Re: xhost

From: Drew (simonis@myself.com)
Date: 05/29/02


Date: Wed, 29 May 2002 13:27:46 -0400
From: Drew <simonis@myself.com>
To: focus-sun@securityfocus.com


"Small, Jim" wrote:
>
> Hello Everyone,
>
> I am working on a security solution for a network of Solaris servers (7 and
> 8). The network is periodically scanned for vulnerabilities. The problem
> is system admins keep using "xhost +" from their CDE session so they can
> display xclients from other servers. Needless to say, no matter how many
> times I admonish them not to use xhost +, they do anyway.
>
> I need to prevent the possibility of someone doing an xhost +, even if they
> are root. The only solution I can think of is to delete the xhost command,
> and put a script in that notifies admins that its use is forbidden.

I think you are missing a large part of what makes for good security.
You can't have it without buy in from your user base. In this case,
the admins are those users, and they need a bit of hand slapping.

This problem is not a technical one, but one of policy, and the
lack of policy enforcment. A technical solution would be to fully
embrace RBAC, greatly (or totally?) eliminating the need to "be root"
and then enforcing a well defined and known security policy.

Fire the first admin who violates the new rules. I suspect you
shouldn't have to worry about it again...

(ok, so I live in a fantasy world.)



Relevant Pages

  • Re: No Shut Down or Restart for Domain Admins
    ... run rsop.msc from your DC and check which policy is responsible to this. ... I have created a group policy in a development network and imported it ... NT AUTHORITY\Authenticated Users Read (from Security Filtering) No ... Enforce user logon restrictions Enabled ...
    (microsoft.public.windows.server.active_directory)
  • Fwd: Oh Dear, Where to start?!
    ... It seems to me you need two things: an organizational policy, ... finish college and break into the real world of computer security. ... experience in the field of network security and policy ... updates, driver updates, and recommended updates. ...
    (Security-Basics)
  • Re: Oh Dear, Where to start?!
    ... > from some of you with appropriate experience in the field of network ... > main focus and priority has been computer security and policy development. ... install certain updates. ...
    (Security-Basics)
  • RE: Mass Distribution of Security Policies
    ... It could start with a Network usage agreement, (Advisory Policy) to all ... Mass Distribution of Security Policies ...
    (Security-Basics)
  • Re: [fw-wiz] Security and Audit Policy
    ... what policy are you trying to impliment? ... > are no security and audit policies in place. ... > regarding this network. ... Disabled M$ Outlook and IE and replaced these with ...
    (Firewall-Wizards)