Re: Thanks to all (was Re: Solaris, Sudo, and locking...)

From: Alek O. Komarnitsky (N-CSC) (alek@ast.lmco.com)
Date: 10/01/01


Date: Sun, 30 Sep 2001 23:39:30 -0600 (MDT)
From: "Alek O. Komarnitsky (N-CSC)" <alek@ast.lmco.com>
Subject: Re: Thanks to all (was Re: Solaris, Sudo, and locking...)
To: focus-sun@securityfocus.com, gewasiuk@gnmc.net
Message-id: <200110010539.XAA15089@goose.ast.lmco.com>


> From: Gordon Ewasiuk <gewasiuk@gnmc.net>
> Subject: Thanks to all (was Re: Solaris, Sudo, and locking...)
> To: focus-sun@securityfocus.com
>
> Thanks to the overwhelming response! Most suggested that locking the root
> account wasn't worth the trouble. Some also suggested that other, more
> detailed methods were available to control user access and actions.
>
> Finally, the sudo config I inherited appears to need some tweaking.
> While we do use command lists, users, and groups, some serious holes
> were pointed out.
>
> Thanks again for all the great info,
>
> -Gordon

FYI FWIW: I wrote a couple of utilities for sudo that may be useful for 'ya.
You can find these from the sudo home page at:
   http://www.courtesan.com/sudo/ -> Sudo Tools
or directly at my web site at:
   http://www.komar.org/ -> Misc. Tech Stuff -> sudo-tools

sudo-tools includes:
     sudolog-usage: Slices/dices the sudolog (syslog output from sudo) better
     than a Ron-ko-Matic from K-tel and summarizes who used sudo on what hosts.

     sudoers-lint: Slices/dices the sudoers files in various ways so you can
     see if any "cruft" has accumulated in there and/or "orphaned" entries.

alek

P.S. I think there are VERY few situations where an "su root" or even
"sudo su root" should be needed ... so hopefully one can convince the
admin staff that using sudo is a "good" idea ... and then the root
password can be shared with a small group that understands that and
used for those VERY few situations where it is truly needed.

BTW, I may have missed these two specific ideas, but for "true" physical
access, why not have a locked/sealed envelope in the server room with the
root passwords - open it when you need it. And if you have console switches,
maybe encrypt those passwords elsewhere (with appropriate security measures
and "locks" on remote root access just in case of compromise) so you can
look 'em up if you HAVE to do something remotely.
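
Added example, not part of the original message and not the sudo-tools code: a Python illustration of the kind of per-user, per-host summary that sudolog-usage is described as producing, which also lists shells run as root, the case the P.S. says should rarely be needed. It assumes sudo's default syslog line format; the function names and the sample lines (hosts, users) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in sudo's default syslog line format; hosts and users are made up.
SAMPLE_LOG = """\
Sep 30 21:02:11 hosta sudo:    alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/ifconfig -a
Sep 30 21:05:40 hosta sudo:      bob : TTY=pts/4 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/su root
Sep 30 22:17:03 hostb sudo:    alice : TTY=pts/1 ; PWD=/var/adm ; USER=root ; COMMAND=/usr/bin/tail messages
Sep 30 22:19:55 hostb sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/sh
Sep 30 23:01:12 hosta sudo:    alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/ls /root
Sep 30 23:02:00 hosta sshd[412]: Accepted password for alice from 192.0.2.5
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\ssudo(?:\[\d+\])?:"
                     r"\s+(?P<user>\S+)\s:\s(?P<rest>.*)$")
SHELLS = {"su", "sh", "bash", "csh", "ksh", "tcsh", "zsh"}  # programs that hand out a shell

def parse(line):
    """Return a dict for one sudo syslog line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # COMMAND= is the last field and may itself contain " ; ", so split it off first.
    head, _, command = m["rest"].partition("COMMAND=")
    rec = {"host": m["host"], "user": m["user"], "command": command, "notes": []}
    for part in filter(None, (p.strip() for p in head.split(" ; "))):
        key, sep, val = part.partition("=")
        if sep and key.isupper():
            rec[key] = val             # TTY, PWD, USER
        else:
            rec["notes"].append(part)  # free-text message, e.g. "user NOT in sudoers"
    return rec

def summarize(text):
    """Count sudo use per (user, host); list refusals and root shells separately."""
    usage, refused, root_shells = Counter(), [], []
    for rec in filter(None, map(parse, text.splitlines())):
        who = (rec["user"], rec["host"])
        if rec["notes"]:               # assumption: a free-text message means sudo refused
            refused.append(who + (rec["notes"][0],))
            continue
        usage[who] += 1
        argv = rec["command"].split()
        if argv and rec.get("USER") == "root" and argv[0].rsplit("/", 1)[-1] in SHELLS:
            root_shells.append(who + (rec["command"],))
    return usage, refused, root_shells

if __name__ == "__main__":
    for name, result in zip(("usage", "refused", "root shells"), summarize(SAMPLE_LOG)):
        print(name, dict(result) if isinstance(result, Counter) else result)
```
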


