Operating System - HP-UX

Mad_1
Regular Advisor

Administrator account control

The security team at my site is reviewing the admin/support account controls. They propose to hand over the admin accounts (e.g. root, oracle, etc.) to Operations to keep; a system admin (such as I) can request to use 'root' when needed.

As you know, in UNIX world, almost all of the system admin and support tasks need 'root' to perform. It seems hard to hand over the root account.

I would like to seek your advice and the common practice of your site on this area. Thanks
Steven E. Protter
Exalted Contributor
Solution

Re: Administrator account control

If you are the systems administrator you need the root password to do your job.

As far as oracle and others, root gives you those powers as well.

Our site leaves me the admin with administrative passwords including root. Operations also has them because certain functions have not been converted to sudo. Also being a small shop management wants somebody besides me to know the passwords.

All admin passwords for the organization are kept on an admin password list in operations. As a practical matter, operations rarely uses these passwords unless I tell them to.

An admin cannot do his job without the root password.

As another practical matter, if the job does not require root, I don't use it. It's too powerful. We have application owners for everything from the oracle database to the print spool.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Sridhar Bhaskarla
Honored Contributor

Re: Administrator account control

Hi,

In my view, it depends on your site requirements and how safe and secure your company wants its data to be. And it is best to leave it to the business owners. It is not unusual to restrict 'root' access in financial institutions, government organizations, etc. For them, the person using 'root' is just like anyone in the company that shouldn't have access to sensitive data unless required to.

Not having root access can introduce procedural delays and downtime. But if the business is willing to take that risk, then you will not have a choice.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Mad_1
Regular Advisor

Re: Administrator account control

Does anyone have experience in handing over root? And does anyone have experience in refusing to hand over root with sufficient reason?
Sridhar Bhaskarla
Honored Contributor

Re: Administrator account control

Hi,

Yes. I worked in two such companies so far. In one company which is a bank, the root was always disabled but we could 'su' to it. No normal su was available on the box. We customized Seos's SU such that two SAs will have to authorize to get a successful su to root. And all the root sessions were audited.

In the other company, we never had the root password. When we needed root, upon an approved change ticket, access was provided temporarily for the change window. There were quite a few issues with root not readily available but that didn't change their position.

I was really frustrated with the first experience as it was the first time I realized that sysadmins could be treated like others. But as I continued to understand their business, I started appreciating the reason behind it.

In other experiences, I never had any trouble having root to myself.

As I said before, it is dependent on how the company wants to protect its data. While security is very important, they would need to understand the risks behind restricting everything too much and sometimes it can result in bringing down the business.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Andrew Cowan
Honored Contributor

Re: Administrator account control

Many companies restrict root access unless there is a specific need for it. In many cases the use of "sudo" and "captive-SSH" can replace about 70% of root usage.

It's all too easy to log in as root, or to switch user, when you really don't have to. With a bit of thinking, and skillful manipulation of ownerships, groups, and permissions, a lot can be achieved without it.
More and more OSes are moving towards the SE-Linux style Mandatory-Access-Control, and very soon this will no longer be an issue.
Mad_1
Regular Advisor

Re: Administrator account control

Andrew

Would you please tell me more about the SE-Linux style Mandatory-Access-Control? Thanks.
Andrew Cowan
Honored Contributor

Re: Administrator account control