Page MenuHomePhabricator
Create Task
Maniphest T90951

define in Puppet or remove user account - diederik
Closed, ResolvedPublic
Actions

Description

remove user account - diederik

We're in the process of auditing and cleaning up our access lists to servers. During this audit, we found your user in place on a few sysetms, without having admin module entries. We need to review these systems and confirm you still require access to them, and why. Since we don't have this on record or in puppet, we'll have to go through the normal approval process. As such, please simply have your manager approve on this task which systems you confirm you need to continue to access.

stat1003, stat1002, stat1001, oxygen, & gadolinium

I know that you left the organization last year, but I am not certain if these are left over access from that, or for an ongoing contract or volunteer role. As such, I've CC'd Toby as well; please advise.

Please note what you need to do on each system, as we'll need to ensure you maintain the proper access levels when we add you to the admins module.

Feedback is required, as we'll be removing the access of anyone we don't account for during this audit.

Thanks in advance,

Related Objects
Search...

Event Timeline

RobH created this task.Feb 26 2015, 9:38 PM
RobH assigned this task to drdee.
RobH raised the priority of this task from to High.
RobH updated the task description. (Show Details)
RobH added projects: acl*security, acl*sre-team, SRE-Access-Requests.
RobH added a subscriber: Tnegrin.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 26 2015, 9:38 PM
RobH mentioned this in T90923: Define in Puppet or remove rogue user accounts not currently defined in admin/data.yaml.Feb 27 2015, 6:19 PM
chasemp subscribed.Mar 2 2015, 4:32 PM

@drdee, just a note it looks like your last activity was in 2014 :) I am planning on removing these production accounts during general cleanup if there is no reason to keep them. Thanks.

Tnegrin added a comment.Mar 2 2015, 4:45 PM

I'm fine either way. Diederik has signed the NDA and as such has access to
these systems.

-Toby

chasemp added a comment.Mar 2 2015, 9:17 PM
In T90951#1078480, @Tnegrin wrote:

I'm fine either way. Diederik has signed the NDA and as such has access to
these systems.

-Toby

Understood and in this case the reasoning is more or less that unused access should be removed so that the list of people with access is meaningful. We can always add them back :)

Thanks for responding

Dzahn claimed this task.Mar 3 2015, 5:43 PM
Dzahn added a subscriber: drdee.
Dzahn added a comment.Mar 3 2015, 5:53 PM

I removed the user on the listed hosts: stat1003, stat1002, stat1001, oxygen, & gadolinium
and deleted the home directories. They were empty on oxygen and gadolinium.

On the stat hosts they had:

stat1001: inspect.py settings.pyc settings.xml
stat1002: histogram.py pygeoip pygeoip.tar topk.py

stat1003: many files that i saved in a single .tar.gz which is 873M compressed

I saved these just in case, for now, because i was not sure how to handle them and if Diederik might still want to have them. They seem to be mostly from 2012/2013.

The user account is now removed in these places while it still exists where it is defined in the admins file in puppet:

bast1001, fluorine and terbium from the group: "restricted" with the description: access to terbium, fluorine (private data) and bastion hosts.

That should resolve this ticket, besides the question what to do with the old files.

Dzahn closed this task as Resolved.Mar 3 2015, 6:40 PM

I talked to Diederik on IRC and he confirmed we can delete those files. Resolving the ticket.

chasemp added a project: Security.Feb 10 2020, 10:56 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:16 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL