This is a discussion on Disaster Recovery root access within the Linux Security forums, part of the System Security and Security Related category.

Hi,

I've just set up a Disaster Recovery location for my Company with backup systems to provide critical services should our main location fail.

I need to come up with a method to permit IT staff who do not normally have access to these important servers to have root console and webmin access in an emergency (they have no access at all at present).

I did think of adding relevant user accounts with a uid/gid of 0 and a password chosen by the user. Some form of tripwire would send an email or similar to those appropriate to immediately alert that access has been granted using an emergency only account - the person responsible would have no place to hide if they had abused this.

There must be a need for this solution elsewhere - and I think mine is better than nothing but not the cleanest or most secure. I'd like to follow best practices if I can.

TIA for any suggestions

Luke

crapbollox@yahoo.co.uk writes:

> I need to come up with a method to permit IT staff who do not
> normally have access to these important servers to have root console
> and webmin access in an emergency (they have no access at all at
> present).

Why not use "sudo /bin/bash" (+ adapt /etc/sudoers, of course). This way the access gets logged and the user even uses his own password.

However for the webmin access, I don't know what to do.

tom
--
as seen in a signature: "In an open world without walls and fences, who needs Gates and windows?"

In article <1110298836.895335.65020@l41g2000cwc.googlegroups.com>,
crapbollox@yahoo.co.uk wrote:

>I've just set up a Disaster Recovery location for my Company with
>backup systems to provide critical services should our main location
>fail.

A fairly common procedure, well documented in many textbooks. For example, see "Practical Unix & Internet Security 3rd edition", by Garfinkel, Spafford and Schwartz, O'Reilly & Assoc, ISBN 0-596-00323-4, 984 pgs, Feb. 2003, US$55.

>I need to come up with a method to permit IT staff who do not normally
>have access to these important servers to have root console and webmin
>access in an emergency (they have no access at all at present).

"emergency" access. Who's watching the fort normally? What precise access do they need? Or are these the staff at the remote facility?

>I did think of adding relevant user accounts with a uid/gid of 0 and a
>password chosen by the user.

Not no, but HELL NO! As this is emergency access, you give them ordinary accounts. For those situations where they need root access, they can then use su (or perhaps 'sudo') using a difficult password that is provided in a sealed envelope. Depending on the security needs, you might even look at one time passwords, or password token devices like SecurID.

>Some form of tripwire would send an email or similar to those appropriate
>to immediately alert that access has been granted using an emergency only
>account - the person responsible would have no place to hide if they had
>abused this.

Logging, or mail are not difficult to defeat if they wanted, especially as they will be root. Choose the staff wisely.

>There must be a need for this solution elsewhere - and I think mine is
>better than nothing but not the cleanest or secure. I'd like to follow
>best practices if I can.

I don't think you've put much thought into this. Have you even scanned the security related HOWTOs? If this is a remote staff situation, you may want to check with your legal staff to review agreements with the hosting company.

Our primary disaster facility (servers) are half way across the country, at a different company facility. The data backups (tapes, etc.) are in a bonded data warehouse about 20 miles away - accessible with reasonable delays, but under a completely isolated threat model (fire, flood, earthquake, what-ever).

Old guy
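
The sudo approach suggested in this thread leaves one syslog line per invocation, which is what the alerting idea from the first post would key on. The following is an added example, not code from any poster: it parses sudo's syslog lines and flags any use of an emergency-only account plus every denied attempt. The account names, host name and log lines are constructed, and it assumes the lines have been forwarded to a separate log host, since the last reply points out that someone who is root can defeat local logging.

```python
import re

# Constructed sample lines in the format sudo writes via syslog (auth.log).
SAMPLE_LOG = """\
Mar  8 16:20:31 dr1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  8 16:21:02 dr1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  8 16:25:47 dr1 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Mar  8 16:30:10 dr1 sudo:     dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/less /var/log/messages
Mar  8 16:31:00 dr1 sshd[411]: Accepted publickey for dave from 192.0.2.10 port 50022 ssh2
"""

# Assumption: names of the emergency-only ("break-glass") accounts.
EMERGENCY_USERS = {"alice", "carol"}

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssudo(?:\[\d+\])?:\s+"
    r"(?P<who>\S+) : (?P<body>.*)$")
FIELDS = {"TTY": "tty", "PWD": "pwd", "USER": "runas"}

def parse_sudo_line(line):
    m = SUDO_RE.match(line)
    if not m:
        return None          # not a sudo record (e.g. the sshd line)
    ev = m.groupdict()
    # COMMAND= comes last and may itself contain ';', so split it off first.
    head, _, ev["command"] = ev.pop("body").partition("COMMAND=")
    ev["error"] = None
    for part in filter(None, (p.strip() for p in head.split(";"))):
        key, eq, val = part.partition("=")
        if eq and key in FIELDS:
            ev[FIELDS[key]] = val
        else:
            ev["error"] = part   # e.g. "user NOT in sudoers"
    return ev

def classify(ev):
    if ev["error"]:
        return "DENIED"
    return "BREAK_GLASS" if ev["who"] in EMERGENCY_USERS else "ROUTINE"

def alerts(log_text):
    events = filter(None, map(parse_sudo_line, log_text.splitlines()))
    return [(classify(e), e["ts"], e["host"], e["who"], e["command"])
            for e in events if classify(e) != "ROUTINE"]

if __name__ == "__main__":
    print(*alerts(SAMPLE_LOG), sep="\n")
```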