best practices for administration

Chuck Swiger cswiger at mac.com
Wed May 11 11:05:46 PDT 2005


David Bear wrote:
> Since the BSD community seems to be more security conscious than other
> (read windows system administrators) groups, I wanted to see if anyone
> here would have any pointers to best practices documents when 
> administering ANY operating system, not just FreeBSD. I am assuming
> that many of you must manage other operating systems as well.

Sure.  You could start with the networking section of the FreeBSD Handbook, or 
maybe the O'Reilly books (TCP IP Network Admin, Building Internet Firewalls).

If you want to get serious about the matter, follow:

http://www.rfc-editor.org/rfcxx00.html#BCPbyBCP

...until you understand RFC-1149.  (No smiling in the back, there!)

There are lots and lots of other people writing stuff they'd like to sell you, 
such as books and ISO-9000-whatever standards, or MCSE certs (Novell certs, 
Sun certs, Cisco IOS certs, SANS GIS certs...) -- you name it -- someone will 
charge you to train & test for it.

> The nexus of my query lies in my attempt to have our central IT folks
> issue additional identities for users to have when administering the
> systems versus doing productivity work on them. I'd like to understand
> what is done generally when granting users permissions to do things on
> the operating system that imply 'administration', i.e. installing
> software, adding printers, modifying system scripts, etc. There are
> some here who think that putting standard user IDs into
> administrative 'groups' is sufficient for granting such privileges.
> 
> hopefully, I'm not being too obscure.

It would help to have a context.  Are you a manager overseeing a team of 
sysadmins, are you talking about employees managing stuff on the company 
fileserver, or are we talking about an ISP and their customers, or are you 
simply writing a term paper on the subject?  :-)

Anyway, a really good starting point is using sudo to grant people, or groups 
of people, controlled access to superuser capabilities.  Beyond that, consider 
POSIX ACLs or the MAC framework from TrustedBSD...

-- 
-Chuck
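
The sudo approach mentioned above, sketched as a sudoers fragment. This is an added example, not part of the original post; the group names, the `_adm` account names, the log path and the command paths are all assumptions chosen to match the tasks named in the question (installing software, adding printers, modifying system scripts).

```sudoers
# Constructed example. Edit with visudo so a syntax error cannot lock
# everyone out. All names and paths below are hypothetical.

# Record every sudo invocation in a dedicated log for later review.
Defaults logfile=/var/log/sudo.log

# Separate administrative identities (hypothetical accounts), distinct
# from the accounts the same people use for everyday work.
User_Alias ADMIN_IDS = alice_adm, bob_adm

# Commands grouped by administrative task.
# Note: package install scripts run as root, so SOFTWARE is a
# high-trust grant even though it is not "ALL".
Cmnd_Alias SOFTWARE = /usr/sbin/pkg install *, /usr/sbin/pkg delete *
Cmnd_Alias PRINTING = /usr/sbin/lpc
# sudoedit copies the file, runs the editor as the invoking user, and
# writes the result back, so the editor's shell escape is not a root shell.
Cmnd_Alias SCRIPTS  = sudoedit /etc/rc.conf, sudoedit /etc/rc.local

# Broad form: membership in the group is equivalent to full root.
# This is what "put the standard user ID in an admin group" amounts to.
# %wheel ALL = (ALL) ALL

# Narrow form: each group gets only the commands its task needs,
# run as root, with the user's own password required.
%swadmin   ALL = (root) SOFTWARE
%prtadmin  ALL = (root) PRINTING

# Script changes are limited to the dedicated admin identities.
ADMIN_IDS  ALL = (root) SCRIPTS
```

`visudo -c` checks the file's syntax, and `sudo -l -U <user>` lists what a given account is actually allowed to run.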


