[sudo-users] How to prevent editing sudoers-file

Stephen Carville stephen at totalflood.com
Sun Nov 26 22:01:07 EST 2006


Stanley, Jon wrote:
> What if the "bad user" disables said cronjob?  IMHO, it should checkin occasionally to say it ran, and an exception should be generated if it does not run. The exact mechanism is still unclear to me - it needs to be something that involves both the server and the client, since if it's client-only, the malicious user could write a script to emulate the behavior of the real one, sans the actual checking. 

The cron job runs on the secured station, not the target box, and there 
are some other safeguards on that box since it is also a central password 
repository.

The script also sends status to Big Brother, and Big Brother looks for 
visudo in bb-proctab, but that's really trivial to spoof.  Sure, this 
could be bypassed.  Any security can be bypassed.  I'm just suggesting 
an additional and relatively easy to implement layer.

> 
> ----- Original Message -----
> From: sudo-users-bounces at courtesan.com <sudo-users-bounces at courtesan.com>
> To: sudo-users at sudo.ws <sudo-users at sudo.ws>
> Sent: Sun Nov 26 18:47:22 2006
> Subject: Re: [sudo-users] How to prevent editing sudoers-file
> 
> Michael Potter wrote:
>> Claude,
>>
>> This question comes up in many forms many times.
>>
>> This comes down to that you are trying to enumerate all the bad things that
>> a user could do and put in a rule to avoid them.  That strategy does not
>> work.  There are many other ways that your user could do malicious things (and
>> not be logged).
> 
> One thing I do is to edit my sudoers file on a workstation that only 
> "sudo admins" have access to.  When the edits are done, a script is run 
> to push the modified sudoers file to all the machines that use it. 
> This script also writes out a file with the new sudoers file md5sum in 
> it.  A cron job runs regularly that checks the md5sum for sudoers on all 
> of the machines and if there is a difference, notifies the sudo admins.
> 


-- 
Stephen Carville <stephen at totalflood.com>
Unix and Network Admin
Nationwide Totalflood
6033 W. Century Blvd
Los Angeles, CA 90045
310-342-3602
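The push-then-compare scheme quoted above, plus a heartbeat stamp for the "what if the cron job is disabled?" objection, as an added example that is not code from the thread or from the sudo project. It assumes the secured station has already fetched each host's copy of sudoers into a local path; the file names and sample sudoers lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): record a hash when sudoers is pushed,
# compare a fetched copy against it later, and keep a heartbeat stamp so the
# monitoring side can tell when the checker itself stops running.

HASH_CMD=${HASH_CMD:-md5sum}   # the thread uses md5sum; sha256sum is a drop-in

# record_baseline <sudoers-file> <baseline-file>: store "<hash>  <path>" at push time.
record_baseline() {
    $HASH_CMD "$1" > "$2"
}

# check_sudoers <fetched-copy> <baseline-file>: 0 if the copy matches the recorded
# hash, 1 if it differs or is missing (the cron job would then notify the admins).
check_sudoers() {
    copy=$1; baseline=$2
    expected=$(cut -d' ' -f1 "$baseline")
    if [ ! -f "$copy" ]; then
        echo "ALERT: $copy is missing" >&2
        return 1
    fi
    actual=$($HASH_CMD "$copy" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "ALERT: $copy differs from pushed version ($expected != $actual)" >&2
        return 1
    fi
    return 0
}

# heartbeat <stamp-file> <max-age-minutes>: the checker touches the stamp on every
# run; the monitor (Big Brother in the thread) calls this and alerts on 1 (stale).
heartbeat() {
    stamp=$1; max_min=$2
    [ -f "$stamp" ] && [ -z "$(find "$stamp" -mmin +"$max_min")" ]
}

# Demo on a constructed sudoers file in a temporary directory.
demo() {
    dir=$(mktemp -d)
    printf 'root ALL=(ALL) ALL\n%%wheel ALL=(ALL) ALL\n' > "$dir/sudoers"
    record_baseline "$dir/sudoers" "$dir/sudoers.md5"
    check_sudoers "$dir/sudoers" "$dir/sudoers.md5" && echo "sudoers unchanged"
    echo '# tampered copy (constructed)' >> "$dir/sudoers"
    check_sudoers "$dir/sudoers" "$dir/sudoers.md5" || echo "notify sudo admins"
    touch "$dir/last-run"
    heartbeat "$dir/last-run" 60 && echo "checker alive"
    rm -rf "$dir"
}
demo
```

Only hashes and the heartbeat live on the checking side, so a host-local edit that also rewrites the local hash file changes nothing the secured station trusts.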
