Latest revision as of 10:01, 20 November 2006
Site Security and Administration
This set of pages has been created by Steve Cobrin of RAL, initially for the HEPSYSMAN 2006 conference.
This page is to be used to discuss some basic Site Security and SysAdmin issues, primarily focusing on Unix, Unix-like and Unix-derived systems, e.g. Solaris, AIX, HP-UX, Linux, GNU/Linux, FreeBSD, MacOSX, OpenBSD.
This section does not look at deploying or using LCG/EGEE middleware, but is still related to GridPP Deployment: Pages
Introduction
There are quite a few areas of security and administration which don't seem to be discussed enough, perhaps because they're not new topics, or not particularly interesting for those of us who've been administering systems for some time. However, when overlooked, they can cause substantial interruption to servers, or impact the quality of service we provide. We also need to provide more information and help to new or less-experienced administrators.
Initial commissioning of machines (building, configuration, deployment)
Defining the life-cycle / work-flow of machines.
- Original article: An Analysis of UNIX System Configuration by Rémy Evard (source of the picture originally shown here)
Differing types of operating systems
- Many different Linux distributions (RedHat, Scientific Linux, SuSE, Debian)
Growing importance of virtualisation, especially VMware and Xen
Interoperability of use: Linux and Legacy Unix, Linux and Windows, Single Sign-On
MacOSX is a Unix System too!
Building
How do people initially install systems?
- ad hoc manual installation with CDs
- Anaconda / Kickstart based - Red Hat and derived systems
- SUSE's Alice
- Quattor
Generally it is helpful to have some form of template (a pre-defined idea of how a machine should be set up) to work with.
- Minimal applications and services, provide only what is necessary
- Separation between Production and Development systems. Often further categories are required.
- Ensure that machines comply with security guidelines
- Machines should be fully patched against day-zero exploits.
Configuring
- Need to ensure that all necessary configuration options are correctly set
- Configuration options must then be monitored to ensure that they stay set, with some process to raise alerts or correct changes.
- Need to be able to tie into the change control process. Why is an option set? Why was it changed?
Deployment
Once a machine configuration needs to be replicated, what processes help to keep like machines as close as possible to each other? Will system-imaging/cloning mechanisms be used?
Documentation
Different audiences for documentation
- Management
- Administrators
- Auditors
- Service Providers
Documentation management
- Need a central document repository
- Need to avoid duplication
- Different audiences
- Some content needs to be shared
- Need to keep up to date
- Need to encourage documentation!
Security Documents
- Internal Documents:
- Site Security Policies
- Acceptable Use Policies
- Incident Response Procedures
- Baseline Security Documents
- Local Security Hardening Procedures
- Standard off the shelf documents:
- BSI 7799 / ISO 27001 Standards
- The Center for Internet Security Benchmarks
System Documents
There must always be documentation related to the service being provided. The level of detail, unfortunately, will usually depend on the importance of the service.
- System Overview - purpose of the system, who owns it, who's responsible for it.
- Hardware Documentation - How hardware is put together, how elements can be replaced
- Systems Documentation - How hardware and Systems software interoperate, networking configuration
- Backup procedures - details of recovery procedures and testing
- Security measures and procedures
- Dependencies - what the service relies on, what other services may depend on it
- Change control process and procedures
- Maintenance and Monitoring processes and procedures
- Continuity and disaster recovery plans
SysAdmin Procedures
- Initial build and deployment of systems - Kickstart, Imaging
- Documentation - Useful documentation used at sites
- Patch Management - e.g. OS Vendor and Distribution patches
- up2date
- yumit/pakiti
- Software Management - e.g. 3rd party software, compiling from source, etc
- Cluster management - for example how you perform kernel updates across a large cluster
- Admin methods - how you go about configuration tasks (e.g. logging in as root, use of SSH keys, Sudo)
- Managing non-user accounts
- Helpdesk Systems
- Configuration Management and Change Control
Security Monitoring & Forensics
- Asset Management - Do you know all the machines on your network?
- Logging - critical in aiding the identification of problems, and in the analysis of what caused a problem
- Central Syslogging - need to provide a 24/7 service. Should provide redundancy.
- level of error logging for tools like ssh
- Network Monitoring
- General Monitoring
- Inventorying & Auditing
- Forensics - procedures, techniques
- Benchmarking - performance, network
- Alerts and Escalation
SysAdmin Training
Job Descriptions
Do you have a clear definition of what your job entails? Do you have a clear idea of what your career path is? Does your management understand what you do? Do they know how to properly advertise new posts? Do they understand the difference between the different degrees of experience of sysadmins?
Training Courses
Do you receive adequate training to do your job? Do you get the opportunity to learn how to do new things? ... or old things better?
- Read More! - there are some great SysAdmin books about (see the Links item); magazines can also be a great way to find out about things which might be good to learn more about.
- UKERNA Training
- Company Training Courses - Sun, Red Hat, Novell
- Conferences
Certification
Obtaining a certificate or passing a practical exam can be useful in reaffirming your skills, can help you identify shortcomings in your experience, or can help Management more easily recognise your value.
Ethics
Do you know how to protect yourself from prosecution? Do you know how to do the right thing™?
Membership of Organisations and User groups
Membership of professional or even informal groups can help you to learn, to inform others, to grow in professionalism, or just to have more fun in your job.
- USENIX - The Advanced Computing Systems Association
- SAGE - The USENIX Special Interest Group for Sysadmins
- LOPSA - League of Professional Systems Administrators
- UKUUG - UK's Unix & Open Systems User Group
Links
- Practical UNIX and Internet Security, Third Edition
- Integrated Site Security for Grids
- The Practice of System and Network Administration (Addison-Wesley), 2001, by Tom Limoncelli and Christine Hogan ISBN 0-201-70271-1
- Principles of Network and System Administration, Second Edition, by Mark Burgess (Wiley) ISBN 0-470-86807-4
- Time Management for System Administrators by Tom Limoncelli (O'Reilly), 2005 ISBN 0-596-00783-3