JLab Guidelines for Stand-Alone, Multi-User Computer Systems

(Last Revised: April, 2007)

When you register a stand-alone, multi-user computer system at Jefferson Lab (JLab), you are agreeing to the following guidelines. These have been established to ensure the integrity of the systems and data at JLab. Commitment to implementing these guidelines is required in order to connect your system to the JLab network or to obtain an IP address in the jlab.org domain.

Maintaining a stand-alone multi-user system that is not in accordance with these guidelines may result in loss of the privilege to connect to the JLab network.

Applicability

This document applies to all multi-user systems not under the management of the Computing and Networking Infrastructure (CNI) group, the Accelerator Controls Systems Group, or the Human Resources department, including but not limited to systems running any form of UNIX (Linux, Solaris, AIX, HP-UX, IRIX, etc.), Novell or Windows server.
  • Your computer system will be registered in the CNI group's Machine Registration database and will run a CUE-supported OS.
  • The system should have a limited set of login accounts, sufficient only for those registered JLab computer users who need the system to perform their mandated tasks. Each user must have a unique account; there should be no shared accounts. Users must use a secure password and must not use the same password at JLab that they use at any off-site location. This requirement must be stressed to all users to ensure that security intrusions do not spread from other sites to JLab or from JLab to other sites.
  • The secure shell program (ssh) must be installed on the system and all users of the system instructed in its use to prevent the transmission of clear text passwords. Other means of avoiding replayable, clear text passwords during interactive sessions will be considered on a case-by-case basis.
  • DISCUSS WITH BOB -- A monitoring account must be set up to allow routine checks of system and file integrity. See JeffersonLab Host-Monitoring Facility for details.
  • The system should not be trusted by any other JLab computer; i.e., this system's name should not appear in any .rhosts or hosts.equiv file on any other JLab system.
  • Any machine providing network services such as anonymous FTP, Internet Relay Chat, web pages, net news, and receipt of electronic mail must be registered as such with the CNI group. Any machine that is to be visible to the Internet (i.e., will accept connections from the Internet) must request wide-area access.
  • The primary user/system manager is responsible for system configuration, backup, and management and should take action to implement any security measures suggested by the CNI group or by security alerts from such authorized security groups as the CIAC or CERT.
  • The CNI group reserves the right to disconnect this machine at any time from the JLab network if an incident arises, security-related or other, even if the primary contact cannot be reached.