[Cfat] requested policy change on "georgesv" account on Linux systems

Kelvin Raywood kray at triumf.ca
Mon Sep 8 14:13:17 PDT 2008


Apologies to all for the lateness of this but here is the explanation of 
the requested policy change on the "georgesv" account on site Linux PCs.

Kel Raywood
TRIUMF Network and Computing Services


Since around 2003, a non-privileged account called "georgesv" was
created on all new installations of Linux on TRIUMF PCs that were
performed with the kickstart CD provided by CCN. A password was not
set for this account but a security key (ssh public key) was
installed that enabled CCN personnel to login to this account remotely.
The private key for the account is kept securely on the server
"syslog" which, as its name suggests, is also the server that receives
system logs from TRIUMF Linux PCs.

CFAT approved a policy that made this account mandatory on all new
installations of Linux on TRIUMF PCs. There were several reasons for this
policy:

* When requests for assistance with a Linux installation are made to
   CCN, then we are able to use this account to gather info about the
   PC to help in dealing with the request.

* If a PC is suspected of being compromised in some way, then we can
   login remotely and perform some rudimentary forensics.

* A periodic (cron) job is run on a server that uses the georgesv
   account to automatically gather info about site Linux PCs such as
   their configuration and patch level. In principle, this can be used to
   identify potentially vulnerable systems.

It has now become apparent that there are several problems with the
georgesv policy and we (CCN) request that CFAT rescind the policy.

* In over three years, the account has been used only a couple of
   times for help with providing assistance.

* A non-privileged account is insufficient for doing forensics on
   a compromised PC.

* It can be problematic for some machines to have unexpected connections
   that look at configurations and possibly log files.

* CCN does not have resources to properly monitor the patching status
   of people's PCs. We do not want to give the impression that we will
   inform people of potential problems. There are many Linux PCs
   on-site which were not installed using the TRIUMF kickstart CD and
   so do not have the georgesv account installed. We feel a better use
   of our limited resources is to work on ways to identify potential
   security issues by passive means.


Root access

The TRIUMF installation CDs also installed a security-key that allowed 
CCN personnel to have root access to the Linux machines. The private part 
of the key pair is passphrase protected and only installed on syslog. 
The CFAT policy is that this is optional but encouraged so that we can 
do forensics on a live system remotely. We would like to maintain this 
policy and recommendation. The installation CDs that have been produced 
in the last year install the root-access key using an rpm (Linux 
package) that can be uninstalled with a simple command.  The kickstart 
web-page explains this.

The security sub-committee's recommendation is that if people choose not 
to allow CCN to have root access to their machine, then it is on the 
understanding that their network-port may be switched off if a machine 
is discovered to be mis-behaving and we can't contact its owner.
