- From: Daniel Black <daniel AT cacert.org>
- To: cacert-sysadm AT lists.cacert.org
- Subject: [Cacert-sysadm] cacert systems strategy
- Date: Sun, 8 Mar 2009 16:52:25 +1100
- List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
- List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>
- Organization: CAcert
Well, I think sysadmins think of working as just getting/keeping stuff going;
however, there's room for a little thought about what is the final optimal
state for systems.

I think the sysadmins of cacert should be focusing on the following (and
probably are; however, a clear list of priorities probably could help):

1. supporting audit objectives
   http://audit.cacert.org/drc/browser.php
2. encouraging contribution
   2.1 defined processes that facilitate development (particularly of the
       cacert main webpage)
   2.2 defined process for accepting system administrators
   2.3 well-documented systems
   2.4 install Puppet or some centralised system management
   2.5 better configuration control (etckeeper or something)
   2.6 define system configuration standards - (OS / apache2 / ssh / php)
3. best practices in security
   3.1 high standards in application development - audits against best
       practice, e.g. OWASP
   3.2 high security standards in application configuration (2.6 above)
   3.3 high security standards in network configuration - ingress/egress
       firewall rules
   3.4 high security standards on logging integrity
   3.5 high quality system monitoring / intrusion detection - alerting on
       anomalies or even distro security releases
   3.6 DR planning
   3.X centralised account management - ensure old sysadmins' accounts are
       purged and current sysadmins can be granted permissions to do other
       stuff as required.
   3.7 ensuring public services use certificates and authentication whenever
       possible.
   3.8 web services like wiki.cacert.org use client-side certificates or
       OpenID for authentication
   3.9 push application developers to adopt client-side certificate support
       in their applications
   3.10 adoption of new technologies that promote security - DNSSEC, DKIM
        (digitally signed email that can be checked at gateways)
   3.11 other cool stuff - IPv6
let me know what you think and we'll see whether the board agrees.
--
Daniel Black
--
Email/List Administrator
CAcert
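Item 3.4 above names "logging integrity" without saying what a check for it looks like. The following is an added example (it is not part of Daniel's post and not CAcert's own tooling) of one common approach: a hash chain, where each log record carries an HMAC over its own content and the previous record's tag, so that editing, deleting or reordering a record breaks the chain from that point on. The key, the sample log lines, the host name and the addresses (192.0.2.0/24 and 198.51.100.0/24 documentation ranges) are all constructed for the demonstration; `tag_record`, `append_chain`, `verify_chain` and `demo` are names chosen here, not an existing library's API.

```python
"""Tamper-evident (hash-chained) log records: build the chain, then verify it.

Added illustration for the "logging integrity" item; all names, keys and log
lines here are constructed for the example.
"""
import hashlib
import hmac

# Constructed demo key. In a real deployment the key lives on the log
# collector (or in an HSM), not on the host that writes the log, so that an
# intruder who gains root on the host cannot simply re-chain the records.
KEY = b"constructed-demo-key-do-not-use-in-production"
GENESIS = "0" * 64  # the tag the first record chains to

# Constructed syslog-style sample records (documentation IP ranges).
SAMPLE_LINES = [
    "Mar  8 16:52:25 host1 sshd[1234]: Accepted publickey for alice from 192.0.2.10",
    "Mar  8 16:53:01 host1 sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/apt-get update",
    "Mar  8 16:55:40 host1 sshd[1300]: Failed password for root from 198.51.100.7",
    "Mar  8 16:55:42 host1 sshd[1300]: Failed password for root from 198.51.100.7",
]


def tag_record(prev_tag: str, line: str) -> str:
    """HMAC-SHA256 over (previous tag, newline, record text), hex encoded."""
    mac = hmac.new(KEY, digestmod=hashlib.sha256)
    mac.update(prev_tag.encode())
    mac.update(b"\n")  # domain separator between tag and record text
    mac.update(line.encode())
    return mac.hexdigest()


def append_chain(lines):
    """Return records of the form '<tag>\\t<line>', each chained to the last."""
    records = []
    prev = GENESIS
    for line in lines:
        tag = tag_record(prev, line)
        records.append(f"{tag}\t{line}")
        prev = tag
    return records


def verify_chain(records):
    """Walk the chain from GENESIS. Returns (ok, index_of_first_bad_record).

    index is -1 when the whole chain verifies.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if "\t" not in rec:
            return False, i  # malformed record
        tag, line = rec.split("\t", 1)
        if not hmac.compare_digest(tag, tag_record(prev, line)):
            return False, i
        prev = tag
    return True, -1


def chain_head(records) -> str:
    """Tag of the last record; store this off-host to detect truncation."""
    return records[-1].split("\t", 1)[0] if records else GENESIS


def demo():
    """Build a chain and exercise the three tampering cases."""
    records = append_chain(SAMPLE_LINES)
    head = chain_head(records)  # imagine this was shipped to the collector

    # Case 1: an intruder rewrites a failed root login into a success.
    edited = list(records)
    tag, line = edited[2].split("\t", 1)
    edited[2] = tag + "\t" + line.replace("Failed password", "Accepted password")

    # Case 2: a record is deleted from the middle of the log.
    deleted = records[:1] + records[2:]

    # Case 3: the log is truncated at the end. The chain itself still
    # verifies; only comparing against the stored head reveals the loss.
    truncated = records[:2]

    return {
        "intact": verify_chain(records),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated_chain_ok": verify_chain(truncated),
        "truncated_head_matches": chain_head(truncated) == head,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The truncation case is the one practitioners most often miss: a chain proves nothing about records that were simply dropped from the tail, so the current head tag (or a periodic signed checkpoint) has to be recorded somewhere the host cannot reach, which is also why the key belongs on the collector rather than on the host being monitored.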