Disclaimer: I'm not just employed by Veeam Software. I'm the author of the free Veeam RootAccess utility.
To my surprise, the utility is becoming pretty popular
So the question goes: What are the real (technical) reasons behind disabling root access in ESX 3 by default?
I know one reason: auditing. A few people in my company know the root (or equivalent) credentials. This means enabling remote root would sort of encourage people to use it and do stuff like reconfig, patching and alike. I then wouldn't know Who did What and When (3 Ws of the auditing) on my ESX. Other than that, are there any reasons to disable the root access?
The sniffing answer sounds like a non-point to me: First, I don't see the difference between using root directly and sudoing. Second, our network is switched and sniffers are no concern.
Does anyone know any good technical reason (other than auditing) to disable root shell access by default?
Thanks,
Andrei
I second the added security layer opinion.
Also with sudo you can have a much more fine-grained authorization scheme. In the sudoers file you can specify who can do what on your ESX server with root rights.
If you let people log in as root, then they can do anything on your system (including changing the password for root, which would lock others using that account out...).
Check out the sudo man page for all options!
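As an added illustration of the fine-grained scheme described above (this is not from the post or from VMware), here is what a sudoers fragment for an ESX 3 service console could look like; the group name and command paths are assumptions:

```sudoers
# Added example sudoers fragment (assumed group name and paths, not from the thread).
# Edit only with visudo, so a syntax error cannot lock everyone out of sudo.

# sudo records the invoking user, the command and the time, which keeps the
# "who did what and when" that a shared root login loses.
Defaults    logfile=/var/log/sudo.log, log_year
Defaults    timestamp_timeout=5

# The VI admin group (assumed name) may run only this fixed set of commands as root.
# A command listed with arguments (service ... restart) matches those arguments only.
Cmnd_Alias  VMWARE_ADMIN = /usr/sbin/esxcfg-firewall, \
                           /usr/sbin/esxcfg-vswitch, \
                           /usr/bin/vmware-cmd, \
                           /sbin/service mgmt-vmware restart

# Weak setting: full root, no better than handing out the root password.
# %viadmins  ALL=(ALL) ALL

# Tighter setting: only the listed commands, no interactive shell, own password required.
%viadmins   ALL=(root) VMWARE_ADMIN
```

Because no shell or su appears in the alias, a member of the group cannot change the root password or open a root shell through sudo, and every invocation is attributed to the individual account in the log.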
It is an added layer of security. If it's disabled there is no chance of a script kiddie running a dictionary attack, someone logging in that learned the password, etc.
It's much harder to make a mistake when you always have to use sudo or su to make a root level change. There are really no good reasons to log into a system as root rather than a normal user level account.
Thanks,
I think the sudo point is good.
Andrei