Operating System - HP-UX

Root authentication for several system administrators

marsohst
Occasional Contributor

Hello all,

does anyone know a smart way to
authenticate several individuals who need
root access to a hp-ux server for admin
purposes? Is there a feasible way to use
only one root account and not necessarily
a separate individual account for every
admin user? (maybe using ssh)
One way is definitely to create an individual
account for every person and then use sudo.
Still I would need to track the issued commands
for every root user.

Martin
Peter Godron
Honored Contributor

Re: Root authentication for several system administrators

Martin,
disable all direct root login bar from the console.
Then the users will have to use their own userids to log onto the system. From there they can use su to switch to root.
All the switches are recorded in sulog.
Any Help?
Regards
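As an added example (not code from Peter's reply or from HP), here is a small report over the sulog entries the reply relies on. It assumes the classic System V line layout that HP-UX writes to /var/adm/sulog, "SU MM/DD HH:MM +|- tty fromuser-touser", and the log lines it works on are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: summarise su(1) activity recorded in sulog.
# Assumed line layout (HP-UX /var/adm/sulog, System V style):
#   SU MM/DD HH:MM +|- tty fromuser-touser     '+' = success, '-' = failure
# SAMPLE_SULOG is constructed for this example.

SAMPLE_SULOG='SU 05/12 09:14 + pts/1 martin-root
SU 05/12 09:20 - pts/2 geoff-root
SU 05/12 09:21 + pts/2 geoff-root
SU 05/12 11:02 + console root-oracle
SU 05/13 08:45 - pts/3 guest-root
SU 05/13 08:46 - pts/3 guest-root
SU 05/13 08:47 - pts/3 guest-root'

# Internal helper: print "fromuser count" for entries whose result flag is $2
# ('+' or '-') and whose target account is $3. The from/to pair is split on its
# LAST dash, so a login name that itself contains a dash is attributed correctly.
_su_count() {
    printf '%s\n' "$1" | awk -v flag="$2" -v target="$3" '
        $1 == "SU" && $4 == flag {
            i = match($6, /-[^-]*$/)
            if (i == 0) next                  # malformed entry, skip it
            from = substr($6, 1, i - 1)
            to   = substr($6, i + 1)
            if (to == target) count[from]++
        }
        END { for (u in count) print u, count[u] }' | sort
}

# Successful switches to the target account (default root): who actually became root.
su_successes() { _su_count "$1" + "${2:-root}"; }

# Failed attempts to reach the target account. $3 is a minimum count, so
# su_failures "$log" root 3 lists only users with three or more failures,
# which is the pattern worth following up on.
su_failures() {
    _su_count "$1" - "${2:-root}" | awk -v min="${3:-1}" '$2 >= min'
}

echo "successful su to root:";   su_successes "$SAMPLE_SULOG"
echo "3+ failed su to root:";    su_failures  "$SAMPLE_SULOG" root 3
```

Run it against the real file with `su_successes "$(cat /var/adm/sulog)"`; the script only reads the log, so it can run from an unprivileged review account that has been given read access to sulog.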
harry d brown jr
Honored Contributor

Re: Root authentication for several system administrators


HP has a new product (FOR FREE) that will do that:

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=AccessControl

live free or die
harry d brown jr
Live Free or Die
Geoff Wild
Honored Contributor

Re: Root authentication for several system administrators

For tracking individual admins - this is what we do for root's .profile:

# Set up logging: one history file per admin, named after the login that
# switched to root. `who am i` reports the original tty login, so it still
# shows the admin's own name after su.
HISTFILE=${HOME}/.sh_history_`who am i|awk '{ print $1}'`
date >>$HISTFILE      # timestamp the start of this root session
export HISTFILE
HISTSIZE=500
export HISTSIZE

Rgds...Geoff

Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Bill Hassell
Honored Contributor

Re: Root authentication for several system administrators

The best solution to track actual commands is to use sudo. While root's .sh_history file will track specific commands, any root user can remove the file or try to edit it (it contains binary codes used by the shell) which will render the file unreadable by the shell. sudo does not require the root password and you can restrict each user to a limited set of commands that they are allowed to use. And every command, whether successful or not, will be recorded in the sudo log entries.


Bill Hassell, sysadmin
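As an added example (not code from Bill's reply or from the sudo project), here is the "limited set of commands" idea as a sudoers sketch, followed by a report over the entries sudo writes to syslog. The sudoers lines, host name and log lines are constructed for the example; the log line layout is the one sudo emits.

```shell
#!/bin/sh
# Added example, not from the thread. A constructed sudoers fragment restricting two
# admins to the software-depot tools (and martin additionally to editing /etc/hosts):
#
#   Cmnd_Alias SWTOOLS = /usr/sbin/swlist, /usr/sbin/swinstall, /usr/sbin/swremove
#   martin  ALL = (root) SWTOOLS, /usr/bin/vi /etc/hosts
#   geoff   ALL = (root) SWTOOLS
#
# Constructed sudo syslog entries for those rules: one executed command, one refused
# command, one failed authentication, and a second executed command.
SAMPLE_SUDOLOG='May 12 09:14:02 hpux1 sudo:   martin : TTY=pts/1 ; PWD=/home/martin ; USER=root ; COMMAND=/usr/sbin/swlist -l product
May 12 09:20:11 hpux1 sudo:    geoff : command not allowed ; TTY=pts/2 ; PWD=/home/geoff ; USER=root ; COMMAND=/sbin/reboot
May 12 09:25:40 hpux1 sudo:    geoff : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/geoff ; USER=root ; COMMAND=/usr/sbin/swlist
May 12 11:02:05 hpux1 sudo:   martin : TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts'

# Internal helper: turn each sudo line into "user<TAB>status<TAB>command", where
# status is "ok" for an executed command or the denial reason sudo logged.
_sudo_parse() {
    printf '%s\n' "$1" | awk -F' ; ' '
        match($1, / sudo: +[^ ]+ : /) {
            head = substr($1, RSTART, RLENGTH)          # " sudo:   martin : "
            sub(/^ sudo: +/, "", head); sub(/ : $/, "", head)
            user = head
            rest = substr($1, RSTART + RLENGTH)         # "TTY=..." or the denial reason
            status = (rest ~ /^TTY=/) ? "ok" : rest
            cmd = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^COMMAND=/) cmd = substr($i, 9)
            print user "\t" status "\t" cmd
        }'
}

# Commands actually executed through sudo by one user, one per line.
sudo_commands() {
    _sudo_parse "$1" | awk -F'\t' -v u="$2" '$1 == u && $2 == "ok" { print $3 }'
}

# Every refused command and failed authentication: "user: reason: command".
sudo_denied() {
    _sudo_parse "$1" | awk -F'\t' '$2 != "ok" { print $1 ": " $2 ": " $3 }'
}

echo "run by martin:"; sudo_commands "$SAMPLE_SUDOLOG" martin
echo "denied:";        sudo_denied   "$SAMPLE_SUDOLOG"
```

Because these entries go through syslog rather than into a file under root's home, they can be forwarded to a separate log host, which closes the gap Bill points out with .sh_history: an admin who has become root cannot quietly remove or corrupt the record of what was run.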