User Security Policies

Every user of ARSC systems can rightfully expect his or her e-mail, programs, data, documents, etc., to be inaccessible to others, secure against arbitrary loss or alteration, and available for appropriate use, at all times.To help achieve this goal of protecting system security, ARSC system administrators reserve the right to routinely examine certain features of user accounts, such as the permissions set on environment files, the contents of specific environment files, and encrypted passphrases. ARSC also reserves the right, in cases of suspected security incidents, to inactivate and examine the contents of user accounts, without prior notification.

Contents

• Scope
• Enforcement
• Idle Timeouts and Session Length
• Security Level
• Security Awareness
• SecurID Cards
• Passphrases (or Kerberos Passwords)
• Access to directories and environment files
  • Account Sharing
  • Non-Home Directory/File Permissions
  • Home Directory Permissions
  • Environment (or "Dot") Files/Directories
  • rhosts policy
  • netrc policy
  • Xauthority policy
  • Executables with SUID/SGID Bits Set
• Non-printing Characters in File Names
• Web-Based Mobile Code
• Viruses and Malware
• Tampering
• International Access
• Sabbaticals & Other Absences

Scope

This policy affects all authorized users of ARSC resources.

Enforcement

A violation of standards, procedures, or guidelines established pursuant to these policies may result in disciplinary action, including loss of system privileges and, in the case of criminal activity, legal prosecution.

ARSC employs several mechanisms to enforce its user security policies, including:

• Contacting the user and asking him/her to correct the problem
• Changing the permissions on the user's home directory to 700
• Inactivating accounts on individual ARSC systems
• Disabling Kerberos access to all ARSC systems
• Resetting the user's passphrase (Kerberos password) to its default
• Inactivating and/or recalling the user's SecurID card

Idle Timeouts and Session Length

In order to minimize the exposure of remote login sessions to session hijacking vulnerabilities, ARSC has instituted a timeout daemon that limits both the total amount of time a user can stay logged in to a system and the amount of time that a login session can be idle*.

• The maximum amount of time a user can remain remotely logged in to an ARSC system is 24 hours. This limit is regardless of whether the login session is active or not. All login sessions will be automatically closed when they have been open for more than 24 hours.
• Login sessions will also be automatically closed if a user is idle for more than 4 consecutive hours.

Notes:

- All ARSC systems that provide remote login services (such as ssh or krlogin) will have the timeout daemon running
- The first 6 hours of a login session are considered a grace period. Sessions will not be checked for idle time during the first 6 hours.
- Console logins are not subject to either the 4 hour idle limit or the 24 hour total session limit. Only remote logins will be limited
- Users that need to extend the maximum login time to beyond 24 hours (for example, on the SGIs for a rendering session) will need to contact the ARSC Help Desk

* From the man page for the timeout daemon tool:

"A session is considered idle if it has not received any tty activity (i.e. the user hasn't actively sent any data or
typed any commands, and the system hasn't sent any data back to the user)."

Security Level

ARSC operates an unclassified and non-sensitive computing environment. Do not introduce classified or sensitive work on ARSC systems.

Security Awareness

Report your suspicions. For instance, if a file in your directory seems to have changed, but you don't remember having changed it, contact User Services.

SecurID Cards

To protect the security of your account and the system in general, please guard your SecurID Card as closely as your driver's license and memorize your PIN.

Security Requirements Concerning SecurID Cards

• Don't let anyone else use your SecurID Card.
• Don't share your PIN, write it down, or let anyone see it as you key it in.
• If you misplace your SecurID Card:
  • And it was issued by ARSC:
    Contact ARSC User Services (phone: 907-450-8602 or e-mail: ) immediately. We can provide you with temporary access to your account and block anyone else who might attempt to use your card.
  • And it was issued by another HPCMP DSRC or DC:
    Contact the center that issued your card. If you deem it necessary, you may also contact ARSC, where we can temporarily deny any access to your accounts.
• If your PIN number is compromised, contact ARSC or the center that issued your card. With our or their assistance, you may generate a new PIN number.

