Remove Root Access for administrators

Status
Not open for further replies.

dUbbsNIX

MIS
Jul 10, 2003
70
GB
Hi,

Senior management wish to remove root access for everyone, including the sys admin team of which I am a member. We have already, in recent weeks, removed super-user access for the DBAs, and using sudo has allowed us to do the same for the operators.

The problem we are having is trying to find a sensible way we can prevent us (the sys admins) having routine root access but still be able to manage, support and administer the systems. They are all using Solaris 8 or 9.

Does anyone else work at a place that has managed to achieve this to any extent?

This has to happen; the directive to remove root for everyone has come from the very top! This is due to a sys admin at another bank being wrongly accused of stealing, but with no logs to prove his innocence!
 
This sounds like a particularly stupid thing to do. Sure, have all their routine stuff be done under their "joe user" account (checking email, etc). But the majority of their job (and what they're being highly paid for) is to do the tasks which require root access.

Also - if you can't trust your admin -- fire them. Don't keep them around while you hamstring their efforts to do their job. They'll just end up getting cheezed-off and will leave for another job that makes it easier on them.

Chip H.
 
dUbbsNIX,

We are facing a similar issue where I work. Our business is health care and U.S. federal law requires us to comply with HHS regulations known as HIPAA. One of the requirements from the security regulation requires us to "Assign a unique name and/or number for identifying and tracking user identity".

In many organizations, root is a shared account (multiple people know the password). Ironically, the conventional wisdom has been to make sure more than one person had access to root in case the one person who had root quit, died, or whatever.

One of the things we're testing is sudo. The system admins will likely be configured with ALL=(ALL) NOPASSWD: ALL, which allows us to meet the regulation with only the minimum inconvenience of having to type 'sudo' in front of any commands requiring root privileges. Using sudo is working well in test, and I believe it will continue to work well on a larger, corporate-wide scale. We are contemplating ways to prevent sudoers from changing log files containing sudo timestamps.

Hope that helps,
Jason
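
An added example, not part of Jason's post or the thread: with ALL=(ALL) NOPASSWD: ALL, sudo records each command it starts but not what is typed inside a root shell it launches, so a review of the sudo log should flag those entries along with any command that names the sudo log itself. The log paths, host name and sample entries below are constructed assumptions.

```python
import os
import re

# sudo's syslog entry: "<ts> <host> sudo: <user> : TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>\S.*)$"
)
# Programs that hand over an interactive root session; sudo logs only their start.
SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh", "su"}
# Assumed locations of the sudo log; adjust to the site's syslog.conf / sudoers.
PROTECTED_LOGS = ("/var/adm/sudo.log", "/var/log/sudo.log")
# Constructed sample entries (not taken from the thread).
SAMPLE_LOG = """\
Jul 10 09:14:02 db01 sudo:    jason : TTY=pts/3 ; PWD=/home/jason ; USER=root ; COMMAND=/usr/sbin/useradd -m deploy
Jul 10 09:20:45 db01 sudo:     dave : TTY=pts/5 ; PWD=/export/home/dave ; USER=root ; COMMAND=/usr/bin/su -
Jul 10 09:31:10 db01 sudo:    jason : TTY=pts/3 ; PWD=/var/adm ; USER=root ; COMMAND=/usr/bin/vi /var/adm/sudo.log
Jul 10 09:40:27 db01 sudo:     dave : TTY=pts/5 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/ksh
Jul 10 10:05:00 db01 sshd[411]: Accepted password for dave from 192.0.2.10
"""

def audit(log_text, protected=PROTECTED_LOGS):
    """Return one record per sudo entry, flagged where accountability is weakened."""
    records = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue  # not a sudo command entry
        argv = m.group("cmd").split()
        flags = []
        if os.path.basename(argv[0]) in SHELLS:
            flags.append("root-shell")  # commands run inside it are not attributed
        if any(arg.startswith(protected) for arg in argv[1:]):
            flags.append("touches-sudo-log")  # command names the audit trail itself
        records.append({"ts": m.group("ts"), "user": m.group("user"),
                        "runas": m.group("runas"), "cmd": m.group("cmd"), "flags": flags})
    return records

def flagged_by_user(records):
    """Group flagged entries by the person who ran them."""
    out = {}
    for r in records:
        if r["flags"]:
            out.setdefault(r["user"], []).append((r["ts"], r["cmd"], r["flags"]))
    return out

if __name__ == "__main__":
    for user, items in flagged_by_user(audit(SAMPLE_LOG)).items():
        print(user, items)
```

Run against a copy of the log held on a host the admins cannot write to, otherwise the review inherits the same tampering problem the post describes.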

 

Thanks for this Jason.

As I said we're also using sudo; tell me, how are you going to manage the actual root passwords themselves? Are they changed and kept locked away in hardcopy or what?

cheers,

Dave.
 
You should look at Security Enhanced Linux.

Read all about it at
From the FAQ:

1. What is Security-enhanced Linux?

Security-enhanced Linux is a research prototype of the Linux® kernel and a number of utilities with enhanced security functionality designed simply to demonstrate the value of mandatory access controls to the Linux community and how such controls could be added to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve the security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement®, Role-based Access Control, and Multi-level Security.
 
dUbbsNIX,

Oops, I had intended to mention that in my initial post. The current thinking is to have the manager of the system admin group responsible for the root password. If he becomes unavailable for whatever reason, the root password could be reset in single-user mode during a normal maintenance window, or through account management software.

It could be a problem if the sys admin manager had to change the root password on hundreds of systems every so often due to password rotation. Fortunately, we are using account management software (ControlSA) that allows him to change the password on multiple systems at once.

Regards,
Jason

 