Linux security, UNIX security, UNIX administration and Linux administration tools and services from OSM

Robust Linux and UNIX security management demands sound UNIX and Linux administration techniques if the implications of recent corporate governance legislation are to be observed

 

In this document we review the growing interest in Linux and UNIX security techniques, which has resulted from the implications of recent legislation on corporate governance. The improvement of security in these similar operating systems is closely related to work performed in the areas of UNIX system administration and Linux administration, and it is in all these areas that OSM adds significant value.

The problem with Linux and UNIX – two similar multi-user operating systems whose roots are in team-oriented, collaborative computing for research and, later, educational, environments – is that the system administrator was always expected to be "one of the team". Security was not a big issue and administration was amongst colleagues. Now that Linux and UNIX have been adopted for large-scale commercial work, the fact that one or more administrators have complete freedom to view or change any part of the system inevitably means that Linux security (equally UNIX security) is simply not controlled to the necessary extent. It is vital that those supervising UNIX administration and Linux administration somehow audit and control the administrators' activities.

Until the recent past, corporate officers have been allowed wide freedom in the way they implement their internal checking procedures. However, following recent legislation, corporate officers as well as external auditors now face harsh penalties whose consequences are such that regulation of IT processes will be stricter and that fairly low-level techniques will become much more precisely defined.

Linux security and UNIX security – the importance of administration to UNIX and Linux and the connection with legislation

Recent US and European legislation (Sarbanes-Oxley in the USA and similar European Directives) has made compliance a big issue for publicly listed companies – and some private companies who conduct business with the listed sector.

The essence of the legislation is to protect the integrity of the financial information provided to the public. This is difficult to prove when privileged IT users, typically system administrators, have unlimited access rights to critical IT systems. We can see at once that system administration practice has a direct influence on system security. The only way forward is to devise and employ mechanisms for controlling the rights of administrators and auditing their actions continuously. Only by these means can the IT organisation provide irrefutable evidence that all data, including the sensitive financial data, is secure and that IT people are doing all that is asked of them.

A software product of particular value in this area is COSduty-SSA whose use can limit the unrestricted freedoms of systems administrators and audit their activity so as to prove IT services are making their full contribution to data integrity and compliance.

In addition, because of its low implementation costs and other technical advantages, COSduty-SSA can show a positive RoI, even when compliance issues are disregarded.

Some details of the functionality of COSduty-SSA

COSduty-SSA can ensure the use of privileged accounts is reduced to the absolute minimum by:

  • encapsulating the majority of privileged routines in menu/forms driven procedures
  • requiring administrators to request privileged sessions on particular systems for particular periods of time
  • allocating only that subset of commands required to carry out a requested function
  • auditing all activity and reporting on those audit trails

In summary, COSduty-SSA is an unusual product, but one whose scope is quickly becoming more widely acknowledged as the intricacies of the measures which are required to protect corporate officers from the possible consequences of corporate governance legislation are better understood. If this area is new to you and visualising the role of products such as COSduty-SSA remains difficult, please feel free to contact OSM for relevant information at all levels. Alternatively, re-enter the COSduty-SSA web site and help yourself.

 

(c) Copyright 2005 www.cosdutyssa.com