Passphrases (or Kerberos Passwords)

Please read the following requirements for your Kerberos password (or passphrases). For suggestions on choosing a good passphrase, see our passphrase guidelines document.

Passphrase Requirements

• Passphrase (Kerberos password) length: passphrases must be at least nine characters long. (They may be up to 255 characters long, however, and we encourage you to use at least 24 characters.)
• passphrase composition:
  • At least two characters must be alphabetic (A-Z, a-z).
  • At least one character must be non-alphabetic (digits, punctuation marks, symbols, etc.).
  • The characters in your new passphrase must differ from those in your old passphrase in at least three positions. For comparison purposes, an uppercase letter and a lowercase letter are considered equivalent.
  • Your passphrase may not be any reverse and/or circular shift of your userid.
• passphrase aging: passphrases must be changed at least every six months.

Enforcement

To enforce the above requirements, ARSC analysts periodically run passphrase cracking programs. If your kerberos passphrase is vulnerable, we will attempt to contact you to change it. If you are unreachable, we will reset it and/or inactivate your account.

If you feel that your default passphrase has been compromised, contact User Services immediately and we will issue you a new one.

Access to directories and environment files

While collaboration is important, and we would like to make it as easy as possible, the following policies are designed to:

• Ensure access is only given to the parties intended
• Keep access to an account (and its environment) solely in the hands of its owner

Account Sharing

You may not share your account with anyone under any circumstances.

This requirement makes every user solely accountable for all actions from his or her account. Two examples of account sharing are listed here, both are considered violations:

• passphrase sharing
  Don't give anyone your SecureID Card, PIN, and Kerberos password.
• .rhosts file
  Don't give anyone, other than yourself, rlogin permissions via your .rhosts file. (Please review the .rhosts files policies for details. )

Please note that appropriate methods for sharing data exist, such as project accounts and group access granted by Unix permissions. Contact us for assistance.

Non-Home Directory/File Permissions

(This section does not apply to home directories, which are a special case. For our home directory policy see the following section.)

Permissions in Unix grant three types of access (read,write,execute) to three different groups (account owner,people in the same group,the world). Giving write access to the world is incompatible with the concept of a secure system.

World-write permissions are not allowed on any directories or files in any area of your account. World-write permissions are automatically removed from all user files and directories on all filesystems. Files and directories with world-write permissions:

• increase the risk of an unauthorized person adding files, modifying file contents, or deleting data.
• decrease our ability to maintain overall data integrity
• are unnecessary in all but a very small set of cases

Group permission grants access to a known set of users. As this implies a far greater level of control, this is the recommended method of collaboration. Quite frequently read (and possibly execute) group permission is all that is required. However, when members of a group are trading information (a two-way interchange, as opposed to a one-way dissemination) granting group-level write permission for a specific group of files within the subset of directories that must be write-enabled should be sufficient. This exposes your data to change by a known set of people. We will be glad to work with you to manage group memberships.

Home Directory Permissions

Your home directory must never be group-writable or world-writable. This is a special case because those who can make changes in your home directory can do so many things to destroy the integrity of your account. However, group-read or group-execute permission is acceptable. Collaborators may read the contents of your home directory (with the exception of the dot files listed below) and they may cd through to subdirectories with the appropriate permissions.

Environment (or "Dot") Files/Directories

Because of the potential security risk presented by environment, or "dot" files, ARSC routinely checks the permissions set on all .login, .profile, .cshrc, .kshrc, and other such files to see that they are safe.

Environment files are executed automatically as a consequence of some normal, frequent activity on your part (like logging on). They are a prime target for anyone trying to compromise your account. Thus they must never be group-writable or world-writable. Also, symbolic links that take the place of dot files are not permitted. Further restrictions are described in the table below.

