Detecting cowboy'd changes in a Juju Env

Mark Shuttleworth mark at ubuntu.com
Thu May 22 08:56:53 UTC 2014


On 13/05/14 17:45, Joey STANFORD wrote:
>
>> Part of the problem is that each charm is given root access on the machine
>> to configure whatever services are actually needed. And there isn't part of
>> the spec that has them define where the configuration files are going, what
>> things they are installing, etc.
>
> Right. This is a feature but also a bit of a challenge to detect when
> something has been changed by hand.

Compliance auditing is moving towards verification of the process, not
the result. So in this case, for auditable and secure environments, it's
best to:

 * disallow SSH
 * log any "juju run" type commands carefully

Then, auditing the charms themselves is directly verifying the integrity
of the process rather than trying to audit the result.

Mark
