Computer Security
From BNL Physics Computing
This topic describes elements of BNL security policies relevant to the Physics Department.
Overview
BNL's computing resources are organized into a number of computing enclaves. Each enclave is separated from the others by a firewall and has a specific set of security controls in place. Two enclaves are relevant to the Physics Department:
- Public Enclave
- This consists of publicly available wireless and wired access. Computing in this enclave requires minimal control but only has access to the Internet.
- Research Enclave
- This consists of the bulk of research oriented computing. Computing in this enclave requires a more restrictive set of controls but has access to most of the internal, campus network. The bulk of Physics computing exists in this enclave.
Requirements for operating in the Public Enclave
- Computer Registration
- The first time a new network interface card is seen on the network, its traffic will be diverted so that the user can only reach a registration web page. The user can then open a web browser to any URL and fill out the resulting form.
- Cybersecurity Training
- This is required if the user has a guest or employee appointment. The training page is here.
Requirements for operating in the Research Enclave
For Users
All users of computing have the following responsibilities:
- Cybersecurity Training
- This is required if the user has a guest or employee appointment. The training page is here.
- Incident reporting
- Procedures for responding to and reporting incidents are described here.
- Personal User Agreement
- Read and agree to the agreement found here.
- Password policy
- Follow the Password Policy when using password authentication.
For System Admins
In addition to the user requirements, people with system administration duties have additional requirements that they or their systems must meet:
- Install host based assessment tool
- For Unix-like systems (Linux, Mac OS X, etc.) the Ordo tool must be installed. For MS Windows systems SMS must be installed. In addition, it is strongly encouraged that MS Windows systems are part of the BNL Domain.
- Remediate network based findings
- BNL runs a Nessus network scanner to test all network accessible devices for signatures consistent with known vulnerabilities. System administrators are required to remediate all Medium and High findings.
- Install security patches
- Systems must have the latest security patches installed. Unsupported operating systems are not allowed to connect directly to the campus network.
- System registration
- All devices attached to the BNL network must be registered. This is documented here.
- Login Banners
- All devices must display login banners as described here.
- User eligibility
- System administrators must ensure that all activated user accounts are held by eligible individuals. This can be checked through this web form. The check can be automated; if interested, contact Brett Viren.
Individual groups in the Physics department may have additional requirements beyond those of the Research Enclave.
More Security Related Topics
Other miscellaneous security topics are collected here.
How Tos
Forward Web Server Logs
All external servers must forward their syslogs to ITD/CS. Some web servers do not do this by default. This section gives some configuration guidance.
Apache 1.3 and sysklogd
This is written for Debian systems but should be close to what other distributions need.
Modify /etc/apache/http.conf:
    # Send errors to syslog's local0 facility
    ErrorLog syslog:local0
    # Send normal (access) logs to syslog's local0 facility
    CustomLog "|/usr/bin/logger -p local0.info" combined
    # If you have vhosts, you can use up to local7:
    <VirtualHost vhost1.phy.bnl.gov>
        ErrorLog syslog:local1
        CustomLog "|/usr/bin/logger -p local1.info" combined
        ...
    </VirtualHost>
Modify /etc/syslog.conf:
    # Space between fields is a TAB
    # Send everything to ITD
    *.*	@shadow.phy.bnl.gov
    # But, also keep a local copy
    # ('err' is the standard priority name; sysklogd also accepts the deprecated spelling 'error')
    # Note: a selector matches its priority and everything more severe, so the
    # local0.info rule will also receive the error messages.
    local0.err	/var/log/apache/error.log
    local0.info	/var/log/apache/access.log
    local1.err	/var/log/apache/vhost1-error.log
    local1.info	/var/log/apache/vhost1-access.log
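As an added example (not part of the original page or of BNL's tooling), the following Python checker reads an Apache configuration and a sysklogd syslog.conf and reports any facility that Apache logs to which is not forwarded to the collector or has no local copy, and any rule whose field separator is not a TAB. The sample configurations are constructed to mirror the snippets above; the host name and file paths are taken from them.

```python
import re

# Constructed sample configs mirroring the snippets above (not from a live host).
HTTPD_CONF = """\
ErrorLog syslog:local0
CustomLog "|/usr/bin/logger -p local0.info" combined
<VirtualHost vhost1.phy.bnl.gov>
ErrorLog syslog:local1
CustomLog "|/usr/bin/logger -p local1.info" combined
</VirtualHost>
"""
SYSLOG_CONF = """\
*.*\t@shadow.phy.bnl.gov
local0.err\t/var/log/apache/error.log
local0.info\t/var/log/apache/access.log
local1.err /var/log/apache/vhost1-error.log
"""

def apache_facilities(conf):
    """Facilities Apache will log to, from ErrorLog syslog:... and logger -p ... directives."""
    facs = set(re.findall(r'^\s*ErrorLog\s+syslog:(\w+)', conf, re.M))
    facs |= set(re.findall(r'logger\s+-p\s+(\w+)\.\w+', conf))
    return facs

def syslog_rules(conf):
    """Return (selector, action, separator_is_tab) for each non-comment syslog.conf line."""
    rules = []
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = re.match(r'^(\S+)([ \t]+)(\S+)', line)
        if m:
            rules.append((m.group(1), m.group(3), '\t' in m.group(2)))
    return rules

def check_forwarding(httpd_conf, syslog_conf):
    """List findings; an empty list means every Apache facility is forwarded and kept locally."""
    findings, forwarded, local = [], set(), set()
    for sel, act, tab in syslog_rules(syslog_conf):
        if not tab:
            findings.append(f"rule '{sel} {act}': separator is not a TAB")
        # A selector is 'fac1,fac2.prio;fac3.prio'; '.none' excludes rather than selects.
        facs = {f for part in sel.split(';') if not part.endswith('.none')
                for f in part.partition('.')[0].split(',')}
        (forwarded if act.startswith('@') else local).update(facs)
    for f in sorted(apache_facilities(httpd_conf)):
        if '*' not in forwarded and f not in forwarded:
            findings.append(f"{f}: not forwarded to ITD/CS")
        if '*' not in local and f not in local:
            findings.append(f"{f}: no local copy")
    return findings
```

Run `check_forwarding(open('/etc/apache/http.conf').read(), open('/etc/syslog.conf').read())` on a real host to get the findings for that system.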
