Differences between revisions 1 and 15 (spanning 14 versions)
Revision 1 as of 2005-12-06 11:21:45
Size: 2549
Comment: initial version
Revision 15 as of 2008-10-30 11:40:13
Size: 1628
Editor: localhost
Comment: converted to 1.6 markup
Line 1: Line 1:
#acl DvGroup:read,write,delete,revert,admin Known: All: ## page was renamed from Notebook Security Linux
#acl DvGroup:read,write,delete,revert,admin All:read
Line 4: Line 5:
== Security Guideline for central supported Linux Notebooks in Zeuthen with Scientific Linux Version 4 == == Security Guideline for DESY Notebooks centrally supported by DV Zeuthen with Scientific Linux Version 4 ==
Line 6: Line 7:
||<tablestyle="width:100%; background-color: #FFA0A0;"> <!> Support by - DV - for linux on notebooks is scheduled to end in summer 2006.||
Line 7: Line 9:
There are a lot of advantages to run a central supported Linux on your DESY notebook.
The support is available for C400,D410,D600,X300 and X1.
The support is available for C400, D410, D600, D610, X300 and X1.
Line 10: Line 11:
 * Upgrade to the DV supported version. Please contact uco-zn@desy.de
   See also [attachment:DZNB_DVSEM.pdf: the Stephan Wiesand's Talk]!
 * Please do not disable the automatic package updates which works anywhere you have a network connection.
You have to upgrade to the DV supported version (SL4). Please contact uco-zn@desy.de
   /!\ See also [[http://www-zeuthen.desy.de/~schoene/unter_texte/texte/DZNB_DVSEM.pdf|Stephan Wiesand's Talk]] !
Line 14: Line 14:
An extract of the Release Notes (November 19, 2005): Before traveling and always when your notebook is attached to the network:
Line 16: Line 16:
  Security
          The setup should be reasonably secure unless it has been
          tampered with. Security is however a joke if someone you don't
          trust has physical access to the device. On the other hand,
          this fact allows us to keep the account management simple and
          omit password management altogether.
 * login with your acoount with an empty password (possible only in front of the notebook). If this is not possible use the guest account the first time.
 * Connect to the network by running the command
  using cable based interface with: lan start
  using the wireless interface: wlan start
 * Each time a network interface is started, an automated check for avalaible updates is performed in the background. There's nothing to be done but accepting the updates offered.
  * manually: nbctl sync
  * without DESY synchronization: nbctl yum
 * if you notice suspicious files or activities please contact uco-zn@desy.de
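Review bot: the added first bullet tells users to log in with an empty password, while the release-notes paragraph that explained why this is tolerated (security depends on who has physical access to the device) is dropped in the same hunk; keep one sentence of that rationale beside the bullet so the instruction is not read as general practice. The added bullets also misspell "acoount" and "avalaible", and the two commands "lan start" and "wlan start" would read better each on its own sub-bullet.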
Line 23: Line 25:
          Each time a network interface is started, an automated check
          for available updates is performed in the background. If any
          are found, the user is presented with a pop-up window allowing
          to either perform all updates, exclude certain packages from
          being updated, or not to perform any updates at this time.
          Usually, all updates should be applied as soon as possible.
          Certain critical packages will have the "exclude" box checked
          by default although even kernel and glibc updates should work
          without problems and have been tested successfully. Unless
          you're at the other end of the world and critically depend on
          your notebook before you can get to our support again, please
          uncheck all of them and click ok.
          A local firewall is now set up. It should not cause any
          problems, and obviously should be kept running at all times.
Recommendations:
 * Lock the screen with a special xlock-password for which you will be asked the first time
 * Arrange for secure password-less access to the notebook with ssh key authentication
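Review bot: the release-notes text removed in this region includes the statement that a local firewall is set up and "should be kept running at all times", and the new Recommendations list has no equivalent; suggest a third bullet telling users to keep the local firewall running. The removed advice to uncheck the default "exclude" boxes is also lost, so "accepting the updates offered" may leave kernel and glibc updates excluded.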
Line 38: Line 29:
   Keeping the notebook up to date
          Since an automatic check for updates runs every time a network
          interface is started, there's nothing to be done but accepting
          the updates offered.

          nbctl sync can be run to trigger this manually.

          nbctl yum (or you, for backward compatibility) can be run to
          only update SL the packages, without running the DESY
          synchronization (for example, known accounts and software in
          /opt/products).
Please read the [[http://a.ifh.de/Notebook/SL4/RelNotes.html|Release Notes]]

Security Guideline for DESY Notebooks centrally supported by DV Zeuthen with Scientific Linux Version 4

Support by DV for Linux on notebooks is scheduled to end in summer 2006.

The support is available for C400, D410, D600, D610, X300 and X1.

You have to upgrade to the DV-supported version (SL4). Please contact uco-zn@desy.de.

Before traveling and always when your notebook is attached to the network:

  • Log in with your account with an empty password (possible only in front of the notebook). If this is not possible, use the guest account the first time.
  • Connect to the network by running the command
    • using the cable-based interface: lan start
    • using the wireless interface: wlan start
  • Each time a network interface is started, an automated check for available updates is performed in the background. There's nothing to be done but accepting the updates offered.
    • manually: nbctl sync
    • without DESY synchronization: nbctl yum
  • If you notice suspicious files or activities, please contact uco-zn@desy.de

Recommendations:

  • Lock the screen with a special xlock-password for which you will be asked the first time
  • Arrange for secure password-less access to the notebook with ssh key authentication
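
One way to check the precondition behind the ssh recommendation, as an added example that is not part of the original page or DESY's tooling: since accounts may have empty passwords, sshd should refuse empty-password and password logins and accept keys only. The function names and both sample configurations are constructed for illustration; the three directives are standard OpenSSH `sshd_config` keywords.

```shell
#!/bin/sh
# Added example (not DESY's tooling): audit the global part of an sshd_config.

# effective_value FILE KEYWORD DEFAULT: print the value sshd would use.
# sshd keeps the FIRST occurrence of a keyword; keywords are case-insensitive.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }              # tolerate the Keyword=value form
        tolower($1) == "match" { exit }            # conditional blocks are out of scope
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE: return 0 only if remote logins are key-only.
audit_sshd() {
    rc=0
    [ "$(effective_value "$1" PermitEmptyPasswords no)" = no ] ||
        { echo "FAIL: empty passwords accepted over ssh"; rc=1; }
    [ "$(effective_value "$1" PasswordAuthentication yes)" = no ] ||
        { echo "FAIL: password logins still enabled"; rc=1; }
    [ "$(effective_value "$1" PubkeyAuthentication yes)" = yes ] ||
        { echo "FAIL: key authentication disabled"; rc=1; }
    return "$rc"
}

# Constructed sample configurations (not taken from a real notebook).
write_samples() {
    cat > "$1/weak" <<'EOF'
# PasswordAuthentication is absent, so the OpenSSH default (yes) applies
PermitEmptyPasswords yes
EOF
    cat > "$1/hardened" <<'EOF'
permitemptypasswords no
PasswordAuthentication no
PubkeyAuthentication yes
# the next line is ignored: the first occurrence wins
PasswordAuthentication yes
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in weak hardened; do
    if audit_sshd "$tmp/$f"; then echo "$f: ok"; else echo "$f: needs fixing"; fi
done
```

Where PAM handles keyboard-interactive logins, `ChallengeResponseAuthentication` should be reviewed as well, since it can still allow password entry.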

Please read the Release Notes

NotebookSecurityLinux (last edited 2008-10-30 11:40:13 by localhost)