|
|
|
|
@ -4,6 +4,42 @@
|
|
|
|
|
<head>
|
|
|
|
|
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8">
|
|
|
|
|
<title>Security Policy</title>
|
|
|
|
|
|
|
|
|
|
<style type="text/css">
|
|
|
|
|
<!--
|
|
|
|
|
body {
|
|
|
|
|
font-family : verdana, helvetica, arial, sans-serif;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
th {
|
|
|
|
|
text-align : left;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
.q {
|
|
|
|
|
color : green;
|
|
|
|
|
font-weight: bold;
|
|
|
|
|
text-align: center;
|
|
|
|
|
font-style:italic;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
.error {
|
|
|
|
|
color : red;
|
|
|
|
|
font-weight: bold;
|
|
|
|
|
text-align: center;
|
|
|
|
|
font-style:italic;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
.change {
|
|
|
|
|
color : blue;
|
|
|
|
|
font-weight: bold;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
a:hover {
|
|
|
|
|
color : gray;
|
|
|
|
|
}
|
|
|
|
|
-->
|
|
|
|
|
</style>
|
|
|
|
|
|
|
|
|
|
</head>
|
|
|
|
|
<body lang="en-GB">
|
|
|
|
|
|
|
|
|
|
@ -11,7 +47,14 @@
|
|
|
|
|
<p><a href="PolicyOnPolicy.html"><img src="Images/cacert-draft.png" alt="CAcert Security Policy Status == wip" border="0"></a>
|
|
|
|
|
<br>
|
|
|
|
|
Creation date: 20090216<br>
|
|
|
|
|
Status: <b>DRAFT 20090327</b>
|
|
|
|
|
Status: <b>DRAFT 20090327</b><br><br>
|
|
|
|
|
|
|
|
|
|
Changes: WIP 20090915<br>
|
|
|
|
|
<span class="change">work-in-progress additions are in BLUE</b>
|
|
|
|
|
(unvoted / nonbinding)<br>
|
|
|
|
|
work-in-progress deletions are </span> <s>struck-out in black</s>
|
|
|
|
|
<span class="change">but still DRAFT/binding</span> <br>
|
|
|
|
|
<span class="q">some random comments in GREEN added</span> <br>
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<h2><a name="1">1.</a> INTRODUCTION</h2>
|
|
|
|
|
@ -49,6 +92,8 @@ These roles are directly covered:
|
|
|
|
|
Support Engineers
|
|
|
|
|
</li><li>
|
|
|
|
|
Software Assessors
|
|
|
|
|
</li><li class="change">
|
|
|
|
|
Application Engineers
|
|
|
|
|
</li></ul>
|
|
|
|
|
|
|
|
|
|
<h4><a name="1.1.2">1.1.2.</a> Out of Scope </h4>
|
|
|
|
|
@ -102,6 +147,14 @@ deriving from the above principles.
|
|
|
|
|
See §1.1.
|
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
|
|
<dt class="change"><i>Application Engineer</i> </dt>
|
|
|
|
|
<dd class="change">
|
|
|
|
|
A Member who manages the critical application,
|
|
|
|
|
including installing them on the critical system,
|
|
|
|
|
final testing, emergency patching, and ad hoc scripting.
|
|
|
|
|
See §x.x.
|
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
|
|
<dt><i>Software Assessor</i> </dt>
|
|
|
|
|
<dd>
|
|
|
|
|
A Member who reviews patches for security and workability,
|
|
|
|
|
@ -440,25 +493,42 @@ independent of filed disputes.
|
|
|
|
|
|
|
|
|
|
<h3><a name="3.3"> 3.3.</a> Application </h3>
|
|
|
|
|
|
|
|
|
|
<p class="change">
|
|
|
|
|
Systems administration is to provide a limited environment
|
|
|
|
|
to Applications Engineers in order to install and maintain
|
|
|
|
|
the application.
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<ul class="q">
|
|
|
|
|
<li> insert SSH / non-unix in SM? </li>
|
|
|
|
|
<li> move all below to §7 </li>
|
|
|
|
|
</ul>
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
|
<s>
|
|
|
|
|
Software assessment takes place on various test systems
|
|
|
|
|
(not a critical system). See §7.
|
|
|
|
|
Once offered by Software Assessment (team),
|
|
|
|
|
system administration team leader has to
|
|
|
|
|
approve the installation of each release or patch.
|
|
|
|
|
</s>
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
|
<s>
|
|
|
|
|
Any changes made to source code must be referred
|
|
|
|
|
back to software assessment team
|
|
|
|
|
and installation needs to be deferred
|
|
|
|
|
until approved by the Software Assessment Team.
