[sudo-users] How to prevent editing sudoers-file

Matthew Hannigan mlh at zip.com.au
Sat Dec 2 06:20:59 EST 2006

On Fri, Dec 01, 2006 at 08:48:13AM -0600, Michael Potter wrote:
> Matt,
> Could you clarify your statements.


> -- 
> potter
> On 11/29/06, Matthew Hannigan <mlh at zip.com.au> wrote:
> >
> >On Wed, Nov 29, 2006 at 02:06:38PM -0800, Stephen Carville wrote:
> >> > You've raised the bar a bit, but not much.
> >>
> >> True but trip wire should catch that.
> >
> >.. many hours later.

The tripwire checker only runs typically once a day, at night.
This could be many hours after a intrusion.

> >.. unless you loaded a kernel module to lie to tripwire

Tripwire can be fooled into thinking a file has not been
changed when in fact it has.

This is not easy and I don't want to over emphasise the
risk.   But the fact is this approach of merely making 
the sudoers file not writable is NOWHERE NEAR good
enough to secure the machine.

If you mostly trust your users you might be fine; if not
you need think harder.


More information about the sudo-users mailing list