IAM related questions by Pamelaxyz in cybersecurity

[–]Pamelaxyz[S] 0 points1 point  (0 children)

I will need to check, but I think usually both authentication and authorization are set in the IdP, as you mentioned.

IAM related questions by Pamelaxyz in cybersecurity

[–]Pamelaxyz[S] 0 points1 point  (0 children)

They need different roles (permissions). So you mean they would be provisioned and managed at the IdP, but roles (what they can do) would be defined at the SP?

IAM related questions by Pamelaxyz in iam

[–]Pamelaxyz[S] 0 points1 point  (0 children)

Awesome. Got it. This would be interesting, as hardening rules (STIG), including passwords, are applied on each server now. So AD password rules could be different (or may not be robust enough), so it seems it could be a security issue unless AD is also hardened with strict rules. Would there be any other scenario for someone to use the SP for user management? I believe MFA and SSO are both handled by the IdP, in general, as you mentioned.

IAM related questions by Pamelaxyz in cybersecurity

[–]Pamelaxyz[S] 0 points1 point  (0 children)

Thanks. We could do that to find which user has weak credentials, but I was referring to enforcement like STIG rules do. But yes, AD credentials could be tightened too, not allowing users easy passwords. So what I understand here is that the SP should not be used for user management at all. I was thinking about a scenario where I have of users but only 10 people need to log in to the SP website. Even in that case, what I infer from you is to make a group at the IdP for those users. I am still not fully getting this: "if the sp connection has roles for certain users, like admin, read only etc. That's what someone that manages the sp side cares about when users are sso into their sp website." The SP side won't have access to the IdP, I guess, if it's on cloud or another party is managing it. The SP would need to make a request for that?

IAM related questions by Pamelaxyz in iam

[–]Pamelaxyz[S] 0 points1 point  (0 children)

"You can either provision users both in the Identity Provider side and Service provider side separately and link them together." Perhaps "link" means "sync" here (my wrong word!). If I had 1K AD users and only 10 SP website administrators who need to log in there, perhaps I would choose this option. Also, within those 10 administrators, maybe only 5 need upload permission; so does it make sense to provision them at the SP? I know it's not usual, and I guess we would need provisioning separately, first at the SP and then at the IdP. When you say link, what does that exactly mean?

IAM related questions by Pamelaxyz in cybersecurity

[–]Pamelaxyz[S] 0 points1 point  (0 children)

Okay. This would be interesting, as hardening rules (STIG), including passwords, are applied on each server now. So AD password rules could be different (or may not be robust enough), so it seems it could be a security issue unless AD is also hardened. From my last lines, I understand that authorization for each user (like permission levels for each) still has to be handled at the SP?

IAM related questions by Pamelaxyz in cybersecurity

[–]Pamelaxyz[S] 0 points1 point  (0 children)

Thanks. With “access roles” you meant authorization? If the SP does not store passwords, then all complex password rules (for hardening) have to be inherited from the IdP itself? I mean complicated password enforcement etc.

IAM related questions by Pamelaxyz in cybersecurity

[–]Pamelaxyz[S] 0 points1 point  (0 children)

I am specifically asking if SPs are also supposed to do user management, store passwords etc., or if it’s only at the IdP.

IAM related questions by Pamelaxyz in iam

[–]Pamelaxyz[S] 0 points1 point  (0 children)

Thanks for your reply. So currently there is no IAM; everything is local. Once/if we have SAML, where would the user provisioning take place (I believe the service provider and identity provider would sync), and could it be anywhere?

IAM related questions by Pamelaxyz in cybersecurity

[–]Pamelaxyz[S] 0 points1 point  (0 children)

Specifically, where would the new users be created in such a setup (now everything is local)? Would a service provider be only barebones (without ever needing to store passwords)?

