TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
Hmm, the ability to TAKE master status WHEN SOMEBODY HAS ALREADY GOT IT is controlled as a role (Master Status Manager) but I ASSUMED that anybody could TAKE master status IF IT WAS AVAILABLE without any special privileges other than having their keys copied to the sensor. I've not tested this, however, and I could be wrong. The implication, if the above is true, would be that any user on any console could assume master status if (a) their keys were on the sensor (b) master status was not already taken. That's why, at least with v5, some installations explicitly take and hold master status from one particular console.

Jason

On Thu, 16 May 2002 09:10:04 -0400, you wrote:

>The ability to take master status is controlled in the daemon roles on the
>sensor. If you don't set the new console up in the master status manager,
>they can't take it.
>
>Scott
>
>-----Original Message-----
>From: Jason Renard [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, May 15, 2002 12:07 PM
>To: [EMAIL PROTECTED]
>Cc: Rajesh Vasudevan
>Subject: Re: Read only access to WGM Console
>
>Rajesh
>
>There are several issues around this - especially if you plan to just have
>one console (eg how you manage the keys for different users). One approach
>I've seen is to have one console which has, and keeps, master status for all
>sensors - then have another console which is able to monitor sensors but
>cannot claim master status because it is already taken. However you need to
>back this process up with reliable procedures.
>
>Whatever you do, whether you just have one or multiple consoles, you should
>also bear in mind the possibility of users editing policy files on the
>console themselves (if they're malicious) so even if they can't apply the
>new policy, their changes may be picked up the next time YOU apply the
>policy. It depends whether you want to protect against casual
>reconfiguration or deliberate malicious reconfiguration. One issue with
>multiple consoles is that you need to co-ordinate where you keep the
>true/live policies, else you risk having multiple policies at different
>levels.
>
>Jason
>
>On Tue, 14 May 2002 11:38:07 +0530, you wrote:
>
>>HI,
>>
>>We are using Real secure 6.5 WGM and Network Sensors, we are planning to
>>give the console to 24X7 NOC Team for monitoring the events. But I don't
>>want them to edit the policies or any events. Is it possible to install
>>a console in a separate system with Read Only rights (like in Firewall
>>1 Management console)?
>>
>>Waiting for your reply
>>
>>With Regards
>>Rajesh Vasudevan
>>Security Operations
>>Wipro Technologies
>>Bangalore
>>India
>>Ph: 91-080-8520408 Extn: 5138
>
>Jason Renard
>
>Warning - all views expressed are my own.
>I cannot guarantee the accuracy of everything
>I've said - use it at your own risk.

Jason Renard

Warning - all views expressed are my own.
I cannot guarantee the accuracy of everything
I've said - use it at your own risk.
