Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: sudo & Sox compliance
Top Forums UNIX for Advanced & Expert Users sudo & Sox compliance Post 302117843 by jim mcnamara on Wednesday 16th of May 2007 05:13:54 PM
Old 05-16-2007
Short answer: your current security as explained is a violation of Sarbanes-Oxley. Furthermore, if you are publicly traded, you're going to look bad in any sox-compliance audit. Get security help.

Test for publicly traded companies including their contractors, vendors or anyone with system access:
If su or sudo lets somebody, like programmers or accountants or data entry clerks or even the company president, have direct unaudited access to any file or data transmission used for input to or generated by AR, AP... any accounting/financial reporting, then it won't fly.

HIPPA - if sudo lets any non-HR person in my business (or doing work for my business as a consultant, contractor, etc.) lookup somebody else's private records without their prior authorization, then I am not in compliance. That is the test you apply. Private records = medical records, drug test records, insurance information, direct deposit information, etc.


Just get security help. Obviously, your boss does not listen to you. He will be forced to listen when it dings his department's budget. That's how it works in small companies - consultants get listened to.
 

7 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Parsing Powerbroker Logs for SysAdmin Changes (SOX)

I need to identify a list of AIX command strings that can be used to parse Powerbroker logs for changes that are being made by Unix SysAdmins. Need to filter out (as much as possible) inquiry or routine maintenance activity and concentrate on software/security changes. This is for internal... (1 Reply)
Discussion started by: bcouchtx
1 Replies

2. Solaris

Difference between sudo & RBAC

Hello Everybody I would like to know any major difference between sudo & RBAC as I am bit familiar with RBAC but not with sudo (2 Replies)
Discussion started by: girish.batra
2 Replies

3. Solaris

sudo for solaris 8 & 9

Dear ALL please can anyone tell me from where can i install sudo for solaris 8 & 9 and how i can install it in the solaris server . (1 Reply)
Discussion started by: thecobra151
1 Replies

4. UNIX for Advanced & Expert Users

sudo & chdev

I have an error when using chdev with sudo as follows; sudo chdev -l rmt0 -a block_size=512 chdev: 0514-518 Cannot access the CuDv object class in the device configuration database. I've added chdev in sudoers but still get the error, I guess it's something to do with CuDv... (3 Replies)
Discussion started by: gefa
3 Replies

5. Solaris

Sudo Privileges & Sudoers Group

I'm looking for some suggestions to accomplish what a specific user needs, without adding them to the "sudoers" group. I have X user, that is requesting to be able to change file permissions on items owned by others and search directories where X user doesn't have access. I'm open to any... (2 Replies)
Discussion started by: Nvizn
2 Replies

6. Shell Programming and Scripting

Ssh & sudo

when the following command is issued the command prompt is received, how do I get past this? ssh -t usera@hosta sudo su - userb -c id (4 Replies)
Discussion started by: squrcles
4 Replies

7. Shell Programming and Scripting

Remoting sudo commands & bypassing bashrc

What I want to do is not unique, except that our environment has a twist. I want to ssh to a remote server and issue a sudo command to run a script. This isn't working, but you'll get the gist.# ssh remotehost sudo -i -u oracle script.bashThe sudo to oracle is fine. The script.bash sets up the... (4 Replies)
Discussion started by: JustaDude
4 Replies

LEARN ABOUT CENTOS

sss_usermod

SSS_USERMOD(8)							 SSSD Manual pages						    SSS_USERMOD(8)

NAME

       sss_usermod - modify a user account

SYNOPSIS

       sss_usermod [options] LOGIN

DESCRIPTION

       sss_usermod modifies the account specified by LOGIN to reflect the changes that are specified on the command line.

OPTIONS

       -c,--gecos COMMENT
	   Any text string describing the user. Often used as the field for the user's full name.

       -h,--home HOME_DIR
	   The home directory of the user account.

       -s,--shell SHELL
	   The user's login shell.

       -a,--append-group GROUPS
	   Append this user to groups specified by the GROUPS parameter. The GROUPS parameter is a comma separated list of group names.

       -r,--remove-group GROUPS
	   Remove this user from groups specified by the GROUPS parameter.

       -l,--lock
	   Lock the user account. The user won't be able to log in.

       -u,--unlock
	   Unlock the user account.

       -Z,--selinux-user SELINUX_USER
	   The SELinux user for the user's login.

       -?,--help
	   Display help message and exit.

THE LOCAL DOMAIN

       In order to function correctly, a domain with "id_provider=local" must be created and the SSSD must be running.

       The administrator might want to use the SSSD local users instead of traditional UNIX users in cases where the group nesting (see
       sss_groupadd(8)) is needed. The local users are also useful for testing and development of the SSSD without having to deploy a full remote
       server. The sss_user* and sss_group* tools use a local LDB storage to store users and groups.

SEE ALSO

       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-sudo(5),sss_cache(8), sss_debuglevel(8),
       sss_groupadd(8), sss_groupdel(8), sss_groupshow(8), sss_groupmod(8), sss_useradd(8), sss_userdel(8), sss_usermod(8), sss_obfuscate(8),
       sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8),pam_sss(8).

AUTHORS

       The SSSD upstream - http://fedorahosted.org/sssd

SSSD
								    06/17/2014							    SSS_USERMOD(8)
All times are GMT -4. The time now is 09:26 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy