Teaching new users about system security is an
important security tool. It is important to involve users in security
methods and goals; the more they know about the system and how break-ins
occur, the better equipped they are to guard against them.
Include the following topics in your user training:
What is the location of
the user's account? Specifically, which system, where is it located,
what is the proper node name if on a network, and, if the system is
part of a cluster, what other nodes are available?
Which terminals can be
used for logging in, and where are they located?
Is the account restricted
with regard to local, dialup, remote, interactive, network, or batch
operations? If so, describe both permitted use and restrictions.
Can the account be accessed
by dialing in? If so, provide the access telephone number, and describe
the procedure. Specify how many retries are allowed and the maximum
number of seconds allowed between each retry before the connection
Are system passwords implemented
for any terminals that the user may be using? If so, describe which
terminals, how often the system password is changed, and how the user
can learn the new system password.
What is the account duration?
When will it expire? From whom should the user request an extension?
What is the user name?
What identifiers are held by the user, if any? What are the group
and member numbers associated with the user?
What password information
is required? Specifically, what is the initial password? Is the password
locked? If the password is not locked, how often must the password
be changed? What is the minimum length for the password? Is there
a secondary password for this account, and who will know it? Is the
user free to select passwords, or must they be automatically generated?
See “Checklist for Contributing to System Security”"Checklist for Contributing to System
Security" on page 60 for a checklist of good practices for users.
What is the default device
What is the default protection?
Are there quotas on disk
usage? If so, what are the values?
Are there restrictions
on use? For example, are there certain days or hours of the day that
are suggested or enforced? Explain primary and secondary days if applicable.
Are there files or directories
that are shared? If so, provide the details.
Are there ACLs that affect
the user? What identifiers does the user need to know?
Which privileges does
the user hold and what do they mean?
What is the command language
Which type of account
is this: open, captive, restricted, or interactive?
Which nodes permit proxy
logins for this user, if any?
What are the names of
the queues the user may need to use?
What actions should the
user take to ensure physical site security, such as locking up materials?