To protect the University’s IT environment from malicious intrusion activities, a Server Compliance Project is set up to enforce compliance of all computer servers connected to the campus network to a set of security technical standards. The set of standards to be enforced are adopted from international security standards and practices. To enforce the standards, a piece of agent software will need to be installed on each campus server to carry out compliance assessment and detect security vulnerability on the server (the cost is HK$200 for each physical CPU core).
A server is defined as a computer system (hardware and software) that responds to requests across the network to provide, or help to provide, a network service. Examples of servers are web server, database server, print server, file server, email server, application server, DNS server, etc. All servers connected to HKU network are required to install the agent software. Its monitoring tool will start to check the system configuration according to the established HKU Server Compliance Baseline Policies. For newly applied computer servers, the system administrators will be asked to install the agent software on these servers upon the assignment of a fixed IP address by ITS.
A Compliance Management System is gathering information via the agent software on the status of compliance of the server and compliance reports are generated quarterly for departments to carry out remedial actions where necessary.
The Compliance Management System checks the compliance status of the computer servers. Departments have been kept informed of the status through quarterly reports sent to them since October 2014. The report consists two parts-
An overview report to show all servers monitor by the Compliance Management System and their compliance level. The compliance level is represented using percentage to indicate how well each server complies with the HKU Servers Baseline Policies. It is desirable to reach 100% and ITS is currently marking 50% as alarm level.
A detailed list of non-compliance items of all servers owned by a department. System Administrators are recommended to reconfigure their servers based on the suggested guidelines to rectify the non-compliance items.
The Compliance Management System will generate an annual report to each of the departments. The first annual report will be issued on December 2015. It contains an overview of-
The servers registered by a department.
The servers monitored by the Server Compliance System.
An overview of how well the servers comply with the HKU Server Compliance Baseline Policies.
Requirements for Servers to Connect to HKU Network
It is crucial to identify each servers running on HKU Network. The requirements to connect your server to HKU network are-
All servers must be registered under the Server Compliance Program.
All servers must install the agent software when appropriate ones is available (Please refer to the section "Page Related to This Service").
The installed agent software must be online.
The Compliance level of each server must not be lower than the alarm level for two consecutive Quarterly Reports (please refer to the alarm level in the Quarterly Reports section).
All servers must install OS that is supported by the service provider.
For security reasons, server’s IP will be blocked by ITS for the following situations-
Servers not registered under the Server Compliance Program.
Servers registered under the Server Compliance Program (and appropriate agent software are available to install) but not appearing in two consecutive Quarterly Reports.
Servers which compliance levels are lower than the alarm level for two consecutive Quarterly Reports.
System Administrators are responsible to justify the compliance level of the servers according to the HKU Server Baseline Policies if their servers are running OS which the Server Compliance Program does not provide an appropriate agent software for installation. Such servers are still required to be registered under the Server Compliance Program. In case the servers are being hacked, ITS will block them from access to the HKU Network immediately. In order for ITS to release the blocking, the servers must satisfy the requirements as described above.
HKU Server Compliance Baseline Policies
Baseline policies are hardening checklist formulated based on the Policy Statement and Checklists produced by DISA (Defense Information Systems Agency) (reference link http://www.stigviewer.com/check/). Our Baseline Policies are distilled from the DISA lists which only include the most critical items. These Policies are specific to individual operating systems and the currently available Policies are listed below-
HKU Server Compliance Baseline Policies for Microsoft Windows Platforms
(Supported Microsoft Windows Platforms include: Windows 7, Windows 8, Windows Server 2008 and Windows Server 2012.)
HKU Server Compliance Baseline Policies for Unix/Linux Platforms
(Supported Unix/Linux Platforms include: CentOS 6-7, RHEL 6-7, AIX 6-7, Solaris 10-11 and HP-UX 11.31)
ITS recommend departments to install OS which is supported by HKU Server Compliance Baseline Policies.
Download of agent software installation package-
- Windows platforms supported by HKU Server Compliance Baseline Policies:
- Unix/Linux platforms supported by HKU Server Compliance Baseline Policies
- IEM Agent Packages for RedHat/CentOS (6.x - 7.x, 64bits)
Other platforms with agent available but no HKU Server Compliance Baseline Policies:
For servers running the platforms below, there is agent software available for monitoring system patch level but the HKU Baseline Policy for these platforms is not available or under development. If there is any industry good practice policy available, we shall configure your system to check against such policy and generate report for your reference. For systems belonging to these platforms, software agent must still be installed but the overall department compliance statistics will exclude these systems.
(Currently, the software agent only covers the most commonly used operating systems. For servers running other operating systems, we will notify departments concerned once the agent software for those operating systems become available)