PrevPrev Go to previous topic
NextNext Go to next topic
Last Post 10/17/2016 8:37 AM by  Unix-dude
Use of sudo
 4 Replies
Sort:
You are not authorized to post a reply.
Author Messages
Unix-dude
Transition Architect
Private
Basic Member
(10 points)
Basic Member
Posts:4


Send Message:

--
10/13/2016 9:52 AM
    I'm a consultant, with background as a Unix administrator. My team is doing a security review for a client and looking at a Lawson installation on AIX. My client makes heavy use of sudo, a tool that doles out root privileges to specific users. Looking at the sudo logs, this is what I see dozens of instances of Lawson users executing "sudo su -", effectively becoming root complete with a hash prompt, creating users with the "useradd" command even though the system uses LDAP authentication working with Active Directory (and never deleting those accounts), the Lawson account itself has the ability to su to root, and does with some frequency, as does the Oracle account. I know nothing about Lawson, but I'm an experienced Unix sysadmin, and what I'm seeing raises red flags all over. I'll be talking to members of the Lawson development team, but I wanted to get some thoughts from a disinterested, but Lawson-centric view.
    0
    Jeff Shumate
    Private
    Private
    Advanced Member
    (87 points)
    Advanced Member
    Posts:29


    Send Message:

    --
    10/14/2016 11:49 AM
    As a Lawson Systems Administrator, I need to have a mix of root access and lawson ID access, so were you to review my shop, you would see about the same. It is just the way the application is set up and built. That being said, we are still pretty stingy about who has sudo access at our place, and I would not give it out to more than two or three people in the shop, and I don't think the lawson ID should have it. The Lawson application may work on LDAP, but there are many types of users that also need to have OS level IDs that match the AD ID. And they should be cleaning those up as people change user types or leave the organization - we've automated the process, but it is not too much time to handle manually either.
    0
    Unix-dude
    Transition Architect
    Private
    Basic Member
    (10 points)
    Basic Member
    Posts:4


    Send Message:

    --
    10/14/2016 12:52 PM
    Thanks for the answer. Can you tell me what a Lawson administrator needs root to accomplish? Starting/stopping processes? Killing hung processes? Adding, deleting, or changing system-owned files? I'm absolutely on-board with the position that the lawson account itself should not have root. That sounds like a recipe for disaster, not to mention a likely audit item.
    0
    Jeff Shumate
    Private
    Private
    Advanced Member
    (87 points)
    Advanced Member
    Posts:29


    Send Message:

    --
    10/14/2016 6:42 PM
    I use root for all of those things, plus installing and patching the application and its supporting applications. "Real" Unix folks (and Windows folks for that matter) are always shaking their heads at how much access is needed to support Lawson. Being raised in the Lawson world, I've never known any different, so it has never bothered me. But I've had these conversations before, so expect the "that's just the way it works" argument. The problem with the lawson account and the Oracle account having the ability to sudo to root is that those are static, non-expiring IDs, so even if you follow the sudo logs, you will have a hard time determining who did what. I keep the password for the lawson ID closely held - to the same users that have sudo access. The Oracle ID is harder to keep under wraps, as I'm sure you will find out, so that raises even more alarms for me.
    0
    Unix-dude
    Transition Architect
    Private
    Basic Member
    (10 points)
    Basic Member
    Posts:4


    Send Message:

    --
    10/17/2016 8:37 AM
    Wow! I've supported SAP installations, and in one instance, I was asked to provide more access than I was comfortable with. My take was that as a service provider, I was putting my SLA at risk. We ended up having a big meeting with management going up fairly high in the food chain. The "that's the way it works" card was played and got beaten by contract and regulatory requirements. A carefully written sudoers file solved the problem for the few times the SAP account could not manage things. I'll be meeting with the technical team, but I'd be interested to hear what Lawson has to say.
    0
    You are not authorized to post a reply.