[sudo-users] How to prevent editing sudoers-file

Michael Potter pottmi at gmail.com
Sat Dec 2 11:42:53 EST 2006


Thanks for the clarification Matt.
I wholeheartedly agree with all of your statements.



On 12/2/06, Matthew Hannigan <mlh at zip.com.au> wrote:
>
> On Fri, Dec 01, 2006 at 08:48:13AM -0600, Michael Potter wrote:
> > Matt,
> >
> > Could you clarify your statements?
>
> OK
>
> > --
> > potter
> >
> > On 11/29/06, Matthew Hannigan <mlh at zip.com.au> wrote:
> > >
> > >On Wed, Nov 29, 2006 at 02:06:38PM -0800, Stephen Carville wrote:
> > >> > You've raised the bar a bit, but not much.
> > >>
> > >> True but trip wire should catch that.
> > >
> > >.. many hours later.
>
> The tripwire checker only runs typically once a day, at night.
> This could be many hours after an intrusion.
>
> > >.. unless you loaded a kernel module to lie to tripwire
>
> Tripwire can be fooled into thinking a file has not been
> changed when in fact it has.
>
> This is not easy and I don't want to overemphasise the
> risk. But the fact is this approach of merely making
> the sudoers file not writable is NOWHERE NEAR good
> enough to secure the machine.
>
> If you mostly trust your users you might be fine; if not
> you need to think harder.
>
> Matt
>


