Account Administration for K-12 School Systems
Accounts can be modified by account administrators or by users. The users can change their passwords, review a security audit of their account, or review potentially inappropriate web use by their account. Account administrators can change passwords and add/remove users to/from groups.
In the rest of this document, I will refer to three different types of computers. The k12admin-server will be the central account administration computer for the district. The k12admin-client computers will typically be Linux servers in the schools that update their account information from the k12admin-server computer. These computers will likely be used as web proxies, file servers, web servers, e-mail servers, etc. Lastly, I will refer to the computers our users sit at as workstations.
K12admin-client computers run updates once an hour. The updates are done using rsync and ssh to securely and quickly copy files from the k12admin-server and run a script, called “setup”, which is part of these files. Password files (passwd/group, shadow/gshadow, smbpasswd, squid.auth, apache.auth) on the client are updated at this time. The hourly update also runs some audits of the school server. Specifically, it scans the log files and generates a synopsis of which accounts have been used and when. This information is sent back to the k12admin-server computer, where it is inserted into an audit database which can be queried by the user. This allows a user to determine if their account is being used inappropriately.
The Squid proxy log files on the k12admin-client computer are also scanned for potential inappropriate use. The log files are scanned for one of a list of keywords. These keywords can be grouped into different categories (porn, chat rooms, gaming, executable downloads) and enabled or disabled on a per-school or per-server basis. Again, this information is transferred to a database on the k12admin-server where it can be reviewed by school administrative staff at any time. A synopsis is also e-mailed to school administrative staff weekly.
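As an added illustration (not K12Admin's own code), here is one way the per-server keyword scan described above could be written: parse Squid's native access.log, test each URL against the keyword categories enabled for that k12admin-client server, and build a per-account synopsis. The keyword lists, server names and log lines are constructed samples.

```python
import re
from collections import defaultdict

# Keyword categories. Constructed sample lists; the article does not publish
# K12Admin's real keyword sets.
CATEGORIES = {
    "gaming": ["arcade", "/games/"],
    "chat": ["/chat/", "irc."],
    "executables": [".exe", ".zip"],
}
# Categories enabled per k12admin-client server (hypothetical server names).
SERVER_CATEGORIES = {
    "elem-proxy": {"gaming", "chat", "executables"},
    "high-proxy": {"executables"},
}
# Squid native access.log: time elapsed client code/status bytes method URL user hier/from type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+/\d+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
)

def parse_squid_line(line):
    """Return the fields the audit needs, or None for a line that does not parse."""
    m = SQUID_LINE.match(line)
    if m is None:
        return None
    return {"ts": float(m["ts"]), "client": m["client"], "url": m["url"], "user": m["user"]}

def classify(url, enabled):
    """Return the set of enabled categories whose keywords occur in the URL."""
    low = url.lower()
    return {cat for cat in enabled if any(kw in low for kw in CATEGORIES[cat])}

def scan_log(lines, server):
    """Map (account, category) -> [(timestamp, url), ...] for one server's log."""
    enabled = SERVER_CATEGORIES.get(server, set())
    synopsis = defaultdict(list)
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue  # skip unparsable lines instead of aborting the hourly run
        # Proxy-auth user if present, otherwise fall back to the client address
        account = rec["user"] if rec["user"] != "-" else rec["client"]
        for cat in classify(rec["url"], enabled):
            synopsis[(account, cat)].append((rec["ts"], rec["url"]))
    return dict(synopsis)

SAMPLE_LOG = """936000001.123 250 10.0.1.23 TCP_MISS/200 4523 GET http://example.test/games/arcade.html jsmith DIRECT/192.0.2.10 text/html
936000002.456 120 10.0.1.24 TCP_HIT/200 880 GET http://example.test/homework/math.html mjones NONE/- text/html
936000003.789 900 10.0.1.23 TCP_MISS/200 1048576 GET http://files.example.test/setup.exe jsmith DIRECT/192.0.2.11 application/octet-stream
936000004.000 80 10.0.1.25 TCP_MISS/200 300 GET http://irc.example.test/ - DIRECT/192.0.2.12 text/html
this line is deliberately garbled and must be skipped""".splitlines()
```

Running `scan_log(SAMPLE_LOG, "elem-proxy")` flags jsmith under gaming and executables and the unauthenticated client 10.0.1.25 under chat, while `"high-proxy"` reports only the executable download because that is the only category enabled there.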
Individual k12admin-client servers can be configured from the web page with a variety of options. They can be attached to one or more schools. You can also have more than one server attached to the same school. This allows you to have one server for two small schools connected by Ethernet, or have several servers in a large school. Servers can be configured to update passwd/group files, update smbpasswd files, update Squid-authentication files, update Apache-authentication files, create home directories for new accounts, and clean up old home directories, either by deleting them outright or moving them to a temporary holding area.
The K12Admin system is quite functional as it stands. However, my goal is to create a server appliance which can be placed in a school and administered entirely through the K12Admin interface. What I see happening in schools now is that a teacher is given “release” time to maintain the network in the school. Attempts to “homogenize” the network are difficult when teachers in individual schools have invested significant amounts of time in learning how to run their chosen network operating system and setting up their network. In order to make K12Admin a viable alternative, I see a few obstacles to overcome:
Server administration must be easy to learn. Since K12Admin is geared specifically to a K-12 setting, it should have an advantage over a vanilla, out-of-the-box, network operating system.
The servers must be flexible enough to serve the needs of all users in a K-12 setting. Since I have experience with only one school district's way of doing things, I need feedback from other users to determine which options are required to meet their needs.
When problems do occur, they should be easy to diagnose, both for technical staff and the users in the school. I have some problem-diagnosis tools in place for monitoring disk space, swap space and “stuck” printer spools. These tools need to be expanded. I was hoping to incorporate the “Big Brother” network monitor to take care of some of this, but the license is too restrictive.
Here is a list of planned additions to K12Admin:
Creation of default shares on the client servers (exported by Samba, Netatalk, NFS, Coda, etc.)
Applications: general applications used by client computers, be they Macintosh, Windows, Linux or whatever. There will, of course, be separate shares for each type of client computer.
Library: share for library administration software.
Administration: share for school administration software.
Localgroups: share holds a directory for each local group created within the school, accessible only by members of that group. This share will contain a class folder for which teachers have write access, a drop box, and a public folder to which everyone can write. This makes it easy to share files with the members of your class or some other logical group.
HTML: web server root directory.
CD: a share where CDs can be copied in order to be shared back to client computers.
Default: skeleton files for creating new user home directories are placed here.
Rebuild: share for storing images of client workstations for rebuilding purposes.
More server configuration options, such as the ability to configure the services which should run on a particular server (e.g., dhcpd, Samba, Netatalk, Apache, Squid, etc.).
Monitor the status of services that have been configured to run on each server. Possibly integrate the “Big Brother” network monitoring tool, if its license allows.
Integration with Bruno Vernier's EDUML standard.
Possible integration with the Roster project. Roster is a server configuration system designed for college/university applications. It contains methods for updating server types other than Linux.
Modularize (OOP!) the data layer (Roster has this already and might be usable).
Extend the Squid proxy scan to scan the HTML files in the Squid cache, matching files to URLs using the Squid logs.
Ability to add users to multiple schools. Useful for staff members who teach part time in two schools, or district staff who may work in all schools in the district (this latter case is a special one that should probably be handled differently).
Generic configuration of system files such as Samba configuration, Squid configuration, Netatalk configuration, network configuration (dhcpd, IP masquerading, etc., using private IP addresses).
Support for having “backup” k12admin-server machines that synchronize their databases with the main k12admin-server and can be used for automatic failover protection.