LinuxQuestions.org


Ook 09-18-2013 01:04 PM

Giving root access to scanning apps - bad idea?
 
We have Spiceworks in our organization, and today someone put the root username/password into Spiceworks so it can scan our Linux boxes. This strikes me as an extremely bad idea. I'm favoring creating an account that has read-only access to the box, and letting Spiceworks use that instead.

Anyone care to comment on this? Good idea, bad idea?

TobiSGD 09-18-2013 01:24 PM

I don't quite get what Spiceworks is selling (they are pretty ambiguous on their website), but I would think that giving some random IT reseller root access (even if it is "only" read-access) to all your machines is a very bad idea.
For what exactly do you use Spiceworks?

Ook 09-18-2013 01:37 PM

Quote:

Originally Posted by TobiSGD (Post 5030146)
I don't quite get what Spiceworks is selling (they are pretty ambiguous on their website), but I would think that giving some random IT reseller root access (even if it is "only" read-access) to all your machines is a very bad idea.
For what exactly do you use Spiceworks?

Disclaimer - it wasn't my idea to use it :-)

Spiceworks is an app that runs on a server on our network that is (or at least wants to be) your do-everything-monitor-everything for IT people. We use it for its help-desk functions. It also watches your network, looks for software that doesn't belong on your Windows boxes, notifies us when warranties expire or printer toner carts get low, etc., etc. The help-desk part of it is rather nice, btw.

I found out today it also scans the Linux boxes, and I'm not sure what all it is looking for, but one of the things it does is tell you when a partition is getting low on space. Ubuntu makes a small boot partition, and after 8-10 updates this partition fills up with old kernels and runs out of space, and when this happens, updates will fail. So anyhow Spiceworks sent me an email telling me the partition was filling up. OK, this was handy, but I learned the hard way to keep an eye on this after spending freakin' HOURS trying to figure out why I could not update one of our boxes. Changing over to Slackware fixed the problem btw.... :-)

So giving this thing root access just seems to me to be an *extremely* bad idea.

Maybe I should ask if there is anyone that would be ok with doing this? The more I think about it, the less I like it. I can see it now - I come in one morning, our app server is dead because Spiceworks found a file it didn't like and deleted it - (we don't need any vmlinuz files in /boot, do we?).

TobiSGD 09-18-2013 01:51 PM

There may also be legal consequences, for example if they have access to customer data or something similar. I personally would just use one of the open source monitor systems or, for simple purposes like checking disk space, write custom scripts.

I am a little irritated about the
Quote:

looks for software that doesn't belong on your Windows boxes
Do your users work with root permission (or can easily get root permissions), so that they can install software?
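
Checking partition usage, the one thing this thread says Spiceworks reports for the Linux boxes, needs no root at all. An added example of the kind of custom script suggested above (not part of any post in this thread, and not Spiceworks code); the names `over_threshold` and `sample_df`, the `run` argument and the 90% default are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: flag filesystems at or above a usage threshold.
# df gets its numbers from statfs(), which any unprivileged user may call.

# over_threshold LIMIT
# Reads `df -P` output on stdin and prints "PERCENT MOUNTPOINT" for every
# filesystem whose usage is >= LIMIT. Returns 1 if any were found, else 0.
over_threshold() {
    awk -v limit="$1" '
        NR == 1 { next }                     # skip the header row
        {
            pct = $5; sub(/%$/, "", pct)     # "96%" -> "96"
            if (pct !~ /^[0-9]+$/) next      # skip "-" or malformed rows
            mnt = $6                         # rejoin mount points with spaces
            for (i = 7; i <= NF; i++) mnt = mnt " " $i
            if (pct + 0 >= limit + 0) { print pct, mnt; hit = 1 }
        }
        END { exit (hit ? 1 : 0) }
    '
}

# Constructed sample of `df -P` output (not taken from a real host).
sample_df() {
    cat <<'EOF'
Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda2         41153856 12345678  26700000      32% /
/dev/sda1           240972   219284      9247      96% /boot
tmpfs              2019848        0   2019848       0% /dev/shm
/dev/sdb1        103081248 95000000   2800000      98% /mnt/scan share
EOF
}

# Live check: only when called as "script run [LIMIT]", so the functions
# above can be sourced or tested without touching the system.
if [ "${1:-}" = "run" ]; then
    if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to run as root; use an unprivileged account" >&2
        exit 2
    fi
    df -P | over_threshold "${2:-90}"
    exit $?
fi
```

Run from an unprivileged account's crontab, the non-zero exit status and the printed lines are enough to trigger a mail alert.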

saxa 09-18-2013 02:11 PM

Quote:

Originally Posted by Ook (Post 5030153)
Disclaimer - it wasn't my idea to use it :-)
Maybe I should ask if there is anyone that would be ok with doing this? The more I think about it, the less I like it. I can see it now - I come in one morning, our app server is dead because Spiceworks found a file it didn't like and deleted it - (we don't need any vmlinuz files in /boot, do we?).

If you will never reboot then no, but you can have your vmlinuz compressed kernel file wherever you want, as long as you tell your lilo where it is.

273 09-18-2013 03:28 PM

I think everything should be set up using the principle of least privilege. So, if Spiceworks will not (or, more importantly, should not) be making any changes to your Linux machines then it should certainly not run with root privileges, ever.
First principles of security and, as far as I was aware, one of the first things an auditor would check.

Richard Cranium 09-18-2013 08:44 PM

You should be able to configure Spiceworks to access the net-snmp daemon that you might be running to get partition usage statistics.

If you can, it doesn't need any access at all (other than the snmp user info which can be totally unrelated to any users on the box).

frieza 09-18-2013 09:15 PM

Hmm, I agree with the sentiment: if it doesn't need to make changes then root access isn't needed and is indeed a bad idea.
However, I would say this: no scanning app in the world, no matter how advanced, is a good substitute for a well-trained IT staff, a well-written acceptable use policy and employees that can be trusted to obey the policy.

