@ -408,14 +408,14 @@ Logs should be examined regularly (by manual or automatic means) for unusual pat
Any operating system used for critical server machines must be available under an OSI-approved open source software license.
Any operating system used for critical server machines must be available under an OSI-approved open source software license.
</p>
</p>
<h4> 3.2.1. Disk Encryption </h4>
<h4><aname="3.2.1"> 3.2.1.</a> Disk Encryption </h4>
<p>
<p>
Any operating system used for critical server machines must support software full-disk or disk volume encryption, and this encryption option must be enabled for all relevant disks/volumes when the operating system is first installed on the machine.
Any operating system used for critical server machines must support software full-disk or disk volume encryption, and this encryption option must be enabled for all relevant disks/volumes when the operating system is first installed on the machine.
Servers must enable only the operating system functions required to support the necessary services. Options and packages chosen at OS install shall be documented, and newly-installed systems must be inspected to ensure that only required services are active, and their functionality is limited through configuration options. Any required application software must follow similar techniques to ensure minimal exposure footprint.
Servers must enable only the operating system functions required to support the necessary services. Options and packages chosen at OS install shall be documented, and newly-installed systems must be inspected to ensure that only required services are active, and their functionality is limited through configuration options. Any required application software must follow similar techniques to ensure minimal exposure footprint.
@ -426,7 +426,7 @@ Documentation for installing and configuring servers with the appropriate softwa
</p>
</p>
<h4> 3.2.3. Patching </h4>
<h4><aname="3.2.3"> 3.2.3.</a> Patching </h4>
<pclass="q">A.1.i, A.1.k:</p>
<pclass="q">A.1.i, A.1.k:</p>
@ -434,7 +434,7 @@ Documentation for installing and configuring servers with the appropriate softwa
Software used on production servers must be kept current with respect to patches affecting software security. Patch application is governed by CCS and must be approved by the systems administration team leader, fully documented in the logs and reported by email to the systems administration list on completion (see §4.2).
Software used on production servers must be kept current with respect to patches affecting software security. Patch application is governed by CCS and must be approved by the systems administration team leader, fully documented in the logs and reported by email to the systems administration list on completion (see §4.2).
Application of a patch is deemed an <i>emergency</i>
Application of a patch is deemed an <i>emergency</i>
@ -455,7 +455,7 @@ Declaration of an emergency patching situation should not occur with any regular
Emergency patch events must be documented within the regular summaries to Board.
Emergency patch events must be documented within the regular summaries to Board.
</p>
</p>
<h3> 3.3. Application </h3>
<h3><aname="3.3"> 3.3.</a> Application </h3>
<p>
<p>
Software assessment takes place on various test systems (not a critical system). See §7. Once offered by Software Assessment (team), system administration team leader has to approve the installation of each release or patch.
Software assessment takes place on various test systems (not a critical system). See §7. Once offered by Software Assessment (team), system administration team leader has to approve the installation of each release or patch.
@ -465,7 +465,7 @@ Software assessment takes place on various test systems (not a critical system).
Any changes made to source code must be referred back to software assessment team.
Any changes made to source code must be referred back to software assessment team.
</p>
</p>
<h3> 3.4. Access control </h3>
<h3><aname="3.4"> 3.4.</a> Access control </h3>
<pclass="q">
<pclass="q">
These two paras seem in wrong place.
These two paras seem in wrong place.
@ -480,7 +480,7 @@ General user access to CAcert services shall normally be conducted through a web
Direct Permissions are managed by the Application to enable special online administrators from the Support Team access to certain functions.
Direct Permissions are managed by the Application to enable special online administrators from the Support Team access to certain functions.