[BBLISA] Guidelines for giving full root access to DBAs

Jason Qualkenbush jqualkenbush at gmail.com
Sun Aug 20 12:06:13 EDT 2006


On 8/20/06, Sharon Nagao <sharon.nagao at gmail.com> wrote:
>
> Michael,
>
> Thank you for the excellent suggestions.  I will look into tripwire
> immediately.
>
> As for feeling the pain by the DBAs, that will take some time, thinking
> and discussion with the other admins.  I would appreciate it if people could
> share their policies/procedures if they have them.
>
> Any other advice by you or others would be most welcomed.
>


I must have well-behaved DBAs!  We have very well defined roles for system
administrators and DBAs.  We, as sys admins, are responsible for the
operating system.  So the DBAs send us the requirements, like kernel
parameters for upgrading from Oracle 9 to 10.  We add swap space, change
kernel params, and get the operating system all set.   We then add them into
the sudo list so they can run their install.  When they no longer need sudo,
they call us and we remove access.

I guess it has more to do with environment.  Where I work, they have done a
very good job defining roles.  Sys admins own the operating system and
are therefore responsible for it.  Application owners own the application.  Sys
admins don't go changing apache config files, just as the web team doesn't
go changing kernel parameters.

One thing is maybe to get the boss or whoever to define who is called or
responsible if the server goes down in flames.  If you are the person
called, you can make the argument that the DBAs could (and will) hork a
config killing the server at 3am causing a phone call to you.

A sneaky thing you might try is to casually let whoever does network/cyber
security or audits know about it.  If your company has to get audited
(Sarbanes or whatever), this could be something that might raise a flag.
Whoever the person is that gets the brunt of the audit is probably going to
go nuts if he/she has to explain security or policy violations.