Jefferson Lab Guidelines for Stand-Alone, Multi-user Computer Systems
Updated April, 2007
When you register a stand-alone, multi-user computer
system at Jefferson Lab, you are agreeing to the following
guidelines. These have been established to ensure the
integrity of the systems and data at the Laboratory.
Commitment to implementing these guidelines is required in
order to connect your system to the Lab's network
or to obtain an IP address in the JLAB.ORG domain.
Maintaining a stand-alone multi-user system that is not in
accordance with these guidelines may result in loss of the
privilege to connect to the Jefferson Lab network.
Applicability
This document applies to all
multi-user systems not under the management of the Computer
Center, the Accelerator Controls Systems Group, or the Human
Resources department, including but not limited to systems
running any form of UNIX (Linux, Solaris, AIX, HP-UX, IRIX,
etc.), Novell or NT server.
- Your computer system will be registered with the
Jefferson Lab Computer Center. The
registration form must be signed by the local primary user and/or
system manager of the system as well as his or her
JLab supervisor/sponsor.
- The system should have a limited set of login
accounts sufficient only for those registered JLab computer users who need the
system to perform their mandated tasks. Each user must have a
unique account; there should be no shared
accounts. Users must use a secure password and not use the
same password at Jefferson Lab that they use at any off-site location.
This requirement must be stressed to all users to ensure
that security intrusions do not spread from other sites to
Jefferson Lab or from the Lab to other sites.
- The secure shell program (ssh) must be installed
on the system and all users of the system instructed
in its use to prevent the transmission of clear text
passwords. Other means of avoiding
replayable, clear text passwords during interactive
sessions will be considered on a case-by-case basis.
- A monitoring account must be set up to allow routine
checks of system and file integrity. See the
Jefferson Lab Host-Monitoring Facility for details.
- The system should not be trusted by any other
Jefferson Lab computer; i.e., this system's name
should not appear in any .rhosts or hosts.equiv file
on any other Jefferson Lab system.
- Any machine providing network services such as anonymous
ftp, Internet Relay Chat, web pages, net news, and receipt of
electronic mail must be registered as such with the
Computer Center.
Any machine that is to be visible to the Internet (i.e.,
will accept connections from the Internet) must
request wide-area access.
- The primary user/system manager is responsible for
system configuration, backup, and management and
should take action to implement any security measures
suggested by the Computer Center or by security
alerts from such authorized security groups as the
CIAC or CERT.
- The Computer Center reserves the right to disconnect
this machine at any time from the JLab network if an
incident arises, security-related or other, even if
the primary contact cannot be reached.
This document is maintained by helpdesk@jlab.org
Copyright Jefferson Lab 2007