...
Security Services/Features needed, based on SLAC MinSec
These will be configured using Chef Configuration Management and Compliance scanning/reporting
- Anti-virus Software
  - Install and configure ClamAV (optional, since not in moderate enclave)
- Application Patches
  - Configure automatic updates for Applications via apt/yum config
- Authentication
  - Global account authentication policy handled by Active Directory
  - Use Chef Compliance to scan for any enabled insecure protocols such as telnet and ftp
- Logging
  - Configure syslog to log to central syslog server, and enable logging locally to /var/log/everything
- Network Services
  - Check for inappropriate network services via Chef Compliance
- Operating System Patches
  - Configure automatic updates for OS patches via apt/yum
- Passwords
  - Configure local password quality checks and policies (expiration time, etc) according to SLAC password policy
  - Global account password policy handled by Active Directory
- Baseline Security Configuration
  - CIS Level 1 Workstation Profile will be used (modified where appropriate)
  - Chef Compliance scanning can report on compliance level for our baseline
  - PDFs are available for the CIS Benchmarks for Ubuntu 16.04 and CentOS 7
- Training
  - No additional changes needed (same SLAC Training Assignments are required)
- Security Scanning
  - Local scanner account will be enabled to allow authenticated Nessus scans by Cyber Security team
- Banner
  - The SLAC DOE login banner will be configured
...
Additional Operating System Configuration needed
These will be configured using Chef Configuration Management and Compliance scanning/reporting
- NTP client
- DNS client
- logrotate
- mailgateway (mail client)
- sudo
- shells
- unixadmins (sets up unix-admin logins and scanner account)
- root (manage root password and root home environment)
...