[CentOS] [Fwd: Re: https and self signed]

Sat Jun 18 22:58:37 UTC 2016
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Sat, June 18, 2016 5:20 pm, James B. Byrne wrote:
> On Fri, June 17, 2016 13:08, Valeri Galtsev wrote:
>> We do not expire accounts until the person leaves the Department
>> and grace period passes. Then we do lock account and after some
>> time person's files are being deleted. This is the policy, and
>> this is what we do. The only time when account expiration is being
>> set is for undergraduate students who temporarily work with some
>> professor. For them expiration is being changed when the continue
>> to work with the professor next academic year.
>> Is this not what everybody does?
> Every end-user account, including my own, is given an expiry date six
> to twelve months in the future and that is extended at intervals as
> needed.  The only exception to this are the root users which have no
> expiry date set.
> A forgotten and disused user account that retains access to your
> system is a significant risk in my opinion.

I run [multi-user] systems under assumptions that bad guy is already
inside. Two (or so) incidents when bad guys tried to elevate privileges
(unsuccessfully) I probably mentioned already were from accounts of users
that still were in the Department at those moments. Not from accounts that
shouldn't be in the system already. Probably because though our policies
differ from yours, we still do not have users whose accounts should be
closed - they indeed had been closed.

Most of the servers I run do not allow remote root login (I'm simplifying,
things are a bit more sophisticated here, which I prefer not to describe:
information is first step in long process of compromising your machine).
Now with no root login, imagine one or all regular accounts who _can_ su
onto root just expired. Have you ever locked yourself out with firewall?
Remember: when enabling firewall changes we always were leaving at task
some 10 min in a future that reverts all changes and restarts firewall -
just in case you locked your out by these changes. We always do that,
right? Only when you are locked off your machine because of expired
regular user (the only one who can su into root account) nothing saves
your day: you will need a warm body in your server room with the ability
to become root to extend that your account. Or you have some other plan
for the scenario I described? What is it, I'm really curious.


Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247