
osdf-devteam team mailing list archive

Re: RFC: Access List

I would suggest administrators need to use some kind of password store:
LastPass (handy browser integration), KeePass, Password Safe. The idea is to
prevent people from having to type in 24-character passwords while
eliminating the need to keep them written down somewhere in easily viewable
plaintext.

On Fri, Dec 10, 2010 at 6:51 PM, Andrew Ettinger
<sillydeveloper@xxxxxxxxx> wrote:

> Well, we're growing. And as we grow we should probably evaluate our
> security operation to make sure we don't hand out administrator access all
> over the place. And we should probably have a 'hit by a bus' list.
>
> So here's the current bus list (please let me know if I need to make
> corrections):
>
> http://www.theundermine.info/wiki/index.php/Access_List
>
> (Anybody got a better idea on a place to put this list other than the wiki?
> Or is the wiki sufficient? Or is that a security hole in and of itself? =)
>
> Proposal:
>
> For each service, there should be at least 2 people with administrative
> access, preferably 3, so we have redundancy (the hit by a bus clause). So if
> you are installing something that requires an administrator type of account,
> you need to add it to the list and find someone else to grant access to.
>
> I also propose that (from now on) in order to be granted administrative
> access on this list, they:
>
> (a). need to already be on the list; or
> (b). if they are new, that they need to have at least 3 people vouch for
> them or something -- some sort of safeguard to make sure that people that
> make it onto this list are trusted by others, and others know that they are
> getting access to that service.
>
> I say we request access formally through the mailing list so that it's
> documented in the archive.
>
> Also, if you are on this list you *MUST* have a strong password for the
> service you are listed for. Your username may or may not match what is on
> that list. But we don't want to be brute forced.
>
> Do we have anyone here that is a security expert that would like to help
> drive measures like these?
>
> Thoughts? This will probably change as we grow, but we should probably set
> a baseline as we get more interest.
>
> ~ Andrew
>
> _______________________________________________
> Mailing list: https://launchpad.net/~osdf-devteam
> Post to     : osdf-devteam@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~osdf-devteam
> More help   : https://help.launchpad.net/ListHelp