[Freeipa-devel] per-group password policy proposal

Simo Sorce ssorce at redhat.com
Fri Jun 12 15:20:18 UTC 2009


On Fri, 2009-06-12 at 11:08 -0400, Dmitri Pal wrote:
> Simo,
> 
> We have some disagreements and some agreements.
> The fundamental disagreement is about doing it dynamically by CoS or 
> putting the policy right into the user entry.
> I think we will have trouble with CoS and auditing down the road.
> I assume that all the changes are tracked in the audit logs and it would 
> be much easier to correlate the change of the policy directly on the 
> user entry than indirectly by changing group membership.
> I think this is very important for compliance (PCI, SOX etc.) to be able 
> to correlate the change in the policy to a specific security event.
> The "update" scheme makes the forensic analysis much easier. This is the 
> main argument.
> 
> But if others do not see it as important I am not going to argue any more.

The point is this: if auditing is the only issue, which I recognize
is important, I think we should simply add auditing to the password
change plugin. Upon a password change request we log not only which user
asked for a password change, but also which password policy was used in
the process.

I think this would much better satisfy any auditing request than any
correlation mechanism.

What do you think?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York