[HPADM] Re: SOX Account Question

From: 'Benjamin Shayne' (shayne@hackedtobits.com)
Date: Thu Jun 30 2005 - 17:06:19 EDT


First of all, I would like to thank everyone who responded to me regarding
limiting the ability of root to su to "normal" user accounts in regards to
Sarbanes-Oxley. I had some enlightening conversations and learned some new
things.

I can break down the responses I received into three categories:

1. Many people expressed their belief that the requirements that I am being
passed by my auditors are insane/stupid/just plain impossible. This is mostly
true. I am currently attempting to tell my auditors/non-technical management
about the limitations I would encounter while attempting to implement their
requirements. An informed management (and auditors) is a happy management. I
believe that log monitoring for privilege use should meet the standards of
SOX.

Also, while some people mentioned the removal of the su executable, I don't
like the feeling of hamstringing my servers like that.

2. Several people recommended eTrust from CA. My feelings for CA aside, I am
wary of mucking around with such basic things as user roles on a HP-UX
system with third party software. I am also loath to spend money on a
solution I don't truly feel we need.

3. Many people, like Gary (seen below), recommended an addition to the shell
resource file that would limit a user's access when su'ing. While the script
below would limit access to root, something similar could be done to keep
root out of another account. If I am forced to implement a solution rather
than getting away with the promise to monitor (and have other people monitor)
su and other logs that contain privilege usage info, I will most likely take
this route.

* Paveza, Gary [2005-06-24, 11:49 -0400]:
> You could always add code to root's .profile:
>
> ORIG_USER=$(who am i | awk '{print $1}')
>
> if [ "${ORIG_USER}" = "user who is allowed access" ]
> then
>     echo "You are allowed access"
> else
>     echo "You are not allowed to su to root"
>     exit 1
> fi
>
> Make sure you also add appropriate traps to the .profile to prevent a user
> from escaping the script.
>
[personal info snipped]
> -----Original Message-----
> From: hpux-admin-owner@DutchWorks.nl [mailto:hpux-admin-owner@DutchWorks.nl]
> On Behalf Of Benjamin Shayne
> Sent: Friday, June 24, 2005 11:38 AM
> To: hpux-admin@DutchWorks.nl
> Subject: [HPADM] SOX Account Question
>
> Due to Sarbanes-Oxley here in the US I am required to limit root access to
> certain user accounts (i.e. database account used by Sybase). Is there a way
> to limit root's ability to su to an account while allowing certain other
> users to su to that account?
>
> I know that using sudo rather than su would be a good solution in this
> case, but our SOX auditors are insisting that we limit su ability for root.

-- 
+ Benjamin Shayne
+ System Administrator
+ UNIX, Windows, and Mac OS
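Added example, not code from Gary, Benjamin or anyone else in this thread: a
.profile guard for the *target* account (the Sybase account in the original
question) rather than for root, built on the same "who am i" idea. It refuses
an su that originates from a login name not on an allowlist, ignores the
usual signals so the shell cannot be interrupted before the check finishes,
writes a syslog record with logger(1) for the log monitoring the thread
favours, and ends the login shell on a deny. The function names, the
ALLOWED_SU_USERS variable and the dba1/dba2 logins are assumptions I made up
for the example.

```shell
#!/bin/sh
# Guard for the target account's ~/.profile (added example, not from the
# thread). Source it from ~/.profile and call su_guard as the last step.

# Login names permitted to su into this account. Constructed sample
# values; replace with the real DBA logins.
ALLOWED_SU_USERS="dba1 dba2"

# in_list NEEDLE "a b c": succeed (0) if NEEDLE is one of the words.
in_list() {
    _needle=$1
    set -- $2
    for _u in "$@"; do
        [ "$_u" = "$_needle" ] && return 0
    done
    return 1
}

# su_decision ORIG EFF: print "allow" or "deny".
#   ORIG = login name the session started as (from "who am i")
#   EFF  = user this shell now runs as (from "id -un")
# An empty ORIG means "who am i" found no utmp entry (no controlling tty,
# e.g. a scripted su from cron); that is treated as unknown and denied,
# so scheduled work should run from the account's own crontab instead.
su_decision() {
    _orig=$1
    _eff=$2
    if [ -z "$_orig" ]; then
        echo deny
    elif [ "$_orig" = "$_eff" ]; then
        echo allow            # direct login, not an su
    elif in_list "$_orig" "$ALLOWED_SU_USERS"; then
        echo allow            # su from an allowlisted login
    else
        echo deny             # root or any other login
    fi
    return 0
}

# su_guard: enforce the decision for the current login shell.
su_guard() {
    # Ignore interrupts so the user cannot break out before the check.
    trap '' INT QUIT TSTP HUP TERM
    _orig=$(who am i 2>/dev/null | awk '{print $1}')
    _eff=$(id -un)
    if [ "$(su_decision "$_orig" "$_eff")" = deny ]; then
        command -v logger >/dev/null 2>&1 &&
            logger -p auth.warning \
                "profile guard: su to $_eff refused for origin '${_orig:-unknown}'"
        echo "su to $_eff is not permitted from ${_orig:-an unknown login}"
        exit 1                # terminates the login shell
    fi
    command -v logger >/dev/null 2>&1 &&
        logger -p auth.info "profile guard: su to $_eff allowed for $_orig"
    return 0
}

# In ~/.profile:  . /path/to/this/file; su_guard
```

Two caveats a reviewer of this control would raise. First, .profile is only
read by a login shell, so the guard fires for "su - sybase" but not for
"su sybase" or "su sybase -c cmd"; it is a checkpoint for interactive use,
not a boundary. Second, root owns the filesystem and can edit or bypass the
file at will, so the real control is the syslog line it writes plus the su log
itself, which is why the log monitoring approach in the summary above is the
part that actually satisfies the auditors.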
--
             ---> Please post QUESTIONS and SUMMARIES only!! <---
        To subscribe/unsubscribe to this list, contact majordomo@dutchworks.nl
       Name: hpux-admin@dutchworks.nl     Owner: owner-hpux-admin@dutchworks.nl
 
 Archives:  ftp.dutchworks.nl:/pub/digests/hpux-admin       (FTP, browse only)
            http://www.dutchworks.nl/htbin/hpsysadmin   (Web, browse & search)


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 11:02:48 EDT