Re: Auditing usage of GAM delegate user command


Jay Lee

Feb 19, 2013, 4:55:00 PM
to google-ap...@googlegroups.com
Hi Jordan,

  The CPanel audit log is written by Google on admin changes and is immutable; there's no API that can write to it or modify it. So GAM doesn't really do anything special to get actions like create user, delete user, etc. audited. Unfortunately, mailbox delegations are not an item that Google audits. This would be a feature request into Google to add mailbox delegations to the audit log. Note that any tool could perform the mailbox delegation API calls, so the risk you pointed out is there whether you're using GAM or not. Be careful who you give super admin access to.

  If you'd like to discuss this more, shoot us an email at in...@ditoweb.com and we can set up a time to talk about what you're trying to accomplish and how it can be done securely.

Jay



On Tuesday, February 19, 2013 4:08:39 PM UTC-5, Jordan Anderson wrote:
I love GAM - the command line interface is so much more flexible than the control panel, and I haven't found another management solution that can replace it. However, GAM's abilities can also come at a price. While most functions GAM performs can be monitored in the Google Apps Audit Log (https://www.google.com/a/cpanel/yourdomainhere/DomainSettings#Reports/subtab=audits&subtabchild=cpanel), I don't see a record of mailboxes I have delegated. 

As a result, anyone who has access to this tool could view any mailbox in my domain, without any other users knowing the difference. This creates a huge opening for abuse (of this otherwise very useful feature). I want to be able to use GAM without someone being able to accuse me of such abuse. 

1) Any other ideas about how to audit this command?
2) Alternatively, is there a way to have GAM report this action to the Google Apps audit log in a future build?


Schmidt, Randal

Feb 20, 2013, 10:22:17 AM
to google-ap...@googlegroups.com
Is there a way for GAM to retrieve the cpanel audit log for parsing and exception notification via a script?

Randy Schmidt

IT Operations - BCP Specialist

TeamQuest Corporation




Jordan Anderson

Feb 20, 2013, 11:05:46 AM
to google-ap...@googlegroups.com
Jay,

Thanks for your reply; it unfortunately makes a lot of sense. Looks like restricting access to GAM and/or Google APIs is my best option at this point. I'll file a feature request with Google, so hopefully they will address it down the road.

Jordan

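Since delegations never reach the audit log, one compensating control is to inventory them on a schedule and diff each inventory against the last one, alerting on any delegation nobody approved. The script below is an added example, not code from the thread or from GAM; it assumes an inventory of `mailbox,delegate` lines produced by whatever enumerates delegates in your environment, and the snapshots and approval list are constructed sample data.

```python
"""Detect mailbox delegations that the admin audit log does not record by
diffing periodic delegation inventories against a list of approved ones."""

from typing import Dict, List, Set, Tuple

Delegation = Tuple[str, str]  # (mailbox, delegate)

# Constructed sample snapshots: one "mailbox,delegate" line per delegation,
# as an assumed inventory job would write them (yesterday vs. today).
PREVIOUS_SNAPSHOT = """\
# mailbox,delegate
alice@example.com,assistant@example.com
ceo@example.com,ea@example.com
"""
CURRENT_SNAPSHOT = """\
# mailbox,delegate
alice@example.com,assistant@example.com
ceo@example.com,ea@example.com
ceo@example.com,admin@example.com
bob@example.com,admin@example.com
"""

# Constructed: delegations that went through a change request, keyed to it.
APPROVED: Dict[Delegation, str] = {("bob@example.com", "admin@example.com"): "CHG-1234"}


def parse_inventory(text: str) -> Set[Delegation]:
    """Parse snapshot lines into a set of (mailbox, delegate) pairs."""
    pairs: Set[Delegation] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mailbox, delegate = (part.strip().lower() for part in line.split(",", 1))
        pairs.add((mailbox, delegate))
    return pairs


def diff_delegations(prev: Set[Delegation], cur: Set[Delegation]) -> Tuple[Set[Delegation], Set[Delegation]]:
    """Return (added, removed) delegations between two snapshots."""
    return cur - prev, prev - cur


def exceptions(added: Set[Delegation], approved: Dict[Delegation, str]) -> List[str]:
    """One alert line per new delegation that has no approval record."""
    return [f"UNAPPROVED delegation: {d} may now read {m}" for m, d in sorted(added) if (m, d) not in approved]


if __name__ == "__main__":
    added, removed = diff_delegations(parse_inventory(PREVIOUS_SNAPSHOT), parse_inventory(CURRENT_SNAPSHOT))
    print("\n".join(exceptions(added, APPROVED)) or "no unapproved delegations")
```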