Securing root password?

From: AIX Geek (aixgeek_at_YAHOO.COM)
Date: 11/09/05

    Date:         Wed, 9 Nov 2005 08:06:29 -0800
    To: aix-l@Princeton.EDU
    
    

    Do you all have a "best practice" for "securing" the
    root account?

    One of my clients has an auditor suggesting that they
    write the password for root on a piece of paper and
    put it in a secure vault, and that we have to change
    the root password after every login (do we also need
    to shoot the person who writes the password on the
    paper?).

    One of our Sun guys has come up with a way that
    stores the encrypted root password in a file on a
    central server, encrypted with the hash file from the
    Sun box. Basically, after it detects that the
    encrypted file has been accessed, it compares the
    password with the password on the Sun box to see if it
    needs to reset it automatically.

    In theory, it works, but I don't see how well it ports
    to AIX (I've never seen an AIX server-specific hash
    file that could be used to implement this).

    We have one client who has opted to prevent
    CONSOLE-level root login access (you always have to
    log in as a user and su/sudo to root, even at the
    console).

    How do you all secure the root password and audit who
    is logging in as root? Note, I can already check su
    and sudo accesses. How do you keep the root password
    secure and audit direct root logins?

    Thanks.

            
                    

