On Thu, 23 Mar 2006 09:01:08 GMT, [EMAIL PROTECTED] said:

> retrys, ... for my understanding it doesn't
> make sense to lockout root. there are enough
> exploits to gain root access anyway.
This is more an "auditing" requirement than providing extra security. If I get called at 3:02AM because backups failed because some chucklehead made a typo in a config file, which do I want to see in the logs?

A) Somebody ssh'ed from the terminal server as root and vi'ed /etc/back.config

B) Joe ssh'ed in from the terminal server, and did 'sudo vi /etc/back.config'

In the second case, I can call Joe at 3:09AM and ask him what crack he was smoking at 1:15AM.... which is the whole point of the no-root restriction.

Remember - the *single* most dangerous thing to the average Cisco router isn't a hacker with a 0-day IOS sploit - it's the "banana eater with enable"(*). The same is true for every other operating system....

(*) "banana eater" - the low level tech staff at a NOC are often referred to as 'NOC monkeys'. 'enable' is the IOS equivalent of a Unixoid 'su'.
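The attribution difference between scenarios A and B above, worked through as an added example (not code from the original post): a small parser over constructed sshd and sudo syslog lines that tries to name the human behind each root-level action. Host names, addresses and the log lines themselves are made up for the example; the formats follow the usual OpenSSH and sudo syslog output.

```python
import re
from typing import Dict, List

# Constructed sample syslog lines for the two scenarios in the post.
SCENARIO_A = [  # root logged in directly from the terminal server
    "Mar 23 01:14:50 backup1 sshd[4121]: Accepted password for root from 10.0.0.5 port 50122 ssh2",
]
SCENARIO_B = [  # joe logged in under his own account and used sudo
    "Mar 23 01:14:50 backup1 sshd[4130]: Accepted publickey for joe from 10.0.0.5 port 50130 ssh2",
    "Mar 23 01:15:02 backup1 sudo:      joe : TTY=pts/0 ; PWD=/home/joe ; USER=root ; COMMAND=/usr/bin/vi /etc/back.config",
]

SSH_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


def root_actions(lines: List[str]) -> List[Dict[str, str]]:
    """Attribute every root-level action in the log to a human account.

    A direct root login can only be attributed to "unknown": the log proves
    that *someone* holding the root credential came from the source address,
    nothing more. A sudo entry names the account that invoked it, which is
    what lets you phone Joe instead of everyone with the root password.
    """
    sources: Dict[str, str] = {}   # login name -> source address of last ssh login
    actions: List[Dict[str, str]] = []
    for line in lines:
        m = SSH_RE.search(line)
        if m:
            sources[m["user"]] = m["src"]
            if m["user"] == "root":
                actions.append({"actor": "unknown", "source": m["src"],
                                "command": "interactive root shell"})
            continue
        m = SUDO_RE.search(line)
        if m and m["target"] == "root":
            actions.append({"actor": m["user"],
                            "source": sources.get(m["user"], "?"),
                            "command": m["cmd"].strip()})
    return actions


if __name__ == "__main__":
    for name, lines in (("A", SCENARIO_A), ("B", SCENARIO_B)):
        print(name, root_actions(lines))
```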
