Access control and management at the UNIX root and administrator level
Until recent times, access control and management – particularly at the UNIX root level – and management of the root account in general (root management) were left to the IT department of most large enterprises to implement in whatever way was considered best. Trust, custom and practice, and local tradition would all exert an important influence. In the absence of a single company being the supplier of the operating system, there has been no single authoritative source of advice on access management, control over UNIX root access and root management in general.

Now, however, following recent corporate governance legislation, both external auditors and corporate officers face harsh penalties for failing to protect the integrity of the financial and corporate data which underpins the information available to the shareholders and public. Where particular personnel have unrecorded and free access to IT systems (as, for example, do system administrators of typical UNIX systems), it is impossible to demonstrate that such protection is in place. In order to demonstrate compliance, it is essential to impose access controls, access management and monitoring of administrators’ use of the root account in such a way that all activity is recorded and may subsequently be reported as necessary.

Implementing access control and management at the UNIX root level with COSduty-SSA

When user access controls and access management are put in place on UNIX systems, it is usually the job of the system administrator who has UNIX root account access to specify the access rights of each individual user. The problem then is, of course, who is responsible for root management. There are no built-in mechanisms for managing the administrator, nor for recording his/her activities. The administrator can do anything and go anywhere on the system, and there is no record of it. All data is exposed to being read and to being changed.
A software product of particular value in this area is COSduty-SSA, whose use can limit the unrestricted freedoms of systems administrators and audit their activity so as to prove IT services are making their full contribution to data integrity and compliance. In this way, the integrity of data can be not only assured, but also all access to it can be recorded and reviewed at any future time. This information can then be used to demonstrate the way in which the integrity of corporate data is protected and compliance with the regulations maintained. In addition, because of its low implementation costs and other technical advantages, COSduty-SSA can show a positive RoI, even when compliance issues are disregarded.

Some details of the functionality of COSduty-SSA

COSduty-SSA can ensure the use of privileged accounts is reduced to the absolute minimum by:
In summary, COSduty-SSA is an unusual product, but one whose scope is quickly becoming more widely acknowledged as the intricacies of the measures which are required to protect corporate officers from the possible consequences of corporate governance legislation are better understood. If this area is new to you and visualising the role of products such as COSduty-SSA remains difficult, please feel free to contact OSM for relevant information at all levels. Alternatively, re-enter the COSduty-SSA web site and help yourself.

OSM is the leading independent specialist supplier of E-DSM solutions for organizations who rely on a UNIX, Linux and Windows infrastructure. Our reputation is one of delivering solutions to problems of all complexities by means of our highly competent Professional Services team.
(c) Copyright 2005 www.cosdutyssa.com