They should be required to do audits and pen testing yearly due to the requirements of government systems. It sounds like SolarWinds worked with pen testing firms that just gave passing grades. Sometimes organizations purposely hire bad security talent so they don't get exposed as doing a bad job.
You mean like how the government hires SolarWinds?
I have a client that uses at least one SolarWinds product and I shudder....
you're saying that they can't ever be wrong in their releases?
No, I'm saying that whether right or wrong is irrelevant. That it happened is what matters. Deciding if it happened accidentally or on purpose is a different discussion. Things happening by accident doesn't make them not have happened.
@Dashrender I'm a 3rd party to the end customer here. Acting as the middle man as the customer's IT department wanted to engage outside support to try and vet different products.
I candidly told the customer that while this product will work, it won't work with all of the features they want without some substantial changes to their infrastructure and that the support (at least from this vendor) is pretty awful.
The simple approach here is to not integrate RFID/HIDs with the system and simply use the AD integration with the built-in QR codes that each member is assigned.
Just because something may be supported doesn't imply that it is supported.
Except in this case the vendor very clearly has stated they support you adding custom attributes within AD.
Saying "Well, Johnny is just a better employee than you, so I choose to pay him more" isn't going to make people happy; it will likely make them less happy...
You are looking at it from the employer's perspective. Of course it doesn't help the employer. It helps the employee when they can see what X work is worth. If employee 1 makes X for a job, and employee 2 wants to know their own value, they have something to go on. If you don't know what others are paid you have almost nothing to go on.
Remember on Spiceworks when loads of people would claim that $65K was the IT industry cap? Imagine if people (and companies) were able to repeat that without anyone speaking up! People would surmise that if $65K is the top for a CIO, that a system admin must cap out at $50K and a helpdesk tech at $9/hr!
But in the real world, we know that CIOs make well into the seven-figure range, and admins can get well into the multiple six figures. Even good help desk leads can hit six figures. If we didn't have others to compare against, it's easy to see people misunderstanding the scope of the industry by an order of magnitude.
It's been like that since Fedora 31. At least with the netinstall everything iso.
Gotta be the Netinstall because we install this constantly, every few days, and in the Server Edition, it's not there by default.
root account is disabled with the following ISOs:
Must be in 1.9. We do these constantly and haven't seen it yet.
Was there more than one ISO release of Fedora 31? There is not always.
Not sure. I just looked and we are on the 1.9 ISO and it definitely has a different default.
Another really good option is not letting them log directly into the systems at all and forcing them to use a config management tool. So something like Tower or a Jenkins server that logs all of the commands run and has the permissions set there.
Right. Just like the best defense is a good offense (or vice versa?). The most secure port is a closed port. Locking down SSH, no matter how well, isn't as good as completely closing it.
Or using config management to only open it when necessary, is an "in between" step, too.
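The "locking down SSH" side of the exchange above, as an added example that is not part of the thread and is not any poster's code: a small Python audit of an sshd_config. It parses the file the way sshd does for the keywords it checks (the first occurrence of a keyword wins, and settings inside a `Match` block apply only conditionally), then reports anything that misses a hardening baseline. The baseline values and both sample configs are constructed for the example; the OpenSSH defaults noted per keyword are the documented ones, but check them against the sshd_config(5) man page of the version you actually run.

```python
"""Audit an sshd_config against a small "lock it down" baseline.

Added example for this thread; not code from any poster or vendor.
Baseline values and sample configs below are constructed assumptions.
"""
import re


def _one_of(*values):
    allowed = {v.lower() for v in values}
    return lambda v: v.lower() in allowed


def _at_most(n):
    return lambda v: v.isdigit() and int(v) <= n


# keyword -> (predicate on the value, OpenSSH default when the keyword is absent)
BASELINE = {
    "PermitRootLogin": (_one_of("no", "prohibit-password"), "prohibit-password"),
    "PubkeyAuthentication": (_one_of("yes"), "yes"),
    "PasswordAuthentication": (_one_of("no"), "yes"),
    # PAM can still prompt for a password via keyboard-interactive even when
    # PasswordAuthentication is off, so this has to be turned off as well.
    "KbdInteractiveAuthentication": (_one_of("no"), "yes"),
    "PermitEmptyPasswords": (_one_of("no"), "no"),
    "MaxAuthTries": (_at_most(4), "6"),
}
_CANONICAL = {k.lower(): k for k in BASELINE}
# Older spelling that sshd still accepts for KbdInteractiveAuthentication.
_ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings maps lower-cased keyword -> first value seen, because
    sshd uses the first obtained value for each keyword.  match_blocks is a
    list of (criteria, settings) for each `Match` section: every line after
    a Match line belongs to that section until the next Match.
    """
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # '#' starts a comment
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        key = _ALIASES.get(key, key)
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value)                 # first occurrence wins
    return global_settings, match_blocks


def audit(text):
    """Return a list of finding strings; an empty list means the global
    settings meet the baseline and no Match block weakens them."""
    settings, matches = parse_sshd_config(text)
    findings = []
    for name, (ok, default) in BASELINE.items():
        key = name.lower()
        value = settings.get(key, default)
        if not ok(value):
            where = "set to" if key in settings else "unset, OpenSSH default is"
            findings.append(f"{name} {where} {value!r}")
    if not ("allowusers" in settings or "allowgroups" in settings):
        findings.append("no AllowUsers/AllowGroups allow-list; every local account may log in")
    # A Match block can quietly re-enable what the global section disabled,
    # so report those too; the reader decides whether the criteria are narrow enough.
    for criteria, block in matches:
        for key, value in block.items():
            name = _CANONICAL.get(key)
            if name and not BASELINE[name][0](value):
                findings.append(f"Match {criteria}: {name} re-enabled as {value!r}")
    return findings


# Constructed sample configs, not captured from any real host.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
AllowUsers deploy ansible
PasswordAuthentication yes   # ignored: sshd keeps the first value above
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""
```

Running `audit(WEAK_CONFIG)` lists the permissive settings plus the two things the weak file never mentions (keyboard-interactive auth left at its default, no allow-list); `audit(HARDENED_CONFIG)` is clean at the global level but still flags the `Match Address 10.0.0.0/8` block that turns password logins back on for an entire /8. Pair this with the port-level point made above: it tells you whether the SSH you expose is locked down, not whether it should be exposed at all.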