Many thanks to everyone who has taken the time to reply - lots of useful info for me to bring to future discussions. Very much appreciated...

On 3 Feb 2014, at 18:01, Matthew Zito <matt@xxxxxxxxxxxxxxxxx> wrote:

>
> Wait - I forgot about one option that I alluded to in the first paragraph of
> my email - commercial sudo replacements that offer more advanced capabilities
> where they actually intercept system calls to try to anticipate what users
> are (negatively) trying to do. They're expensive, complicated to run well,
> and usually people can figure out how to get around them. But they get used
> from time to time, especially at really big companies.
>
> One or two big companies I deal with have an intermediary solution, where
> they can "break glass" to get access to root for things like root.sh, but
> they have to go to a website, open a ticket with what they're doing, it gets
> approved, and they get the root password, which is actually automatically
> generated. They then log in with that password once, run root.sh, and then
> the password is changed automatically until the next person requests root
> access.
>
> Again, complicated and expensive.
>
> Matt

--
//www.freelists.org/webpage/oracle-l