On 12/20/2016 12:23 PM, Michael MacIsaac wrote:
>> > You say your audit trail is lost but then cite environment variables.
>> > Don't count environment variables as "audit". Ever.
> With Apache password-protected directories tied to LDAP, this seems to be
> working. Users must authenticate to get in to the system from a browser. We
> then have AUTHENTICATE_UID or REMOTE_USER set.  The user is passed on from
> our scripts that perform operations.  I'm not sure how that can be
> circumvented, at least from the Web.  It's SSH sessions that are trickier.

I missed the CGI connection. Sorry about that.
In that case, you're running in some context (might even be a shell
script, shudder) but not such where a user is entering commands. So
that's good stuff. The server told you what it enforced. Therefore ...

In CGI scripts, the environment may ("does"?, or at least "should")
provide some of the audit you're looking for.
It's the SSH sessions, or any shell/command sessions, where I'd say
"don't ... ever".

Be very wary of 'sudo' in CGI scripts.
'su' should not be used from a CGI script, "ever".   :-)

-- R; <><




----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/

Reply via email to