Security hardening checklist

[laeti-tia]

We should provide a list of 3rd party software perfSONAR depends on along with instructions or pointers and maybe a checklist to harden the setup and configuration of those tools. This can be added or referenced from http://docs.perfsonar.net/manage_security.html

From GN4-SA2T1 report 2.2.3, 2.2.4 and 2.2.5.

[laeti-tia]

Listing all 3rd party software used by perfSONAR will result in a very long list (lots of dependencies) that will not be particularly useful to people. Instead, it's most probably sufficient to do the following:

• (re-)Mentioning that we recommend using auto-updates and that we rely on the OS security policy (which is known to be good)
• Listing all the daemons that are listening on local ports only.
• Keeping listing all other open ports that are used by the different perfSONAR components and tools as we currently do.

[laeti-tia]

List of all local only daemons is:

• postgresql on port 5432 (tcp)
• cassandra on port 7000, 7199, 9042, 9160 and one ephemeral/higher order port (tcp)
• maddash on port 8881 (tcp)
• toolkit_config_daemon on port 9000 (tcp)
• memcached on port 11211 (udp+tcp)
• httpd24 (as esmond proxy) on port 11413 (CentOS 6 only, so probably no need to list as we don't support it anymore)

[laeti-tia]

Can any of @szymontrocha @arlake228 @mfeit-internet2 or @schevali double check what I've listed above is complete? If yes, I'll add a Local Daemons section to the https://docs.perfsonar.net/manage_security.html page just before the Adding Your Own Firewall Rules section.

And maybe the page can be re-titled to something like "perfSONAR security practices"