Teaching new users about system security is an important security tool. It is important to involve users in security methods and goals; the more they know about the system and how break-ins occur, the better equipped they are to guard against them.
Include the following topics in your user training:
What is the location of the user's account? Specifically, which system, where is it located, what is the proper node name if on a network, and, if the system is part of a cluster, what other nodes are available?
Which terminals can be used for logging in, and where are they located?
Is the account restricted with regard to local, dialup, remote, interactive, network, or batch operations? If so, describe both permitted use and restrictions.
Can the account be accessed by dialing in? If so, provide the access telephone number, and describe the procedure. Specify how many retries are allowed and the maximum number of seconds allowed between each retry before the connection is lost.
Are system passwords implemented for any terminals that the user may be using? If so, describe which terminals, how often the system password is changed, and how the user can learn the new system password.
What is the account duration? When will it expire? From whom should the user request an extension?
What is the user name? What identifiers are held by the user, if any? What are the group and member numbers associated with the user?
What password information is required? Specifically, what is the initial password? Is the password locked? If the password is not locked, how often must the password be changed? What is the minimum length for the password? Is there a secondary password for this account, and who will know it? Is the user free to select passwords, or must they be automatically generated? See "Checklist for Contributing to System Security" on page 60 for a checklist of good practices for users.
What is the default device and directory?
What is the default protection?
Are there quotas on disk usage? If so, what are the values?
Are there restrictions on use? For example, are there certain days or hours of the day that are suggested or enforced? Explain primary and secondary days if applicable.
Are there files or directories that are shared? If so, provide the details.
Are there ACLs that affect the user? What identifiers does the user need to know?
Which privileges does the user hold and what do they mean?
What is the command language interpreter?
Which type of account is this: open, captive, restricted, or interactive?
Which nodes permit proxy logins for this user, if any?
What are the names of the queues the user may need to use?
What actions should the user take to ensure physical site security, such as locking up materials?