From: Chuck Swiger <cswiger@mac.com>
Organization: The Courts of Chaos
Date: Wed, 11 May 2005 14:05:36 -0400
To: David.Bear@asu.edu
Cc: freebsd-questions@freebsd.org
Subject: Re: best practices for administration
Message-ID: <42824970.4030301@mac.com>
In-Reply-To: <20050511170133.GD10213@asu.edu>

David Bear wrote:
> Since the BSD community seems to be more security conscious than other
> (read Windows system administrators) groups, I wanted to see if anyone
> here would have any pointers to best practices documents when
> administering ANY operating system, not just FreeBSD. I am assuming
> that many of you must manage other operating systems as well.

Sure. You could start with the networking section of the FreeBSD Handbook, or maybe the O'Reilly books (TCP/IP Network Administration, Building Internet Firewalls).

If you want to get serious about the matter, follow:

http://www.rfc-editor.org/rfcxx00.html#BCPbyBCP

...until you understand RFC-1149. (No smiling in the back, there!)

There are lots and lots of other people writing stuff they'd like to sell you, such as books and ISO-9000-whatever standards, or MCSE certs (Novell certs, Sun certs, Cisco IOS certs, SANS GIS certs...) -- you name it -- someone will charge you to train & test for it.

> The nexus of my query lies in my attempt to have our central IT folks
> issue additional identities for users to have when administering the
> systems versus doing productivity work on them. I'd like to understand
> what is done generally when granting users permissions to do things on
> the operating system that imply 'administration', i.e. installing
> software, adding printers, modifying system scripts, etc. There are
> some here who think that putting standard user IDs into
> administrative 'groups' is sufficient for granting such privileges.
>
> Hopefully, I'm not being too obscure.

It would help to have a context. Are you a manager overseeing a team of sysadmins, are you talking about employees managing stuff on the company fileserver, or are we talking about an ISP and their customers, or are you simply writing a term paper on the subject? :-)

Anyway, a really good starting point is using sudo to grant people, or groups of people, controlled access to superuser capabilities. Beyond that, consider POSIX ACLs or the MAC framework from TrustedBSD...

--
-Chuck
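As an added illustration of the sudo approach Chuck suggests (this is example configuration, not something from the thread), the fragment below contrasts the "put the user in an administrative group" model with a sudoers policy that grants only the three tasks David named. The group name deptadmins and the command paths are assumptions chosen for illustration.

```sudoers
# Added example, not from the original message. Group "deptadmins" and the
# paths below are assumptions; adjust them to the system being managed.

# --- Weak: equivalent to dropping user IDs into an administrative group ---
# Every member may run any command as root, with no per-task control, so the
# "administrative identity" is just the user's normal login plus a password
# prompt. Shown commented out for comparison only.
# %wheel ALL=(ALL) ALL

# --- Controlled: grant the role exactly the tasks it needs ---
# Installing software (FreeBSD package tools of the period; assumed paths)
Cmnd_Alias SOFTWARE   = /usr/sbin/pkg_add, /usr/sbin/pkg_delete, /usr/sbin/pkg_info
# Adding and managing printers
Cmnd_Alias PRINTERS   = /usr/sbin/lpc
# Modifying system scripts. sudoedit copies the file aside, runs the user's
# editor unprivileged, then copies it back, so the editor itself never runs
# as root and a shell escape from it gains nothing.
Cmnd_Alias SYSSCRIPTS = sudoedit /etc/rc.conf, sudoedit /usr/local/etc/rc.d/*

# Every invocation is logged with the invoking user, so the audit trail ties
# privileged actions back to a person rather than to "root".
Defaults              logfile=/var/log/sudo.log, log_year
Defaults:%deptadmins  timestamp_timeout=5

# The role: members of deptadmins may run only the aliases above, as root.
%deptadmins ALL=(root) SOFTWARE, PRINTERS, SYSSCRIPTS

# Note: negated entries such as "ALL, !/bin/sh" are not a reliable
# restriction (the sudoers manual says as much), which is why this policy
# enumerates what is allowed instead of subtracting from ALL.
```

Check the file with `visudo -c` before installing it; a syntax error in sudoers locks everyone out of sudo at once.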