Standard Security Environment
Standard CSAIL Linux security practices
minimum password complexity:
-
Minimum password length: 8
-
Minimum number of password character classes: 2
-
Password must not contain username (or vice versa)
This policy is being altered for alignment with NIST SP800-63B v. 4. When the new policy is fully rolled out, we will require:
-
Minimum password length: 15
-
Password must not contain username (or vice versa)
-
No other requirements on password contents
This can be increased per user, however we have no automated way of enforcing non-default policies on new account creation.
Per-host failed ssh connections:
Reactive port filtering blocks remote hosts by IP after 4 failed ssh Reactive port filtering blocks remote hosts by IP after 4 failed ssh authorization attempts within 20min (may be for one user or four different users). Lock clears at minimum of 7 minutes of last failed attempt.
System wide failed password attempts:
To prevent distributed password guessing across a large number of connected systems individual password authentication is centrally blocked using the following policy:
-
Maximum password failures before lockout: 16
-
Password failure count reset interval: 0 days 00:10:00
-
Password lockout duration: 0 days 00:30:00
this policy is also configurable given same caveats as password complexity above.
Linux security patches:
Any vendor updates marks as “security updates” are automatically applied daily and at reboot. Systems are not automatically rebooted for kernel patches though the message of the day displayed on login is updated to indicate if there is a “reboot needed”. Optionally a class of system could be configured to reboot either as soon as kernel updates happen or at a given time of day if a kernel update has been applied.
Physical access
CSAIL Physical access
Server rooms in Stata are prox card controlled cabinets are locked but keying is common (all keys open all racks). After business hours there are two more locked prox carded doors, but during the day these doors are unlocked.
MGHPCC Physical access
It is strongly recommended secured data be stored in MGHPCC
CSAIL also has server space in the Massachusetts Green High Performance Computing Center (MGHPCC https://www.mghpcc.org) which has extensive physical security and access controls, which unfortunately require a facility access account to even see, but the short version is:
There’s a security desk which checks identification against an restrictive access list to check out the following keys:
-
Tenant IT Access: This electronic key operates all the doors necessary to allow a visitor to get into the Computer, IT Staging and Recycling rooms. This key ring also operates the passenger and freight elevators.
-
Cabinet Keys: These keys open cabinets in the computer room.
-
Pod Keys: These keys control the doors at the end of pods.
TIG (or most of TIG) has access. Path to a server involves security check, leaving ID at desk, general access locked door, machine-room locked door, “pod” locked door.