Setup an unlock account on the Linux system (if it hasn't already been created for controlling the root account).

This account becomes the fail-safe measure to recover access to the strongkey account in the event it is needed for extraordinary administrative actions.

Add the unlock account to /etc/sudoers with the ability to unlock the root account.

Replace the <FQDN> with the fully qualified domain name of the SKFS server:

unlock <FQDN>=/usr/sbin/usermod --unlock strongkey

Add the normal Linux account of the Systems Administrator to /etc/sudoers to perform SKFS-specific SA tasks (as defined by company policy).

This ensures that SAs can perform their day-to-day jobs with the SKFS software—backup, restore, log management, performance management, patching, etc.

These accounts must be the only legitimate means of managing the SKFS software.

For tighter control, depending on company policy, sites may add multi-factor authentication tokens to the system to ensure only legitimate SAs with two-factor tokens can login into SA accounts on SKFS.

Add these watches to audit modifications to various configuration files.

This first watch listed below will monitor for writes, appends, and reads of the /etc/sudoers file and log them. Logged records can be searched with the filter key sudoers.

The second will watch for executions of the sudo command and log them with a filter key of sudo-exec.

auditd should be turned on to monitor access to the sudo command for appropriate authorities for review (third-party reporting tools may also be used for this purpose, if desired). The generic auditctl command is:

auditctl -w <file> -pwar -k  <filter key>

skfs_HOME/etc/skfs-configuration.properties

skfs-configuration

skce_HOME/etc/skce-configuration.properties

skce-configuration

appliance_HOME/etc/appliance-configuration.properties

appliance-configuration

GLASSFISH_HOME/domains/domain1/config/domain.xml

glassfish-config

/usr/sbin/usermod --lock strongkey