UNIX for Dummies Questions & Answers

Hello!

I run an HP Unix system which I host oracle databases on, as well as oracle based apps used by my company. My IA department needs to scan my files to ensure I am following IA procedures and check for vulnerabilities in scripts etc. The scan is coming from corporate, and they asked for root access initially to scan the entire file system with. I denied the request and instead offered an account in the root group, but not with the permissions. I do not have the ability to change files or mkdir or even touch a file with the account, but am not sure I did it right. I am not an expert in the area, and am looking for a better way to accomplish this, or perhaps enhance what I have done. They will want to run the scan once a week, so having the account disable on a time schedule would be great too.

Any thoughts? Anyone done this before? Thanks!!!

root is a group. Are the files in question all accessible by that group?

What you really want is something akin to sudo, SUDO in HP UX : A small presentation | SYSADMINSHARE.

Then simply write a script that does precisely what is requested, and only that, then create an account that cannot do much else except login and run sudo /path/to/myscript

This way you can control what they are doing, reading only the filelystem in question and not using the root group - which has privilege.

The downside is you will have to install sudo. First. See if it looks like you can use it and are allowed to install it.

Plan B would be to create a chroot jail for that account. And only allow visibility to the mountpoint of that filesystem with readonly access. You will have to supply local copies of whatever commands you/they include in the scanning script. And not allow any write access the script. Ownership has to be other than the account you create.

I don't think I'll be able to install anything on there, we have some pretty tight restrictions. Plan B sounds a lot more doable. The scan itself shouldn't be running any commands, it should only be scanning the files as a file system which means I shouldn't have to add the commands, I hope. I honestly have no information about the type of scan they are going to perform which makes this much harder. I'll find out Tuesday afternoon how it goes and if it fails!