Required Configuration Tasks for all JLab Linux Computers

Although the Computer Center does not administer every Linux machine at the Lab, we have the duty to ensure that they each comply with DOE policy and are being administered in a manner that promotes good system security.  To help us with this task, the Computer Center requires that administrators of all Unix machines follow a few simple rules and perform a few easy administration tasks.  This document describes what you must do in order to put your Linux system on the JLab network.

Make Sure You're Running Red Hat Enterprise Linux

The Computer Center strongly recommends that you select a supported version of Red Hat Enterprise Linux when choosing which version of Linux to install on your computer.  JLab provides RHEL 3WS, a workstation-oriented release which is also suitable for most servers.  You can find more information about Linux at the Lab, including full installation instructions, on the JLab Computer Center Linux Services page.

By following the instructions in this document, you can manually configure your machine to comply with the JLab requirements.  However, the Computer Center also provides a script that automates the process, which is described below.  You may configure your system either automatically or manually, but you must do one or the other.

Register Your System With the Lab's Patch Server

If you are running RHEL, you must register your system with the Lab's patch server.  Once you are registered, the Computer Center will be automatically notified whenever Red Hat issues a security patch that needs to be applied to your machine.  They will work with you to make sure that your system is always up to date with the latest security and bug fixes.

To configure your system to use the patch server, issue the following commands as root:

# mount jlabsite:/site /mnt
# /mnt/CC/linux/satellite-connect --patchall

The script will prompt you for an activation key, but if you don't know what this is, just hit ENTER and it will use a sensible default.  Depending on how many patches need to be applied to your system to bring it up to the current level, this script may take a very long time to run.  When it finishes, you should reboot your machine to make the new patches take effect.

In most cases, the Computer Center will manage patches for your machine directly, as long as you ensure that the "rhnsd" service is configured to start when the machine boots.  You can ensure that this is the case by issuing the following commands as root:

# /sbin/chkconfig rhnsd on
# /sbin/chkconfig --list rhnsd
rhnsd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
# /sbin/service rhnsd restart
Stopping Red Hat Network Daemon:                           [  OK  ]
Starting Red Hat Network Daemon:                           [  OK  ]

You will also need to add an entry to root's crontab file, to make sure the profile information the patch server stores about your computer is kept current.  Make sure the following command is run every day.  The exact time it runs isn't important, but it must be run by root:

/usr/sbin/up2date -p --hardware

If you do not want the Computer Center to manage patches for your machines, you may request an account on the patch server's web site, which will allow you to manage patches for your machine directly.  This may require a significant amount of time, and failing to patch your machines constitutes a violation of JLab's security policy and may result in your removal from the network until the situation is corrected.  Still, for some users, this is an appropriate option.  Please contact the helpdesk at x7155 if you wish to manage patches for your machine(s).
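As an added example (not a JLab script), the following shell functions check the two settings this section requires: rhnsd enabled for runlevels 2 through 5, and the daily up2date profile update in root's crontab.  The parsers read text on stdin so they can be exercised without chkconfig; the 03:15 run time in the suggested cron line is an arbitrary choice, since the page only requires that root run it daily.

```shell
#!/bin/sh
# Compliance check for the patch-service steps above (added example, not a
# JLab script). Parsers take text on stdin; the driver at the bottom feeds
# them the live chkconfig and crontab output.

# rhnsd_enabled: read "chkconfig --list rhnsd" output on stdin and succeed
# only if runlevels 2-5 are all "on" (the state shown in the page's example).
rhnsd_enabled() {
    awk '
        $1 == "rhnsd" {
            found = 1; ok = 1
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                lvl = kv[1] + 0
                if (lvl >= 2 && lvl <= 5 && kv[2] != "on") ok = 0
            }
        }
        END { if (found && ok) exit 0; exit 1 }'
}

# cron_has_profile_update: read a crontab on stdin and succeed if an active
# (non-comment) line runs "up2date -p --hardware".
cron_has_profile_update() {
    grep -v '^[[:space:]]*#' | grep -q 'up2date -p --hardware'
}

# profile_update_entry: the daily line to add when it is missing. The time
# (03:15) is an assumption; the page requires only that root run it daily.
profile_update_entry() {
    echo '15 3 * * * /usr/sbin/up2date -p --hardware'
}

# check_patch_service: driver, meaningful only as root on a RHEL host.
# Exits 0 when both settings are compliant, 1 otherwise.
check_patch_service() {
    status=0
    /sbin/chkconfig --list rhnsd 2>/dev/null | rhnsd_enabled \
        || { echo "rhnsd is not enabled for runlevels 2-5"; status=1; }
    crontab -l 2>/dev/null | cron_has_profile_update \
        || { echo "root crontab lacks: $(profile_update_entry)"; status=1; }
    return $status
}
```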

Set Up Centralized Host Monitoring Access

The Computer Center's network security team monitors each host for signs of possible intrusion or system compromise.  As part of this service, you are required to create an unprivileged account that the monitoring program will use to log in to your machine periodically and check its status.  You can find the full details on the JLab Host Monitoring page.

Configure Login Warning Banners

The DOE requires that all computer systems attached to their networks display the following warning message when users log in:

                         J E F F E R S O N   L A B
 ----------------------------------------------------------------------------
                             NOTICE TO USERS

 This computer is owned by the Federal Government or is connected to a
 network owned by the Federal Government.  It is for authorized use only.
 Users (authorized or unauthorized) have no explicit or implicit expectation
 of privacy.

 Any or all uses of this system and all files on this system may be
 intercepted, monitored, recorded, copied, audited, inspected, and disclosed
 to authorized site, Department of Energy, and law enforcement personnel, as
 well as authorized officials of other agencies, both domestic and foreign.
 By using this system, the user consents to such interception, monitoring,
 recording, copying, auditing, inspection, and disclosure at the discretion
 of authorized site or Department of Energy personnel.

 Unauthorized or improper use of this system may result in administrative
 disciplinary action and civil and criminal penalties. By continuing to use
 this system you indicate your awareness of and consent to these terms and
 conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions
 stated in this warning.
 ----------------------------------------------------------------------------

This is most easily accomplished by opening the files /etc/issue and /etc/issue.net in your favorite text editor, then pasting in the text listed above.
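The following shell functions, added here as an example rather than taken from JLab's scripts, install the banner text into both files and verify that each is byte-for-byte identical to the required text.  The directory defaults to /etc but can be overridden, so the functions can be tried on a scratch directory before touching the real files.

```shell
#!/bin/sh
# Banner install and verification for the step above (added example, not a
# JLab script). BANNER_FILE holds the required text exactly as listed on the
# page; ETC_DIR defaults to /etc and exists only to allow offline testing.

# install_banner BANNER_FILE [ETC_DIR]: copy the banner into issue and
# issue.net, world-readable but writable only by root (mode 0644).
install_banner() {
    src=$1; etc=${2:-/etc}
    for f in issue issue.net; do
        cp "$src" "$etc/$f" || return 1
        chmod 0644 "$etc/$f" || return 1
    done
}

# check_banner BANNER_FILE [ETC_DIR]: succeed only if both files exist and
# match the required text exactly; report each file that does not.
check_banner() {
    src=$1; etc=${2:-/etc}; rc=0
    for f in issue issue.net; do
        if [ ! -f "$etc/$f" ]; then
            echo "$etc/$f: missing"; rc=1
        elif ! cmp -s "$src" "$etc/$f"; then
            echo "$etc/$f: does not match required banner"; rc=1
        fi
    done
    return $rc
}
```

Note that sshd shows /etc/issue.net only when sshd_config contains `Banner /etc/issue.net`, and the console getty expands backslash escapes in /etc/issue (the required text contains none), so confirm the result with a real login.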

Accomplishing All of this Automatically

You can accomplish all of these required steps manually, or you can use the scripts provided by the Computer Center for this purpose.  Using two simple commands, you can complete the entire configuration process at once.

First, you will need to download the RPM package which contains the scripts.  The package is called jlab-config and the most recent version is:

Name                          MD5 checksum
----------------------------------------------------------------
jlab-config-0.8-1.i386.rpm    307344ec4c0fbfadf1200fe7e380a90d

Once you have downloaded the RPM, simply install it and then run the jlab-linux-config command, as shown below.  This example assumes that you have downloaded the RPM file to /var/tmp:

# rpm -ivh /var/tmp/jlab-config-0.5-1.i386.rpm
Preparing... ########################################### [100%]
1:jlab-config ########################################### [100%]
# /usr/local/bin/jlab-linux-config
Checking to see if this system is connected to the JLab network... [OK]
Configuring DNS... [OK]
Setting date and time... [OK]
Configuring the patch service... [OK]

Applying all relevant patches. This may take a VERY long time... [OK]
Updating root's crontab file... [OK]
Configuring rhnsd service... [OK]
Creating the monitoring account... [OK]

JLab Linux configuration complete! Please reboot your machine to make the new
patches take effect.

The /usr/local/bin/jlab-linux-config script will accomplish all of the above tasks.  It will also configure your system to use the JLab DNS servers and send an email to the Computer Center describing some of the machine's hardware and OS configuration data.  After running the script, you should reboot your machine in order to make the new patches take effect.
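The page publishes an MD5 checksum for the jlab-config package but the install example never compares it.  As an added example (not a JLab script), the functions below verify the downloaded RPM against that checksum and only then run the rpm and jlab-linux-config commands shown above; the file path assumes the download location the page uses, and the checksum and package name are the ones from the table for version 0.8-1.

```shell
#!/bin/sh
# Integrity check before installing jlab-config (added example, not a JLab
# script). The expected digest and file name come from the page's table; the
# /var/tmp location follows the page's install example.

JLAB_CONFIG_RPM=/var/tmp/jlab-config-0.8-1.i386.rpm
JLAB_CONFIG_MD5=307344ec4c0fbfadf1200fe7e380a90d

# md5_of FILE: print only the hex digest (md5sum prints "digest  name").
md5_of() {
    md5sum "$1" | awk '{print $1}'
}

# verify_md5 FILE EXPECTED: succeed only when the digests match. The
# expected value is lower-cased so a checksum pasted in uppercase still works.
verify_md5() {
    file=$1; expected=$(echo "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "$file: no such file" >&2; return 1; }
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "$file: MD5 mismatch (expected $expected, got $actual)" >&2
    return 1
}

# install_jlab_config: verify first, then install and run the configuration
# script exactly as the page describes; nothing is installed on a mismatch.
install_jlab_config() {
    verify_md5 "$JLAB_CONFIG_RPM" "$JLAB_CONFIG_MD5" || return 1
    rpm -ivh "$JLAB_CONFIG_RPM" && /usr/local/bin/jlab-linux-config
}
```

A matching MD5 rules out a truncated or corrupted download; it rules out a substituted package only to the extent that the checksum itself was obtained from a trusted page, since MD5 is no longer collision resistant.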
This document is maintained by helpdesk@jlab.org

Copyright Jefferson Lab 2007