During a discussion about VMware ESXi security with @DorianWinty,
Dorian suggested we use 2FA for hypervisor access.
From that, I've checked the use of a second factor on DevCentral (a),
and this shows we need to draft a 2FA policy.
Groups with extra privileges
The members of the following groups should enable 2FA:
- https://devcentral.nasqueron.org/project/members/50/ Trusted users -> can send code to Jenkins CI, push code in non-ops repositories
- https://devcentral.nasqueron.org/project/members/68/ Nasqueron Operations Squad -> can see security issues, approve code on ops repository
We can prepare a report to know who to contact about that (b).
Useful queries:
- (a) SELECT count(*) FROM devcentral_user.user WHERE isEnrolledInMultiFactor = 1;
- (b) A query on devcentral_user.user and devcentral_project.edge can help
Users who need to enable 2FA
  SELECT DISTINCT userName
  FROM devcentral_project.edge
  LEFT JOIN devcentral_user.user
    ON user.phid = edge.dst
  WHERE src IN (
      "PHID-PROJ-2gmvzczbipg5amctzsjd", -- Trusted users
      "PHID-PROJ-puoemrjignrbd2eilwpo"  -- Ops
    )
    AND type = 13 -- PhabricatorProjectProjectHasMemberEdgeType
    AND isSystemAgent = 0 -- avoid bot accounts like Alken-Orin
    AND isEnrolledInMultiFactor = 0
  ORDER BY userName;
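
A per-group enrollment summary can serve as a baseline when drafting the policy and as a way to track progress afterwards. This query is an added example, not part of the original task; it assumes MySQL (where a comparison evaluates to 0 or 1 and can be summed) and reuses only the tables, columns and PHIDs from the query above.

```sql
-- Added example: 2FA coverage per privileged group.
-- Assumes MySQL and the same schema and PHIDs as the report query above.
SELECT
    CASE edge.src
        WHEN 'PHID-PROJ-2gmvzczbipg5amctzsjd' THEN 'Trusted users'
        WHEN 'PHID-PROJ-puoemrjignrbd2eilwpo' THEN 'Nasqueron Operations Squad'
    END AS groupName,
    COUNT(*) AS members,
    -- A boolean comparison yields 0 or 1 in MySQL, so SUM counts matches
    SUM(user.isEnrolledInMultiFactor = 1) AS enrolled,
    SUM(user.isEnrolledInMultiFactor = 0) AS notEnrolled,
    ROUND(100 * SUM(user.isEnrolledInMultiFactor = 1) / COUNT(*), 1) AS enrolledPct
FROM devcentral_project.edge
-- INNER JOIN: only edges that resolve to an existing user row are counted
INNER JOIN devcentral_user.user
    ON user.phid = edge.dst
WHERE edge.src IN (
        'PHID-PROJ-2gmvzczbipg5amctzsjd', -- Trusted users
        'PHID-PROJ-puoemrjignrbd2eilwpo'  -- Ops
    )
    AND edge.type = 13          -- PhabricatorProjectProjectHasMemberEdgeType
    AND user.isSystemAgent = 0  -- exclude bot accounts
GROUP BY edge.src
ORDER BY groupName;
```

A user who belongs to both groups is counted once in each row, so the rows should not be added together to get a total of people to contact.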