The “two man rule” (also sometimes called the “four eyes rule”) has its origins in military protocol, although for quite some time it has been welcomed into the stockpile of IT security controls used by organizations around the world. The “two man rule” specifies that there must be two individuals who must act in concert in order to perform some action.
This has really interesting implications even outside of hard-core military settings. For example, with all the new-found reporting on data thefts, having two people doing “root” activities would 1) reduce the incidences of stupid mistakes 2) provide a more interrogatable human paper trail 3) make it harder for one-man inside jobs to succeed. For big credit agencies, banks, and hospitals, a ‘two person’ rule could be good policy.
Agreed
Reminds me of the silo crew scene in WarGames.
We, in the military, call it a ‘no-lone-zone’ for working in certain areas – eg crypto or server rooms and for doing certain tasks no matter what the location.
Funny you brought up ‘no-lone-zone’. I was watching the military channel earlier tonight, and right there before you entered the two-man ICBM silo-pods was a sign that said ‘No Lone Zone’.
Can Linux/BSD PAM be configured to prompt for two admin user passwords, both of which must be correctly entered within 5 seconds of each other?
Thank you for this article, I wish there would be more like this one posted. Easy to follow and fun.
From my Navy days it is called Two Person Integrity (TPI), normally used for handling classified materials in a space not specifically designed for the level of materials being handled (non-SCIF).
What I find interesting is that AIX had this capability for some time. You could create an account in AIX 4.3 that required two users to log in in order to access it. In some situations it could be handy, like performing certain root functions without the presence of a system administrator.
Agree with Robert here very nice article.
On the AIX mention: in the article he mentions that the same techniques can be applied in Solaris 8 and 9, so I guess Sun has had this for a while too, outside of Trusted Solaris.
Hopefully the timeout period for the Linux solution is not fixed, otherwise it is pretty useless with complex passwords (which should be used in this scenario).
[computer] Recognize Picard, Jean-Luc, Captain
[computer] Recognize Riker, William T., First Officer
[computer] Initiating auto-destruct sequence…
I’ve never worked anywhere that had the manpower or money to dedicate two flippin’ people to a single task. I’m lucky if I’m not remoted into several different servers when I’m at home at night. Should I bring my “buddy” home with me so I can monitor the network?
The last place I worked at only had Unix admins available for 18 hours a day, and “unskilled” operators to handle the balance. The idea was to “save money” by not having administrators around “doing nothing”. Well we all know how that works.
In a case like this there are some things that can be done without having a Unix admin present; using TPI through RBAC would allow an operator and night supervisor to run limited commands while the Unix admin is on his way in. Of course there are a lot of things that would have to be worked out in advance, but it is an option.
Have you ever worked in a shop that was that organized as to allow this kind of setup without the potential of a major catastrophe?
Actually, no I haven’t. Of the four positions I have held (three of them as a Unix admin), none of them had what I would consider a comprehensive user policy. In order for something like this to actually work there would have to be a lot of consideration given to what users actually needed in terms of access and permissions. Only one place I worked at even used RBAC (NMCI).
More often than not what I have seen is variations of root or administrator (Windows) and users divided into various groups. It doesn’t provide great security but it is “easy” to manage.
What about providing a GPG kind of authentication that you would activate by plugging in two people’s GPG keys on USB pen drives. They would have to provide passphrases for their GPG keys of course.
In a case like this there are some things that can be done without having a Unix admin present, using TPI through RBAC would allow an operator and night supervisor to run limited commands while the..
Isn’t this delegated at the sadm console?
Solaris RBAC and PAM do not use GPG, unless someone is willing to write custom PAM modules, hooks to RBAC, and modify the Device Allocation policy to accommodate this.
That depends on whether you are using RBAC or not. As I said earlier, most people do not use RBAC (in my experience).
Correct me if I am wrong, but I believe in Star Trek you needed three people to start the auto-destruct.
In relation to the original thread:
One admin logged on – allowed to do only simple tasks that do not touch the original data, e.g. clearing print queues.
Two admins logged on – can change user rights, move files around, configure backups, delete files that have been archived.
Three admins logged on – can do anything, including editing files without changing timestamps, deleting files that are not archived … etc.
Silly idea I know, but the data recovery companies would lose half their business if single dumb admins could not delete mission critical files.
———————————————————-
Damn, I just thought about the above. Most times if the system admin is at fault it is because he was never trained for the job and it was cheaper to hire him than a properly trained person. If you need two or three admins to do major work on your system you can be sure that most companies will try to cut costs by hiring the three cheapest admins they can get.
Three idiots at the controls are no better than one idiot, unless they always get in each other’s way to prevent anything getting done.
And you know this will be the one time they all agree that delete file xxxx is a good idea.
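To make the tiered scheme from the post above concrete, and to show how the earlier question about two admin passwords entered within a short window could be modelled, here is a small Python model. It is an added example written for this page, not code from the article or from any commenter, and it is not a PAM module: the credential store, the admin names and passwords, the action names in each tier and the FakeClock are all constructed for the demonstration. The window is a parameter rather than a fixed value, since a fixed five-second window is unworkable with long passwords.

```python
import hashlib
import hmac
import os
import time

# Hypothetical privilege tiers, modelled on the post above: the more distinct
# admins who have authenticated recently, the more actions become allowed.
TIERS = {
    0: set(),
    1: {"clear_print_queue"},
    2: {"clear_print_queue", "change_user_rights", "move_files",
        "configure_backups", "delete_archived_files"},
    3: {"clear_print_queue", "change_user_rights", "move_files",
        "configure_backups", "delete_archived_files",
        "edit_without_timestamp", "delete_unarchived_files"},
}

PBKDF2_ROUNDS = 50_000  # kept low so the example runs quickly


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a password (32-byte digest)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_admin_store(plain: dict) -> dict:
    """Build a constructed credential store: name -> (salt, digest).
    Plaintext passwords are only taken here to seed the example."""
    store = {}
    for name, password in plain.items():
        salt = os.urandom(16)
        store[name] = (salt, _derive(password, salt))
    return store


class TwoPersonAuthorizer:
    """Collects individually verified admin logins and grants a privilege tier
    equal to the number of distinct admins verified within the last
    `window_seconds`. The clock is injectable so the window can be tested."""

    def __init__(self, store: dict, window_seconds: float = 5.0, clock=time.monotonic):
        self._store = store
        self._window = window_seconds
        self._clock = clock
        self._verified = []  # (name, timestamp) of each successful check

    def present(self, name: str, password: str) -> bool:
        """Verify one admin's credential; returns True on success.
        An unknown name is still run through the KDF against a dummy record so
        the response time does not reveal which account names exist."""
        salt, digest = self._store.get(name, (b"\x00" * 16, b"\x00" * 32))
        derived = _derive(password, salt)
        ok = name in self._store and hmac.compare_digest(derived, digest)
        if ok:
            self._verified.append((name, self._clock()))
        return ok

    def _prune(self) -> None:
        now = self._clock()
        self._verified = [(n, t) for n, t in self._verified if now - t <= self._window]

    def authorized_tier(self) -> int:
        """Number of distinct admins verified inside the window, capped at the
        highest tier; the same person typing a password twice counts once."""
        self._prune()
        return min(len({n for n, _ in self._verified}), max(TIERS))

    def is_allowed(self, action: str) -> bool:
        return action in TIERS[self.authorized_tier()]


class FakeClock:
    """Manual clock so the window behaviour can be shown without sleeping."""

    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    store = make_admin_store({"alice": "correct horse", "bob": "battery staple"})
    auth = TwoPersonAuthorizer(store, window_seconds=5.0, clock=clock)
    auth.present("alice", "correct horse")
    print("one admin  -> tier", auth.authorized_tier(), auth.is_allowed("delete_archived_files"))
    auth.present("bob", "battery staple")
    print("two admins -> tier", auth.authorized_tier(), auth.is_allowed("delete_archived_files"))
    clock.now += 6
    print("after window -> tier", auth.authorized_tier())
```

The check that matters for a two-person rule is the set of distinct names, not the number of successful password entries: one admin retyping their own password must not unlock the second tier. Expiring the verified entries after the window also means the elevated tier disappears on its own once the second person has walked away.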
Three idiots at the controls are no better than one idiot, unless they always get in each other’s way to prevent anything getting done.
I disagree, because I have seen that, in practical life, three idiots still manage to do a better job, at anything, than one idiot. This is strange, but true.
Unless the idiots are really utterly clueless, but that should be close to dementia.
I’ve never worked anywhere that had the manpower or money to dedicate two flippin’ people to a single task. I’m lucky if I’m not remoted into several different servers when I’m at home at night. Should I bring my “buddy” home with me so I can monitor the network?
It’s not routine in most businesses, but it is routine in some areas, notably defense and other industries.
It’s surreal walking into a locked room, with several engineers sitting around empty desks doing nothing with a flashing red light going off solely because YOU are in the room (escorted).
But that’s the protocol.
A simple real world example is that at our company, any check worth more than N dollars has to be signed by two of the three partners. Just the way it works.