On 11/13/2014 09:01 AM, Steve Grubb wrote:
> They could unless use of those utilities is restricted. You could also set up
> a centralized user name management system to help things. But if you want to
> tackle this yourself, I think the uids, gids, and hostnames are the main
> things that need interpreting locally. Everything else can be done after the
> fact.

This subject is one I've griped about before. I'm amazed that more people
haven't mentioned this. From an assurance perspective, having the
human-understandable names of the accounts is important. If auditing systems
aggregate records from multiple sources, this is pretty big. Until we can
easily do something like the following, this isn't dire:

machine:            local aggregator        enterprise aggregator
---------------     ---------------------   -----------------------------
finance sys1   ->
finance sys2   ->   fin. aggr   \
finance sys3   ->                ->
engineering1   ->
engineering2   ->   eng. aggr    ->         enterprise aggregator
engineering3   ->
marketing1     ->                ->
marketing2     ->   mark. aggr  /
marketing3     ->

In fact, to me, the ultimate assurance architecture would be to have the
username management system reside on the local auditing aggregator with a very
controlled/audited/secure interface. Then I'd interpret the uids, gids and hns
there.

My $0.02 FWIW,
LCB

--
LC (Lenny) Bruzenak
lenny@magitekltd.com