<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman,new york,times,serif;font-size:12pt"><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;">As Tim rightfully pointed out, the problem is that they see CUCM as an application that can just be upgraded just like the operating system. They don't see it in reality where it's like a machine with all of its gears tightly pressed against each other. One would never want to replace a gear in the machine while it's still moving or replace a gear with a cog that's a different size than the one already present.<br><br>The DoD see it as just another *nix box that they *need* to control. It's silly but I can understand where they're coming from. They have the perception that only Cisco can jump into the box at will and become root when that's not the case at all.<br><br><div style="font-family: times new roman,new
york,times,serif; font-size: 12pt;"><font size="2" face="Tahoma"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> Sean Walberg &lt;swalberg@gmail.com&gt;<br><b><span style="font-weight: bold;">To:</span></b> Tim Reimers &lt;treimers@ashevillenc.gov&gt;<br><b><span style="font-weight: bold;">Cc:</span></b> Matthew Saskin &lt;msaskin@gmail.com&gt;; Paul &lt;asobihoudai@yahoo.com&gt;; cisco-voip@puck.nether.net<br><b><span style="font-weight: bold;">Sent:</span></b> Wednesday, March 25, 2009 10:19:13 AM<br><b><span style="font-weight: bold;">Subject:</span></b> Re: [cisco-voip] Usage of superuser account on Linux-based CUCM<br></font><br>Just thinking out loud here, but what are they going to do with root? Cisco will probably drill into their heads the consequences of playing around. They'll log in a couple of times then get bored because they can't do anything.<br>
<br>This is just another example of a corporate policy that doesn't really solve a problem, or wasn't well thought out and affects more things than was intended.<br><br>Sean<br><br><div class="gmail_quote">On Wed, Mar 25, 2009 at 8:55 AM, Tim Reimers <span dir="ltr"><<a rel="nofollow" ymailto="mailto:treimers@ashevillenc.gov" target="_blank" href="mailto:treimers@ashevillenc.gov">treimers@ashevillenc.gov</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">But Paul's question is about the DoD policy requiring that they have the<br>
root password on file, isn't it?<br>
<br>
Hopefully he can correct their perception that this is a vanilla Linux<br>
server that they have to patch and maintain just as any other Linux<br>
server.<br>
<br>
I'd think that Cisco's statements indicating that they require Cisco<br>
approve and provide all patches,<br>
instead of doing what many people do - watching security lists or<br>
kernel-dev or some such, and patching according to what info they see<br>
there.<br>
<br>
I've had similar problems with customer perceptions and Linux in the<br>
past-<br>
though those customers were upset that Symantec never listed Linux as<br>
vulnerable to the VOD (virus of the day)<br>
they thought Symantec wasn't doing a good job, and maybe a better<br>
company would properly show that Linux was vulnerable to<br>
things that Windows was.<br>
<br>
<br>
Tim Reimers<br>
Systems Analyst II<br>
Information Technology Services<br>
City of Asheville<br>
70 Court Plaza<br>
Asheville, NC 28801<br>
phone - 828-259-5512<br>
<a rel="nofollow" ymailto="mailto:treimers@ashevillenc.gov" target="_blank" href="mailto:treimers@ashevillenc.gov">treimers@ashevillenc.gov</a><br>
<br>
-----Original Message-----<br>
From: <a rel="nofollow" ymailto="mailto:cisco-voip-bounces@puck.nether.net" target="_blank" href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</a><br>
[mailto:<a rel="nofollow" ymailto="mailto:cisco-voip-bounces@puck.nether.net" target="_blank" href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</a>] On Behalf Of Matthew Saskin<br>
Sent: Tuesday, March 24, 2009 10:53 PM<br>
To: Paul; <a rel="nofollow" ymailto="mailto:cisco-voip@puck.nether.net" target="_blank" href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
Subject: Re: [cisco-voip] Usage of superuser account on Linux-based CUCM<br>
<br>
Have had to do it with TAC supervision to fix multiple defects,<br>
including 6.0.1 CDR issues, 4x to 6x upgrade issues, etc.<br>
<br>
Don't need it for any day-to-day activities, and access via TAC is<br>
typically a very quick process when required.<br>
<br>
-matt<br>
<br>
<br>
On 3/24/09, Paul <<a rel="nofollow" ymailto="mailto:asobihoudai@yahoo.com" target="_blank" href="mailto:asobihoudai@yahoo.com">asobihoudai@yahoo.com</a>> wrote:<br>
><br>
> I'm wondering how many of you out there have felt the need to access<br>
> the superuser account under CUCM? My understanding is that only TAC<br>
> has access to root# and only uses it in the rare case that they need<br>
> to peek into the internals of the appliance.<br>
><br>
> I'm asking this because the US Department of Defense apparently thinks<br>
> they're required to have root# to all of their boxes, appliance or<br>
> not. I think this is a problem of their perception that Linux-based<br>
> CUCM is a vanilla-application running on top of Linux.<br>
><br>
> _______________________________________________<br>
> cisco-voip mailing list<br>
> <a rel="nofollow" ymailto="mailto:cisco-voip@puck.nether.net" target="_blank" href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
> <a rel="nofollow" target="_blank" href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
><br>
</blockquote></div><br><br clear="all"><br>-- <br>Sean Walberg <<a rel="nofollow" ymailto="mailto:sean@ertw.com" target="_blank" href="mailto:sean@ertw.com">sean@ertw.com</a>> <a rel="nofollow" target="_blank" href="http://ertw.com/">http://ertw.com/</a><br>
</div></div></div><br>
</body></html>