User administration

1
User administration

• Location
• Find a suitable directory where the users' home
  directories will go (with 100 hosts)
• /site/machine/home
• Decide also where you place software and local
  solutions
• /site/machine/local
• Making accounts
• We need a plan for user registration
• Will everyone have the same account on every host
• Will everyone have the same disc space on every
  host
• Centralized accounts
• Easier to administrate
• Easier to attach actions if they always have the
  same identity (responsibility).
• Easier for the users to understand if they always
  see the same login environment

2
Man vs machine routine tasks

• User demands on the system
• Now we will look at how to protect the well-being
  of the system as a whole and how to oppose the
  activities of selfish users
• Every system has a mixture of passive and active
  users
• Passive users
• They don't really follow what is going on
• Sometimes they don't even know what files they
  have and they seldom make demands other than when
  things go wrong
• Active users
• They follow everything that happens
• They find every error in the system and report it
  to the system administrator(s)
• They demand upgrades of their favourite programs
• System administrator
• Find a balance which address users' needs but
  which keeps the system stable
• Upgrades may annoy users and hinder them in their
  work

3
Man vs machine routine tasks

• Checklist for system policy and config
• Will your setup survive a reinstallation of the
  operating system?
• Is the system easy to understand?
• User freedom vs system security
• Will the network survive if one of your100 hosts
  go down?
• Are you opening any back doors or loopholes which
  would allow a break-in
• Would the same setup work if you had several OS
  types (heterogeneous)?
• Do all users understand their responsibilities in
  relation to the network community?
• Are we observing our responsibilities with
  respect to the larger network community?

4
Network management technologies

• SNMP management
• Simple Network Management Protocol
• A read-write-notify protocol for managing network
  devices like printers, switches and routers that
  have no advanced logic
• Can be used to monitor a router miles away about
  statistics as load, rejected packages
• Can be used to monitor software systems on any
  host

5
Formalizing a system policy

• cfengine
• A software robot which is used in many Unix
  networks.
• Different from many software packages in that it
  is a framework for building one's own solutions
  rather than being a solution in itself.
• Gives hosts a primitive immune system
• Can define and implement a system policy in a
  single file for the whole network
• Interprets rules and decides what needs to be
  done on each host.
• cfengine advantages
• There is only a single place to make changes.
• Changes are automatically documented by writing
  rules in the file.
• We can make abstract rules which model the way
  people think.
• We have the same amount of work to do whether we
  have one or one thousand hosts

6
Formalizing a system policy

• cfengine configuration files
• Our system configuration and policy is coded in a
  set of files in the directory /iu/nexus/local/gn
  u/lib/cfengine/inputs
• This complicated name is kept in the environment
  variable CFINPUTS
• cfengine.conf The main file
• cf.main Definitions and resources
• cf.site Local policy
• cf.services Stuff about network services
• cf.users User policy
• cf.solaris Operating system patches
• cf.linux

7
Formalizing a system policy

• cfengine syntax
• The syntax of the files is made up of definitions
  which are subdivided into targets or recipients
• control
• definitions
• rule-type
• class/target
• rule...
• rule...
• The rule type tells us that the rule is about,
  e.g.
• copy - Copying of files
• file - File permissions
• tidy - Tidying of garbage
• mount - Network disks...

8
Formalizing a system policy

• cfengine syntax
• Classes tell us which hosts the rules apply to,
  or the time at which the rules should be
  performed. Classes may consist of
• Host name
• Groups of hosts
• The time of day
• OS type
• other...

9
Formalizing a system policy

• cfengine syntax
• Classes tell us which hosts the rules apply to,
  or the time at which the rules should be
  performed. Classes may consist of
• Host name
• Groups of hosts
• The time of day
• OS type
• other...
• cfengine classes
• Classes can be combined with the help of logical
  operators
• . AND
• OR
• CLASS APPLIES TO
• Hr00Hr12 Any host at 0000 hrs
  or at 1200 hrs
• (solarislinux).Hr00 Solaris or links hosts
  at 0000 hrs
• solaris.linux No hosts! (No hosts
  are both solaris and linux!)

10
More about httpd.conf

• Extra access control in a file called in every
  directory
• AccessFileName .htaccess
• .htaccess (inside it)
• order deny,allow
• deny from all
• allow from .domain.country
• or
• .htaccess (inside it)
• order deny,allow
• deny from all
• allow from 128.39.89. 128.39.74.