Re: Which way is correct to implement sudo
From: Mike S. (Mike_member_at_newsguy.com)
Date: 09/18/05
- Next message: dfvanden: "Setting the entry order in a NIS group file"
- Previous message: Dave: "test - please ignore"
- In reply to: Manager: "Which way is correct to implement sudo"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 18 Sep 2005 14:29:47 -0700
Your application group got it right - go with that.
Consider finding another systems admin service, they have some pretty
strange ideas about security.
Good luck.
In article <dgdb6902nnb@drn.newsguy.com>, Manager says...
>
>Hello
>
>I am seeking advice from those very experienced with Suns, Unix, webservers,
>database servers, and setting up sudo in that kind of environment. My objective
>is to ensure security, accountability, auditability, and minimize the impact of
>human error.
>
>I have a difference of opinion between two operational IT groups (one is systems
>admin, the other is applications) regarding the best way to set up sudo.
>
>I have a contracted systems admin service (a couple of people) managing 4
>Solaris servers from a remote location normally (come in by VPN) They are
>responsible for the operating system and hardware only. They are contracted
>from a well established external company that has been around quite a while
>providing IT services and support, and facilities management, but are new service
>providers to us.
>
>I also have an in-house applications group (again a couple of people - with some
>additional contractors as needed). They are responsible for applications now,
>but in the past provided direction and/or direct support on the hardware and
>operating system for these systems.
>
>The machines run production and test for apache (public web), and internal
>application servers and databases (oracle, application servers like 9ias). Each
>of the application software packages has its own dedicated account, e.g. oracle,
>web, appservice1, etc.
>
>The applications group needs the ability to run a few things with higher
>privileges, e.g. need to be able to start and stop apache, and a number of other
>things, hence the need for sudo. In the past they have had the root password,
>and would su to root directly when higher privileges were required, and then
>back down to the relevant application account.
>
>The systems admin group wants the application group to log onto the machines
>(apps groups come in on the same subnet which is switched) using named accounts
>e.g. based on their personal id (e.g. jbrown), then sudo su to the application
>accounts as required. They have indicated that they wish the web account
>(which owns and runs apache out to the public) to be the only account that can
>sudo ALL, under the concept of least privilege. They indicate that they are
>concerned about giving sudo ALL privilege to the personal accounts for the
>applications group in case that account is compromised.
>
>The applications group want to log onto the machines under their personal named
>account (e.g. jbrown), and have only those types of accounts given the
>privilege to sudo ALL, and have none of the generic application accounts like
>"web".
>
>In fact the applications group wants "everyone" to have to use sudo ALL from
>only their own named account (both them and the system admin group) so that all
>actions run with higher privileges are logged under sudo against the person who
>ran the command. In the event that a machine goes into single user mode and a
>root logon is required at the machine directly, root password would be in a
>sealed envelope, secured, but available onsite.
>
>Which of these ways to setup and implement sudo is best given the stated
>objectives (from senior management) of security, accountability, auditability,
>and minimizing the impact of human error?
>
>I am looking for frank responses on this from experienced people.
>
>Thanks in advance.
>
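A sudoers fragment, added here as an illustration and not part of either poster's message, that encodes the applications group's approach (named personal accounts only, every privileged action logged against a person) while also answering the sysadmins' worry about handing sudo ALL to personal accounts: the apps people get only the commands they need, and ALL goes only to named admin accounts, never to a shared account like "web". User names, group names and program paths are assumptions.

```sudoers
# Added illustration, not from the thread. Names and paths are assumptions.

Defaults    env_reset
Defaults    logfile=/var/log/sudo.log   # each sudo invocation logged with the invoking user

# Named people only; no generic account (web, oracle, appservice1) is listed here.
User_Alias  APPS    = jbrown, asmith
User_Alias  SYSADM  = contractor1, contractor2

# The few privileged operations the applications group actually needs.
Cmnd_Alias  APACHE  = /usr/apache/bin/apachectl start,   \
                      /usr/apache/bin/apachectl stop,    \
                      /usr/apache/bin/apachectl graceful

# Becoming an application account from a personal login, so the log ties
# the switch (and who made it) back to a person rather than to "web".
Cmnd_Alias  APPSU   = /usr/bin/su - web,    \
                      /usr/bin/su - oracle, \
                      /usr/bin/su - appservice1

APPS    ALL = (root) APACHE, APPSU
SYSADM  ALL = (ALL)  ALL

# Deliberately absent (the sysadmins' proposal): a shared, non-personal
# account with unrestricted root rights, which would attribute nothing
# to an individual.
#   web   ALL = (ALL) ALL
```

Note that sudo logs only the command it was asked to run, so once someone does `sudo su -` to root, the commands typed in that shell are not in the sudo log; keeping the per-command aliases narrow is what preserves the accountability the applications group is after.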