On Fri, 2006-06-02 at 14:38, Dave Miner wrote:
> Peter Tribble wrote:
> > I'm not sure it's necessary or desirable to register all software
> > in a central repository. As a system administrator, if someone has
> > installed some software without involving me first, then that's
> > their problem and I don't want to be involved. From the other side,
> > if as a developer or application person I install a piece of software
> > then I would go after a system administrator who fiddled with it
> > with an axe.
>
> You, as an administrator, would regard it as not your concern if some
> end user has installed Sun Java System Web Server (that would be one of
> the products taking advantage of this, by the way) and we've issued a
> security alert for a gaping root exploit on it? I think the average SOX
> auditor would be concerned by that attitude, because it's your system
> that's at risk.
Not at all:

- if someone has installed any piece of software on an audited machine
  without my knowledge, then that would already be a problem
- something that might run as a service, even worse
- I would go through the roof if someone installed an open service
  running as root without my knowledge
- I would be interested to know how an unprivileged user managed to get
  a privileged application onto the system in any case.

An unprivileged user shouldn't be able to install anything (irrespective
of whether it's a tarball or a package) that could cause a root
compromise. In other words, if this sort of thing is an issue then you
need the procedures in place to deal with it, whatever the underlying
mechanism for managing the software.

Note that I said "if someone has installed some software without
involving me first". In this sort of case I would expect to be involved
and the software managed properly. Whether it's packages or tarballs, a
central repository or written down in the big book, doesn't make much
difference.

I think that this highlights that there are a variety of scenarios and
that we perhaps need to clarify which scenarios we're talking about, and
what solutions might be relevant for each scenario.

-- 
-Peter Tribble
L.I.S., University of Hertfordshire - http://www.herts.ac.uk/
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/
