## page was renamed from Notebook Security Linux
#acl DvGroup:read,write,delete,revert,admin All:read


== Security Guideline for central supported Linux Notebooks in Zeuthen with Scientific Linux Version 4 ==


There are a lot of advantages to run a central supported Linux on your DESY notebook.
The support is available for C400,D410,D600,X300 and X1.

 * Upgrade to the DV supported version. Please contact uco-zn@desy.de 
   /!\ See also [attachment:DZNB_DVSEM.pdf] Stephan Wiesand's Talk !
 * Please do not disable the automatic package updates which works anywhere you have a network connection.

An extract of the Release Notes (S. Wiesand, November 19, 2005):
{{{
  Security
          The  setup  should  be  reasonably  secure  unless  it has been
          tampered  with. Security is however a joke if someone you don't
          trust  has  physical  access  to the device. On the other hand,
          this  fact  allows us to keep the account management simple and
          omit password management altogether.

          Each  time  a  network interface is started, an automated check
          for  available  updates  is performed in the background. If any
          are  found, the user is presented with a pop-up window allowing
          to  either  perform  all updates, exclude certain packages from
          being  updated,  or  not  to  perform any updates at this time.
          Usually,  all  updates  should  be applied as soon as possible.
          Certain  critical  packages will have the "exclude" box checked
          by  default  although even kernel and glibc updates should work
          without  problems  and  have  been  tested successfully. Unless
          you're  at  the other end of the world and critically depend on
          your  notebook  before you can get to our support again, please
          uncheck all of them and click ok.        
          A  local  firewall  is  now  set  up.  It  should not cause any
          problems, and obviously should be kept running at all times.

   Keeping the notebook up to date
          Since  an automatic check for updates runs every time a network
          interface  is started, there's nothing to be done but accepting
          the updates offered.

          nbctl sync can be run to trigger this manually.

          nbctl  yum  (or  you, for backward compatibility) can be run to
          only   update   SL  the  packages,  without  running  the  DESY
          synchronization  (for  example,  known accounts and software in
          /opt/products).
}}}