About FMOS Users

This topic only pertains to FMOS. Users of SIP (Security Manager and other modules) are discussed in the Administration User Guide.

When you first run the FMOS Initial Configuration Wizard you will create an account granting both FireMon Administrator and System Administrator privileges.

  • FireMon Administrator is used to access the FMOS CLI.
  • System Administrator is used to access the Security Intelligence Platform (SIP). This account is managed in the Administration module, not in FMOS.

FMOS uses the related practices of the Principle of Least Privilege and Privilege Separation. Together, these practices help mitigate security risks and trace the origins of attacks that may occur.

The Principle of Least Privilege states that users and programs should never be given the capability to perform any task outside what is strictly necessary for their primary functions. For example, a program responsible for receiving email messages should not have the ability to reboot the computer.

Privilege Separation is a practice whereby users can operate in one of two roles:

  • Unprivileged—users in this role perform tasks such as web browsing and document editing, which do not require any control over the system beyond accepting keyboard and mouse input.
  • Privileged—users in this role perform tasks such as installing new software or making configuration changes that affect multiple users.


Unprivileged Users

FMOS service accounts are one type of unprivileged user account. All users on an FMOS system are unprivileged users by default. These users have limited access to system resources and almost no control over system functions. Most daemon processes run as unprivileged users to reduce the risk that they leak sensitive information to unauthorized users or make changes to themselves or the system.

The FMOS operating system includes the following unprivileged service accounts:

  • fmjas: FireMon Security Manager Server
  • fmnd: FireMon Normalized Worker
  • fmdc: FireMon Data Collector
  • httpd: Apache HTTPD
  • postgres: PostgreSQL Database Server

FMOS manages its unprivileged users; you cannot modify them. These unprivileged users have no password. They cannot be used to log in to the system and are used strictly for process separation.


Privileged Users

FMOS defines two privileged user roles.

FireMon Administrators

  • Users who are authorized to configure and control FireMon Security Manager services are known as FireMon Administrators. These users are allowed to run FMOS commands.
  • Users who are members of the fmadmin group hold the FireMon Administrator role.

The user created by the FMOS Initial Configuration Wizard automatically holds the FireMon Administrator role, as well as System Administrator.

Backup Operator

  • Users who are responsible for managing and maintaining FMOS backups are known as Backup Operators. These users are allowed to edit the contents of the backup storage directory (/var/lib/backup/firemon).
  • Users who are members of the fmbackup group hold the Backup Operator role.

By default, no users hold the Backup Operator role.
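The two properties this topic relies on, that the service accounts listed under Unprivileged Users cannot log in and that only intended users sit in the fmadmin and fmbackup groups, are the kind of thing an administrator periodically verifies. The script below is an added example, not FMOS tooling, and it audits both. The passwd, shadow and group contents are constructed sample data embedded inline so the script runs offline; the postgres lines are deliberately written with an interactive shell and a usable password hash so the check has something to report. On a real host you would read /etc/passwd, /etc/shadow (as root) and /etc/group in their place.

```shell
#!/bin/sh
# Added example: audit service-account lockdown and privileged-group membership.
# Not part of FMOS; the sample file contents below are constructed.

# Service accounts named on the page, and the two privileged groups.
SERVICE_USERS="fmjas fmnd fmdc httpd postgres"
PRIV_GROUPS="fmadmin fmbackup"

# Constructed /etc/passwd content. postgres is given /bin/bash on purpose.
PASSWD='root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:FireMon admin:/home/admin:/bin/bash
fmjas:x:900:900:FireMon Security Manager Server:/var/lib/fmjas:/sbin/nologin
fmnd:x:901:901:FireMon Normalized Worker:/var/lib/fmnd:/sbin/nologin
fmdc:x:902:902:FireMon Data Collector:/var/lib/fmdc:/sbin/nologin
httpd:x:48:48:Apache HTTPD:/var/www:/sbin/nologin
postgres:x:26:26:PostgreSQL Database Server:/var/lib/pgsql:/bin/bash'

# Constructed /etc/shadow content. "!!" and "*" are locked; postgres is not.
SHADOW='root:$6$placeholderhash:19000:0:99999:7:::
admin:$6$placeholderhash:19000:0:99999:7:::
fmjas:!!:19000:0:99999:7:::
fmnd:!!:19000:0:99999:7:::
fmdc:*:19000:0:99999:7:::
httpd:!!:19000:0:99999:7:::
postgres:$6$placeholderhash:19000:0:99999:7:::'

# Constructed /etc/group content: fmbackup empty, as the page says is the default.
GROUP='fmadmin:x:1001:admin
fmbackup:x:1002:'

# Look up one field of a colon-separated file by user/group name.
field_of() {  # $1 = file contents, $2 = name, $3 = field number
    printf '%s\n' "$1" | awk -F: -v n="$2" -v f="$3" '$1 == n { print $f }'
}

# Print one FINDING line for every service account that could still log in:
# an interactive login shell, or a shadow hash that is not locked.
audit_service_accounts() {
    for u in $SERVICE_USERS; do
        login_shell=$(field_of "$PASSWD" "$u" 7)
        hash=$(field_of "$SHADOW" "$u" 2)
        case "$login_shell" in
            */nologin|*/false) ;;
            *) echo "FINDING: $u has interactive shell $login_shell" ;;
        esac
        case "$hash" in
            '!'*|'*') ;;
            *) echo "FINDING: $u has a usable password hash" ;;
        esac
    done
}

# Print the members of each privileged group, one "group: members" line each,
# so unexpected holders of the FireMon Administrator or Backup Operator role
# stand out.
list_privileged_members() {
    for g in $PRIV_GROUPS; do
        members=$(field_of "$GROUP" "$g" 4)
        if [ -z "$members" ]; then
            echo "$g: (no members)"
        else
            echo "$g: $members"
        fi
    done
}

audit_service_accounts
list_privileged_members
```

Run against the sample data, the audit reports two findings for postgres and nothing for the other four service accounts, and the group listing shows admin as the only FireMon Administrator and an empty fmbackup group. Reading the real files instead of the embedded strings is the only change needed to run this on a live system.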