On Mon, 2 Nov 2009 21:00:18 -0600
Marcy Cortes <[email protected]> wrote:

> You can restrict them up the wazoo but if someone has written a security law 
> that says "remove unnecessary accounts", you'd like them to stay removed when 
> you remove them.
> And it's pretty darn hard to convince an auditor that "games" are necessary 
> on a server that processes financial transactions.  Can you see the big red 
> flags waving around?
>
> It's not SuSEconfig.  I tried that.
> It must be maintenance to some particular package.
> Right now, we just clean up.  But it would be way better to not have to do 
> that.

You are playing the wrong game ;)

"Remove unnecessary user accounts"
"I've checked carefully. It isn't a user account, it's a file ownership
tag reserving a uid for file system use, it cannot be used to log into the
machine"

(and if need be of course ask your supplier to confirm that and file the
response somewhere safe for the auditbogons)

and if they keep complaining you then say things like

"You realise if I remove the entry then the user id may get reassigned to
something else leaving old files with unsafe ownership and threatening
security" (which btw is *TRUE* - it's unlikely to risk security but if the
id is dynamically assigned by your system then not only might it come
back but something else might get that id with bad for system results)

"If I remove this entry then the system is not operating as provided,
I'll need to discuss this with our support vendor and get written
confirmation"

I also loved this response (for telco equipment originally and learned
working for a Telco) and preferably said in the best impression of utter
cluelessness

"Gee I'm glad you know something about this stuff, I just need that in
 writing from you for the change request so we know who to sue if it
 breaks"

Incidentally the origin in audit of a lot of the "delete user accounts"
policies is sound. Historically there were lots of break-ins through
things like VMS system maintenance accounts, stale real user ids and also
things like uucp default configurations left open by vendors.

I don't think anyone would argue about removing spare user accounts, just
that these are not user accounts and fixing that description is how you
fix the problem.

Alan
--
"I tried working for myself, but my boss was an idiot"
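An added example in POSIX shell, not from Alan's or Marcy's mail, that automates the two checks the argument above rests on: the reserved entry has a non-login shell, and deleting it leaves files owned by a bare numeric uid that the next account assigned that uid would inherit. All inputs are constructed; on a live host you would feed it /etc/passwd and the output of GNU `find / -printf '%U %p\n'` (or simply run `find / -nouser`).

```shell
#!/bin/sh
# Added example (not part of the original thread). Constructed sample data only.

# Constructed /etc/passwd excerpt; "games" is the reserved entry under discussion.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
games:x:12:100:games:/var/games:/usr/sbin/nologin
marcy:x:1000:100:Marcy:/home/marcy:/bin/bash'

# Constructed owner listing in the shape of: find / -printf "%U %p\n"
SAMPLE_FILES='0 /etc/passwd
12 /var/games/highscores
12 /var/games/fortune.dat
1000 /home/marcy/.profile'

# is_nonlogin PASSWD_TEXT NAME: 0 if NAME exists and cannot log in via its shell,
# 1 if it has a real shell, 2 if there is no such entry at all.
is_nonlogin() {
    shell=$(printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $7 }')
    [ -n "$shell" ] || return 2
    case "$shell" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# without_entry PASSWD_TEXT NAME: the passwd text with NAME's line deleted
# (simulates the "remove the account" change the auditor is asking for).
without_entry() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 != u'
}

# orphan_files PASSWD_TEXT FILE_LIST: every "uid path" line whose uid has no
# passwd entry, i.e. files a future account created with that uid would own.
orphan_files() {
    printf '%s\n' "$2" | awk -v pw="$1" '
        BEGIN { n = split(pw, l, "\n")
                for (i = 1; i <= n; i++) { split(l[i], f, ":"); known[f[3]] } }
        !($1 in known)'
}

main() {
    if is_nonlogin "$SAMPLE_PASSWD" games; then echo "games: non-login entry"; fi
    after=$(without_entry "$SAMPLE_PASSWD" games)
    echo "files left with an unowned uid after deleting games:"
    orphan_files "$after" "$SAMPLE_FILES"
}
main
```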

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
