More OS Security
By Mark Wilcox - CTO - Oracle Consulting Security-Oracle on May 09, 2008
James McGovern responded with some more questions based on Shaw's feedback and mine:
Here are the questions and my responses:
1. Do you think the open source community will quickly step up and put the equivalent of Vintela into Linux? Are there vendors that should help
There are already tools to do this in open-source - in fact we just leveraged the tools that are there for OAS4OS. Fundamentally OAS4OS is designed to maximize investment(s) in current technology. The "magic sauce" in the current release is that we helped simplify the configuration of a secure setup.
2. What would you think if there was a way for PAM to talk with an XACML PDP?
I don't think this would make much sense. PAM only deals with authentication. It would make more sense for something like SUDO to leverage XACML.
3. Would you find it interesting if you could log into a Solaris server by using your OpenID or CardSpace?
Sure it would be interesting. However, those of us who find changing how we log in to our host systems interesting did this already in the 90s :). And if you wanted strong auth or SSO, you implement(ed) Kerberos. What is driving many customers to look for a Unix integration like OAS4OS is compliance requirements. Their company needs to comply with Sarbanes-Oxley (SOX) or similar rules, and locally managed passwords for privileged accounts don't meet those rules (in particular for audit). NIS doesn't meet the requirements either. Managing the data via LDAP does.
Frankly I am a bit surprised James has never mentioned meeting compliance in any of his posts. Surely the challenge of meeting regulatory compliance in a financial company like his employer must be a major challenge? How does he solve these things....
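As an added illustration of the audit point above (this is example code, not part of the original post or of OAS4OS), the script below flags privileged accounts whose password is still managed locally rather than centrally via PAM (LDAP/Kerberos). It assumes /etc/passwd, /etc/shadow and /etc/group line formats and that "wheel" is the admin group; all sample data is constructed.

```shell
#!/bin/sh
# Added example: list privileged accounts that still carry a local password hash.
# Assumptions: passwd/shadow/group line formats, "wheel" as the admin group.
# All sample data below is constructed and stands in for the real files.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
toor:x:0:0:backup root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/sh
svc:x:1002:1002:service:/var/svc:/bin/false'

SAMPLE_SHADOW='root:$6$constructedsalt$constructedhash:17000:0:99999:7:::
toor:*:17000:0:99999:7:::
alice:$6$anothersalt$anotherhash:17000:0:99999:7:::
bob:!:17000:0:99999:7:::
svc:$1$weaksalt$weakhash:17000:0:99999:7:::'

SAMPLE_GROUP='root:x:0:
wheel:x:10:alice,bob
users:x:100:'

# is_privileged NAME UID: true for UID 0 or for members of the wheel group.
is_privileged() {
    [ "$2" -eq 0 ] && return 0
    printf '%s\n' "$SAMPLE_GROUP" |
        grep -Eq "^wheel:[^:]*:[^:]*:(.*,)?$1(,.*)?\$"
}

# has_local_password HASHFIELD: true when the shadow field holds a usable hash.
# '*', '!'-prefixed (locked), '*LK*'/'*NP*' (Solaris), 'NP' and empty fields
# mean no local password, so authentication must come through PAM instead.
has_local_password() {
    case "$1" in
        ''|'*'*|'!'*|'x'|'NP') return 1 ;;
        *) return 0 ;;
    esac
}

# find_local_privileged PASSWD SHADOW: print privileged accounts whose password
# is still managed locally, one name per line.
find_local_privileged() {
    printf '%s\n' "$1" | while IFS=: read -r name pw uid rest; do
        hash=$(printf '%s\n' "$2" | awk -F: -v n="$name" '$1 == n { print $2; exit }')
        if is_privileged "$name" "$uid" && has_local_password "$hash"; then
            printf '%s\n' "$name"
        fi
    done
}

find_local_privileged "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

On the sample data this reports root and alice: toor and bob are privileged but locked locally, and svc has a local hash but no privilege.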
4. Not all applications are PAM-enabled. I think FTP is one of them. So, how should it work in the world?
PAM is purely a back-end system that is abstracted from the application. If the application makes a call to the UNIX (ok, probably POSIX) API login function, Unix/Linux will call the proper PAM module(s). I am sure there is an FTP server out there that can make use of PAM.
That being said, almost nobody uses authenticated FTP for file transfer. Instead Secure Shell (SSH) Copy (SCP) is used because it's much more secure. And SSH can use PAM.
5. Isn't the concept of logging into a server somewhat dated? Shouldn't the notion of domain be escalated within the Linux community?
Has the enterprise architect forgotten his roots? :) Has he not talked to his actual system admins?
While it is true that most non-system-administrator accounts no longer log in directly to machines, system administrators must still routinely be able to log in to systems (regardless of OS).
Unix systems (in particular Trusted Solaris and SELinux) have much stricter, finer-grained controls they can employ in their security models within the system than mere "domains".
And the whole concept of domains in Windows is lifted from Unix to begin with. So I'm not really sure what James is trying to ask here.
If the question is "why are they entering passwords - can't they use Kerberos", the answer is yes, of course. However, that just isn't something many organizations have wanted to implement, even though Microsoft AD practically made Kerberos universal (something the Unix world was never able to do even with a several-year head start).