From: "Andrew C. Hornback"
To: "Ted Mittelstaedt", "FreeBSD Questions"
Subject: RE: Lockdown of FreeBSD machine directly on Net
Date: Fri, 9 Nov 2001 02:29:14 -0500
Message-ID: <001101c168f0$3b6fb1a0$6600000a@ach.domain>
In-Reply-To: <000001c168ee$0d696280$1401a8c0@tedm.placo.com>

> -----Original Message-----
> From: Ted Mittelstaedt [mailto:tedm@toybox.placo.com]
> Sent: Friday, November 09, 2001 2:14 AM
> To: Andrew C. Hornback; Anthony Atkielski; FreeBSD Questions
> Subject: RE: Lockdown of FreeBSD machine directly on Net
>
> >> > Most organizations require something like that in
> >> > writing, or at least as part of a face to face
> >> > conversation. That negates this loophole.
> >>
> >> I've never encountered an organization that has a policy like that, but my
> >> personal policy is along those lines. If any manager wants me to compromise
> >> system security, he needs to put it in writing. This not only protects the
> >> organization from hanky-panky, but it protects me and the organization from
> >> lawsuits (albeit not prosecution, in most cases).
> >
> > Having held such positions as Senior System Administrator, Director of
> > Server and Network Operations and (hands on) Chief Operating Officer of an
> > ISP... I'm very surprised that you've never encountered this.
> >
> > Such a policy is standard operating procedure for me, period, no matter
> > where I am employed.
>
> Same here. However it's not usually done in physical writing.

Depending on the severity of the request, I have made substitutions. If it's a
small tweak or something like that that won't impact the unity of the network
and its systems, I'd generally just have to have an e-mail. However, if it's
something to the point of "Pull this machine off-line, tear it down and rebuild
it in this specific timeframe", then I'm definitely going to want something in
writing.

> I _am_ COO of an ISP

Better you than me! *grins*

> and _everything_ that is done in the systems by myself or the sysadmin
> touches the e-mail system in some manner.

Good policy... as long as your e-mail system doesn't get all coked up...

> Either the request comes via e-mail to the support list from a customer, or
> if it comes via phone a note is sent to the support list, or via ad-hoc from
> one of the techs it is written up in the mail system. In fact one of the
> daily tasks I do is decide what requests to permanently archive. It's not
> necessary to formalize things to the extent you're referring to, a simple
> 3 sentence e-mail that establishes who made the request and if the request
> is completed is enough.

It's job dependent, as far as I'm concerned. But, like I said, for small
things, that's not a problem.

> This establishes in the archive time and date and tracking. And that doesn't
> even cover the tracking done on the billing system which has its own
> tracking system.

*nods* I implemented this system when I was thrown into an ISP environment that
had no documentation, no standard operating procedures and a brand new owner
that bought half an ISP because he needed some place to store his web pages.
Structure is one of the first things that you can use to combat pure chaos.

> I have had a lot of experience running IT and there is absolutely no way to
> even start getting a handle on the department if this isn't done.

Absolutely.

> If you don't take the time to track things you spend time running from
> firedrill to firedrill and you cannot even begin to explain to the CEO or
> president why so much of the company IT time is burned up on bullshit
> requests.

Especially when management is the group that makes such requests.

> I've lost track of the number of times at previous companies I've worked at
> that some puffed-up department head has steamed into my office ready to nail
> my ass to the wall because some system they depend on got cocked-up, only to
> have me show them an e-mail audit trail which points the blame for the
> problem right back to some cockamamie thing that they or one of their
> underlings had my department do.

*nods* It's CYA time. That's why I like being able to whip out a binder full of
memos and show exactly what happened, why, and whose fault it was. It also
gives me a quick reference in case something needs to be repeated or undone.

> I'll readily admit that there's plenty of products (Notes comes to mind)
> that are out there to do what I do with my e-mail system, but none are as
> fast to enter data to. e-mail is also something everyone, internal and
> external employees, vendors and customers read, and I've CC'd more CYA
> e-mails to troublemakers than I can remember.

*grins* Back when I first landed that hellacious ISP job, I wanted to set up an
internal mail server for just employees so we could keep track of tech support
stuff, etc. There was nothing like that in existence up until that point, and I
figured it would be something good to have in training new employees, etc. I
made the proposal to management, and got the biggest "Deer caught in
headlights" look that I've ever seen... I still maintain that some people just
weren't cut out to own/operate an ISP.

Obligatory FreeBSD content: while I was there, it was an all Microsoft shop
(running NT 4.0), with the exception of a single FreeBSD machine used as a
proxy server. The FreeBSD box was the only one that I don't recall rebooting
except to move it.

--- Andy