Thanks to: Karl Vogel, P Wallis, Gerhard den Hollan, Stephen Waelder, Shankar
Kanabiran, Michael J. Connolly.
I received many responses. Most of them were NOT in favor of CA Unicenter's
security module. Most of that majority was not in favor of using CA Unicenter
at all. A few had some good cases for why you *should* use CA.
In general, I think I'll try my best to avoid implementing the CA security
piece on my UNIX hosts. One of the NT guys had to go down the other night at 2
AM and reboot a couple of the servers because they crashed. I don't need my
security dependent on NT.
As for the rest of CA... I think it *can* be a good product. I think CA
Unicenter's true weak point is in its people and its business practices. I
think they are GREAT at sales and hype and *really* light on real expertise. I
also think they don't really have the customers' best interest in mind and are
driven purely by profits. Once we get a few guys of our own trained and they are
not worried about staying as long as they can so that they can pick up more
service money, we'll be OK.
Thanks,
Thomas Lester
Original question:
I apologize for being slightly off topic, but I need to hear from experience
about some issues I'm having with CA Unicenter. We are in the process of
implementing TNG and are getting close to putting the security piece into
place.
Now, every time I try to get *any* kind of real information from CA about
exactly how the security piece is going to work, I get more sales "fluff" than
an answer and it's starting to scare me a bit. From what I understand so far,
there's not much it does for me that I can't do as well or better with
NIS/NIS+, sudo, and a good syslog.conf. Here is what my security team wants:
A thorough audit trail
Single user ID
File level security
Extremely limited access to root
It concerns me that to implement CA's security I have to open my boxes up.
It concerns me that at that point security is at the whim of an NT box (or
multiple NT boxes). It concerns me that my user database will reside on MS SQL.
And it REALLY bothers me that for me to do anything administrative to my
machines, I have to get to an NT workstation and use the CA console to do
anything (like add a user or change a password).
If any of you have worked with this product, I'd love to hear about your
experience. Did you implement, or choose not to? Any that considered it and
didn't, I'd love to hear why you didn't.
Here's my stats:
Sun shop from Sparc 5 through E6000 (about 90 boxes, 5000 users)
A couple of HP/UX's
A couple of AIX's.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=+=+=+=+=+=+=+=
Thomas Lester UNIX Systems Administrator
tlester@iakom.com http://www.iakom.com
----------------------------------------------------------------------
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:53 CDT