Security Compliance

In order to maintain our security posture we require Instances to meet the following compliance rules:

Compliance Rules

You must

• Update instances in line with our patching policy.

  • Patching policy of VM’s in openstack

• Send instance logs to the SCD central loggers

  • Rsyslog

• Leave Pakiti installed and configured for vulnerabilities in packages

  • Pakiti

• Have the Wazuh agent running and connected to the STFC Cloud Wazuh server

  • Wazuh

• Update the STFC Cloud Operations Team ssh keys as required

• Migrate or remove instances before communicated deadlines

• Ensure that someone in your project has access to each instance

• Ensure that instances within your project have someone who is responsible for them

• Ensure that a minimal set of security group rules is used

• Let us know if someone leaves or the membership of your project changes at cloud-support@stfc.ac.uk

• Comply with Organisational Information Security Policy particularly regarding the Roles and Responsibilities of System Administrators together with familiarising yourself with the supporting policy framework available at Science and Technology Facilities Council (STFC)  and Acceptable Use Policy | Jisc community  (or for STFC Staff at https://ukri.sharepoint.com/sites/thesource-stfc/SitePages/Information-Security-and-You.aspx Connect your OneDrive account )

• Respond to Security patching or other change notifications and instructions issued by the Cloud Operations Group within the timescales specified in the message.

• Report any suspected or actual security incident or other misuse of the VM immediately to cloud-support@stfc.ac.uk and must not attempt to remedy or investigate yourself.

• Ensure that all applicable license and terms and conditions of use are met.

• Ensure that any secrets (passwords, certificates, ssh keys, kerberos keys etc) are kept secret and apply and maintain appropriate protection to prevent exposure or misuse for all such credentials and NOT export private keys or take any other action which would prejudice credential re-use in future VM instances.

• Inform the STFC Cloud Operations Team immediately if you can no longer abide by the existing or updated Terms of Service at cloud-support@stfc.ac.uk

You must not

• Remove the access of the STFC Cloud Operations Team through any means

• Change the root password changed

• Disable the root or cloud (where present) user accounts

• Store data of a personal, confidential or sensitive nature within the service, which is provided for scientific use only.

• Use the service to store, process or manipulate any medical information or data.

• Use the service for illegal purposes.

• Infringe copyright material or other intellectual property rights.

• Undertake activities that may impact the performance of other projects and services using the STFC Cloud, such as running network sniffer tools

Maintaining Compliance

We reserve the right to take action to maintain compliance and security posture without prior notice. These actions include but are not limited to the following:

We will

• Regularly release compliant and updated images

• Provide an ansible playbook to set a security baseline

• Regularly scan our networks for vulnerabilities and misconfigurations

• Notify users about any vulnerabilities or security issues that we find and set deadlines for remediation

• Notify users about CVEs which affect our images via the mailing list

• Notify users about the end of life of images and flavors with appropriate deadlines

• Notify users about changes to this policy via the mailing list

• Take appropriate actions when responding to a security incident

• Shutdown or remove instances where a pre-agreed deadline has been missed and an exception has not been agreed

We will not

• Take or maintain backups

We can

• Disconnect the instance from the network

• Turn off and lock the instance

• Modify sudo permissions

• Disabling images

• Removing firewall holes

• Make changes to security groups

• Block access from particular user accounts

• Block access from particular IPs

• Log in to Instances to investigate issues

• Apply updated compliance tools

• Collect logs

  • Rsyslog

• Snapshot an instance for analysis purposes

• Add, remove or update packages

• Take action to reapply the security baseline

• Add monitoring to VMs for compliance or accounting purposes

  • Prometheus

Custom images

If you maintain your own custom images you can apply our current compliance posture to any Instance or while building an image by running the vm_baseline role from here: cloud-image-builders/os_builders at main · stfc/cloud-image-builders