Slackware: This forum is for the discussion of Slackware Linux.
I have recently encountered the following problem ... hosting company offering VPS turned off virtual servers running Slackware and refused to turn them back on citing changes in their ToS requiring something like only ISO27001 certified operating systems be installed as GuestOS on their hardware.
And claiming that Slackware as an operating system had no such certification.
AFAIK this was not a singular case...
Is Slackware (14.2) ISO27001 certified? (I couldn't find any info on this.)
Will the upcoming 15 release be?
Assuming NO to both questions above, what can one do as a deployer of a Slackware-based server faced with such demands from hosting companies (AFAIK it's becoming a trend - thus ever-decreasing hosting options) - does such certification rest with the distributor (Slackware Linux Inc) or with the user/deployer, or is it something of a joint thing? (IDK)
As I understand it, ISO27001 certification applies to organisations, not products: it's all about internal processes, policies and controls as much as anything else. Now, Red Hat may have gone to the trouble of getting themselves, as an organisation, ISO27001 certified, but that doesn't say anything about their product, which, let's face it, even if provided by a certified company, could be made insecure with a single config file change.
Having a list of 'sanctioned' distros in their ToS is one thing -- it's kind of silly for the reasons mentioned above, but it's understandable -- bringing ISO27001 into the picture is just silly. I'd go find a hosting company with a clue.
They don't have the competence to manage access control to their IT resources using Slackware as a distribution. It is not about Slackware, it is about their competence, really. Even if the Slackware corporation were ISO27001 certified, your hosting company would still not provide you with Slackware virtual servers.
Reviewing ISO27001, it requires that compliant organizations have documented plans for assessing and responding to security risks.
It sounds like they can't be arsed to figure out how to secure or monitor Slackware VMs, which means they can't document doing it, which means they can't be ISO27001 compliant.
Ridding themselves of your Slackware VM eliminates this obstacle, at a fraction of the cost of learning Slackware security.
I suppose if someone (anyone) were to write up a sufficiently corporate-friendly document describing how to monitor and secure Slackware and make that document generally available, companies seeking ISO27001 compliance could drop it into their own documentation and call it done.
Most of that work is already done in http://slackbook.org/html/book.html#SECURITY I think. It needs something about security monitoring and someone presenting it as an ISO27001 compliance document.
Someone sanity-check me here, please. I feel like I might be missing something.