==========
Security
==========

Access Control
--------------

Access control on systems is done using ``pam_access``, ``pam_listfile``, etc.
By default, remote access is only granted to certain users/groups configured in
Hiera (see ``profile::aaa`` for details). Local access is currently
unrestricted, i.e. every valid PSI Linux account can log in locally.

``root`` login
--------------

- only with keys/Kerberos tickets
- only through bastion hosts (wmgt*, two-factor auth) by default

SELinux
-------

- depends on the role, enforcing by default, enforcing on all infrastructure
  systems

Firewall/tcpwrappers
--------------------

- tcpwrappers yes
- firewall no
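
The access-control policy described under Access Control and ``root`` login, modelled as ``pam_access`` rules with first-match evaluation. This is an added example, not the site's actual configuration or code: the rule set, the group name ``unx-admins`` and the bastion address ``192.0.2.10`` are constructed placeholders, and the evaluator is a simplified model covering only users, ``(group)``, ``ALL``, ``LOCAL`` and IP/CIDR origins.

```python
import ipaddress

# Constructed rules in access.conf syntax; the group name and the bastion
# address are placeholders, not values from the page.
RULES = """
+ : ALL : LOCAL
+ : root : 192.0.2.10
- : root : ALL
+ : (unx-admins) : ALL
- : ALL : ALL
"""

def parse(text):
    """Return [(permit, user_tokens, origin_tokens)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def user_matches(tok, user, groups):
    if tok == "ALL":
        return True
    if tok.startswith("(") and tok.endswith(")"):  # (group) syntax
        return tok[1:-1] in groups
    return tok == user

def origin_matches(tok, origin):
    """origin is None for a local login, else the remote IP as a string."""
    if tok == "ALL":
        return True
    if tok == "LOCAL" or origin is None:
        return tok == "LOCAL" and origin is None
    try:
        return ipaddress.ip_address(origin) in ipaddress.ip_network(tok, strict=False)
    except ValueError:
        return False  # hostnames, netgroups and EXCEPT are not modelled

def allowed(rules, user, groups=(), origin=None):
    """First matching rule decides; later rules are never consulted."""
    for permit, users, origins in rules:
        if any(user_matches(t, user, groups) for t in users) and any(
                origin_matches(t, origin) for t in origins):
            return permit
    return True  # model assumption: no match grants, so end with "- : ALL : ALL"
```

Rule order matters here: moving ``- : root : ALL`` above the bastion rule would deny ``root`` from the bastion as well, because evaluation stops at the first match.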