|
|
|
|
|
</s>
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
|
<s>
|
|
|
|
|
Requests to systems administration for ad hoc queries
|
|
|
|
|
over the database for business or similar purposes
|
|
|
|
|
must be approved by the Arbitrator.
|
|
|
|
|
</s>
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<h3><a name="3.4"> 3.4.</a> Access control </h3>
|
|
|
|
|
@ -518,8 +588,8 @@ authorisations on the below access control lists
|
|
|
|
|
<td>systems administration team leader</td>
|
|
|
|
|
</tr><tr>
|
|
|
|
|
<td>Repository Access List</td>
|
|
|
|
|
<td>Software Assessors</td>
|
|
|
|
|
<td>change the source code repository</td>
|
|
|
|
|
<td><span class="change">Application Engineers</span><s>Software Assessors</s></td>
|
|
|
|
|
<td>change the source code repository <span class="change">and install patches to application</change></td>
|
|
|
|
|
<td>exclusive with Access Engineers and systems administrators</td>
|
|
|
|
|
<td>software assessment team leader</td>
|
|
|
|
|
</tr></table>
|
|
|
|
|
@ -568,12 +638,16 @@ Access to Accounts
|
|
|
|
|
must be strictly controlled.
|
|
|
|
|
Passphrases and SSH private keys used for entering into the systems
|
|
|
|
|
will be kept private
|
|
|
|
|
to CAcert sysadmins in all cases.
|
|
|
|
|
to CAcert sysadmins
|
|
|
|
|
<span class="change">and Application Engineers</span>
|
|
|
|
|
in all cases.
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<h5> <a name="4.1.1.1">4.1.1.1.</a> Authorized users </h5>
|
|
|
|
|
<p>
|
|
|
|
|
Only System Administrators designated on the Access Lists
|
|
|
|
|
Only System Administrators
|
|
|
|
|
<span class="change">and Application Engineers</span>
|
|
|
|
|
designated on the Access Lists
|
|
|
|
|
in §3.4.2 are authorized to access accounts,
|
|
|
|
|
unless specifically directed by the Arbitrator.
|
|
|
|
|
</p>
|
|
|
|
|
@ -825,7 +899,7 @@ infrastructure is not available.
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
|
Software assessment team is responsible
|
|
|
|
|
for the security of the code.
|
|
|
|
|
for the security <span class="change">and maintenance</span> of the code.
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<h3> <a name="7.1"> 7.1. </a> Authority </h3>
|
|
|
|
|
@ -838,7 +912,7 @@ See §3.4.2.
|
|
|
|
|
|
|
|
|
|
<h3> <a name="7.2"> 7.2. </a> Tasks </h3>
|
|
|
|
|
<p>
|
|
|
|
|
The primary tasks are:
|
|
|
|
|
The primary tasks <span class="change">for Software Assessors</span> are:
|
|
|
|
|
</p>
|
|
|
|
|
<ol><li>
|
|
|
|
|
Keep the code secure in its operation,
|
|
|
|
|
@ -847,7 +921,7 @@ The primary tasks are:
|
|
|
|
|
</li><li>
|
|
|
|
|
Audit, Verify and sign-off proposed patches,
|
|
|
|
|
</li><li>
|
|
|
|
|
Guide Systems Administration team in inserting patches,
|
|
|
|
|
<s>Guide Systems Administration team in inserting patches,</s>
|
|
|
|
|
</li><li>
|
|
|
|
|
Provide guidance for architecture,
|
|
|
|
|
</li></ol>
|
|
|
|
|
@ -857,6 +931,27 @@ Software assessment is not primarily tasked to write the code.
|
|
|
|
|
In principle, anyone can submit code changes for approval.
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<p class="change">
|
|
|
|
|
The primary tasks for Application Engineers are:
|
|
|
|
|
</p>
|
|
|
|
|
<ol class="change"><li>
|
|
|
|
|
Installing signed-off patches,
|
|
|
|
|
</li><li>
|
|
|
|
|
Verifying correct running,
|
|
|
|
|
</li><li>
|
|
|
|
|
Correcting immediate errors and copying fixes back to
|
|
|
|
|
upstream repositories,
|
|
|
|
|
</li><li>
|
|
|
|
|
Running ad-hoc database scripts and other programs,
|
|
|
|
|
</li><li>
|
|
|
|
|
Repairing data errors,
|
|
|
|
|
</li><li>
|
|
|
|
|
Backing up at the database level,
|
|
|
|
|
</li><li>
|
|
|
|
|
Watching application-level logs.
|
|
|
|
|
</li></ol>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<h3> <a name="7.3"> 7.3. </a> Repository </h3>
|
|
|
|
|
|
|
|
|
|
@ -866,6 +961,26 @@ in a central repository that is run by the
|
|
|
|
|
software assessment team.
