Compliance, vuln assessment, security policies and the like?

[On behalf of Kevin M. Gallagher]

I just had a simple question about whether any of the news organizations, or anyone on your team, had been asked if you are compliant with any standards. There’s a whole bunch, of course… FIPS, SOC, PCI, FedRAMP, and on and on. I’d imagine some of these standards might apply to some of the larger media organizations you work with if they are engaged in certain activity (like holding onto PII, especially)… and so their IT department might eventually want SecureDrop servers to be certified like the rest of their stuff at some point and I won’t be surprised if you’re asked about it soon or have been already. I suppose it depends on how they manage hosting and what their business involves whether it would ever become an issue. I don’t know how much news org IT/sec departments even need to think about such stuff. Maybe even very little.

And ironically, I can imagine there being some ridiculous standards that would go directly against the model and security culture of SecureDrop and protecting source metadata… You know, stuff like, “you must keep audit logs for 12 months or more”…

But anyway, if it does arise, there’s stuff like:

Those I already knew about off the top of my head, even without having any experience with them; one of those I’m sure we mentioned way back when James was around… Just googling around, cve-search is another tool that looks cool.

If you were to be subject to any such standards imposed from without, then I think the bundled osquery packs would probably get you the most bang for your buck.

If containers ever come into the picture, then CoreOS Clair is really cool… Jessie Frazelle has a demo of it up at https://r.j3ss.co/… just click on the container in the list and you’re shown how many vulnerable packages are in it :+1:
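To make the osquery suggestion above concrete, here is an added example of a small osquery query pack of the kind an IT department could point to when asked about inventory and change-tracking controls. It is not part of the original post and not SecureDrop's own configuration; the pack name, query names and intervals are assumptions, and the tables used (`deb_packages`, `listening_ports`, `processes`, `users`) are standard osquery tables on Linux.

```json
{
  "platform": "linux",
  "queries": {
    "installed_deb_packages": {
      "query": "SELECT name, version, arch, source FROM deb_packages;",
      "interval": 86400,
      "snapshot": true,
      "description": "Daily snapshot of installed packages; feeds a vulnerability scanner such as cve-search. (assumed pack content)"
    },
    "listening_ports": {
      "query": "SELECT p.pid, p.name, lp.port, lp.protocol, lp.address FROM listening_ports lp JOIN processes p USING (pid) WHERE lp.port != 0;",
      "interval": 3600,
      "description": "Hourly diff of listening sockets; a new port appearing is worth an alert."
    },
    "login_capable_users": {
      "query": "SELECT username, uid, shell FROM users WHERE shell NOT LIKE '%nologin' AND shell NOT LIKE '%false';",
      "interval": 3600,
      "description": "Hourly diff of accounts that can log in; auditors usually ask for this list."
    }
  }
}
```

A pack like this is referenced from the `packs` section of osquery.conf and its results go to whatever logger plugin is configured. The queries are diff-style except the package inventory, which is a snapshot so a scanner always sees the full list; note that this is exactly the sort of log that collides with the metadata-minimisation concern raised earlier, so retention of the results is the setting to think about before enabling it.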