CYA for System Administrators
Things to keep in mind in our litigious society04/19/2000
In the last Linux in the Enterprise column, Linux Tools For Network Analysis, I mentioned some things to consider when you're using network scanning systems on your company's network. Doing the wrong thing in the cause of making your network "more secure" can land an unlucky administrator in a duel with the legal system. This is more likely when your actions come as a surprise or are viewed in a bad light by others who question your authority or motives to be doing what you're doing. With all the sound and fury in media about evil hackers, it's a good idea to consider how to protect yourself ahead of time.
System Administration is a job with few parallels in the world. In many jobs, individuals have control over systems and infrastructure critical to the lives and jobs of others, including running mass transit systems, police work, air traffic control. However, in very few other professions do the people who control the infrastructure also have the ability to read the e-mail, modify the spreadsheets of, change the credit ratings, or deny access to the people using the infrastructure. Another difference is that in many of those more established fields, regulations are in place to protect the systems' users and the administrators who run the systems.
The sheer power of the systems administration function intimidates many users and management types when they stumble into the realization of just what can be done with root privileges. The question that shakes out of this is pretty simple: How can I do my job, run a system or network safely and securely without winding up on the wrong end of a subpoena?
Know your responsibilities
Some system administrators inherit large systems, others watch them grow up around them. Whichever situation you find yourself in, it's a good idea to make sure that your role and your responsibilities are fully specified.
By "fully specified" I don't mean that you should have your boss tell you what keystrokes you are responsible for typing, but your job description should be complete and list not only the hardware and software you support, but what management areas that role includes. Many administrators have a blanket job description that reads something like:
Manage and maintain workstation and server environment in support of development and production systems.
Sound familiar? Most system administrators work under this kind of job description, but it includes a lot of room for interpretation, which could mean trouble if someone decides to make you a target.
A more complete job description might be along the lines of:
Manage and maintain workstation and server environment in support of development and production systems including:
- Setup of systems
- Backup and recovery of files
- Management of file servers
- Maintenance of printing environment
- Administration of system security
The last item might also include:
- Application of vendor supplied patches
- Basic system security (file permissions, access control lists, etc.)
- System activity reporting
- Work with company security personnel in implementation/investigation of security initiatives and issues
This job description spells out responsibilities clearly without tying the hands of a system administrator. By working within its limits, a system administrator guards against being criticized for over-extending their reach or activities in an unauthorized fashion.
It is important to read between the lines about things not explicitly in the job description. Left out are tasks like "enforcement of password standards" or anything about "network scanning." Of course, your job may include such activities, but it's better to have an explicit understanding between yourself and your management with regard to exactly what kinds of tasks and responsibilities are included in your job.
Pages: 1, 2