| author | Drew DeVault <sir@cmpwn.com> | 2020-07-24 10:48:16 -0400 |
|---|---|---|
| committer | Drew DeVault <sir@cmpwn.com> | 2020-07-24 10:48:16 -0400 |
| commit | 5217ac11f6b317f3c363fb96f405bea04d46787d (patch) | |
| tree | da46062a9a863993987b4f94bd2a584c400c81c5 /ops | |
| parent | 1c300789da4e0a359fc024003ac351e6a9e1e893 (diff) | |
| download | sr.ht-docs-5217ac11f6b317f3c363fb96f405bea04d46787d.tar.gz | |
Add new sysadmin lecture
Diffstat (limited to 'ops')
-rw-r--r-- | ops/index.md | 1 |
-rw-r--r-- | ops/new-sysadmin.md | 36 |
2 files changed, 37 insertions, 0 deletions
diff --git a/ops/index.md b/ops/index.md index 6aaeb95..6bcc8b1 100644 --- a/ops/index.md +++ b/ops/index.md @@ -11,6 +11,7 @@ services which is not hosted in The Cloud™. Additional resources: +- [New sysadmin lecture](/ops/new-sysadmin.md) - [Backups & redundancy](/ops/backups.md) - [Emergency planning](/ops/emergency-planning.md) - [High availability](/ops/availability.md) diff --git a/ops/new-sysadmin.md b/ops/new-sysadmin.md new file mode 100644 index 0000000..ed6fbb0 --- /dev/null +++ b/ops/new-sysadmin.md 
@@ -0,0 +1,36 @@ +You're a production sysadmin now. That comes with certain responsibilities. + +In short: + +1. Respect the user's privacy, and look at only what you must. +2. Think before you type. +3. With great power comes great responsibility. + +Assorted tips: + +- Practice your changes on localhost first. +- Ask for help if you need it. +- Always run your SQL queries in a transaction. +- `SELECT things, you, want FROM x;` is generally better than `SELECT * FROM x;` + when considering the user's privacy. +- Share information on a need-to-know basis, both with people and with + computers. +- Avoid doing things that cannot be undone. + +## Spear Phishing + +Because you now have access to production systems, you may be a target for spear +phishing. A bad actor may target you directly in a social engineering attack in +an attempt to get you to leverage your access to mistakenly compromise the +system. For example, someone may impersonate another admin and ask you to add an +SSH key to a server. You need to be aware of this risk. + +If you receive a request to leverage your access for any reason, double check +the veracity of the request. Is the person on IRC identified with NickServ for +the correct account? Is the email they sent DKIM signed and verified from the +right sender? If in doubt, ask for a secondary form of authentication, such as a +PGP challenge. + +This also applies to normal requests from users - don't let someone impersonate +another user in an attempt to gain access to or manipulate their account. Be +especially careful with requests from users with 2FA enabled. |
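Review bot: in the ops/index.md hunk the new entry `+- [New sysadmin lecture](/ops/new-sysadmin.md)` is inserted at the top of the "Additional resources" list, whose existing items (Backups & redundancy, Emergency planning, High availability) are in alphabetical order; if that ordering is intentional the link belongs after "High availability", and if it is deliberately listed first as the onboarding document, a word to that effect in the commit message would stop the next contributor from re-sorting it.

Review bot: in the ops/new-sysadmin.md hunk the tip `+- Always run your SQL queries in a transaction.` only prevents damage if the reader knows to inspect the result before committing; suggest extending it to say to check the affected-row count and the rows the statement touched, and to ROLLBACK if anything is unexpected, since a transaction that is committed without looking undoes nothing. That also gives the later tip `+- Avoid doing things that cannot be undone.` a concrete example to point back to. Separately, in the spear-phishing section the check "Is the email they sent DKIM signed and verified from the right sender?" would be more precise as "signed by the right domain", since a DKIM signature authenticates the signing domain rather than the displayed sender.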