Re: best practices for administration

2005-05-12 Thread Joel 
 The nexus of my query lies in my attempt to have our central IT folks
(B issue additional identities for users to have when administering the
(B systems versus doing productivity work on them. I'd like to understand
(B what is done generally when granting users permissions to do things on
(B the operating system that imply 'administration', ie installing
(B software, adding printers, modifying system scripts, etc. There are
(B some here who think that putting standard user ID's into
(B administrative 'groups' is sufficient for granting such priveledges.
(B
(BUsers will always resist anything that will cause them to type in
(Banother password to get their job done.
(B
(BProbably you want to mix approaches a bit. 
(B
(BCertain tasks will warrant a separate login, in part to sandbag against
(Btrojans and other malware. If you do set up such accounts, make sure
(Bbrowsing-type accounts are not allowed to sudo to admin-type accounts,
(Band establish a policy of not using su from the browsing accounts.
(B(Helps keep any keyloggers from getting at abuseable passwords.) I'd
(Beven suggest not allowing login from the browsing accounts, but I
(Bhaven't yet figured out how to effectively
(B
(Bsudo -u joe2 webbrowser .
(B
(BHeh.
(B
(BOne difficulty is getting users into the habit of knowning when to share
(Bfiles with themselves.
(B
(B--
(BJoel Rees   [EMAIL PROTECTED]
(Bdigitcom, inc.   $B3t<02q

best practices for administration

2005-05-11 Thread David Bear 
Since the BSD community seems to be more security conscious than other
(read windows system administrators) groups, I wanted to see if anyone
here would have any pointers to best practices documents when 
administering ANY operating system, not just FreeBSD. I am assuming
that many of you must manage other operating systems as well.

The nexus of my query lies in my attempt to have our central IT folks
issue additional identities for users to have when administering the
systems versus doing productivity work on them. I'd like to understand
what is done generally when granting users permissions to do things on
the operating system that imply 'administration', ie installing
software, adding printers, modifying system scripts, etc. There are
some here who think that putting standard user ID's into
administrative 'groups' is sufficient for granting such priveledges.

hopefully, I'm not being too obscure.
-- 
David Bear
phone:  480-965-8257
fax:480-965-9189
College of Public Programs/ASU
Wilson Hall 232
Tempe, AZ 85287-0803
 Beware the IP portfolio, everyone will be suspect of trespassing
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: best practices for administration

2005-05-11 Thread Chuck Swiger 
David Bear wrote:
Since the BSD community seems to be more security conscious than other
(read windows system administrators) groups, I wanted to see if anyone
here would have any pointers to best practices documents when 
administering ANY operating system, not just FreeBSD. I am assuming
that many of you must manage other operating systems as well.
Sure.  You could start with the networking section of the FreeBSD Handbook, or 
maybe the O'Reilley books (TCP IP Network Admin, Building Internet Firewalls).

If you want to get serious about the matter, follow:
http://www.rfc-editor.org/rfcxx00.html#BCPbyBCP
...until you understand RFC-1149.  (No smiling in the back, there!)
There are lots and lots of other people writing stuff they'd like to sell you, 
such as books and ISO-9000-whatever standards, or MSCE-certs (Novell certs, 
Sun certs, Cisco IOS certs, SANS GIS certs...)-- you name it-- someone will 
charge you to train  test for it.

The nexus of my query lies in my attempt to have our central IT folks
issue additional identities for users to have when administering the
systems versus doing productivity work on them. I'd like to understand
what is done generally when granting users permissions to do things on
the operating system that imply 'administration', ie installing
software, adding printers, modifying system scripts, etc. There are
some here who think that putting standard user ID's into
administrative 'groups' is sufficient for granting such priveledges.
hopefully, I'm not being too obscure.
It would help to have a context.  Are you a manager overseeing a team of 
sysadmins, are you talking about employees managing stuff on the company 
fileserver, or are we talking about an ISP and their customers, or are you 
simply writing a term paper on the subject?  :-)

Anyway, a really good starting point is using sudo to grant people, or groups 
of people, controlled access to superuser capabilities.  Beyond that, consider 
POSIX ACL's or the MAC framework from TrustedBSD...

--
-Chuck
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: best practices for administration

2005-05-11 Thread Erik Nørgaard 
David Bear wrote:
Since the BSD community seems to be more security conscious than other
(read windows system administrators) groups, I wanted to see if anyone
here would have any pointers to best practices documents when 
administering ANY operating system, not just FreeBSD. I am assuming
that many of you must manage other operating systems as well.
You can find some BCP's and FYI's at frc-editor.org. ISO-17799/BS-7799 
is the international standard on information security, and there is the 
ITIL library.

There is no general answer to your question as much is context 
dependent. For example:

What do you need a user to present before giving an account? How do you 
verify that the information presented is valid?

Soon, you are faced with different classes of accounts: Employees, 
consultants, customers, and different levels of privileges. And who has 
privilege to grant others access to what?

Cheers, Erik
--
Ph: +34.666334818   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: best practices for administration

2005-05-11 Thread Trevor Sullivan 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
David Bear wrote:

 Since the BSD community seems to be more security conscious than
 other (read windows system administrators) groups, I wanted to see
 if anyone here would have any pointers to best practices documents
 when administering ANY operating system, not just FreeBSD. I am
 assuming that many of you must manage other operating systems as
 well.

 The nexus of my query lies in my attempt to have our central IT
 folks issue additional identities for users to have when
 administering the systems versus doing productivity work on them.
 I'd like to understand what is done generally when granting users
 permissions to do things on the operating system that imply
 'administration', ie installing software, adding printers,
 modifying system scripts, etc. There are some here who think that
 putting standard user ID's into administrative 'groups' is
 sufficient for granting such priveledges.

 hopefully, I'm not being too obscure.

A while ago I happened across the CentOS documentation (copied from
RedHat's basically) which you can find here:
http://www.centos.org/docs/4/. This has been quite helpful for me,
especially regarding things such as user notification, problem
resolution etc.

- -Trevor
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (MingW32)
 
iD8DBQFCgoAqoGycRpOgdeERAmRpAKDLu9LWcAZHpB2ke3pB0bl2S91AwQCeIrf3
8kMj+UdYHASQPWViTfqQsDk=
=A0JV
-END PGP SIGNATURE-

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]