Try maintaining 900+ servers running a myriad of different software. We maintain the platform, other specialized teams maintain the software.
Indeed. Depending on your circumstances, there may be a multitude of teams with a stake in the management of your systems. These might include:
- the Unix Support team (who do the Unix work);
- the Operating System Monitoring team (who look for Unix-related problems, 24x7);
- the Gateway team (who manage the nexus to the Internet);
- the Developer team (who write the applications);
- the Application Support team (who investigate application problems);
- the Application Monitoring team (who look for application problems, 24x7);
- the Transaction Monitoring team (end-to-end instrumentation of all transactions);
- the Database team (which is just another kind of application);
- the Internal Security team (who watch everyone, including the other watchers);
- the Log Management team (central collection, and analysis of logs);
- the SAN management team (who look after all the storage);
- the Network team (who direct the electrons);
- the Project Management team (who organise and direct multi-disciplinary activities); and
- the Quality Assurance team (who co-ordinate all the other teams).
I have worked in places where most of these teams were present, and separately constituted.
Changes to production systems are going to be rigidly controlled. But there still have to be mechanisms for application support people to perform their routine work requiring elevated privilege (e.g. application start, stop, and software release).
The development, test, and hot-fix environments would all require privilege escalations to get a wide range of routine work done by developer, application support, and test teams.
In a security-minded environment, you have to trust the Unix administrators to some extent (`su` still gets logged), but for everyone else, all routine privilege escalations would be controlled by `sudo` (or similar), logged, and analysed automatically for any sign of problems. In these situations the log management team is generally held at length (and often physically separated in a secure situation). All non-routine changes would be raised, approved, and passed, via some formal work management system, to the team(s) with the required authorisations.
And, `su -` by anyone outside Unix support is most certainly a clear sign of malfeasance... It would attract a lot of attention...
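As an added example (not part of the answer above), here is the kind of automated check a log management team could run over `sudo` and `su` syslog lines: it flags `su` to root by anyone outside the Unix Support team, shells or `su` launched through `sudo`, denied `sudo` requests, and `sudo` use outside a per-user routine allow-list. The team account `unixadm`, the `appsupp` user, the `/opt/app/bin/appctl` command and the sample log lines are all constructed for this illustration.

```python
import re

# Users trusted to su to root (the Unix Support team). Constructed account name.
UNIX_SUPPORT = {"unixadm"}
# Routine escalations allowed per user: (run-as user, command prefix). Hypothetical policy.
ROUTINE = {"appsupp": [("appuser", "/opt/app/bin/appctl")]}
# Commands that amount to an interactive root session rather than a routine task.
SHELLS = {"/bin/bash", "/bin/sh", "/bin/su", "/usr/bin/su"}

# Matches the standard sudo syslog line, including the "command not allowed" variant.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<denied>command not allowed) ; )?"
    r"TTY=\S+ ; PWD=\S+ ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")
# Matches the "su: (to root) user on pts/N" line written by su on Linux.
SU_RE = re.compile(r"su(?:\[\d+\])?: \(to (?P<target>\S+)\) (?P<user>\S+) on \S+")

def check_line(line):
    """Return a (severity, reason, user) finding for one syslog line, or None."""
    m = SU_RE.search(line)
    if m:
        if m["target"] == "root" and m["user"] not in UNIX_SUPPORT:
            return ("high", "su to root outside Unix Support", m["user"])
        return None  # su by Unix Support is logged but routine
    m = SUDO_RE.search(line)
    if not m:
        return None  # not a privilege escalation record
    user, runas, cmd = m["user"], m["runas"], m["cmd"]
    if m["denied"]:
        return ("medium", "sudo request denied by policy", user)
    if cmd.split()[0] in SHELLS:
        return ("high", "interactive shell or su via sudo", user)
    if user in UNIX_SUPPORT:
        return None
    for allowed_runas, prefix in ROUTINE.get(user, []):
        if runas == allowed_runas and cmd.startswith(prefix):
            return None  # matches the user's routine allow-list
    return ("medium", "sudo outside routine allow-list", user)

def analyse(log_text):
    """Scan a block of syslog text and return all findings in log order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = """\
Mar  3 09:12:01 app01 sudo:    appsupp : TTY=pts/1 ; PWD=/home/appsupp ; USER=appuser ; COMMAND=/opt/app/bin/appctl restart
Mar  3 09:15:44 app01 sudo:    appsupp : TTY=pts/1 ; PWD=/home/appsupp ; USER=root ; COMMAND=/bin/bash
Mar  3 09:20:10 app01 su: (to root) devjoe on pts/2
Mar  3 09:21:03 app01 su: (to root) unixadm on pts/0
Mar  3 09:30:00 app01 sudo:    devjoe : command not allowed ; TTY=pts/2 ; PWD=/home/devjoe ; USER=root ; COMMAND=/usr/bin/less /var/log/secure
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```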