<div dir="ltr">Do we have a recording of this discussion? There was a lot of stuff that we covered, and I'm wondering if listening to it again could help clarify where we need to go with the draft system account ballot?<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 16, 2020 at 11:08 AM Neil Dunbar via Netsec <<a href="mailto:netsec@cabforum.org" target="_blank">netsec@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>All,</p>
<p>So here's my (current) thinking on the ballot regarding system
accounts/user accounts.</p>
<p>It seems that many operations have a centralised list of accounts
which represents the maximum _potential_ set of different access
identifiers to any given system (example: an enterprise-wide LDAP
service, and each system is configured to use <tt>sssd</tt> as
its system account database provider). What this means is that I,
as a system administrator, could execute:</p>
<p><tt>getent passwd</tt></p>
<p>and get a long list of <tt>alice, bob, charlie, dave</tt> ... Of
whom only <tt>bob</tt> is actually supposed to be using the
system. Now, most of those users will be assigned to groups, or
roles, or some sort of privilege assignment. It's that association
of account -> privilege which defines the ability to use the
system, not the existence of an account name per se.</p>
<p>So, when I hear the terms "account" and "credential", I tend to
think of usernames and passwords, which are not <i>necessarily</i> the
things that I might want to see controlled. It's the association
of privileges that I want to see demonstrably controlled.</p>
<p>So, when we talk about "deactivating" the account, it seems to me
that what we want is for the privilege association between the
account name and the host to be broken; we remove the username
from the group "<tt>sensitive_host_users</tt>", or we take them
out of "<tt>two_factor</tt>" roles (meaning that their credentials
might still work, but are insufficient to access the sensitive
host, etc.).</p>
<p>But I wonder if this is what others on the group are thinking? <br>
</p>
<p>Looking forward to talking this through,</p>
<p>Neil<br>
</p>
</div>
_______________________________________________<br>
Netsec mailing list<br>
<a href="mailto:Netsec@cabforum.org" target="_blank">Netsec@cabforum.org</a><br>
<a href="http://cabforum.org/mailman/listinfo/netsec" rel="noreferrer" target="_blank">http://cabforum.org/mailman/listinfo/netsec</a><br>
</blockquote></div>
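<div dir="ltr"><p>As an added illustration of the account-versus-privilege distinction in the quoted message (this script is not part of the thread and is not CA/Browser Forum or project code), the bash below works on constructed <tt>getent passwd</tt> and <tt>getent group</tt> style data for a host that resolves accounts from an enterprise directory through sssd. The group names <tt>sensitive_host_users</tt> and <tt>two_factor</tt> come from the message; the directory entries, the helper names, and the policy that a user must hold both memberships to reach the sensitive host are assumptions made for the example. It lists every account the host can resolve, the subset with effective access, and what is left after "deactivating" a user by breaking the group association while leaving the account and its credentials in place.</p>

```bash
#!/usr/bin/env bash
# Added example (not from the mailing-list thread). All directory data below is
# constructed to mirror the scenario in the message: the host resolves every
# directory account, but only group membership confers access.

# What `getent passwd` might return on a host using sssd against an enterprise
# directory: every account the directory knows about, not just local users.
SAMPLE_PASSWD='alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
charlie:x:1003:1003::/home/charlie:/bin/bash
dave:x:1004:1004::/home/dave:/bin/bash'

# What `getent group` might return for the two groups named in the message.
SAMPLE_GROUP='sensitive_host_users:x:2001:bob,charlie
two_factor:x:2002:alice,bob'

# Assumed policy for this example: access to the sensitive host requires
# membership in BOTH groups (the message only says the association matters).
REQUIRED_GROUPS="sensitive_host_users two_factor"

# members_of GROUP GROUPDATA -> member names of GROUP, one per line
members_of() {
  local group=$1 data=$2
  printf '%s\n' "$data" |
    awk -F: -v g="$group" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
  return 0
}

# known_accounts PASSWDDATA -> every account name the host can resolve
known_accounts() {
  printf '%s\n' "$1" | cut -d: -f1
}

# effective_users PASSWDDATA GROUPDATA -> accounts that exist AND hold every
# required group membership; this is the set an auditor should care about.
effective_users() {
  local passwd=$1 groups=$2 user rest g ok
  while IFS=: read -r user rest; do
    ok=1
    for g in $REQUIRED_GROUPS; do
      members_of "$g" "$groups" | grep -qx -- "$user" || { ok=0; break; }
    done
    if [ "$ok" = 1 ]; then printf '%s\n' "$user"; fi
  done <<< "$passwd"
  return 0
}

# deactivate USER GROUPDATA -> GROUPDATA with USER removed from every member
# list. The passwd entry is untouched: the credentials may still work, but they
# no longer grant the privilege that reaches the sensitive host.
deactivate() {
  local user=$1 data=$2
  printf '%s\n' "$data" |
    awk -F: -v u="$user" 'BEGIN { OFS = ":" } {
      n = split($4, m, ","); out = ""
      for (i = 1; i <= n; i++)
        if (m[i] != "" && m[i] != u) out = (out == "" ? m[i] : out "," m[i])
      $4 = out; print
    }'
}

# Stand-alone demonstration
echo "Accounts the host can resolve:";  known_accounts "$SAMPLE_PASSWD"
echo "Accounts with effective access:"; effective_users "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
AFTER_DEACTIVATION=$(deactivate bob "$SAMPLE_GROUP")
echo "Group data after deactivating bob:"; printf '%s\n' "$AFTER_DEACTIVATION"
echo "Effective access now:"; effective_users "$SAMPLE_PASSWD" "$AFTER_DEACTIVATION"
echo "bob still resolves in passwd: $(known_accounts "$SAMPLE_PASSWD" | grep -cx bob)"
```

<p>On a real host the two constructed strings would be replaced by the output of <tt>getent passwd</tt> and <tt>getent group</tt>. The point the script makes is the one in the message: the evidence worth collecting for a "deactivation" is that the account has dropped out of the effective-access set, not that its name has disappeared from the directory.</p></div>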