02-04-2014
In a Financial Services company, we would be taken to court if we cannot prove who did what where. Basically, that translates to: everyone must use a personal normal account. We have groups that can perform security actions and these are highly monitored. Anyone requiring root access has a sudo rule for the particular command, and logs are generated and monitored by a separate team for auditing.
Huge overhead, but very necessary when the values of money in question are huge and the requirements of Data Protection are high to protect customers. There's no easy way around it, but if you give root access too easily, then someone can remove any restrictions and cover their tracks very easily.
Imagine someone adding a service that they could use as a back-door where the normal protections cease to apply, or setting up at or cron jobs to perform actions that they won't be traced to.
Keep root to (at most) three people in a single team, and then only in an emergency. Have root login restricted to the console only and limit who can access the console.
Like Corona688 says, if you give out root, you've lost all control and therefore the integrity of your server.
Robin
LEARN ABOUT OPENSOLARIS
cron
cron(1M) System Administration Commands cron(1M)
NAME
cron - clock daemon
SYNOPSIS
/usr/sbin/cron
DESCRIPTION
cron starts a process that executes commands at specified dates and times.
You can specify regularly scheduled commands to cron according to instructions found in crontab files in the directory
/var/spool/cron/crontabs. Users can submit their own crontab file using the crontab(1) command. Commands which are to be executed only once
can be submitted using the at(1) command.
cron only examines crontab or at command files during its own process initialization phase and when the crontab or at command is run. This
reduces the overhead of checking for new or changed files at regularly scheduled intervals.
As cron never exits, it should be executed only once. This is done routinely by way of the svc:/system/cron:default service. The
/etc/cron.d/FIFO file is used as a lock file to prevent the execution of more than one instance of cron.
cron captures the output of the job's stdout and stderr streams, and, if it is not empty, mails the output to the user. If the job does not
produce output, no mail is sent to the user. An exception is if the job is an at(1) job and the -m option was specified when the job was
submitted.
cron and at jobs are not executed if your account is locked. Jobs and processes execute. The shadow(4) file defines which accounts are not
locked and will have their jobs and processes executed.
Setting cron Jobs Across Timezones
The timezone of the cron daemon sets the system-wide timezone for cron entries. This, in turn, is set by default system-wide using
/etc/default/init. The timezone for cron entries can be overridden in a user's crontab file; see crontab(1).
If some form of daylight savings or summer/winter time is in effect, then jobs scheduled during the switchover period could be executed
once, twice, or not at all.
Setting cron Defaults
To keep a log of all actions taken by cron, you must specify CRONLOG=YES in the /etc/default/cron file. If you specify CRONLOG=NO, no
logging is done. Keeping the log is a user configurable option since cron usually creates huge log files.
You can specify the PATH for user cron jobs by using PATH= in /etc/default/cron. You can set the PATH for root cron jobs using SUPATH= in
/etc/default/cron. Carefully consider the security implications of setting PATH and SUPATH.
Example /etc/default/cron file:
CRONLOG=YES
PATH=/usr/bin:/usr/ucb:
This example enables logging and sets the default PATH used by non-root jobs to /usr/bin:/usr/ucb:. Root jobs continue to use
/usr/sbin:/usr/bin.
The cron log file is periodically rotated by logadm(1M).
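The caution about PATH and SUPATH can be checked mechanically. The following is an added example, not part of the man page or of Solaris: a POSIX shell audit of a cron defaults file that flags disabled logging and PATH entries that are empty (the shell searches an empty entry as the current directory, as with the trailing colon in the example file above), relative, or world-writable. The function names check_path and audit_cron_defaults are hypothetical.

```shell
#!/bin/sh
# Added example (not from the man page): audit an /etc/default/cron style file.

# check_path NAME VALUE: report unsafe entries in a PATH-style value.
check_path() {
    cp_name=$1 cp_value=$2 cp_bad=0
    # A leading, trailing or doubled colon leaves an empty entry, which the
    # shell searches as the current directory.
    case ":$cp_value:" in
        *::*) echo "$cp_name: empty entry (current directory) in '$cp_value'"; cp_bad=1 ;;
    esac
    cp_ifs=$IFS; IFS=:; set -f            # split on colons, no globbing
    for cp_dir in $cp_value; do
        case $cp_dir in
            '') ;;                        # already reported above
            /*) case $(ls -ldL "$cp_dir" 2>/dev/null) in
                    ????????w*) echo "$cp_name: $cp_dir is world-writable"; cp_bad=1 ;;
                esac ;;
            *)  echo "$cp_name: relative entry '$cp_dir'"; cp_bad=1 ;;
        esac
    done
    IFS=$cp_ifs; set +f
    return $cp_bad
}

# audit_cron_defaults FILE: print findings; exit status 1 if there are any.
audit_cron_defaults() {
    acd_bad=0 acd_cronlog=
    while IFS='=' read -r acd_key acd_val || [ -n "$acd_key" ]; do
        case $acd_key in
            CRONLOG) acd_cronlog=$acd_val ;;
            PATH|SUPATH) check_path "$acd_key" "$acd_val" || acd_bad=1 ;;
        esac
    done < "$1"
    if [ "$acd_cronlog" != YES ]; then
        echo "CRONLOG: not set to YES, cron actions are not logged"; acd_bad=1
    fi
    return $acd_bad
}

# Constructed sample: the example file shown in the man page.
sample=$(mktemp)
printf 'CRONLOG=YES\nPATH=/usr/bin:/usr/ucb:\n' > "$sample"
audit_cron_defaults "$sample" || echo "review the settings above"
rm -f "$sample"
```

Run it against a copy of /etc/default/cron; a silent run with exit status 0 means logging is on and no flagged PATH entries were found.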
FILES
/etc/cron.d               Main cron directory
/etc/cron.d/FIFO          Lock file
/etc/default/cron         cron default settings file
/var/cron/log             cron history information
/var/spool/cron           Spool area
/etc/cron.d/queuedefs     Queue description file for at, batch, and cron
/etc/logadm.conf          Configuration file for logadm
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
|Availability |SUNWcsu |
+-----------------------------+-----------------------------+
SEE ALSO
svcs(1), at(1), crontab(1), sh(1), logadm(1M), svcadm(1M), queuedefs(4), shadow(4), attributes(5), rbac(5), smf(5), smf_security(5)
NOTES
The cron service is managed by the service management facility, smf(5), under the service identifier:
svc:/system/cron:default
Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using svcadm(1M). The
service's status can be queried using the svcs(1) command. Most administrative actions may be delegated to users with the
solaris.smf.manage.cron authorization (see rbac(5) and smf_security(5)).
DIAGNOSTICS
A history of all actions taken by cron is stored in /var/cron/log and possibly in /var/cron/olog.
SunOS 5.11 4 Feb 2009 cron(1M)