Comment by XorNot
1 day ago
It's the same as domain admin in active directory.
You always need it to setup the system initially.
It's like root on Linux: it's an implementation detail that it must be possible.
There’s no possible need for an admin-level user that bypasses logging. If anything these users should have additional logging to external systems to make it harder to hide their use.
Root on Linux isn’t exempt from logging. I also don’t know any enterprise that allows admin accounts to bypass logging.
There is no legitimate justification for this request.
root on Linux can just kill the log forwarder and erase the relevant logs, or refill them with junk.
Yes. A more competent hack would have been to use their superuser permissions to do that kind of thing.
But instead they requested that logging be disabled, thus outing themselves as acting in bad faith.
At least at places I've worked, terminating the logger would cause a security incident, and the central logging service has some general heuristics that should trigger a review if a log is filled with junk. Of course with enough time and root, there are ways to avoid that. But that's also usually why those with root are limited to a small subset of users, and assuming root usually requires a reason and is time gated.
That still leaves highly visible log traces if you’re following most security standards (required in .gov) since you’d have the logs showing them disabling the forwarder. The difference here is that this was like an attacker but had backing from senior management to violate all of those rules which would normally get someone fired, if not criminally charged.
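The collector-side heuristics the replies above allude to (a root user stopping the forwarder, a host that simply goes quiet, and a log refilled with junk), as an added example that is not code from this thread or from any product it discusses. The sample lines, host names, the forwarder name list and the thresholds are all constructed assumptions; a real deployment would feed the same functions from its own pipeline.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of lines as a central collector might receive them,
# "<ISO timestamp> <host> <syslog message>". Not real logs; hosts are invented.
SAMPLE_LINES = [
    "2024-05-01T10:00:00Z hostA sshd[812]: Accepted publickey for alice from 10.0.0.5 port 51234",
    "2024-05-01T10:00:30Z hostA sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl stop rsyslog",
    "2024-05-01T10:00:31Z hostA systemd[1]: Stopped System Logging Service.",
    "2024-05-01T10:00:00Z hostB cron[1201]: (root) CMD (run-parts /etc/cron.hourly)",
    "2024-05-01T10:10:00Z hostB sshd[1300]: Accepted publickey for bob from 10.0.0.7 port 40022",
    "2024-05-01T10:15:00Z hostB systemd-logind[700]: New session 42 of user bob.",
    "2024-05-01T10:12:00Z hostC sshd[77]: Accepted publickey for carol from 10.0.0.9 port 39000",
    "2024-05-01T10:12:05Z hostC kernel: )(*&^%$#@!~{}[]<>?|+=)(*&^%$#@!~{}[]<>?|",
    "2024-05-01T10:12:06Z hostC kernel: ##########%%%%%%%%%%&&&&&&&&&&**********",
    "2024-05-01T10:12:07Z hostC kernel: ??!!??!!??!!;;;;;;;;^^^^^^^^::::::::",
    "2024-05-01T10:12:08Z hostC kernel: @@@@@@@@________%%%%%%%%--------++++++++",
]
# Fixed "now" for the silence check so the example is deterministic (assumption).
NOW = datetime(2024, 5, 1, 10, 20, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
# Assumed list of local log/audit daemons worth watching; extend it for your fleet.
FORWARDERS = r"(rsyslog|syslog-ng|auditd|systemd-journald|filebeat|fluent-bit|fluentd|vector|splunkforwarder)"
# systemctl-style invocations recorded by sudo, direct kills, and systemd's own notice.
STOP_CMD_RE = re.compile(r"COMMAND=\S*(systemctl|service)\s+(stop|disable|mask|kill)\s+" + FORWARDERS)
KILL_CMD_RE = re.compile(r"COMMAND=\S*(kill|pkill|killall)\b.*\b" + FORWARDERS)
SYSTEMD_STOP_RE = re.compile(r"systemd\[\d+\]: Stopped (System Logging Service|Security Auditing Service)")


def parse(line):
    """Split a collector line into (timestamp, host, message); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3)


def find_forwarder_stops(lines):
    """Lines recording someone stopping or killing a forwarder. Both the sudo record
    and systemd's 'Stopped' line are emitted before the forwarder is actually gone,
    so they usually reach the collector even though nothing after them does."""
    hits = []
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        ts, host, msg = p
        if STOP_CMD_RE.search(msg) or KILL_CMD_RE.search(msg) or SYSTEMD_STOP_RE.search(msg):
            hits.append((host, ts.isoformat(), msg))
    return hits


def find_silent_hosts(lines, now, max_gap=timedelta(minutes=10)):
    """Hosts whose newest line is older than max_gap. A host whose forwarder was
    killed just disappears from the stream, so absence has to be alerted on."""
    last_seen = {}
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        ts, host, _ = p
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    return sorted(h for h, ts in last_seen.items() if now - ts > max_gap)


def junk_ratio(lines, host, min_clean=0.6):
    """Fraction of a host's messages that look like filler: after the 'tag: ' prefix,
    fewer than min_clean of the characters are letters, digits or whitespace."""
    total = junk = 0
    for line in lines:
        p = parse(line)
        if p is None or p[1] != host:
            continue
        body = p[2].split(": ", 1)[-1]
        if not body:
            continue
        clean = sum(c.isalnum() or c.isspace() for c in body) / len(body)
        total += 1
        if clean < min_clean:
            junk += 1
    return junk / total if total else 0.0


def report(lines, now=NOW):
    """One pass over a batch: everything a reviewer should be paged about."""
    hosts = sorted({p[1] for p in map(parse, lines) if p})
    return {
        "forwarder_stops": find_forwarder_stops(lines),
        "silent_hosts": find_silent_hosts(lines, now),
        "junk_hosts": [h for h in hosts if junk_ratio(lines, h) >= 0.5],
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LINES).items():
        print(key, value)
```

On the sample, hostA is flagged twice (the sudo record and the systemd notice) and then again for going silent, while hostC trips the junk heuristic at 4 of 5 lines. The silence check is the one that matters most: a forwarder killed with SIGKILL emits no "Stopped" line, so the only signal is the gap.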
That is a very serious design flaw, but I also believe it is a flaw that is addressed by SELinux. (Perhaps someone with a knowledge of SELinux can offer some input here.) That said, I'm not sure how widespread the use of SELinux is and doubt that it would help in this case since the people in question have or can gain physical access.
Assuming the whistleblower is telling the truth, why would they make the request if they could cover their tracks themselves?
The question is whether it needs to be possible to turn off the audit logs for that role. And of course: No.
Typically the admin account can create things like super users, and super users can do anything with the data, but I'm not sure there's a use case where a single account can do both, and why can any of them avoid logging?