[Freeipa-devel] per-group password policy proposal
Dmitri Pal
dpal at redhat.com
Fri Jun 12 15:08:51 UTC 2009
Simo,
We have some disagreements and some agreements.
The fundamental disagreement is about doing it dynamically by CoS or
putting the policy right into the user entry.
I think we will have troubles with CoS with auditing down the road.
I assume that all the changes are tracked in the audit logs and it would
be much easier to correlate the change of the policy directly on the
user entry than indirectly by changing group membership.
I think this is very important for compliance (PCI, SOX, etc.) to be able
to correlate the change in the policy to a specific security event.
The "update" scheme makes the forensic analysis much easier. This is the
main argument.
But if others do not see it as important I am not going to argue any more.
--
Thank you,
Dmitri Pal
Engineering Manager IPA project,
Red Hat Inc.