Date:      Fri, 9 Nov 2001 02:29:14 -0500
From:      "Andrew C. Hornback" <>
To:        "Ted Mittelstaedt" <>, "FreeBSD Questions" <freebsd-questions@FreeBSD.ORG>
Subject:   RE: Lockdown of FreeBSD machine directly on Net
Message-ID:  <001101c168f0$3b6fb1a0$6600000a@ach.domain>
In-Reply-To: <000001c168ee$0d696280$>

> -----Original Message-----
> From: Ted Mittelstaedt []
> Sent: Friday, November 09, 2001 2:14 AM
> To: Andrew C. Hornback; Anthony Atkielski; FreeBSD Questions
> Subject: RE: Lockdown of FreeBSD machine directly on Net
> >> > Most organizations require something like that in
> >> > writing, or at least as part of a face to face
> >> > conversation.  That negates this loophole.
> >>
> >> I've never encountered an organization that has a policy like that, but my
> >> personal policy is along those lines.  If any manager wants me to compromise
> >> system security, he needs to put it in writing.  This not only protects the
> >> organization from hanky-panky, but it protects me and the organization from
> >> lawsuits (albeit not prosecution, in most cases).
> >
> >	Having held such positions as Senior System Administrator, Director of
> >Server and Network Operations and (hands on) Chief Operating Officer of an
> >ISP... I'm very surprised that you've never encountered this.
> >
> >	Such a policy is standard operating procedure for me, period, no matter
> >where I am employed.
>
> Same here.  However, it's not usually done in physical writing.

	Depending on the severity of the request, I have made substitutions.  If
it's a small tweak or something like that that won't impact the unity of the
network and its systems, I'd generally just have to have an e-mail.
However, if it's something to the point of "Pull this machine off-line, tear
it down and rebuild it in this specific timeframe", then I'm definitely
going to want something in writing.

> I _am_ COO of an ISP

	Better you than me!  *grins*

> and _everything_ that is done in the systems by myself or the sysadmin
> touches the e-mail system in some manner.

	Good policy... as long as your e-mail system doesn't get all coked up...

> Either the request comes via e-mail to the support list from a customer, or
> if it comes via phone a note is sent to the support list, or via ad-hoc from
> one of the techs it is written up in the mail system.  In fact one of the
> daily tasks I do is decide what requests to permanently archive.  It's not
> necessary to formalize things to the extent you're referring to; a simple
> 3 sentence e-mail that establishes who made the request and if the request
> is completed is enough.

	It's job dependent, as far as I'm concerned.  But, like I said, for small
things, that's not a problem.

> This establishes in the archive time and date and tracking.  And that
> doesn't even cover the tracking done on the billing system which has its
> own tracking system.

	*nods*  I implemented this system when I was thrown into an ISP environment
that had no documentation, no standard operating procedures and a brand new
owner that bought half an ISP because he needed some place to store his web
pages.  Structure is one of the first things that you can use to combat pure

> I have had a lot of experience running IT and there is absolutely no way to
> even start getting a handle on the department if this isn't done.

> If you don't take the time to track things you spend time running from
> firedrill to firedrill and you cannot even begin to explain to the CEO or
> president why so much of the company IT time is burned up on bullshit
> requests.

	Especially when management is the group that makes such requests.

> I've lost track of the number of times at previous companies I've worked at
> that some puffed-up department head has steamed into my office ready to nail
> my ass to the wall because some system they depend on got cocked-up, only to
> have me show them an e-mail audit trail which points the blame for the
> problem right back to some cockamamie thing that they or one of their
> underlings had my department do.

	*nods*  It's CYA time.  That's why I like being able to whip out a binder
full of memos and show exactly what happened, why, and whose fault it was.
It also gives me a quick reference in case something needs to be repeated or
> I'll readily admit that there's plenty of products (Notes comes to mind)
> that are out there to do what I do with my e-mail system, but none are as
> fast to enter data to.  E-mail is also something everyone, internal and
> external employees, vendors and customers read, and I've CC'd more CYA
> e-mails to troublemakers than I can remember.

	*grins*  Back when I first landed that hellacious ISP job, I wanted to set
up an internal mail server for just employees so we could keep track of tech
support stuff, etc.  There was nothing like that in existence up until that
point, and I figured it would be something good to have in training new
employees, etc.  I made the proposal to management, and got the biggest
"Deer caught in headlights" look that I've ever seen...

	I still maintain that some people just weren't cut out to own/operate an

	Obligatory FreeBSD content: while I was there, it was an all-Microsoft shop
(running NT 4.0), with the exception of a single FreeBSD machine used as a
proxy server.  The FreeBSD box was the only one that I don't recall
rebooting except to move it.

--- Andy
