[CLUE-Tech] Sys Admin security and user directory security

Brandon N bneill at yahoo.com
Tue Dec 18 13:45:30 MST 2001


--- Adam_Bultman at gmx.net wrote:
> I had a beautifully orchestrated email last night that I didn't send.
> Anyway, I'll re-create a thumbnail version:
>
> If you take root from root, you aren't root anymore.  The sysadmin needs
> access to EVERYTHING.  You take that away, and you can't do your job.
> I need ready access to everyone's /home/, /var/spool/mail, etc. If I
> didn't, I wouldn't have realized that /var/ was at 95 percent because of
> two users with 400 MB mail spools.  As well, I wouldn't know that /home/
> was filling up with misc. graphics stuff.  Same goes for Windows-- where
> is 33 GB going on this RAID?
> oh, well!
I don't know that I entirely agree with this.  You can enforce quotas
to keep home directories to a manageable size, without looking into the
directories.  Most companies do have an email policy that states email
should be business related, and is open to being read, so if you don't
want that, encrypt it.

There are basically two departments that root shouldn't have access to:
Finance and HR. The last company I worked for used an encrypted
database for Quickbooks accounting, and HR had a separate computer that
only she had access to, and if it needed admin work, she would be
there watching while it was worked on.  I do like the Zip disk idea as
well; in my old job at a uni math dept, ZIP disks were quite common for
the teachers to store records on.

Brandon

 
> Anyway, if you don't want root in your stuff, encrypt it, or don't
> keep it on there.  This guy I worked with did this:
> 1. Encrypt data
> 2. Put data on zip disk, remove from hard drive.
> 3. Put zip disks in locked cabinet.

