Skip to content

Improve administrative account governance #1721

Description

@cotosso

Description

NethSecurity already supports personal administrative accounts, MFA, administrative access logs, configuration change logs, visited UI pages tracking, and log forwarding.

The goal is to introduce a minimal separation between root and ordinary administrators.

Expected behavior

  • root is the only account allowed to create, remove, or modify administrative users.
  • Ordinary administrators can manage the firewall but cannot manage other administrators.
  • Administrator management restrictions must be enforced by backend/API checks, not only in the UI.
  • When an administrator is removed or disabled, all active sessions for that user must be revoked immediately.
  • Access to the SSH section in the UI must be restricted to root.
  • The UI must warn when default credentials are still in use.
  • Denied administrator management attempts must be logged (already present)

* The setup wizard must include passphrase configuration.
To be evaluated again in the future

* The UI must warn when the passphrase hasn't been configured.
Already present

* The setup wizard must include the creation of an ordinary admin
To be evaluated again in the future

  • The UI must warn if there are no ordinary admins configured

Suggested sub-issues

  1. Restrict administrator management to root.
  2. Revoke active sessions when an administrator is removed or disabled.
  3. Restrict SSH access to root.
  4. Add warning for default password usage.
  5. Add warning for missing ordinary admin

Components

NethSecurity 8.8.0.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Fields

No fields configured for Feature.

Projects

Status
ToDo 🕐

Relationships

None yet

Development

No branches or pull requests

Issue actions