OIT Enterprise Server Baseline Standards and Checklist for Operating System¶

This document describes the baseline system standards that conform to the UC IS-3 IT Security Policy, for Windows and Unix enterprise servers run in OIT.

Definitions¶

• An enterprise server is a computer containing programs that serve more than one department.
• A mission critical system is any computer that runs software that is critical to university business, critical IT infrastructure, safety or subject to regulations, is subject to audits, reads/writes/stores financial, confidential or restricted data.
• The scope of this standard addresses operating systems run within OIT. The standards apply to new systems going forward or systems to be upgraded. Non high risk systems are grandfathered. Request exceptions of the OIT Architecture Review Board.

Requirements for OIT Platform Standard¶

• Industry recognized OS for running enterprise level software, is highly scalable, and secure
• Must have technical support and maintenance contracts available for mission critical systems. Commercially unsupported operating systems may be appropriate for non-mission critical systems.
• Robust release management, quality assurance, and testing - both major and minor releases.
• Regular patches and bug fixes that are fully tested. Lifecycle management.
• Must be certified by vendors as a supported OS platform for running applications such as Oracle DB, MySQL, Java, etc.
• Must have current CIS benchmarks

OIT Supported Operating Systems by Purpose:¶

Purpose	Approved OS Versions	Comments
Mission critical applications/systems	OS versions that are under mainstream and long term release support. Microsoft Windows Server Oracle Linux, RHEL, Amazon Linux CentOS (must purchase commercial support *) Solaris	Preferred OS Versions: Latest versions with long term support. Also allowed: OSs within long term support or extended support time frame.
Non-mission critical applications/systems	Any of the above. CentOS does not require commercial support for non-mission critical applications/systems.
Mission critical MS SQL Server, Oracle or mySQL database servers	Microsoft Windows Server Oracle Linux, RHEL, Amazon Linux Solaris	OIT DBA team recommends: Oracle Linux as OIT operating system standard for MySQL and Oracle databases. For MySQL, DBA team recommends Oracle Linux over Solaris because there is limited backup support on Solaris for Networker. MS SQL Server runs only on Windows.

Implementation Checklists¶

• General OIT standards applicable to OSs

References¶

• OIT Center for Internet Security (CIS) baseline standards
  • Benchmarks
• OIT’s Tenable Nessus scans using authenticated “Compliance” module for enforcement of standards
• OIT’s SRAQ

Appendix: Linux Support Costs¶

• Oracle Linux - $119/year/server as of 2013 for patches and updates only
• RHEL - $329/year/dual socket machine as of 2013. $150k campus wide license.
• CentOS Commercial Support example: OpenLogic.com - $25k/year for Gold, $20k/year for Silver per server or VMware. Patches and 24 hour support. Unlimited CPUs/Sockets per server.