UNIX System Administration Handbook - Evi Nemeth [463]
• An availability policy that describes when the system is supposed to be up, lists scheduled maintenance times, gives instructions for reporting problems, and sets expectations regarding response times.
• A maintenance policy that includes rules about outsourcing and specifies procedures for giving access to third-party maintenance personnel.
Noticeably missing from the RFC2196 list is an authorization policy that specifies who can authorize new accounts and extended privileges. The original Site Security Handbook, RFC1244, contained lists of concrete issues rather than types of policies, which might be a bit more useful from the sysadmin’s point of view. The newer RFC includes recommendations for each type of service a machine might run and describes the problems of the services and potential solutions.
Whatever policies you adopt, they must be explicit, written down, understood, and signed by all users and sysadmins. Enforcement must be consistent, even when users are customers who are paying for computing services. Failure to apply policies uniformly weakens their legal and perceived validity.
User policy agreements
At the University of Colorado’s computer science department, user policy is delivered in the form of an initial shell that prints the policy and requires users to agree to and “sign” it before they can get a real shell and use their accounts. This scheme saves time and hassle, but check with your own lawyers before implementing it at your site.
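The mechanism described above, a gate login shell that prints the policy, demands explicit agreement and only then hands over a real shell, is easy to build in plain sh. The script below is an added example written for this edition, not the book's code and not the University of Colorado's actual implementation. The file paths, the marker file kept in the user's home directory, the agreement phrase and the /bin/sh fallback are all assumptions; adjust them for your site.

```sh
#!/bin/sh
# policy-shell: a "gate" login shell of the kind the text describes.
# Added example, not the book's or the University of Colorado's code.
# Installed as the account's login shell (the shell field in /etc/passwd),
# it prints the policy, requires explicit agreement, records the agreement,
# and then execs the real shell.  All paths below are assumptions.

POLICY_FILE="${POLICY_FILE:-/etc/usage-policy.txt}"      # assumed location
ACCEPT_MARKER="${ACCEPT_MARKER:-$HOME/.policy-accepted}" # per-user marker (assumed)
REAL_SHELL="${REAL_SHELL:-/bin/sh}"                      # shell the user really gets

# Digest of the policy text: CRC and byte length from POSIX cksum(1).
# The marker stores this value, so a revised policy must be agreed to again.
policy_digest() {
    cksum "$1" | awk '{ print $1 "-" $2 }'
}

# True when the marker file ($1) exists and matches the current policy ($2).
policy_accepted() {
    [ -f "$1" ] || return 1
    [ "$(cat "$1")" = "$(policy_digest "$2")" ]
}

# Write the digest of policy ($2) to the marker file ($1), readable only by
# the owner.  The subshell keeps the umask change from leaking out.
record_acceptance() {
    (umask 077 && policy_digest "$2" > "$1")
}

# Print the policy ($1) and read the answer from stdin.  Only the exact
# phrase counts as agreement; EOF (^D) or any other text is a refusal.
ask_agreement() {
    cat "$1"
    printf '\nType "I agree" to accept these terms, anything else to log out: '
    IFS= read -r answer || return 1
    [ "$answer" = "I agree" ]
}

# The login flow.  INT/QUIT/TSTP are ignored while the question is pending
# so that the only ways past the prompt are agreeing or refusing; a stopped
# login shell with no job control would otherwise just hang the session.
policy_login() {
    trap '' INT QUIT TSTP
    if ! policy_accepted "$ACCEPT_MARKER" "$POLICY_FILE"; then
        if ! ask_agreement "$POLICY_FILE"; then
            printf '\nPolicy not accepted; logging out.\n' >&2
            exit 1
        fi
        record_acceptance "$ACCEPT_MARKER" "$POLICY_FILE" || exit 1
        # The syslog line is the durable record; the marker in $HOME is a
        # cache the user could write by hand, so never treat it as evidence.
        logger -t policy-shell \
            "$(id -un) accepted policy $(policy_digest "$POLICY_FILE")" \
            2>/dev/null || true
    fi
    trap - INT QUIT TSTP
    exec "$REAL_SHELL" -l
}

# login(1) starts a login shell with argv[0] prefixed by '-'.  Only in that
# case, and only on a terminal, does the flow run; when the file is merely
# sourced or run by hand the functions above are just defined.
case "$0" in
    -*) if [ -t 0 ]; then policy_login; fi ;;
esac
```

Two practical notes. The wrapper only gates paths that go through the login shell; ftp, sftp subsystems, forced ssh commands or cron jobs started for the account never see it, so it is a way to obtain the "signature", not a way to restrict the account. And because the marker lives in the user's own home directory, the evidence that a given user agreed to a given version of the policy is the logged line, not the marker; ship that log somewhere the user cannot edit.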
Here are some explicit issues that should be addressed in a user policy agreement:
• Sharing accounts with friends and relatives
• Running password crackers on the local passwd file
• Running password crackers on other sites’ passwd files
• Disrupting service
• Breaking into other accounts
• Misusing or forging electronic mail
• Looking at other users’ files (if readable? writable? invited?)
• Posting to Usenet (never? with a disclaimer? any time?)
• Importing software from the net (never? always? if the user checks?)
• Using system resources (printers, disk space, modems, CPU)
• Copying licensed software
• Allowing others to copy licensed software
• Copying copyrighted material (music, movies, etc.)
• Conducting illegal activities (fraud, libel, etc.)
• Engaging in activities illegal in some states but not in others (e.g., porn)
Two sample policy agreements are included on our web site, www.admin.com. One is aimed at undergraduate students in a laboratory where a login is a privilege and not a right. It is the more militant of the two. The other document is for faculty, staff, and graduate students.
As an example of a short and simple policy agreement, we here include the agreement that the computer science department at the University of Melbourne requires students to sign in order to use the university’s computers:
I, the undersigned, HEREBY DECLARE that I will abide by the rules set out below:
• I will use the Department’s computing and network facilities solely for academic purposes directly related to my study of Computer Science subjects.
• I understand that the Department grants computer accounts for the exclusive use of the recipient. Therefore, I will not authorise or facilitate the use of my account or files by any other person, nor will I divulge my password to any other person.
• I will not access, or attempt to gain access to any computer, computer account, network or files without proper and explicit authorisation. Such access is illegal under State and Federal laws, and is contrary to University regulations. I will inform the Computer Science Office immediately should I become aware that such access has taken place.
• I understand that some software and data that reside on file systems that I may access are protected by copyright and other laws, and also by licenses and other contractual agreements; therefore, I will not breach these restrictions.
• I will not use University facilities for obtaining, making,