On 9/27/06, Little, Chris <[EMAIL PROTECTED]> wrote:
> That really wouldn't work for our environment (at least). Operators have the ability to "logonby". The worst they could do would be a #cp logoff.
Only limited by skills and/or imagination... Not that you would not notice, but when you are logged on you can store in memory, boot another kernel, change the root password, whatever. If you don't trust your operators to have root access, then imho you should not let them at the virtual machine console either. Although with high privileges it is hard to prevent that...

I am a strong believer in clear rules and auditing, and I have mostly had security folks support me in that. So privileged VM userids run with console spooled to an archive machine so you can see what your colleague did that caused the operator to page you at night. Or you can see what your own line of thinking was when you did what you should not have done. Discarding your console log or hiding things requires an explanation. Even if it's extra work to type a rename of a file on the command line rather than use filelist against the 190 disk. And there's also RACF auditing and operator log and service machines to fill in the gaps.

Translating that to Linux meant no root access except for emergency actions and controlled automated processes (through SCIF, and logged). On Linux we used sudo for system staff, without passwords and no command restrictions. But with logging. And access control through cryptic keys etc. The biggest thing the security folks had with this was that such tight control for Linux on z/VM would imply that other platforms would be unable to meet those standards.
> By leaving root logged on at the console -- I shudder to think of the vulnerability there.
I cannot think for you and don't want to.

Rob

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
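Rob's position that passwordless, unrestricted sudo is acceptable "with logging" is worth seeing against actual log lines, because the logging has a blind spot. The following is an added example and is not code from the thread or from anyone on the LINUX-390 list: a small Python audit over sudo's default syslog record format (the sample lines, host name and user names are constructed for illustration), which tallies what each person ran as root and flags invocations such as `sudo bash` or `sudo su -` after which sudo writes nothing further, the Linux equivalent of the discarded console log he describes. The list of shell-escaping programs is an assumption, not exhaustive.

```python
"""Audit sudo activity from syslog-style lines.

Added example, not from the LINUX-390 thread. Assumes sudo's default syslog
format ("user : TTY=... ; PWD=... ; USER=... ; COMMAND=...") and the
constructed sample lines below; host and user names are made up.
"""
import re
from collections import defaultdict

# Constructed sample log lines in the format sudo writes to syslog by default.
# The sshd line is there only to show that non-sudo records are skipped.
SAMPLE_LOG = """\
Sep 27 22:14:03 lnx1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /var/log/messages
Sep 27 22:15:41 lnx1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Sep 27 22:30:12 lnx1 sudo:      bob : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/sbin/shutdown -r now
Sep 27 22:31:05 lnx1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Sep 27 22:32:00 lnx1 sudo:      bob : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/su -
Sep 27 22:33:00 lnx1 sshd[1234]: Accepted publickey for dave from 10.0.0.5 port 5555 ssh2
"""

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Programs after which sudo's own log goes blind: everything typed inside the
# shell, the su session or the editor's shell escape runs as root without a
# further sudo line. Assumed list for illustration, not exhaustive.
SHELL_ESCAPES = {"bash", "sh", "ksh", "csh", "zsh", "su", "vi", "vim", "less", "more"}


def parse_sudo_lines(text):
    """Return one dict per sudo invocation, ignoring every other syslog line."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_shell_escape(cmd):
    """True when the command opens a root session the sudo log cannot see into."""
    argv = cmd.split()
    if not argv:
        return False
    prog = argv[0].rsplit("/", 1)[-1]   # basename of the executable
    return prog in SHELL_ESCAPES


def audit(text):
    """Summarise who ran what as root and which invocations left no further trail."""
    events = parse_sudo_lines(text)
    per_user = defaultdict(list)
    escapes = []
    for ev in events:
        per_user[ev["user"]].append(ev["cmd"])
        if is_shell_escape(ev["cmd"]):
            escapes.append((ev["ts"], ev["user"], ev["cmd"]))
    return {"per_user": dict(per_user), "escapes": escapes}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for user, cmds in sorted(report["per_user"].items()):
        print(f"{user}: {len(cmds)} command(s) as root")
        for c in cmds:
            print(f"    {c}")
    print("invocations after which sudo logs nothing more:")
    for ts, user, cmd in report["escapes"]:
        print(f"    {ts} {user}: {cmd}")
```

On a real system the input would be `/var/log/auth.log` or `/var/log/secure` rather than the constructed string. The flagged lines are exactly where per-command sudo logging stops matching the spooled-console model from the VM side; sudo's `log_input` and `log_output` defaults (replayable with `sudoreplay`) record the whole session and close that gap.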
