Operating System - HP-UX

Dan Matlock_1
Regular Advisor

sudo or other type access

Just curious as to what is the most popular way to restrict/monitor/allow root access. We have some systems configured to use sudo, and before I continue to move forward I want to research to see if there is a better alternative...
Pete Randall
Outstanding Contributor

Re: sudo or other type access

The two most popular options continue to be sudo, of course, and restricted SAM (sam -r).


Pete
Victor Fridyev
Honored Contributor
Solution

Re: sudo or other type access

Hi,

IMHO, sudo is the best. It's almost a standard in many flavours.
In HPUX you can also create a restricted SAM access, if needed.

Regards
Entities are not to be multiplied beyond necessity - RTFM
Rick Garland
Honored Contributor

Re: sudo or other type access

sudo is popular for a couple of reasons; 1 because it works and 2 because it is free. Just a download.

There is an application called PowerBroker but this is a cost product. Lots of good with the package and lots of configuration is needed.

There is an application called 'rootsh'. Use this in conjunction with sudo. You will have the logging from sudo indicating that userA invoked sudo to execute the command. Once in rootsh another log file is appended to. This rootsh log file captures all input and output. Nothing missing in these log files.

Rick Garland
Honored Contributor

Re: sudo or other type access

BTW, depending on the tasks to be executed, you may find restricted SAM a viable option as well.

Darrel Louis
Honored Contributor

Re: sudo or other type access

Hi,

Sudo is the way to go.
HP and SUN are promoting RBAC, but I'm still in favour of SUDO.

What you can also do to prevent root usage:
Restrict root logins to system console
echo console > /etc/securetty
chown root:sys /etc/securetty
chmod 600 /etc/securetty

Check if there are other users than root with uid=0
logins -d | grep ' 0 '
Good luck

Darrel
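
An added example, not part of the post above or of the thread: a shell script that audits the two settings listed there, run against constructed copies of the files. It reads a passwd-format file with awk instead of calling `logins -d`; the function names and sample accounts are assumptions, and it checks the file mode but not the root:sys ownership.

```shell
#!/bin/sh
# Added example; function names and sample data are assumptions.
# Paths are parameters so the checks can be run against copies of the files.

# Print every account with UID 0 other than "root" from a passwd-format file.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Succeed only if the securetty file lists "console" alone and is mode 600.
securetty_ok() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # Ignore blank lines; any entry besides "console" permits root login elsewhere.
    extra=$(grep -v '^[[:space:]]*$' "$f" | grep -vx 'console' || true)
    [ -z "$extra" ] || { echo "extra terminals: $extra"; return 1; }
    grep -qx 'console' "$f" || { echo "console not listed"; return 1; }
    # The first 10 characters of ls -l are the file type and permission bits.
    mode=$(ls -l "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "mode is $mode, want -rw-------"; return 1; }
    return 0
}

# Constructed sample data (not taken from a real system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:3::/:/sbin/sh
daemon:x:1:5::/:/sbin/sh
toor:x:0:3::/:/sbin/sh
appuser:x:101:20::/home/appuser:/usr/bin/sh
EOF
echo console > "$demo_dir/securetty"
chmod 600 "$demo_dir/securetty"

echo "UID 0 accounts other than root: $(uid0_accounts "$demo_dir/passwd")"
securetty_ok "$demo_dir/securetty" && echo "securetty: ok"
```

On a live system, pass /etc/passwd and /etc/securetty to the two functions instead of the sample copies.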
Sanjay_6
Honored Contributor

Re: sudo or other type access

Hi,

I think sudo is most popular, primarily because it is free. But because it is free it is decentralised; you have to manage it separately on each server.

The other alternative that I have worked with is PowerBroker from Symark. This is a very good product but costs $$$'s. The benefit is centralised management and lots of features for a person to explore and use. Since it can be configured from a central location, it makes management of the policies easier.

Powerbroker site: http://www.symark.com

Hope this helps.

regds
Paul Sperry
Honored Contributor

Re: sudo or other type access

I tend to like super; it's free too.
The source code can be downloaded here:

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/super-3.9.7/
Dan Matlock_1
Regular Advisor

Re: sudo or other type access

Thanks all, it appears sudo was put on by IBM Global back in 2004 on about 10% of servers here, so I will continue with the sudo route.... Thanks all and happy holidays!