OT: Dealing with a hosting company with it's head up it's rear end

Tim Daneliuk tundra at tundraware.com
Thu Aug 13 20:02:20 UTC 2020

On 8/13/20 2:10 PM, Steve O'Hara-Smith wrote:
> On Thu, 13 Aug 2020 14:56:43 -0400
> Aryeh Friedman <aryeh.friedman at gmail.com> wrote:
>> The hosting company for one of our clients sent the following reply to
>> us/them when we asked them to setup end user accounts on a dedicated
>> Windows Server, FreeBSD box and CentOS box (all VM's on the same physical
>> machine with no other VM's on the physical machine) and being told we
>> needed scriptable access (not web based non-scriptable) to the windows
>> desktop and shell accounts (including the ability to sudo) and they agreed
>> to provide it:


I cannot speak to hosting companies but this is very common in large
corporate settings - i.e., I have seen this across many enterprises,
especially as regards to sudo or other privilege escalation.

To a large extent the decision to limit forms of access (and thereby
break most forms of automation tooling) is because of two factors:

1) An increased presence of government regulatory involvement
2) An increased fear of losing in a lawsuit or other legal action

I consulted for over 2 years at a large investment bank.  During that time,
they did not produce a single new financial product for their customers.
100% of their discretionary spending was directed at keeping bureaucrats
happy - in this case, GDPR.  This sort of things makes even aggressive
organizations super conservative about ANY risk.

What's really bizarre is that companies that deeply restrict login access,
forbid any kind of root promotion other than "firecall" type access, and
so forth, seem to have no problem installing BigCo's new monitoring or
configuration enforcement agents on these same systems. They trust a vendor's
agent more than they do their own ability to produce a good security practice.

I once had an extended debates with a so-called security "specialist" who
said we couldn't use sudo because it wasn't non-repudiable.  I pointed them
at the deep event and command logging possible if you setup sudo appropriately.
This specialist didn't understand it, held their ground, and all but a few trivial
sudo operations were forbidden.    Try doing LVM disk management that way ....


Tim Daneliuk     tundra at tundraware.com
PGP Key:         http://www.tundraware.com/PGP/

More information about the freebsd-questions mailing list