Revoking permissions of leaving members

We grant access to our servers, admin accounts and passwords to employees, contractors and other contributors on a need and trust basis. When someone leaves, we need to revoke important permissions to reduce the risk of compromised accounts. Usually, we still trust the leaving person but passwords and keys can get leaked without anyone’s fault. For example, a new security vulnerability could be used to intrude a developer’s laptop. And you may forget to notify all your past employers about such an incident, if you even know about the leak.

Anyway, I’m proposing a permission removal process, which should be triggered as soon as somebody doesn’t need the permissions any more.

  • Private Slack channels
    As Slack admin, go to every private Slack channel and check the members.
    Risk: Leak of sensitive information.
  • Server access
    Use ofn-install to remove access from all managed servers. There are two ways. One is ad-hoc to remove access for a given person, the other one is permanent and requires a code change.
    # Remove any known key (in files/keys):
    ansible-playbook playbooks/remove_ssh_keys.yml --limit all_prod,all_staging -e "{'remove_users_sysadmin':[alice,bob]}"
    
    # Remove key permanently:
    # Edit inventory/group_vars/all.yml
    # Move key from core_devs to retired_core_devs
    
    Risk: Manipulation of payment methods to steal money. Leak of sensitive information.
  • Github teams
    • Visit Open Food Foundation members on Github
    • Choose the leaving person.
    • Change role from owner to member.
    • Remove from teams they are no longer in.
    • Remove any other unneeded permissions.
      Risk: Manipulation of source code to gain access to our servers. Then steal money and personal data.
  • Superuser access from OFN application
    People may have several accounts on production and staging accounts. Review accounts:
    sql='SELECT spree_users.id, spree_users.email FROM spree_users INNER JOIN spree_roles_users ON spree_roles_users.user_id = spree_users.id INNER JOIN spree_roles ON spree_roles.id = spree_roles_users.role_id WHERE spree_roles.name = $$admin$$'
    ansible all_prod -u openfoodnetwork -a "psql -h localhost openfoodnetwork ofn_user -c '$sql'"
    ansible all_staging -u openfoodnetwork -a "psql -h localhost openfoodnetwork ofn_user -c '$sql'"
    
    For any unneeded admin accounts, visit the user admin page on that instance and remove the admin flag.
    Risk: Steal money and personal data.
  • Bitwarden password change
    We have some shared Bitwarden accounts. If the leaving member had access to these accounts, we need to change the password and re-distribute it amongst the authorised members to revoke access.
    Risk: Social engineering to gain access to servers or devices of members. Steal money and personal data.
  • Email address
    Some instances provide work email accounts. Each instance may have their own process for this.
    Risk: Social engineering for privilege escalation.
1 Like