We will attempt to contact you to make the required permission changes in the case of a violation of these dotfile policies. However, because of the seriousness of the exposure that some permissions can impose on the entire system, your account may be inactivated without notice until you call User Services to acknowledge the required change.

rhosts policy

.rhosts files are unnecessary. We recommend the use of ssh and the Kerberized versions of the various r-commands (krlogin,krcp, etc.) instead of the commands which utilize the .rhosts file.

If .rhosts files are used, ARSC policies are:

• .rhosts files may give access only between ARSC systems.
• Host names must be fully qualified domain names, e.g., "system.arsc.edu"
• The userid in the .rhosts file must match the login id of the home directory that contains the .rhosts file.
• .rhosts files must not be writable by anyone: not even the owner.
• file permissions must be 400 or 440.

netrc policy

.netrc files contain login information and configuration data for ftp access to remote machines. When ftp opens a connection to a specified remote machine, it checks for this file in the user's home directory on the machine initiating the file transfer.

ARSC policies on .netrc files are:

• no passwords are permitted in .netrc files unless the username is "ftp" or "anonymous."
• users may not maintain passwords for ARSC systems in .netrc files stored on other computers

Xauthority policy

An .Xauthority file contains keys (magic cookies) used by xauth to authenticate X Window System requests to initiate processes on remote systems. If someone could read this file, they could obtain a key and circumvent the security provided by xauth.

ARSC policies on .Xauthority files are:

• The file permission for the .Xauthority file MUST be 600.

Executables with SUID/SGID Bits Set

When a user executes a file that has the SUID bit set, the program runs with the system access permissions of the user who owns that program and not with the permissions of the user who executed it. Similarly, setting the SGID bit causes programs to run with the group permissions of the file's owner. While this behavior is needed to give root permissions to specific files, it can create security problems when used on a regular user file. Thus, ARSC policy does not permit the SUID and/or SGID bits to be set for regular, user files.

ARSC periodically runs tools to check for the presence of SUID and SGID files. We will contact you if these tools find any SUID or SGID files that are owned by your account and assist you in removing those permissions.

Non-printing Characters in File Names

Non-printing characters, such as ASCII codes for RETURN or DELETE, are occasionally introduced by accident into in file names.

They present a low-level risk to system security and integity, and are disallowed.

They cause problems retrieving files from system backups, and with scripted verification. Almost invariably, they cause confusion for the owner and group owners of the file, who have trouble renaming, deleting, or using the files because the file names simply aren't as they appear to be.

Techniques for dealing with non-printing characters are described in ARSC's "How-To" document, Removing Non-printing Characters from File Names.

Web-Based Mobile Code

Due to regular security issues with web-based mobile code technologies (e.g. Java Applets, Javascript, etc.), ARSC recommends that these technologies be disabled by default when browsing the web. These technologies should be enabled as needed when accessing trusted websites.

Viruses and Malware

ARSC periodically scans systems for viruses and malware. If viruses or malware are detected on an ARSC system, ARSC will quarantine the suspected file(s) and then notify the owner of the file(s).

Tampering

Do not try to break passphrases, tamper with system files, look into anyone else's directories, or otherwise abuse the trust implicit in your account. Your privileges do not extend beyond the directories, files, and volumes which you rightfully own or to which you have been given permission.

International Access

Access to ARSC systems from locations outside of the US requires that an international access form be filed with ARSC. This form must be processed prior to using ARSC systems outside of the United States.

Sabbaticals & Other Absences

You may not let your account sit idle for extended periods of time. Log on every two weeks, and do basic user maintenance, particularly, changing your passphrase and checking for suspicious activity. If this is not possible, contact User Services to inactivate your account during your absence.

Enforcement

ARSC enforces this policy by inactivating accounts after 90 days without user activity.

An inactive account is unchanged except that the owner will not be able to access it. When you try to log onto an inactive account, you will be given a message to contact User Services and will then be logged out. To reactivate your account, contact User Services.

Arctic Region Supercomputing Center
PO Box 756020, Fairbanks, AK 99775 | voice: 907-450-8600 | email:

home | search | about | support | news | science | resources