On Thu, Aug 04, 2005 at 09:22:24PM +1000, Ken Foskey wrote:
> Got this one today, strange one:
>
> "Do you know if it is possible to set up a Linux Red Hat server to require
> two passwords to gain root access? The responsibilities for the server
> are going to be split over two different teams and we don't want either
> to have root access without the other team knowing about it. Please let
> me know if you can come up with something."
If all that matters is the other team "knowing about it" then I would
suggest that you send the syslog messages out to two different
machines on the network and let each team monitor their copy of the logs.
Then they know that if someone logged in as root and it wasn't one
of their guys then they should be checking up with the other guys.
On top of that, you add a polite procedure which says that each team
promises to notify the other team by email before they do a root login
so that if either team sees a login that they don't have notification
for then they know the politeness has been broken. This forces both
groups to prove that they can do simple organisational tasks like
keeping track of notifications and checking them off against observed
reality.
Of course, if they ever get hacked, the attacker is unlikely to use
a regular login and thus won't leave a regular log entry, but they might
leave something in the logs somewhere... and with two teams who are
actually forced (by their day-to-day procedure) to read the dang logs,
there is just a chance it will get noticed. Also, sending the logs
out across the network makes it harder for the intruder to edit history.
- Tel
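One way to run the cross-check described above, as an added example that is not part of the original post: a Python script that pulls root logins out of a team's remote syslog copy and flags any that had no e-mail notification in the preceding hour. The log lines, host name, addresses, notification times and the one-hour window are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the remote syslog copy one team receives (not real logs).
SYSLOG_LINES = """\
Aug  4 09:15:02 srv01 sshd[2041]: Accepted publickey for root from 10.0.0.12 port 51022 ssh2
Aug  4 11:40:17 srv01 su[3172]: (to root) alice on pts/1
Aug  4 14:02:55 srv01 sshd[4410]: Accepted password for root from 10.0.0.77 port 40112 ssh2
Aug  4 15:00:01 srv01 sshd[4622]: Accepted password for bob from 10.0.0.30 port 40200 ssh2
""".splitlines()

# Constructed sample: "we are about to log in as root" notices the teams sent.
NOTIFICATIONS = [
    ("team-a", datetime(2005, 8, 4, 9, 0)),
    ("team-b", datetime(2005, 8, 4, 11, 30)),
]

# Matches an sshd login as root or an su to root; other users are ignored.
ROOT_LOGIN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ "
    r"(?:sshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+)"
    r"|su\[\d+\]: \(to root\) (?P<who>\S+))"
)

def parse_root_logins(lines, year=2005):
    """Return (timestamp, origin) for each root login found in the lines."""
    events = []
    for line in lines:
        m = ROOT_LOGIN.search(line)
        if not m:
            continue
        # Classic syslog timestamps carry no year, so one is supplied (assumed).
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("src") or m.group("who")))
    return events

def unannounced(events, notifications, window=timedelta(hours=1)):
    """Return root logins with no notification sent within `window` before them."""
    flagged = []
    for ts, origin in events:
        covered = any(ts - window <= sent <= ts for _, sent in notifications)
        if not covered:
            flagged.append((ts, origin))
    return flagged

if __name__ == "__main__":
    for ts, origin in unannounced(parse_root_logins(SYSLOG_LINES), NOTIFICATIONS):
        print(f"UNANNOUNCED root login at {ts} from {origin}")
```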
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html