by Hanz Makmur – Sept 8, 2016.
LCSR is now able to provide Computer Science faculty members with virtual machines that carry the full access needed for special projects. Because the person who requested access will have root, you can potentially install anything you want; as such, we need to make sure everything stays secured. This VM is generally limited in resources and is normally set at 4 cores, 16GB of memory and 25GB of disk space.
For websites, we suggest you utilize the LCSR-managed WordPress system instead of running your own VM.
The University considers LCSR to be responsible for the security of all systems. OIT runs regular security scans, so we need to arrange appropriate protection for any service visible from the Internet.
Requirement and Guidelines
- By default, only incoming access to HTTP (port 80) and HTTPS (port 443) is open to the Internet. SSH and all other services are reachable only from inside Rutgers. You need to use the University VPN (Mac or Windows client) or connect from another Rutgers machine.
- If you need to run special services or daemons that must be exposed to the Internet, please let us know ahead of time. You need to have a conversation with the staff about the security impact of such a service before it is opened.
- We don't give out root passwords, but a user can use 'sudo' once they have been added to the 'wheel' group.
Don't set or change passwords on your machine. We do not use local passwords, for security reasons. Set or change your password via http://password.rutgers.edu. If the University NetID password doesn't provide enough security for the type of data you're working with, please talk with the Director or LCSR staff about other options.
Important: Only users registered with the University can have an account on your machine. If you must add a guest as a collaborator, you must sponsor your guest as an official Guest of the University. Don't forget to grant your collaborator University VPN service if they need it.
You MUST know how to administer the system, and you need to keep the applications you install secured.
When you create an account, its password MUST be based on the University NetID credential, not a local password. This means users added to this system MUST already have an account on another CS Linux machine. See the example below on what to do.
- LCSR will set up the latest version of a basic CentOS 7 Linux system with 4 cores, 4GB of memory and 25GB of backed-up disk space, and will keep security updates current for that kernel. If a kernel upgrade is required for security reasons, we will do it, and a reboot may be required. We will notify you when this needs to be done.
- A major upgrade, such as CentOS 7 to CentOS 8, requires a FULL reinstall. Historically, an in-place upgrade is not recommended. This is normally 3-4 years down the road, unless a big security issue requires a major upgrade sooner.
- LCSR will do regular and security updates for the OS and for any software that was installed using the normal package management system, YUM.
- If you install special code, make sure that all services for which you are responsible are updated regularly. There must be a way to apply at least security updates to every piece of software that was installed outside the standard package management system (YUM). As long as we know what software you're running, staff will notify you if we receive notifications of security issues affecting it.
- LCSR will provide a disk2disk backup with data retention of up to 60 days. Your backups are stored in /rsync-backup/backups. Logs of the backup runs are stored in /rsync-backup/logs.
- LCSR will monitor this machine via the Nagios system and will notify the responsible person for the VM when something goes wrong with it. See an example at: http://report.rutgers.edu
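Two of the guidelines above are things the VM owner can verify for themselves: that nothing beyond HTTP/HTTPS (and SSH for inside Rutgers) is listening on a public interface, and that the disk2disk backup in /rsync-backup/backups is actually being refreshed. The script below is an added example written for this page, not an LCSR tool. The only facts it takes from the page are the allowed ports (22, 80, 443), the backup path /rsync-backup/backups, and the CentOS 7 target; the `ss -ltn` parsing, the sample listener table, and the two-day freshness threshold are this example's own assumptions.

```shell
#!/bin/sh
# Added example: owner-side sanity checks for an LCSR full-access VM (CentOS 7).
# Not LCSR's own tooling. Ports and paths follow the guidelines on this page;
# thresholds and the sample data below are assumptions made for the example.

# Read `ss -ltn` output on stdin and print every port that is listening on a
# non-loopback address and is not one of the documented ports (22, 80, 443).
# Anything printed is a service OIT's scans can see and LCSR must be told about.
extra_public_listeners() {
    awk '
        $1 == "LISTEN" {
            n = split($4, a, ":")                 # "0.0.0.0:8080" or "[::]:443"
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next   # loopback only
            if (port == 22 || port == 80 || port == 443) next                # documented
            print port
        }'
}

# Return 0 if DIR holds at least one regular file modified within the last
# MAX_DAYS days, 1 if the directory is missing, empty, or only holds old files.
backup_is_fresh() {
    dir=$1
    max_days=$2
    [ -d "$dir" ] || return 1
    [ -n "$(find "$dir" -type f -mtime -"$max_days" 2>/dev/null | head -n 1)" ]
}

# Constructed sample of `ss -ltn` output (not captured from a real VM):
# sshd on 22, postfix bound to loopback only, httpd on 80/443, and a stray
# development server on 8080 that the policy says must be reported first.
SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN  0      128    0.0.0.0:22         0.0.0.0:*
LISTEN  0      100    127.0.0.1:25       0.0.0.0:*
LISTEN  0      128    *:80               *:*
LISTEN  0      128    [::]:443           [::]:*
LISTEN  0      128    0.0.0.0:8080       0.0.0.0:*'

# Live checks, run only where the real tools and paths exist (e.g. on the VM).
if command -v ss >/dev/null 2>&1; then
    extra=$(ss -ltn 2>/dev/null | extra_public_listeners)
    if [ -z "$extra" ]; then
        echo "listeners: only documented ports are public"
    else
        echo "listeners: UNDOCUMENTED public ports: $(echo "$extra" | tr '\n' ' ')"
    fi
fi
if [ -d /rsync-backup/backups ]; then
    if backup_is_fresh /rsync-backup/backups 2; then
        echo "backup: fresh (written within the last 2 days)"
    else
        echo "backup: STALE - check /rsync-backup/logs"
    fi
fi
```

Run it as an ordinary user after the VM is handed over and again whenever you install a new daemon; `ss -ltn` does not need root to list listening sockets. A port in the "UNDOCUMENTED" line is exactly the case the guidelines ask you to raise with LCSR staff before it goes live, and a stale backup means the data LCSR holds for you is older than you think.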
Requesting Full Access VM:
Please provide the following info to email@example.com
1. Machine name: your_machine_name.cs.rutgers.edu
If this name does not exist yet, we will request one. If it already exists, a temporary name may be needed until the old service can be moved to the new VM.
2. Responsible person 1: email and cell phone.
Responsible person 2: email and cell phone.
3. Do you need an official SSL certificate?
(When completed, it will be stored in /etc/ssl/.)
Please allow at least 5-7 business days for this to be set up.