bitterandtwisted
Sep 4, 2006




MF_James posted:

Someone lied.

The more I think about it the more I have to come to the conclusion it was my boss who changed it, couldn't find what he changed it to until now, and reset it back while denying it all. Anyone else would have come clean right away but he can simply not admit to being wrong about the most trivial things.

Anyway, now I'm off to make backup admin accounts for all our hosts in case this 'vmware problem' ever happens again.

Guy Axlerod
Dec 29, 2008
Probably a good idea for monitoring to use a different account than people who log in.

AlexDeGruven
Jun 29, 2007

Watch me pull my dongle out of this tiny box


MF_James posted:

Someone lied.

Always.

Thanks Ants
May 21, 2004

#essereFerrari


Surely you can pull the age of a password out of whatever system it is, and when it's less than a week old you know it was changed.
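The check suggested above can be run straight against the account database. The following is an added example, not code from the thread: it parses Linux-style /etc/shadow records (the third field is the day of the last password change counted from 1970-01-01, the same value `chage -l` prints as "Last password change") and lists every account whose password is younger than a threshold, one week by default. The records, the placeholder hashes and the reference date are constructed for the example, and `parse_shadow`, `recently_changed` and `THREAD_DATE` are names chosen here.

```python
"""Flag local accounts whose password was changed within the last N days.

Added example (not from the thread). Parses Linux-style /etc/shadow records,
whose third field is the day of the last password change counted from
1970-01-01, and reports accounts changed more recently than a threshold.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)

# Reference "today" for the example: the day this thread was posted (constructed).
THREAD_DATE = date(2021, 2, 23)  # day 18681 counted from the epoch

# Constructed sample records; the hashes are placeholders, not real hashes.
SAMPLE_SHADOW = """\
# user:hash:lastchg:min:max:warn:inactive:expire:reserved
root:$6$placeholder1:18679:0:99999:7:::
bob:$6$placeholder2:18676:0:99999:7:::
monitor:$6$placeholder3:18400:0:99999:7:::
alice:!!:18500:0:99999:7:::
daemon:*:18000:0:99999:7:::
nochange:$6$placeholder4::0:99999:7:::
broken:$6$placeholder5:notanumber:0:99999:7:::
"""


@dataclass(frozen=True)
class PasswordAge:
    user: str
    last_change: date
    age_days: int


def parse_shadow(text: str) -> dict[str, int]:
    """Return {user: lastchg-day} for every record with a usable third field.

    An empty lastchg field means the change date is unknown; a non-numeric
    one is corrupt. Both are skipped rather than guessed, so they deserve a
    separate look if they show up on an account that can actually log in.
    """
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        user, lastchg = fields[0], fields[2]
        if not lastchg.isdigit():
            continue
        result[user] = int(lastchg)
    return result


def recently_changed(text: str, max_age_days: int = 7,
                     today: Optional[date] = None) -> list[PasswordAge]:
    """List accounts whose password is younger than max_age_days, newest first."""
    today = today or date.today()
    hits = []
    for user, day in parse_shadow(text).items():
        changed_on = EPOCH + timedelta(days=day)
        age = (today - changed_on).days
        if age < max_age_days:
            hits.append(PasswordAge(user, changed_on, age))
    return sorted(hits, key=lambda p: p.age_days)


if __name__ == "__main__":
    # On a real host, read the text from /etc/shadow (root only) instead.
    for hit in recently_changed(SAMPLE_SHADOW, today=THREAD_DATE):
        print(f"{hit.user}: password changed {hit.last_change} "
              f"({hit.age_days} days ago)")
```

Run over the sample with the thread date as "today", it reports root (2 days) and bob (5 days) and stays silent on the older accounts; the empty and garbage lastchg fields are skipped rather than treated as fresh changes. Pair the output with the host's auth log for the same window to see which session made the change.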

RFC2324
Jun 7, 2012

http 418

Guy Axlerod posted:

Probably a good idea for monitoring to use a different account than people who log in.

The more unique accounts the better. One for monitoring and one for each individual person.

It's not like accounts cost money, you can have as many as you want

The Fool
Oct 16, 2003


RFC2324 posted:

The more unique accounts the better. One for monitoring and one for each individual person.

It's not like accounts cost money, you can have as many as you want

I’d argue that local admin and monitoring are the only local accounts you should be making.

While I agree that every user of a system should have their own account, it needs to be hooked up to an identity store like AD

RFC2324
Jun 7, 2012

http 418

The Fool posted:

I’d argue that local admin and monitoring are the only local accounts you should be making.

While I agree that every user of a system should have their own account, it needs to be hooked up to an identity store like AD

Fair.

I'm used to the linux world where writing a script to go through all the servers and add the missing lines to passwd is still sometimes a thing.

I spent 10 minutes last night trying to ssh into a windows server :negative: I didn't feel nearly as bad when a coworker and the MOD did the same thing, tho

RFC2324 fucked around with this message at 17:54 on Feb 23, 2021

ChickenOfTomorrow
Nov 11, 2012

god damn it, you've got to be kind

RFC2324 posted:

Fair.

I'm used to the linux world where writing a script to go through all the servers and add the missing lines to passwd is still sometimes a thing.

I spent 10 minutes last night trying to ssh into a windows server :negative: I didn't feel nearly as bad when a coworker and the MOD did the same thing, tho

eh it's not like MODs knew

SlowBloke
Aug 14, 2017

RFC2324 posted:

The more unique accounts the better. One for monitoring and one for each individual person.

It's not like accounts cost money, you can have as many as you want

My personal stance is to never create user accounts but to hook as many systems to the central auth hierarchy (ldap/saml/etc) to limit password oversimplification (if you need to remember ten passwords it’s unlikely you will make them all complex and different).

VMware supports ldap on both hosts and vCenter and saml on vCenter. Use a restricted service account for logging and reporting, set the local root/administrator to an overly complex pass stored in a safe and set up everyone with their standard users as admins.

RFC2324
Jun 7, 2012

http 418

SlowBloke posted:

My personal stance is to never create user accounts but to hook as many systems to the central auth hierarchy (ldap/saml/etc) to limit password oversimplification (if you need to remember ten passwords it’s unlikely you will make them all complex and different).

VMware supports ldap on both hosts and vCenter and saml on vCenter. Use a restricted service account for logging and reporting, set the local root/administrator to an overly complex pass stored in a safe and set up everyone with their standard users as admins.

like I said before, I come from linux where just doing it in passwd is still an accepted thing, particularly when you are dealing with hosted services.

Place I worked a little while back had a script that would iterate through the entire 10-15k server global list of N*X servers updating passwd, group, and sudoers files. it was nuts

Thanks Ants
May 21, 2004

#essereFerrari


At least it updated them and kept things consistent

RFC2324
Jun 7, 2012

http 418

Thanks Ants posted:

At least it updated them and kept things consistent

oh yeah, it was pretty good, and way better than the LDAP implementation used by a handful of boxes in germany. Why would you set up an AD server to be the LDAP server for a unix farm, instead of an LDAP server that happened to be referenced by a small handful of windows boxes?

kensei
Dec 27, 2007

He has come home, where he belongs. The Ancient Mariner returns to lead his first team to glory, forever and ever. Amen!


This is the sequel to my previous TED Talk, Email was a mistake.

This morning our Monthly OPS Review call deteriorated into a discussion of why a user did not get notified when someone externally tried sending them an email with a 130MB attachment. I do not want to get a notice for every email that is not delivered to my mailbox, no way. And yet, that is what some of my peers are asking for. There is not a big enough :sigh:

AlexDeGruven
Jun 29, 2007

Watch me pull my dongle out of this tiny box


kensei posted:

This is the sequel to my previous TED Talk, Email was a mistake.

This morning our Monthly OPS Review call deteriorated into a discussion of why a user did not get notified when someone externally tried sending them an email with a 130MB attachment. I do not want to get a notice for every email that is not delivered to my mailbox, no way. And yet, that is what some of my peers are asking for. There is not a big enough :sigh:

gently caress that noise. Should it also send a notification every time a spam message is blocked? Where do the notifications for undelivered email stop? Talk about slippery slopes.

In other news, the offshoot company that now does our IT services has made a statement to individuals "Any changes without notification or authorization will result in a formal verbal warning... "

So far "any changes" is undefined. So, you know, logging into boxes? Checking something in the vCenter console? Building a new non prod VM?

I get that change controls are important, critical even, but poo poo has to be specific.

RFC2324
Jun 7, 2012

http 418

AlexDeGruven posted:

gently caress that noise. Should it also send a notification every time a spam message is blocked? Where do the notifications for undelivered email stop? Talk about slippery slopes.

In other news, the offshoot company that now does our IT services has made a statement to individuals "Any changes without notification or authorization will result in a formal verbal warning... "

So far "any changes" is undefined. So, you know, logging into boxes? Checking something in the vCenter console? Building a new non prod VM?

I get that change controls are important, critical even, but poo poo has to be specific.

Did something change? That's a change. It's really only complicated if you are trying to make production changes you shouldn't be.

Logging in and doing fact finding isn't a change. Adjusting a setting to see what happens, even if you change it back, is a change.

Guy Axlerod
Dec 29, 2008
Mail fails delivery due to over quota. Better send an email about that.

Finally delete some stuff, the 100s of over quota notifications are piling in putting you back over quota, and generate more over quota notifications.

Thanks Ants
May 21, 2004

#essereFerrari


Guy Axlerod posted:

Mail fails delivery due to over quota. Better send an email about that.

Finally delete some stuff, the 100s of over quota notifications are piling in putting you back over quota, and generate more over quota notifications.

I've changed my mind, you should do this.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

AlexDeGruven posted:

gently caress that noise. Should it also send a notification every time a spam message is blocked? Where do the notifications for undelivered email stop? Talk about slippery slopes.

Barracuda used to send you a little summary email every day with all the messages it blocked and a button to click on to allow them if they weren't spam.

Arquinsiel
Jun 1, 2006

"There is no such thing as society. There are individual men and women, and there are families. And no government can do anything except through people, and people must look to themselves first."

God Bless Margaret Thatcher
God Bless England
RIP My Iron Lady

kensei posted:

This is the sequel to my previous TED Talk, Email was a mistake.

This morning our Monthly OPS Review call deteriorated into a discussion of why a user did not get notified when someone externally tried sending them an email with a 130MB attachment. I do not want to get a notice for every email that is not delivered to my mailbox, no way. And yet, that is what some of my peers are asking for. There is not a big enough :sigh:

Presumably the sender was notified that the mail was rejected?

kensei
Dec 27, 2007

He has come home, where he belongs. The Ancient Mariner returns to lead his first team to glory, forever and ever. Amen!


Arquinsiel posted:

Presumably the sender was notified that the mail was rejected?

Yes, that was my point but I was shouting into the void at that moment so I am just waiting to see what happens with this after the P2 call is over.

(I am not joining the bridge in fear of saying something I may regret)

Arquinsiel
Jun 1, 2006

"There is no such thing as society. There are individual men and women, and there are families. And no government can do anything except through people, and people must look to themselves first."

God Bless Margaret Thatcher
God Bless England
RIP My Iron Lady

I'm not sure it's possible to politely phrase "you want to make other companies' mistakes our problem". Probably best to just hope they forget the idea.

chin up everything sucks
Jan 29, 2012

The sending party would have gotten a rejection notification when the email bounced. If they are sending 130MB files from an automated system, I bet they bounce on MOST of the people they send email to. I'd just get a quick list of how many spam emails are blocked or rejected each day across the organization, and go "Do you want to have X number of notifications blasting out every day, and having people review each one instead of being more productive?"

Guy Axlerod
Dec 29, 2008
The mail can be rejected somewhere else before it even gets to a system you control.

AlexDeGruven
Jun 29, 2007

Watch me pull my dongle out of this tiny box


RFC2324 posted:

Did something change? That's a change. It's really only complicated if you are trying to make production changes you shouldn't be.

Logging in and doing fact finding isn't a change. Adjusting a setting to see what happens, even if you change it back, is a change.

I agree, but without defined barriers on what a change actually entails, it's useless to say 'change'.

Logging into a system itself changes a lot of things. Granted, none of them are significant from an operational standpoint, but it still changes the state of parts of the system.

I'm being purposefully hyperbolic about it because the people making the demands are assholes who don't know poo poo from poo poo, and they have put forth stupidly nebulous requirements before.

Darchangel
Feb 12, 2009

Tell him about the blower!


Guy Axlerod posted:

The mail can be rejected somewhere else before it even gets to a system you control.

Exactly. Our email system at my previous employer would reject sent emails over a certain size before they got out of the network. I assume most do that, to varying degrees.

Renegret
May 26, 2007

THANK YOU FOR CALLING HELP DOG, INC.

YOUR POSITION IN THE QUEUE IS *pbbbbbbbbbbbbbbbbt*


Cat Army Sworn Enemy
I am a broke brained idiot when it comes to change management and will go as far as to submit tickets for updating port descriptions.

You never know when you're going to run some dumb poo poo arris bug.

If for nothing else, you have clear documentation of the before and after in a specific place that will last forever.

kensei
Dec 27, 2007

He has come home, where he belongs. The Ancient Mariner returns to lead his first team to glory, forever and ever. Amen!


Apparently the issue was a concern over our Anti-Spam system accepting an email that was larger than the limit we have set in O365, so those will now match and no extra notices were deemed necessary. Sometimes things work out!

RFC2324
Jun 7, 2012

http 418

Renegret posted:

I am a broke brained idiot when it comes to change management and will go as far as to submit tickets for updating port descriptions.

You never know when you're going to run some dumb poo poo arris bug.

If for nothing else, you have clear documentation of the before and after in a specific place that will last forever.

I am extremely fond of the script command. Record every drat thing I do for CYA purposes? yes please!

Fil5000
Jun 23, 2003

HOLD ON GUYS I'M POSTING ABOUT INTERNET ROBOTS

RFC2324 posted:

I am extremely fond of the script command. Record every drat thing I do for CYA purposes? yes please!

Sounds like entrapment to me

RFC2324
Jun 7, 2012

http 418

Fil5000 posted:

Sounds like entrapment to me

:vince:

Dr. Arbitrary
Mar 15, 2006

Bleak Gremlin

Fil5000 posted:

Sounds like entrapment to me

This joke is still great.

Lord Dudeguy
Sep 17, 2006
[Insert good English here]

RFC2324 posted:

Did something change? That's a change. It's really only complicated if you are trying to make production changes you shouldn't be.

Logging in and doing fact finding isn't a change. Adjusting a setting to see what happens, even if you change it back, is a change.

How do you keep 100% strict change controls while simultaneously being able to get work done? If every single change needs to be reviewed and improved, projects would take centuries to complete.

AlexDeGruven
Jun 29, 2007

Watch me pull my dongle out of this tiny box


Lord Dudeguy posted:

How do you keep 100% strict change controls while simultaneously being able to get work done? If every single change needs to be reviewed and improved, projects would take centuries to complete.

Exactly. There are things we do on a day to day basis, but they don't specify what qualifies as that. Therefore, every system touch should be catalogued and approved until those specifications are defined.

But this group doesn't want to do that. They want to have people "exercise common sense" and then slap people down when it's easy to make management look good.

RFC2324
Jun 7, 2012

http 418

Lord Dudeguy posted:

How do you keep 100% strict change controls while simultaneously being able to get work done? If every single change needs to be reviewed and improved, projects would take centuries to complete.

By planning ahead, doing more than one thing in a single downtime, and having a competent review board. I work in hosting, which means I frequently have to get changes past 2 review boards (ours and the customer's) and even those situations rarely last more than a week from "we need to schedule" to actually executing.

It can be hell if your review board is poo poo tho. I was at one place that required CAB reviews for fact finding missions, and that our submitted plans detail the exact commands we planned on running. If we had to run a single command not on the plan or not exactly as detailed on the plan, we had to cancel and back out.

And I just got a message from our security team yesterday for accessing a console in an unplanned event, so these things are actually checked on to some degree.

Arquinsiel
Jun 1, 2006

"There is no such thing as society. There are individual men and women, and there are families. And no government can do anything except through people, and people must look to themselves first."

God Bless Margaret Thatcher
God Bless England
RIP My Iron Lady

RFC2324 posted:

By planning ahead, doing more than one thing in a single downtime, and having a competent review board. I work in hosting, which means I frequently have to get changes past 2 review boards (ours and the customer's) and even those situations rarely last more than a week from "we need to schedule" to actually executing.

It can be hell if your review board is poo poo tho. I was at one place that required CAB reviews for fact finding missions, and that our submitted plans detail the exact commands we planned on running. If we had to run a single command not on the plan or not exactly as detailed on the plan, we had to cancel and back out.

And I just got a message from our security team yesterday for accessing a console in an unplanned event, so these things are actually checked on to some degree.

If your security team is good this was a "hey is this due to <planned change> that we know about?". If your security team is not good... :smithicide:

xsf421
Feb 17, 2011

Arquinsiel posted:

If your security team is good this was a "hey is this due to <planned change> that we know about?". If your security team is not good... :smithicide:

I work for the same company as he does, and had an infosec engineer tell me GUIDs are PII and need to be protected.

mllaneza
Apr 28, 2007

Veteran, Bermuda Triangle Expeditionary Force, 1993-1952




xsf421 posted:

I work for the same company as he does, and had an infosec engineer tell me GUIDs are PII and need to be protected.

Bah! It's anonymized data at most.

AlexDeGruven
Jun 29, 2007

Watch me pull my dongle out of this tiny box


xsf421 posted:

I work for the same company as he does, and had an infosec engineer tell me GUIDs are PII and need to be protected.

I got told we needed encryption at rest for a message queue...

The best part was that he basically told me he wanted me to teach him how to do his job, by way of refusing to review other requests with the exact same details, and refusing to contact the people I pointed him to that could accurately and concisely answer the application level questions he had.

Arquinsiel
Jun 1, 2006

"There is no such thing as society. There are individual men and women, and there are families. And no government can do anything except through people, and people must look to themselves first."

God Bless Margaret Thatcher
God Bless England
RIP My Iron Lady

mllaneza posted:

Bah! It's anonymized data at most.

The problem lies in whether or not it can be de-anonymised, and what value of "protected" he means.

RFC2324
Jun 7, 2012

http 418

Arquinsiel posted:

If your security team is good this was a "hey is this due to <planned change> that we know about?". If your security team is not good... :smithicide:

it was actually unplanned, and I forgot to open a ticket specifically for it. Server was unresponsive, so I rebooted and they wanted to know why I was in the console (checking for the black screen)

xsf421 posted:

I work for the same company as he does, and had an infosec engineer tell me GUIDs are PII and need to be protected.

I'm gonna say you don't work with me, given I am not a he :)
