Even though I don't do Linux work...I agree with Robert here.

Now, it would be a nice feature on the Linux installs, I would imagine,
if RH and Novell and others made it easy to set this up as the install
was running. At least as far as setting up one admin account/password
etc.

Kevin

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of RPN01
Sent: Tuesday, April 15, 2008 9:56 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: recover root password

By default, sudo expects root's password. But, it can be easily
configured to expect the user to enter his own password instead. It's a
one line change.

RedHat and SuSE expect administrators to use the root account because
"It's always been done that way." But, when you have more than one
administrator, and especially if you have more than a handful, like six
to fifteen, then doing so gives you no accountability for what has been
done to your systems.

Anyone sticking to the "I have to have root!" model of system
administration is leaving themselves open to a huge awakening as
Sarbanes-Oxley and other regulations overtake us. While we aren't
required by law to conform to Sarbanes-Oxley, we've chosen to bring
ourselves as close as we possibly can. One of the requirements is that
what is done to your systems is done with accountability. To be
completely compliant, everything done by / with root will need to be
logged, showing what was done, and by whom. Can you do that now, with
two or more people logging into root? Can you do it with even one person
logging into root? Not on any distribution I know today. So you aren't
compliant, and will be pinged on your audit, and if you're required to
be S-O compliant, you're leaving your company open to legal action.

Just because it's the way RedHat or SuSE does it doesn't make it the
standard. You need it for the installation, which may be why both RedHat
and SuSE are set up that way. It doesn't mean you have to stay that way
once the system is up and running. You change other things on the system
after the install, so I don't see the reasoning of holding up the
standard that "It comes that way, so it should stay that way." That
doesn't make any sense.

I stand by my statement: Get out of root as soon as you possibly can
after the install, and stay out of root as much as you possibly can.
Complain to vendors when they force you to use root to install their
products. Complain to vendors that force you to run their product as
root. These are practices that shortly will not be acceptable. And the
time shortens every time some retailer loses thousands of credit card
records. We didn't lose that information, but we're the ones that it is
easiest to go to and say "You've got to improve security! You have to
have accountability!" So we're the ones that will ultimately pay the
price. I predict that this will be one of the costs in the short term.

Anyone willing to bet a coke on it?

--
Robert P. Nix          Mayo Foundation        .~.
RO-OE-5-55             200 First Street SW    /V\
507-284-0844           Rochester, MN 55905   /( )\
-----                                        ^^-^^
"In theory, theory and practice are the same, but
 in practice, theory and practice are different."



On 4/14/08 5:34 PM, "John Summerfield" <[EMAIL PROTECTED]> wrote:

> RPN01 wrote:
>> Would it be the wrong time to suggest that, once you have the system
>> installed, up and running, nobody should ever log in as root, except
>> in dire or unavoidable circumstances.
>>
>> Once you have the system, give your system administration group sudo
>> all privs. Then just don't log into root at all. This gives you
>> accountability
>
> Red Hat expects administrators to know and use root's password. That's
> what su does.
>
> SUSE expects administrators to know and use root's password. It
> configures sudo to work that way.
>
> Until the vendors change their approach, administrators are going to
> be working that way.
>
> The only Linux distribution that expects administrators to use their
> own password is Ubuntu, and while it's based off Debian that is
> available for IBM mainframes, Ubuntu isn't yet.
>
>
>
> One can also login as root without password if ssh is so configured.
>
>
>
> --
>
> Cheers
> John
>
> -- spambait
> [EMAIL PROTECTED]  [EMAIL PROTECTED]
> -- Advice
> http://webfoot.com/advice/email.top.php
> http://www.catb.org/~esr/faqs/smart-questions.html
> http://support.microsoft.com/kb/555375
>
> You cannot reply off-list:-)
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
> http://www.marist.edu/htbin/wlvindex?LINUX-390
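
Added example (not part of the thread, and not code from any of its participants): the accountability point discussed above, shown as a small audit over constructed syslog lines in the usual sudo and OpenSSH formats. It separates root commands that carry an administrator's name from root sessions that do not; the host, user names, addresses and the audit() helper are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (hosts, users and addresses are made up).
SAMPLE_LOG = """\
Apr 15 09:40:02 lnx1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service httpd restart
Apr 15 09:41:17 lnx1 sshd[2211]: Accepted password for root from 192.0.2.10 port 40112 ssh2
Apr 15 09:43:55 lnx1 sudo:      bob : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/fstab
Apr 15 09:44:30 lnx1 sudo:    carol : TTY=pts/3 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Apr 15 09:50:08 lnx1 sshd[2290]: Accepted publickey for root from 192.0.2.11 port 40200 ssh2
"""

SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
SSH_ROOT_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for root from (?P<src>\S+)")
# Programs that hand over an interactive root session instead of one command.
SHELL_LIKE = {"/bin/sh", "/bin/bash", "/bin/ksh", "/bin/zsh", "/bin/su"}


def audit(log_text):
    """Split root activity into attributed commands and unattributed sessions."""
    attributed = defaultdict(list)  # admin -> commands run as root via sudo
    unattributed = []               # root sessions whose actions name nobody
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m and m.group("target") == "root":
            cmd = m.group("cmd").strip()
            if cmd.split()[0] in SHELL_LIKE:
                # sudo records who opened the shell, not what was typed in it.
                unattributed.append(f"root shell opened by {m.group('user')}: {cmd}")
            else:
                attributed[m.group("user")].append(cmd)
            continue
        m = SSH_ROOT_RE.search(line)
        if m:
            unattributed.append(
                f"direct root login ({m.group('method')}) from {m.group('src')}")
    return dict(attributed), unattributed


if __name__ == "__main__":
    by_admin, gaps = audit(SAMPLE_LOG)
    for admin, cmds in sorted(by_admin.items()):
        print(f"{admin}: {cmds}")
    for gap in gaps:
        print("NO ACCOUNTABILITY:", gap)
```

Both direct root logins, including the key-based one, show only a source address, while each sudo entry carries the administrator's own name next to the command.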
