
Re: security issue

 
Ionut Grigorescu_2
Super Advisor

security issue

Hi,

I'm administrating some HP-UX 11.00 machines on which some third-party software is installed. The vendor needs remote access from time to time to install some new change notes or for solving helpdesk requests. They always need the root password for that. My system is accessible via a dial-in server (PC). From there telnet is possible to all my machines (about 10 pcs.). Until now I have changed the root passwd each time before and after they accessed my system. Is there another, better method (for example editing /var/adm/inetd.sec)? I also want to know if it's possible to log their activity (don't forget they are root!).

Thank you,
ionu
If it weren't for STRESS I'd have no energy at all
7 REPLIES
Balaji N
Honored Contributor

Re: security issue

Hi,

I would suggest using sudo. With sudo configured, a user can log in using his username / password and then use sudo to execute commands with supervisor privileges. All commands executed can be logged.

HTH
-balaji
It's Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.
Ionut Grigorescu_2
Super Advisor

Re: security issue

What is sudo?
If it weren't for STRESS I'd have no energy at all
Darren Prior
Honored Contributor

Re: security issue

Hi Ionu,

You could consider using auditing (for which your system would need to be trusted). However, if your vendor is logged in as root, you cannot determine their activities from any other user logged in as root.

regards,

Darren.
Calm down. It's only ones and zeros...
Ionut Grigorescu_2
Super Advisor

Re: security issue

What about the dial-in server? How can I see an incoming telnet from its IP address? If somebody performs an action as root during this telnet session from the dial-in server, and it is not me, then I still have something. Another question: after modifying /var/adm/inetd.sec, do I have to stop-start inetd?
If it weren't for STRESS I'd have no energy at all
Paula J Frazer-Campbell
Honored Contributor

Re: security issue

Hi

You can set up another root level user, creating a separate home dir and .sh_history file, which is then FTPed on a min by min basis to a safe machine.

i.e.
roottmp:sqdvvAP3.sZA6:0:3::/use/root-tmp:/sbin/sh

This is not perfect but will help.

I would seriously question the root level access requirement and investigate moving their access level to a more normal level either by forcing them to change their software or for you to take control of the root level tasks.

Basically root is God and one God is more than enough.

Paula
If you can spell SysAdmin then you is one - anon
T G Manikandan
Honored Contributor

Re: security issue

Find the things like
1. Is the root privileges really reqd.?
2. What is the need for the root privileges?

The secure method is to install 'sudo'.
Using sudo you can restrict users to some root privileges.

Check this link for more about sudo
http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.6/
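
The sudo setup suggested in the replies above, sketched as a sudoers fragment. This is an added example, not something posted in the thread; the account name vendor1, the log file path and the choice of the HP-UX software-management commands as the allowed list are assumptions.

```sudoers
# /etc/sudoers fragment -- edit with visudo, which checks the syntax on save.
# Constructed example: "vendor1", the log path and the command list are
# assumptions, not values from this thread.

# The vendor logs in with a personal, unprivileged account, so the root
# password never has to be handed out or rotated around each visit.
User_Alias  VENDOR  = vendor1

# Only the tools needed to install change notes and HP patches.
Cmnd_Alias  SWTOOLS = /usr/sbin/swinstall, /usr/sbin/swremove, \
                      /usr/sbin/swlist, /usr/sbin/swverify

# Log every sudo invocation to a dedicated file, with the year and the
# host name in each record so logs from all machines can be merged.
Defaults        logfile=/var/adm/sudo.log
Defaults        log_year, log_host

# For the vendor account: ask for the password on every command and
# mail the administrator each time sudo is used.
Defaults:VENDOR timestamp_timeout=0, mail_always

# The vendor may run the listed commands as root, and nothing else.
# No shell or editor is on the list, so there is no interactive root
# session whose contents would go unlogged.
VENDOR  ALL = (root) SWTOOLS
```

The log records each command line the vendor ran through sudo, not what the install scripts inside a depot did as root, so copying /var/adm/sudo.log to another machine and reviewing the depots before they are installed still matters.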
Ionut Grigorescu_2
Super Advisor

Re: security issue

Unfortunately the root privileges are really required - some change notes also include HP patches - I'm not allowed to install HP patches by myself - they have to be tested first by Nokia's (the vendor) Product Line against their software :-). You are right, Paula - one God and a thousand daemons ... :-))
If it weren't for STRESS I'd have no energy at all