sudo & Sox compliance Post: 302117843

Sponsored Content

Top Forums UNIX for Advanced & Expert Users sudo & Sox compliance Post 302117843 by jim mcnamara on Wednesday 16th of May 2007 05:13:54 PM

05-16-2007

Registered User

Short answer: your current security as explained is a violation of Sarbanes-Oxley. Furthermore, if you are publicly traded, you're going to look bad in any sox-compliance audit. Get security help.

Test for publicly traded companies including their contractors, vendors or anyone with system access:
If su or sudo lets somebody, like programmers or accountants or data entry clerks or even the company president, have direct unaudited access to any file or data transmission used for input to or generated by AR, AP... any accounting/financial reporting, then it won't fly.

HIPPA - if sudo lets any non-HR person in my business (or doing work for my business as a consultant, contractor, etc.) lookup somebody else's private records without their prior authorization, then I am not in compliance. That is the test you apply. Private records = medical records, drug test records, insurance information, direct deposit information, etc.

Just get security help. Obviously, your boss does not listen to you. He will be forced to listen when it dings his department's budget. That's how it works in small companies - consultants get listened to.

jim mcnamara

View Public Profile for jim mcnamara

Find all posts by jim mcnamara

7 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Parsing Powerbroker Logs for SysAdmin Changes (SOX)

I need to identify a list of AIX command strings that can be used to parse Powerbroker logs for changes that are being made by Unix SysAdmins. Need to filter out (as much as possible) inquiry or routine maintenance activity and concentrate on software/security changes. This is for internal...

2. Solaris

Difference between sudo & RBAC

Hello Everybody I would like to know any major difference between sudo & RBAC as I am bit familiar with RBAC but not with sudo

3. Solaris

sudo for solaris 8 & 9

Dear ALL please can anyone tell me from where can i install sudo for solaris 8 & 9 and how i can install it in the solaris server .

4. UNIX for Advanced & Expert Users

sudo & chdev

I have an error when using chdev with sudo as follows; sudo chdev -l rmt0 -a block_size=512 chdev: 0514-518 Cannot access the CuDv object class in the device configuration database. I've added chdev in sudoers but still get the error, I guess it's something to do with CuDv...

5. Solaris

Sudo Privileges & Sudoers Group

I'm looking for some suggestions to accomplish what a specific user needs, without adding them to the "sudoers" group. I have X user, that is requesting to be able to change file permissions on items owned by others and search directories where X user doesn't have access. I'm open to any...

6. Shell Programming and Scripting

Ssh & sudo

when the following command is issued the command prompt is received, how do I get past this? ssh -t usera@hosta sudo su - userb -c id

7. Shell Programming and Scripting

Remoting sudo commands & bypassing bashrc

What I want to do is not unique, except that our environment has a twist. I want to ssh to a remote server and issue a sudo command to run a script. This isn't working, but you'll get the gist.# ssh remotehost sudo -i -u oracle script.bashThe sudo to oracle is fine. The script.bash sets up the...

LEARN ABOUT LINUX

chfn

CHFN(1) 							   User Commands							   CHFN(1)

NAME

       chfn - change real user name and information

SYNOPSIS

       chfn [-f full_name] [-r room_no] [-w work_ph] [-h home_ph] [-o other] [user]

DESCRIPTION

       The chfn command changes user fullname, office number, office extension, and home phone number information for a user's account. This
       information is typically printed by finger(1) and similar programs. A normal user may only change the fields for her own account, subject
       to the restrictions in /etc/login.defs. (The default configuration is to prevent users from changing their fullname.) The superuser may
       change any field for any account. Additionally, only the superuser may use the -o option to change the undefined portions of the GECOS
       field.

       These fields must not contain any colons. Except for the other field, they should not contain any comma or equal sign. It is also
       recommended to avoid non-US-ASCII characters, but this is only enforced for the phone numbers. The other field is used to store accounting
       information used by other applications.

       If none of the options are selected, chfn operates in an interactive fashion, prompting the user with the current values for all of the
       fields. Enter the new value to change the field, or leave the line blank to use the current value. The current value is displayed between a
       pair of [ ] marks. Without options, chfn prompts for the current user account.

CONFIGURATION

       The following configuration variables in /etc/login.defs change the behavior of this tool:

       CHFN_RESTRICT (string)
	   This parameter specifies which values in the gecos field of the /etc/passwd file may be changed by regular users using the chfn
	   program. It can be any combination of letters f, r, w, h, for Full name, Room number, Work phone, and Home phone, respectively. For
	   backward compatibility, yes is equivalent to rwh and no is equivalent to frwh. If not specified, only the superuser can make any
	   changes. The most restrictive setting is better achieved by not installing chfn SUID.

FILES

       /etc/login.defs
	   Shadow password suite configuration.

       /etc/passwd
	   User account information.

SEE ALSO

       chsh(1), login.defs(5), passwd(5).

User Commands							    06/24/2011								   CHFN(1)