Currently ERP has been implemented on unix. There are certain files which we wish that
nobody withour requisite permission should access .

We know that 'chmod' and file access permissions can work . However the people to be
restricted are the ones with root password (Root password is shared with entire IT team).

I wish to know how best I can restrict the access to these files (not even read permission)
1. Can 'setfacl' prevent root's access to these files
2. Currently we can login as root only from server console and not any other PC . Can we do similar
thing for 'su' also.
3. How far sulog and syslog can help
4.Can we use any encryption tools to encrypt the files automatically (once saved). If yes what
are the encryption tool / techniques available .
5.What is 'make'/ 'makefile'.
6. Can any shellscripts be written to prevent the access to these files by unauthorised people.

>However the people to be
>restricted are the ones with root password (Root password is >shared with entire IT team).
For sure it must be possible for the it team to know the root password in order to do their job. However how many are that? Entire IT team sounds like a lot more: ERP specialist etc, for them it should not be necessary to know that.
Normally just a few, maybe 3 people should know it, the others should have the possiblity to get it in case of emergencies.

What kind of files are you thinking off to restrict access?

Makefile is used to define how a object should be compiled, which sources and libraries are needed. The make command analyses the makefile, looks if the sources are updated and will create a new executable.

Han

1) setfacl: I don't think you can lock out root this way but I am not 100% sure. I would vote against using ACL's on Baan files.

2) There are some ways to limit 'su' depending on your UNIX versions:
For Linux: you can restrict 'su' through /etc/pam.d/su
SUDO allows you to limit access to /usr/bin/su or gives the capabilities to allow users to do super user activities *without* needing root password
Set up a 'wheel' group and make /usr/bin/su group owned by 'wheel' and o-rwx. All users that need to be able to use 'su' should then be in the 'wheel' group.
3) All 'su' switches are normally logged in sulog and/or syslog

4) Why would you want to use encryption? For which files?

5) Already answered

6) You should really look into SUDO or similar tools

I think you should revise your security policies. If you cannot trust everyone that has root access that don't give them root access but use SUDO etc, rather than trying to make a kludge to curb root's powers.