09-11-2008 05:21 AM
Looking for suggestions for a poor man's powerbroker
sudo su -
command but use each and every command with a sudo prefix to it when we need to run it as root. Considering we are spending a very good part of 8 hours every day typing these commands, it is a big inconvenience, if not more detrimental, to adapt this sudo prefixing of the commands.
I know powerbroker can log whatever you typed or passes through the screen buffer to a file located on a remote server. We have suggested use of this utility, but it looks like it will only be licensed for the critical (i.e. financial information bearing) servers due to the licensing costs. Yet we are still expected to be accountable via sudo prefixing on all servers in our landscape.
My question is, can there be a way to tell sudo to create a subshell where the screen and keyboard buffers will be captured and sent to a different server on the network? This could be by recompiling sudo or using another similar, license-free (or very close to free) utility.
Has anyone implemented something similar?
Thanks for all the input.
UNIX because I majored in cryptology...
09-11-2008 05:42 AM
Re: Looking for suggestions for a poor man's powerbroker
Alternatively, you could reduce your typing with s as an alias for sudo.
Mark Syder (like the drink but spelt different)
09-11-2008 05:45 AM
Re: Looking for suggestions for a poor man's powerbroker
I think alias will possibly work.
So for SOX purposes root login is being forbidden altogether?
We are under SOX here (US ownership) and we don't have such a restriction.
We're a security company. We secure content for delivery to consumers from content producers (tv, movies).
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
09-11-2008 06:07 AM
Re: Looking for suggestions for a poor man's powerbroker
We have thought of aliasing commands, but creating an alias for each and every obscure command that one uses daily is simply not feasible. The solution should be transparent.
And the answer to whether root login is prohibited: yes and no, as expected. The root password is a random string of 30+ characters, changed monthly by one of the sysadmins and kept in 3 locations in a safe in a sealed envelope, and direct root login is only allowed through the console, as any sane sysadmin does. On the other hand, people like me, who have sysadmin group privileges, are able to access a root shell via
sudo su -
but the caveat is, once you are in the root shell using this command, there is no way that auditors can tell what commands you have executed. And since there is more than one person with this level of access privileges, if 2 people were using a root shell at the same time (by the way, limiting the number of admin user logins is not an option) and something bad happens to the system, the question of "who to blame?" turns into a finger-pointing match. This has never happened, but at least this is the mentality behind why we need this accountability. Also, using powerbroker in the past saved my rear end more than once, by checking the pb.log files on the master server to figure out what went wrong. But again, pb is way too expensive to deploy on all our servers.
What I am looking for by way of sudo is:
1. user issues "sudo su -" command and gets authorized
2. sudo spawns a subshell with logging enabled, as in the "script" command
3. output of the script command goes to a remote server
This approach above is one way I can envision this could be done, although quite hard.
The second way I see this happening:
1. user issues "sudo su -" command and gets authorized
2. sudo allows every command typed to go to syslog, not only failures and errors. This could even be configured by the syslog.conf file, but I have not investigated this option.
3. by means of syslog.conf, the server sends the logs to a remote server simultaneously.
4. on the remote server, a perl or similar script can be utilized to skim the sudo directives out of the whole syslog file.
For this approach, I see a need for recompilation of the sudo binaries, but not being a programmer myself, I am not even sure if this mechanism can be built into the application.
Again, thanks for all the responses in advance.
UNIX because I majored in cryptology...
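One way to do step 4 of the second approach (skim the sudo entries out of the syslog file collected on the remote server), written here as an added Python example rather than the perl the post mentions; it is not code from the thread. The syslog lines are constructed samples in the "user : TTY= ; PWD= ; USER= ; COMMAND=" format sudo logs via syslog, with made-up host and user names. Besides grouping commands per invoking user, it flags the gap the post describes: once "su -" hands out a root shell, nothing typed inside it reaches syslog.

```python
import re
from collections import defaultdict
# Constructed sample syslog lines (hostname and users made up), in the
# "user : TTY= ; PWD= ; USER= ; COMMAND=" format sudo writes via syslog.
SAMPLE_SYSLOG = """\
Sep 11 06:07:01 hpux1 sudo:   alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/su -
Sep 11 06:07:05 hpux1 syslogd: restart
Sep 11 06:08:12 hpux1 sudo:     bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/swlist
Sep 11 06:09:30 hpux1 sudo:   carol : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/su -
Sep 11 06:10:02 hpux1 sudo:   alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/shutdown -r now
"""

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<err>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# Commands that hand out an interactive root shell; sudo logs nothing typed inside it.
SHELL_ESCAPES = ("/usr/bin/su", "/bin/su", "/sbin/sh", "/usr/bin/sh", "/usr/bin/ksh")

def parse_sudo_entries(text):
    """One dict per sudo syslog line; lines from other daemons are skipped."""
    entries = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def summarize(entries):
    """Group commands per invoking user; flag denied attempts and root-shell escalations."""
    per_user = defaultdict(list)
    root_shells, denied = [], []
    for e in entries:
        per_user[e["user"]].append(e["cmd"])
        if e["err"]:                      # e.g. "user NOT in sudoers"
            denied.append((e["user"], e["err"].strip()))
        elif e["runas"] == "root" and e["cmd"].split()[0] in SHELL_ESCAPES:
            root_shells.append((e["ts"], e["user"], e["tty"]))
    return {"per_user": dict(per_user), "root_shells": root_shells, "denied": denied}

if __name__ == "__main__":
    report = summarize(parse_sudo_entries(SAMPLE_SYSLOG))
    for user, cmds in report["per_user"].items():
        print(f"{user}: {len(cmds)} sudo command(s)")
    for ts, user, tty in report["root_shells"]:
        print(f"ROOT SHELL {ts} {user} on {tty}: later commands are not in syslog")
    for user, why in report["denied"]:
        print(f"DENIED     {user}: {why}")
```

Pointing it at a real central syslog file means replacing SAMPLE_SYSLOG with the file contents; the regex assumes the default sudo log line layout, so a site that has customised sudo's log format would need the pattern adjusted.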
09-11-2008 06:19 AM
Re: Looking for suggestions for a poor man's powerbroker
Fortunately our SOX controls are more lenient in this regard. But I did add this to root's profile because I got tired of trying to figure out who was doing what. Granted, this isn't foolproof, but it may spark some other ideas:
# Setup history file: one history per original login name (who am i
# reports the user who logged in, not the su'd identity)
WHOAMI=$(who am i | awk '{print $1}')
touch ~/.${WHOAMI}_sh_history
HISTFILE=~/.${WHOAMI}_sh_history
export HISTFILE
# Stamp the start of each session; \n, \0000 and \c are HP-UX sh/ksh echo escapes
echo "# Open: $(date)\n\0000\c" >> $HISTFILE
This creates a separate history for each user but it can be circumvented as you know.
09-11-2008 06:20 AM
Re: Looking for suggestions for a poor man's powerbroker
What if you were to add something like:
/usr/bin/script root.$(date +%m%d%y).$(date +%H%M%S)
to root's .profile? That would then record everything root does. You could have a log directory that the logs are kept in.
Caveats: 1) Being root, you could turn off the script command ; 2) Being root you could potentially blow away the script log, or the entire log directory ; 3) I honestly hate the SOX audits because they have the mentality of guilty until proven innocent and cause management not to trust their administrators.
09-11-2008 06:31 AM
Re: Looking for suggestions for a poor man's powerbroker
Sounds like you need sudosh:
http://sourceforge.net/projects/sudosh/
Never tried it myself, but it seems pretty close to what you're looking for. Not sure whether it is still a maintained product, as I can't see much action on it in the last 3 years, but...
Without looking at what it does, make sure it won't end up screwing up single-user mode!
Looking in the notes, it appears people have got it to compile on HP-UX.
HTH
Duncan
I am an HPE Employee
09-11-2008 07:28 AM
Re: Looking for suggestions for a poor man's powerbroker
09-11-2008 07:56 AM