On Mon, 3 Oct 2011 23:13:25 -0400
"Eric H. Christensen" <sparks(a)fedoraproject.org> wrote:

> Greetings.
>
> Kevin asked me to take a look at the CSI Security Policy (I believe
> it was recently tweaked). I have a few questions that I'd like to
> ask in hopes that I will learn and maybe we'll add some more good
> information to the policy.

Thanks!

> First, in section 2.2 the policy discusses host general security.
> All of this information relates specifically to IPv4 settings. Now I
> don't have a good enough understanding of all the possibilities in
> sysctl but I know that ip6tables can be similarly configured for IPv6
> networks. Now it should be said that if you don't have IPv6 deployed
> that all IPv6 paths should be shut down and tools turned off to avoid
> utilizing anything that may open up a path, unexpectedly, into the
> system. But if you are utilizing IPv6 we shouldn't forget about
> these paths and should harden our systems against their misuse.
> Perhaps someone could help me with the sysctl stuff?

Yeah, good idea. Ideally, we should just suggest an ip6tables that
denies all traffic, since folks will have at least a link local ipv6.

> Next, in the incident response I see there are great plans for
> safeguarding the evidence after an incident has occurred. I would
> like to caution that one person's way of obtaining the information
> is not the next person's way of doing so. I'd like to see specific
> commands to be run, that the drive is mounted as read-only while
> obtaining the images, and what safeguarding needs to occur with these
> images and what the procedure is, for the hard drive, once an image
> has been obtained.

Also, great suggestion.

> Also, should we talk about remote authentication methods that should
> be used (ssh keys (RSA or DSA)(bit strength), encryption standards to
> be used while transmitting data, what data should be stored
> encrypted and how should that be done, etc.)? I know how we (Fedora)
> do it now but others that might look at this guide for...
> guidance... would probably want to know this information. My thought
> is that we should document stuff that we are doing now even if it
> seems common sense.

Sure. To my understanding both RSA and DSA ssh keys are fine to be used
currently. But yeah, adding more info on this would be great.

> This is really some good stuff in that guide and I'd like to see even
> more technical information and technical explanation so we can
> continue to be leaders in how things should be done in the FLOSS
> community.

Yep. Agreed.

kevin
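
Added example, not part of the original thread or of the CSI policy: a deny-all IPv6 ruleset in ip6tables-restore format, as suggested in the reply above, and a check that a saved ruleset really is deny-all. The function names and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample rulesets are constructed.

# Deny-all policy for the filter table, ip6tables-restore format.
deny_all_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
EOF
}

# Constructed counter-example: open policies plus an explicit ACCEPT.
constructed_open_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Reads a saved ruleset on stdin and prints one finding per line.
# Returns 0 only if INPUT, FORWARD and OUTPUT all default to DROP
# and no filter rule jumps to ACCEPT.
audit_ip6_ruleset() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^:(INPUT|FORWARD|OUTPUT) / {
            chain = substr($1, 2); seen[chain] = 1
            if ($2 != "DROP") { print "policy " chain " is " $2; bad = 1 }
        }
        table == "filter" && /^-A / && / -j ACCEPT( |$)/ {
            print "accept rule: " $0; bad = 1
        }
        END {
            n = split("INPUT FORWARD OUTPUT", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print "no policy for " want[i]; bad = 1 }
            exit bad + 0
        }
    '
}
# On a live host: ip6tables-save | audit_ip6_ruleset
```

An empty or missing ruleset is reported as a failure, since a host with no saved IPv6 policy still has a link-local address.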