[SunHELP] Root Password management - How do you do it?
Fogg, James
sunhelp at sunhelp.org
Wed Sep 26 17:17:13 CDT 2001
1) Nobody writes it down.
2) Few know it.
3) Non-few who need root for some function use sudo
4) Minimum 6 characters, use mix of case and alpha/numeric.
5) Use more than one root, divided on lines of department or function (in
case of breach).
6) Make it memorable (to avoid #1).
7) Mnemonic shouldn't be anything related to your
company/person/life/products/etc.).
8) Monitor and trap failed logins.
9) Break knuckles if you find a violation.
10) Make sure everyone knows you'll break knuckles for violations.
11) Define violations in your security policy (you *do* have a policy?).
12) Never use telnet (use ssh). Otherwise you are giving the password to
anybody who cares to look.
13) Don't run risky daemons, like bind (esp non-current versions).
Example of #6...
mnemonic is top notch.
Password is T0pNtch.
Also, make damn sure users cannot perform a root password recovery (don't
leave O/S CD media around, suspect those who bring in their own).
> "The BOFH went on vacation at the same time as PHB.
This should never happen, no exceptions.
> The PFY encountered a situation where he needed the root password for foo.
Nothing was done because neither the BOFH nor the PHB had left instructions
with the PFY on how to be reached.
Sysadmins can *always* be reached, no exceptions. Besides, sudo should be
used.
More information about the SunHELP
mailing list