
Notes from Wednesday's meeting, April 6, 2005



Next meeting is 27 April, Gabrielle moderator

Attending: Gab (next moderator), Jane, Andrew, Sean, Dan, Wes, Kevin,
Katarina (moderating), Marcus

Radmind security & idle sessions (Gabi) (20 mins)
	PLEASE READ, and make note of suggestions/opinions for next meeting:
    * idle timeouts on shells to sixthday (radmind) & console servers (1hour?)
    * 'rootnag' on production servers (root left on at console)
    * suggestion to tweak getty: drop connections based on idle time?
    * reasons to have console open? needed for server management in special
	cases? workarounds?
    * propose some desktop security guidelines
        -> locking screen savers
        -> locked office doors (physical security)
        -> Are older OSs insecure or non-compliant?
    * propose some laptop security guidelines
        -> locking screen savers
        -> locked office doors or bags? (physical security)
        -> Are laptop OSs up to the most secure version?
    * web team deals with this with a policy of "log the heck out" if you
	aren't using the connection
    * bastion hosts (terminator)
    * hosts connected on private networks (physical access to hosts and
	ports?)
    * continuous root sessions to sensitive hosts
    * scope of this discussion
        * radmind server only?
        * include console servers in discussion?
        * this is really a UMCE-wide security question, with some
	solutions to be implemented on a case by case basis
    * Wes, Kevin, and Andrew will solicit input for a policy, and set
	guidelines

Location to store official boot CD ISO images (5 mins)
    * certs, no certs issue revisited. Next gen version should not have
	certs unless they are expiring certs for mass rollouts
    * change log, releases, sym link to track current version
    * retain older versions in case of back out
    * radmind server: for sixthday
       * location: /var/radmind/bootcd (~radmind/bootcd)  --  DONE

LDFLAGS; OpenAFS, GNU, etc (Dan) (5 mins)
    * By default, should we be building our tools with -g and installing
	them without -s?
    * Size bloat an issue?
    * Try catching -s flag as base is built, only turn on debug as needed
    * Evaluate size increases

UMCE hardware testing (Andrew) (5 mins)
	hardware is here to test for AFS/

AFS client & setcrypt (Andrew) (5 mins)
    * users on systems that care about encryption should use:
        - fs setcrypt on, testing with fs getcrypt (fs help setcrypt, fs
	help getcrypt, for help on those commands)
        - otherwise, encryption on AFS clients can be handled on a case by
	case basis

New kernel & new base / re-organization (Wes) (15 mins)
    * build 2.4.30 shared - Kevin, Sean
    * enable SATA options per Michael
    * update system map

* base 1.3.1 testing

    * we should have an official "current" gcc
        - remove old unused versions
        - align ourselves with gcc development efforts
    * Brehm is working on listing the components that are currently in base

Console server load set - octopussy (sp?) (Sean) (5 mins)
    * starting with new hardware - Michael
    * Marcus & Katarina will make octopussy survive reboot
	script out things that need to happen to make the machine
	automatic, and we need to work out a good production loadset