Auditors

Submitted by hcoyote on Wed, 2008-07-09 10:08.

Someone on #lopsa recently asked what he should tell an auditor who wants the root account completely disabled on a Unix system. The analogy I could come up with is:

Disabling root would be akin to cutting the master key to a building in half and making parts of the building unusable at certain times. You wouldn't be able to access things in emergencies to fix them, for example.

What other ways would you use to describe this?

Trackback URL for this post:

http://lopsa.org/trackback/1646

Submitted by Patrick Barnes on Thu, 2008-07-10 10:58.

"Your arteries have full access to your entire body. I'm going to need you to shut them down to prevent the spread of disease."

Submitted by marius on Thu, 2008-07-10 09:12.

Putting my former auditor hat back on...

The auditor is (or, at least, should be) looking for ways to mitigate a risk that they've identified. For the first step, I'd ask the auditor in question to clearly spell out the risk or implication that they've identified.

Second, in audit terms, there's a concept of a mitigating control. Say management says the risk is acceptable to them, then you would want to demonstrate mitigating technologies/processes/etc. that reduce the risk that the auditor identified for having the root account in place.

Things like audit trails of who uses the root account (maybe you only let local users switch to root through `su` instead of permitting network based logins that you can't identify the source user through), automated tools that reset the root password when someone needs to use the account (i.e., Bob requested root for this purpose, so the system will set the password for him and regenerate/scramble the password after a certain time window), etc.

-M
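The audit trail marius describes (knowing which local user became root via `su` or `sudo`, and when) is the kind of evidence an auditor will ask to see. The following script is an added example, not code from the thread or from LOPSA: it pulls root escalations out of syslog-style auth log lines. The log lines are constructed samples in the usual `su`/`sudo` message layout; the paths and names are assumptions for the demo.

```shell
#!/bin/sh
# Added example: summarize who obtained (or failed to obtain) root via su/sudo
# from syslog-style auth log lines, producing the per-user audit trail that a
# mitigating control for "root account in place" relies on.

# Constructed sample auth log in the common su/sudo message layout (not real data).
SAMPLE_LOG='Jul 10 09:12:01 host su[2101]: (to root) bob on pts/0
Jul 10 09:13:05 host sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/systemctl restart sshd
Jul 10 09:14:22 host sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50022 ssh2
Jul 10 09:15:00 host su[2150]: FAILED SU (to root) carol on pts/1
Jul 10 09:16:41 host sudo:  alice : TTY=pts/2 ; PWD=/tmp ; USER=postgres ; COMMAND=/bin/ls'

# Print one line "user method tty" for every su/sudo event that targeted root.
# $1: path of the log file to read.
root_escalations() {
    awk '
        # su success: "... su[pid]: (to root) USER on TTY"
        / su(\[[0-9]+\])?: \(to root\) / {
            for (i = 1; i <= NF; i++) if ($i == "root)") { print $(i+1), "su", $(i+3); break }
            next
        }
        # su failure: "... su[pid]: FAILED SU (to root) USER on TTY"
        / su(\[[0-9]+\])?: FAILED SU \(to root\) / {
            for (i = 1; i <= NF; i++) if ($i == "root)") { print $(i+1), "su-failed", $(i+3); break }
            next
        }
        # sudo to root: "... sudo: USER : TTY=... ; PWD=... ; USER=root ; COMMAND=..."
        / sudo(\[[0-9]+\])?: / && / USER=root / {
            for (i = 1; i <= NF; i++) if ($i ~ /^sudo(\[[0-9]+\])?:$/) { user = $(i+1); break }
            for (i = 1; i <= NF; i++) if ($i ~ /^TTY=/) { tty = substr($i, 5); break }
            print user, "sudo", tty
        }
    ' "$1"
}

# Demo: write the constructed sample to a temp file and report on it.
LOG_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOG_FILE"
echo "root escalations found in $LOG_FILE:"
root_escalations "$LOG_FILE"
```

On a real host the input would be `/var/log/auth.log` or `/var/log/secure`; the sudo-to-another-user line (`USER=postgres`) and the unrelated sshd line are deliberately left out of the report, and the failed `su` is kept because an auditor cares about attempts as well as successes.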

Submitted by hcoyote on Thu, 2008-07-10 09:24.

Oh, I recognize that. Good auditors are hard to come by. In this particular case, (from the description of the event), the auditor was just following a rote list of bullet points without understanding what they really meant or what the effects really were.

Submitted by leonvs on Thu, 2008-07-10 06:57.

What do you mean by "completely disabled"? As in, gone? Yeah, you can't do that. But I have often run environments where I star out the root password, disallowing any form of password-based authentication. As long as you have a method to boot single-user, this works well. Access to the root shell then requires SSH from a trusted host, or "sudo su" or the like from an account on the box itself. You might even be able to get away with disabling root's shell, but that's something I haven't tried.
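To show an auditor that the "starred-out root" setup leonvs describes is actually in effect, you want a repeatable check rather than a verbal assurance. The script below is an added example, not code from the thread or from LOPSA: it verifies that root's shadow entry holds no usable password hash and reads the `PermitRootLogin` value sshd would apply. It takes file paths as arguments so it runs here on constructed sample copies of `/etc/shadow` and `sshd_config`; all file contents and user names are made up for the demo.

```shell
#!/bin/sh
# Added example: check the two halves of a "no password auth to root" policy:
# (1) root's password field is locked in shadow, (2) sshd does not permit
# password logins for root. Operates on file copies passed as arguments.

# Constructed sample files (not real system data).
SAMPLE_SHADOW_LOCKED='root:*:17700:0:99999:7:::
leonvs:$6$saltsalt$constructedhashvalue:17700:0:99999:7:::'
SAMPLE_SHADOW_OPEN='root:$6$saltsalt$constructedhashvalue:17700:0:99999:7:::'
SAMPLE_SSHD_CONFIG='# constructed sshd_config
Port 22
PermitRootLogin without-password
# sshd keeps the first value it sees for a keyword, so this later line is ignored
PermitRootLogin yes
PasswordAuthentication yes'
SAMPLE_SSHD_CONFIG_MATCH_ONLY='Match User leonvs
PermitRootLogin yes'

# Return 0 when root's password field in the given shadow file is locked
# ("*", "*LK*", "!", "!!", or a "!"-prefixed hash), i.e. no password can match.
root_password_locked() {
    hash=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$hash" in
        \**|\!*) return 0 ;;   # locked: nothing a user types will hash to this
        "")      return 1 ;;   # empty field: passwordless root, worse than a hash
        *)       return 1 ;;   # a real hash: root password auth is possible
    esac
}

# Print the PermitRootLogin value sshd would use: the first occurrence outside
# any Match block (global keywords cannot follow a Match line). Prints "unset"
# when absent; the default then depends on the OpenSSH version ("yes" on old
# releases, "prohibit-password" on current ones), so treat "unset" as a finding.
sshd_permit_root_login() {
    awk '
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 when the effective sshd policy blocks root password logins.
root_ssh_password_blocked() {
    case "$(sshd_permit_root_login "$1")" in
        no|without-password|prohibit-password) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on the constructed samples.
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_SHADOW_LOCKED" > "$tmp/shadow.locked"
printf '%s\n' "$SAMPLE_SHADOW_OPEN" > "$tmp/shadow.open"
printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$tmp/sshd_config"
printf '%s\n' "$SAMPLE_SSHD_CONFIG_MATCH_ONLY" > "$tmp/sshd_config.matchonly"
for f in shadow.locked shadow.open; do
    if root_password_locked "$tmp/$f"; then echo "$f: root password locked"; else echo "$f: root password USABLE"; fi
done
for c in sshd_config sshd_config.matchonly; do
    echo "$c: PermitRootLogin = $(sshd_permit_root_login "$tmp/$c")"
done
```

The shadow check is what "star out the root password" means in practice: with `*` in the hash field, `su`, console login and `sshd` password prompts can never succeed, but key-based SSH from a trusted host and `sudo su` from a local account still work, and single-user boot remains the break-glass path. The `Match` handling is there because a `PermitRootLogin yes` that only appears inside a `Match` block is not the global policy and should not be reported as such.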

Submitted by hcoyote on Thu, 2008-07-10 09:26.

Yeah, that's what I took away from the conversation. "completely gone".

The SA understood the effects and hassles of doing this but couldn't come up with an analogy that the auditor would understand.