SSCC Linux Configuration Requirements

Running a Linux operating system on a desktop connected to SSCC's network imposes certain security risks for both the desktop and the entire SSCC network. The following paragraph from Step by Step Security for Linux published by SANS (System Administration, Networking, and Security) Institute provides a good introduction to the topic:

"Linux is an "Open Source" operating system which means its source code for the kernel and system utilities is available for download, inspection, and modification. This is a double-edged sword: system developers and ordinary users alike have access to the source code so bugs are found and fixed more quickly; but system crackers have access to the code as well, and they can use this knowledge to develop exploits more rapidly and reliably. This does not make Linux less secure than its proprietary competition. On the contrary, bugs are discovered faster in an open environment, and patches and updates are issued for Linux system software very quickly. Unfortunately, most users install Linux from CD-ROM media that quite often contains vulnerable programs by the time the ink dries on the label. Another unfortunate aspect of installing commercial Linux distributions is that, for ease of use, these Linux systems are configured with most, if not all, network services running immediately after the computer is booted up, and without any access controls in place."

To keep security risks to a minimum, all Linux desktops connected to the building network must meet the following configuration requirements:

  1. The Fedora Core distribution of Linux must be installed. Automatic updates must be enabled via YUM.
  2. Full root access will be provided via sudo. sudo keeps a log of all commands issued as root.
  3. IPTABLES software will be installed on the desktop in order to restrict system access to authorized accounts and IP addresses.
  4. The desktop will be configured to run as few network services as possible. Network services include things like web servers and FTP servers.
  5. The desktop will be configured with multiple partitions in order to keep potential file system problems localized. A typical configuration will have six partitions: /, /boot, /var, /local, /tmp, and swap.
  6. The following monitoring and intrusion detection software will be installed:
    • Logwatch - designed to read syslog files on the desktop and generate events based on the content of the messages.
    • Tripwire - generates a database of cryptographic signatures for important system binaries and configuration files and reports changes in any of these files over time.

Please contact Nancy McDermott, SSCC Director (262-3206), if you would like to run Linux on your desktop. Users planning to run Linux should also read SSCC's Desktop Support Policy.