TRIUMF rpms

The TRIUMF kickstart-CD for Scientific Linux installs some packages (rpms) that customise the system for use at TRIUMF. The packages are designed to be single-purpose so that the manager of a system can choose to undo any particular customisation by removing the rpm. All the packages are available from http://mirror.triumf.ca/triumf/ but can be installed and uninstalled using yum.

There are also a few optional packages that are not installed by the kickstart.

TRIUMF packages installed by the kickstart 

The following packages are installed by a TRIUMF kickstart installation of Scientific Linux.

 triumf-adobe-release

Get AdobeReader and Adobe flash-plugin updates from the TRIUMF mirror of the Adobe package repository

triumf-amanda

Enables the TRIUMF backup-server (amanda) to perform backups. You must still request that your PC be added to the list of machines to backup.

triumf-automount

Sets up automounting of the following TRIUMF directories.
/triumfcs/linux
/triumfcs/mirror
/triumfcs/sciserv
/triumfcs/trshare

triumf-cacert-nss

Installs the root certificate of the TRIUMF certificate-authority into Mozilla-based web-browsers.

triumf-cacert-openssl

Installs the root certificate of the TRIUMF certificate-authority for use by applications that use openssl encryption libraries. (e.g. alpine).

triumf-ccn-rootkey

Grants root access to TRIUMF-Computing personnel via ssh from the bastion-host syslog.triumf.ca .

triumf-disable-vul_kmod

Disables some kernel modules that are known to be vulnerable to exploitation leading to privilege escalation.  These modules are rarely used on TRIUMF workstation PCs.  For a complete list of the disabled modules see /etc/modprobe.d/disable-vul_kmod .

triumf-greeter

 Puts the hostname on the graphical login screen.

triumf-java-1.6.0-sun

Ensures that SUN Java v1.6.0 and its associated web-browser plugin is installed.

triumf-nodeinfo

Adds a nightly job to send info about the hardware and configuration to a central TRIUMF server.  This enables TRIUMF Computing to identify insecurely configured machines.

triumf-ntp

Use TRIUMF time servers

triumf-printers

Use the TRIUMF print server

triumf-release

This package is required by most other TRIUMF rpms. It adds the configuration file for the TRIUMF package repository, and scripts that are used by other TRIUMF packages for applying and backing-out changes to configuration files.

triumf-sl-yumconf

Get updates via nfs from the TRIUMF mirror of the Scientific-Linux package repository.

triumf-ssh

Modifies the default configuration of ssh to enables forwarding of X11 connections.

triumf-syslog

Send messages of logins, login-failures and other significant notices to a TRIUMF server; for security purposes.

triumf-tcpwrappers

Modifies /etc/hosts.allow and /etc/hosts.deny to disallow all external connections except for ssh from anywhere, and portmap from TRIUMF. If your machine does nfs exporting, then after installation, edit /etc/hosts.allow and uncomment the entry for "mountd".

triumf-workstation

A meta-package that ensures that hostname is fully-qualified and that  triumf-syslog, triumf-printers and triumf-disable-vul_kmod are installed.

Optional Packages

The following packages are not installed by the TRIUMF kickstart but can be added using "yum install".

triumf-sshd-protect_root

Disables password access to the root account over ssh.  ssh-key access remains enabled.

triumf-sshd-verbose_log

Sets the log-level of sshd to VERBOSE.  This is useful for tracking the which key was used for logging in to an account (such as root) that has multiple keys in ~/.ssh/authorized_keys 

triumf-uid_min

Set UID_MIN and GID_MIN to 245 in /etc/login.defs .  There are some TRIUMF accounts with a UID below 500 but nont below 245.  Defining these in /etc/login.defs ensures that there won't be any UID clashes with accounts created by installing some software packages.