Re: Securing root password?
From: Justin Bleistein (justin.bleistein_at_TOWERSPERRIN.COM)
Date: 11/09/05
Date: Wed, 9 Nov 2005 11:53:25 -0500 To: aix-l@Princeton.EDU
There's really no real one-shot answer to this. No one will ever
think of every angle, every point, so ideas will always be shot down,
especially when it comes to system security issues such as this. First of
all just restricting root access/login to the console tty, is just half
the battle of securing a root logon. I never
suggest that users "su -" to root from their own accounts. True, it
provides an audit trail for who's logging in as root, but it doesn't
address the real issue. Now, I have come to like one freeware tool:
"sudo". I know I'm not one for freeware, but this thing actually has
proven to be useful to me. I always recommend people
restrict root to just console, put root in the: "/etc/ftpusers" file to
prevent ftp access, change the root password at least monthly, and change
root's default home directory from: "/" to something like: "/root".
Remember don't make it "/home/root", just "/root", you want to keep
"root"'s home directory on the root/hd4 partition/lv. If you make root's
home directory on for instance the home/hd1 partition/lv, if you ever have
to unmount /home to run an fsck or something, you won't be able to,
because as root, init will spawn processes such as inetd(super server)
from "/home", "fuser -cx /home" will show this, and you can't necessarily
just: "kill -9 PID_NUMBER" those system processes. Now, to your question.
Specifically, to secure "root"'s password, it's simple... The answer
doesn't lie in some encrypted file, or complex C, or Perl module. It lies
in trust and human process. It's simple, no one su's to root ever. You
either grant roles for admins, or you use sudo, and not full (ALL) sudo
either. Take your time, find out what files, and/or processes each user
will need access to respectively. Secure the system right. Set root's
password monthly, and be selective to who gets it. Maybe only the manager
of the UNIXSA group, and a trusted manager in another
group in the company. Something like that. Never, ever write it down. Also
if you manage a server farm, try to make the passwords different for each
system. Just in case someone hacks one, only that server is
compromised/exposed, and they don't have the keys to the kingdom at that
point.
Just some thoughts.
Thanks.
--Justin Richard Bleistein
AIX Systems Administrator
AIX Geek <aixgeek@YAHOO.COM>
Sent by: IBM AIX Discussion List <aix-l@Princeton.EDU>
11/09/2005 11:06 AM
Please respond to
IBM AIX Discussion List <aix-l@Princeton.EDU>
To
aix-l@Princeton.EDU
cc
Subject
Securing root password?
Do you all have a "best practice" for "securing" the
root account?
One of my clients has an auditor suggesting that they
write the password for root on a piece of paper and
put it in a secure vault, and that we have to change
the root password after every login (do we also need
to shoot the person who writes the password on the
paper?).
One of our Sun guys has come up with a way that
stores the encrypted root password in a file on a
central server, encrypted with the hash file from the
Sun box. Basically, after it detects that the
encrypted file has been accessed, it compares the
password with the password on the Sun box to see if it
needs to reset it automatically.
In theory, it works, but I don't see how well it ports
to AIX (I've never seen an AIX server-specific hash
file that could be used to implement this).
We have one client who has opted to prevent
CONSOLE-level root login access (you always have to
log in as a user and su/sudo to root, even at the
console).
How do you all secure the root password and audit who
is logging in as root? Note, I can already check su
and sudo accesses. How do you keep the root password
secure and audit direct root logins?
Thanks.
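
An added example, not part of either message above: a shell script that checks three of the points from the reply (root's home directory, root listed in "/etc/ftpusers", and sudo rules that grant ALL commands). The function names and the sample files are constructed for illustration; the file paths are passed as arguments.

```shell
# Added example: audits three points from the reply (root home, ftpusers, sudo).
# Paths are arguments so the checks can run against copies of the real files.

# Succeeds if root's home (passwd field 6) is neither "/" nor under /home.
check_root_home() {
    home=$(awk -F: '$1 == "root" { print $6; exit }' "$1")
    case "$home" in ""|/|/home|/home/*) return 1 ;; esac
}

# Succeeds if root is listed in the ftpusers file (FTP login refused).
check_ftpusers() {
    grep -q '^[[:space:]]*root[[:space:]]*$' "$1"
}

# Print non-root sudoers entries whose command list contains a bare ALL.
# Line-based only: no include files, aliases or backslash continuations.
full_sudo_grants() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        /^[ \t]*(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
        $1 == "root" { next }
        {
            eq = index($0, "="); if (eq == 0) next
            cmds = substr($0, eq + 1)
            sub(/^[ \t]*\([^)]*\)/, "", cmds)   # drop the (runas) part
            gsub(/[A-Z]+:/, "", cmds)            # drop tags such as NOPASSWD:
            gsub(/[ \t]/, "", cmds)
            n = split(cmds, item, ",")
            for (i = 1; i <= n; i++) if (item[i] == "ALL") { print $1; break }
        }' "$1"
}

# Constructed sample files (not from any real system), written into directory $1.
make_samples() {
    printf 'root:!:0:0::/:/usr/bin/ksh\n' > "$1/passwd.bad"
    printf 'root:!:0:0::/root:/usr/bin/ksh\n' > "$1/passwd.good"
    printf 'guest\nroot\n' > "$1/ftpusers"
    printf '%s\n' '# constructed sudoers' 'Defaults env_reset' 'root ALL=(ALL) ALL' \
        'alice ALL=(ALL) NOPASSWD: ALL' 'bob ALL=(root) /usr/sbin/lsvg, /usr/bin/errpt' \
        '%unixsa ALL = ALL' > "$1/sudoers"
}

# Stand-alone run against the constructed samples.
d=$(mktemp -d) && make_samples "$d"
check_root_home "$d/passwd.bad" || echo "root home is / or under /home"
check_ftpusers "$d/ftpusers" && echo "root is denied FTP login"
echo "full sudo grants: $(full_sudo_grants "$d/sudoers" | tr '\n' ' ')"
rm -rf "$d"
```

On a real system the arguments would be "/etc/passwd", "/etc/ftpusers" and the installed sudoers file, read as root.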