topic Re: security issue in Operating System - HP-UX

security issue

Ionut Grigorescu_2 — Thu, 31 Oct 2002 08:30:12 GMT

Hi,

I'm administrating some HP-UX 11.00 machines on which is installed some third party software. The vendor need remote access from time to time to install some new change notes or for solving helpdesk request. They need always the root password for that. My system is accessible via a dial-in server (PC). From there telnet is possible to all my machines (about 10 pcs.) Untill now I have changed each time the root passwd before and after they accessed my system. Is there another better method (for example editing /var/adm/inetd.sec). I want also to know if it's possible to log their activity (don't forget they are root! ).

Thank you,
ionu

Re: security issue

Balaji N — Thu, 31 Oct 2002 08:43:56 GMT

Hi,

I would suggest using sudo. With sudo configured, a user can login using his username / password and then use sudo to execute commands with supervisor priveleges. All commands executed can be logged.

HTH
-balaji

Re: security issue

Ionut Grigorescu_2 — Thu, 31 Oct 2002 09:33:59 GMT

What is sudo?

Re: security issue

Darren Prior — Thu, 31 Oct 2002 09:51:41 GMT

Hi Ionu,

You could consider using auditing (for which your system would need to be trusted.) However if your vendor is logged in as root, you cannot determine their activities from any other user logged in as root.

regards,

Darren.

Re: security issue

Ionut Grigorescu_2 — Thu, 31 Oct 2002 10:17:16 GMT

What about the dial-in server? How can I see an incoming telnet from its IP address? If somebody perform an action during this telnet session from the dial-in server as root, and is not me - then I still have something. Another question - after modifying /var/adm/inetd.sec do I have to stop-start inetd?

Re: security issue

Paula J Frazer-Campbell — Thu, 31 Oct 2002 12:35:07 GMT

Hi

You can set up another root lever user creating a seperate home dir and .sh_history file which is then ftped on a min by min basis to a safe machine.

ie.
roottmp:sqdvvAP3.sZA6:0:3::/use/root-tmp:/sbin/sh

This not perfect but will help.

I would seriously question the root level access requirement and investigate moving their access level to a more normal level either by forcing them to change their software or for you to take control of the root level tasks.

Basicly root is God and one God is more than enough.

Paula

Re: security issue

T G Manikandan — Thu, 31 Oct 2002 12:50:18 GMT

Find the things like
1.Is the root privileges really reqd.?
2.what is the need for the root privileges?

The secure method is to nstall 'sudo'.
Using sudo you can restrict users to some root privileges.

check this link for more about sudo
http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.6/

Re: security issue

Ionut Grigorescu_2 — Thu, 31 Oct 2002 13:06:55 GMT

Unfortunately the root privileges are really required - some change notes include also HP patches - I'm not allowed to install HP patches by myself - they have to be first tested by Nokia's (the vendor) Product Line against their software :-). You are right Paula - one God and thousand daemons ... :-))