Hardware and Software Installation Policy

Policy Summary

This policy addresses the installation and configuration of hardware and software at SCS and privileged access to those systems. This policy applies to all equipment (software and hardware) supported by SCS and purchased with university funds, be they contract and grant funds or state funds. The Local Systems Committee (LSC) will mediate in situations where there are disagreements regarding the interpretation of the following policy and will clarify an existing policy and/or develop new policy as needed. Questions or concerns regarding the following policy should be sent to the LSC lsc@csit.fsu.edu.

Definitions

• Area Research Server: A computer that serves a specialized research function. This typically refers to computer allocated to or purchased by a particular faculty or staff member. Access to these computers is usually limited to a subset of the SCS community and is usually made via a network connection.
• Personal Computer: A computer used primarily by one individual. This typically refers a computer allocated to or purchased by a particular faculty or staff member. Personal computers generally function as standalone units to which primary access is made via a locally attached keyboard, mouse, and monitor. Personal computers include IBM-compatible PCs, Unix/Linux workstations, and Macintosh machines.
• Floor Desktop Computer: A desktop computer (see above) available on a first come first serve basis or on a scheduled basis in a SCS classroom.
• Floor Network Server: A computer used to indirectly support the research activities of the SCS community. This definition includes machines such as the SCS web, file, and mail servers.
• Floor Research and Training Server: A computer used for research and instructional/training activities that is available to the SCS research community and qualified students on a first come first serve basis. Access to this class of machines is usually made via a network connection.

Guidelines

Purchasing

• The TSG is responsible for purchasing Floor Systems (i.e., Floor Network Servers, Floor Research and Training Servers, and Floor Desktop Computers) and the software installed on these machines.
• Faculty members are responsible for purchasing Area Research Servers, Personal Computers and the software installed on these machines.
• Faculty members are required to inform the TSG of hardware and software purchases so that the TSG can maintain an inventory of software licenses and plan for setup, network, and power resource requirements. Faculty members are required to consult with the TSG prior to purchasing hardware and/or software that will require major changes to the CSIT computer infrastructure (i.e., the network, firewalls, and/or shared file systems).
• To facilitate purchasing, TSG will post (on the web) the machine configurations and software currently in use at CSIT.
• TSG will assist in researching and purchasing hardware and software when faculty members request such assistance.
• TSG will install hardware and software expeditiously.

System Set Up and Configuration

• The TSG is responsible for the setup and configuration of all Floor Systems (i.e., Floor Network Servers, Floor Research and Training Servers, and Floor Desktop Computers). Anyone involved in the setup, configuration, and subsequent administration of Floor Systems will need to coordinate with the TSG.
• The TSG will maintain basic sets of systems configuration images for platforms commonly used by SCS faculty and staff. The standard system images ensure functionality of general services such as file sharing and printing. In addition, the standard images preclude software and system services that are known to be inherently insecure (see below). Faculty and staff with less commonly used platforms should expect to accept greater responsibility for the setup, configuration, and administration of their systems. Faculty and staff are permitted to setup and configure Area Research Servers and Personal Computer provided insecure software is not installed on the system and insecure services are disabled (see below).
• Inherently insecure software and system services will be disabled and/or removed from machines. The LSC is responsible for approving a list of insecure software and services. Ideally, it will be possible to replace insecure software and services with a secure counterpart without the loss of functionality. When it is impossible to find a secure replacement, it may be necessary to move a machine outside of the "trusted" SCS network. TSG will do all it can to accommodate a user's need for a specific application or system service weighed against the need to maintain a reasonably secure general user environment.

Root Access and System Security

Access to root or administrative privileges on SCS machines is controlled by the "sudo" command (Macintosh, LINUX and UNIX systems) or by adding users to administrative groups (Windows systems). Using commands such as "sudo" or assigning users to privileged groups is useful for the following reasons.

Privileged access is allowed for the following people:

• TSG staff and those working with TSG staff to perform system administration tasks on all SCS computers.
• All faculty members are allowed to have privileged access on their Personal Desktop Computers and Area Research Servers.
• Visiting faculty, students working with CSIT faculty, and postdoctoral fellows can have privileged access on their Personal Desktop Computers and Area Research Servers. Privileged access on SCS systems will not be given without the permission of the sponsoring SCS faculty member.
• All others can have privileged access on CSIT machines with sufficient justification. The LSC is responsible for approving requests for privileged access. Faculty and/or staff members responsible for the computer system will agree to the mechanisms and policies governing privileged access.

Privileged access requires the following:

• Agree to the terms given in this policy
• Practice good password management. For example:
  • Password is composed of at least eight letters, numbers and special characters or alternating cases
  • change password regularly
  • do not transmit password in plaine text (e.g., via POP, FTP, RSH, or Telnet)
• On LINUX/UNIX systems do not use the sudo command to run a shell (e.g., “sudo bash”) unless there is no other alternative. Such a practice defeats the purpose of using the sudo command. Continue using the “sudo” command if you have started a root shell.
• Do not use privileged access to log on to a system as another user unless you have first received permission from the user.
• Report system changes to the TSG. TSG will work diligently to restore a user’s system in the event of a system failure; however, if the system has been highly modified and the TSG was not aware of the changes made to the system, then the only option may be to reinstall the host operating system from the standard system image.
• Those persons granted privileged access to work on a “Floor system” must consult with the TSG before making system level changes.
• Do not change the root password on system.
• Do not install software or activate system services that are inherently insecure (e.g., pass plaintext passwords).
• All systems on which faculty and staff have administrative privileges must maintain a TSG privileged account. If the TSG privileged account is used interactively, the owner of the computer will be contacted by TSG as soon as possible. Those using the TSG privileged accounts will use the sudo command whenever executing privileged commands. TSG will consult with the owner of the computer before making major system changes.
• All systems on which faculty and staff have administrative privileges may be periodically scanned for insecure software and services.

Failure to follow these guidelines may result in the loss of privileged access and/or the computer being denied access to basic network services (e.g., printing and NFS to the main SCS file server).

Add a Comment

• Set ALLOWTOPICCHANGE = LscGroup

Last changed: 01 Nov 2005