TGCSO Master Validator Challenge Checklist

Standard Points Possible: 120
Points Earned: 0
Bonus Points: 0
Total Points: 0

| Control | | Maximum Points | Measurement | Points |
|---|---|---|---|---|
| Colo - DataCenter | | 30 | | 0 |
| Redundant Power | | 6 | Survey | |
| Redundant Cooling | | 6 | Survey | |
| Redundant Networking | | 6 | Survey | |
| Physical Cage/Gated Access | | 6 | Survey | |
| Remote Alerting Security Camera | | 6 | Survey | |
| General System Security | | 9 | | 0 |
| Operating System appropriately patched | Confirm kernel version | 2 | Script | |
| Auto-updates configured (for OS) | Confirm toolkit for automatic upgrades exists (auter, yum-cron, dnf-automatic, unattended-upgrades) | 2 | Script | |
| Security Framework Enabled | SELinux, AppArmor, Tomoyo or Grsecurity enabled; framework installed, enabled and enforcing | 2 | Script | |
| No Insecure Services Installed | No telnet, rsh, inetd, etc. | 1 | Script | |
| GRUB boot loader password | Grub2 configured with password | 1 | Script | |
| Root permissions on core system files secure | | 1 | Script | |
| Account Security & Remote Access | | 10 | | 0 |
| Password Policy Enforced | | | | |
| Use PAM | | 2 | Script | |
| No Blank Passwords | | 1 | Script | |
| PAM Modules exist | | 1 | Script | |
| PAM Modules configured | | 1 | Script / Manual | |
| Remote Access (SSH) | | | | |
| Do NOT Permit Root Login | | 2 | Script | |
| Allow Only Specified Users/Groups | | 1 | Script | |
| No password based login | (DO NOT LOCK YOURSELF OUT!) UsePAM yes; PasswordAuthentication no; ChallengeResponseAuthentication no | 2 | Script / Manual | |
| Networking | | 30 | | 0 |
| Network throughput test (32 Mbps upload, 32 Mbps download) | Speedtest confirms throughput | 5 | Script (Speedtest-cli) | |
| Individual systems appropriately firewalled | Confirm iptables configured, active and INPUT set to DROP with no overly permissive rules | 10 | Script / Manual | |
| External DDoS protection configured for Attestation Service | | 5 | Survey / Manual | |
| Intrusion Detection System Installed / Configured | Confirm Fail2Ban installed along with either (OSSEC or Snort) | 10 | Script | |
| Container Security | | 1 | | 0 |
| Docker File Permissions | Docker files owned by root; /var/run/docker.sock root:docker (owner:group), not world writable | 1 | Script | |
| Key Management | | 10 | | 0 |
| Demonstration of rotating validator keys (provide auditor with transaction hash) | | 5 | Script / Manual | |
| Ledger Nano S or X used for transaction signing for account key* | Support is still being built for this, but proving you have the device will grant points. | 5 | Script / Manual | |
| Redundancy | | 20 | | 0 |
| Hot Standby Validator Machine | Auditor will confirm machine configured (further 5 points earned in Key Management section) | 5 | Survey | |
| Hot Standby Validator Machine - Physically in Colo | | 5 | Survey | |
| System Monitoring and Alerting Setup | Provide auditor with overview of monitoring and alerting set-up to include at a minimum Validator health and IDS alerting (if configured) | 10 | Survey | |
| Celo Stack | | 10 | | 0 |
| Attestation Service Instance Available and Functioning | | 10 | Manual / Survey | |
| Bonus | | 20 | | 0 |
| Lynis Score >= 90 | | 10 | Script (Lynis) | |
| Ledger Nano X for validator ECDSA and BLS signing* | | 10 | Script / Manual | |
| TOTAL SUM (Including possible bonus) | | | | 0 |

\* = Hardware wallet support may or may not be available in good time for the start of security audits. If you prove you have a Ledger available on your Validator machine a follow-on audit may grant more points.