Self-Managed Machine Responsibilities

The goal of this document is to educate prospective users of the trade-offs involved in having a self-managed Linux machine. The CLAS Linux Group provides various levels of support for Linux machines. Full details can be found under the Linux Support Policy page.

To summarize, there are three tiers of support offered by the CLAS Linux Team:

  • Self-administered. User does OS load, user installs and maintains software and patches.
  • Self-administered with CLAS Linux Group load. CLAS Linux Group to provide image-based initial load. Primary user must install and maintain all software (CLAS Linux Group) may be requested to perform OS patching.
  • CLAS Linux Group-administered. CLAS Linux Group has exclusive root/administrator privileges. CLAS Linux Group is responsible for software updates, patching and maintenance.

What responsibility am I taking by choosing to self manage my machine?

  1. Administration. You are the administrator. Research and maintain OS patches to ensure the device is patched and rebooted (or choose a semi or fully managed support offering).  Comply with ALL of the UI Core Security Standards.
  2. Comply with the UI Backup and Recovery Policy. The easiest way to comply with this is to store all of your work on the CLAS Linux file server (See Appendix 1 for details). Otherwise, there are requirements for off site storage and minimum retention policies.  Backup any applications, data or configuration data. CLAS Linux Group does not perform client backups, though we can be contracted for this service.
  3. Install and configure all 3rd party hardware. Diagnose hardware compatibility issues and recover from hardware failures including data recovery.
  4. Ensure system does not become compromised and reload the machine should it become compromised including coordination with ITS on port re-enablement. This involves regularly reviewing your systems log files (syslog or windows event log). Remember, there is no firewall at the University. All systems and their TCP/IP ports are accessible from the Internet.  Remediate any security issues the IT Security Office finds from their security scanning tool.  
  5. All license agreements must be reviewed and approved by the technology review process.
    • Acquire, install, configure, and maintain all software applications and the OS. Acquire software from ITS software central site for the software. Licensing and configuration will be the user’s responsibility.
  6. Configure networking including name resolution (DNS) and default route. See Appendix 1 for details.  Configure the firewall and harden the system shutting off all unnecessary services, restricting access via IP. See Appendix 1 for details. Do this before you connect to the network otherwise there is a good chance your machine will be infected before you even finish the load if it is running a Windows operating system!
  7. Comply with Board of Regent guidelines on Log Retention  (minimum, & maximum per log type).
  8. Samba mount the file shares to access your home directory. See Appendix 1 for details.
  9. Optionally configure your mail client.
  10. Create/maintain print queues. See Appendix 1 for details.
  11. User account administration. Create and maintain user accounts for the system in accordance with the Enterprise Password Policy and Enterprise Authentication Policy

ITS has their own version of this document here.  Use it as a means of assessing your information security and to identify areas you can improve. More items completed translates to less institutional and personal risk.

Appendix 1

How do I set-up a mount point to my home directory?

For Linux please see the instructions at: Remote File Access from Linux.
For MacOS please see the instructions at: Remote File Access from MacOS.
​For Windows please see the instructions at: Remote File Access from Windows.

How do I set-up print queues?

What is the DNS, networking, and routing information needed to configure my system?

# cat /etc/resolv.conf
search divms.uiowa.edu cs.uiowa.edu math.uiowa.edu stat.uiowa.edu chem.uiowa.edu campus.divms.uiowa.edu psychology.uiowa.edu uiowa.edu
nameserver 128.255.64.11
nameserver 128.255.1.8
nameserver 128.255.64.5
nameserver 128.255.1.3
nameserver 128.255.64.3
options rotate
options timeout:1

The default router for MLH is 128.255.44.1 and for SH is 128.255.132.1. The subnetmask for MLH is 255.255.254.0 and for SH is 255.255.255.0 .

Setup NTP (network time protocol).  Here's some campus NTP servers that can be used:

server ntp1.uiowa.edu
server ntp2.uiowa.edu
server ntp3.uiowa.edu

What do you mean by "harden my system"?

For a general overview on security, visit https://itsecurity.uiowa.edu/resources/everyone/self-managedcomputers for minimum security steps. For details on hardening Linux, see https://itsecurity.uiowa.edu/securing-your-linux-system. For Linux, this as a minimum would involve creating a root password that is long and hard to remember, disabling all inetd services not required and setting up your /etc/hosts.allow and /etc/hosts.deny. Here is an example of the /etc/hosts.deny and /etc/hosts.allow:

# cat /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
sendmail: 127.0.0.1
sshd: .uiowa.edu
# cat /etc/hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
ALL: ALL