On 04/28/11 22:52, Stefan N wrote:
Hi All,
I would need some suggestions from you. Currently I am setting up OpenBSD
Firewall using PF at my working place.
However, some of my colleagues are not so familiar with OpenBSD and we would
like to take turns to do that. I intend to limit
the usage of and access to the root account.
I intend to give them 'more than enough' access to do daily
administrative tasks as firewall admin, like:
1. View/Configure IP Address, Subnet of network interface, VLAN and CARP
2. View/Configure default gateway and static route
3. View/Change the entry of DNS Server IP
4. Configure Syslog
5. Add/Remove PF rule
6. Backup/Restore
8. Viewing traffic using tcpdump
Is it possible to make some CLI menu which will appear to the fw admin after
login, as long as they can do their job?
Example:
OpenBSD/i386
login:bob
password:xxxxxxxx
Please select the task below:
1>View/Configure IP Address, Subnet of network interface,VLAN and CARP
2>View/Configure default gateway and static route
3>View/Change the entry of DNS Server IP
4>Configure Syslog
5>Add/Remove PF rule
6>Backup/Restore
7>Viewing traffic using tcpdump
8>Logout
Or is there a better way to limit the usage and access of root account by fw
admin?
My intention is: I would like to give enough access for the fw admin to do their
job using a simple way.
Thank you in advance.
Regards,
Stefan

I have seen multiple attempts to do things like this. I've made money
cleaning up after people who bungled things with such things.
Really, you'd be far better off teaching them how to actually deal with how
to administrate OpenBSD systems. You could get cheap Dells ($25 - $40
last time I looked) for each person and let them bang on them and learn.
Root is powerful, and on production systems one little slip can cost a lot
of money. TEACHING people how to deal with things is far better than some
kind of pseudo-jail to keep the animals in their cages.
--STeve Andre'