Questions !
Wadiyar, Umakant
UWADIYAR at PacificLife.com
Tue Mar 21 19:22:36 EST 2000
That Helps .
Thanks a Lot .
-----Original Message-----
From: George Meharry II [mailto:gmeharry at yahoo.com]
Sent: Tuesday, March 21, 2000 4:22 AM
To: Wadiyar, Umakant
Subject: Re: Questions !
Umakant,
Here's how we're going about this ...
1) /etc/sudoers
We actually automount this file to all of our clients
(it's also in a non-"standard" location).
Here's what we gain (and why) ...
a) obvious - sudoers in non-standard location.
b) ONE rule file to maintain (call me lazy :-).
c) directory/device containing sudoers is not "root
shared" to client machines. As a result, modifications
to sudoers cannot be performed on client machines.
d) server that contains the master rules file is a
secure machine - limited number of users allowed
access.
e) Only security personnel are allowed to run the
visudo command - this of course doesn't keep
authorized users on the server from making mods on the
fly; but we're a small enough group that it's "good
kind of trust".
2) sudo logs ...
Here again, sudo logs both to file and syslog. So
there's going to be a copy of "local" commands on the
client (the log is also in a non-standard location) as
well as a copy in an "enterprise" log which is on our
secured server. The backdoor to this is that the user
a) makes mods to syslog.conf to prevent capture of log
events; b) is able to compile his own copy of sudo
that doesn't log; c) runs sudo once switching his ID
to root and then all commands from that point aren't
captured.
Again, this becomes a trust issue when you start
giving out various "privileges" to users. The only
advice that can really be offered here is BE WISE. Joe
user doesn't need full root access. You might also get
the "sudo utilities" and start reviewing your logs.
That's it for now ... :-)
Best.
George
__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com
More information about the sudo-users
mailing list