Andy, in answer to your questions about how other companies do it, I'll tell
you how the Army does it:

First, you go through a 24 week long training course that takes you from
what is a computer, all the way to basic Cisco switch deployment/management
(just lightly touching the surface of Cisco equipment, basic LAN management
and network topologies, Windows deployment, information assurance/security,
DoD policies, and basic Active Directory concepts). I went through a
different but similar training program when I entered the service but I was
able to demonstrate knowledge in all of these areas during the interview.
Once you complete this, you must be Security+ certified and demonstrate
knowledge of Windows image deployment, Active Directory server, Exchange
Server, SCCM, troubleshooting and repair, customer service skills, LAN
management, and be able to hold a Secret-level clearance before becoming a
new sysadmin. A contractor must have similar credentials/experience before
becoming a new sysadmin for DoD. And then there is a TON of on-the-job
training that you have to go through, including scripting.

When it comes to the infrastructure that supports your website and your
central database, there is no margin for error. Many companies will require
that you possess MCSE/MCSA, Cisco and CompTIA certifications of varying
levels and/or a college degree in computer science and scripting/coding
proficiency just to get noticed.

On Tue, Mar 18, 2014 at 12:38 AM, Torrie Fischer <[email protected]> wrote:

> On Tuesday, March 18, 2014 00:21:16 Andrew Buczko wrote:
> > 1> do we have a processes for issuing Admin rights to new admins?
>
> For synhak.org, it involves scrutiny, vetting, keysigning, sending a PGP
> signed ssh key, and a lot of proof that you know what you're doing.
>
> > 2> If no, then How do other companies bring on new admins?
>
> In most cases, see above
>
> > 3> Who are our current admins?
>
> Chris, G, Craig, and myself. Chris and I are the only active ones.
>
> > 4> What rights do they have for what services/virtual spaces.
>
> They've got complete access to the synhak.org AWS account. They're free to
> rack up our server bill, delete data with reckless abandon, have sudo access
> on all *.synhak.org machines, and get SMSs when system load is too high.
>
> If it's in the physical space at 48 S Summit, that's a different topic. Anyone
> is free to rip open the boxes and reset the root passwords on everything as
> per do-ocracy. Nothing has a real connection to synhak.org except through
> tightly secured channels that have no chance of escalation of privileges. The
> Kiosk, for example, doesn't even have any access credentials to update the
> site.
>
> In fact, anyone can post some JSON data to
> https://synhak.org/auth/v1/sensor/3/, or any other sensor for that matter.
> There isn't a real way into the underlying linux system through any exposed
> endpoint. Even if they got onto the system, the services running on the web
> servers and the administrivia server have AWS credentials that limit them to
> specific operations such as creating new files on S3 (but not deleting!) and
> connecting to the mysql server.
>
> Actually, S3 and two tables on mysql are the only things the servers are
> allowed to touch. They can't kill servers, start up new ones, or wipe the
> database snapshots, or even see what backups we have.
>
> It is, of course, possible to limit AWS user accounts to only a small subset
> of permissions. For example, there exists a Treasurer role in the system that
> Xander previously held that only permitted viewing of the monthly bill and
> usage report.
>
> >
> > On Mon, Mar 17, 2014 at 11:00 PM, Omar Rassi <[email protected]> wrote:
> > > As a sysadmin myself, I'd have to agree with the extra scrutiny for
> > > digital assets. I don't see it as a personal attack on anyone that
> > > regarding this scrutiny, we've spent the past three years fine-tuning this
> > > virtual space to what it is now. Our virtual space is not like our physical
> > > space at all, you can't walk into 48 South Summit and accidentally burn
> > > the whole building down with a typo or wrong command with ease, but that is
> > > MUCH easier to do on our virtual space.
> > >
> > > I've been involved with Synhak since Torrie's garage and in all this time,
> > > I have decided not to get involved with the AWS instances for this reason
> > > since I typo a lot, instead I applied my talents elsewhere. Although, it
> > > would be nice if anyone who wanted to try their hand at improving our AWS
> > > instance or "Virtual Space" had sudo access to a sandbox duplicate, then we
> > > can only commit changes to the live instance that are proven to work while
> > > only providing read-only access to the live instance. Keep in mind that the
> > > "Virtual Space" you are talking about does not just contain the website, as
> > > I understand it, Spiff is also on AWS, which handles, among other things,
> > > our membership database. Let's please try to keep admin rights to this on a
> > > "need to know" basis. I feel the term "positive control" (I know I use it
> > > a lot) applies well in this scenario.
> > >
> > > On Mon, Mar 17, 2014 at 7:50 PM, Torrie Fischer <[email protected]> wrote:
> > >> On Monday, March 17, 2014 18:22:38 Justin Herman wrote:
> > >> > NOTE: Chris and Torrie were able to decrypt it with their private
> > >> > keys.
> > >> >
> > >> > In order to avoid extra noise and virtual conflict I have opted to answer
> > >> > any questions during our meeting. I will be available to answer any
> > >> > questions during that time. This is equivalent in conditions met to
> > >> > acquire a Physical Space key.
> > >>
> > >> Noise implies useless information. I'm certain that SYNHAK would find
> > >> someone's reason for wanting access to AWS and all of our servers to be
> > >> useful and even important information.
> > >>
> > >> I'm concerned about this "virtual conflict" you perceive. Why would you
> > >> think that an open discussion about security would create conflict?
> > >>
> > >> You're also aware that meeting in person during a meeting aren't the
> > >> conditions for getting a key, right? It involves a proposal for Consensus.
> > >> There's also the fact that a physical door key is completely different from
> > >> having administrative access to synhak.org.
> > >>
> > >> I will block any proposal to grant you AWS access on the grounds that you
> > >> haven't demonstrated why I should trust you, and that you're currently
> > >> demonstrating some interesting interpretations of protocols.
> > >>
> > >> > On Mon, Mar 17, 2014 at 6:10 PM, Torrie Fischer <[email protected]> wrote:
> > >> > > On Monday, March 17, 2014 17:05:56 Justin Herman wrote:
> > >> > > > SOME KIND OF BLOB
> > >> > >
> > >> > > Ok. Right.
> > >> > >
> > >> > > You sent an SSH key signed with a PGP key that I have not verified. The
> > >> > > signed key was encrypted with my public key, meaning that only I could
> > >> > > decrypt it.
> > >> > >
> > >> > > Justin, are you aware that we are also asking you questions and not
> > >> > > just asking for an SSH key? I'll copy them again:
> > >> > >
> > >> > > VVVV QUESTIONS VVVV
> > >> > >
> > >> > > 1.) What is your primary purpose for requesting access to AWS?
> > >> > > 2.) What problems with the current website and online infrastructure do
> > >> > > you currently see that require AWS root and sudo access to solve?
> > >> > > 3.) What improvements can you offer to the overall infrastructure?
> > >> > > 4.) Are you familiar with Ansible, the configuration-management software
> > >> > > used to configure, deploy and maintain servers? If not, do you intend to
> > >> > > learn about it?
> > >> > >
> > >> > > ^^^^ QUESTIONS ^^^^
> > >> > >
> > >> > > In case they kept getting lost in the noise of this thread, I've also
> > >> > > trimmed out the rest of the inline quotes.
> > >> > >
> > >> > > There seems to be a pattern of not answering any questions when directly
> > >> > > asked. Would you prefer that I ask them in private instead of on
> > >> > > discuss@? I'm often at the space, so I can handle either e-mail or in
> > >> > > person. I would still need to relay the answers to a public forum such
> > >> > > as noc@ to preserve transparency about our site security and keep
> > >> > > everyone else up to date with who has unlimited and absolute power over
> > >> > > synhak.org.
> > >> > >
> > >> > > If you're not able to make this work, then I can't really give you
> > >> > > access.
> > >>
> > >> _______________________________________________
> > >> Discuss mailing list
> > >> [email protected]
> > >> https://synhak.org/mailman/listinfo/discuss
> > >
>
>
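The credential scoping Torrie describes in the quoted message (service credentials that can create S3 objects but never delete them, kill or start servers, or touch database snapshots, and a Treasurer role limited to viewing the bill and usage report) can be written as IAM policy documents. The block below is an added example, not synhak.org's own configuration: the bucket name and the small evaluator that mimics IAM's explicit-Deny-wins ordering are assumptions for illustration.

```python
import fnmatch

# Constructed example policies, not synhak.org's real configuration; the
# bucket name "synhak-web-assets" is assumed for illustration.
WEB_SERVICE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # the web service may create and read objects in one bucket only
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::synhak-web-assets",
                         "arn:aws:s3:::synhak-web-assets/*"],
        },
        {   # explicit Deny overrides any Allow attached elsewhere: no deleting
            # objects, no killing/starting instances, no touching DB snapshots
            "Effect": "Deny",
            "Action": ["s3:Delete*", "ec2:*", "rds:*"],
            "Resource": "*",
        },
    ],
}

# Treasurer role: read the monthly bill and usage report, nothing else.
TREASURER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["aws-portal:ViewBilling", "aws-portal:ViewUsage"],
        "Resource": "*",
    }],
}

def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?') against one or more patterns."""
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def is_allowed(policy, action, resource):
    """Toy IAM evaluation: explicit Deny > Allow > implicit Deny.

    Ignores conditions, principals and case-insensitive action matching; it
    exists only to show how the two policies above behave for a request.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False          # a matching Deny ends evaluation
            allowed = True
    return allowed
```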
