Howto::High Risk: Difference between revisions
Latest revision as of 12:37, 15 July 2022
Introduction
Virginia Tech considers your machine high risk if you store any of the following information on the machine:
- Student records (grades with names)
- Social security numbers
- Credit or debit card numbers
- Financial account numbers
- Medical information
- Passport or visa numbers
- Driver's license numbers
- Export controlled information
Required minimum standards
If your machine is considered high risk, then VT requires the machine to meet a minimum security standard. This standard is constantly evolving. The department offers some services to help meet this standard, such as backup services, monitoring services, and help connecting to VT's central logging service. See the minimum standards for the most up to date information: https://it.vt.edu/content/dam/it_vt_edu/policies/Minimum-Security-Standards.pdf
Backups
The department offers a daily backup solution. Contact Techstaff to get a backup created and for help setting up the backup. If the backup is going to include high risk data, then please make sure you tell us! The default backup solution does not support encryption and does not meet the high risk standard.
Monitoring
We recommend using a product called Wazuh to monitor your machine. The techstaff is looking into offering Wazuh monitoring as a service.
Central Logging
Sending the machine logs to a central service is required for high risk machines. Virginia Tech offers a central logging service. Contact Techstaff to get help setting this up. Here are some brief instructions to get started in Linux:
- Install the "journalbeat" package. Some instructions are available here: https://www.elastic.co/guide/en/beats/journalbeat/current/journalbeat-installation-configuration.html
- Copy the VT InCommon TLS chain file to the machine, at the path the configuration below expects (/etc/journalbeat/certs/incommon_tls_chain.pem): https://people.cs.vt.edu/carnold/incommon_tls_chain.pem
- Configure journalbeat. To get access to the logs, we will need to request that a new index is created for you. If you don't need access to the logs, you can use the index vt_cos-cs, which gives Techstaff-only access.
- Sample journalbeat configuration:

###################### Journalbeat Configuration Example #########################
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/journalbeat/index.html
journalbeat.inputs:
  - paths: []
fields:
  index: "vt_cos-cs"
  tier: "prod"
  service_id: "edu.vt.cs"
  group: "laa.cs.techstaff"
  name: "my-hostname"
  type: "journalbeat"
output.logstash.hosts:
  - "log-1.it.vt.edu:5045"
  - "log-2.it.vt.edu:5045"
  - "log-3.it.vt.edu:5045"
output.logstash.ssl.certificate_authorities: ["/etc/journalbeat/certs/incommon_tls_chain.pem"]
processors:
  - add_host_metadata:
      netinfo.enabled: true
      cache.ttl: 5m
  - add_locale:
      format: offset
logging.level: info
logging.selectors: ["*"]
logging.to_files: false

- Some customization of the configuration might be needed based on the OS (at minimum, set fields.name to the machine's hostname; if Techstaff created an index for you, use it in fields.index)
- Start the service:
sudo systemctl enable --now journalbeat.service
- Test your configuration by running
sudo journalbeat test output
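The steps above, as one script. This is an added example, not code from the wiki page or from VT IT: it renders the sample configuration with the per-machine values filled in, sanity-checks the result (every collector on port 5045, a TLS CA chain actually present, fields.index set, fields.name no longer the sample's placeholder), and then runs journalbeat's own config and output tests before enabling the service. The config path /etc/journalbeat/journalbeat.yml, the default index vt_cos-cs and the placeholder check on fields.name are assumptions; the CA path and collector hosts are the ones from the sample configuration.

```shell
#!/bin/sh
# Added example (not from the wiki page): render, check and deploy the
# journalbeat configuration for VT central logging. POSIX sh + awk only.
set -eu

CONF="${JOURNALBEAT_CONF:-/etc/journalbeat/journalbeat.yml}"          # assumed path
CA_FILE="${JOURNALBEAT_CA:-/etc/journalbeat/certs/incommon_tls_chain.pem}"
INDEX="${JOURNALBEAT_INDEX:-vt_cos-cs}"                               # Techstaff-only index

# Emit the sample configuration with the per-machine values filled in.
render_config() { # render_config <fields.name> <fields.index> <ca-pem-path>
  cat <<EOF
journalbeat.inputs:
  - paths: []
fields:
  index: "$2"
  tier: "prod"
  service_id: "edu.vt.cs"
  group: "laa.cs.techstaff"
  name: "$1"
  type: "journalbeat"
output.logstash.hosts:
  - "log-1.it.vt.edu:5045"
  - "log-2.it.vt.edu:5045"
  - "log-3.it.vt.edu:5045"
output.logstash.ssl.certificate_authorities: ["$3"]
processors:
  - add_host_metadata:
      netinfo.enabled: true
      cache.ttl: 5m
  - add_locale:
      format: offset
logging.level: info
logging.selectors: ["*"]
logging.to_files: false
EOF
}

# Hosts under output.logstash.hosts, one per line, quotes stripped.
logstash_hosts() { # logstash_hosts <conf>
  awk '/^output\.logstash\.hosts:/ {f=1; next}
       f && /^[ \t]*-/ {sub(/^[ \t]*-[ \t]*/, ""); gsub(/"/, ""); print; next}
       f {exit}' "$1"
}

# First quoted path in the certificate_authorities list (empty if unset).
ca_path() { # ca_path <conf>
  awk -F'"' '/^output\.logstash\.ssl\.certificate_authorities:/ {print $2; exit}' "$1"
}

# Value of one key inside the top-level fields: block.
field_value() { # field_value <conf> <key>
  awk -v key="$2" '/^fields:/ {f=1; next}
                   f && /^[^ \t]/ {f=0}
                   f && $1 == (key ":") {gsub(/"/, "", $2); print $2; exit}' "$1"
}

# 0 if the config ships logs over TLS to the VT collectors with the required
# routing fields; 1 (reasons on stderr) otherwise. Shape check only: the real
# connection test is "journalbeat test output".
check_config() { # check_config <conf>
  local conf="$1" ok=0 hosts h ca name
  hosts=$(logstash_hosts "$conf")
  [ -n "$hosts" ] || { echo "no output.logstash.hosts configured" >&2; ok=1; }
  for h in $hosts; do
    case "$h" in
      *.it.vt.edu:5045) ;;
      *) echo "unexpected logstash host: $h" >&2; ok=1 ;;
    esac
  done
  ca=$(ca_path "$conf")
  if [ -z "$ca" ]; then
    echo "no certificate_authorities: collectors would not be verified" >&2; ok=1
  elif ! grep -q 'BEGIN CERTIFICATE' "$ca" 2>/dev/null; then
    echo "CA chain missing or not PEM: $ca" >&2; ok=1
  fi
  [ -n "$(field_value "$conf" index)" ] || { echo "fields.index not set" >&2; ok=1; }
  name=$(field_value "$conf" name)
  if [ -z "$name" ] || [ "$name" = "my-hostname" ]; then   # placeholder check (assumption)
    echo "fields.name is still the sample placeholder" >&2; ok=1
  fi
  # Catch a misspelled cache.ttl, which would not configure the cache as intended.
  ! grep -q 'cace\.ttl' "$conf" || { echo "typo: cace.ttl should be cache.ttl" >&2; ok=1; }
  return $ok
}

# The page's steps in order; run as root on the monitored machine.
deploy() { # deploy <fields.name> [downloaded incommon_tls_chain.pem]
  install -d -m 0755 "$(dirname "$CA_FILE")"
  install -m 0644 "${2:-incommon_tls_chain.pem}" "$CA_FILE"
  render_config "$1" "$INDEX" "$CA_FILE" > "$CONF"
  check_config "$CONF"
  journalbeat test config -c "$CONF"
  journalbeat test output -c "$CONF"
  systemctl enable --now journalbeat.service
}

# Only acts when invoked as: sh journalbeat-setup.sh deploy [fields.name] [chain.pem]
if [ "${1:-}" = "deploy" ]; then
  shift
  deploy "${1:-$(hostname)}" "${2:-}"
fi
```

Run it as root with the downloaded chain in the working directory: sh journalbeat-setup.sh deploy "$(hostname -f)" ./incommon_tls_chain.pem. JOURNALBEAT_INDEX overrides the index if Techstaff has created one for you. check_config only looks at the file's shape; the "journalbeat test output" step is what proves that the TLS handshake with the collectors succeeds against the InCommon chain.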