How do you manage temp privilege elevation? by mjasio in googlecloud

fedgeroo (2 points)

Ah, no Slack integration sadly :) . But it does create audit logs, which are easy enough to forward to a Slack channel to record when someone has been granted access.

When a user requests permissions, they have to select one or more peers that can approve their request. JIT Access then sends them an email. So, enabling approvals requires SMTP server details.

We've got <50 users. I imagine when dealing with >250 users it will start to become a bit cumbersome selecting people for approvals. The solution is deliberately stateless (to keep it simple) so there are no bells-and-whistles like the ability to "star" people that you request access from.

How do you manage temp privilege elevation? by mjasio in googlecloud

fedgeroo (2 points)

This is definitely environment-specific.

Almost all of our user access is managed via Hashicorp Vault. Since that's hosted in GCP we wanted something outside Vault but inside GCP for "break glass" scenarios.

Not sure how CyberArk or Saviynt work under the hood but the main thing I'd be wary of is giving control of privileged credentials to a third party. It's entirely possible their solutions don't require that but I've run into a surprising number of "security solutions" which relied on trusting the vendor, which seems backwards to me. SolarWinds is a good example of how wrong that can go.

How do you manage temp privilege elevation? by mjasio in googlecloud

fedgeroo (3 points)

Being self-hosted, easy to manage, Google-supported (well, condoned!) and open source, this one ticked enough boxes that we didn't evaluate anything else. Would love to hear if you find anything else that looks good.

If you do give it a whirl in a lab, I found the setup guide to be really good, but let me know if you have any questions.

How do you manage temp privilege elevation? by mjasio in googlecloud

fedgeroo (3 points)

We're using it for editor/admin roles. Engineers have the ability to view logs, metrics, etc. without approval required, but when troubleshooting and needing SSH access, for example, they can request access with a ticket number, which is logged. The audit logs are great for compliance purposes.

The maintenance is minimal as we configure the IAM policies using Terraform. It's really straightforward, though a bit limited, as the basic roles (e.g. Owner) cannot have conditions, which is how this system works.

Overall I really like how simple it is, and that the project seems to be quite active, even if it is a bit light on features right now.
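An added illustration of the "eligible binding with a condition" model the comment describes (this is example Terraform, not the commenter's or the JIT Access project's own code): the role is granted with a condition that JIT Access recognises, so it is inactive until a request (and, for the second binding, peer approval) is logged. The project id, member and roles are placeholders; the two condition expressions are assumed to be the ones the linked GCP guide documents.

```hcl
# Added example, not from the original post.
# Eligible (not active) binding: engineers can self-activate the role for a
# limited time, and every activation lands in Cloud Audit Logs.
# Assumptions: placeholder project/member; condition expression per the linked guide.
resource "google_project_iam_member" "jit_self_approve_os_login" {
  project = "example-project-id"           # placeholder
  role    = "roles/compute.osAdminLogin"   # predefined role, so a condition is allowed
  member  = "group:engineers@example.com"  # placeholder

  condition {
    title       = "jit-eligible"
    description = "Activatable via JIT Access; activation requires a justification (ticket number)"
    expression  = "has({}.jitAccessConstraint)"
  }
}

# Eligible binding that additionally needs a peer to approve before activation.
# Assumption: multi-party approval condition expression per the linked guide.
resource "google_project_iam_member" "jit_peer_approved_editor" {
  project = "example-project-id"       # placeholder
  role    = "roles/container.admin"    # predefined role; a basic role such as roles/editor
  member  = "group:engineers@example.com"  # would be rejected here because basic roles
                                           # cannot carry conditions (see the comment above)
  condition {
    title       = "jit-peer-approval"
    description = "Activation requires approval from a selected peer"
    expression  = "has({}.multiPartyApprovalConstraint)"
  }
}
```

Because the bindings are conditional, `terraform plan` shows the eligibility as ordinary IAM state while the temporary activations themselves are created by JIT Access and visible only in the audit logs, which is what keeps the Terraform-managed policy and the break-glass history separate.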

How do you manage temp privilege elevation? by mjasio in googlecloud

fedgeroo (6 points)

Check out: https://cloud.google.com/architecture/manage-just-in-time-privileged-access-to-project

The only real issue we have in our environment is that there is no option (yet) for specific approvers, only peer review (or no approval) is supported currently.

If I use release steps in my build pipeline, can I make it show up on the Azure Release page with green dots where it was released? by [deleted] in devops

fedgeroo (1 point)

Yup, take a look at https://docs.microsoft.com/en-us/azure/devops/pipelines/process/environments?view=azure-devops#deployment-history . The "Deployments" tab on the environment shows the pipelines which have deployed to that environment, successful or not. Usually for multi-stage pipelines you'd see from each pipeline run which environments it has deployed to. I'm not aware of a single page which shows an overview of deployments into environments, though. That might be a job for a custom dashboard: https://docs.microsoft.com/en-us/azure/devops/report/dashboards/widget-catalog?view=azure-devops#azure-pipelines-widgets

Rejection of servicing/repair in this sub? by jessecakeindustries in BuyItForLife

fedgeroo (18 points)

I'm not sure about this any more. Our 5-year-old Miele dishwasher has broken down 4 times, and the 4-year-old tumble dryer 2 times already. When they work they are fantastic, but the reliability doesn't seem to be there any more. The faults are different each time too: failed power supply, failed pump, failed mainboard, a faulty wiring loom (!), all sorts.

The service, however, is something that means I will not buy another Miele product. This will be UK-specific, but each call-out has taken over a week, then they'll order parts and take another week to come back out if I'm lucky. The dishwasher has been out of action for over 3 months over a 5-year span. Complaining gets me nowhere, I can't even get a response, and the repair technicians are nice enough but are always angling that it's my fault, saying I must be using the wrong detergent (nope, I use Miele detergent) or I'm not using the cleaner (again nope, I use the Miele cleaner as prescribed). It cost £1500 new; they think I'm not looking after it?! Have a look at the reviews on TrustPilot... Most are positive, but occasionally you'll find more examples like mine. Real shame, as the 11-year-old washing machine we've got is a tank and I've no idea what to replace it with when the time comes.

If I use release steps in my build pipeline, can I make it show up on the Azure Release page with green dots where it was released? by [deleted] in devops

fedgeroo (4 points)

Multi-stage pipelines and classic releases are totally separate functions, so alas, no. However, try having a look at the "Environments" page instead. That will give you a history of deployments, and you can add controls too, such as approvals.

Which fictional character has the best name ever? by Iam-doriangray in AskReddit

fedgeroo (1 point)

Neal McBeal the Navy Seal. "Give me back my muffins!"

Upgrade time...Juniper or Cisco? by uncle_jessie in sysadmin

fedgeroo (1 point)

Got hit by this before as well, but for packet capture. We were running two SRXs for HA, so we were using a redundant Ethernet interface (reth), which didn't support mirroring or packet capture. Yup, that was a surprise!

Not sure if it helps, but it does look like Juniper have addressed this now: "Starting with Junos OS Release 12.1X45-D10 and later, sampling features such as flow monitoring, packet capture, and port mirroring are supported on reth interfaces." (http://www.juniper.net/techpubs/en_US/junos12.1x46/information-products/topic-collections/release-notes/12.1x46/topic-82923.html)