CAcert System Admins discussion list

["Ian G (Audit)" <iang AT cacert.org>]

On 26/3/09 21:28, Mendel Mobach wrote:

> > OK, I'm not making myself clear. What I wanted to know is what
> > *applications* are going on these machines, and whether these are
> > *critical* or *infrastructure* .
>
> Infrastructure. The critical apps like signing server, user database,
> frontend etc do have their own hardware with even more strict rules.
>
> > In particular, are we talking about the signing app, the critical user
> > database, the frontend CA application or the other related critical
> > parts living on a virtual server / host?
>
> No they will keep their own hardware.
>
> > Or are you talking about the logging server, being separate from the
> > above?
>
> That's one. However the signing server doesn't speak IP. It won't be
> able to log (yet) to another server.
>
> > Or, does "remote root access" mean this is for the hop-server, the
> > server where sysadms connect into before ssh-ing to the critical
> > servers and/or the console access?
>
> yes. That's what remote root access does mean in this case. For the
> webserver it's a bit different at the moment but that will change to
> comply with the SP.


OK, so you are talking about a host to manage the logging server 
(virtual 1) and the remote root access hopper (virtual 2) and anything 
else coming along that might be suitable.

(So, this is a new physical machine, like Sun4.  Implementation detail.)

Last question:  is this machine to be designated a *critical machine* 
and therefore slap-bang inside the Security Policy domain?

Or, is this machine to be designated an infrastructure machine and 
therefore is run by our friendly but slightly more relaxed 
infrastructure team?



iang



PS: I'm not promising it's the last question ...

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature