Operating System - HP-UX
Gustavo_20
New Member

Security Administration on Unix

Hi all,
Recently we bought an HP rp5470. We are responsible for system administration, but another area (security) wants to manage the security part.
Does anybody know how they can manage security without a "root" account? We don't want to give them the root account.
I am new to Unix environments, but on other platforms (HP NonStop Himalaya, for example) there are products which allow you to manage ACLs, to define a security administrator, and that kind of thing.

Regards,

PS: Sorry for my English. I'm learning ...
Steven E. Protter
Exalted Contributor

Re: Security Administration on Unix

Your English is fine.

There is no way to completely administer security without root access. It's a function of systems administration and the responsibility of the admin who needs root access.

That being said, if managing security is merely managing permissions on a bunch of files, a regular user can do that. That user needs to own the files and have some basic training.

A security administrator is the system administrator in my opinion.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Chris Wilshaw
Honored Contributor

Re: Security Administration on Unix

You have a number of options, depending on what level of access they need:

You can set up a second root account for them, for example rootsec, which gives them full root access.

To do this, use

useradd -g sys -o -u 0 -m -c "Security root user" -s /sbin/sh rootsec

If that's too much access, you can set them up with a standard user account, using the sudo utility to give them sufficient access to restricted commands. You can download this from

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.6/

Alternatively, you could look at setting up a Restricted SAM account for them (similar to the sudo idea, but it uses the standard SAM interface).
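The sudo option above comes down to what the sudoers rules allow. The following is an added example, not code from the thread or from the sudo project: an over-broad rule that hands the security team a root shell, next to a restricted fragment that names only the commands they need, plus a small POSIX sh check that counts rules granting the ALL keyword or a shell. The group name secadm, the alias names and the command paths are assumptions; the host's real paths may differ.

```shell
#!/bin/sh
# Added example (not from the thread). Delegating security tasks with sudo: a broad rule
# beside a restricted fragment, and a check that flags unrestricted grants. The group
# name 'secadm', alias names and command paths are assumptions for illustration.

# Over-broad rule: anything the security team runs becomes root, including a shell,
# so this is root access under another name.
BROAD_RULE='%secadm ALL = (ALL) ALL'

# Restricted fragment: named commands only, no shells or editors. The team can manage
# accounts, file modes and read the account files, and nothing else.
RESTRICTED_RULES='
Cmnd_Alias ACCOUNTS  = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/bin/passwd
Cmnd_Alias FILEMODES = /usr/bin/chmod, /usr/bin/chown, /usr/bin/chgrp
Cmnd_Alias LOOK      = /usr/bin/ls, /usr/bin/cat /etc/passwd, /usr/bin/cat /etc/group
%secadm ALL = (root) ACCOUNTS, FILEMODES, LOOK
'

# Print the number of lines in the given sudoers text whose command list is the ALL
# keyword or names a shell. Cmnd_Alias lines are checked too, because an alias that
# expands to ALL or to /usr/bin/sh is just as broad as writing it in the grant.
# User/Host/Runas aliases are skipped: ALL is legitimate there. 0 means the text passes.
count_unrestricted_rules() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blank lines
        /^[ \t]*(User|Host|Runas)_Alias/ { next }     # not command grants
        {
            cmds = $0; sub(/.*=/, "", cmds)         # text after the last "="
            if (cmds ~ /(^|[ ,])ALL([ ,]|$)/)            bad++
            else if (cmds ~ /\/(sh|ksh|csh|bash)([ ,]|$)/) bad++
        }
        END { print bad + 0 }'
}

# Human-readable verdict for one fragment.
report() {
    n=$(count_unrestricted_rules "$2")
    if [ "$n" -eq 0 ]; then
        echo "$1: OK, no unrestricted grants"
    else
        echo "$1: $n unrestricted grant(s), security team would get root"
    fi
}

report "broad rule" "$BROAD_RULE"
report "restricted fragment" "$RESTRICTED_RULES"
```

This check is a policy lint, not a syntax check; on a host with sudo installed, `visudo -c -f <file>` is the authoritative way to validate a fragment's syntax before it is installed.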
Jean-Luc Oudart
Honored Contributor

Re: Security Administration on Unix

We provide executables and scripts with specific suid bits and ACLs so that dedicated people can manage user accounts, for example.

This probably goes back to sudo type function.

At the end of the day "root" is doing the job.

JL
fiat lux
Victor BERRIDGE
Honored Contributor

Re: Security Administration on Unix

Hi,
You could define a user and give him access to a restricted SAM where you have given him the privileges you wish, that is, by typing sam -r as root, then doing the configuration for your user; don't forget to save the privileges...
You can, as others mentioned, use sudo, or su2, which gives root access to given users....

All the best
Victor
Tor-Arne Nostdal
Trusted Contributor
Solution

Re: Security Administration on Unix

As explained in the answers above, there is no way to handle/manage security fully without being root or root-equivalent.
Above it is also mentioned how this can be achieved, either by making an equivalent user or by using a "frontend" program where you can control/limit some parts of the system.

I would rather propose that the Security Officers gain restricted access to the system, as an ordinary user, and challenge the security of the system.
If they find any "holes", either from the inside as an ordinary user or from the outside by challenging the different services/programs running on the machine, they could notify you as administrator to get this fixed.

We use external companies to audit our system. They can request any kind of information to be delivered to them, but they do not get direct access to the system.
example:
- give me a full listing of files with permissions
- give me the passwd and group file
- how many have access to root user password
They will see if you have set the appropriate rights and kept the correct segregation.
They will also see what kind of password policy you are using and try to crack the passwords.
In addition, "hacker tools" are used from outside the system to challenge it.

As stated: findings are reported to the system administrator, and [s]he will perform the necessary corrective actions.
I'm trying to become President of the state I'm in...
Rory R Hammond
Trusted Contributor

Re: Security Administration on Unix

Not sure what is meant by handling security.

If the group's function is auditing, the task might be easier to implement than you think.

For example, I am auditing file permissions and user IDs on all my systems right now. I have several scripts that I run as a "regular" user. Later, I go through the output and then email the users on how to tighten up security, following up later to make sure they did fix the problem. I look at things like the ability of "world" to edit or replace executables. I put myself in certain group IDs and validate group permissions for applications. For example: the group cannot modify logs or edit/release executables without being the owner.

Adding user and changing passwords can be implemented in sam.


Rory
There are a 100 ways to do things and 97 of them are right
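Tor-Arne's audit requests (a file listing with permissions, the passwd and group files, who has root) and Rory's permission checks can be run read-only by an ordinary user, which is the point both posts make. The script below is an added example, not code posted in the thread: POSIX sh functions for the checks those two posts describe, including spotting extra UID 0 logins such as the rootsec account suggested earlier, run against a constructed passwd file and directory tree. The sample accounts, paths and modes are made up for the demonstration; on a real system the functions would be pointed at /etc/passwd and at the application directories, and only files the auditing user can read are examined.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit checks an auditor can run as an
# ordinary user. The passwd contents and directory tree below are constructed fixtures.

# Account names other than "root" with UID 0: extra root-equivalent logins.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose password field is empty. On a system with a shadow file the field is
# "x" or "*" here and the shadow file (root-readable only) would have to be checked.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# UIDs shared by more than one account name, which breaks per-user accountability.
duplicate_uids() {
    cut -d: -f3 "$1" | sort -n | uniq -d
}

# Regular files that are executable and writable by "world": anyone can edit the program.
world_writable_executables() {
    find "$1" -type f -perm -0002 \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print | sort
}

# World-writable directories without the sticky bit: anyone can replace files in them.
# A 1777 directory like /tmp is not reported, since only the owner can remove entries.
replaceable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sort
}

# Build the constructed fixture: a passwd file and a tree with known findings.
make_fixture() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:3::/:/sbin/sh
rootsec:x:0:3:Security root user:/home/rootsec:/sbin/sh
daemon:*:1:5::/:/sbin/sh
appuser:x:200:20::/home/appuser:/sbin/sh
oldapp::201:20::/home/oldapp:/sbin/sh
dup1:x:300:20::/home/dup1:/sbin/sh
dup2:x:300:20::/home/dup2:/sbin/sh
EOF
    mkdir -p "$d/tree/bin" "$d/tree/dropbox" "$d/tree/tmp"
    : > "$d/tree/bin/safe"; chmod 0755 "$d/tree/bin/safe"   # executable, not world-writable
    : > "$d/tree/bin/weak"; chmod 0777 "$d/tree/bin/weak"   # executable and world-writable
    : > "$d/tree/bin/data"; chmod 0666 "$d/tree/bin/data"   # world-writable but not executable
    chmod 0777 "$d/tree/dropbox"   # replaceable contents: reported
    chmod 1777 "$d/tree/tmp"       # sticky bit set: not reported
    echo "$d"
}

FIXTURE=$(make_fixture)
echo "Extra UID 0 accounts:";       extra_uid0_accounts "$FIXTURE/passwd"
echo "Accounts with no password:";  empty_password_accounts "$FIXTURE/passwd"
echo "Duplicate UIDs:";             duplicate_uids "$FIXTURE/passwd"
echo "World-writable executables:"; world_writable_executables "$FIXTURE/tree"
echo "Replaceable directories:";    replaceable_dirs "$FIXTURE/tree"
rm -rf "$FIXTURE"
```

Note that duplicate_uids reports UID 0 as well as 300 for this fixture: a second UID 0 account like rootsec is indistinguishable from root in file ownership and most logs, which is the accountability cost of the useradd -o -u 0 approach.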