Security Administration on Unix
08-28-2003 08:04 AM
Recently we bought an HP RP5470. We are responsible for system administration, but another area (security) wants to manage the security part.
Does anybody know how they can manage the security without a "root" account? We don't want to give them the root account.
I am new to Unix environments, but on other platforms (HP Nonstop Himalaya, for example) there are products which allow you to manage ACLs, to define a security administrator and that kind of thing.
Regards,
P.S.: Sorry for my English. I'm learning ...
08-28-2003 08:10 AM
Re: Security Administration on Unix
There is no way to completely administer security without root access. It's a function of systems administration and the responsibility of the admin who needs root access.
That being said, if managing security is merely managing permissions on a bunch of files, a regular user can do that. That user needs to own the files and have some basic training.
A security administrator is the system administrator in my opinion.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
08-28-2003 08:21 AM
Re: Security Administration on Unix
You can set up a second root account for them
for example rootsec, which gives them full root access.
To do this, use
useradd -g sys -o -u 0 -m -c "Security root user" -s /sbin/sh rootsec
If that's too much access, you can set them up with a standard user account, using the sudo utility to give them sufficient access to restricted commands. You can download this from
http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.6/
Alternatively, you could look at setting up a Restricted SAM account for them (similar to the sudo idea, but uses the standard SAM interface)
08-28-2003 08:25 AM
Re: Security Administration on Unix
This probably goes back to sudo type function.
At the end of the day "root" is doing the job.
JL
08-28-2003 08:33 AM
Re: Security Administration on Unix
You could define a user, and give him access to a restricted sam where you have given him the privileges you wish, that is by typing as root sam -r then do the config for your user, don't forget to save the privileges...
You can, as others mentioned, use sudo, or su2 which gives root access to given users....
All the best
Victor
08-29-2003 12:05 AM
Solution
Above it is also mentioned how this can be achieved either by making an equivalent user or by using a "frontend" program where you can control/limit some parts of the system.
I would rather propose that the Security Officers gain restricted access to the system - as an ordinary user, and challenge the security on the system.
If they find any "holes" either from the inside as an ordinary user, or from the outside by challenging the different services/programs running on the machine, they could notify you as administrator to get this fixed.
We use external companies to make audits of our system. They can request any kind of information to be delivered to them, but they do not get direct access to the system.
example:
- give me a full listing of files with permissions
- give me the passwd and group file
- how many have access to root user password
They will see if you have set the appropriate rights and keep the correct segregation.
They will also see what kind of password policy you are using and try to crack the passwords.
In addition, "hacker tools" are used from outside of the system to challenge the system.
As stated: Findings are reported to the system administrator, and [s]he will perform the necessary corrective actions.
08-29-2003 09:50 AM
Re: Security Administration on Unix
If the group's function is auditing, the task might be easier to implement than you think.
For example, I am auditing file permissions and user IDs on all my systems right now. I have several scripts that I run as a "regular" user. Later, I go through the output and then email the users on how to tighten up security, following up later to make sure they did fix the problem. I look at things like the ability of "world" to edit or replace executables. I put myself in certain group IDs and validate group permissions for applications. For example: The group cannot modify logs or edit\release executables without being the owner.
Adding users and changing passwords can be implemented in sam.
Rory
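
The read-only checks discussed in this thread (world-writable executables, a review of the passwd file, and spotting extra UID 0 accounts such as the rootsec one suggested earlier) can be run from an ordinary account. The script below is an added example, not any poster's own script; the function names, the fixture directory and the sample passwd lines are constructed for illustration.

```shell
#!/bin/sh
# Read-only audit checks that need no root access (added example).

# Regular files under directory $1 that are both world-writable and executable.
world_writable_exec() {
    find "$1" -type f -perm -0002 \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print 2>/dev/null | sort
}

# Account names in passwd-format file $1 whose UID is 0 (root equivalents).
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# UIDs in passwd-format file $1 that are shared by more than one account,
# which is what "useradd -o" produces.
duplicate_uids() {
    awk -F: '{ n[$3]++ } END { for (u in n) if (n[u] > 1) print u }' "$1" | sort -n
}

# Build constructed sample data under directory $1 so the checks can be
# tried without touching the real system.
make_fixture() {
    mkdir -p "$1/bin"
    printf '#!/bin/sh\n' > "$1/bin/deploy.sh"; chmod 0777 "$1/bin/deploy.sh"
    printf '#!/bin/sh\n' > "$1/bin/backup.sh"; chmod 0755 "$1/bin/backup.sh"
    printf 'notes\n'     > "$1/bin/notes.txt"; chmod 0666 "$1/bin/notes.txt"
    printf '%s\n' \
        'root:*:0:3::/:/sbin/sh' \
        'rootsec:*:0:3:Security root user:/home/rootsec:/sbin/sh' \
        'audit1:*:1001:20::/home/audit1:/usr/bin/sh' > "$1/passwd"
}

# Demonstration run against the constructed fixture.
demo=${TMPDIR:-/tmp}/audit_demo.$$
mkdir "$demo" && make_fixture "$demo"
echo "World-writable executables:"; world_writable_exec "$demo/bin"
echo "UID 0 accounts:";             uid0_accounts "$demo/passwd"
echo "Shared UIDs:";                duplicate_uids "$demo/passwd"
rm -rf "$demo"
```

On a real system the same functions would be pointed at directories such as an application's bin directory and at a copy of /etc/passwd supplied by the administrator.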