Hi Folks,
I'm stumped on this one. I've been asked to configure an area in a filesystem that enforces the concept of requiring two users to agree to remove files from that area. Someone suggested using SeLinux, a system I know very little about.
Does anyone know how to require the permission of two logged-in users to remove a file or directory? How would one prevent root from removing the files?
Thanks, Lew
On 6/18/2015 7:25 AM, Lew Wolfgang wrote:
Hi Folks,
I'm stumped on this one. I've been asked to configure an area in a filesystem that enforces the concept of requiring two users to agree to remove files from that area. Someone suggested using SeLinux, a system I know very little about.
Does anyone know how to require the permission of two logged-in users to remove a file or directory? How would one prevent root from removing the files?
Thanks, Lew
Don't think SELinux supports getting more than one authorization for an action, especially when those authorizations must come from different accounts.
Hard links in different directories owned by different users might work for this.
Basically if you have to worry about root then you have bigger problems.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hello Lew,
Interesting question indeed. In my opinion, however, it is not possible at all (especially for the root user). I'm interested in what the others think about this, though.
Regards, I. Petrov
On Thu, 18 Jun 2015, Lew Wolfgang wrote:
Hi Folks,
I'm stumped on this one. I've been asked to configure an area in a filesystem that enforces the concept of requiring two users to agree to remove files from that area. Someone suggested using SeLinux, a system I know very little about.
Does anyone know how to require the permission of two logged-in users to remove a file or directory? How would one prevent root from removing the files?
Thanks, Lew
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 18/06/2015 22:28, I. Petrov wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hello Lew,
Interesting question indeed. In my opinion, however, it is not possible at all (especially for the root user). I'm interested in what the others think about this, though.
Depends on what one wants to do with the file: switching off a USB disk can prevent the file from being removed, even by root, but it's also unavailable for the others.
jdd
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hello,
:) With the same success you can turn off the PC and ask for permission from someone to turn it on. Lew talks about a live system. Sorry if I'm being rude.
Regards, I. Petrov
On Thu, 18 Jun 2015, jdd wrote:
On 18/06/2015 22:28, I. Petrov wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hello Lew,
Interesting question indeed. In my opinion, however, it is not possible at all (especially for the root user). I'm interested in what the others think about this, though.
Depends on what one wants to do with the file: switching off a USB disk can prevent the file from being removed, even by root, but it's also unavailable for the others.
jdd
Does it have to be command-line restrictions? It might be easier if you just used some sort of application or web interface with workflows.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
On 2015-06-18 22:45, Christopher Myers wrote:
Does it have to be command-line restrictions? It might be easier if you just used some sort of application or web interface with workflows.
That's the only way to do it, from a user perspective. The files are saved on another machine to which they have no access at all, by an application that has an interface requiring double identification.
But the administrator of the machine where the data is actually saved, can delete it all. The way to avoid this is having the data simultaneously saved on two different machines, on different locations, managed by different admin teams.
-- Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
On 18/06/2015 22:41, I. Petrov wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hello,
:) With the same success you can turn off the PC and ask for permission from someone to turn it on. Lew talks about a live system. Sorry if I'm being rude.
no, I just forgot the smiley :-) jdd
On 06/18/2015 01:31 PM, jdd wrote:
On 18/06/2015 22:28, I. Petrov wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hello Lew,
Interesting question indeed. In my opinion, however, it is not possible at all (especially for the root user). I'm interested in what the others think about this, though.
Depends on what one wants to do with the file: switching off a USB disk can prevent the file from being removed, even by root, but it's also unavailable for the others.
Perhaps I should have included the original requirement. Here it is:
"The operating system must enforce dual authorization for movement and/or deletion of all audit information, when such movement or deletion is not part of an authorized automatic process."
It is what it is, but I think it's impossible without a rewrite of kernels, libraries, applications, and whatnot.
Maybe rsyslog could be used to send logs to two external servers operating with different root credentials? Two "roots" would be required to delete all existent copies.
I think I'll just let the customer tell me how to do it...
Regards, Lew
On 6/18/2015 2:22 PM, Lew Wolfgang wrote:
I think I'll just let the customer tell me how to do it...
There is, ultimately, no protection from root. They just have to realize this.
If they are simply referring to non-root users, I've done something similar with hard-links created by an automated process in a separate directory to which the original file owner had no access.
(A customer was getting sued in court, and it was necessary to preserve the entire content of some files, even if the users had reason to erase them. They could erase them from their own directory but the time-stamped hard links made sure the file didn't move). We ran it on cron every 5 minutes. It was crude but it worked).
Working with HIPAA information we used an archival backup. One set of users managed the system storing the information while a different set of users managed the backup server. As long as the data was not modified before being backed up, we could track diffs.
-----Original Message-----
From: Lew Wolfgang wolfgang@sweet-haven.com
To: opensuse@opensuse.org
Subject: Re: [opensuse] Dual Administrative Access?
Date: Thu, 18 Jun 2015 14:22:15 -0700
On 06/18/2015 01:31 PM, jdd wrote:
On 18/06/2015 22:28, I. Petrov wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hello Lew,
Interesting question indeed. In my opinion, however, it is not possible at all (especially for the root user). I'm interested in what the others think about this, though.
Depends on what one wants to do with the file: switching off a USB disk can prevent the file from being removed, even by root, but it's also unavailable for the others.
Perhaps I should have included the original requirement. Here it is:
"The operating system must enforce dual authorization for movement and/or deletion of all audit information, when such movement or deletion is not part of an authorized automatic process."
It is what it is, but I think it's impossible without a rewrite of kernels, libraries, applications, and whatnot.
Maybe rsyslog could be used to send logs to two external servers operating with different root credentials? Two "roots" would be required to delete all existent copies.
I think I'll just let the customer tell me how to do it...
Regards, Lew
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
On 2015-06-18 23:22, Lew Wolfgang wrote:
Perhaps I should have included the original requirement. Here it is:
"The operating system must enforce dual authorization for movement and/or deletion of all audit information, when such movement or deletion is not part of an authorized automatic process."
Then you are talking of audit logs, not files.
Maybe rsyslog could be used to send logs to two external servers operating with different root credentials? Two "roots" would be required to delete all existent copies.
Yes. That can be done, I think. Two roots, on different buildings. At least, different rooms.
I think I'll just let the customer tell me how to do it...
Yep. :-)
-- Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
On 06/18/2015 05:22 PM, Lew Wolfgang wrote:
On 06/18/2015 01:31 PM, jdd wrote:
On 18/06/2015 22:28, I. Petrov wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hello Lew,
Interesting question indeed. In my opinion, however, it is not possible at all (especially for the root user). I'm interested in what the others think about this, though.
Depends on what one wants to do with the file: switching off a USB disk can prevent the file from being removed, even by root, but it's also unavailable for the others.
Perhaps I should have included the original requirement. Here it is:
"The operating system must enforce dual authorization for movement and/or deletion of all audit information, when such movement or deletion is not part of an authorized automatic process."
Damn pointy-haired bosses don't know the difference between reality and fantasy.
On 06/20/2015 07:06 AM, Ken Schneider - openSUSE wrote:
On 06/18/2015 05:22 PM, Lew Wolfgang wrote:
On 06/18/2015 01:31 PM, jdd wrote:
On 18/06/2015 22:28, I. Petrov wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hello Lew,
Interesting question indeed. In my opinion, however, it is not possible at all (especially for the root user). I'm interested in what the others think about this, though.
Depends on what one wants to do with the file: switching off a USB disk can prevent the file from being removed, even by root, but it's also unavailable for the others.
Perhaps I should have included the original requirement. Here it is:
"The operating system must enforce dual authorization for movement and/or deletion of all audit information, when such movement or deletion is not part of an authorized automatic process."
Damn pointy-haired bosses don't know the difference between reality and fantasy.
I know... The consensus I've taken from this thread is that the best (only?) way to do this has rsyslog sending specified logs to two administratively distinct remote servers. I'll leave it up to the PHB if he wants to pay for this or not. This would be sound policy if there were enough hosts to justify the overhead. Of course, you need to pay someone to analyze tons of audit files, but that's another matter...
Thanks to everyone who chipped in!
Regards, Lew
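The forwarding Lew proposes above (first as a question, then as the consensus he draws from the thread) can be set up as follows. This is an added example, not code from the thread or from the rsyslog project: a POSIX shell function that renders an rsyslog drop-in sending audit-relevant messages to two independently administered collectors, so that destroying every copy needs root on both remote hosts. The collector names, the port, the drop-in path and the choice of `authpriv` plus the `audispd` program name as the "audit information" filter are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): render an rsyslog drop-in that sends
# audit-relevant messages to two independently administered collectors, so
# every copy can only be destroyed with root on both remote hosts.
# Collector names, port and output path are assumptions; adjust to the site.
set -eu

# write_dual_forward OUTFILE COLLECTOR_A COLLECTOR_B [PORT]
# Each collector gets its own omfwd action with a disk-assisted queue and
# unlimited retries, so an outage of one collector neither drops events nor
# blocks delivery to the other one.
write_dual_forward() {
    outfile=$1; host_a=$2; host_b=$3; port=${4:-514}
    n=0
    {
        printf '# Generated by write_dual_forward: dual-site audit forwarding\n'
        printf '# What counts as audit information is an assumption here: the\n'
        printf '# authpriv facility plus the audispd syslog plugin. Widen as needed.\n'
        printf 'if ($syslogfacility-text == "authpriv" or $programname == "audispd") then {\n'
        for host in "$host_a" "$host_b"; do
            n=$((n + 1))
            printf '    action(type="omfwd" target="%s" port="%s" protocol="tcp"\n' "$host" "$port"
            printf '           queue.type="LinkedList" queue.filename="fwd_audit_%s"\n' "$n"
            printf '           queue.saveOnShutdown="on" action.resumeRetryCount="-1")\n'
        done
        printf '}\n'
    } > "$outfile"
}

# Usage (assumed path):
#   write_dual_forward /etc/rsyslog.d/50-audit-dual.conf logsrv-a.example logsrv-b.example 6514
```

Check the rendered file with `rsyslogd -N1` before restarting rsyslog. Two separate actions matter here: a single action with two targets does not exist in omfwd, and separate queues keep one unreachable collector from stalling the other. Securing the links themselves (TLS via omfwd's stream-driver parameters) is the usual next step and is not shown.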
If you have not already you may want to look at graylog, kibana, or splunk. If analyzing the data is an issue, these applications might help.
-----Original Message-----
From: Lew Wolfgang wolfgang@sweet-haven.com
Reply-to: wolfgang@sweet-haven.com
To: opensuse@opensuse.org
Subject: Re: [opensuse] Dual Administrative Access?
Date: Sat, 20 Jun 2015 08:38:55 -0700
On 06/20/2015 07:06 AM, Ken Schneider - openSUSE wrote:
On 06/18/2015 05:22 PM, Lew Wolfgang wrote:
On 06/18/2015 01:31 PM, jdd wrote:
On 18/06/2015 22:28, I. Petrov wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hello Lew,
Interesting question indeed. In my opinion, however, it is not possible at all (especially for the root user). I'm interested in what the others think about this, though.
Depends on what one wants to do with the file: switching off a USB disk can prevent the file from being removed, even by root, but it's also unavailable for the others.
Perhaps I should have included the original requirement. Here it is:
"The operating system must enforce dual authorization for movement and/or deletion of all audit information, when such movement or deletion is not part of an authorized automatic process."
Damn pointy-haired bosses don't know the difference between reality and fantasy.
I know... The consensus I've taken from this thread is that the best (only?) way to do this has rsyslog sending specified logs to two administratively distinct remote servers. I'll leave it up to the PHB if he wants to pay for this or not. This would be sound policy if there were enough hosts to justify the overhead. Of course, you need to pay someone to analyze tons of audit files, but that's another matter...
Thanks to everyone who chipped in!
Regards, Lew
On 21/06/15 00:06, Ken Schneider - openSUSE wrote:
On 06/18/2015 05:22 PM, Lew Wolfgang wrote:
On 06/18/2015 01:31 PM, jdd wrote:
On 18/06/2015 22:28, I. Petrov wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hello Lew,
Interesting question indeed. In my opinion, however, it is not possible at all (especially for the root user). I'm interested in what the others think about this, though.
Depends on what one wants to do with the file: switching off a USB disk can prevent the file from being removed, even by root, but it's also unavailable for the others.
Perhaps I should have included the original requirement. Here it is:
"The operating system must enforce dual authorization for movement and/or deletion of all audit information, when such movement or deletion is not part of an authorized automatic process."
Damn pointy-haired bosses don't know the difference between reality and fantasy.
But you know what they asked for is not really a fantasy but a legitimate request for security of data.
If you have a safety deposit box at a bank you need two (2) keys to open that box - one key used by "The Keeper of the Boxes" and the other which you have.
The request made to Lew is nothing more than trying to implement the same requirement to data held in files located on computers (be they servers or otherwise).
BC
This is an interesting problem
"The operating system must enforce dual authorization for movement and/or deletion of all audit information, when such movement or deletion is not part of an authorized automatic process."
But you know what they asked for is not really a fantasy but a legitimate request for security of data. If you have a safety deposit box at a bank you need two (2) keys to open that box - one key used by "The Keeper of the Boxes" and the other which you have. The request made to Lew is nothing more than trying to implement the same requirement to data held in files located on computers (be they servers or otherwise).
I'd look at using hardware-encrypted flash or SSD, either attached directly to the existing system or via a small SBC (Raspberry Pi) mounted in a 3.5" disk bay or directly onto the chassis. That might even do for an rsyslogd approach. Depends on how much disk space you need and lots of other factors, so it's only my 2p worth.
I could easily spend some time working a solution
Happy Solstice to all!
Phil Vossler
"......sooner or later that day comes and you can't hide from the things that you've done anymore." William Adama BSG
On 2015-06-21 09:14, Basil Chupin wrote:
But you know what they asked for is not really a fantasy but a legitimate request for security of data.
Yes, absolutely.
The operating system is what it is, but at the application you can do whatever you like - or rather, what you have money to pay the programmers to do :-)
I have worked with a complex machine (5ESS), based on Unix, on which all access was done via a user interface with lots of security measures (optionally activated). Like defining teams that could do lists of commands (and not others), and of course record who did what, all the time. Double authorization I didn't see, but it might be done. Just /ask/ the supplier to design it...
But one of the commands was "get to the Unix terminal", and then I was root... just imagine.
My point is that you can overlay a user interface over the operating system, on which you can indeed do anything you can imagine. I suppose that on banks, the programs that the employers use might have these type of things. The clerk doing an operation, which has to be checked and accepted by his boss. This can be better ensured because the interface runs remotely.
But the database administrator could fake entries, and the administrator of the machine(s) could destroy the entire database...
Which makes me suppose that they distribute the databases.
On 06/18/2015 11:22 PM, Lew Wolfgang wrote:
Perhaps I should have included the original requirement. Here it is:
"The operating system must enforce dual authorization for movement and/or deletion of all audit information, when such movement or deletion is not part of an authorized automatic process."
If your audit system writes audit logs as archives - for example hourly, then you could manage to do this with attributes.
The audit system writes the archive files into an archive directory and then sets the immutable flag:
chattr +i archive_file
Then you create 2 unix users and use sudo to give one the permission to alter the immutable flag by using chattr [+-]i /path/to/archive/* and the other one the permission to delete these files.
root is still almighty.
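The split described in the post above, written out as an added example that is not code from the thread: one shell file holding the wrapper bodies that each role account receives through sudo, plus the sudoers fragment that binds them. The account names (`audit-unlock`, `audit-purge`), the archive directory, the wrapper paths and the drop-in file name are assumptions, and the post's own caveat stands: root can still clear the flag.

```shell
#!/bin/sh
# Added example, not from the thread: dual control over archived audit files.
# One account may only clear/set the immutable bit, another may only delete,
# so a removal needs two people. Names and paths below are assumptions.
set -eu

ARCHIVE_DIR=${ARCHIVE_DIR:-/var/log/audit-archive}   # assumed location
UNLOCK_USER=${UNLOCK_USER:-audit-unlock}             # assumed role account
PURGE_USER=${PURGE_USER:-audit-purge}                # assumed role account

# validate_name NAME
# Accept a bare archive file name only: no slash, no leading dot (so no ".."),
# nothing outside [A-Za-z0-9._-]. The wrappers take a name rather than a
# path because a sudoers rule with a wildcard ("chattr -i /dir/*") matches
# any argument starting with that prefix, "/dir/../../etc/shadow" included.
validate_name() {
    case "$1" in
        ''|*/*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# archive_and_lock SRC NAME
# Run as root by the audit rollover job: copy the finished archive into
# ARCHIVE_DIR and set +i so it cannot be unlinked, renamed or appended to
# until the flag is cleared again.
archive_and_lock() {
    validate_name "$2" || { echo "bad archive name: $2" >&2; return 1; }
    cp -- "$1" "$ARCHIVE_DIR/$2"
    chattr +i "$ARCHIVE_DIR/$2"
}

# audit_unlock NAME
# Body of /usr/local/sbin/audit-unlock, the one command UNLOCK_USER may sudo.
audit_unlock() {
    validate_name "$1" || { echo "refusing: $1" >&2; return 1; }
    logger -t audit-dualctl "unlock $1 requested by ${SUDO_USER:-unknown}"
    chattr -i "$ARCHIVE_DIR/$1"
}

# audit_purge NAME
# Body of /usr/local/sbin/audit-purge, the one command PURGE_USER may sudo.
# Fails with EPERM while the file is still immutable, i.e. until the
# unlock account has acted; that failure is the control working.
audit_purge() {
    validate_name "$1" || { echo "refusing: $1" >&2; return 1; }
    logger -t audit-dualctl "purge $1 requested by ${SUDO_USER:-unknown}"
    rm -- "$ARCHIVE_DIR/$1"
}

# render_sudoers
# Print the sudoers drop-in: each role gets exactly one wrapper, a password
# is still required, and the session output is logged. Install it with
# "visudo -f /etc/sudoers.d/audit-dualctl" (assumed file name).
render_sudoers() {
    printf '%s\n' \
      "# dual control for $ARCHIVE_DIR (generated example)" \
      "Cmnd_Alias AUDIT_UNLOCK = /usr/local/sbin/audit-unlock" \
      "Cmnd_Alias AUDIT_PURGE  = /usr/local/sbin/audit-purge" \
      "Defaults!AUDIT_UNLOCK log_output" \
      "Defaults!AUDIT_PURGE  log_output" \
      "$UNLOCK_USER ALL=(root) AUDIT_UNLOCK" \
      "$PURGE_USER  ALL=(root) AUDIT_PURGE"
}
```

The flow is then: the rollover job calls archive_and_lock, the first person runs `sudo audit-unlock NAME`, the second runs `sudo audit-purge NAME`, and each step leaves a syslog line plus a sudo log entry naming who asked. Both wrappers must live on a filesystem where the role accounts cannot edit them, and, as the post says, none of this binds root.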