Login
Register
Search
Home
Forums
Jobs
LawsonGuru
LawsonGuru Letter
LawsonGuru Blog
Worthwhile Reading
Infor Lawson News Feed
Store
Store FAQs
About
Forums
General
SOx Compliance
Use of sudo
Home
Forums
Jobs
LawsonGuru
LawsonGuru Letter
LawsonGuru Blog
Worthwhile Reading
Infor Lawson News Feed
Store
Store FAQs
About
Who's On?
Membership:
Latest:
Saef
Past 24 Hours:
0
Prev. 24 Hours:
0
Overall:
5226
People Online:
Visitors:
208
Members:
0
Total:
208
Online Now:
New Topics
User Group Announcements
Carolina User Group Meeting
12/20/2024 3:15 PM
Date & Time: February 6, 2025, 8:30am - 4:00pm
S3 Systems Administration
ADFS certificate - new cert
12/3/2024 9:38 PM
The certificates on the windows boxes expired and
Lawson S3 HR/Payroll/Benefits
Post Tax Benefit Plan Table
11/14/2024 9:16 PM
Hi, totally new to Laswon. I have a repor
Lawson S3 Procurement
ED501 Error: Map 850 not supported by /law/c15vda/lawson/test10/edi/bin/laws_out_91
11/12/2024 3:47 PM
Tried runnning ED501 and getting the atathced erro
Lawson S3 HR/Payroll/Benefits
Error
11/6/2024 9:54 PM
When I try to enroll a retiree in 72.1 health plan
Infor ERP (Syteline)
Syteline: New Data Maintenance Wizard (Error) Need help
11/1/2024 4:24 PM
Hi, I need help with an error on syteline while us
Dealing with Lawson / Infor
Implementing Lawson v10 with Cerner Surginet, Case Cart Picking, and Quick Adds for the OR
10/29/2024 4:20 PM
Hi Everyone, I am wondering if there is any org
Lawson S3 HR/Payroll/Benefits
Canada Tax Calculation (Federal and Provincial) Issue
10/23/2024 5:00 AM
Initially, we had problem with CPP2 calculation is
Lawson S3 HR/Payroll/Benefits
CA Section 125 401k Plan
10/22/2024 10:13 PM
Does anyone have any recommendations on how to fac
S3 Systems Administration
Running AC120 deleted records from ACMASTER table
10/22/2024 3:40 PM
We recently ran the AC120 as normal and somehow it
Top Forum Posters
Name
Points
Greg Moeller
4184
David Williams
3349
JonA
3291
Kat V
2984
Woozy
1973
Jimmy Chiu
1883
Kwane McNeal
1437
Ragu Raghavan
1372
Roger French
1315
mark.cook
1244
Forums
Filtered Topics
Unanswered
Unresolved
Announcements
Active Topics
Most Liked
Most Replies
Search Forums
Search
Advanced Search
Topics
Posts
Prev
Next
Forums
General
SOx Compliance
Use of sudo
Please
login
to post a reply.
4 Replies
1
Subscribed to this topic
2 Subscribed to this forum
Sort:
Oldest First
Most Recent First
Author
Messages
Unix-dude
Basic Member
Posts: 4
10/13/2016 1:52 PM
I'm a consultant, with background as a Unix administrator. My team is doing a security review for a client and looking at a Lawson installation on AIX. My client makes heavy use of sudo, a tool that doles out root privileges to specific users. Looking at the sudo logs, this is what I see dozens of instances of Lawson users executing "sudo su -", effectively becoming root complete with a hash prompt, creating users with the "useradd" command even though the system uses LDAP authentication working with Active Directory (and never deleting those accounts), the Lawson account itself has the ability to su to root, and does with some frequency, as does the Oracle account. I know nothing about Lawson, but I'm an experienced Unix sysadmin, and what I'm seeing raises red flags all over. I'll be talking to members of the Lawson development team, but I wanted to get some thoughts from a disinterested, but Lawson-centric view.
Jeff Shumate
Advanced Member
Posts: 31
10/14/2016 3:49 PM
As a Lawson Systems Administrator, I need to have a mix of root access and lawson ID access, so were you to review my shop, you would see about the same. It is just the way the application is set up and built. That being said, we are still pretty stingy about who has sudo access at our place, and I would not give it out to more than two or three people in the shop, and I don't think the lawson ID should have it. The Lawson application may work on LDAP, but there are many types of users that also need to have OS level IDs that match the AD ID. And they should be cleaning those up as people change user types or leave the organization - we've automated the process, but it is not too much time to handle manually either.
Unix-dude
Basic Member
Posts: 4
10/14/2016 4:52 PM
Thanks for the answer. Can you tell me what a Lawson administrator needs root to accomplish? Starting/stopping processes? Killing hung processes? Adding, deleting, or changing system-owned files? I'm absolutely on-board with the position that the lawson account itself should not have root. That sounds like a recipe for disaster, not to mention a likely audit item.
Jeff Shumate
Advanced Member
Posts: 31
10/14/2016 10:42 PM
I use root for all of those things, plus installing and patching the application and its supporting applications. "Real" Unix folks (and Windows folks for that matter) are always shaking their heads at how much access is needed to support Lawson. Being raised in the Lawson world, I've never known any different, so it has never bothered me. But I've had these conversations before, so expect the "that's just the way it works" argument. The problem with the lawson account and the Oracle account having the ability to sudo to root is that those are static, non-expiring IDs, so even if you follow the sudo logs, you will have a hard time determining who did what. I keep the password for the lawson ID closely held - to the same users that have sudo access. The Oracle ID is harder to keep under wraps, as I'm sure you will find out, so that raises even more alarms for me.
Unix-dude
Basic Member
Posts: 4
10/17/2016 12:37 PM
Wow! I've supported SAP installations, and in one instance, I was asked to provide more access than I was comfortable with. My take was that as a service provider, I was putting my SLA at risk. We ended up having a big meeting with management going up fairly high in the food chain. The "that's the way it works" card was played and got beaten by contract and regulatory requirements. A carefully written sudoers file solved the problem for the few times the SAP account could not manage things. I'll be meeting with the technical team, but I'd be interested to hear what Lawson has to say.
Please
login
to post a reply.