Re: ACL



All security policy that is site specific must be in writing.

SAGE and other organizations have published vetted documents on the ethics
of systems administration. These documents can be used, and the SAGE
document is an industry standard.

If the standards are not in writing, you do not have standards.

Unwritten security standards do NOT exist. (Test that in a law court
sometime.)


On Mon, Jul 28, 2008 at 11:25 AM, Broekman, Maarten <
Maarten.Broekman@xxxxxxx> wrote:

This is the point I was trying to make. Sorry if that wasn't clear. If
there's no legal reason for the sysadmins to access the particular data,
then there's no reason for them to object to having SELinux policies in
place to enforce the written (or unwritten) policy.

SELinux in no way reduces the need to hire trustworthy people. It
probably increases the need to do so since you have to hire people you
can trust to correctly implement the policies.

Maarten Broekman
Email: maarten.broekman@xxxxxxx

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx
[mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Laszlo BERES
Sent: Monday, July 28, 2008 11:20 AM
To: General Red Hat Linux discussion list
Subject: Re: ACL

hike wrote:

It is unethical for sysadmins to access this data without a specific reason
and approval.
If you cannot trust your sysadmins to act in an ethical fashion, YOU have
screwed up big-time.

YOU hire trustworthy people.
YOU train trustworthy people.

Well, you're right, but imagine a world, where your sysadmins _cannot_
access the data for legal or national security or other reasons. There's
no place for trustworthiness or 'I swear I won't touch anything', you
_have_ to restrict the access rights.

--
Laszlo BERES RHCE, RHCX
senior IT engineer, trainer

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

