HPE Community
Operating System - HP-UX
1834461 Members
3400 Online
110067 Solutions
New Discussion

Multiple root accts

 
SOLVED
Go to solution
ShivKumar_1
Frequent Advisor

‎06-20-2003 04:34 PM

‎06-20-2003 04:34 PM

Multiple root accts

Hi Experts,
Whats the best way to keep track of the commands being issued by root , as we have multiple root accounts and would like to monitor them.

Thnks
SK
0 Kudos
Reply
8 REPLIES 8
Donny Jekels
Respected Contributor

‎06-20-2003 05:04 PM

‎06-20-2003 05:04 PM

Re: Multiple root accts

hey I feel your pain.

nonetheless. we use sudo and sudoscript.

1. sudo controls who can do what as root or who has rights to su to root.

2. sudoscript uses sudo's security and script to record everything the users do as root or as any other account for that matter.

3. .sh_history you can throw down the drain. anyone with a little hacking skills can srew with this file.


live free or die

peace
Donny
"Vision, is the art of seeing the invisible"
Reply
Bill Hassell
Honored Contributor

‎06-20-2003 05:08 PM

‎06-20-2003 05:08 PM

Solution

Re: Multiple root accts

Multiple root accounts are not what you think they are. They are simply aliases to root because the only important part of a login is the user ID number which is always zero. As you will hear endlessly, multiple root accounts are a terrible security and stability risk. Consider very strongly using sudo. sudo will perform exactly what you need (logging activities) but also allow the sysadmin to restrict the commands (and/or parameters) allowed for a given (ordinary) user.


Bill Hassell, sysadmin
Reply
A. Clay Stephenson
Acclaimed Contributor

‎06-20-2003 06:16 PM

‎06-20-2003 06:16 PM

Re: Multiple root accts

Multiple 'root' accounts is a dumb idea. Strangely, UNIX has no way of telling UID 0 from UID 0. At the very least, you are providing hacker's with multiple chances at guessing root's passwd. As has been said, sudo is probably the least evil way to do what you are trying to do. I would rather have several sys admins share a common passwd than have multiple root accounts.
If it ain't broke, I can fix that.
Reply
Sridhar Bhaskarla
Honored Contributor

‎06-20-2003 06:26 PM

‎06-20-2003 06:26 PM

Re: Multiple root accts

Hi SK,

You are not going to find any message that is going to be encouraging for your idea.

Use sudo. Configure 'sudoers' and configure only what your root users require. If they need to execute everything on the box, give them "ALL" except the execution of shells (/usr/bin/ksh, /usr/bin/csh etc.,). Configure sudoers to log into syslog and then the syslog.conf to log into a syslog server. Syslog server can be a simple workstation with restricted access probably only to your manager.

This way you can accomplish what you need with accountability. Get sudo from

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.6/

Information about sudo is here

http://www.courtesan.com

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Reply
Caesar_3
Esteemed Contributor

‎06-21-2003 07:39 AM

‎06-21-2003 07:39 AM

Re: Multiple root accts

Hello!

Using multiple account of root is the same
that using only root in the end is the same
user.
What you need is planning good your system
and made users for difrent issues that if
you want to give them option made some
commands that only root can do use the SUDO
program that run programs with difrent users.

Caesar
Reply
Siddhartha M
Frequent Advisor

‎06-22-2003 09:25 PM

‎06-22-2003 09:25 PM

Re: Multiple root accts

Hi
You could also use another tool called "PowerBroker". It pretty much has the
same functionality as Sudo,namely alloting
selective superuser priviledges while maintaining an audit log.
More information at http://www.symark.com/powerbroker.htm
Reply
Karthik S S
Honored Contributor

‎06-22-2003 09:32 PM

‎06-22-2003 09:32 PM

Re: Multiple root accts

May be you can enable auditing to keep track of each and every commands issued as root. But it is sure going to overload your system.

- Karthik
For a list of all the ways technology has failed to improve the quality of life, please press three. - Alice Kahn
Reply
Karthik S S
Honored Contributor

‎06-22-2003 09:33 PM

‎06-22-2003 09:33 PM

Re: Multiple root accts

May be you can enable auditing to keep track of each and every commands issued as root. But it is sure going to overload your system.

- Karthik
For a list of all the ways technology has failed to improve the quality of life, please press three. - Alice Kahn
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.