Information security

1. Strategy

...

1.1. Personal data compromise

...

1.2. Denial of service

...

1.3. Internal accountability

...

2. Security team

The mission of the security team is to prevent and respond to information security issues.

2.1. Organization

The security team consists of the CLARIN system administrators (sysops@clarin.eu). It can be reached about security matters at security-issues@clarin.eu.

2.2. Response

In case a security issue comes to the team's attention ...

2.2.1. Issues that require cooperation with external persons

Some issues may not or cannot be resolved by the CLARIN security team alone. ...

2.2.2. Post-breach procedure

...

2.2.2.1. Communication with affected clients (users, organizations)

...

2.2.3. Documentation of issues (breach or not)

...

2.3. Prevention

...

2.3.1. Awareness

The security team signs up to all relevant information security advisory channels. This includes mailing lists, RSS feeds, etc. These are delivered to a central mailbox ...

2.3.1.1. Generally important security advisory channels

General information about open source software (OSS) security and discussion and dissemination channels.

General overview including visualizations and statistics on the numbers and types of security vulnerabilities reported in OSS.

2.3.1.1.1. Our technology base and the relevant security advisory channels

| software | feed (*: unofficial) | manual |
|---|---|---|
| Shibboleth IdP 3 | announce-subscribe@shibboleth.net | https://wiki.shibboleth.net/confluence/display/IDP30/SecurityAdvisories |
| Shibboleth SP 2 | announce-subscribe@shibboleth.net | https://wiki.shibboleth.net/confluence/display/SHIB2/SecurityAdvisories |
| Drupal | https://www.drupal.org/security/rss.xml | https://www.drupal.org/security/ |
| | https://www.drupal.org/security/contrib/rss.xml | https://www.drupal.org/security/contrib |
| | https://www.drupal.org/security/psa/rss.xml | https://www.drupal.org/security/psa |
| CentOS | centos-announce@centos.org | https://lists.centos.org/pipermail/centos-announce/ |
| Django | * oss-security@lists.openwall.com | http://www.openwall.com/lists/oss-security/ |
| Python | * CVEDetails | None ... |
| openssl | * CVEDetails | https://www.openssl.org/news/vulnerabilities.html |
| Java | * CVEDetails | ? |
| nginx | * CVEDetails | http://nginx.org/en/security_advisories.html |
| Apache 2.4 | * CVEDetails | https://httpd.apache.org/security/vulnerabilities_24.html |

2.3.2. Action

Highest priority is given to security issues for which no automatic resolution would occur.

Example

  1. An OS kernel security bug is found. The kernel is part of the OS, for which automatic updates are distributed.
  2. A bug is found in Django, a web application framework. As this framework is distributed with our application(s) upon release, a new release of the application is required and updates are not automatic.

2.3.3. Notes on specific software

2.3.3.1. Docker

2.3.3.1.1. Firewalling

  1. By default, the Docker Engine daemon modifies iptables so that mapped ports bypass firewall rules!
  2. The Docker Engine daemon enables kernel IP forwarding without adding any rules that restrict which inbound IP packets are forwarded!

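A possible solution to the second issue, using a script:

    # Interface of the default route and its first IPv4 address.
    EXT_IF=$( ip r s 0.0.0.0/0 | head -n 1 | cut -f5 -d" " )
    EXT_IPV4=$( ip a s dev "${EXT_IF}" | grep "inet " | head -n 1 | awk '{print $2}' | sed 's/\/.*//' )

    # Drop packets that arrive on the external interface but are not addressed to this host.
    # This also drops broadcast and multicast packets arriving on that interface.
    iptables -t mangle -I PREROUTING 1 -i "${EXT_IF}" ! -d "${EXT_IPV4}" -j DROP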
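
The following check is an added example, not part of the original wiki page or of CLARIN's own tooling: it classifies a host against the second issue above, given the kernel's ip_forward value and rule listings in `iptables -S` format. The function names, verdict words and sample rules (interface eth0, documentation address 192.0.2.10) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify exposure to the unrestricted-forwarding issue.
# Rule text is expected in the format printed by `iptables -S`.

# Escape regex metacharacters that can occur in addresses and interface names.
re_escape() { printf '%s' "$1" | sed 's/[.+]/\\&/g'; }

# has_guard_rule MANGLE_RULES EXT_IF EXT_IPV4
# True only if the exact DROP rule inserted by the script above is present;
# a narrower rule (for example one limited to a protocol) does not count.
has_guard_rule() {
    printf '%s\n' "$1" | grep -Eq -- \
        "^-A PREROUTING ! -d $(re_escape "$3")(/32)? -i $(re_escape "$2") -j DROP\$"
}

# audit_forwarding IP_FORWARD FORWARD_RULES MANGLE_RULES EXT_IF EXT_IPV4
# Prints one verdict: off | guarded | policy-drop | open
audit_forwarding() {
    if [ "$1" != "1" ]; then echo off; return; fi
    if has_guard_rule "$3" "$4" "$5"; then echo guarded; return; fi
    if printf '%s\n' "$2" | grep -q -- '^-P FORWARD DROP$'; then
        echo policy-drop   # forwarding on, but the FORWARD chain defaults to DROP
    else
        echo open          # forwarding on and nothing restricts inbound packets
    fi
}

# audit_live: gather the same inputs from the running host (needs root).
audit_live() {
    ext_if=$( ip r s 0.0.0.0/0 | head -n 1 | cut -f5 -d" " )
    ext_ipv4=$( ip a s dev "$ext_if" | grep "inet " | head -n 1 | awk '{print $2}' | sed 's/\/.*//' )
    audit_forwarding "$(cat /proc/sys/net/ipv4/ip_forward)" \
        "$(iptables -S FORWARD)" "$(iptables -t mangle -S PREROUTING)" \
        "$ext_if" "$ext_ipv4"
}

# Constructed sample input, not captured from a real host.
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -o docker0 -j DOCKER'
SAMPLE_MANGLE_BEFORE='-P PREROUTING ACCEPT'
SAMPLE_MANGLE_AFTER='-P PREROUTING ACCEPT
-A PREROUTING ! -d 192.0.2.10/32 -i eth0 -j DROP'

echo "before: $(audit_forwarding 1 "$SAMPLE_FORWARD" "$SAMPLE_MANGLE_BEFORE" eth0 192.0.2.10)"
echo "after:  $(audit_forwarding 1 "$SAMPLE_FORWARD" "$SAMPLE_MANGLE_AFTER" eth0 192.0.2.10)"
```

On a real host, call `audit_live` as root instead of the two sample lines; any verdict other than `off` or `guarded` means the rule from the script above is not in place.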

2.3.3.2. Drupal

http://www.drupal.org/security

Last modified on 05/18/16 14:31:35