[Intrusions] Requested opinions on Access.
Jim Hendrick
jrhendri at maine.rr.com
Fri Nov 12 11:12:58 GMT 2004

Sounds like you have (at least) two separate problems here.

First, the individual running crack either:

- was *very* misguided and needs a strong disciplinary reminder (at
  *least* a written reprimand) that this is unacceptable behavior. (You should
  also take this as a real wake-up call and review your security policies to
  be certain this type of activity is specifically addressed.)
- was actually trying to gain unauthorized access, in which case they
  should be terminated.

In either case, all passwords on that machine *must* be changed.

Second, you have the issue of separation of responsibility. I don't know how
this is done in your shop, whether you have enough staff to have one group
support the systems (using rootly powers) and the other support the
application (using database authority) or whether you need to share these
roles.

In either case, I strongly suggest sudo. You can not only restrict which
commands can be run as root, but (possibly) have some users do "sudo -u
oracle <command>"... (good luck with this one though. It is usually more
trouble than it is worth for the DBAs).

One thing about sudo however is that it is *not* a guard against anyone who
wants to get full root permissions. Even with restricted commands, it is
pretty simple to gain full root. (In other words, don't give sudo to anyone
you would not trust with the root password.) That said, it is an excellent
way to protect the root password itself. I have used it in a moderately
large (6000+) person company where we were able to literally lock the root
passwords away (in sealed envelopes, signed & dated across the seal in a
locked desk) and run for years with only sudo for even the system
administrators.

But anyway. PLEASE - for the security of the company, DEAL WITH THIS CRACK
ISSUE FIRST!!!

(I hope it was just misguided curiosity, but even if so, this individual
needs to be corrected and monitored closely due to their lack of judgment.)

Good luck!

Jim

-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of Wilson, Mark
Sent: Wednesday, November 10, 2004 10:42 AM
To: intrusions at lists.sans.org
Subject: [Intrusions] Requested opinions on Access.

Ladies and Gentlemen;

I have an issue with our Database Admins (DBAs) wanting the root passwords
for their workstations. We just recently had a DBA run a crack against a
shadow file and move the shadow file from one of the Unix machines to a PC.
We staff separate Systems Administrators that normally admin these
workstations, and I have a "symbiotic" relation on security issues with our
SAs and trust them to perform necessary updates.

Obvious issues aside, I would really like to hear about policies and issues
that others have in relation to DBAs having root access. These DBAs
support our Oracle Financials (ehhh shiver up my spine) that hold all our
customer financial information.

I would really appreciate responses to this since it has become a very
touchy issue and I'm getting stuck in the middle being the Security person.

Thanks.

Mark Wilson
Communications Analyst / IT Security
Eastern Municipal Water District
2270 Trumble Rd.
Perris Ca. 92572
951.928.3777.4544
www.emwd.org
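
The role separation discussed in this thread, sketched as a sudoers fragment. This is an added example and not part of either message; the group names `dba` and `sysadmin`, the log path and the script path are assumptions.

```sudoers
# /etc/sudoers.d/dba-separation  (constructed example; edit with visudo)
# Assumed names: groups "dba" and "sysadmin", account "oracle",
# log file /var/log/sudo.log, script /usr/local/sbin/restart-listener.

# Record every sudo invocation (invoking user, target user, command)
# in a dedicated file in addition to syslog.
Defaults logfile=/var/log/sudo.log

# --- Weak: a "restricted" root rule for DBAs ---------------------------
# This looks limited, but as the reply above points out, a restricted
# command list run as root is not a guard against gaining full root.
# Only grant a rule like this to someone you would also trust with the
# root password. Left commented out on purpose.
# %dba      ALL = (root) /usr/local/sbin/restart-listener

# --- Alternative: DBAs act as the application account, not as root -----
# Permits "sudo -u oracle <command>" and grants nothing as root.
%dba        ALL = (oracle) ALL

# --- System administrators: root through sudo only ---------------------
# The root password itself can stay locked away; each use of root is
# attributable to a named user in the log configured above.
%sysadmin   ALL = (root) ALL
```

Check the file with `visudo -c` before relying on it, and review the log for any `dba` member whose target user is not `oracle`.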