LinuxQuestions.org

Thread: Slackware and ISO27001 (https://www.linuxquestions.org/questions/slackware-14/slackware-and-iso27001-4175696604/)

andrixnet 06-18-2021 03:14 AM

Slackware and ISO27001
 
I have recently encountered the following problem ... a hosting company offering VPS turned off virtual servers running Slackware and refused to turn them back on, citing changes in their ToS requiring something like only ISO27001-certified operating systems be installed as guest OS on their hardware.
And claiming that Slackware as an operating system had no such certification.
AFAIK this was not a singular case...
  1. Is Slackware (14.2) ISO27001 certified? (I couldn't find any info on this.)
  2. Will the upcoming 15 release be?
Assuming NO to both questions above, what can one do as a deployer of a Slackware-based server faced with such demands from hosting companies (AFAIK it's becoming a trend, thus ever-decreasing hosting options)? Does such certification rest with the distributor (Slackware Linux Inc), with the user/deployer, or is it something of a joint thing? (IDK)

GazL 06-18-2021 04:04 AM

As I understand it, ISO27001 certification applies to organisations, not products: it's all about internal processes, policies and controls as much as anything else. Now, Red Hat may have gone to the trouble of getting themselves, as an organisation, ISO27001 certified, but that doesn't say anything about their product, which, let's face it, even if provided by a certified company, could be made insecure with a single config file change.

Having a list of 'sanctioned' distros in their ToS is one thing -- it's kind of silly for the reasons mentioned above, but it's understandable -- bringing ISO27001 into the picture is just silly. I'd go find a hosting company with a clue.

rkelsen 06-18-2021 04:11 AM

Yeah, seems like a lame excuse to me.

As above, vote with your wallet.

Didier Spaier 06-18-2021 05:17 AM

I am a happy Linode customer and they provide ready-made Qemu Slackware images.

Bindestreck 06-18-2021 05:36 AM

They don't have the competence to manage access control to their IT resources using Slackware as a distribution. It's not about Slackware, it's about their competence, really. Even if the Slackware corporation were ISO27001 certified, your hosting company would still not provide you with Slackware virtual servers.

philanc 06-18-2021 01:25 PM

Quote:

Originally Posted by andrixnet (Post 6260068)
(...) citing changes in their ToS requiring something like only ISO27001 certified operating systems be installed as GuestOS on their hardware.

Could you give us a link to their ToS (assuming they have an English version)? - just curious :-)

ttk 06-18-2021 06:58 PM

Yeah, what they said.

Reviewing ISO27001, it requires that compliant organizations have documented plans for assessing and responding to security risks.

It sounds like they can't be arsed to figure out how to secure or monitor Slackware VMs, which means they can't document doing it, which means they can't be ISO27001 compliant.

Ridding themselves of your Slackware VM eliminates this obstacle, at a fraction of the cost of learning Slackware security.

I suppose if someone (anyone) were to write up a sufficiently corporate-friendly document describing how to monitor and secure Slackware and make that document generally available, companies seeking ISO27001 compliance could drop it into their own documentation and call it done.

Most of that work is already done in http://slackbook.org/html/book.html#SECURITY I think. It needs something about security monitoring and someone presenting it as an ISO27001 compliance document.

Someone sanity-check me here, please. I feel like I might be missing something.
