= 20090306 Meeting Sysadms =

 * Present: Wytze, Philipp D, Iang, Mendel
 * Opened 17:00, closed 21:30
 * SM = [[SecurityManual|Security Manual]]
 * SP = [[https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html|Security Policy]]

== Misc ==

 * '''Wytze/Mendel to propose to board''' "we will do this after 7 days unless vetoed":
  * separate development machine with CVS tree from webserver into a vserver
  * cut off ssh access to webserver for everyone except critical sysadmins, with option for case by case access for support purposes
  * (argument: implementation of security policy)
 * DNS
  * should be a decision by sysadm team leaders
  * is there a need for a policy line?
   * point was that both decision by t/l is needed and authorisation to t/l to move the servers outsourced.
   * section added to Security Policy that t/l can outsource the DNS.
  * '''Wytze to define the details in the Security Manual'''.
  * '''iang to point new section to board.'''
 * Security Manual / Security Policy as the document and Contract for all Systems Administrators
  * in past, an NDA has been used
   * NDA has bad clauses in, but could not be found at time. '''Mendel to find and advise.'''
   * NDA is some document from the net, mostly not relevant
   * Some clauses could be incorporated into SM/SP
   * '''iang to look at NDA.'''
 * Question of whether SM/SP applies to Oophaga
  * if not then audit cannot apply to Oophaga easily
   * which means they either have to be audited separately, differently, or provide an alternate audit.
  * Occam's razor says SM/SP should replace security areas in MoU
   * in effect, Oophaga and access engineers are under SM/SP.
  * generally, the answer is yes
  * implementation and contract negotiations would be the next question
  * some outstanding questions in SM to trace.
   * key access
   * power control
 * Need for critical services on a VM/host
  * set up a VM/host on Sun4 (the remaining unused Sun)
   * DNS primary, SSH hopper
  * check allocation of Sun4 and start on it
  * '''Mendel to set up VM/hosting environment'''
 * general consensus to shift the non-critical servers out of the rack
  * there was an offer for an AMS hosting location
  * '''Mendel to ping Teus'''
 * need to split the Tunix firewalls? Or duplicate them?
  * currently the Tunix firewalls are bypassed for crit
   * why? Unknown. But make changes slowly.
 * Discussion of Software Development
  * change name to Software Assessment?
  * we need a software maillist, '''Philipp D request to Daniel'''
  * discussion of current code state, difficulties in current code base
  * provisional discussion to meet and work out future software development team
  * current code base is problematic

== Priorities ==

Before summer, says Mendel:

 1. hop has to be moved
 1. separate the crit / non-crit systems
 1. move webserver behind firewall
 1. password cleanup
  * SSH keys for user account access (via hop)
  * on crit server, local user passwords for sudo only
  * disallow password login for remote users (SSH)
  * root password only for console access
  * agent forwarding / tunnelling on hop only (otherwise hop has to be critical machine)
  * (this part into SM '''Wytze''')

== HAR2009 ==

 * Mendel is "in" the [[HAR2009]] administration
  * did CCC last year as well
  * rg is on papers committee
   * looking for good papers
   * '''Mendel to look at [[http://iang.org/papers/open_audit_lisa.html|iang's paper]]'''
    * which had some unpresented sections, and could be updated ...
   * other things possible
 * dates
  * camping is available 7 - 17
  * tent is available 8 - 16
 * availability
  * tent price is maybe 500, better estimates to follow
  * rooms also available, cheaper
  * bungalows, 8 bunks, are available for 1500 (includes 1 pass).
 * tickets
  * each 150
 * food & drink
 * laundry
 * transport
 * coordinate with Mendel as to requirements
 * basic issue is software side
  * audit has work budget available for this
  * this year is the software development year
  * last year was sysadm year
 * If Mendel doesn't get his "summer priorities" completed, he can't go to HAR!?!?!

== Admin ==

 * food bill for meeting is 80x euros.

----
 . CategoryAudit
 . CategoryAdvisory