[TriLUG] Criteria for superuser access

Ed Warnicke hagbard at physics.rutgers.edu
Tue Jun 18 19:29:53 EDT 2002


1)	Only allow a user root access through a tool like sudo
	that logs what they do, and don't allow them to use 
	sudo to get a root shell.  This means everyone, even you.
	I have yet to find a situation in which sudo was functional
	where it would not allow me to do what I needed done.   

	I would even go so far as to recommend NOT having root 
	passwords if you can manage it.  

2)	All accounts that are authorized to get root access must be
	authenticated with a one time password card ( DES Gold, 
	etc).  Period.  It's just better not to care who sees the 
	password.

3)	People should only be given as much root access as they need.
	If a user needs to execute a small set of specific commands
	as root they should only be able to execute those commands 
	( again, sudo is good for this ).  

4)	If a user MUST have general root access ( and sometimes this 
	will be necessary ) then that person MUST be sufficiently 
	capable with *nix that they will not screw things up.  If they 
	can't convince you that they know what they are doing and 
	are respectful of how dangerous root can be then they 
	shouldn't have general root level access.

5)	Review who has what root access periodically ( once a quarter or
	so ) and reconsider whether they still need it, or whether it 
	would be advisable to let them keep it.  There will be times 
	when someone doesn't still need it but it may be advisable 
	for them to retain root access.  

	I had general root access on ~80 boxes I used to maintain for a 
	couple of years after I ceased maintaining them.  It was 
	advisable to let me keep it because I was willing to come in and
	help my replacement figure out problems from time to time.

Ed
  
On Tue, 2002-06-18 at 19:00, Janyne Kizer wrote:
> Management has asked me to "define a list of criteria and procedures
> that you deem acceptable for everyone who has root access."  I
> was wondering if any of you have had to do this and what you suggest. 
> Thanks so much!
> -- 
> Janyne Kizer
> CNE-3, CNE-4, CNE-5
> Systems Programmer Administrator I
> NC State University, College of Agriculture & Life Sciences
> Extension and Administrative Technology Services
> _______________________________________________
> TriLUG mailing list
>     http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ:
>     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
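As an added check for points 1 and 5 above (example code, not from the original post): a small Python script that reads sudo's standard syslog lines, flags any entry that handed someone an interactive root shell, and records each user's most recent root use for the periodic access review. The log lines are constructed samples, and the set of shell binaries is an assumption to adapt locally.

```python
import re

# Standard sudo syslog line (constructed samples below follow this shape):
#   "<mon> <day> <time> <host> sudo[pid]: <user> : TTY=.. ; PWD=.. ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+sudo(?:\[\d+\])?:\s+(?P<user>\S+)\s+:"
    r".*?;\s*USER=(?P<target>\S+)\s*;\s*COMMAND=(?P<cmd>.*)$"
)

# Programs that give the caller an interactive shell (assumed list; extend for local shells).
SHELL_BINARIES = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "su"}

# Constructed sample log: three users, one of whom ran "sudo /bin/bash" (or "sudo -i"),
# one non-root shell (USER=postgres), and one unrelated sshd line that must be ignored.
SAMPLE_LOG = """\
Jun 18 19:01:12 box1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service httpd restart
Jun 18 19:05:40 box1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jun 18 19:07:03 box2 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/tail /var/log/messages
Jun 18 19:09:55 box2 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=postgres ; COMMAND=/bin/sh
Jun 18 19:10:00 box2 sshd[123]: Accepted publickey for alice from 10.0.0.5
""".splitlines()


def parse_sudo_line(line):
    """Return the fields of a sudo log line as a dict, or None for any other line."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None


def is_root_shell(cmd, target):
    """True when the logged command gave an interactive shell as root."""
    if target != "root":
        return False
    argv = cmd.split()
    return bool(argv) and argv[0].rsplit("/", 1)[-1] in SHELL_BINARIES


def review(lines):
    """Return (last root use per user, list of root-shell invocations) for a log."""
    last_use, shells = {}, []
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        last_use[rec["user"]] = rec["ts"]
        if is_root_shell(rec["cmd"], rec["target"]):
            shells.append((rec["user"], rec["host"], rec["cmd"]))
    return last_use, shells


if __name__ == "__main__":
    used, escalations = review(SAMPLE_LOG)
    for user, ts in sorted(used.items()):
        print(f"{user:10s} last sudo use: {ts}")
    for user, host, cmd in escalations:
        print(f"ROOT SHELL: {user} on {host}: {cmd}")
```

Keeping root shells out in the first place is a sudoers matter (list the permitted commands rather than granting ALL); this only reports what the log shows did happen.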