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<ul class="q">
|
|
|
|
|
<li> is this something that can be and is being run by systems administration team? </li>
|
|
|
|
|
<li> Or are their two, the test one and the critical one? </li>
|
|
|
|
|
<li> Like this: </li>
|
|
|
|
|
</ul>
|
|
|
|
|
|
|
|
|
|
<p class="change">
|
|
|
|
|
The development code and testing patches are maintained
|
|
|
|
|
in a central development repository that is run by the
|
|
|
|
|
software assessment team.
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<p class="change">
|
|
|
|
|
The production code is maintained in a secure production repository
|
|
|
|
|
within the critical systems that is run by the
|
|
|
|
|
systems administation team.
|
|
|
|
|
Access is made available to the Application Engineers.
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<h3> <a name="7.4"> 7.4. </a> Review </h3>
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
|
@ -895,10 +1010,30 @@ Bug submission access should be provided to
|
|
|
|
|
any Member that requests it.
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<h3> <a name="7.6"> 7.6. </a> Handover </h3>
|
|
|
|
|
<h3> <a name="7.6"> 7.6. </a> <s>Handover</s> <span class="change">Production</span> </h3>
|
|
|
|
|
|
|
|
|
|
<p class="change">
|
|
|
|
|
Application Engineers are roles within Software Assessment
|
|
|
|
|
team that are approved to install into production the
|
|
|
|
|
patches that are signed off.
|
|
|
|
|
Once signed off, the Application Engineer
|
|
|
|
|
commits the patch from the development repository
|
|
|
|
|
to the production repository,
|
|
|
|
|
and installs the patch from the production repository
|
|
|
|
|
into the running code.
|
|
|
|
|
The Application Engineer is responsible for basic
|
|
|
|
|
testing of functionality and emergency fixes,
|
|
|
|
|
which then must be back-installed into the repositories.
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<p class="change">
|
|
|
|
|
Requests to Application Engineers for ad hoc queries over the database for business or similar purposes must be approved by the Arbitrator.
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
|
Once signed off, software assessment (team leader)
|
|
|
|
|
<s>
|
|
|
|
|
Once signed off,
|
|
|
|
|
software assessment (team leader)
|
|
|
|
|
coordinates with systems administration (team leader)
|
|
|
|
|
to offer the upgrade.
|
|
|
|
|
Upgrade format is to be negotiated,
|
|
|
|
|
@ -906,21 +1041,26 @@ but systems administration naturally has the last word.
|
|
|
|
|
Software Assessors are not to have access
|
|
|
|
|
to the critical systems, providing a dual control
|
|
|
|
|
at the teams level.
|
|
|
|
|
</s>
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
|
<s>
|
|
|
|
|
If compilation and/or other processing of the
|
|
|
|
|
application source code in the version control system
|
|
|
|
|
is necessary to deploy the application,
|
|
|
|
|
detailed installation instructions should also be
|
|
|
|
|
maintained in the version control system and offered to the
|
|
|
|
|
System Administrators.
|
|
|
|
|
</s>
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
|
<s>
|
|
|
|
|
Systems administrators copy the patches securely
|
|
|
|
|
from the software assessment repository
|
|
|
|
|
onto the critical machine.
|
|
|
|
|
</s>
|
|
|
|
|
See §3.3.
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
@ -1013,6 +1153,7 @@ or Case Managers.
|
|
|
|
|
<li> Access Engineer: responsible for controlling access to hardware, and maintaining hardware. </li>
|
|
|
|
|
<li> System administrator: responsible for maintaining core services and integrity. </li>
|
|
|
|
|
<li> Software Assessor: maintain the code base and confirm security ("sign-off") of patches and releases.</li>
|
|
|
|
|
<li class="change"> Application Engineer: install application updates and confirm basic working.</li>
|
|
|
|
|
<li> Support Engineer: human interface with users.</li>
|
|
|
|
|
<li> Team leaders: coordinate with teams, report to Board.</li>
|
|
|
|
|
<li> All: respond to Arbitrator's rulings on changes. Respond to critical security issues. Observe.</li>
|
|
|
|
|
@ -1080,7 +1221,7 @@ The background check should be done on all of:
|
|
|
|
|
<ul>
|
|
|
|
|
<li> Systems Administrator </li>
|
|
|
|
|
<li> Access Engineers </li>
|
|
|
|
|
<li> Software Assessor </li>
|
|
|
|
|
<li> Software Assessor <span class="change"> (including Application Engineer)</span></li>
|
|
|
|
|
<li> Support Engineer </li>
|
|
|
|
|
<li> Board </li>
|
|
|
|
|
</ul>
|
|
|
|
|
|
Ian Grigg
15 years ago