
cacert-sysadm - Re: [Cacert-sysadm] cacert systems strategy

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list

  • From: Sam Johnston <samj AT samj.net>
  • To: Daniel Black <daniel AT cacert.org>
  • Cc: cacert-sysadm AT lists.cacert.org
  • Subject: Re: [Cacert-sysadm] cacert systems strategy
  • Date: Sun, 8 Mar 2009 10:03:30 +0100
  • List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
  • List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>

Daniel,

First, thanks again for your tireless work in this area.

First and foremost the IT systems need to be brought up to the level where they meet or exceed the requirements of the organisation. I'm still drowning in OA related mails from individuals inside and outside CAcert as we still don't have a sensible issue (and I mean issue, not bug) tracking system. The wiki is also woefully inadequate compared to e.g. MediaWiki, but less easy to fix. The mail system is too complicated so I don't use it, and I doubt I'm the only one (I have a bunch of aliases in Gmail but cacert.org isn't one of them). These are just some of the things that regularly trip me up - availability's another issue that's caused us some problems.

After that the documentation in terms of audit et al is obviously critical for us but could also be really useful for others. I'd love to see a talk from you on System Administration in High Security Environments for example - usually such things are well under wraps. You should consider doing something like this at one or more of the various System Administrators Guilds and/or events.

Cheers,

Sam

On Sun, Mar 8, 2009 at 6:52 AM, Daniel Black <daniel AT cacert.org> wrote:

Well I think sysadmins think of working as just getting/keeping stuff going, however there's room for a little thought about what is the final optimal state for systems.

I think the sysadmins of cacert should be focusing on the following (and probably are, however a clear list of priorities probably could help):

1. supporting audit objectives

http://audit.cacert.org/drc/browser.php

2. encouraging contribution

2.1 defined processes that facilitate development (particularly of cacert main webpage)
2.2 defined process for accepting system administrators
2.3 well documented systems
2.4 install puppet or some centralised system management
2.5 better configuration control (etckeeper or something)
2.6 define system configuration standards - ( OS / apache2 / ssh / php )

3. best practices in security

3.1 high standards in application development - audits against best practice - e.g. OWASP
3.2 high security standards in application configuration (2.6 above)
3.3 high security standards in network configuration - ingress/egress firewall rules
3.4 high security standards on logging integrity
3.5 high quality system monitoring / intrusion detection - alerting on anomalies or even distro security releases
3.6 DR planning
3.X centralised account management - ensure old sysadmins' accounts are purged and current sysadmins can be granted permissions to do other stuff as required.

3.7 ensuring public services use certificates and authentication whenever possible.
3.8 web services like wiki.cacert.org use client side certificates or openid for authentication
3.9 push application developers to adopt client side certificate support in their applications

3.10 adoption of new technologies that promote security - DNSSEC, DKIM (digitally signed email that can be checked at gateways)
3.11 other cool stuff - IPv6

Let me know what you think and we'll see whether the board agrees.

--
Daniel Black
--
Email/List Administrator
CAcert
_______________________________________________
CAcert-sysadm mailing list
CAcert-sysadm AT lists.cacert.org
https://lists.cacert.org/cgi-bin/mailman/listinfo/cacert-sysadm
