2012-11-24

Fedora Infrastructure Security FAD: Day -2

From Monday evening until Thursday morning, various system administrators will be meeting in Raleigh, North Carolina for a Fedora Activity Day (FAD). We will be discussing and working on improving the security of Fedora's Infrastructure to bring in various two-factor security methods via Yubikeys and Google Authentication. Many of the parts have been worked on in the past, but getting all the people in the same place to focus on them took a lot longer than expected :). Most people will be travelling to North Carolina by plane on Monday, but I decided to come in early and spend the weekend with my parents in South Carolina. Then on Monday I will drive up and pick up people from the airport and get them to the hotel and such.

My original goal was to use my parents' truck and put people in the back, but the laws have changed and system administrators are no longer classified as cattle. So I have had to borrow a different car and people will just have to get in the trunk :). After I get them to the hotel, we will all check in and do an evening get-together of what our goals for Tuesday are and anything that is thought hackable starting off.

While I won't be working on the Fedora Account System (FAS) integration of two-factor, I will be working on mapping our security controls with the top 20 Critical Controls and the Top 35 Mitigation Strategies. These aren't much different from other security documents, but I decided to pick something and SANS looked like a good place (and going through the 400+ pages of NIST documents usually makes people insane). This will basically be a goal of just pointing out our good practices, figuring out what we might want to check, and where we could improve in a way that outsiders can compare with their own tools (if they use those security documents and not one of the myriad other ones). [This isn't about locking down a system but more about how to protect as much as usable and deal with the eventual break-ins and problems that occur.]

I also plan to finish off a talk on what changes in Password Security over the last 3 years have "bought" us as an organization. I want to have this as a finished talk at FUDcon as this all started from FUDcon Phoenix.

Anyway, happy hacking.
