HPE Community
Operating System - HP-UX
1824000 Members
4037 Online
109667 Solutions
New Discussion юеВ

su only login

 
Don Larson
Advisor

тАО11-15-2005 04:21 AM

тАО11-15-2005 04:21 AM

su only login

With Sarbanes Oxley requirements we are implementing su only IDs. Since HP doesn't have any way to do this, one workaround is putting logic in the /etc/profile to catch a su only ID.
Anyone out there ever had luck with a su only shell? Basically create the user id with a shell /usr/bin/SU_ONLY. I've tried a simple script in /usr/bin/SU_ONLY that checks whoami against logname. if they are equal then it should exit with a message to us only. Otherwise the last line is /usr/bin/ksh. I'm getting "su: No shell errors" Not certain if tehre is a way to fool the system. Anyone know?
0 Kudos
Reply
3 REPLIES 3
Steven E. Protter
Exalted Contributor

тАО11-15-2005 04:37 AM

тАО11-15-2005 04:37 AM

Re: su only login

Doesn't Sarbanes Oxley require that for admnistrative users?

Its quite possible to implement that for root.

In order to do an su - username, you have to log on as someone right?

So your /etc/profile fix won't work without a user id for initial login.

Another way to handle it is to integrate Unix with a Windows ADS server and let Winblows DNS server handle non admin unix login.

For admin users or any you wish to configure this way entries in /etc/securetty will be required.

http://unix.derkeiler.com/Mailing-Lists/HP-UX-Admin/2005-01/0005.html

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Don Larson
Advisor

тАО11-15-2005 04:48 AM

тАО11-15-2005 04:48 AM

Re: su only login

Actually can kick someone out in /etc/profile. It's just cumbersome and in my opinion unsafe in that file. I was able to get the following to work as a shell:
/usr/bin/SU_ONLY
#!/usr/bin/ksh
####################################################
## NO LOGIN Added for SU only to certain accounts ##
USER101=`/usr/bin/whoami`
UserName=`/usr/bin/logname`
echo USER101 $USER101
echo UserName $UserName
if [ $USER101 = $UserName ]
then
print "\n\n*********************************************************"
print "\n\t$i can only be access with the su command!"
print "\n\t Please Log on with your personal account first.\n\n"
print "*********************************************************"
exit 1
fi
HOME=/home/$USER101
echo "Made it here"
. /etc/profile
. ~/.profile
/usr/bin/ksh
0 Kudos
Reply
Dave La Mar
Honored Contributor

тАО11-15-2005 07:18 AM

тАО11-15-2005 07:18 AM

Re: su only login

Don -
As part of our SOX requirements (via and independent auditing firm) we were requested to allow su only on 'certain' accounts and no direct login for other accounts.

To aacomplish this we:

1. Set up a script that would give the common user two options, su - to a particular user or exit.
2. The script from #1 was place as a call in each of the user's .profile and permissions changed on .profile so they couldn't edit, remove, or replace it.
3. The script from #1 has traps to prevent someone from breaking out.
4. All user commands are captured in a user unique history file which they cannot edit, replace or remove.
5. The su command was moved to another name called by a wrapper script called su which performs other checking/auditing.
6. /etc/profile was modified to use a nodirectlogin file. (See forums search engine for many entries on doing this.) Only the admins and root can login directly (outside of the normal user that can only get to that described in #1.)

With only two people having root access, this "independent" auditing firm did not require us to force su only for root login.

Best of luck on your journey for compliance.

On another note, since the Act is so vague, should the people auditing you request something out rageous of your business, simply say "Show me where the SOX Act states that."

Regards,

dl
"I'm not dumb. I just have a command of thoroughly useless information."
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.