Hello and Welcome from United States to the UNIX and Linux Forums! Thank You for Visiting and Joining Our Global Community.
|
Hello and Welcome from United States to the UNIX and Linux Forums! Thank You for Visiting and Joining Our Global Community.
|
|
google unix.com
|
|||||||
| Forums | Register | Forum Rules | Links | Albums | FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
 |
| UNIX for Advanced & Expert Users Expert-to-Expert. Learn advanced UNIX, UNIX commands, Linux, Operating Systems, System Administration, Programming, Shell, Shell Scripts, Solaris, Linux, HP-UX, AIX, OS X, BSD. |
More UNIX and Linux Forum Topics You Might Find Helpful
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| sudo, or not sudo: that is the question | iBot | UNIX and Linux RSS News | 1 | 02-07-2008 01:40 PM |
| man synopsis standard compliance | vkleban | UNIX for Dummies Questions & Answers | 4 | 12-06-2007 08:18 PM |
| sudo and ssh | jOOc | UNIX for Advanced & Expert Users | 3 | 11-12-2007 04:48 PM |
| Help with Sudo | geomonap | UNIX for Advanced & Expert Users | 1 | 03-29-2006 03:50 PM |
| Using Sudo | ambika | UNIX for Dummies Questions & Answers | 2 | 12-28-2005 09:58 AM |
 |
Powered by 
|
|
|
LinkBack | Thread Tools | Search this Thread | Rate Thread | Display Modes |
|
|
05-16-2007
|
||||
|
||||
sudo & Sox compliance
Hello,
I am trying to convince my boss to stop allowing our users to login as root (superuser). Currently our users login to our unix server with their own account, then as needed, they will do an su and put in the root password. This scares me, for a bunch of reasons. Mainly, one is that we still use telnet, not ssh, which I am also trying to enforce as well. Secondly, some of our users who have root access, have little to no unix knowledge, whatsoever. This can be very dangerous... What I proposed to my boss is, that we do not give out the root password anymore. Instead, using sudo, give users access to certain commands/scripts. Then they can simply do 'sudo command' ... And then none of them ever have to type in the root password, and everything they do as su, is logged in the sudoers.log file.. My boss wants to know how sudo fits in with SOX , if it is compliant with SOX, if SOX has any restrictions with using sudo, etc. Also , we need to know how sudo complies with HIPPA. As we are soon to become HIPPA compliant. Which brings me to telnet, which I fear, is not HIPPA, compliant, in that it has no security , and data can be captured with relative ease... Any information would be greatly appreciated, Thank you |
|
05-16-2007
|
||||
|
||||
|
Short answer: your current security as explained is a violation of Sarbanes-Oxley. Furthermore, if you are publicly traded, you're going to look bad in any sox-compliance audit. Get security help.
Test for publicly traded companies including their contractors, vendors or anyone with system access: If su or sudo lets somebody, like programmers or accountants or data entry clerks or even the company president, have direct unaudited access to any file or data transmission used for input to or generated by AR, AP... any accounting/financial reporting, then it won't fly. HIPPA - if sudo lets any non-HR person in my business (or doing work for my business as a consultant, contractor, etc.) lookup somebody else's private records without their prior authorization, then I am not in compliance. That is the test you apply. Private records = medical records, drug test records, insurance information, direct deposit information, etc. Just get security help. Obviously, your boss does not listen to you. He will be forced to listen when it dings his department's budget. That's how it works in small companies - consultants get listened to. |
|
| Bookmarks |
| Thread Tools | Search this Thread |
| Display Modes | Rate This Thread |
|
|
Hybrid Mode
