Information security
1. Strategy
...
1.1. Personal data compromise
...
1.2. Denial of service
...
1.3. Internal accountability
...
2. Security team
The mission of the security team is to prevent and respond to information security issues.
2.1. Organization
The security team consists of the CLARIN system administrators (sysops@clarin.eu). It can be reached about security matters at security-issues@clarin.eu.
2.2. Response
In case a security issue comes to the team's attention ...
2.2.1. Issues that require cooperation with external persons
Some issues may not or cannot be resolved by the CLARIN security team alone. ...
2.2.2. Post-breach procedure
...
2.2.2.1. Communication with affected clients (users, organizations)
...
2.2.3. Documentation of issues (breach or not)
...
2.3. Prevention
...
2.3.1. Awareness
The security team signs up to all relevant information security advisory channels. This includes mailing lists, RSS feeds, etc. These are delivered to a central mailbox ...
2.3.1.1. Generally important security advisory channels
2.3.1.1.1. Our technology base and the relevant security advisory channels
2.3.2. Action
The highest priority is given to security issues for which no automatic resolution would occur.
Example
- An OS kernel security bug is found. The kernel is part of the OS, for which automatic updates are distributed.
- A bug is found in Django, a web application framework. As this framework is distributed with our application(s) upon release, a new release of the application is required and updates are not automatic.
2.3.3. Notes on specific software
2.3.3.1. Docker
- Don't expose the Docker socket (not even to a container)
- Using the docker command to root the host (totally not a security issue)
- Always make sure that the virtualized app drops its privileges as much as possible.
2.3.3.1.1. Firewalling
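A possible solution to the second issue, using a script:
# Interface that carries the default route
EXT_IF=$( ip r s 0.0.0.0/0 | cut -f5 -d" " )
# IPv4 address of that interface, without the prefix length
EXT_IPV4=$( ip a s dev "${EXT_IF}" | grep "inet " | awk '{print $2}' | sed 's/\/.*//' )
# Drop packets that arrive on the external interface but are not addressed to the host's own external IPv4 address
iptables -t mangle -I PREROUTING 1 -i "$EXT_IF" ! -d "$EXT_IPV4" -j DROP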
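Added example (not part of the original page or of CLARIN's tooling): the script above assumes exactly one default route and exactly one IPv4 address on the external interface. This version goes beyond that case by returning for each local address in a dedicated chain and dropping the rest, and it prints the iptables commands instead of applying them; the chain name EXT_GUARD, the function names and the sample `ip -o` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: prints (does not apply) the PREROUTING guard built from `ip` output.
# Sample data is constructed; EXT_GUARD is a hypothetical chain name.

# Constructed output of: ip -4 -o route show default
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0 proto dhcp metric 100'
# Constructed, trimmed output of: ip -4 -o addr show dev eth0 (primary plus secondary)
SAMPLE_ADDRS='2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0
2: eth0    inet 203.0.113.11/24 scope global secondary eth0'

# Print the interface named after "dev" in the default route(s); fail unless exactly one.
ext_if() {
    printf '%s\n' "$1" | awk '
        $1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") seen[$(i + 1)] = 1 }
        END {
            for (k in seen) { n++; name = k }
            if (n != 1) exit 1
            print name
        }'
}

# Print every IPv4 address, without prefix length, found after an "inet" field.
ext_ipv4s() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++) if ($i == "inet") { sub(/\/.*/, "", $(i + 1)); print $(i + 1) } }'
}

# Emit the commands: RETURN for each local address, DROP anything else from $1's interface.
# A single "! -d ADDR -j DROP" per address would drop all traffic once there are two.
build_rules() {
    _if=$(ext_if "$1") || { echo "no unique default-route interface" >&2; return 1; }
    _addrs=$(ext_ipv4s "$2")
    [ -n "$_addrs" ] || { echo "no IPv4 address on $_if" >&2; return 1; }
    echo "iptables -t mangle -N EXT_GUARD"
    for _a in $_addrs; do
        echo "iptables -t mangle -A EXT_GUARD -d $_a -j RETURN"
    done
    echo "iptables -t mangle -A EXT_GUARD -j DROP"
    echo "iptables -t mangle -I PREROUTING 1 -i $_if -j EXT_GUARD"
}

build_rules "$SAMPLE_ROUTES" "$SAMPLE_ADDRS"
```

On a real host, feed the functions the live output of the two `ip` commands named in the comments and review the printed rules before running them.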