[Security_sig] CGL 3.0 security questionnaire

Cihula, Joseph joseph.cihula at intel.com
Wed Sep 29 13:52:42 PDT 2004


Since we're not getting any NEP or TEM feedback on our security spec
from security-sig or the cgl_specs mail lists, I think that we might
have better luck with a short survey posted to cgl_discussion mail list.
Of course, it would also be beneficial if each of us could take the
survey to any NEP or TEM customers that we may have a chance to share it
with.

I've tried to capture our outstanding questions in a form that is
concise and easy to answer.  I've also added some questions that I think
will help us.  Below is a first attempt at this.  I'm hoping that we can
iterate to an agreed set of questions and wording in a week or so.

NEP or TEM,

The CGL 3.0 security specifications team would like to collect some
information regarding the security models in use at your company.
<there should be some indication of what the systems are that we're
interested in so that this isn't misconstrued as wanting to collect
IT-type info (this will set the context for the questions below)--I'm
not sure how to phrase this, though>  This information will help us to
set a proper baseline for the specification.

If you are not the right person to answer these questions can you please
take them to the appropriate person in your company and forward the
response to this list or to the following individuals (<joe and Ge'
email addresses?>).  Your help is greatly appreciated and will contribute
to a specification that meets your needs.

1.  Do non-administrative users have access to the systems?
	If so:
		What functions do they typically perform and/or what
		applications are they using?
		Are these system-level accounts or do these users only
		access the system through applications with their own
		access control mechanisms?
	If not:
		How many classes/groups of administrators with different
		privileges do you typically have?
2.  Where are these systems in the network topology?  Are they edge
systems, in DMZs, internal, etc.?  If they are placed in multiple
locations then please indicate all that apply.
3.  Do you manage these systems through a dedicated management network
(which may have remote connectivity)?
4.  What security-related packages do you typically add to your
distribution?
5.  How do you ensure system integrity (HIDS, module checksums,
chroot/jails, virtualization, etc.)?

Joe

