BB Unix Network Monitor - Message
Re: {bb} No messages required... and security
Sean MacGuire wrote:
>
> If you've gone to the efforts of tightening up access to the messages
> file, it would be kind of silly to increase risk by running BB as
> root.
Basically my view as well. And I really don't like running things as
root if I can avoid it.
> A plausible solution would be to create a bigbrother group, and allow
> the BB group read access to the messages file (or put BB in whatever
> group the messages file is in). (That's what groups are for).
Unfortunately our security chaps etc. don't agree... I am just a humble
sys admin... :-(
> > Secondly, what would I have to do to disable message checking?
>
> Comment out the test in bb-local.sh. Not a good solution.
> Keeping an eye on the messages file is important (otherwise I wouldn't
> have put the test in there).
I know... that's why I'd prefer a workaround, but that doesn't seem
feasible... :-(
> > Or is there another, simpler solution? (ie force permanent green
> > status? ignore ?)
>
> The second-party demand of "root access only to messages" is a
> suggestion. Have a chat with whomever is running the tool or doing
> the audit and show them BB. Ask them about the risks of having BB
> able to read the messages file versus the risks of the file being
> "secure", but never read. Ask them for a solution.
Yeah. Too right. It was actually gonna be my course of attack, but I
wanted to know my alternatives because of course that would be their
first question back to me.
> (Hint - the answer is the group thing).
Too right.
> Um, depends on your policy, really. Nothing prevents you from
> checking the other boxes on the other side from the other side
> with their own instance of BB, for example...
That's what I'd like to do anyway FWIW, thus avoiding losing visibility
just because a WAN link dies, or a router goes AWOL (assuming I have
access to the monitor elsewhere of course :-). And each monitor would
do its own paging/SMS-ing.
But even with this solution I was hoping to use a summary on a "master"
bigbrother monitor, which would need the port open, although it would of
course mean that the port could be opened to only a specific few IP
addresses then.
Cheers Sean (as ever!)
Didds
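The "group thing" Sean suggests above, written out as an added example by the editor (not code from the BB project or from either poster): a dedicated group gets read access to the messages log, the monitor user joins that group, world access is dropped, and a small check confirms the result so the monitor never has to run as root. The group name "bigbrother", the monitor user "bb" and the log path /var/log/messages are assumptions; the setup function needs root, the check functions do not.

```shell
#!/bin/sh
# Added example: least-privilege read access to the messages log for a
# monitoring group instead of running the monitor as root.
# Assumed names (hypothetical): group "bigbrother", user "bb",
# log file /var/log/messages. Adjust to your system.

# setup_group_access [GROUP] [USER] [LOGFILE]
# Needs root. Creates the group if missing, adds the monitor user to it,
# hands the log to that group and leaves mode 0640 (owner rw, group r,
# world nothing). Some syslog daemons recreate the log on rotation, so the
# same group/mode must also be set in the syslog/logrotate configuration.
setup_group_access() {
  grp=${1:-bigbrother}; user=${2:-bb}; log=${3:-/var/log/messages}
  groupadd "$grp" 2>/dev/null || true
  usermod -a -G "$grp" "$user"
  chgrp "$grp" "$log"
  chmod 640 "$log"
}

# mode_ok FILE: true when the group can read FILE and "other" has no
# access at all. Parses the ls -ld mode string (e.g. "-rw-r-----"), which
# is the same on GNU and BSD userland, so no stat(1) flag differences.
mode_ok() {
  perms=$(ls -ld "$1" | cut -c1-10)
  g_read=$(printf '%s' "$perms" | cut -c5)
  world=$(printf '%s' "$perms" | cut -c8-10)
  [ "$g_read" = "r" ] && [ "$world" = "---" ]
}

# group_of FILE: print the owning group (4th field of ls -l output).
group_of() {
  ls -ld "$1" | awk '{print $4}'
}

# check_access FILE GROUP: true only when FILE belongs to GROUP and the
# mode is group-readable without being world-readable. This is the check
# to hand an auditor: the file is not world-readable, and only members of
# GROUP (plus root) can read it.
check_access() {
  [ "$(group_of "$1")" = "$2" ] && mode_ok "$1"
}

# Usage (as root, on a real system):
#   setup_group_access bigbrother bb /var/log/messages
#   check_access /var/log/messages bigbrother && echo "messages: OK"
```

The check deliberately fails on 0644, the default on many systems, so it catches the case where a rotation or package upgrade silently puts the log back to world-readable.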