restricting logins for login

From: Elaine . (cmap_sec@yahoo.co.uk)
Date: Wed May 01 2002 - 05:38:58 EDT


On Tue, Apr 30, 2002 at 12:55:18PM +0100, Elaine . wrote:
> I'm looking to get our systems sorted with full
> auditing. That in itself isn't a problem, but
> currently people login with generic logins - oracle,
> iplanet for example to make changes to those files.
> Is there a way I can get it so that the initial login
> is usera then they su to oracle thus in auditing I
> could see which user it was at that time? Also if only
> one login per username is required?

The answers I got were -
Use Sudo, separate users in dba group (bit wary about
changing things on a live system), setuid only in
admintool, not no shell but lock the account.
I'm going to try the simplest first, password locking
and see how far praudit gets me, and if not happy will
try to do it with sudo.
Special Thanks to Kirk and others who sent me a script
to notify users they can't login as this user.

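# "who am i" reports the user who opened the terminal; after su it still
# shows the original login, so a match with $LOGNAME means a direct login.
if [ "`/usr/bin/who am i | awk '{print $1}'`" = "$LOGNAME" ]; then
    if [ "$LOGNAME" = "UserOfInterest1" -o "$LOGNAME" = "UserOfInterest2" ]; then
        echo "Not authorized to login directly."
        exec sleep 5
    fi
fi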

Cheers to all those who replied.

Elaine
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:24:16 EDT
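
An added example, not part of the original post or the script sent to the author: the same `who am i` versus `$LOGNAME` comparison, generalized to a list of shared accounts and with the decision in a function that can be tested without logging in. The function names, the account list, the `logger` call, and the choice to refuse when `who am i` returns nothing are assumptions.

```shell
#!/bin/sh
# Added example. RESTRICTED_ACCOUNTS, direct_login_denied and enforce_su_only
# are hypothetical names, not taken from the original script.

# Space-separated shared accounts that must be reached with su (constructed list).
RESTRICTED_ACCOUNTS="oracle iplanet"

# direct_login_denied TTY_OWNER CURRENT_USER
# Returns 0 (deny) when CURRENT_USER is a restricted account and the terminal
# was opened by that same account, i.e. nobody logged in personally first.
# An empty TTY_OWNER (no terminal entry found) is also denied: fail closed,
# because the audit trail would have no personal user to attribute.
direct_login_denied() {
    tty_owner=$1
    current=$2
    for acct in $RESTRICTED_ACCOUNTS; do
        if [ "$current" = "$acct" ]; then
            if [ -z "$tty_owner" ] || [ "$tty_owner" = "$current" ]; then
                return 0
            fi
            return 1    # restricted account reached by su from a personal login
        fi
    done
    return 1            # not a restricted account, nothing to enforce
}

# Intended to be called from the shared account's login profile (assumption).
enforce_su_only() {
    owner=`/usr/bin/who am i 2>/dev/null | awk '{print $1}'`
    if direct_login_denied "$owner" "$LOGNAME"; then
        echo "Not authorized to login directly."
        # Record the refusal so it shows up next to the audit data.
        logger -p auth.notice "direct login to $LOGNAME refused" 2>/dev/null
        exec sleep 5
    fi
}
```
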