Linux Workstation Standards

Body

Managing University of Dayton computers is an important part of UDit's overall "defense-in-depth strategy" (a cybersecurity approach that uses multiple layers of security for holistic protection).  In addition to using Active Directory (AD) on the Microsoft side, we are able to manage Windows and Apple computers through Ivanti and JAMF. While Linux doesn’t have the same numbers across campus, there’s no single preferred distribution. Linux users tend to be our most technical users and in some instances manage our infrastructure. Therefore we want to apply similar standards across all three operating system platforms.

Configuration standards

Registration requirement

Appendix A - CrowdStrike Supported Linux Distributions

Appendix B - Ivanti Supported Linux Distributions
 

Configuration standards

The following configuration standards are for users wanting to use a Linux operating system computer at UD.

NOTE: These standards apply to workstations and are insufficient for server operations and maintenance.


Distribution

There are a variety of ways to differentiate Linux distributions - system architecture, kernel, vendor, etc.  We recommend using one that allows use of our CrowdStrike and Ivanti agents.  Supported distributions will be attached as appendices to this document.  In the event an individual wishes to run a distribution that won’t run, use a distribution that is currently supported by the vendor (with updates) and supports the remainder of the requirements.  In those cases where even this isn’t possible, the workstation should not be used on the network.
 

Asset Management

Ivanti clients are available for a number of different Linux distributions. You’ll find a list in Appendix A. Unlike Windows, Ivanti may not be sufficient to maintain the operating system and installed software.  Ivanti will be used for hardware tracking only. Software updates are covered separately.
 

Antivirus (AV) / Endpoint Detection and Response (EDR)

CrowdStrike sensors are available for a number of different Linux distributions. You’ll find a list in Appendix B. In the event a user wishes to run a distribution that does not support CrowdStrike, the user will install ClamAV or an approved alternative, keep its signature databases current and run monthly scans at a minimum.
 

Software Updates

Users are responsible for updating their Linux distributions at least monthly.
 

Encryption / Key Escrow

Users running Linux on laptops will encrypt all disks/volumes with preboot authentication functionality using LUKS or an approved alternative.  An encryption key shall be escrowed with the Linux user’s supervisor.
 

Local Administrator

Privileged accounts such as root will not be used on a day-to-day basis. Use of SU and SUDO is encouraged.
 

Passwords

Passwords for all local accounts shall be strong and will be 8 or more characters. They will not contain common words (whole or part) or parts of the user’s name or University ID (UDID) and will follow the general guidelines outlined at password.udayton.edu.  All passwords, to include root, shall be changed annually.
 

Firewall

Host firewalls shall be enabled and any ports required to be opened will be documented in the Linux Workstation Registration Form.

NOTE: Labs are a special case.  Exceptions to the guidelines may be required and shall be documented.

 

Registration requirement

Users are expected to maintain Linux workstations to the standards listed above.

Complete the Linux Workstation Registration Form. A workstation record is placed into our asset inventory.
 

Appendix A - CrowdStrike Supported Linux Distributions

This information is not publicly available on CrowdStrike’s website but feel free to reach out to the IT Risk Management Office if you have questions.

CrowdStrike Linux support is highly dependent on the kernels used, support of which is updated frequently with new Sensor releases. To ensure your kernel is supported, find this documentation in your Falcon console under Support and resourcesResources and toolsLinux Supported Kernels. A sensor running on a supported Linux distribution but with an unsupported kernel will switch to Reduced Functionality Mode (RFM). In this mode, Linux sensors will only send SensorHeartBeat events at this time.
 

Appendix B - Ivanti Supported Linux Distributions

For the most current list, click this link:

https://help.ivanti.com/res/help/en_US/IA/2021/GS/46300.htm

Details

Details

Article ID: 137188
Created
Tue 3/22/22 2:29 PM
Modified
Fri 5/29/26 4:45 PM

Related Services / Offerings

Related Services / Offerings (1)

Register your University-owned Linux workstation