may temporarily permit Software
Systems Administration team leader may temporarily permit Software
Assessors access to the application via SSH in order to do advanced
debugging, or as
</span>
<spanclass="strike2">Other</span>
specifically directed by the Arbitrator.
debugging, or as specifically directed by the Arbitrator.
</p>
<p>
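Review bot: "may temporarily permit" sets no bound on the SSH exception for Software Assessors: no maximum duration, no requirement that the grant and its revocation be logged and reported like other privileged-access events, and no statement of how the access is removed afterwards. Suggest adding "for a stated period, logged and reported in the same way as other privileged access (see §4.2), and revoked on completion". The "System Administration" to "Systems Administration" fix is good.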
@ -953,8 +852,7 @@ for the security and maintenance of the code.
<p>
The source code is under CCS.
Additions to the team are
<spanclass="change">subject to Board approval.</span>
<spanclass="strike">approved by the Board.</span>
subject to Board approval.
See §3.4.2.
</p>
@ -977,57 +875,8 @@ Software assessment is not primarily tasked to write the code.
In principle, anyone can submit code changes for approval.
</p>
<pclass="q"> Moved to SM 3.3 </p>
<pclass="strike2">
The primary tasks for Application Engineers are:
</p>
<olclass="strike2"><li>
Installing signed-off patches,
</li><li>
Verifying correct running,
</li><li>
Correcting immediate errors and copying fixes back to
upstream repositories,
</li><li>
Running ad-hoc database scripts and other programs,
</li><li>
Repairing data errors,
</li><li>
Backing up at the database level,
</li><li>
Watching application-level logs.
</li></ol>
<h3id="s7.3"> 7.3. Repository </h3>
<pclass="q"> As we are still unsure how to do Repository, I recommend we make this section blank. Therefore, it is handled in Security Manual. <i>Iang, 20100502</i>.</p>
<pclass="strike">
The application code and patches are maintained
in a central repository that is run by the
software assessment team.
</p>
<ulclass="q">
<li> Alternative, also struck: </li>
</ul>
<pclass="strike">
The development code and testing patches are maintained
in a central development repository that is run by the
software assessment team.
</p>
<pclass="strike">
The production code is maintained in a secure production repository
within the critical systems that is run by the
Systems Administation team.
Access is made available to the Application Engineers.
</p>
<h3id="s7.4"> 7.4. Review </h3>
<p>
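Review bot: the `class="q"` drafting notes ("Moved to SM 3.3", "As we are still unsure how to do Repository ...", "Alternative, also struck:") are editorial discussion embedded in the policy text and should be removed before adoption, with the rationale kept in the changelog. As it stands, section 7.3 Repository retains a heading with no normative sentence; if the intent is that the SM handles it, give the section one sentence saying so rather than leaving struck alternatives. Finally, the struck §7.2 task list includes database-level backups and watching application logs; make sure SM 3.3 assigns those to the Sysadm team, since nothing in this policy now names them.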
@ -1057,35 +906,7 @@ Bug submission access should be provided to