Products that limit the root permission.

[halt]

There are many security products,such as IBM TAMOS,CobraSonic osAegis,
who claim that they can constrain the permission of root.

So even though the hacker or some unauthorized users successfully su to root,
they can't act like root.They say this is a strong and solid protection mechanism.

How should we evaluate this protection mechanism?
Is this mechanism worth investment ?

Thanks in advance.

[Michael]

A product that says it can limit what root can do is either using features already in AIX to limit root (e.g., RBAC), or they are adding a kernel extension.

Disclaimer: I have never seen AIX code for the kernel - but years ago when I had access to the bsd source code access() to resources by root was nearly as simple as:

if ( euid == 0) return(ACCESS_GRANTED)
else {
/* insert complex code for non-root users here */
}

So, to evaluate this I would:
1) setup a test partition according to current (company) standard or policy
2) get an evaluation license of the product
3) run tests as root
4) activate product
5) run tests both as login as root and as regular user that uses su/sudo to root

I would also compare cost of third product with using AIX RBAC - using roles to do what needs to be done without any need to access root user id. (but that is one of my pet projects - I am prejudiced in that regard.)

[Michael]

reading my previous post I realize I never answered the question.

Yes, anything that increases your control of, or access to the super user "powers" is worthwhile. How it does it is secondary. Your evaluation determines whether it's (cost) effective or not.