Howto::High Risk

From Computer Science Wiki

Introduction

Virginia Tech considers your machine high risk if you store any of the following information on the machine:

  • Student records (grades with names)
  • Social security numbers
  • Credit or debit card numbers
  • Financial account numbers
  • Medical information
  • Passport or visa numbers
  • Driver's license numbers
  • Export controlled information

Required minimum standards

If your machine is considered high risk, then VT requires the machine to meet a minimum security standard. This standard is constantly evolving. The department offers some services to help meet this standard, such as backup services, monitoring services, and help connecting to VT's central logging service. See the minimum standards document for the most up-to-date information: https://it.vt.edu/content/dam/it_vt_edu/policies/Minimum-Security-Standards.pdf

Backups

The department offers a daily backup solution. Contact Techstaff to get a backup created and for help setting up the backup. If the backup is going to include high risk data, then please make sure you tell us! The default backup solution does not support encryption and does not meet the high risk standard.

Monitoring

We recommend using a product called Wazuh to monitor your machine. Techstaff is looking into offering Wazuh monitoring as a service.

Central Logging

Sending the machine's logs to a central service is required for high risk machines. Virginia Tech offers a central logging service. Contact Techstaff to get help setting this up. Here are some brief instructions to get started on Linux:

###################### Journalbeat Configuration Example #########################
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/journalbeat/index.html

journalbeat.inputs:
# An empty paths list reads the default local journal.
- paths: []
  # These fields tell VT's logging service which department and host the
  # events belong to. Replace "my-hostname" with this machine's hostname.
  fields:
    index: "vt_cos-cs"
    tier: "prod"
    service_id: "edu.vt.cs"
    group: "laa.cs.techstaff"
    name: "my-hostname"
    type: "journalbeat"

# VT's central Logstash receivers.
output.logstash.hosts:
  - "log-1.it.vt.edu:5045"
  - "log-2.it.vt.edu:5045"
  - "log-3.it.vt.edu:5045"

# CA chain used to verify the TLS certificate presented by the receivers.
output.logstash.ssl.certificate_authorities: ["/etc/journalbeat/certs/incommon_tls_chain.pem"]
processors:
  - add_host_metadata:
      netinfo.enabled: true
      cache.ttl: 5m
  - add_locale:
      format: offset
logging.level: info
logging.selectors: ["*"]
logging.to_files: false

  • Some customization of the configuration might be needed based on the OS
  • Start the service: sudo systemctl enable --now journalbeat.service
  • Test your configuration by running sudo journalbeat test output
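The steps above as a small script (an added example, not the wiki's or Techstaff's own tooling): it writes the configuration shown above with the placeholder hostname filled in, then checks that the fields VT's logging service keys on and the TLS CA setting are still present before you enable the service. The CA path and log hosts are assumed to be the ones in the wiki configuration.

```shell
#!/bin/sh
# Added example, not from the wiki: render the journalbeat config above with a
# real hostname and sanity-check the result before enabling the service.
# Assumed: the CA bundle path and log hosts are the ones the wiki config uses.
CA_FILE="/etc/journalbeat/certs/incommon_tls_chain.pem"

# render_config HOSTNAME OUTFILE: write the config with the hostname filled in.
render_config() {
  host="$1"; out="$2"
  cat > "$out" <<EOF
journalbeat.inputs:
- paths: []
  fields:
    index: "vt_cos-cs"
    tier: "prod"
    service_id: "edu.vt.cs"
    group: "laa.cs.techstaff"
    name: "${host}"
    type: "journalbeat"
output.logstash.hosts:
  - "log-1.it.vt.edu:5045"
  - "log-2.it.vt.edu:5045"
  - "log-3.it.vt.edu:5045"
output.logstash.ssl.certificate_authorities: ["${CA_FILE}"]
processors:
  - add_host_metadata:
      netinfo.enabled: true
      cache.ttl: 5m
  - add_locale:
      format: offset
logging.level: info
logging.to_files: false
EOF
}

# check_config FILE: succeed only if every field the VT service keys on is
# present, TLS verification is configured, and no placeholder hostname remains.
check_config() {
  f="$1"
  for key in 'index: "vt_cos-cs"' 'service_id: "edu.vt.cs"' \
             'log-1.it.vt.edu:5045' 'ssl.certificate_authorities'; do
    grep -qF -- "$key" "$f" || { echo "missing: $key" >&2; return 1; }
  done
  if grep -qF 'name: "my-hostname"' "$f"; then
    echo "placeholder hostname still present" >&2; return 1
  fi
  return 0
}
```

Typical use is `render_config "$(hostname -f)" /etc/journalbeat/journalbeat.yml && check_config /etc/journalbeat/journalbeat.yml`, followed by the `journalbeat test output` and `systemctl enable --now` steps above.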