20090306 Meeting Sysadms

Present: Wytze, Philipp D, Iang, Mendel
Opened 17:00 closed 21:30
SM=Security Manual
SP=Security Policy

Misc

Wytze/Mendel to propose to board "we will do this after 7 days unless vetoed":
- separate development machine with CVS tree from webserver into a vserver
- cut off ssh access to webserver for everyone except critical sysadmins, with option for case by case access for support purposes
- (argument: implementation of security policy)
DNS
- should be a decision by sysadm team leaders
- is there a need for a policy line?
- point was that both decision by t/l is needed and authorisation to t/l to move the servers outsourced.
- section added to Security Policy that t/l can outsource the DNS.
- Wytze to define the details in the Security Manual.
- iang to point new section to board.
Security Manual / Security Policy as the document and Contract for all Systems Administrators
- in past, an NDA has been used
- NDA has bad clauses in, but could not be found at time. Mendel to find and advise.
- NDA is some document from the net, mostly not relevant
- Some clauses could be incorporated into SM/SP
- iang to look at NDA.
Question of whether SM/SP applies to Oophaga
- if not then audit cannot apply to Oophaga easily
- which means they either have to be audited separately, differently, or provide an alternate audit.
- Occam's razor says SM/SP should replace security areas in MoU
- in effect, Oophaga and access engineers are under SM/SP.
- generally, the answer is yes
- implementation and contract negotiations would be the next question
some outstanding questions in SM to trace.
- key access
- power control
Need for critical services on a VM/host
- set up a VM/host on Sun4 (the remaining unused Sun)
- DNS primary, SSH hopper
- check allocation of Sun4 and start on it
- Mendel to set up VM/hosting environment
general consensus to shift the non-critical servers out of the rack
- there was an offer for an AMS hosting location
- Mendel to ping Teus
- need to split the Tunix firewalls? Or duplicate them?
- currently the Tunix firewalls are bypassed for crit
- why? Unknown. But make changes slowly.
Discussion of Software Development
- change name to Software Assessment?
- we need a software maillist, Philipp D request to Daniel
- discussion of current code state, difficulties in current code base
- provisional discussion to meet and work out future software development team
- current code base is problematic

Priorities

Before summer, says Mendel:

hop has to be moved
separate the crit / non-crit systems
move webserver behind firewall
password cleanup
- SSH keys for user account access (via hop)
- on crit server, local user passwords for sudo only
- disallow password login for remote users (SSH)
- root password only for console access
- agent forwarding / tunnelling on hop only (otherwise hop has to be critical machine)
- (this part into SM Wytze)

HAR2009

Mendel is "in" the HAR2009 administration
- did CCC last year as well
- rg is on papers committee
- looking for good papers
- Mendel to look at iang's paper
- which had some unpresented sections, and could be updated ...
- other things possible
dates
- camping is available 7 - 17
- tent is available 8 - 16
availability
- tent price is maybe 500, better estimates to follow
- rooms also available, cheaper
- bungalows, 8 bunks, are available for 1500 (includes 1 pass).
tickets
- each 150
- food & drink
- laundry
- transport
coordinate with mendel as to requirements
basic issue is software side
- audit has work budget available for this
- this year is the software development year
- last year was sysadm year
If Mendel doesn't get his "summer priorities" completed, he can't go to HAR!?!?!

Admin

food bill for meeting is euros 80x euros.

Advisory/SysadmMinutes20090306 (last edited 2011-04-30 10:13:21 by UlrichSchroeter)