[cabf_netsec] Accounts, Access and Credentials
Neil Dunbar
ndunbar at trustcorsystems.com
Thu Apr 16 10:08:03 MST 2020
All,
So here's my (current) thinking on the ballot regarding system
accounts/user accounts.
It seems that many operations have a centralised list of accounts which
represents the maximum _potential_ set of different access identifiers
to any given system (example: an enterprise wide LDAP service, and each
system is configured to use sssd as its system account database
provider). What this means is that I, as a system administrator, could
execute:
getent passwd
and get a long list of alice, bob, charlie, dave ... Of whom only bob is
actually supposed to be using the system. Now, most of those users will
be assigned to groups, or roles, or some sort of privilege assignment.
It's that association of account -> privilege which defines the ability
to use the system, not the existence of an account name per se.
So, when I hear the terms "account" and "credential", I tend to think of
usernames and passwords, which are not necessarily the things that I
might want to see controlled. It's the association of privileges that I
want to see demonstrably controlled.
So, when we talk about "deactivating" the account, it seems to me that
what we want is for the privilege association between the account name
and the host to be broken; we remove the username from the group
"sensitive_host_users", or we take them out of "two_factor" roles
(meaning that their credentials might still work, but are insufficient
to access the sensitive host, etc.).
But I wonder if this is what others on the group are thinking?
Looking forward to talking this through,
Neil
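As an added illustration of the distinction drawn above (this is not part of the original post, nor any CA/B Forum artefact): a small audit that treats group membership, not the directory entry, as what grants access to the host, and that "deactivates" an account by breaking that association rather than deleting the account. The getent-style output and the group names sensitive_host_users and two_factor are constructed for the example.

```python
# Constructed sample output, in the format of `getent passwd` on a host
# that uses an enterprise directory (via sssd) as its account database.
PASSWD_OUTPUT = """\
alice:*:10001:10001:Alice:/home/alice:/bin/bash
bob:*:10002:10002:Bob:/home/bob:/bin/bash
charlie:*:10003:10003:Charlie:/home/charlie:/bin/bash
dave:*:10004:10004:Dave:/home/dave:/sbin/nologin
"""

# Constructed sample output in the format of `getent group`. The group
# names are the hypothetical ones from the post.
GROUP_OUTPUT = """\
sensitive_host_users:*:20001:bob,charlie
two_factor:*:20002:bob,alice
"""

REQUIRED_GROUPS = ("sensitive_host_users", "two_factor")

def parse_passwd(text):
    """Account names present in the directory (the *potential* access set)."""
    return {line.split(":")[0] for line in text.splitlines() if line.strip()}

def parse_groups(text):
    """Map group name -> set of member accounts."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, _gid, members = line.split(":", 3)
            groups[name] = {m for m in members.split(",") if m}
    return groups

def effective_access(passwd_text, group_text, required=REQUIRED_GROUPS):
    """True for an account only if it holds every required group membership;
    an account that merely exists in the directory has no access."""
    accounts = parse_passwd(passwd_text)
    groups = parse_groups(group_text)
    return {a: all(a in groups.get(g, set()) for g in required) for a in sorted(accounts)}

def deactivate(group_text, account, required=REQUIRED_GROUPS):
    """Break the account -> privilege association without deleting the account."""
    out = []
    for line in group_text.splitlines():
        if line.strip():
            name, pw, gid, members = line.split(":", 3)
            if name in required:
                members = ",".join(m for m in members.split(",") if m and m != account)
            line = ":".join((name, pw, gid, members))
        out.append(line)
    return "\n".join(out) + "\n"
```

With the sample data only bob holds both memberships; after deactivate(GROUP_OUTPUT, "bob") his passwd entry is untouched but effective_access reports no access.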