==========
 Security
==========

Access Control
--------------
Access control on systems is done using ``pam_access``, ``pam_listfile``, etc.
By default, remote access is only granted to certain users/groups configured in
Hiera (see ``profile::aaa`` for details). Local access is currently
unrestricted, i.e., every valid PSI Linux account can log in locally.

``root`` login
--------------
- only with keys/Kerberos tickets
- only through bastion hosts (wmgt*, two-factor auth) by default

SELinux
-------
- depends on the role, enforcing by default, enforcing on all infrastructure
  systems

Firewall/tcpwrappers
--------------------
- tcpwrappers yes
- firewall no