LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (http://www.linuxquestions.org/questions/slackware-14/)
-   -   Giving root access to scanning apps - bad idea? (http://www.linuxquestions.org/questions/slackware-14/giving-root-access-to-scanning-apps-bad-idea-4175477630/)

Ook 09-18-2013 01:04 PM

Giving root access to scanning apps - bad idea?
 
We have spiceworks in our organization, and today someone put the root username/password into spiceworks so it can scan our linux boxes. This strikes me as an extremely bad idea. I'm favoring creating an account that has read-only access to the box, and, and letting spiceworks use that instead.

Anyone care to comment on this? Good idea, bad idea?

TobiSGD 09-18-2013 01:24 PM

I don't quite get what Spiceworks is selling (they are pretty ambiguous on their website), but I would think that giving some random IT reseller root access (even if it is "only" read-access) to all your machines is a very bad idea.
For what exactly do you use Spiceworks?

Ook 09-18-2013 01:37 PM

Quote:

Originally Posted by TobiSGD (Post 5030146)
I don't quite get what Spiceworks is selling (they are pretty ambiguous on their website), but I would think that giving some random IT reseller root access (even if it is "only" read-access) to all your machines is a very bad idea.
For what exactly do you use Spiceworks?

Disclaimer - it wasn't my idea to use it :-)

Spice works is an app that runs on a server on our network that is (or at least wants to be) your do-everything-monitor-everything for IT people. We use it for it's help-desk functions. It also watches your network, looks for software that doesn't belong on your Windows boxes, notifies us when warranties expire or printer toner carts get low, etc., etc. The help-desk part of it is rather nice, btw.

I found out today it also scans the linux boxes, and I'm not sure what all it is looking for but one of the things it does is tell you when a partition is getting low on space. Ubuntu makes a small boot partition, and after 8-10 updates this partition fills up with old kernels and runs out of space and when this happens, updates will fail. So anyhow Spiceworks sent me an email telling me the partition was filling up. OK, this was handy, but I learned the hard way to keep an eye on this after spending freakin' HOURS trying to figure out why I could not update one of our boxes. Changing over to Slackware fixed the problem btw.... :-)

So giving this thing root access just seems to me to be to be an *extremely* bad idea.

Maybe I should ask if there is anyone that would be ok with doing this? The more I think about it, the less I like it. I can see it now - I come in one morning, our app server is dead because Spiceworks found a file it didn't like and deleted it - (we don't need any vmlinuz files in /boot, do we?).

TobiSGD 09-18-2013 01:51 PM

There may also be legal consequences, for example if they have access to customer data or something similar. I personally would just use one of the open source monitor systems or, for simple purposes like checking diskspace, write custom scripts.

I am a little irritated about the
Quote:

looks for software that doesn't belong on your Windows boxes
Do your users work with root permission (or can easily get root permissions), so that they can install software?

saxa 09-18-2013 02:11 PM

Quote:

Originally Posted by Ook (Post 5030153)
Disclaimer - it wasn't my idea to use it :-)
Maybe I should ask if there is anyone that would be ok with doing this? The more I think about it, the less I like it. I can see it now - I come in one morning, our app server is dead because Spiceworks found a file it didn't like and deleted it - (we don't need any vmlinuz files in /boot, do we?).

If you will never reboot then no, but you can have your vmlinuz compressed kernel file wherever you want, enough you tell your lilo where it is.

273 09-18-2013 03:28 PM

I think everything should be set to be set up using the principle of least-privilege. So, if Spiceworks will not (or, more importantly, should not) be making any changes to your Linux machines then it should certainly not run with root privileges, ever.
First principals of security and, far as I was aware, one of the first things an auditor would check.

Richard Cranium 09-18-2013 08:44 PM

You should be able to configure Spiceworks to access the net-snmp daemon that you might be running to get partition usage statistics.

If you can, it doesn't need any access at all (other than the snmp user info which can be totally unrelated to any users on the box).

frieza 09-18-2013 09:15 PM

hmm i agree with the sentiment, if it doesn't need to make changes then root access isn't needed and is indeed a bad idea
however i would say this, no scanning app in the world, no matter how advanced is a good substitute for a well trained IT staff, a well written acceptable use policy and employees that can be trusted to obey the policy.


All times are GMT -5. The time now is 03:26 AM.