System administration performed by a sysadmin logged in to a root shell as superuser is typical on UNIX systems, but it creates an exposure to security risks that must be eliminated.
Although UNIX and Linux systems have become widespread as platforms for large, enterprise-scale applications, system administration techniques remain as they were for their original purpose in laboratory computing: the sysadmin role is performed by a superuser logged in to a root shell, with complete freedom to view, modify or delete programs and data of all types. This arrangement is so typical that the level of risk to which the enterprise is exposed often goes unrecognised. However, under recent corporate governance legislation, corporate officers and external auditors face harsh penalties for failing to protect the integrity of the financial and corporate data that underpins the information available to shareholders and the public. Where particular personnel have unrecorded, unrestricted access to IT systems (for example, where system administration is conducted by an individual sysadmin acting as superuser from within the all-powerful root shell), it is impossible to demonstrate that such protection is in place. To demonstrate compliance, it is essential to impose access controls, access management and monitoring of administrators' use of the root account in such a way that all activity is recorded and can subsequently be reported as required.
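The requirement above is that every use of root by an administrator be recorded and reportable. The script below is an added example, not part of the original page and not COSduty-SSA code: it takes the syslog records that sudo writes when it runs a command (constructed sample lines are embedded so it runs offline) and produces one report line per privileged command, marking refused commands as DENIED and commands that opened an interactive shell (bash, sh, su and the like) as SHELL. The SHELL entries are exactly the root-shell sessions the text describes, whose subsequent activity sudo itself cannot see, so a report like this is the practical minimum for showing an auditor who obtained unrestricted root and when.

```shell
#!/bin/sh
# Added example: report privileged command use from sudo's syslog records.
# The log lines below are constructed for this example; their layout follows
# the "user : TTY=... ; PWD=... ; USER=... ; COMMAND=..." form sudo logs.
SAMPLE_LOG='Mar  3 09:12:01 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service postgresql restart
Mar  3 09:15:44 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 09:16:02 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
Mar  3 09:20:10 db01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=postgres ; COMMAND=/usr/bin/psql
Mar  3 09:21:30 db01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/shutdown -h now'

# sudo_report LOGTEXT
# Prints "user=<invoker> target=<account> status=<OK|SHELL|DENIED> cmd=<command>"
# for each sudo record. SHELL means the command was an interactive shell,
# i.e. the invoker obtained an unrestricted session as the target account.
sudo_report() {
    printf '%s\n' "$1" | awk '
        function basename(p,   n, a) { n = split(p, a, "/"); return a[n] }
        BEGIN {
            # Programs that hand the user an interactive shell (assumed list).
            split("sh bash dash zsh ksh csh tcsh su", s, " ")
            for (k in s) shells[s[k]] = 1
        }
        / sudo: / {
            user = ""; target = ""; cmd = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "sudo:") user = $(i + 1)           # token after "sudo:"
                else if ($i ~ /^USER=/) target = substr($i, 6)
                else if ($i ~ /^COMMAND=/) {
                    cmd = substr($i, 9)                       # command plus arguments
                    for (j = i + 1; j <= NF; j++) cmd = cmd " " $j
                    break
                }
            }
            status = "OK"
            split(cmd, w, " ")
            if ($0 ~ / command not allowed /) status = "DENIED"
            else if (basename(w[1]) in shells) status = "SHELL"
            printf "user=%s target=%s status=%s cmd=%s\n", user, target, status, cmd
        }'
}

# root_shells LOGTEXT: only the records where someone obtained a root shell.
root_shells() {
    sudo_report "$1" | grep 'target=root status=SHELL'
}

sudo_report "$SAMPLE_LOG"
```

On a real host the input would be the sudo entries of /var/log/auth.log or the journal rather than the embedded sample. Note what the report cannot show: after a SHELL record nothing the administrator typed is logged by sudo, which is why the text argues for eliminating such sessions rather than merely logging their start.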
Managing system administration powers and containing the sysadmin superuser, even when logged in to a root shell, by means of COSduty-SSA

Although it may not be immediately obvious to technical IT staff who have worked in traditional ways for a long time, auditing and management of activity, in particular that of system administration personnel, sysadmins, superusers and others who access the root shell, is of vital importance in demonstrating an organization's compliance with recent US and European legislation on corporate governance (Sarbanes-Oxley in the USA and similar European Directives). Without these extra layers of formal, documented management, there is simply no evidence to show auditors that the necessary actions and protections have taken place. A software product of particular value in this area is COSduty-SSA, one of whose functions is thorough control of all aspects of passwords and the login process. Another of its main functions is to limit the unrestricted freedoms of system administrators and audit their activity, so that IT services can prove they are making their full contribution to data integrity and compliance. In addition, because of its low implementation costs and other technical advantages, COSduty-SSA can show a positive RoI even when compliance issues are disregarded.

Some details of the functionality of COSduty-SSA

COSduty-SSA can ensure the use of privileged accounts is reduced to the absolute minimum by:
In summary, COSduty-SSA is an unusual product, but one whose scope is quickly becoming more widely acknowledged as the intricacies of the measures required to protect corporate officers from the possible consequences of corporate governance legislation are better understood. If this area is new to you and visualising the role of products such as COSduty-SSA remains difficult, please feel free to contact OSM for relevant information at all levels. Alternatively, return to the COSduty-SSA web site and help yourself. OSM is the leading independent specialist supplier of E-DSM solutions for organizations that rely on a UNIX, Linux and Windows infrastructure. Our reputation is one of delivering solutions to problems of all complexities through our highly competent Professional Services team.
(c) Copyright 2005 www.cosdutyssa.com