Login or Register to Ask a Question and Join Our Community


UNIX for Advanced & Expert Users

sudo & Sox compliance

 
Thread Tools Search this Thread
Top Forums UNIX for Advanced & Expert Users sudo & Sox compliance
Prev   Next
# 1  
Old 05-16-2007
Question sudo & Sox compliance
Hello,

I am trying to convince my boss to stop allowing our users to login as root (superuser). Currently our users login to our unix server with their own account, then as needed, they will do an su and put in the root password.

This scares me, for a bunch of reasons. Mainly, one is that we still use telnet, not ssh, which I am also trying to enforce as well. Secondly, some of our users who have root access, have little to no unix knowledge, whatsoever. This can be very dangerous...

What I proposed to my boss is, that we do not give out the root password anymore. Instead, using sudo, give users access to certain commands/scripts. Then they can simply do 'sudo command' ... And then none of them ever have to type in the root password, and everything they do as su, is logged in the sudoers.log file..

My boss wants to know how sudo fits in with SOX , if it is compliant with SOX, if SOX has any restrictions with using sudo, etc.

Also , we need to know how sudo complies with HIPPA. As we are soon to become HIPPA compliant. Which brings me to telnet, which I fear, is not HIPPA, compliant, in that it has no security , and data can be captured with relative ease...

Any information would be greatly appreciated, Thank you
 
Login or Register to Ask a Question

Previous Thread | Next Thread

7 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

Remoting sudo commands & bypassing bashrc

What I want to do is not unique, except that our environment has a twist. I want to ssh to a remote server and issue a sudo command to run a script. This isn't working, but you'll get the gist.# ssh remotehost sudo -i -u oracle script.bashThe sudo to oracle is fine. The script.bash sets up the... (4 Replies)
Discussion started by: JustaDude
4 Replies

2. Shell Programming and Scripting

Ssh & sudo

when the following command is issued the command prompt is received, how do I get past this? ssh -t usera@hosta sudo su - userb -c id (4 Replies)
Discussion started by: squrcles
4 Replies

3. Solaris

Sudo Privileges & Sudoers Group

I'm looking for some suggestions to accomplish what a specific user needs, without adding them to the "sudoers" group. I have X user, that is requesting to be able to change file permissions on items owned by others and search directories where X user doesn't have access. I'm open to any... (2 Replies)
Discussion started by: Nvizn
2 Replies

4. UNIX for Advanced & Expert Users

sudo & chdev

I have an error when using chdev with sudo as follows; sudo chdev -l rmt0 -a block_size=512 chdev: 0514-518 Cannot access the CuDv object class in the device configuration database. I've added chdev in sudoers but still get the error, I guess it's something to do with CuDv... (3 Replies)
Discussion started by: gefa
3 Replies

5. Solaris

sudo for solaris 8 & 9

Dear ALL please can anyone tell me from where can i install sudo for solaris 8 & 9 and how i can install it in the solaris server . (1 Reply)
Discussion started by: thecobra151
1 Replies

6. Solaris

Difference between sudo & RBAC

Hello Everybody I would like to know any major difference between sudo & RBAC as I am bit familiar with RBAC but not with sudo (2 Replies)
Discussion started by: girish.batra
2 Replies

7. UNIX for Dummies Questions & Answers

Parsing Powerbroker Logs for SysAdmin Changes (SOX)

I need to identify a list of AIX command strings that can be used to parse Powerbroker logs for changes that are being made by Unix SysAdmins. Need to filter out (as much as possible) inquiry or routine maintenance activity and concentrate on software/security changes. This is for internal... (1 Reply)
Discussion started by: bcouchtx
1 Replies
Login or Register to Ask a Question

LEARN ABOUT LINUX

chfn

CHFN(1) 							   User Commands							   CHFN(1)

NAME

       chfn - change real user name and information

SYNOPSIS

       chfn [-f full_name] [-r room_no] [-w work_ph] [-h home_ph] [-o other] [user]

DESCRIPTION

       The chfn command changes user fullname, office number, office extension, and home phone number information for a user's account. This
       information is typically printed by finger(1) and similar programs. A normal user may only change the fields for her own account, subject
       to the restrictions in /etc/login.defs. (The default configuration is to prevent users from changing their fullname.) The superuser may
       change any field for any account. Additionally, only the superuser may use the -o option to change the undefined portions of the GECOS
       field.

       These fields must not contain any colons. Except for the other field, they should not contain any comma or equal sign. It is also
       recommended to avoid non-US-ASCII characters, but this is only enforced for the phone numbers. The other field is used to store accounting
       information used by other applications.

       If none of the options are selected, chfn operates in an interactive fashion, prompting the user with the current values for all of the
       fields. Enter the new value to change the field, or leave the line blank to use the current value. The current value is displayed between a
       pair of [ ] marks. Without options, chfn prompts for the current user account.

CONFIGURATION

       The following configuration variables in /etc/login.defs change the behavior of this tool:

       CHFN_RESTRICT (string)
	   This parameter specifies which values in the gecos field of the /etc/passwd file may be changed by regular users using the chfn
	   program. It can be any combination of letters f, r, w, h, for Full name, Room number, Work phone, and Home phone, respectively. For
	   backward compatibility, yes is equivalent to rwh and no is equivalent to frwh. If not specified, only the superuser can make any
	   changes. The most restrictive setting is better achieved by not installing chfn SUID.

FILES

       /etc/login.defs
	   Shadow password suite configuration.

       /etc/passwd
	   User account information.

SEE ALSO

       chsh(1), login.defs(5), passwd(5).

User Commands							    06/24/2011								   CHFN(1)