Differences between revisions 9 and 10
Revision 9 as of 2005-12-09 12:27:40
Size: 2618
Comment:
Revision 10 as of 2005-12-12 12:00:13
Size: 1542
Comment: second version
Line 5: Line 5:
== Security Guideline for central supported Linux Notebooks in Zeuthen with Scientific Linux Version 4 == == Security Guideline for DESY Notebooks centrally supported by DV Zeuthen with Scientific Linux Version 4 ==
Line 8: Line 8:
There are a lot of advantages to run a central supported Linux on your DESY notebook. There are a lot of advantages to run a centrally supported Linux on your DESY notebook.
Line 11: Line 11:
 * Upgrade to the DV supported version. Please contact uco-zn@desy.de You have to upgrade to the DV supported version (SL4). Please contact uco-zn@desy.de
Line 13: Line 13:
 * Please do not disable the automatic package updates which works anywhere you have a network connection.
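Review bot: the bullet removed here ("Please do not disable the automatic package updates ...") has no counterpart in revision 10, so the guideline no longer tells users to leave automatic updates enabled. Suggest keeping it as a bullet under "Before traveling and always when your notebook is attached to the network", next to the line about accepting the updates offered.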
Line 15: Line 14:
An extract of the Release Notes (S. Wiesand, November 19, 2005):
{{{
  Security
          The setup should be reasonably secure unless it has been
          tampered with. Security is however a joke if someone you don't
          trust has physical access to the device. On the other hand,
          this fact allows us to keep the account management simple and
          omit password management altogether.
Before traveling and always when your notebook is attached to the network:
Line 24: Line 16:
          Each time a network interface is started, an automated check
          for available updates is performed in the background. If any
          are found, the user is presented with a pop-up window allowing
          to either perform all updates, exclude certain packages from
          being updated, or not to perform any updates at this time.
          Usually, all updates should be applied as soon as possible.
          Certain critical packages will have the "exclude" box checked
          by default although even kernel and glibc updates should work
          without problems and have been tested successfully. Unless
          you're at the other end of the world and critically depend on
          your notebook before you can get to our support again, please
          uncheck all of them and click ok.
          A local firewall is now set up. It should not cause any
          problems, and obviously should be kept running at all times.
 * login with your acoount with an empty password (possible only in front of the notebook). If this is not possible use the guest account the first time.
 * Connect to the network by running the command
  using cable based interface with: lan start
  using the wireless interface: wlan start
 * Each time a network interface is started, an automated check for avalaible updates is performed in the background. There's nothing to be done but accepting the updates offered.
  * manually: nbctl sync
  * without DESY synchronization: nbctl yum
 * if you notice suspicious files or activities please contact uco-zn@desy.de
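Review bot: the release-notes extract removed in this hunk said a local firewall is set up and "obviously should be kept running at all times", and none of the added bullets carries that over; suggest adding a bullet for it. The added lines also contain the typos "acoount" and "avalaible", and the two commands under "Connect to the network by running the command" would read better as sub-bullets like the nbctl ones.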
Line 39: Line 25:
  Keeping the notebook up to date
          Since an automatic check for updates runs every time a network
          interface is started, there's nothing to be done but accepting
          the updates offered.
Recommendations:
 * Lock the screen with a special xlock-password for which you will be asked the first time
 * Arrange for secure password-less access to the notebook with ssh key authentication
Line 44: Line 29:
          nbctl sync can be run to trigger this manually.

          nbctl yum (or you, for backward compatibility) can be run to
          only update SL the packages, without running the DESY
          synchronization (for example, known accounts and software in
          /opt/products).
}}}
Please read the [file:///afs/ifh.de/project/linux/Notebook/SL4/RelNotes.html Release Notes]

Security Guideline for DESY Notebooks centrally supported by DV Zeuthen with Scientific Linux Version 4

There are many advantages to running a centrally supported Linux on your DESY notebook. Support is available for the C400, D410, D600, X300 and X1.

You have to upgrade to the DV-supported version (SL4). Please contact uco-zn@desy.de

  • See also Stephan Wiesand's talk: [attachment:DZNB_DVSEM.pdf]

Before traveling and always when your notebook is attached to the network:

  • Log in with your account using an empty password (possible only in front of the notebook). If this is not possible, use the guest account the first time.
  • Connect to the network by running one of these commands:
    • using the cable-based interface: lan start
    • using the wireless interface: wlan start
  • Each time a network interface is started, an automated check for available updates is performed in the background. There's nothing to be done but accepting the updates offered. The update can also be started by hand:
    • manually: nbctl sync
    • without DESY synchronization: nbctl yum
  • If you notice suspicious files or activities, please contact uco-zn@desy.de

Recommendations:

  • Lock the screen with a special xlock password, which you will be asked for the first time
  • Arrange for secure password-less access to the notebook with SSH key authentication
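
Because the accounts above have an empty password for console login, remote access should be key-only. The script below is an added example, not part of the DESY notebook tooling: it checks the global section of an sshd_config for that. The three OpenSSH keywords it looks at and the sample file are assumptions; the page does not name them.

```shell
#!/bin/sh
# Added example: check the global section of an sshd_config for key-only access.
# Assumes whitespace-separated "Keyword value" lines (no "Keyword=value" form).

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the first value it reads for a keyword; keywords are case-insensitive.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
        tolower($1) == "match" { exit }           # stop at the first Match block
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }             # unset keyword: OpenSSH default
    ' "$1"
}

# audit_sshd FILE: one line per setting; return status = number of failed checks.
audit_sshd() {
    fails=0
    # keyword:OpenSSH default:value wanted for key-only logins
    for rule in PermitEmptyPasswords:no:no \
                PasswordAuthentication:yes:no \
                PubkeyAuthentication:yes:yes; do
        key=${rule%%:*}; rest=${rule#*:}
        def=${rest%%:*}; want=${rest#*:}
        got=$(effective_value "$1" "$key" "$def")
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key $got (want $want)"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample: password logins left at the default, empty passwords allowed.
sample=$(mktemp)
printf '%s\n' '# constructed sshd_config fragment' \
    'Protocol 2' 'permitemptypasswords yes' 'PubkeyAuthentication yes' > "$sample"
audit_sshd "$sample" || echo "$? setting(s) need attention"
rm -f "$sample"
```

To check a real machine, call audit_sshd with the path of its sshd_config instead of the sample file.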

Please read the [file:///afs/ifh.de/project/linux/Notebook/SL4/RelNotes.html Release Notes]

NotebookSecurityLinux (last edited 2008-10-30 11:40:13 by localhost)