Closed
Bug 1139582
Opened 11 years ago
Closed 7 years ago
Require Duo MFA for MAXIMUM security hosts
Categories
(Infrastructure & Operations :: RelOps: Puppet, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: dustin, Unassigned)
Details
(Whiteboard: [relsec] [RRA-todo])
Even if this would require multiple MFAs for those bouncing through a jumphost, it will help protect these critical hosts.
This may not be possible on OS X (mac signing servers).
Updated•11 years ago
Assignee: dustin → relops
Updated•11 years ago
|
Whiteboard: [relsec]
Boilerplate from RRA review:
In an RRA[1], "MFA directly on the master" was proposed as a security improvement for PuppetAgain. PuppetAgain is rated as having an impact of MAXIMUM.
This bug is to:
a) propose an implementation for "MFA directly on the master"
b) estimate the effort of implementing "MFA directly on the master"
c) estimate the risk reduction provided by "MFA directly on the master"
d) make a recommendation on implementation.
[1] https://drive.google.com/open?id=1Fi8Ojmdazo2dxX2c00flad5ao540ydDeLpDZlTBNFZE&authuser=0
Whiteboard: [relsec] → [relsec] [RRA-todo]
Proposal: Use the 2nd opinion system spelled out in https://mana.mozilla.org/wiki/display/SECURITY/IAM#IAM-Keyarchitecturetechnologies (see tech diagram)
Comment 3•7 years ago
Access to all releng hosts now goes via a set of jumphosts with Duo that's separate from IT's Duo.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED