Date: Wed, 11 May 2005 14:05:36 -0400
From: Chuck Swiger <cswiger@mac.com>
To: David.Bear@asu.edu
Cc: freebsd-questions@freebsd.org
Subject: Re: best practices for administration
Message-ID: <42824970.4030301@mac.com>
In-Reply-To: <20050511170133.GD10213@asu.edu>
References: <20050511170133.GD10213@asu.edu>

David Bear wrote:
> Since the BSD community seems to be more security conscious than other
> (read Windows system administrators) groups, I wanted to see if anyone
> here would have any pointers to best practices documents when
> administering ANY operating system, not just FreeBSD. I am assuming
> that many of you must manage other operating systems as well.

Sure. You could start with the networking section of the FreeBSD Handbook, or
maybe the O'Reilly books (TCP IP Network Admin, Building Internet Firewalls).
If you want to get serious about the matter, follow:

http://www.rfc-editor.org/rfcxx00.html#BCPbyBCP

...until you understand RFC-1149. (No smiling in the back, there!)

There are lots and lots of other people writing stuff they'd like to sell you,
such as books and ISO-9000-whatever standards, or MSCE-certs (Novell certs, Sun
certs, Cisco IOS certs, SANS GIS certs...)-- you name it-- someone will charge
you to train & test for it.

> The nexus of my query lies in my attempt to have our central IT folks
> issue additional identities for users to have when administering the
> systems versus doing productivity work on them. I'd like to understand
> what is done generally when granting users permissions to do things on
> the operating system that imply 'administration', i.e. installing
> software, adding printers, modifying system scripts, etc. There are
> some here who think that putting standard user IDs into
> administrative 'groups' is sufficient for granting such privileges.
>
> Hopefully, I'm not being too obscure.

It would help to have a context. Are you a manager overseeing a team of
sysadmins, are you talking about employees managing stuff on the company
fileserver, or are we talking about an ISP and their customers, or are you
simply writing a term paper on the subject? :-)

Anyway, a really good starting point is using sudo to grant people, or groups
of people, controlled access to superuser capabilities.

Beyond that, consider POSIX ACLs or the MAC framework from TrustedBSD...

-- 
-Chuck