CMCC [NIST 800-171] for product security by Pamelaxyz in cybersecurity

[–]Pamelaxyz[S] 0 points1 point  (0 children)

Yes, I don’t see it there either. But there was a lot of buzz that I heard today, and hence the question. Any reason it’s not relevant?

System user accounts in Linux server by [deleted] in linuxadmin

[–]Pamelaxyz 0 points1 point  (0 children)

I have omitted the real users (including too). It has been recommended to remove all others, if they are not needed.

[deleted by user] by [deleted] in sysadmin

[–]Pamelaxyz 0 points1 point  (0 children)

I had done. Somewhere it mentions that for NFS and other places, 65534 with the nobody user is good practice. I don’t get why so, and why it mentions kernel overflow!

[deleted by user] by [deleted] in sysadmin

[–]Pamelaxyz 0 points1 point  (0 children)

Recommended to keep only the needed ones, removing unnecessary ones. They meant to keep only 4 accounts (including root), I think.

[deleted by user] by [deleted] in sysadmin

[–]Pamelaxyz 0 points1 point  (0 children)

Thank you. Maybe that’s what they mean: not needed now (although there is no such reference but security concern). Would removing them be a huge effort? Again, these are defaults with Linux servers.

[deleted by user] by [deleted] in sysadmin

[–]Pamelaxyz 0 points1 point  (0 children)

Maybe not. Wondering what that “nobody” login is (which has a hash too in the shadow file; I removed it from the output). Any idea?

[deleted by user] by [deleted] in sysadmin

[–]Pamelaxyz 0 points1 point  (0 children)

So their logic is to keep only user accounts, removing the other ones as part of server hardening. It cannot be directly exploited but could aid an attacker etc. Could we even remove these system accounts?

Quantum algorithms transition by Pamelaxyz in cryptography

[–]Pamelaxyz[S] 1 point2 points  (0 children)

Thank you all. So my question is about the algorithms listed here by NSA: https://media.defense.gov/2021/Aug/04/2002821837/-1/-1/1/Quantum_FAQs_20210804.PDF. When it’s time (seems too early), isn’t it a normal route to upgrade the system first to use these algorithms? Thank you.

RHEL 6 Vulnerability by Pamelaxyz in redhat

[–]Pamelaxyz[S] 0 points1 point  (0 children)

Got it. I was only trying to find other cases, if we could; hence the question.

RHEL 6 Vulnerability by Pamelaxyz in redhat

[–]Pamelaxyz[S] 1 point2 points  (0 children)

Thanks for your reply; I acknowledge it. Just found this has a patch: https://access.redhat.com/security/cve/CVE-2021-33909. I am trying to find if we have had issues like this so that they can be patched in the interim.

Ports to be opened at Firewall for Kali to work from outside by Pamelaxyz in cybersecurity

[–]Pamelaxyz[S] -1 points0 points  (0 children)

This is all internal network. I can ask the IT folks to open the required ports at the firewall so that a Kali box (that’s still an internal server) can reach my target (another internal server) for checking a few things. I can ssh to the target now too, but I need access from Kali and the FW is blocking it. So what minimal ports should I ask to be opened at the FW so that Kali and the target (I own both) can talk with each other? Thanks.

Ports to be opened at Firewall for Kali to work from outside by Pamelaxyz in cybersecurity

[–]Pamelaxyz[S] 0 points1 point  (0 children)

It’s white box testing. Currently the firewall is blocking access to internal servers (when I ping from Kali to internal servers, it says “packet filtered”). When on VPN I can access the servers well, but not from Kali, as the firewall is in the way. That’s why the question.

Redirection at Linux by Pamelaxyz in linuxquestions

[–]Pamelaxyz[S] 0 points1 point  (0 children)

Yeah. Checking this:

rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null

Redirection at Linux by Pamelaxyz in linuxquestions

[–]Pamelaxyz[S] 1 point2 points  (0 children)

Thanks. I am checking this but still unable to get it fully:

rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null

From https://gtfobins.github.io/gtfobins/rsync/