...
- Windows Active Directory will be used for authentication
- This aligns with the SCS long-term plan to reduce dependence on Unix Heimdal Kerberos
...
Security Services/Features needed
...
, based on SLAC MinSec
...
- Anti-virus Software
  - Install and configure ClamAV (optional, since not in moderate enclave)
- Application Patches
  - Configure automatic updates for Applications via apt/yum config
- Authentication
  - Global account authentication policy handled by Active Directory
  - Use Chef Compliance to scan for any enabled insecure protocols such as telnet and ftp
- Logging
  - Configure syslog to log to central syslog server, and enable logging locally to /var/log/everything
- Network Services
  - Check for inappropriate network services via Chef Compliance
- Operating System Patches
  - Configure automatic updates for OS patches via apt/yum
- Passwords
  - Configure local password quality checks and policies (expiration time, etc.) according to SLAC password policy
  - Global account password policy handled by Active Directory
- Baseline Security Configuration
  - Chef Compliance CIS Desktop profile CIS Level 1 Workstation Profile (modified where appropriate) will be used as baseline
  - Chef Compliance scanning can report on compliance level for our baseline
  - PDFs are available for the CIS Benchmarks for Ubuntu 16.04 and CentOS 7
- Training
  - No additional changes needed (same SLAC Training Assignments are required)
- Security Scanning
  - Local scanner account will be enabled to allow authenticated Nessus scans by Cyber Security team
- Banner
  - The SLAC DOE login banner will be configured
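
The insecure-protocol and network-service checks listed under Authentication and Network Services, as an added stand-alone Ruby example (not part of the original page and not a Chef Compliance profile): it parses `ss -tuln` output and reports listeners for telnet and ftp, and goes beyond the page by also covering tftp and the r-services. The port map, `Finding`, `insecure_listeners` and the sample input are assumptions made for illustration.

```ruby
# Added example: flag cleartext services in `ss -tuln` output.
# Keys are [protocol, port]. Matching on protocol keeps the syslog port
# (udp/514) from being reported as rsh, which uses tcp/514.
INSECURE = {
  ['tcp', 21] => 'ftp', ['tcp', 23] => 'telnet', ['udp', 69] => 'tftp',
  ['tcp', 512] => 'rexec', ['tcp', 513] => 'rlogin', ['tcp', 514] => 'rsh'
}.freeze

Finding = Struct.new(:service, :proto, :address, :port, :exposed)

# Returns one Finding per listening socket that matches INSECURE.
# Assumes the column layout ss prints when both -t and -u are given:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
def insecure_listeners(ss_output)
  findings = ss_output.each_line.map do |line|
    proto, state, _recvq, _sendq, local = line.split
    next if local.nil? || proto == 'Netid'          # blank line or header row
    next unless %w[LISTEN UNCONN].include?(state)    # tcp listeners, unconnected udp
    address, _, port = local.rpartition(':')         # last colon, so [::]:513 works
    service = INSECURE[[proto, port.to_i]]
    next unless service
    host = address.sub(/%.*\z/, '')                  # drop a "%lo" interface suffix
    loopback = host.start_with?('127.') || host == '[::1]'
    Finding.new(service, proto, address, port.to_i, !loopback)
  end
  findings.compact
end

# Constructed sample input, not captured from a real host.
SAMPLE = <<~SS
  Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
  tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
  tcp   LISTEN 0      32     *:21               *:*
  tcp   LISTEN 0      128    127.0.0.1:23       0.0.0.0:*
  udp   UNCONN 0      0      0.0.0.0:514        0.0.0.0:*
  tcp   LISTEN 0      128    [::]:513           [::]:*
SS

insecure_listeners(SAMPLE).each do |f|
  scope = f.exposed ? 'network-reachable' : 'loopback only'
  puts "#{f.service} on #{f.proto}/#{f.port} (#{f.address}, #{scope})"
end
```

Loopback-only listeners are still reported, with `exposed` set to false, so they can be reviewed rather than silently ignored.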
...