topic Re: Security Administration on Unix in Operating System - HP-UX

Security Administration on Unix

Gustavo_20 — Thu, 28 Aug 2003 15:04:51 GMT

Hi all,
Recently we have bought a HP RP5470. We are responsibles for system administration, but other area (security) want to manage the security part.
Does anybody know how can they manage the security whitout a "root" account ? We don??t want to give them the root account.
I am new in Unix environments, but in other platforms (HP Nonstop Himalaya for example) exist products which allow you to manage ACLs, to define a security administrator and that kind of thing.

Regards,

PD: Sorry for my English. I??m learning ...

Re: Security Administration on Unix

Steven E. Protter — Thu, 28 Aug 2003 15:10:09 GMT

Your English is fine.

There is no way to completely administer security without root access. Its a function of systems adminsitration and the responsibility of the admin who needs root access.

That being said, if managing security is merely managing permissions on a bunch of files, a regular user can do that. That user needs to own the files and have some basic training.

A security administrator is the system administrator in my opinion.

SEP

Re: Security Administration on Unix

Chris Wilshaw — Thu, 28 Aug 2003 15:21:31 GMT

You have a number of options, depending on what level of access they need;

You can set up a second root account for them
for example rootsec, which gives them full root access.

To do this, use

useradd -g sys -o -u 0 -m -c "Security root user" -s /sbin/sh rootsec

If that's too much access, you can set them up with a standard user account, using the sudo utility to give them sufficient access to restricted commands. You can download this from

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.6/

Alternatively, you could look at setting up a Restricted SAM account for them (similar to the sudo idea, but uses the standard SAM interface)

Re: Security Administration on Unix

Jean-Luc Oudart — Thu, 28 Aug 2003 15:25:42 GMT

We provide exe and scripts with specific suid and ACL for dedicated people to manage user accounts for example.

This probably goes back to sudo type function.

At the end of the day "root" is doing the job.

JL

Re: Security Administration on Unix

Victor BERRIDGE — Thu, 28 Aug 2003 15:33:32 GMT

Hi,
You could define a user, and give him access to a restricted sam where you have given him the privileges you wish, that is by typing as root sam -r then do the config for you user, dont forget to save the privileges...
You can as others mentionned use sudo, or su2 which gives root access to given users....

All the best
Victor

Re: Security Administration on Unix

Tor-Arne Nostdal — Fri, 29 Aug 2003 07:05:21 GMT

As explained in above answers, there is no way to handle/manage security fully without being root or root equivalent.
Above it is also mentioned how this can be achieved either with making an equivalent user or by using a "frontend" program where you can control/limit some parts of the system.

I would rather propose that the Security Officers gain restricted access to the system - as an ordinary user, and challenges the security on the system.
If they find any "holes" either from the inside as an ordinary user, or from the outside by challenging the different services/programs running on the machine, they could notify you as administrator to get this fixed.

We use external companies to make audits of our system. They can request any kind of information to be delivered them, but they do not get direct access to the system.
example:
- give me a full listing of files with permissions
- give me the passwd and group file
- how many have access to root user password
They will see if you have set the appropriate rights and keep the correct segregation.
They will also see what kind of password policy you are using and try to crack the passwords.
In addition there is used "hacker tools" from outside of the system to challenge the system.

As stated: Findings is reported to system administrator, and [s]he will perform the necessary corrective actions.

Re: Security Administration on Unix

Rory R Hammond — Fri, 29 Aug 2003 16:50:50 GMT

Not sure what is meant by handling security.

If the groups function is auditing. The task might be easier to implement than you think.

For example. I am auditing file permissions and userid's on all my system right now. I have several scripts that I run as a "regular" user. Later, I go through the output and then email the users on how to tighten up security, following up later to make sure they did fix the problem. I look at things like the ability of "world" to edit or replace executable. I put my self in certain group ID's and validate group permissions for applications. For example: The group cannot modify logs or edit\release executables without being the owner.

Adding user and changing passwords can be implemented in sam.

Rory