-- Tom Webster <webster_at_ssdpdc.lgb.cal.boeing.com>

davidstacks1964 wrote:
>Hello All!
>
>First want to say that I hope all have had a wonderful holiday season.
>
>Also want to say that I did find one solution to the problem that I have, but the solution was not that clear to me. Hopefully Chris Ford is still a member of the list.
>
>Here is the task that I am working on:
>
>I have several UNIX Tru64 servers with Oracle Administrative accounts. What I want to do is lock down the oracle admin account so no direct login can be done to this account, but will allow the DBAs to log in as themselves, then su to the oracle admin account.
>
>I'll cut and paste the solution that I found below, and if anyone knows how to incorporate the use of the /etc/securettys file, or has another way of doing this, I'd greatly appreciate the help.
>
>I have already tried locking a test account then attempting to su to the test account. Per the man page for su, this is not allowed, and I have found this to be true.
>
>Thanks,
>
>David Stacks
>Sr. System Analyst
>Entergy Corp.
>(870) 543-5436
>dstacks_at_entergy.com
>
>***************************************************************************
>
>Solution that I found:
>
>[SUMMARY] Preventing application account access
>
>    To: "Tru64-Unix-Managers_at_xxxxx Gov (E-mail)" <tru64-unix-managers_at_xxxxxxxx>
>    Subject: [SUMMARY] Preventing application account access
>    From: "Roberts, Blake" <broberts_at_xxxxxxxxx>
>    Date: Thu, 15 Aug 2002 15:40:57 -0500
>    Delivered-to: tru64-unix-managers_at_sws1.ctd.ornl.gov
>    Followup-to: poster
>    Sender: tru64-unix-managers-owner_at_xxxxxxxx
>    Thread-Index: AcJEigcoPesPw3PMQeWW+Hymt0/x0AAASHegAAQnmwA=
>    Thread-Topic: Preventing application account access
>
>Thanks go to Chris Ford (Chris.Ford_at_acxiom.com)
>
>To do this properly, there is no easy way. You have to make an addition to the profile of each user (will probably add it to /etc/skel) and call a script which reads a file similar to /etc/securettys. I tested the solution, and it works like a champ!
>
>Best regards,
>--Blake Roberts
>UNIX Systems Administrator
>ERCOT-Austin
>512.225.7178
>512.695.5071 (cell)
>
>-----Original Message-----
>From: Roberts, Blake
>Sent: Thursday, August 15, 2002 1:42 PM
>To: Tru64-Unix-Managers_at_Ornl. Gov (E-mail)
>Subject: [ADDENDUM] Preventing application account access
>
>I forgot to mention, I have sudo installed on the system, but I have not found a way for it to prompt me for the password of the administrative account. Since, by default anyway, it prompts for your own password, if the user's password is compromised (by writing it down and leaving it on their desk, etc), there is no way to keep people away from the big accounts.
>
>--Blake
>
>-----Original Message-----
>From: Roberts, Blake
>Sent: Thursday, August 15, 2002 1:32 PM
>To: Tru64-Unix-Managers_at_Ornl. Gov (E-mail)
>Subject: Preventing application account access
>
>Folks,
>
>I'm running a Tru64 5.1 PK5 Enhanced Security environment. Per a new (and decent) password policy that is being implemented, I need to restrict the application admin accounts so that they will su from a personal account to the administrative account (such as oracle), similar to what you need to do if root is locked down properly.
>
>My problem is, in base security, if I lock the account, you can log in as a user, then su to it just fine. In enhanced security, you can't do that. It needs to be unlocked to be able to log into it. Does anyone know of a trick, edauth flag, etc, that needs to be set for the account to be able to be su'd to, but not directly logged in to?
>
>Best regards,
>
>--Blake Roberts
>UNIX Systems Administrator
>ERCOT-Austin
>512.225.7178
>512.695.5071 (cell)

Received on Thu Jan 06 2005 - 16:06:31 NZDT
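
A sketch of the kind of profile-time check the quoted summary describes, added here as an example; it is not the script from the thread, which the message does not reproduce. The function name `check_session`, the list file `/etc/su_only_accounts` and its line format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed list format, one entry per line:
#   account[:user1,user2,...]     '#' starts a comment
# A listed account may not be logged in to directly; if users are named,
# only they may su to it, otherwise any other account may.

# check_session ACCOUNT ORIGIN LISTFILE
#   ACCOUNT  account the shell now runs as       (e.g. from `id -un`)
#   ORIGIN   name the session first logged in as (e.g. from `logname`)
# Returns 0 to allow the session, 1 to deny it.
check_session() {
    account=$1 origin=$2 listfile=$3
    # Fail closed: without a readable list no decision can be trusted.
    [ -r "$listfile" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop comments
        line=$(printf '%s' "$line" | tr -d ' \t')     # drop blanks
        [ -n "$line" ] || continue
        name=${line%%:*}
        [ "$name" = "$account" ] || continue
        # Listed account: an unknown origin or a direct login is denied.
        [ -n "$origin" ] && [ "$origin" != "$account" ] || return 1
        case $line in
            *:*) users=${line#*:} ;;
            *)   return 0 ;;                          # no user list: any su is fine
        esac
        case ",$users," in
            *",$origin,"*) return 0 ;;
            *)             return 1 ;;
        esac
    done < "$listfile"
    return 0    # account not listed, so not restricted
}

# Hypothetical use near the top of the restricted account's profile:
#   check_session "$(id -un)" "$(logname)" /etc/su_only_accounts || {
#       echo "Direct login to this account is not permitted." >&2
#       exit 1
#   }
```

A check of this kind only covers sessions that actually read the profile, so it works alongside the account-level controls discussed in the thread, not in place of them.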
This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:45 NZDT