Hi,
In my previous posting I asked for help and advise on what precautions I
should take if I allow a external person root access to a selected number
of workstations.
I must first thank Lucio Chiappetti, Sean O'Connell, Bruce Taube, Ross
Alexander, Kurt Carlson, Dirk Grunwald and Andrew L. Weston for their
quick and informative responses!
Most people believed that any such decision should be made by, and
responsible to, a manager with sufficient authority. This is sound advice
and one which I shall be seeking.
Assuming I go ahead, the general consensus was to either limit the
external developers powers via SUDO and/or to monitor all activity by
enabling a strong audit software. However, as Kurt Carlson pointed out,
nothing is traceable in single user mode.
Since the external developer would be accessing the machined via
telnet, Ross Alexander suggested I use a secure shell;
http://www.cs.hut.fi/ssh/
which assures the root passwords won't be snoopable. According to the
documentation, 'ssh' can be used as a direct replacement for telnet, rsh,
rlogin and others. This is good advice in general and certainly something
I will investigate.
Dirk Grunwald suggested I should look at 'PBS' from NASA AMES as he has
successfully ported the source over to Digital UNIX.
So then, in view of the advice, I believe the best policy is to isolate 2
workstations from our main cluster. The main steps being:
a) Obtain permission from my senior manager.
b) Get the external developer to sign and return a binding agreement.
1) Rename and reallocate IPs to both workstations.
2) Remove these workstations from NIS.
3) Remove any NFS mounts.
4) Setup /etc/passwd and change root password.
5) Connect both workstations together appropriately ensuring any
sensitive data is unaccessible.
6) Setup NQS between these workstations.
7) Then, allow root access to these isolated workstations.
8) On completion, I simply reinstall Digital UNIX from CD and
re-apply the patch kits (only a couple of hours work). This then
complete wipes any problems.
Step 8) is a bit drastic but one which I am happy with.
Regards,
Rich
/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ _ \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\
/_/ Richard A Bemrose /_\ Polymers and Colloids Group \_\
/_/ email: rb237_at_phy.cam.ac.uk /_\ Cavendish Laboratory \_\
/_/ Tel: +44 (0)1223 337 267 /_\ University of Cambridge \_\
/_/ Fax: +44 (0)1223 337 000 /_\ Madingley Road \_\
/_/ (space for rent) / \ Cambridge, CB3 0HE, UK \_\
/_/_/_/_/_/_/
http://www.poco.phy.cam.ac.uk/~rb237 \_\_\_\_\_\_\
"Life is everything and nothing all at once"
-- Billy Corgan, Smashing Pumpkins
Received on Thu Apr 09 1998 - 13:33:37 NZST