Matthew J. Salerno wrote:
> I completely agree with your statement.  The plan is to go with sudo
> but block su.  Multi-user machine, everyone has access to "su -", I
> only want admins to be able to use it if absolutely needed.  If nobody
> is watching the security logs, what's to stop a brute force password
> cracking script from trying to get the root password?  Sure policies
> and procedures should be able to prevent it - Log monitoring, root
> passwd changed every 30 days, etc. but I feel that locking down su is
> just as important, and I know I can't be the only one.

Disable root logins. Ensure administrators use good passwords. Change permissions on /bin/su so only root can use it (but I think the RHEL/Fedora scripts do not). You will need to do this whenever the coreutils package is updated; a daily (or boot-time, depending on your procedures) cron or startup script will attend to it.

Finally, if anyone is found trying to crack the system, escort them to the door, and call the cops.

Login failures are recorded; use logwatch to summarise them and read them. If it matters enough, configure syslog to record them to a pipe and monitor them in real time. A package called pop-before-smtp provides model code you could adapt. Basically, it uses regexes to scan the log and does something when it gets a match.

Where I work, we monitor web access and we have a list of sites a particular class of user may not visit, and there are Google searches forbidden to them - such as looking for a proxy server. When we detect an infringement, we implement a firewall rule that terminates their internet access. It's quite effective; there's an occasional attempt (and even rarer false positives).

In your case, when scanning the log, your "does something" might be to kill the user's processes on the spot, email (or SMS or page) "the boss" and, maybe, disable the account pending a manual review.


--

Cheers
John

-- spambait
[email protected]  [email protected]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list

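The two procedures John describes (re-apply restrictive permissions on /bin/su from a cron or boot-time job, and scan the auth log with a regex and act on matches) as one script. This is an added example, not code from the post or from pop-before-smtp. Every site setting in it is an assumption: SU_BIN, SU_GROUP, PAM_SU, LOG_FILE, ADMIN_MAIL, THRESHOLD and DRY_RUN are placeholders, and the log lines are constructed samples in the pam_unix format that su on RHEL writes to /var/log/secure, not a real capture. It also checks the alternative a practitioner would want to know about: RHEL ships /etc/pam.d/su with a commented-out `auth required pam_wheel.so use_uid` line, and uncommenting it restricts su to the wheel group in a way a coreutils update does not undo.

```shell
#!/bin/sh
# Added example for the advice above; not code from the original post.
# Part 1: keep /bin/su usable only by root and one admin group (the job the
#         post wants re-run after every coreutils update), plus a check for
#         the pam_wheel alternative that a package update does not undo.
# Part 2: the "scan the log with a regex and do something on a match" loop,
#         run here over constructed sample lines in the pam_unix format that
#         su on RHEL logs to /var/log/secure.
# All of these settings are hypothetical; adjust them for your site.
SU_BIN="${SU_BIN:-/bin/su}"
SU_GROUP="${SU_GROUP:-wheel}"              # group allowed to run su
PAM_SU="${PAM_SU:-/etc/pam.d/su}"
LOG_FILE="${LOG_FILE:-/var/log/secure}"
ADMIN_MAIL="${ADMIN_MAIL:-root@localhost}" # placeholder recipient
THRESHOLD="${THRESHOLD:-3}"                # failed su attempts before acting
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print actions instead of running them

# Mode 4750: su must stay setuid root to work at all; removing world execute
# leaves only root and members of the file's group able to run it.
su_is_locked() {   # usage: su_is_locked BINARY
    [ -n "$(find "$1" -perm 4750 2>/dev/null)" ]
}

lock_su() {   # usage: lock_su BINARY GROUP
    bin="$1"; grp="${2:-root}"
    # chgrp needs root, so it is skipped when run as an ordinary user.
    [ "$(id -u)" -eq 0 ] && chgrp "$grp" "$bin"
    chmod 4750 "$bin"
    su_is_locked "$bin"
}

# True when the PAM file has an uncommented pam_wheel line (RHEL ships it
# commented out); then su is already restricted to the wheel group.
pam_wheel_enabled() {   # usage: pam_wheel_enabled PAMFILE
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# Constructed sample of /var/log/secure, not a real capture: five failed
# "su -" attempts by alice, one by bob followed by a success, one sshd line.
sample_log() {
    cat <<'EOF'
Mar  3 09:10:01 box su: pam_unix(su-l:auth): authentication failure; logname=alice uid=500 euid=0 tty=pts/0 ruser=alice rhost=  user=root
Mar  3 09:10:05 box su: pam_unix(su-l:auth): authentication failure; logname=alice uid=500 euid=0 tty=pts/0 ruser=alice rhost=  user=root
Mar  3 09:10:09 box su: pam_unix(su-l:auth): authentication failure; logname=alice uid=500 euid=0 tty=pts/0 ruser=alice rhost=  user=root
Mar  3 09:10:13 box su: pam_unix(su-l:auth): authentication failure; logname=alice uid=500 euid=0 tty=pts/0 ruser=alice rhost=  user=root
Mar  3 09:10:17 box su: pam_unix(su-l:auth): authentication failure; logname=alice uid=500 euid=0 tty=pts/0 ruser=alice rhost=  user=root
Mar  3 09:11:40 box su: pam_unix(su-l:auth): authentication failure; logname=bob uid=501 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Mar  3 09:11:44 box su: pam_unix(su-l:session): session opened for user root by bob(uid=501)
Mar  3 09:12:00 box sshd[2210]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
EOF
}

# Print "user count" for every user with failed su attempts in LOGFILE.
# The regex accepts both "su" and "su -" (PAM service su-l) and ignores
# sshd failures, which the per-user response below is not about.
count_su_failures() {   # usage: count_su_failures LOGFILE
    awk '/ su(-l)?(\[[0-9]+\])?: pam_unix\(su(-l)?:auth\): authentication failure;/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^ruser=/) { sub(/^ruser=/, "", $i); n[$i]++ }
         }
         END { for (u in n) print u, n[u] }' "$1" | sort
}

offenders() {   # usage: offenders LOGFILE THRESHOLD
    count_su_failures "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

run() {   # honour DRY_RUN
    if [ "$DRY_RUN" = 1 ]; then echo "would run: $*"; else "$@"; fi
}

# The post's "does something": kill the user's processes, lock the account
# pending manual review, and tell the boss.
respond() {   # usage: respond USER
    run pkill -KILL -u "$1" || true
    run usermod -L "$1"
    printf 'Repeated su failures by %s on %s\n' "$1" "$(uname -n)" \
        | run mail -s "su brute force: $1" "$ADMIN_MAIL"
}

main() {
    pam_wheel_enabled "$PAM_SU" && echo "pam_wheel already restricts su via $PAM_SU"
    su_is_locked "$SU_BIN" || lock_su "$SU_BIN" "$SU_GROUP"
    for u in $(offenders "$LOG_FILE" "$THRESHOLD"); do respond "$u"; done
}
case "${1:-}" in run) main ;; esac   # e.g.  DRY_RUN=0 sh su-lockdown.sh run  from cron
```

Run it with `DRY_RUN=1 sh su-lockdown.sh run` first to see which accounts it would lock and which commands it would issue, then put `DRY_RUN=0` in the cron or startup job. Scanning the whole log each run means an offender is reported on every run until the log rotates; a real deployment would feed the regex from a syslog pipe, as the post suggests, or remember the last line handled.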