Security Compliance
In order to maintain our security posture we require Instances to meet the following compliance rules:
Compliance Rules
You must
Update instances in line with our patching policy.
Send instance logs to the SCD central loggers
Leave Pakiti installed and configured for vulnerabilities in packages
Have the Wazuh agent running and connected to the STFC Cloud Wazuh server
Update the STFC Cloud Operations Team ssh keys as required
Migrate or remove instances before communicated deadlines
Ensure that someone in your project has access to each instance
Ensure that instances within your project have someone who is responsible for them
Ensure that a minimal set of security group rules is used
Let us know if someone leaves or the membership of your project changes at cloud-support@stfc.ac.uk
Comply with Organisational Information Security Policy particularly regarding the Roles and Responsibilities of System Administrators together with familiarising yourself with the supporting policy framework available at Science and Technology Facilities Council (STFC) and Acceptable Use Policy | Jisc community (or for STFC Staff at https://ukri.sharepoint.com/sites/thesource-stfc/SitePages/Information-Security-and-You.aspx Connect your OneDrive account )
Respond to Security patching or other change notifications and instructions issued by the Cloud Operations Group within the timescales specified in the message.
Report any suspected or actual security incident or other misuse of the VM immediately to cloud-support@stfc.ac.uk and must not attempt to remedy or investigate yourself.
Ensure that all applicable license and terms and conditions of use are met.
Ensure that any secrets (passwords, certificates, ssh keys, kerberos keys etc) are kept secret and apply and maintain appropriate protection to prevent exposure or misuse for all such credentials and NOT export private keys or take any other action which would prejudice credential re-use in future VM instances.
Inform the STFC Cloud Operations Team immediately if you can no longer abide by the existing or updated Terms of Service at cloud-support@stfc.ac.uk
You must not
Remove the access of the STFC Cloud Operations Team through any means
Change the root password changed
Disable the root or cloud (where present) user accounts
Store data of a personal, confidential or sensitive nature within the service, which is provided for scientific use only.
Use the service to store, process or manipulate any medical information or data.
Use the service for illegal purposes.
Infringe copyright material or other intellectual property rights.
Undertake activities that may impact the performance of other projects and services using the STFC Cloud, such as running network sniffer tools
Maintaining Compliance
We reserve the right to take action to maintain compliance and security posture without prior notice. These actions include but are not limited to the following:
We will
Regularly release compliant and updated images
Provide an ansible playbook to set a security baseline
Regularly scan our networks for vulnerabilities and misconfigurations
Notify users about any vulnerabilities or security issues that we find and set deadlines for remediation
Notify users about CVEs which affect our images via the mailing list
Notify users about the end of life of images and flavors with appropriate deadlines
Notify users about changes to this policy via the mailing list
Take appropriate actions when responding to a security incident
Shutdown or remove instances where a pre-agreed deadline has been missed and an exception has not been agreed
We will not
Take or maintain backups
We can
Disconnect the instance from the network
Turn off and lock the instance
Modify sudo permissions
Disabling images
Removing firewall holes
Make changes to security groups
Block access from particular user accounts
Block access from particular IPs
Log in to Instances to investigate issues
Apply updated compliance tools
Collect logs
Snapshot an instance for analysis purposes
Add, remove or update packages
Take action to reapply the security baseline
Add monitoring to VMs for compliance or accounting purposes
Custom images
If you maintain your own custom images you can apply our current compliance posture to any Instance or while building an image by running the vm_baseline
role from here: cloud-image-builders/os_builders at main · stfc/cloud-image-builders