How to hardcode a system's hostname or serial number
Hi,
How to hardcode a system's hostname or serial number (as reported by dmidecode -s system-serial-number) so that no one can change the system's hostname? Any solution will be appreciated.
I don't understand what you're asking; anything can be changed if it is accessible. The system's serial may be changeable if one can swap the motherboard ...
Why are admins running around changing hostnames?
Or more correctly, why do people have too much access granted to do that task? I suppose you could create a network script that has to be run that checks it. Guess you could create one of those security keys that somehow did it. Anyone with physical access could change it unless the folder was encrypted.
jefro, I agree with you, but I want to restrict changing hostnames from root, as some of the users/teams require root access (admin root access) to perform their tasks. Can you elaborate more or give an example of how to encrypt the folder or create security keys?
How to restrict sudoers file access for root
Hi,
How to restrict sudoers file access for root through PAM? Any solution will be appreciated other than chmod or chattr.
huh? :confused:
Hi,
It would be helpful if you provide a bit more background information on what exactly you want to do. Root is 'all powerful' and has access to everything on a system. So please clarify what you want to obtain, since prohibiting root from accessing the sudoers file will not be possible in my opinion. You could limit access using chattr, but you indicated that's not what you want. Kind regards, Eric
Actually there are 3000+ users in my network & some users have admin access to perform their tasks, so I want to secure the systems in the network so that they cannot modify the hostname & sudoers files.
Hi,
Looking at it from that point of view, I'd enforce using a configuration controlled by you for sudoers by setting it up with Puppet, for example. But again, if they have the admin password they could easily disable the Puppet client, so you'd have to respawn it, which could also be 'edited' by the root user. I strongly suggest you limit root access to the minimal number of people possible and configure sudo to give extra permissions to additional users, but limiting them to the strict minimal commands necessary. I've recently encountered the same problem (with fewer users) and have it set up with Puppet, limiting access with sudo to a limited set of commands. Permissions to files I've set with ACLs. In my situation there are only three guys who have the root password and about 25 who use the same environments with sudo where needed, without any problems. Kind regards, Eric
Thanks for the info. Actually I am using Puppet & want to restrict the root user so that the hostname cannot be changed temporarily or permanently, because if it is changed Puppet will pick up the modified hostname & the certs will get signed for it.
Hi,
Does that mean that you're automatically signing the certs? In this case you could deactivate autosigning to avoid that problem OR, more adequately, if you have that possibility, force it based on domain name. This would force the same sudoers configuration on whatever host is in that domain and you can keep the autosigning active. But you'd still stay in the same vicious circle: they could disable the Puppet service. The best solution in my opinion is to change the admin password and limit them by configuring sudo more specifically to their needs. Kind regards, Eric
See this for how to limit these users. They have too much if they can simply just su and go wild. http://www.cyberciti.biz/tips/allow-...s-as-root.html
I never tried it, but it may be possible to encrypt that file or folder so that only the OS can open it or some authenticated user. This still goes back to you gave idiots too much power. Who would change a hostname? For what reason? I'd suspect foul play.
Quote:
How about giving them sudo access to only the commands they need. You should be able to man sudo for more information on how to use it to that effect.
Quote:
to modify the sudoers file so these users w/ elevated privilege levels can do only a few well-defined things; sudo - and sudo su <-> shouldn't be among them; EVER! Cheers, Tink
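Several replies above (Eric's, jefro's, Tink's) make the same point: the fix is a sudoers file that grants only a few well-defined commands and never an unrestricted root shell. The script below is an added example from the editor, not code posted by anyone in the thread. It defines an `audit_sudoers` function (a hypothetical name) that reads a sudoers-format file and flags user/group rules that grant `ALL` commands or allow `su`, `sudo`, or a shell binary, and it runs that function over a constructed sample file containing one narrowly scoped rule of the recommended shape next to three rules that each hand out root.

```shell
#!/bin/sh
# Added example (not from the thread): audit a sudoers-format file for rules that
# effectively hand out an unrestricted root shell, which is what the replies above
# argue against. The sample content at the bottom is CONSTRUCTED, not a real file.

# audit_sudoers FILE
# Prints one "RISKY (...)" line per user/group specification that grants ALL
# commands or allows su, sudo, or a shell binary. Defaults, alias and comment
# lines are skipped. Prints nothing for a file made only of narrowly scoped rules.
audit_sudoers() {
    grep -v '^[[:space:]]*#' "$1" \
    | grep -v '^[[:space:]]*$' \
    | grep -E -v '^[[:space:]]*(Defaults|User_Alias|Cmnd_Alias|Host_Alias|Runas_Alias)' \
    | grep '=' \
    | while IFS= read -r line; do
        # Command list: text after the runas spec "(...)" when present,
        # otherwise everything after the first '='.
        case "$line" in
            *\)*) cmds=${line##*\)} ;;
            *)    cmds=${line#*=} ;;
        esac
        # Remove tag prefixes such as NOPASSWD: before inspecting the commands.
        cmds=$(printf '%s' "$cmds" \
               | sed -E 's/(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT):[[:space:]]*//g')
        reason=""
        if printf '%s' "$cmds" | grep -qw ALL; then
            reason="grants ALL commands"
        else
            # Check the basename of every comma-separated command.
            IFS=','
            for entry in $cmds; do
                unset IFS                # back to default whitespace splitting
                set -- $entry            # $1 is the program path, $2.. its arguments
                prog=${1##*/}
                case "$prog" in
                    su|sudo|bash|sh|dash|zsh|ksh) reason="allows $prog" ;;
                esac
            done
            unset IFS
        fi
        if [ -n "$reason" ]; then
            printf 'RISKY (%s): %s\n' "$reason" "$line"
        fi
    done
}

# Constructed sample: one narrowly scoped rule of the shape the replies recommend,
# and three rules that each give their user a root shell one way or another.
SAMPLE_SUDOERS=$(mktemp)
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed example, not a real sudoers file
Defaults        env_reset
Cmnd_Alias      NGINX_CTL = /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
%webops         ALL=(root) NGINX_CTL
alice           ALL=(ALL:ALL) ALL
bob             ALL=(root) NOPASSWD: /bin/su -
carol           ALL=(root) /usr/bin/vim, /bin/bash
EOF

audit_sudoers "$SAMPLE_SUDOERS"
# prints three RISKY lines (alice, bob, carol); the %webops rule is not flagged
```

The `%webops` rule is the pattern Eric describes: a command alias listing the exact commands a team needs, with no path to a shell. The check is deliberately simple and has known blind spots: it does not expand a `Cmnd_Alias` that is itself defined as `ALL`, does not follow `@include` directories, and flags `vim`-style editors only if you add them to the basename list, so treat it as a first pass before reviewing the file by hand, and validate syntax separately with `visudo -c`.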