FNAL

ID | Item | Minimum | Recommended | Requirement
---|------|---------|-------------|------------
F1 | Nessus scanning | Full OS and web server (vhosts, CGI, and application) scans every 6 months. Results and configuration saved in a central place. | Full OS and web server (vhosts, CGI, and application) scans monthly. Results and configuration saved in a central place. | Minimum
F2 | System logs | Local and forwarded to the computer security logging service. | Local and forwarded to the computer security logging service. | Minimum, by baseline implementation date
F3 | Web logs | Local and forwarded to the computer security logging service. 30 days of logs kept. All publicly accessible Apache web servers (regardless of port) must forward all standard web server access and error log content to the computer security logging service via syslog. | Local and forwarded to the computer security logging service. 90 days of logs kept. All publicly accessible Apache web servers (regardless of port) must forward all standard web server access and error log content to the computer security logging service via syslog. | Recommended
F4 | Notification of syslog restart facility | Yes; may be via a watcher script or other monitoring such as NGOP. | Yes; may be via a watcher script or other monitoring such as NGOP. | Recommended, by baseline implementation date
F5a | Notification of changes in the web machine file system | Yes; may be via Tripwire, MD5, ... | Tripwire, with the database kept separate from the system. | Recommended
F5b | Notification of changes in the web configuration | Yes; may be via Tripwire, MD5, AIDE, ... | Tripwire, with the database kept separate from the system. | Recommended, by baseline implementation date
F6 | Automatic patching support for OS | See OS baseline. | See OS baseline. | Recommended
F7a | Checks on installed modules | Checks on installed modules every 6 months. | Checks on installed modules monthly. | Minimum, by baseline implementation date
F9 | Serving content by a read-only mechanism | No | Yes, via AFS, a read-only file system copy, CD-ROM, or DVD-ROM. | Minimum-Recommended; AFS replication available by request
F10 | /tmp handling (so the web server cannot write or exec in /tmp) | See OS baseline. | See OS baseline. | Recommended
F11b | System administrators | Each web machine has a registered system administrator. | Each web machine has two or more registered system administrators. | Recommended
F13 | Database services (MySQL, mSQL, Oracle, Postgres, ...) | Should not be on the same machine as web services. The database should only talk to needed hosts. | On the same machine as web services with outside access cut off. Only localhost can talk to the database. | Minimum
F14 | Product security notification (being on the notification lists of the place you obtain your software from). Example: for SLF Linux this would be the SciLinux errata list, not the Red Hat list. | Primary and secondary webmasters are on the available mailing lists for security announcements for products/applications on their web server. | Web administrators are on the available mailing lists for security announcements for products/applications on the web server. | Recommended, for centrally supported products such as Apache and PHP. Web authors are responsible for any additional products/applications they install.
F15 | Documented procedures | The system has a documented backup procedure for content and system files. | The system has a documented backup procedure for system files and web content files. The system has a contingency plan. | Minimum
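Items F5a and F5b call for notification of changes to the web machine's file system and configuration, via Tripwire, MD5 or AIDE, with the baseline database kept separate from the system. The following is an added example, not FNAL's tooling and not any of those products: a minimal baseline-and-compare script that digests every regular file under the monitored roots, writes the baseline outside the monitored tree, and reports added, removed and modified files on the next run. All names are hypothetical, and SHA-256 is used in place of MD5 because MD5 is no longer collision resistant (that substitution is this example's choice, not the baseline's).

```python
"""Change notification for a web host's file system and configuration (F5a/F5b).

Added example, not FNAL's own tooling: a minimal baseline-and-compare
check in the spirit of the Tripwire / MD5 / AIDE options in the table.
It digests every regular file under the monitored roots, stores the
baseline outside the monitored tree (the table's "database separate
from system"), and reports added, removed and modified files on the
next run. Names are hypothetical; SHA-256 replaces MD5 because MD5 is
no longer collision resistant (this example's choice, not the page's).
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, algo: str = "sha256") -> str:
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(roots, algo: str = "sha256") -> dict:
    """Map each regular file under roots to digest, permission bits and size."""
    baseline = {}
    for root in roots:
        for path in sorted(Path(root).rglob("*")):
            if path.is_symlink() or not path.is_file():
                continue  # symlinks and directories are not hashed
            st = path.stat()
            baseline[str(path)] = {
                "digest": hash_file(path, algo),
                "mode": oct(st.st_mode & 0o7777),  # permission and setuid/setgid bits
                "size": st.st_size,
            }
    return baseline


def save_baseline(baseline: dict, db_path) -> None:
    # In practice db_path lives off-host or on read-only media (F5 "database separate from system")
    Path(db_path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(db_path) -> dict:
    return json.loads(Path(db_path).read_text())


def compare(old: dict, new: dict) -> dict:
    """Classify differences between a stored baseline and a fresh one."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def check(roots, db_path, algo: str = "sha256") -> dict:
    """Re-hash roots and diff against the stored baseline."""
    return compare(load_baseline(db_path), build_baseline(roots, algo))


def demo() -> dict:
    """Constructed sandbox: baseline a fake web tree, change it, report the diff."""
    web_root = Path(tempfile.mkdtemp(prefix="htdocs-"))
    db = Path(tempfile.mkdtemp(prefix="integrity-db-")) / "baseline.json"  # separate tree
    (web_root / "conf").mkdir()
    (web_root / "conf" / "httpd.conf").write_text("ServerName www.example.org\n")
    (web_root / "index.html").write_text("<h1>hello</h1>\n")
    (web_root / "old.html").write_text("stale page\n")
    save_baseline(build_baseline([web_root]), db)
    # Changes the next run should notice: edited config, new file, deleted file
    (web_root / "conf" / "httpd.conf").write_text("ServerName www.example.org\nInclude extra.conf\n")
    (web_root / "new.cgi").write_text("#!/bin/sh\necho ok\n")
    (web_root / "old.html").unlink()
    diff = check([web_root], db)
    return {k: [Path(p).relative_to(web_root).as_posix() for p in v] for k, v in diff.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it from cron against the document root and the Apache configuration directory, with the baseline file on a host or medium the web server cannot write to; a result with any non-empty list is the notification the table asks for.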
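Item F3 requires every publicly accessible Apache server to forward its access and error logs through syslog, and item F13 requires a co-located database to be reachable only from localhost. The script below is an added example, not FNAL's code, that checks both against constructed httpd.conf and my.cnf snippets. Apache logs count as forwarded when ErrorLog targets syslog or when CustomLog/TransferLog pipes to logger(1); the local6 facility and the httpd tag are constructed choices. MySQL counts as localhost-only when [mysqld] sets skip-networking or binds a loopback address. Per-VirtualHost scoping is ignored to keep the parser short, which is an assumption of this example.

```python
"""Compliance checks for the logging (F3) and database (F13) items.

Added example, not FNAL's own code: two small config checks over
constructed httpd.conf and my.cnf snippets. The facility (local6),
the logger tag and all file paths are constructed; per-<VirtualHost>
scoping is ignored (an assumption that keeps the parser short).
"""
import configparser
import shlex

ACCESS_DIRECTIVES = {"customlog", "transferlog"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _is_syslog_target(target: str) -> bool:
    """'syslog' / 'syslog:facility', or a pipe to logger(1)."""
    t = target.strip()
    return t.lower().startswith("syslog") or (t.startswith("|") and "logger" in t)


def apache_log_status(conf_text: str) -> dict:
    """Summarise where access and error logs go.

    Returns forwarded flags plus the plain-file targets found, so a reviewer
    can confirm a local copy exists alongside the forwarded one ("local and
    forwarded" in the table).
    """
    status = {"access_log_forwarded": False, "error_log_forwarded": False, "local_log_targets": []}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)
        except ValueError:  # unbalanced quotes: not a directive we can read
            continue
        if len(parts) < 2:
            continue
        name, target = parts[0].lower(), parts[1]
        if name == "errorlog":
            if _is_syslog_target(target):
                status["error_log_forwarded"] = True
            else:
                status["local_log_targets"].append(target)
        elif name in ACCESS_DIRECTIVES:
            if _is_syslog_target(target):
                status["access_log_forwarded"] = True
            else:
                status["local_log_targets"].append(target)
    return status


def mysql_local_only(my_cnf_text: str) -> bool:
    """True if [mysqld] disables TCP listening or binds only to loopback."""
    # Drop !include / !includedir lines, which configparser cannot read
    text = "\n".join(l for l in my_cnf_text.splitlines() if not l.lstrip().startswith("!"))
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        return False
    sec = cp["mysqld"]
    if "skip-networking" in sec or "skip_networking" in sec:
        return True
    bind = sec.get("bind-address") or sec.get("bind_address")
    return bind is not None and bind.strip() in LOOPBACK


def check_web_host(httpd_conf: str, my_cnf: str) -> dict:
    result = apache_log_status(httpd_conf)
    result["db_local_only"] = mysql_local_only(my_cnf)
    return result


# Constructed samples: a non-compliant pair and a compliant pair
WEAK_HTTPD_CONF = """\
ServerName www.example.org
LogFormat "%h %l %u %t \\"%r\\" %>s %b" common
ErrorLog logs/error_log
CustomLog logs/access_log common
"""
HARDENED_HTTPD_CONF = """\
ServerName www.example.org
LogFormat "%h %l %u %t \\"%r\\" %>s %b" common
# error log to the local syslog daemon, which keeps the local copy and forwards it
ErrorLog syslog:local6
# access log piped to logger(1); local6 is a constructed facility choice
CustomLog "|/usr/bin/logger -t httpd -p local6.info" common
"""
WEAK_MY_CNF = """\
[mysqld]
datadir=/var/lib/mysql
bind-address = 0.0.0.0
"""
HARDENED_MY_CNF = """\
[mysqld]
datadir=/var/lib/mysql
bind-address = 127.0.0.1
skip-networking
"""

if __name__ == "__main__":
    for label, h, m in (("weak", WEAK_HTTPD_CONF, WEAK_MY_CNF),
                        ("hardened", HARDENED_HTTPD_CONF, HARDENED_MY_CNF)):
        print(label, check_web_host(h, m))
```

A file target reported in local_log_targets is not by itself a failure, since the table wants logs both local and forwarded; the failure is a forwarded flag that stays False. The 30- or 90-day retention in F3 is enforced on the logging service side and is not checked here.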