Blog
SecuringAIX

April 09, 2013

Listed below are links to weblogs that reference Good Grief—What Can Be Done About Identity Theft at the *NIX Level?:

Comments

I share your concerns around sudo.
The problem is that AIX RBAC is currently not capable of replacing it (which would make sense from my point of view). So we are left with commercial products that are not AIX native (IBM withdrew TAMOS from the market).
I'm afraid that AIX security is not receiving as much attention as it deserves or I would expect.
Interesting times ahead of us...

Actually, a lot is being done, but is not being talked about enough - imho.

Informally, that is, without my IBM hat on, I am very willing, actually eager, to discuss questions and/or work on howto's via a forum I support (http://www.rootvg.net). Much easier to reply than via the blog. However, if and where is your choice.

Thanks for your feedback!

Security should start before you even install the OS (regardless of platform, flavour, etc.).
Before you can understand the security you require, you need to create a data map showing how and where your data enters the system, how it is processed and stored, and how it leaves (including archives and backups). Next you should start to think about its value/sensitivity, etc., and from that decide on a plan of action.

Hi Andrew. Thanks for your comment!

I agree completely. IT Security needs to be policy driven. And so an audit of a system is an audit of the policy and how that policy is implemented on systems (i.e., mechanisms are platform dependent while services and goals are not); how well recognized risks are being met and additionally (I hate to say finally when it comes to security - "final" does not really exist for security) - "unknown"/not-addressed risks.
Platform audits also exist - but more as what I would call a risk analysis - rather than "IT Security Audit".
And, just to make sure there is no confusion here: the article is meant to be about the added risk and/or exposure when an organization does not have a policy-driven update policy as well as mechanisms in place to verify adherence to update policy.
