...

  1. Anti-virus Software
    1. Install and configure ClamAV (optional, since not in moderate enclave)
  2. Application Patches
    1. Configure automatic updates for applications via apt/yum config
  3. Authentication
    1. Kerberos and SSH will be configured and used for encrypted authentication
    2. Use Chef Compliance to scan for any enabled insecure server protocols such as telnet and ftp
  4. Logging
    1. Configure syslog to log to central syslog server, and enable logging locally to /var/log/everything
  5. Network Services
    1. Check for inappropriate network services via Chef Compliance
  6. Operating System Patches
    1. Configure automatic updates for OS patches via apt/yum 
  7. Passwords
    1. To deal with any local accounts that might get created on the desktop, we will configure local password quality checks and policies (expiration time, etc.) according to SLAC password policy. Ideally, Microsoft AD accounts will be used and no local accounts will be required.
    2. Global account password policies are handled by Active Directory, not the local desktop configuration. Windows AD passwords will be changed the same way they are now.
  8. Baseline Security Configuration
    1. CIS Level 1 Workstation Profile will be used (modified where appropriate)
    2. Chef Compliance scanning can report on compliance level for our baseline
    3. PDFs are available for the CIS Benchmarks for Ubuntu 16.04 and CentOS 7
  9. Training
    1. No additional changes needed (same SLAC Training Assignments are required)
  10. Security Scanning
    1. A local scanner account will be enabled to allow authenticated Nessus scans by the Cyber Security team
  11. Banner
    1. The SLAC DOE login banner will be configured

 

 

...

Stanford Minimum Security Standards

To align with the Stanford Minimum Security Standards for Endpoints (defined as any laptop, desktop, or mobile device), there are some additional requirements, documented at this link:

https://uit.stanford.edu/guide/securitystandards

 

The standards include patching (within 7 days), whole disk encryption, malware protection, and backups.

apt-get on Ubuntu can be configured to apply updates daily or weekly. 
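
As an added example (not part of the original page or SLAC's own tooling), the following shell check verifies that a host's APT periodic settings fit the 7-day patching window. It assumes the flat `APT::Periodic::<Key> "N";` form (the form `apt-config dump` prints) with intervals in whole days; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check APT periodic settings against a "patch within 7 days" rule.
# Assumption: settings use the flat form  APT::Periodic::<Key> "<days>";
MAX_DAYS=7

# Print the last value assigned to an APT::Periodic key in the given files
# (later assignments win). Prints nothing when the key is unset or commented out.
periodic_value() {
    key=$1; shift
    sed -n "s/^[[:space:]]*APT::Periodic::${key}[[:space:]]*\"\([^\"]*\)\"[[:space:]]*;.*/\1/p" \
        "$@" 2>/dev/null | tail -n 1
}

# Succeed only for a whole number of days between 1 and MAX_DAYS.
# "0" means disabled; non-numeric values are rejected for manual review.
interval_ok() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le "$MAX_DAYS" ]
}

# Report each required setting; return non-zero if any is missing or too slow.
check_patch_policy() {
    rc=0
    for key in Update-Package-Lists Unattended-Upgrade; do
        val=$(periodic_value "$key" "$@")
        if interval_ok "$val"; then
            echo "OK   $key=$val"
        else
            echo "FAIL $key=${val:-unset} (need 1..$MAX_DAYS days)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: package lists refresh weekly, but upgrades are disabled.
sample=$(mktemp)
printf '%s\n' 'APT::Periodic::Update-Package-Lists "7";' \
              'APT::Periodic::Unattended-Upgrade "0";' > "$sample"
check_patch_policy "$sample" || echo "sample host does not meet the patching window"
rm -f "$sample"
```

On a real host the same function can be pointed at the files under `/etc/apt/apt.conf.d/` or at saved `apt-config dump` output.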

 

For backups, CrashPlan (Stanford) can be used on Ubuntu:

https://uit.stanford.edu/service/code42crashplan

 

ClamAV and chkrootkit can be used on Ubuntu for malware protection.

 

Ubuntu has an option for full disk encryption at install time. 

https://www.eff.org/deeplinks/2012/11/privacy-ubuntu-1210-full-disk-encryption

 

...

Additional Operating System Configuration needed

...