On Wed, May 14, 2008 at 11:06:28PM -0700, Scott Rotondo wrote:
> There's another way you might solve the same problem and achieve some
> other benefits simultaneously.

Also, provided that root can only log in on console and console access authorization is checked and audited by an external system, then you can still tie audit records to an actual user.

The system in question had randomized root passwords that would be changed within some time of their being "checked out," and, as indicated above, those passwords could only be used on the console.

I helped deploy such a console access system years ago, so I know people do it. With ILOMs it gets a bit more interesting, but not all that much harder.

The problem with this approach is that there's a necessary software component not delivered by us or as part of OpenSolaris, not today anyways.

Nico
--
