security/audit trail


acw
05-22-2007, 09:53 PM
I would like to have multiple admins to manage/access my apps. Are there any methods so that we can maintain an audit trail of who ssh in and also added / accessed / modified / deleted / renamed apps via browser.

Currently, it seems all users gain access to root. It would be great if there is some way to control, so that ability to su to root is restricted and an audit trail is generated, and not just allow direct ssh into root.

Also, it would be great if there are ways to create group access lists, so that group1 users have access to app #1, 2, 3, and group2 have access to app #4, 5, 6, etc...

Any suggestions are greatly appreciated.

PeterNic
05-23-2007, 12:35 AM
ACW,

At the AppLogic user interface, there is only one access level at this time -- regular full access user, no audit. We are working to design the proper access settings and need more use cases (the one you are asking about is pretty straightforward; others have asked for different levels of access to the apps -- edit, view, control). We are trying to balance simplicity vs. flexibility, but some level of access controls will be supported. We can start a discussion here on what access levels would be most appropriate.

Here's what we did to provide restricted access to grids in one case -- essentially, to allow start/stop/restart of apps without full access to the grid UI:
- set up an appliance with a private ssh key, and have the appliance issue ssh commands to the grid controller
- on the grid controller, we created a user (non-human) with the matching public key
- the appliance provides non-root access to lower-level operators (we use a simple web app but a text-based interface is possible as well); the appliance verifies the commands against any restrictions you may want to place; then it forwards the commands to the controller via ssh

If something like this can work for you (the main limitation is that it can't edit the interior structure of apps, but can do everything else), then you can also use the standard log inside the appliance for audit.

A GSC will be the perfect base for this; a catalog appliance will work well if you have multiple such apps or need to manage multiple grids.

Similarly, we built a mobile phone gateway for starting/stopping/restarting applications from a web-enabled cell phone; it can be extended to submit various shell commands.

If something like this can be used for your needs, please post here on what you did.

Regards,
-- Peter
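As an added example (not from the thread or from AppLogic), here is what the controller side of Peter's setup can look like using OpenSSH's forced-command mechanism: the appliance's public key is pinned to a gate script that accepts only start/stop/restart of listed apps and writes an audit line before forwarding anything. The account name, file paths, app names and the gridctl CLI are placeholders; the appliance's own log still records which human operator issued the request.

```shell
#!/bin/sh
# Forced-command gate for the non-human "gridops" account on the grid
# controller. The appliance's public key is bound to this script in
# ~gridops/.ssh/authorized_keys so the key can run nothing else:
#   command="/usr/local/bin/grid-gate",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...
# sshd then hands the requested command to us in $SSH_ORIGINAL_COMMAND.
# Paths, app names and the "gridctl" CLI below are hypothetical placeholders.

AUDIT_LOG="${AUDIT_LOG:-/var/log/grid-gate.log}"
GRID_CLI="${GRID_CLI:-/usr/local/bin/gridctl}"   # hypothetical controller CLI

# Applications this key may operate on, one per line (the "group access
# list" for this appliance; a second appliance/key can get a different list).
allowed_apps() { printf '%s\n' app1 app2 app3; }

# Validate a raw request of the form "<verb> <app>". Prints the normalized
# command and returns 0 when it is allowed, returns 1 otherwise. The request
# is only field-split, never eval'd, and globbing is off while splitting.
validate_request() {
    set -f
    set -- $1
    set +f
    [ "$#" -eq 2 ] || return 1
    case "$1" in start|stop|restart) ;; *) return 1 ;; esac
    case "$2" in ''|*[!a-zA-Z0-9_-]*) return 1 ;; esac
    allowed_apps | grep -Fqx -- "$2" || return 1
    printf '%s %s\n' "$1" "$2"
}

# Append one audit line: time, decision, client address, raw request, and
# the normalized command ("-" when denied).
audit() {
    printf '%s %s client=%s request="%s" cmd="%s"\n' \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$1" "${SSH_CLIENT:-local}" "$2" "$3" \
        >> "$AUDIT_LOG"
}

# Entry point when invoked by sshd as the forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if cmd=$(validate_request "$SSH_ORIGINAL_COMMAND"); then
        audit ALLOW "$SSH_ORIGINAL_COMMAND" "$cmd"
        exec "$GRID_CLI" $cmd
    fi
    audit DENY "$SSH_ORIGINAL_COMMAND" "-"
    echo "grid-gate: request rejected" >&2
    exit 1
fi
```

The appliance then calls it as `ssh gridops@controller start app1`; anything outside the verb and app allowlists is refused and still logged.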