This article describes a number of best practices for protecting root accounts when implementing BoKS in your organization.
Protecting the root account
Protecting a Unix system is much about controlling access to the root account.
Commonly, a group of system administrators (SAs) have to be able to access programs that require super-user privileges. Typically, these SAs have to share a list of passwords for the common machines or sometimes they even have personal accounts with UID 0 so that they can perform privileged tasks and still use their personal password.
Recommended best practice:
Have the administrators have regular, non-privileged accounts and control their ability to gain super-user privileges by su or suexec that are controlled by BoKS.
Furthermore, to remove the need for the SAs to share (or know) the super-user password, consider using the BoKS feature of allowing users to su/suexec by using their own password or even do su/suexec without password.
Of course, su/suexec to root without password is a less secure approach since an unattended terminal may be used by an unauthorized person to gain super-user privileges. The use of su/suexec without password should therefore be combined with terminal session timeouts.
This feature of using the "from" user password also works with one-time password tokens like SecurID where an administrator can use their personal token to gain access to another account (e.g. root).
Due to its ability to allow only a controlled set of commands to be run as a privileged user, xRBAC is an alternative to, or can be used in combination with, su/suexec.
Still have questions? We can help. Submit a case to Technical Support.