SE managed server sudo policy


SE sudo standard (Linux)

DoIT-SE grants administrative access to servers for the purposes of installing, configuring and maintaining customer applications. Changes to the operating system configuration required by any application should only be made by SE staff.  If you're unsure whether or not you are permitted to make a specific change, contact your primary systems administrator and operating system team.

When SE does grant super-user, or root, privileges to our users, we do so with a number of additional caveats to their use:

  • Do not use sudo to obtain a root shell without prior approval from SE.

  • Do not use sudo to invoke any system package manager to install software without prior approval from SE.

  • Do not use sudo for account modifications without prior approval from SE.  This includes adding, removing, or modifying users and groups, resetting passwords, and making changes to account security policies.

  • Do not use sudo to modify the operating system configuration or server resource controls.  Operating system configuration is loosely defined as files that were on a server when it was handed over to a customer.

  • Do not use sudo to shut down or reboot a server.

  • Do not use sudo to modify the firewall configuration of a server.

  • Do not use sudo to circumvent the agreed-upon policies and terms of service.

Our goal is to ensure that our sudo configuration enables our customers to do their job while at the same time protecting both the function of their server and the integrity of their data.  Below are some examples of tasks that can be performed with sudo:

  • Compile and install customer applications from source into application-specific filesystems.  Contact your primary systems administrator and operating system team to determine the appropriate location.

  • Start and stop customer applications.

  • Create, modify, and delete files and directories used by a customer application.

  • Switch to an application user to perform customer application tasks.

If you believe that you need a root shell to accomplish a specific task, please contact your primary sysadmin and operating system team.  In most cases alternate methods for completing tasks without the need for a root shell are available.  If it is determined that a root shell is required, SE will work with you to grant the necessary access.  Please note that some requests may need additional approval from DoIT Security.


Keywords: server sudo root
Doc ID: 38235
Owned by: Steve T. in Systems Engineering
Created: 2014-03-06
Updated: 2020-03-02
Sites: Systems Engineering