Linux Desktop Support 2.0

Plans for next generation linux desktop support.

Desktop Linux Distributions supported at SLAC

1. Ubuntu 16.04 LTS, codename "Xenial Xerus"

   1. Long term support (LTS) releases are for 5 years. 

   2. 16.04 = YY.MM of release date (released April 2016)
   3. End of Life date is April 2021

   4. It is possible to upgrade (complete reinstall not required) from one LTS distro to the next (eg, 14.04 -> 16.04)

2. CentOS 7
   1. 10 year support lifetime
   2. End of Life date is June 2024
   3. Red Hat sponsors the CentOS project: in 2014 CentOS officially joined forces with Red Hat
      
      

Desktop Linux Authentication Configuration

• Windows Active Directory will be used for authentication
• This aligns with the SCS long term plan to reduce dependence on Unix Heimdal Kerberos
  
  

Security Services/Features needed, based on SLAC MinSec

These will be configured using Chef Configuration Management and Compliance scanning/reporting

1. Anti-virus Software
   1. Install and configure ClamAV (optional, since not in moderate enclave)
2. Application Patches
   1. Configure automatic updates for Applications via apt/yum config
3. Authentication
   1. Global account authentication policy handled by Active Directory
   2. Use Chef Compliance to scan for any enabled insecure protocols such as telnet and ftp
4. Logging
   1. Configure syslog to log to central syslog server, and enable logging locally to /var/log/everything
5. Network Services
   1. Check for inappropriate network services via Chef Compliance
6. Operating System Patches
   1. Configure automatic updates for OS patches via apt/yum 
7. Passwords
   1. Configure local password quality checks and policies (expiration time, etc) according to SLAC password policy
   2. Global account password policy handled by Active Directory
8. Baseline Security Configuration
   1. CIS Level 1 Workstation Profile will be used (modified where appropriate)
   2. Chef Compliance scanning can report on compliance level for our baseline
   3. PDFs are available for the CIS Benchmarks for Ubuntu 16.04 and CentOS 7
9. Training
   1. No additional changes needed (same SLAC Training Assignments are required)
10. Security Scanning
    1. Local scanner account will be enabled to allow authenticated Nessus scans by Cyber Security team
11. Banner
    1. The SLAC DOE login banner will be configured
       
       

Additional Operating System Configuration needed

These will be configured using Chef Configuration Management and Compliance scanning/reporting

Reference Documents

• Published SLAC Policies and Governance SLAC Controlled Documents page:
  https://docs.slac.stanford.edu/sites/pub/Pages/SLAC_Policies.aspx
  
  

• Minimum Security Requirements for Computing
  https://docs.slac.stanford.edu/sites/pub/Publications/701-I02-001-00_Min_Sec_Req_for_Comp.pdf
  
  

• Configuration Management Procedures in the SCS twiki:
  https://novel.slac.stanford.edu/twiki/bin/view/SCCS/ConfigurationManagement

   

• SLAC Password Policy
  http://www2.slac.stanford.edu/computing/security/password/passwordpolicy.htm

   

• CIS Benchmarks
  CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0.pdf
  CIS_CentOS_Linux_7_Benchmark_v2.1.1.pdf
  CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v2.1.1.pdf
  CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v2.0.2.pdf
  CIS_CentOS_Linux_6_Benchmark_v2.0.2.pdf