On Fri, Apr 29, 2011 at 6:29 AM, Stefan N <stefanbsd...@yahoo.com> wrote:
> Hi guys,
>
> Noted and thanks for your suggestions.

Probably almost every so-called corporate admin is working with Cisco, and there's what?

IOS -> terminal -> commands

In fact it looks like you need only a couple of commands for them, so sudo/sudoers will be great for them, and they have man pages on the web, in the system, and the FAQ. They will learn a lot from them and they have a chance to be good admins because of that (if they want to learn, of course). E.g. with RBAC in Solaris you have more fine-grained control and there are already profiles for similar tasks prepared, so it's quicker to get what you want, but the same is possible with sudo and the traditional Unix security model (not all).

>
> Regards,
> Stefan
>
> ________________________________
> From: Stefan N <stefanbsd...@yahoo.com>
> To: misc@openbsd.org
> Sent: Fri, April 29, 2011 10:52:32 AM
> Subject: Need Suggestion: To limit the access of root account
>
> Hi All,
>
> I would need some suggestions from you. Currently I am setting up OpenBSD
> Firewall using PF at my working place.
> However, some of my colleagues are not so familiar with the OpenBSD and we would
> like to take turn to do that. I have the intention that I would like to limit
> the usage and access the root account.
>
> I have intention to give them the 'more than enough' access for them to do daily
> administrative tasks as firewall admin like:
> 1.View/Configure IP Address, Subnet of network interface,VLAN and CARP
> 2.View/Configure default gateway and static route
> 3.View/Change the entry of DNS Server IP
> 4.Configure Syslog
> 5.Add/Remove PF rule
> 6.Backup/Restore
> 8.Viewing traffic using tcpdump
>
> Is that possible to make some CLI Menu which will appear to the B fw admin after
> the login as long as they can do their job.
> Example:
>
> OpenBSD/i386
>
> login:bob
> password:xxxxxxxx
>
> Please select the task below:
>
> 1>View/Configure IP Address, Subnet of network interface,VLAN and CARP
> 2>View/Configure default gateway and static route
> 3>View/Change the entry of DNS Server IP
> 4>Configure Syslog
> 5>Add/Remove PF rule
> 6>Backup/Restore
> 7>Viewing traffic using tcpdump
> 8>Logout
>
> Or is there a better way to limit the usage and access of root account by fw
> admin?
>
> My intention is: I would like to give enough access for the fw admin to do their
> job using a simple way.
>
> Thank you in advance.
>
> Regards,
> Stefan
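
The sudo/sudoers approach suggested in the reply, sketched as an added example that is not part of the thread: the task list from the original post mapped onto command aliases, next to the blanket grant it replaces. The login `bob` comes from the post; the interface names (`em0`, `vlan0`, `carp0`) and the choice of which `pfctl` invocations to allow are assumptions, and backup/restore is left out because the thread does not say how it is done.

```sudoers
# /etc/sudoers fragment (edit with visudo, check with "visudo -c").
# Constructed example: "bob" is the sample login from the post,
# interface names are placeholders for the firewall's real ones.

# Weak: full root for everyone on the rota, which the post wants to avoid.
# bob ALL = (ALL) ALL

User_Alias FWADMINS = bob

# Tasks 1-2: live interface, VLAN, CARP and routing changes.
# A command listed without arguments matches ANY arguments.
Cmnd_Alias NET_LIVE = /sbin/ifconfig, /sbin/route

# Tasks 1-4: persistent configuration. sudoedit runs the editor on a
# temporary copy as the invoking user, so the editor never runs as root
# and an editor shell escape yields only the admin's own shell.
Cmnd_Alias NET_FILES = sudoedit /etc/hostname.em0, \
                       sudoedit /etc/hostname.vlan0, \
                       sudoedit /etc/hostname.carp0, \
                       sudoedit /etc/mygate, \
                       sudoedit /etc/resolv.conf, \
                       sudoedit /etc/syslog.conf

# Task 4: make syslogd reread its configuration.
# With arguments listed, the typed command must match them exactly.
Cmnd_Alias SYSLOG_HUP = /usr/bin/pkill -HUP -x syslogd

# Task 5: edit the ruleset, syntax-check it, load it, inspect it.
Cmnd_Alias PF = sudoedit /etc/pf.conf, \
                /sbin/pfctl -nf /etc/pf.conf, \
                /sbin/pfctl -f /etc/pf.conf, \
                /sbin/pfctl -s rules, \
                /sbin/pfctl -s states, \
                /sbin/pfctl -s info

# Traffic viewing (last item in the post's list); arguments unrestricted.
Cmnd_Alias CAPTURE = /usr/sbin/tcpdump

# No shells, editors or pagers are granted as root; every sudo
# invocation is logged via syslog with the calling user's name.
FWADMINS ALL = NET_LIVE, NET_FILES, SYSLOG_HUP, PF, CAPTURE
```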