 |
||
 |
||
 |
||
 |
||
 |
||
 |
||
 |
||
 |
||
Sudo Agreement
Computer Facilities Usage Agreement -- Privileged Access
Department of Computer Science -- University of Colorado
The purpose of this agreement is to maintain a secure computing environment for all users. CSops has the authority to disable logins immediately and take additional disciplinary action, including termination, for failure to comply with this agreement. The department must be strict in these matters, because the integrity and security of its computing resources is critical for the research and instructional activities of the faculty, staff, and students.
1) Privileged access to any system is to be used only for the purpose it was given. Use of privileged access for any unauthorized purpose is expressly prohibited. This expressly forbids activities such as accessing other users' files or performing any system commands as a privileged user that are not necessary for conducting CU/CS related work or research. In responding to user questions, it is appropriate to access the data minimally necessary to resolve the problem.
2) Any account which has privileged access by virtue of sudo or special groups (staff, source, etc) is considered a privileged account. All privileged accounts (this means yours since you are signing this) must be protected as follows:
- Password must be changed at least once per semester (2x/year) and immediately if guessed by a password cracker or seen by another person, even partially.
- Password must be sufficiently difficult to guess and must be different on non-cs machines (some sites do archive passwords used).
- Passwords or use of the account must not be given to anyone under any circumstances. "Window borrowing" is acceptable provided it is completely supervised by the lender, or the lender has very good cause to completely trust the borrower.
- ~/.rhosts must not contain any non-cs hosts; all entries must be fully qualified (except on those machines that don't yet understand).
- Information gained by privileged access is privileged and should not be given to any non-privileged user.
- Root shells are not appropriate unless absolutely necessary. When a root shell is used, use sudo to log commands you do as root.
3) These facilities may only be used for lawful purposes. Use of privileged access for transmission of any material in violation of any US or state regulation is prohibited. This includes, but is not limited to: copyrighted material (unless authorized by the copyright holder), threatening material, or material protected by trade secret.
4) When users make changes to their machines, it becomes impossible for CSops to perform system upgrades, distributions, and regular maintenance, as we cannot predict how they will interact with unknown changes made outside of CSops. The only way we can effectively manage hundreds of machines (more than 350 hosts, and growing) with a comparatively small staff is by making things as homogeneous as possible, and ensuring that a machine's *personality* is either logically separate from its generic components, or well documented.
Therefore,
All permanent state changes to a machine must be implemented by CSops, and users should not make any changes to the filesystem outside of their research group directories. In cases of real EMERGENCY, a change may be made immediately. However, the change MUST be discussed with CSops as soon as possible, at which point it will be decided whether the change will remain.
In reality, CSops is held accountable for the security, functionality, and interoperability of a very large installation of computing resources. CSops cannot live up to this accountability without control over the changes to these resources. In the past we have tried the 'You break it, you fix it approach'. However, this has not worked because no matter how many times people are warned, when someone breaks something and they do not know how to fix it, in the end it becomes our responsibility.
5) This agreement is in addition to the agreement governing general use of accounts.
I understand and will abide by the above terms and conditions for use of these facilities. If the propriety of any situation is unclear, I will ask for clarification from the CS Ops committee rather than making assumptions. I understand that my sudo privileges may be revoked if the terms and conditions are not adhered to.
Login: ______________________ Printed name: ______________________ Signature: ______________________ Date: ______________________
 |
|
|
|
|
| Unix System Administration Handbook | | Linux Administration Handbook |
Hosting for admin.com provided by Applied Trust Engineering.  |
|
|
|