Deployment

...

Diagram - Single Environment

...

...

RAM (GB)

...

         web   db   geo   total
DEV        3    4     5      12
QA         4    6     8      18
PROD       4    6     8      18
TOTAL                        48

...

DISK

...

         web      db       geo       total
DEV      1        1        1         3
QA       8 GB     8 GB     8 GB      24 GB
PROD     10 GB    20 GB    200 GB    230 GB

...

We're planning to use VMware vSphere Essentials Kits to manage the VMs. Setting up the Essentials Kits on all VMs will be Carinet's responsibility; SFGov should be able to connect to the VMs remotely via the vSphere Client.

Carinet Responsibilities

  • Provision hardware
  • Provide 3 VMs
  • VMware version 4.1
  • install CentOS 5 64-bit on each VM
  • install package manager (yum or apt-get)

All other software will be installed by city employees.

Security

We assume the following.

  • The data center is physically secure.
  • The VMware installation has the latest kernel updates/patches.

Please let us know if any of these assumptions is incorrect.

...

SELinux

...

Do not enable SELinux.

...

SSH Access

...

All VMs shall be accessible via SSH.
The city will provide public keys for those who will have Linux root access.

...

Services

...

All services shall be disabled unless otherwise requested.
Specifically, the following shall be disabled

...

  • outgoing mail
  • SSH
  • firewall (see below)

...

Firewall Configuration

...

Allow access to the web server VM from

...

  • ssh
  • port 5432 from web server
  • port 5432 from geo server

...

TCP Wrapper Configuration

...

Can we restrict port level access?

...

Is there anything we missed?
Any changes that you recommend?

SFGov Responsibilities

...

Install application software including the following.

...

You (city employees) will need to see the EAS SVN readme for all the excruciating details.

...

  • set up Nagios
    • what version?
    • monitor and notify for the following
      • disk space
      • what else?

...

Linux admin

...

  • set up appropriate new Linux users
    • password and access security
    • use of public/private keys
  • limit root access
  • use sudo as needed
  • provide file system security
    • umask settings
    • setting up appropriate file permissions

Tests

Test the following application/server connection pairs via SSH tunnel

...