<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7652.24">
<TITLE>Re: [CentOS] General questions about security</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<BR>
<P><FONT SIZE=2>Check to see if the town/county has any policies in place for computer systems and networks for public services and follow those guidelines.<BR>
<BR>
Otherwise look at surrounding public library systems to see if they have any you can adopt.<BR>
<BR>
For a LAMP setup your definitely going to want to use selinux to limit what each application can read and write to, and you should use audit too to set auditing on sensitive directories like, /etc, /bin, /lib, /sbin, /usr/bin, /usr/lib, /usr/sbin.<BR>
<BR>
You will probably want to use smartmon to monitor drive health and something else to monitor resource usage (drive space, memory, cpu, mysql db space) with email/sms alerts.<BR>
<BR>
-Ross<BR>
<BR>
<BR>
----- Original Message -----<BR>
From: centos-bounces@centos.org <centos-bounces@centos.org><BR>
To: CentOS mailing list <centos@centos.org><BR>
Sent: Fri Feb 01 06:47:36 2008<BR>
Subject: Re: [CentOS] General questions about security<BR>
<BR>
Les Bell a écrit :<BR>
<BR>
> Policy. It's a drag, writing policies, but without policies, you're in the<BR>
> "Ready! Fire! Aim!" school of security. The top tier of policy is the<BR>
> "Enterprise Security Policy", which establishes the security function,<BR>
> roles, responsibilities, budget, etc. It also gives the power to enforce<BR>
> penalties for breaches of policies. At the next tier, you have system- and<BR>
> issue-specific policies, such as the "Use of corporate email" policy, the<BR>
> "Inappropriate content in the workplace" policy. You may then move down to<BR>
> standards (platforms, SOE, etc.) and procedures (e.g. for provisioning user<BR>
> accounts, resetting passwords, etc.).<BR>
<BR>
<snip><BR>
<BR>
Thanks for your very detailed response. Though I can't help feeling a<BR>
bit like having asked for an identity photo... and getting a 10-foot oil<BR>
painting :oD<BR>
<BR>
Basically, all I'm concerned about security-wise is a modest<BR>
Apache/PHP/MySQL server running a single public library management<BR>
software, and interconnecting eleven (small) public libraries, with a<BR>
total of 60.000 database entries. No (very) big deal.<BR>
<BR>
The configuration is supposed to run on a dedicated server, so my<BR>
question will be more practical:<BR>
<BR>
- Is it worth the hassle to bother with SELinux?<BR>
<BR>
- Is the standard firewall configuration enough, or do I really have to<BR>
fine-tune the thing?<BR>
<BR>
- Basically, what auditing tools besides NMap can you recommend for such<BR>
a thing?<BR>
<BR>
cheers,<BR>
<BR>
Niki<BR>
_______________________________________________<BR>
CentOS mailing list<BR>
CentOS@centos.org<BR>
<A HREF="http://lists.centos.org/mailman/listinfo/centos">http://lists.centos.org/mailman/listinfo/centos</A><BR>
</FONT>
</P>
<P></P>
<HR WIDTH="100%">
This e-mail, and any attachments thereto, is intended only for use by
the addressee(s) named herein and may contain legally privileged
and/or confidential information. If you are not the intended recipient
of this e-mail, you are hereby notified that any dissemination,
distribution or copying of this e-mail, and any attachments thereto,
is strictly prohibited. If you have received this e-mail in error,
please immediately notify the sender and permanently delete the
original and any copy or printout thereof.
</BODY>
</HTML>