
I've just started my internship in a governmental organisation, and my first assignment is to develop a user system for our internal serverfarm of 120+ Red Hat and Windows servers. The internal serverfarm is managed with Puppet. As it is now, everyone logs in with the same root/admin account, which should be self-explanatory why that's a huge problem for various reasons. I don't have the exact numbers, but we're talking about at least 30 people using the same account - and a lot of their work doesn't require that level of access/privileges. I've proposed two solutions for the problem, and I would really appreciate some feedback on those from you guys.

1) Authentication through AD to the serverfarm

The idea is to set up an auth server (preferably two for redundancy) that's connected to the governmental AD using SSSD/FreeIPA, and if users are authenticated, they're granted access to the serverfarm, where Puppet is used to manage their privileges. Managing privileges through the AD is not an option, because this organisation is managed by a higher instance which controls the AD. My manager and I prefer this solution, because we can let the other administration manage the accounts, and thus don't have two separate systems. There's a requirement of providing monthly reports about user activity if a governmental organisation has a separate user system apart from the main AD, and my department is really busy, so we would like to avoid a task like that.

2) Local administration of user privilegies

The other solution is to scrap the auth server, and just manage the user system and their privileges through Puppet. That way we are in total control, and don't have to rely on the administration. The downside of this is that we would have a separate user system, which has to be managed. This can of course pose a security threat if old employees/consultants don't get deleted in the system, but most importantly - we do not have the time for another time-consuming task.

After reading articles and other posts about this subject, I've understood that SSSD/FreeIPA is probably the way to go, but I'm not sure. So, what do you guys think? Which of the proposed solutions is best, and/or is there a third and better solution to the problem?

Thanks in advance!

Frisbee57

1 Answer


Answer from somebody working at a US government lab. Join your systems to the AD domain. realm tools work well with Red Hat 7. Configure sssd for user authentication. Use puppet to manage /etc/security/access.conf to control user access and puppet also controls /etc/sudoers and /etc/sudoers.d. Essentially, use your option 1. Also, set syslog to send all security logs to a central log server with limited access. You now have accounts controlled by the main AD so that is one less headache. All logins and sudo requests are logged to the central syslog server so you have one place to go to pull usage reports from. I would also lock down the root account so that it cannot be logged into through ssh so you force people to use su or sudo. Have the manager discourage su as a routine option.

Good luck with your internship. This is a great project to implement.

doneal24
Thanks a lot for your feedback! The next step in the project was indeed to set up a syslog to report exactly on that, because it makes a lot of sense to keep track of what people are doing. I couldn't agree more about the bad habit of using the root/admin user, and they know it's not a good practice at all, so we're all on the same page. They just haven't had the time or knowledge to implement this system by themselves. I really like the project because it gives me a good introduction to the infrastructure and Puppet. Again, thanks a lot :) – Frisbee57 Aug 22 '18 at 12:46
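The answer's four configuration steps (access.conf for who may log in, a sudoers.d drop-in for who may escalate, no root over ssh, auth logs shipped to a central host) fit naturally in one Puppet class. The manifest below is an added example written for this page; it is not the answer's code and not the asker's Puppet tree. It assumes the host has already been joined to the domain with `realm join` and that sssd answers NSS/PAM lookups; the AD group names (`srv-admins`, `srv-operators`), the log host name, the operator command pattern and the file names are placeholders. `join` is a core function in Puppet 5.5+ (or available from puppetlabs-stdlib on older agents).

```puppet
# serverfarm_access: added example manifest (not from the answer above).
# Assumes: host already joined with `realm join`, sssd running, Puppet >= 5.5.
# The group names, log host and operator command below are placeholders.
class serverfarm_access (
  Array[String] $admin_groups    = ['srv-admins'],              # placeholder AD groups
  Array[String] $operator_groups = ['srv-operators'],           # placeholder AD groups
  String        $log_server      = 'loghost.example.invalid',   # placeholder host
) {

  # --- 1. Who may log in at all: pam_access via /etc/security/access.conf.
  # pam_access stops at the first matching line, so the closing "-:ALL:ALL"
  # refuses everyone not listed above it. Group names go in parentheses.
  $group_list = ($admin_groups + $operator_groups).map |String $g| { "(${g})" }
  $access_rules = [
    '+:root:LOCAL',                          # root only from the console
    "+:${join($group_list, ' ')}:ALL",       # listed AD groups from anywhere
    '-:ALL:ALL',                             # everyone else is denied
  ]
  file { '/etc/security/access.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "${join($access_rules, "\n")}\n",
  }

  # access.conf is only consulted when pam_access.so is in the PAM stack;
  # on RHEL 7 authconfig inserts it into system-auth and password-auth.
  exec { 'enable-pam_access':
    command => '/usr/sbin/authconfig --enablepamaccess --update',
    unless  => '/bin/grep -q pam_access.so /etc/pam.d/system-auth',
  }

  # --- 2. Who may escalate: sudo rules live in a Puppet-owned drop-in,
  # never in /etc/sudoers itself. validate_cmd runs visudo on the staged
  # file, so a typo in the manifest cannot lock everyone out of sudo.
  $admin_lines    = $admin_groups.map |String $g| { "%${g} ALL=(ALL) ALL" }
  $operator_lines = $operator_groups.map |String $g| {
    "%${g} ALL=(root) /usr/bin/systemctl status *"   # placeholder command set
  }
  file { '/etc/sudoers.d/10-serverfarm':
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0440',
    validate_cmd => '/usr/sbin/visudo -cf %',
    content      => "${join($admin_lines + $operator_lines, "\n")}\n",
  }

  # --- 3. Root must not log in over ssh: people arrive as themselves and
  # escalate with sudo, which leaves an attributable record per person.
  augeas { 'sshd-permit-root-login':
    context => '/files/etc/ssh/sshd_config',
    changes => ['set PermitRootLogin no'],
    notify  => Service['sshd'],
  }
  service { 'sshd':
    ensure => running,
    enable => true,
  }

  # --- 4. Ship login and sudo records (auth/authpriv facilities) to the
  # central log host over TCP ("@@" in rsyslog), so the monthly activity
  # report is pulled from one place the server admins cannot edit.
  file { '/etc/rsyslog.d/50-central-auth.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "auth,authpriv.* @@${log_server}:514\n",
    notify  => Service['rsyslog'],
  }
  service { 'rsyslog':
    ensure => running,
    enable => true,
  }
}
```

Apply it with `include serverfarm_access`, or pass the real group names and log host as class parameters from Hiera. Two points to check before rolling this out to 120 hosts: if `use_fully_qualified_names` is set in sssd.conf, the group names in access.conf and sudoers must carry the `@domain` suffix that `id <user>` shows; and test the access.conf rules on one host with a second ssh session still open, because a wrong deny line takes effect on the next login attempt.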