topic Re: Super user acttivity audit in Operating System - HP-UX

Super user acttivity audit

Mario Behring — Wed, 12 Jan 2011 13:58:19 GMT

Hi list,

I have to implement some kind of super user auditing and configure all HPUX servers not to permit direct root logon.

I know I can accomplish some of this using sudo and configuring the OS so that the root user cannot logon...but I would like to know if is there any HPUX utility or third party application that could give me more control and more information about what each superuser is actually doing...

Any help is appreciated.

Mario

Re: Super user acttivity audit

Patrick Wallek — Wed, 12 Jan 2011 14:05:03 GMT

There is a product called Power Broker that can do what you want.

http://www.beyondtrust.com/PowerBroker-Servers-Unix.aspx?section=PowerBroker-Servers-Unix

Re: Super user acttivity audit

Alzhy — Wed, 12 Jan 2011 14:14:01 GMT

The BEST out there is a combination of SUDO and Enhanced Korn Shell (eKsh). And it is really all about capturing user activity.

eKSH or ksh93 allows you to save that shells histoy file to multiple off-site (or local), non-volatile, non-editable (WORM) storage.

configure ksh93 to suite your needs
build/install
restrict root logins to console
set up sudo ("sudo -s -E" only for admins)

This has proven valuable for both the Admin and Governance in "investigating what happened".

Re: Super user acttivity audit

Rita C Workman — Wed, 12 Jan 2011 14:15:54 GMT

There is reason why you have the 'root' account. What if you had a problem on the server and you need to be able to login as root to fix it...but now you can't.

I'm all for security, but I see problems with this line of thought. Some software requires the root account to perform certain functions, not an su to root, but root.

There are some third party softwares out there that will log all keyboard entry and output to a file for you to review. Powerbroker/Symark is one I'm aware of. You can use it on an adhoc basis so you don't wind up with extreme amount of logfiles that nobody ever looks at. So you might just track those 'super users' accounts.
If someone has to be 'root' then Powerbroker might work, but if not they could be required to run 'script' and that would then put their keyboard for the activity to a file.

Just a couple thoughts,
Rita

Re: Super user acttivity audit

Alzhy — Wed, 12 Jan 2011 14:19:32 GMT

This is the official download/build site of eKSH:

http://www2.research.att.com/sw/download/

Re: Super user acttivity audit

Alzhy — Wed, 12 Jan 2011 14:24:20 GMT

Ma'm:

Most corporates these days have a standard of:

1) restricting root access to the console
2) super user fine grained access (RBAC)
3) restrictive FULL root access via SUDO
4) trackable activity (to protect us ADMINS primarily -- beleieve me it is to OUR advantage!)

(4) above is best achieved via AT&T's enhanced korn shell (aka ksh93). It not only allows you to track what you've done but builds your own knowledgebase and protect you from suspicious colleagues and governance)

In fact, I've already seen FULL CHANGE control processes in place for ANY root access. Even Physical Access to servers requier change control.

Emergencies you say? Yep an admin can still access readily the OS/its tools -- but the most important thing here is TRACKED access - for their and OUR protection.

Cheers!

Re: Super user acttivity audit

Alzhy — Wed, 12 Jan 2011 14:28:42 GMT

More:

The riskiest thingy on any UNIX and UNIX Like Operating system is its master being logged in on the root command line.

As anything can happen HOWEVER responsible we think we are:

Issues like:

- accidental PASTE of a nasty command
- accidental PASTE of a CLIPBOARD that contains commands detrimental to the OS
- accidental recall and exec of a SHUTDOWN command
- accidental recall and exec of a nasty rm command
-- the list goes on and on.

;^))

Re: Super user acttivity audit

Rita C Workman — Wed, 12 Jan 2011 14:47:24 GMT

Alzy, I too agree with standards - I agree with being secure - most definitely Sir.

I took his statement "..configure all HPUX servers not to permit direct root logon." as attempting to even inhibit login at even including the console.

There is a point to where you can be so safe you cripple an admin's ability to do a job.

My biggest concern for systems anymore seems to be in the fact that too many untaught, unwilling to open a book and learn, "somebody tell me how to do my job that I can't even explain effectively what the problem is", are sitting behind keyboards with the title UNIX Administrator.

Now that to me is the biggest security threat problem. And all the logs in creation will not protect those systems or those businesses who have chosen to follow the careless route of hiring the unqualified because it's cheaper...or better yet - outsourcing.

Like others, I do try to be good and sudo as a rule, but I must admit that I too have logged in as root and fixed something from the command line when I had to.

Kindest regards,
Rita

Re: Super user acttivity audit

Hakki Aydin Ucar — Wed, 12 Jan 2011 15:29:48 GMT

Hi,
a native approach might be ;

allow/deny root logins with /etc/securetty

Re: Super user acttivity audit

Hakki Aydin Ucar — Wed, 12 Jan 2011 15:31:57 GMT

http://www.faqs.org/docs/securing/chap5sec41.html

Re: Super user activity audit

Victor_60 — Thu, 30 May 2013 03:12:20 GMT

You should use CaclMgr: it comes with the shlog. You can put root account in dual control just in case when direct use of root account is needed, you can still use it provided both information security staff and system admin need be present.

With CaclMgr and shlog, the key strokes will be logged and can later replay back using shlog-replay.

CaclMgr is far more secure than sudo, and its control over environment variables and there value ranges are far better than any other privilege delegation software on UNIX/Linux. Also, the CaclMgr is multi-user friendly, has lot more security features to maintain the security, and can be used by any privilege accounts, such as dba account, to directly grant another account or group to use the account's privilege to execute predefined command.

Re: Super user acttivity audit

rl4518 — Wed, 12 Feb 2014 21:44:53 GMT

I realize this is an older post, but I need to implement this exact senario using sudo and ksh. Does anyone have more information on exactly how to make this happen?

Where do I get eksh and how do I configure it and sudo?

I appreciate any assistance.

-thanks