20090306 Meeting Sysadms
- Present: Wytze, Philipp D, Iang, Mendel
- Opened 17:00 closed 21:30
Wytze/Mendel to propose to board "we will do this after 7 days unless vetoed":
- separate development machine with CVS tree from webserver into a vserver
- cut off ssh access to webserver for everyone except critical sysadmins, with option for case by case access for support purposes
- (argument: implementation of security policy)
- should be a decision by sysadm team leaders
- is there a need for a policy line?
- point was that both a decision by the t/l is needed and an authorisation for the t/l to move the servers to outsourced hosting.
- section added to Security Policy that t/l can outsource the DNS.
Wytze to define the details in the Security Manual.
iang to point the board to the new section.
- Security Manual / Security Policy as the document and Contract for all Systems Administrators
- in past, an NDA has been used
NDA has bad clauses in it, but it could not be found at the time. Mendel to find and advise.
- NDA is some document from the net, mostly not relevant
- Some clauses could be incorporated into SM/SP
iang to look at NDA.
- Question of whether SM/SP applies to Oophaga
- if not then audit cannot apply to Oophaga easily
- which means they either have to be audited separately, differently, or provide an alternate audit.
- Occam's razor says SM/SP should replace security areas in MoU
- in effect, Oophaga and access engineers are under SM/SP.
- generally, the answer is yes
- implementation and contract negotiations would be the next question
- some outstanding questions in SM to trace.
- key access
- power control
- Need for critical services on a VM/host
- set up a VM/host on Sun4 (the remaining unused Sun)
- DNS primary, SSH hopper
- check allocation of Sun4 and start on it
Mendel to set up VM/hosting environment
- general consensus to shift the non-critical servers out of the rack
- there was an offer for an AMS hosting location
Mendel to ping Teus
- need to split the Tunix firewalls? Or duplicate them?
- currently the Tunix firewalls are bypassed for crit
- why? Unknown. But make changes slowly.
- Discussion of Software Development
- change name to Software Assessment?
we need a software mailing list; Philipp D to request one from Daniel
- discussion of current code state, difficulties in current code base
- provisional discussion to meet and work out future software development team
- current code base is problematic
Before summer, says Mendel:
- hop has to be moved
- separate the crit / non-crit systems
- move webserver behind firewall
- password cleanup
- SSH keys for user account access (via hop)
- on crit server, local user passwords for sudo only
- disallow password login for remote users (SSH)
- root password only for console access
- agent forwarding / tunnelling on hop only (otherwise hop has to be critical machine)
(this part into SM Wytze)
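The "before summer" SSH items above amount to a checkable sshd_config policy. The following is an added example, not from the minutes and not CAcert's own tooling: a POSIX sh checker that reads an sshd_config and reports where it departs from that policy (no password login for remote users, root only via the console, agent forwarding and TCP tunnelling on the hop only). The sample config files are constructed for this example, and the function and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the minutes, not CAcert tooling): check an
# sshd_config against the crit/hop SSH policy.  Function and file names
# are assumptions made for this example; the sample configs are constructed.

# Effective value of a keyword.  sshd honours the FIRST occurrence of a
# keyword, so a hardening line appended at the end of the file does not
# override an earlier permissive one.  Match blocks are not modelled.
sshd_value() {
    # $1 config file, $2 keyword (case-insensitive), $3 compiled-in default
    val=$(awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# check_sshd_config FILE ROLE   (ROLE is "crit" or "hop")
# Returns 0 if FILE meets the policy for ROLE, 1 otherwise; prints violations.
check_sshd_config() {
    f=$1; role=$2; bad=0
    # Required on hop and crit alike: keys only, no password path, no root over SSH.
    [ "$(sshd_value "$f" PasswordAuthentication yes)" = no ] ||
        { echo "$f: PasswordAuthentication must be no"; bad=1; }
    [ "$(sshd_value "$f" ChallengeResponseAuthentication yes)" = no ] ||
        { echo "$f: ChallengeResponseAuthentication must be no (PAM password prompt)"; bad=1; }
    [ "$(sshd_value "$f" PubkeyAuthentication yes)" = yes ] ||
        { echo "$f: PubkeyAuthentication must be yes"; bad=1; }
    [ "$(sshd_value "$f" PermitRootLogin yes)" = no ] ||
        { echo "$f: PermitRootLogin must be no (root password is console-only)"; bad=1; }
    # Forwarding and tunnelling belong on the hop; a crit server refuses them.
    if [ "$role" = crit ]; then
        [ "$(sshd_value "$f" AllowAgentForwarding yes)" = no ] ||
            { echo "$f: AllowAgentForwarding must be no on a crit server"; bad=1; }
        [ "$(sshd_value "$f" AllowTcpForwarding yes)" = no ] ||
            { echo "$f: AllowTcpForwarding must be no on a crit server"; bad=1; }
    fi
    return $bad
}

# Constructed sample configs (assumed file names, written to a temp dir).
WORK=$(mktemp -d)
CRIT_GOOD=$WORK/crit-good.conf
CRIT_BAD=$WORK/crit-bad.conf
HOP_CFG=$WORK/hop.conf

cat >"$CRIT_GOOD" <<'EOF'
# constructed sample: crit server behind the hop
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowAgentForwarding no
AllowTcpForwarding no
EOF

cat >"$CRIT_BAD" <<'EOF'
# constructed sample: distro defaults left in place, hardening appended later
PasswordAuthentication yes
PermitRootLogin yes
# appended by a well-meaning admin; ignored by sshd because first match wins:
PasswordAuthentication no
EOF

cat >"$HOP_CFG" <<'EOF'
# constructed sample: the hop, the only place forwarding is allowed
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowAgentForwarding yes
AllowTcpForwarding yes
EOF

for pair in "$CRIT_GOOD crit" "$CRIT_BAD crit" "$HOP_CFG hop"; do
    set -- $pair
    if check_sshd_config "$1" "$2"; then echo "$1 ($2): OK"; else echo "$1 ($2): NOT compliant"; fi
done
```

Run it as-is and the second sample fails on every check, including PasswordAuthentication, because the appended "no" never takes effect. On a live host prefer `sshd -T` (OpenSSH 5.1 and later) to print the effective configuration rather than parsing the file, and remember that ChallengeResponseAuthentication left at its default reopens a password prompt through PAM even when PasswordAuthentication is off.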
Mendel is "in" the HAR2009 administration
- did CCC last year as well
- rg is on papers committee
- looking for good papers
Mendel to look at iang's paper
- which had some unpresented sections, and could be updated ...
- other things possible
- camping is available 7 - 17
- tent is available 8 - 16
- tent price is maybe 500, better estimates to follow
- rooms also available, cheaper
- bungalows, 8 bunks, are available for 1500 (includes 1 pass).
- each 150
food & drink
- coordinate with mendel as to requirements
- basic issue is software side
- audit has work budget available for this
- this year is the software development year
- last year was sysadm year
- If Mendel doesn't get his "summer priorities" completed, he can't go to HAR!?!?!
- food bill for the meeting is 80x euros.