SiteSecurity

From GridPP Wiki

Site Security and Administration

This set of pages was created by Steve Cobrin of RAL, initially for the HEPSYSMAN 2006 conference.

This page is to be used to discuss some basic Site Security and SysAdmin issues, primarily focusing on Unix, Unix-like and Unix-derived systems, e.g. Solaris, AIX, HP-UX, Linux, GNU/Linux, FreeBSD, MacOSX, OpenBSD.

This section does not look at deploying or using LCG/EGEE middleware, but is still related to GridPP Deployment: Pages

Introduction

There are quite a few areas of security and administration which don't seem to be discussed enough, perhaps because they're not new topics or not particularly interesting for those of us who've been administering systems for some time. However, when overlooked, they can cause substantial interruption in service, or impact the quality of service we provide. We also need to provide more information and help to new or less-experienced administrators.

Initial commissioning of machines (building, configuration, deployment)

Defining the life-cycle / work-flow of machines.

http://www.usenix.org/publications/library/proceedings/lisa97/full_papers/20.evard/20_html/fig4.good.eps.gif

  1. Original article: An Analysis of UNIX System Configuration by Rémy Evard, containing the above picture

Differing types of operating systems

  • Many different Linux distributions (RedHat, Scientific Linux, SuSE, Debian)
    • Some sites negotiate and pay site license to RedHat, SuSE/Novell
    • Other sites go the non-licensed (free beer) route, e.g. Scientific Linux, openSUSE, CentOS

Growing importance of virtualisation, especially VMware and Xen

Interoperability of use: Linux and Legacy Unix, Linux and Windows, Single Sign-On

MacOSX is a Unix System too!

Building

How do people initially install systems?

  • ad hoc manual installation with CDs
  • Anaconda / Kickstart based - Red Hat and derived systems
  • SUSE's Alice
  • Quattor

Generally it is helpful to have some form of template (a pre-defined idea of how a machine should be set up) to work with.

  • Minimal applications and services, provide only what is necessary
  • Separation between Production and Development systems. Often further categories are required.
  • Ensure that machines comply with security guidelines
  • Machines should be fully patched against day-zero exploits.

Configuring

  • Need to ensure that all necessary configuration options are correctly set
  • Configuration options must then be monitored to ensure that they stay set, with some process to raise alerts or correct changes.
  • Need to be able to tie into the change control process. Why is an option set? Why was it changed?
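
One way to implement the monitoring described in the list above, as an added example (not part of the original wiki page or of any GridPP tool): a Python check of an sshd_config against a documented baseline in which every option carries the reason it is set. The baseline values, the CHG-* ticket ids and the sample file are constructed for illustration.

```python
import re

# Baseline: sshd_config keyword -> (required value, change-control reason).
# Keywords are real sshd_config options; values and CHG-* ids are constructed.
BASELINE = {
    "permitrootlogin": ("no", "CHG-0001: admins log in as themselves, then sudo"),
    "passwordauthentication": ("no", "CHG-0002: SSH keys only"),
    "loglevel": ("VERBOSE", "CHG-0003: record key fingerprints for forensics"),
}
LINE = re.compile(r"^([^\s=]+)\s*=?\s*(.*)$")

def parse_global_options(text):
    """Return {keyword: value} for the global section of an sshd_config."""
    # Keywords are case-insensitive and sshd keeps the first value it reads,
    # so later duplicates are ignored. Stop at the first Match block, whose
    # settings only apply conditionally.
    options = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m is None or m.group(1).startswith("#"):
            continue  # blank line, comment, or malformed line
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            break
        options.setdefault(keyword, value)
    return options

def find_drift(text, baseline=BASELINE):
    """Return (keyword, found, wanted, reason) for every baseline deviation."""
    current = parse_global_options(text)
    drift = []
    for keyword, (wanted, reason) in sorted(baseline.items()):
        found = current.get(keyword)  # None: unset, built-in default applies
        if found != wanted:
            drift.append((keyword, found, wanted, reason))
    return drift

# Constructed sample: passwords re-enabled, LogLevel set only inside a Match
# block, and a late duplicate PermitRootLogin that sshd ignores.
SAMPLE = """PermitRootLogin no
PasswordAuthentication yes
PermitRootLogin yes
Match User backup
    LogLevel VERBOSE
"""

if __name__ == "__main__":
    for keyword, found, wanted, reason in find_drift(SAMPLE):
        print(f"DRIFT {keyword}: found={found!r} wanted={wanted!r} ({reason})")
```

Run from cron or a configuration management tool, the output can feed the alerting process, and the reason string gives the person handling the alert the answer to "why is this option set".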

Deployment

Once a machine configuration needs to be replicated, what are the processes to aid keeping like-machines as close as possible to each other? Will system-imaging/cloning mechanisms be used?

Documentation

Different audiences for documentation

  • Management
  • Administrators
  • Auditors
  • Service Providers

Documentation management

  • Need a central document repository
  • Need to avoid duplication
    • Different audiences
    • Some content needs to be shared
  • Need to keep up to date
  • Need to encourage documentation!

Security Documents

  • Internal Documents:
    • Site Security Policies
    • Acceptable Use Policies
    • Incident Response Procedures
    • Baseline Security Documents
    • Local Security Hardening Procedures
  • Standard off the shelf documents:

System Documents

There must always be documentation related to the service being provided. The level of detail, unfortunately, will usually depend on the importance of the service.

  • System Overview - purpose of the system, who owns it, who's responsible for it.
  • Hardware Documentation - How hardware is put together, how elements can be replaced
  • Systems Documentation - How hardware and Systems software interoperate, networking configuration
  • Backup procedures - details of recovery procedures and testing
  • Security measures and procedures
  • Dependencies - what the service relies on, what other services may depend on it
  • Change control process and procedures
  • Maintenance and Monitoring processes and procedures
  • Continuity and disaster recovery plans

SysAdmin Procedures

  • Initial build and deployment of systems - Kickstart, Imaging
  • Documentation - Useful documentation used at sites
  • Patch Management - e.g. OS Vendor and Distribution patches
  • Software Management - e.g. 3rd party software, compiling from source, etc
  • Cluster management - for example how you perform kernel updates across a large cluster
  • Admin methods - how you go about configuration tasks (e.g. logging in as root, use of SSH keys, Sudo)
  • Managing non-user accounts
  • Helpdesk Systems -
  • Configuration Management and Change Control

Security Monitoring & Forensics

  • Asset Management - Do you know all the machines on your network?
  • Logging - is critical in aiding the identification of problems, and in the analysis of what caused a problem
    • Central Syslogging - need to provide a 24/7 service. Should provide redundancy.
    • level of error logging for tools like ssh
  • Network Monitoring
    • Any network tracing or forensics that you perform (tracing IDs via processes), e.g. Snort, sguil
  • General Monitoring
  • Inventorying & Auditing -
  • Forensics - procedures, techniques
  • Benchmarking - performance, network
  • Alerts and Escalation

SysAdmin Training

Job Descriptions

Do you have a clear definition of what your job entails? Do you have a clear idea of what your career path is? Does your management understand what you do? Do they know how to properly advertise new posts? Do they understand the difference between the different degrees of experience of sysadmins?

Training Courses

Do you receive adequate training to do your job? Do you get the opportunity to learn how to do new things? .. or old things better?

Certification

Obtaining a certificate or passing a practical exam can be useful in reaffirming your skills, can help you identify shortcomings in your experience, or can help management recognise your value more easily.

Ethics

Do you know how to protect yourself from prosecution? Do you know how to do the right thing™?

Membership of Organisations and User groups

Membership of professional or even informal groups can help you to learn, to inform others, to grow in professionalism, or just to have more fun in your job.

Links