
CISSP Exam - Question 142


A company developed a web application which is sold as a Software as a Service (SaaS) solution to the customer. The application is hosted by a web server running on a specific operating system (OS) on a virtual machine (VM). During the transition phase of the service, it is determined that the support team will need access to the application logs. Which of the following privileges would be the MOST suitable?

Correct Answer: C

To access the application logs, the support team should have administrative privileges on the web server. The web server is responsible for hosting the application and generating the logs. This level of access ensures they can view and analyze the logs without unnecessary access to other parts of the system, which aligns with the principle of least privilege. Administrative privileges on the application folders would be too restrictive, as logs can be located in various locations that might not be contained within the application folders.

Discussion

franbarpro (Option: B)
Oct 16, 2022

Give them access to only the resources they need to do their job. No more, no less!

Humongous1593 (Option: B)
Oct 12, 2022

Least privilege

Jamati (Option: B)
Nov 9, 2022

As Humongous1593 has already said, the least privilege rule applies.

629f731 (Option: C)
Jan 9, 2024

Option B involves granting administrative privileges directly to the application folders. While it can provide access to application logs, it also carries additional risks. With access to application folders, changes or modifications can be made to other system files, which could compromise the stability or security of the application if inadvertent or unauthorized modifications are made. Additionally, logs may not be exclusively contained in specific application folders, so limiting privileges to folders only does not guarantee complete access to all necessary logs. For these reasons, option C (administrative privileges on the web server) might be more appropriate as it allows more controlled access to logs without providing direct access to other system components.

Coolwater (Option: B)
Oct 24, 2022

A, C, D are managed by the cloud vendor.

HughJassole (Option: B)
Jun 25, 2023

So we have no idea where the application logs are written to. I am a Linux admin and some apps write in their own folders, some write to /var/log, the same place the OS writes to. So I don't think this question provides enough info to answer. A best guess would be B, least privilege, but there is no way to know.

MShaaban
Aug 6, 2023

I thought the same. Agree with your approach.

74gjd_37 (Option: C)
Sep 23, 2023

The MOST suitable privilege in this scenario would be C. Administrative privileges on the web server. This would allow the support team to access and analyze the application logs without compromising the security of the hypervisor or the underlying OS. Administrative privileges on the application folders or the OS may be too broad and could potentially allow access to sensitive information beyond just the logs.

Soleandheel
Dec 8, 2023

Least privilege, guys. You want to give them access to only what they need to do the job. No more, no less.

Soleandheel (Option: B)
Dec 8, 2023

B. Administrative privileges on the application folders

DASH_v (Option: C)
Apr 29, 2023

The most suitable privilege in this scenario would be administrative privileges on the web server. This is because the web server is responsible for hosting the web application and generating the application logs. By granting administrative privileges on the web server, the support team would be able to access the logs without having complete control over the underlying OS or other applications running on the same VM. Granting administrative privileges on the hypervisor or the OS would give the support team access to more than just the application logs, which could pose a security risk. Granting administrative privileges on the application folders alone may not provide the support team with enough access to view and analyze the logs.

jackdryan
May 12, 2023

B is correct

Bach1968 (Option: B)
Jul 6, 2023

B. Administrative privileges on the application folders

Ukpes (Option: B)
Nov 13, 2023

B is the right answer. You do not need to have admin privileges to the web server but rather to the app folders. Reason: the principle of least privilege!

stack120566 (Option: B)
Mar 3, 2024

Option B is correct. I agree with 629f731. Those of us that have had to scour logs understand that the application does not hold all of the logs. In many cases applications log very little.

TheManiac (Option: B)
May 18, 2024

Least priv is the key here. Don't give more access than they need. Application folders access is what they need. So, C. Administrative privileges on the web server is wrong. You break least priv here.