[BlueOnyx:21994] Re: 5207R, 5208R and 5209R: EU-GDPR & EU-DSGVO compliance updates released

Janwillem Ronken jw at veritekglobal.eu
Wed May 2 03:23:01 -05 2018


Hi Michael

None of my 5207/5208 servers seem to have received this, although last yum update was 02.05.2018 (and a manual yum update says no updates available)

A test 5209 does have the option..

Am I missing something? 

Best regards

Janwillem

 

From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> on behalf of Michael Stauber <mstauber at blueonyx.it>
Organization: Team BlueOnyx (www.blueonyx.it)
Reply-To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
Date: Tuesday, 1. May 2018 at 04:45
To: <blueonyx at mail.blueonyx.it>
Subject: [BlueOnyx:21992] 5207R, 5208R and 5209R: EU-GDPR & EU-DSGVO compliance updates released

 

Hi all,

We already discussed the upcoming deadline of 25th May 2018 until which
EU businesses must certify compliance under the new EU-GDPR (or in
German: EU-DSGVO) regulations.

The prior discussion can be found under this headline:

[BlueOnyx:21882] Re: EU-DSGVO - anonymize ip addresses in apache
logfiles / other logfiles?

I just published YUM updates for 5207R, 5208R and 5209R which should
assist BlueOnyx server owners in the task of getting their servers
compliant.

Now as it is with any legal stuff I'll have to throw in the standard
disclaimer: I am no lawyer nor should anything I say be taken as legal
advice.

 

However: Just ticking a few checkboxes in the GUI will not make any
BlueOnyx "street legal" in the sense of the EU-GDPR/EU-DSGVO. Those who
are already familiar with the topic will know that proper certification
and compliance requires a thorough audit of servers, software, internal
procedures, record keeping, consent tracking and what not. (Am I glad
that I don't live in the EU anymore!)

But BlueOnyx now has an extra GUI page and some built in features that
help you to jump the new extra-hurdles that the clowns in Brussels have
set up for you.

You can read in detail about it here:

https://www.blueonyx.it/index.php?page=gdpr-dsgvo

It has also a screenshot of the new GUI page, which you can find under
"Server Management" / "System Settings" / "Data Retention".

 

Once you have these updates installed only two things will change
(mandatory) and all the rest is optional and can be configured via this
new GUI page:

Change #1: Logfiles in /var/log will only be retained for 14 days. It
used to be four weeks, but now it has been cut in half to err on the
safe side of things.

Change #2: Logfiles stored under Vsites (like: /home/sites/<site>/logs/)
now only inherit logfile snippets related to their Vsites which already
have the IPv4 or IPv6 addresses of visitors already anonymized. IPv4 IPs
get their last octet set to '0' and IPv6 IPs lose their least
significant byte, providing sufficient anonymization, yet still allow
attributability of traffic to some degree. As the data there is only
used for historical or statistical purpose we can live with that.

 

However: This does NOT affect any data that has already been aggregated
before these updates got installed.

Means: You may still end up with Vsites that have 5 years worth of
logfiles with full IP addresses stored in their own logs directory.

For that reason the new GUI page allows you to purge both the server as
well as all Vsites of historical log data that was set aside for
statistical reasons.

Checkbox "Purge Usage Statistics" wipes the /logs/ directory of Vsites.

Checkbox "Purge Webalizer" cleans out all Webalizer directories.

Checkbox "Purge AWStats" only shows up if you have our AWStats PKG
installed and likewise allows you to remove all historical AWStats
statistic files.

Additionally you can configure SendmailAnalyzer to anonymize whatever
data it gathers for the onboard email statistics by setting a checkbox.

That - of course - does not retroactively anonymize any data that has
already been gathered. But there is a separate checkbox for that purpose
which allows you to remove all SendmailAnalyzer data files.

 

Lastly: If the AV-SPAM is installed this GUI page allows you to
configure that the Milter-GeoIP database records will be automatically
expired once they reach a certain age. The age at which it does expire
these SQL records is identical to the one in the "Vsite Usage
Information" pulldown on top of this page.


"Vsite Usage Information" (Pulldown). The default is 5 years.
--------------------------------------------------------------

Means:

- The logs of Vsites are kept that long.
- SendmailAnalyzer will keep its records that long.

A daily cronjob purges data that is older than that.

Individual Vsites might have different retention periods configured for
their logfiles and statistics.

However: If you now set this "Vsite Usage Information" to something
different like "1 year", then all Vsites that currently have their
retention period configured for *more* than one year will have it
reduced to "1 year". Furthermore no Vsite may change this value again to
something higher. Lower? Yes. Higher? No.

That way you can make sure that your siteAdmins don't keep their
logfiles indefinitely or for longer than you are comfortable with.

The AV-SPAM will also use this new maximum for expiring MySQL data if
the checkbox "AV-SPAM data expiry" is ticked.

 

I think that should cover BlueOnyx and EU-GDPR & EU-DSGVO compliance
from a vendor point of view.

Let me know if you have any questions.

-- 
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
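
The anonymization scheme described in the announcement above (IPv4 last octet set to 0, IPv6 least significant byte cleared), as an added example that is not part of the original messages and is not BlueOnyx's own code. The function names, the `v4_bits`/`v6_bits` parameters and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample lines in Apache combined log format
# (addresses are from the documentation ranges).
SAMPLE_LOG = [
    '192.0.2.77 - - [01/May/2018:04:45:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.29.0"',
    '2001:db8::1a2b:3c4d - - [01/May/2018:04:45:02 +0000] "GET /a.css HTTP/1.1" 200 90 "-" "-"',
    'client.example.net - - [01/May/2018:04:45:05 +0000] "GET /b.js HTTP/1.1" 304 0 "-" "-"',
]


def anonymize_ip(token, v4_bits=8, v6_bits=8):
    """Clear the low bits of an IP address; return non-IP tokens unchanged.

    Defaults follow the announcement: IPv4 last octet -> 0, IPv6 least
    significant byte -> 0. v4_bits/v6_bits are hypothetical knobs for sites
    whose policy needs a wider mask (8 bits leaves 120 of 128 IPv6 bits).
    """
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return token  # resolved hostname or "-": nothing to mask
    bits = v4_bits if addr.version == 4 else v6_bits
    masked = (int(addr) >> bits) << bits
    return str(type(addr)(masked))


def anonymize_line(line, **kw):
    """Anonymize the client field, which is the first token of the line."""
    host, sep, rest = line.partition(" ")
    return anonymize_ip(host, **kw) + sep + rest


def anonymize_log(lines, **kw):
    """Return (anonymized_lines, number_of_lines_changed)."""
    out = [anonymize_line(ln, **kw) for ln in lines]
    changed = sum(1 for before, after in zip(lines, out) if before != after)
    return out, changed


if __name__ == "__main__":
    result, changed = anonymize_log(SAMPLE_LOG)
    print("\n".join(result))
    print(f"{changed} of {len(result)} lines rewritten")
```

Only the first field of each line is rewritten; addresses that appear elsewhere in a line (for example in a query string) are not touched by this sketch.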

 
