Operating System - HP-UX
Khalil Ahmed
Frequent Advisor

Separate Root logon Required for HP Support.

(Note: I inadvertently posted this to the wrong forum, so I am asking the question again but this time in the correct forum)

We have recently been audited and one of the audit recommendations is for us to create a separate logon for HP Support when they want to jump on to our box. Now we normally let HP login as user "root", so should I simply create another user "hp_root" (say) with the same settings as the root user, i.e. UID 0 and primary group SYS? Or should I be doing something else? Any thoughts on this please.

Kind Regards

Khalil


Massimo Bianchi
Honored Contributor

Re: Separate Root logon Required for HP Support.

Hi,
what you suggested is a way.


Another way is to create another normal account (let's say hproot) and install the sudo utility (downloadable from http://hpux.connect.org.uk/)

Then you set up sudo to let them switch to user root, with all of it logged.


To set-up sudo, there are other threads.

HTH,
Massimo
Michael Tully
Honored Contributor

Re: Separate Root logon Required for HP Support.

No .... Don't just set it up!

If you have to do something then I would do this.

Create the account as requested. (hp)
Give normal shell access not root
If they need root access (HP engineer) then change it and when they are finished change it back.

I would never do this. They can always give you the commands that they want run and then send them the output. Nothing against HP, but why would you let a total stranger on your system with full access rights ....

Regards
Michael
"When I have trouble spelling, it's called fat finger syndrome."
Anyone for a Mutiny ?
Stefan Farrelly
Honored Contributor

Re: Separate Root logon Required for HP Support.

Yes, we use this on all our servers. An additional root_hp account with the same uid/gid as root. And in the .profile for this account (different home dir) we turn on shell HISTFILE so that when HP uses it we get a full log/audit trail of what commands they executed. This was required by our auditors.

I'm from Palmerston North, New Zealand, but somehow ended up in London...
Armin Feller
Honored Contributor

Re: Separate Root logon Required for HP Support.

Hi Khalil,

Exactly what you wrote. Please create a further user, e.g. "hp_root", with the same UID and GID as "root"; this will make all HP logins transparent (command 'last', file 'syslog.log', ...).

Regards...
Armin
Zeev Schultz
Honored Contributor

Re: Separate Root logon Required for HP Support.

I think sudo is better. You can build a set of commands for HP support engineers and permit them to run those only. If they should run some command but couldn't (and this command isn't in the HP allowed list), they would call and you can add this command to the list.
So computers don't think yet. At least not chess computers. - Seymour Cray
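A sudoers allow-list of the kind Zeev and Massimo describe, added here as an illustration and not taken from any post in the thread; the hproot account name, the command list and the log path are assumptions, and the fragment goes into sudoers via visudo on whichever sudo build you installed:

```sudoers
# Constructed example sudoers fragment (assumed account: hproot)
# Log every sudo invocation to a file the support engineer cannot edit.
Defaults        logfile=/var/adm/sudo.log

# Read-only diagnostics HP support may run as root. A command listed
# without arguments may be run with any arguments; a command listed with
# arguments must match exactly. Shells and editors are deliberately absent,
# since anything not listed is refused.
Cmnd_Alias      HPDIAG = /usr/sbin/ioscan, /usr/sbin/swlist, /usr/sbin/dmesg, \
                         /usr/bin/cat /var/adm/syslog/syslog.log

# hproot may run only HPDIAG, only as root, on any host this file is copied to.
hproot  ALL = (root) HPDIAG
```

When HP asks for a command that is not in HPDIAG, you extend the alias rather than hand over a root password.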
Jeff Schussele
Honored Contributor

Re: Separate Root logon Required for HP Support.

Hi Khalil,

I would never do this. There should be NO direct root or root-equivalent logins. There's no way to know who logged in. If your root/root-equiv PW got cracked your system would be a sitting duck - a tempting target.
You should set them up a normal account & then require them to su (setting a temp root PW) or sudo to root. Direct root logins should ONLY be allowed from the console - period.

My 2 cents,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Bill Douglass
Esteemed Contributor

Re: Separate Root logon Required for HP Support.

I prefer a "no root shells" environment, where admins use sudo to execute privileged commands. Better audit trail that way. Also provides good documentation of what was done during a maintenance window, for recovery or training purposes.

Obviously there are times (like single-user mode or system recovery) when you have to log in as root.

If you do create a separate root-level id for HP support, keep it disabled when not needed. You don't need extra root accounts sitting around unused.
Bill Hassell
Honored Contributor

Re: Separate Root logon Required for HP Support.

The first place that a hacker attacks will be the password file by creating an ordinary user and simply changing the UID to zero. NEVER allow multiple UID zeros in /etc/passwd. As mentioned, sudo is the tool of choice. HP logs in as a simple user then issues sudo to run root-only commands. Everything is logged and the root password is not compromised. You don't want the root password to be on a yellow sticky or typed into a call tracking system at some other company.


Bill Hassell, sysadmin
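The check Bill's warning implies, as an added example rather than anything posted in the thread: a POSIX sh function that lists every UID-0 account in a passwd-format file, run against a constructed sample that mirrors the "hp_root with UID 0 and group sys" layout from the question (the sample entries and temp paths are assumptions):

```shell
#!/usr/bin/sh
# Added example (not from the thread): find every UID-0 account in a
# passwd-format file, the duplicate-root condition Bill warns about.
# Usage: check_uid0 [file]   (defaults to /etc/passwd)
check_uid0() {
    awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# Returns 0 when root is the only UID-0 account, 1 if any other login
# carries UID 0 (for instance an "hp_root" clone of root).
uid0_ok() {
    awk -F: 'BEGIN { bad = 0 }
             $3 == 0 && $1 != "root" { bad = 1 }
             END { exit bad }' "${1:-/etc/passwd}"
}

# Constructed sample files (not a real system). SAMPLE_BAD contains the
# hp_root clone; SAMPLE_GOOD is the same file with that entry removed.
SAMPLE_BAD="${TMPDIR:-/tmp}/passwd.bad.$$"
SAMPLE_GOOD="${TMPDIR:-/tmp}/passwd.good.$$"
cat > "$SAMPLE_BAD" <<'EOF'
root:*:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
hp_root:*:0:3::/home/hp_root:/sbin/sh
hproot:*:105:20::/home/hproot:/usr/bin/sh
EOF
grep -v '^hp_root:' "$SAMPLE_BAD" > "$SAMPLE_GOOD"

# Nightly cron use on the real file: fail loudly if a second UID 0 appears.
#   uid0_ok || echo "extra UID 0 accounts: $(check_uid0)" | mailx -s uid0 root
```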
Khalil Ahmed
Frequent Advisor

Re: Separate Root logon Required for HP Support.

Thanks for the feedback guys. Though I was hoping for a clearer answer, instead I have some of you saying it's ok to do it like that, some of you saying it's not, and others saying use sudo! Looks like I'll have to consider the pros & cons of each approach before deciding what to do.

Khalil

Chris Vail
Honored Contributor

Re: Separate Root logon Required for HP Support.

This one is easy: if and when anybody other than me or the other sysadmins ever need root access (and are approved so by management) we temporarily change the root password for that system. We'll give them something innocuous like "bite.me" or "brOken", and then we WATCH THEM LIKE A HAWK! Every keystroke is recorded and approved. When they're done, we change the password back to whatever it was when the process started.


Chris
Paula J Frazer-Campbell
Honored Contributor

Re: Separate Root logon Required for HP Support.

Hi

Because the auditors recommended it does not make it right.


Root access to your server must be controlled and one entry point is more than enough.

Paula
If you can spell SysAdmin then you is one - anon
Sean OB_1
Honored Contributor

Re: Separate Root logon Required for HP Support.

As others have said, root access should not be allowed other than from the console.

Install SUDO and use it for everything else requiring root authority.

Dario_1
Trusted Contributor

Re: Separate Root logon Required for HP Support.

Hi!

I also think that root access should be granted only from the console. I have been involved in some situations where I had to be the middle man between HP and the machine because I did not want to allow direct access to our boxes. In my opinion, I also like to know what they are planning on doing. That way, I am still in control of the box.

Regards,

DR
Victor BERRIDGE
Honored Contributor

Re: Separate Root logon Required for HP Support.

Hi,
If you don't use, don't want or can't use sudo, then, as others already said, create a generic user and change the root passwd before the HP intervention, force that user to su - (the - is important), and write a script that logs who does su root, or, like me, modify root's .profile to log:
who: which user, from where, at what time
also add the script command to the .profile,
with the -a option
(with maybe a well placed exit...)
and don't forget to check that the timestamp of your new .profile hasn't changed.

Like that you have a record of what has been done...


All the best
Victor
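Victor's .profile steps worked through as an added example; this is not his script, the log paths and record format are my assumptions, and it relies only on `who am i`, `script -a` and `date` as found on HP-UX:

```shell
#!/usr/bin/sh
# Added example (not Victor's own script) of what root's .profile can do on
# HP-UX: record who became root, from where and when, then wrap the rest of
# the session in script(1) so every keystroke is appended to a log file.
# Assumed paths: /var/adm/root_su.log and /var/adm/root_sessions (mode 600).
SU_LOG="${SU_LOG:-/var/adm/root_su.log}"
SESSION_DIR="${SESSION_DIR:-/var/adm/root_sessions}"

# Parse one line of `who am i`, which still shows the ORIGINAL login after
# su -, e.g. "khalil     pts/2        Jan  5 10:12    (hpbox.example)".
# Prints "login tty host"; a line without "(host)" is treated as console.
origin_from_who() {
    login=$(echo "$1" | awk '{ print $1 }')
    line=$(echo "$1" | awk '{ print $2 }')
    host=$(echo "$1" | sed -n 's/.*(\(.*\)).*/\1/p')
    echo "${login:-unknown} ${line:-notty} ${host:-console}"
}

# One audit record: timestamp, who, tty, origin host.
format_audit_line() {
    printf '%s su-to-root by=%s tty=%s from=%s\n' "$1" "$2" "$3" "$4"
}

# Write the record, then hand the session to `script -a`. The exit after
# script is the "well placed exit": when the recorded shell ends, the user
# must not drop back into this unrecorded root shell.
start_recorded_session() {
    set -- $(origin_from_who "$(who am i)")
    format_audit_line "$(date '+%Y-%m-%d %H:%M:%S')" "$1" "$2" "$3" >> "$SU_LOG"
    script -a "$SESSION_DIR/$1.$(date +%Y%m%d%H%M%S).$$"
    exit
}

# In root's .profile, call it only for interactive logins so cron jobs and
# remote commands are not wrapped:
#   case $- in *i*) start_recorded_session ;; esac
```

Victor's last step still applies: compare the mtime and a checksum of root's .profile against a copy kept elsewhere after every support session.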
A. Clay Stephenson
Acclaimed Contributor

Re: Separate Root logon Required for HP Support.

Okay, you wanted a clear answer, I'll give you one: None of the above. HP doesn't need and shouldn't have root access to any of your boxes.

Whatever goes wrong, whoever did it, ultimately, it's your responsibility. If HP needs certain commands run and the output gathered then YOU run the commands. Even seemingly innocuous commands might cause an application crash because the HP guys didn't know enough about your specific system.

If it ain't broke, I can fix that.