> That really wouldn't work for our environment (at least). Operators > have the ability to "logonby". The worst they could do would be a #cp > logoff. > > By leaving root logged on at the console -- I shudder to think of the > vulnerability there.
How so? 1) For Linux on Z, there is no legitimate reason to be using the console for anything but emergencies that have broken network access to the guest. ssh with keyrings and sudo are for normal maintenance and operations access. If the server is so horked that you need the console, you DEFINITELY don't want J Random Luser messing with it. In that scenario, the people who will be working at the console already HAVE the root password or an equivalent security token and can do as much damage as they like. You aren't improving the security of things any by requiring the extra login at the console. 2) You have a authentication method as strong as the Unix login already in place (the VM userid login), assuming that you have decent password policies in place already for the VM side (and if not, why not?). 3) You can audit the living heck out of the VM login with an ESM, and even without one, CP does some fairly decent logging that's really, REALLY hard to circumvent. 4) LOGONBY can be selective -- no need to give them access to *everything*. I guess I'm more confident in the VM side of the world and the audit capabilities there. I think I'd be able to make the case to an hostile auditor. ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
