Forum: CFEngine Help Subject: Re: Security Tools and Root Access Author: sauer Link to topic: https://cfengine.com/forum/read.php?3,23093,23107#msg-23107
Tom Tucker Wrote:
-------------------------------------------------------
> My company has recently purchased a new security tool. For this tool to
> operate at maximum efficiency root level access is required via login
> credentials, ssh keys or sudo rights.
>
> 1) Are you aware of a wrapper, unique shell or similar tool that could
> provide root level access at a read only level?
> 2) Any recommendations on an open source or commercial enterprise level
> file integrity checker similar to Tripwire?
> 3) Is it common for security departments to have root level access to
> all IP devices (network, windows, unix, etc)?
> If your security department has root access... what level of agreement
> do you have between the various groups (unix, windows, etc) and the
> security team?

People have already answered the other questions ("no/you should use sudo so it's most easily auditable" and "CFengine/Tripwire/Aide", respectively). But I wanted to reiterate on the last one that I can't imagine what a security team without root access does. What kind of organization has a security team which is not responsible for managing access control, and who in their right mind would hire someone to manage security but not trust that person?

My organization (a bank and insurance company - lots of regulation) has security teams with administrative access upon the platforms they manage. The teams are broken up into major OS (unix/windows/mainframe) and similar (application, network, database, etc) teams, and each has admin-level access on the security component for which they are responsible. The agreement for any level of access on any platform / application will essentially boil down to "your access is only granted in order to enable you to perform tasks which are within the scope of your job duties".

There's various auditing / logging / monitoring in place to identify activities which exceed the scope - and responses to such activities range from "a stern talking to" to "immediate termination".

PS - granting Nessus root access is sketchy at best; if you need root to identify a vulnerability, is it really a vulnerability? ;)