Allow group of users to su to a locked administrative account.

From: davidstacks1964@netscape.net
Date: Tue Dec 28 2004 - 11:33:52 EST


Hello All!

First want to say that I hope all has had a wonderful holiday season.

Also want to say that I did find one solution to the problem that I have, but the solution was not that clear to me. Hopefully Chris Ford is still a member of the list.

Here is the task that I am working on:

I have several UNIX Tru64 servers with Oracle administrative accounts. What I want to do is lock down the oracle admin account so no direct login can be done to this account, but allow the DBAs to log in as themselves, then su to the oracle admin account.

I'll cut and paste the solution that I found below, and if anyone knows how to incorporate the use of the /etc/securettys file, or has another way of doing this, I'd greatly appreciate the help.

I have already tried locking a test account then attempting to su to the test account. Per the man page for su, this is not allowed, and I have found this to be true.

Thanks,

David Stacks
Sr. System Analyst
Entergy Corp.
(870) 543-5436
dstacks@entergy.com

***************************************************************************

Solution that I found:

[SUMMARY] Preventing application account access


  To: "Tru64-Unix-Managers@xxxxx Gov (E-mail)" <tru64-unix-managers@xxxxxxxx>
  Subject: [SUMMARY] Preventing application account access
  From: "Roberts, Blake" <broberts@xxxxxxxxx>
  Date: Thu, 15 Aug 2002 15:40:57 -0500
  Delivered-to: tru64-unix-managers@sws1.ctd.ornl.gov
  Followup-to: poster
  Sender: tru64-unix-managers-owner@xxxxxxxx
  Thread-Index: AcJEigcoPesPw3PMQeWW+Hymt0/x0AAASHegAAQnmwA=
  Thread-Topic: Preventing application account access

Thanks goes to Chris Ford (Chris.Ford@acxiom.com)

To do this properly, there is no easy way. You have to make an addition to the profile of each user (will probably add it to /etc/skel) and call a script which reads a file similar to /etc/securettys. I tested the solution, and it works like a champ!

Best regards,
--Blake Roberts
UNIX Systems Administrator
ERCOT-Austin
512.225.7178
512.695.5071 (cell)

-----Original Message-----
From: Roberts, Blake
Sent: Thursday, August 15, 2002 1:42 PM
To: Tru64-Unix-Managers@Ornl. Gov (E-mail)
Subject: [ADDENDUM] Preventing application account access

I forgot to mention, I have sudo installed on the system, but I have not found a way for it to prompt me for the password of the administrative account. Since, by default anyway, it prompts for your own password, if the user's password is compromised (by writing it down and leaving it on their desk, etc), there is no way to keep people away from the big accounts.

--Blake

-----Original Message-----
From: Roberts, Blake
Sent: Thursday, August 15, 2002 1:32 PM
To: Tru64-Unix-Managers@Ornl. Gov (E-mail)
Subject: Preventing application account access

Folks,

I'm running a Tru64 5.1 PK5 Enhanced Security environment. Per a new (and decent) password policy that is being implemented, I need to restrict the application admin accounts so that they will su from a personal account to the administrative account (such as oracle), similar to what you need to do if root is locked down properly.

My problem is, in base security, if I lock the account, you can log in as a user, then su to it just fine. In enhanced security, you can't do that. It needs to be unlocked to be able to log into it. Does anyone know of a trick, edauth flag, etc, that needs to be set for the account to be able to be su'd to, but not directly logged in to?

Best regards,

--Blake Roberts
UNIX Systems Administrator
ERCOT-Austin
512.225.7178
512.695.5071 (cell)
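The summary above describes the approach only in outline: the application account stays unlocked (enhanced security requires that for su to work), and its profile calls a script that consults an allow-list "similar to /etc/securettys" to refuse direct logins. The following sketch is an added example of that guard in POSIX sh; it is not Chris Ford's script and not part of the original post. The allow-list format (`<application-account> <login-user>` per line), the path /usr/local/etc/su_allow and the function names are assumptions made here. It relies on `who am i` reporting the name the session originally logged in as, which su leaves unchanged, so "logged in as oracle" and "logged in as dba1, then su oracle" can be told apart; when that name cannot be determined (no utmp entry, non-tty session) the guard fails closed.

```sh
#!/bin/sh
# Profile guard for an application account (e.g. oracle) that must stay
# unlocked under Tru64 enhanced security but should only be reached by su
# from an authorised personal account.
#
# Allow-list format (constructed for this example, loosely modelled on the
# one-entry-per-line style of /etc/securettys; '#' starts a comment):
#     <application-account> <login-user>
# In practice it would live at an assumed path such as /usr/local/etc/su_allow.

# su_guard_allowed ALLOW_FILE TARGET LOGIN_USER
# Returns 0 if LOGIN_USER may hold a session as TARGET, 1 otherwise.
# Fails closed: an unreadable file or an unknown login name is a refusal.
su_guard_allowed() {
    allow_file=$1
    target=$2
    login_user=$3

    # Unknown original login name (no utmp entry, non-tty session): refuse.
    [ -n "$login_user" ] || return 1
    # A direct login shows the application account itself as the login name.
    [ "$login_user" != "$target" ] || return 1
    [ -r "$allow_file" ] || return 1

    # Exact match on both fields; comment and blank lines never match.
    grep -v '^#' "$allow_file" |
        awk -v t="$target" -v u="$login_user" \
            '$1 == t && $2 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# su_guard_enforce ALLOW_FILE TARGET
# Meant to be called from the application account's .profile. `who am i`
# reports the name the session originally logged in as, which su preserves.
su_guard_enforce() {
    allow_file=$1
    target=$2
    login_user=$(who am i 2>/dev/null | awk '{ print $1 }')
    if su_guard_allowed "$allow_file" "$target" "$login_user"; then
        return 0
    fi
    echo "Direct login to $target is not permitted; su from your own account." >&2
    exit 1   # ends the login shell before the user reaches a prompt
}

# Self-contained demonstration with a constructed allow-list.
su_guard_demo() {
    demo_file=$(mktemp) || return 1
    printf '# constructed allow-list\noracle dba1\noracle dba2\n' > "$demo_file"
    for login_name in dba1 dba2 oracle mallory; do
        if su_guard_allowed "$demo_file" oracle "$login_name"; then
            echo "oracle session for login user $login_name: allowed"
        else
            echo "oracle session for login user $login_name: refused"
        fi
    done
    rm -f "$demo_file"
}

su_guard_demo
```

In ~oracle/.profile the call would be `su_guard_enforce /usr/local/etc/su_allow oracle` as the first line, with the allow-list owned by root and not writable by the application account. Because the check runs from the profile, it only covers sessions whose login shell reads that profile; it narrows who reaches the account interactively but is not the same as the lockout that base security would give. On the addendum's sudo question, current sudoers(5) has a `Defaults targetpw` option that makes sudo ask for the target account's password instead of the invoking user's; the post does not say whether the sudo version in use at the time offered it.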




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:50:13 EDT