Peter Tribble wrote:
> On Fri, 2006-06-02 at 14:38, Dave Miner wrote:
>> Peter Tribble wrote:
>>> I'm not sure it's necessary or desirable to register all software
>>> in a central repository. As a system administrator, if someone has
>>> installed some software without involving me first, then that's
>>> their problem and I don't want to be involved. From the other side,
>>> if as a developer or application person I install a piece of software
>>> then I would go after a system administrator who fiddled with it
>>> with an axe.
>> You, as an administrator, would regard it as not your concern if some 
>> end user has installed Sun Java System Web Server (that would be one of 
>> the products taking advantage of this, by the way) and we've issued a 
>> security alert for a gaping root exploit on it?  I think the average SOX 
>> auditor would be concerned by that attitude, because it's your system 
>> that's at risk.
> 
> Not at all:
> 
>  - if someone has installed any piece of software on an audited
> machine without my knowledge, then that would already be a
> problem
> 
>  - something that might run as a service, even worse
> 
>  - I would go through the roof if someone installed an open
> service running as root without my knowledge
> 
>  - I would be interested to know how an unprivileged user
> managed to get a privileged application onto the system in
> any case. An unprivileged user shouldn't be able to install
> anything (irrespective of whether it's a tarball or a
> package) that could cause a root compromise.
> 
> In other words, if this sort of thing is an issue then you need
> the procedures in place to deal with it, whatever the underlying
> mechanism for managing the software.
> 

Completely agreed, but that leaves the question: how do you find out 
about these things, and are there things we can do to help you know and 
manage the lifecycle as needed?  That's what I'm trying to identify 
here.  Your comments below are certainly indicative of a need for some 
level of record-keeping and management.  I think it's in everyone's best 
interest if we don't just punt on helping meet that need.

> Note that I said "if someone has installed some software without
> involving me first". In this sort of case I would expect to be
> involved and the software managed properly. Whether it's
> packages or tarballs, a central repository or written down in
> the big book, doesn't make much difference.
> 
> 
> I think that this highlights that there are a variety of
> scenarios and that we perhaps need to clarify which scenarios
> we're talking about, and what solutions might be relevant for
> each scenario.
> 

I'd agree with that.  Narrow solutions are fine if the use cases are 
narrow; when the use cases are broad, the solutions usually are, too.

Dave
