Login
Register
Search
Home
Forums
Jobs
LawsonGuru
LawsonGuru Letter
LawsonGuru Blog
Worthwhile Reading
Infor Lawson News Feed
Store
Store FAQs
About
Forums
General
SOx Compliance
Use of sudo
Home
Forums
Jobs
LawsonGuru
LawsonGuru Letter
LawsonGuru Blog
Worthwhile Reading
Infor Lawson News Feed
Store
Store FAQs
About
Who's On?
Membership:
Latest:
MF
Past 24 Hours:
3
Prev. 24 Hours:
0
Overall:
5180
People Online:
Visitors:
293
Members:
0
Total:
293
Online Now:
New Topics
Top Forum Posters
Name
Points
Greg Moeller
4184
David Williams
3349
JonA
3288
Kat V
2984
Woozy
1973
Jimmy Chiu
1883
Kwane McNeal
1437
Ragu Raghavan
1348
Roger French
1311
mark.cook
1244
Forums
Unanswered
Active Topics
Most Liked
Most Replies
Search Forums
Search
Advanced Search
Topics
Posts
Prev
Next
Forums
SOx Compliance
Use of sudo
Sort:
Oldest First
Most Recent First
You are not authorized to post a reply.
Author
Messages
Unix-dude
Basic Member
Posts: 4
10/13/2016 1:52 PM
I'm a consultant, with background as a Unix administrator. My team is doing a security review for a client and looking at a Lawson installation on AIX. My client makes heavy use of sudo, a tool that doles out root privileges to specific users. Looking at the sudo logs, this is what I see dozens of instances of Lawson users executing "sudo su -", effectively becoming root complete with a hash prompt, creating users with the "useradd" command even though the system uses LDAP authentication working with Active Directory (and never deleting those accounts), the Lawson account itself has the ability to su to root, and does with some frequency, as does the Oracle account. I know nothing about Lawson, but I'm an experienced Unix sysadmin, and what I'm seeing raises red flags all over. I'll be talking to members of the Lawson development team, but I wanted to get some thoughts from a disinterested, but Lawson-centric view.
Jeff Shumate
Advanced Member
Posts: 31
10/14/2016 3:49 PM
As a Lawson Systems Administrator, I need to have a mix of root access and lawson ID access, so were you to review my shop, you would see about the same. It is just the way the application is set up and built. That being said, we are still pretty stingy about who has sudo access at our place, and I would not give it out to more than two or three people in the shop, and I don't think the lawson ID should have it. The Lawson application may work on LDAP, but there are many types of users that also need to have OS level IDs that match the AD ID. And they should be cleaning those up as people change user types or leave the organization - we've automated the process, but it is not too much time to handle manually either.
Unix-dude
Basic Member
Posts: 4
10/14/2016 4:52 PM
Thanks for the answer. Can you tell me what a Lawson administrator needs root to accomplish? Starting/stopping processes? Killing hung processes? Adding, deleting, or changing system-owned files? I'm absolutely on-board with the position that the lawson account itself should not have root. That sounds like a recipe for disaster, not to mention a likely audit item.
Jeff Shumate
Advanced Member
Posts: 31
10/14/2016 10:42 PM
I use root for all of those things, plus installing and patching the application and its supporting applications. "Real" Unix folks (and Windows folks for that matter) are always shaking their heads at how much access is needed to support Lawson. Being raised in the Lawson world, I've never known any different, so it has never bothered me. But I've had these conversations before, so expect the "that's just the way it works" argument. The problem with the lawson account and the Oracle account having the ability to sudo to root is that those are static, non-expiring IDs, so even if you follow the sudo logs, you will have a hard time determining who did what. I keep the password for the lawson ID closely held - to the same users that have sudo access. The Oracle ID is harder to keep under wraps, as I'm sure you will find out, so that raises even more alarms for me.
Unix-dude
Basic Member
Posts: 4
10/17/2016 12:37 PM
Wow! I've supported SAP installations, and in one instance, I was asked to provide more access than I was comfortable with. My take was that as a service provider, I was putting my SLA at risk. We ended up having a big meeting with management going up fairly high in the food chain. The "that's the way it works" card was played and got beaten by contract and regulatory requirements. A carefully written sudoers file solved the problem for the few times the SAP account could not manage things. I'll be meeting with the technical team, but I'd be interested to hear what Lawson has to say.
You are not authorized to post a reply.