User:Gdestuynder/Services checklist

From MozillaWiki

NOT READY

The goal of this document is to help you figure out what the baseline requirements are when operating Mozilla services.

The Enterprise Information Security team maintains this document as a reference guide for operational teams.

Updates to this page should be submitted to the source repository on GitHub. Changes are detailed in the commit history.


Services Check-list

This is a baseline to be met or exceeded by all services.

Each row lists the requirement (What to do / What not to do) followed by Examples, where the original table gives any.

Limit service exposure
    What to do / What not to do: List all services presented to the Internet and the internal network, with a rationale and scope of access. Set up host firewalls on all systems with default inbound deny. Do not use network access controls for authentication.
    Examples: SSH is used for administrative troubleshooting and is accessible only from the bastion hosts; the host firewall allows inbound SSH only from the bastion hosts. HTTPS is the service's user interface and is publicly available.

Limit privileges
    What to do / What not to do: List all users with administrative privileges, with a rationale for access. Use role-based access control. Expire privileges automatically when the access is no longer in use.

Patches and updates
    What to do / What not to do: Patch and update systems, libraries, Docker images, etc. regularly.
    Examples: Systems go offline every Tuesday at 6AM UTC for 1H for updates. For HA systems there is no downtime; for non-HA systems the service is unavailable and shows an error message.

Meet web standards
    What to do / What not to do: On all HTTP/HTTPS interfaces, get a B or higher grade when scanning with https://observatory.mozilla.org/
    Examples: https://observatory.mozilla.org/analyze.html?host=www.mozilla.org

Encrypt data at rest
    What to do / What not to do: All non-public data for the service (credentials, user data, etc.) should be encrypted at rest, unless technically infeasible (e.g. credentials needed for the service to run). See also https://wiki.mozilla.org/Security/Data_Classification
    Examples: Credential backups are classified as WORKGROUP CONFIDENTIAL and are encrypted using GnuPG before being backed up.

Encrypt data in transit
    What to do / What not to do: Any data exchanged between systems over the network should be exchanged over an encrypted channel, regardless of the network configuration or location.
    Examples: Use HTTPS, SCP, etc.

Logging and auditing
    What to do / What not to do: Audisp-json must be running on all Linux systems. Mig must be running on all systems. Systems' syslog must send logs to a centralized server. Service security events must be sent to MozDef.

Inventory: Know thy system
    What to do / What not to do: All services must have an RRA. All systems must be inventoried in the CMDB. All statically allocated IP addresses must be inventoried in the CMDB. All cloud accounts (e.g. AWS) must be mapped to services in the CMDB.

Authentication
    What to do / What not to do: Use Mozilla IAM for all authentication unless not technically feasible. No direct handling of LDAP user credentials by applications. No authentication without 2FA. Network identity is not authentication (i.e. having a certain IP address assigned may never be used as authentication; see also https://research.google.com/pubs/pub44860.html ).
    Examples: The service authentication is handled by Mozilla IAM, which also provides 2FA. In order to troubleshoot the system, the admin must authenticate via SSH+2FA as well. There is no direct service access from the office network or from within the SCL3 data center.
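As an added example that is not part of this wiki page, the following POSIX shell script emits an nftables ruleset implementing the "Limit service exposure" row: default inbound deny, SSH accepted only from the bastion hosts, HTTPS open to everyone. The bastion addresses are constructed placeholders; the real bastion IPs would be substituted.

```shell
#!/bin/sh
# Added example (not from the wiki page): host firewall with default inbound
# deny, SSH only from the bastion hosts, HTTPS publicly reachable.
set -eu

# generate_ruleset BASTION_IPV4... -> prints a complete nft ruleset to stdout.
generate_ruleset() {
    bastions=$(printf '%s, ' "$@")
    bastions=${bastions%, }      # drop the trailing separator
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # keep established sessions and loopback traffic working
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # ICMP/ICMPv6 are needed for path MTU and neighbour discovery
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # SSH: administrative troubleshooting, bastion hosts only
        ip saddr { $bastions } tcp dport 22 ct state new accept
        # HTTPS: the service's user interface, publicly available
        tcp dport 443 ct state new accept
        # everything else hits the default deny; log and count it
        log prefix "inbound-drop: " counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Constructed placeholder bastion addresses (TEST-NET-1 range).
BASTIONS="192.0.2.10 192.0.2.11"

# Usage: ./host-firewall.sh          -> print the ruleset for review
#        ./host-firewall.sh --apply  -> load it with nft (requires root)
if [ "${1:-}" = "--apply" ]; then
    generate_ruleset $BASTIONS | nft -f -
else
    generate_ruleset $BASTIONS
fi
```

Review the printed ruleset before applying it; the bastion list is the only site-specific input.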

References & prior work