Security Practices question

Barb Dijker barb at netrack.net
Thu Oct 3 18:43:05 UTC 2002



>There is no secure accountability, by default, with sudo either.  The
>sudo log is trivially bypassed, at least in every instance I've ever
>encountered it being used, even when those who installed it claimed it
>was "secure".

Sudo accountability is only as secure as the programs which you allow the 
user to run via sudo.

At least with sudo you have control over allowed commands and logging per 
command.  With uid=0 accounts you have neither.  In any case with someone 
having root, they can circumvent controls.  The point is with uid=0 
accounts there are no controls to circumvent.

>The biggest problem with sudo is that it often makes it a heck of a lot
>easier for an attacker with minimal access to gain increased privileges

How is that??  An attacker needs to not only access the system as a 
sudo-capable user, but also know their password (have cracked it).  With 
additional uid=0 accounts, you've added passwords to root which betters the 
odds for cracking uid=0 as much as sudo-capable accounts do.  At least with 
sudo, they have to first figure out who might have full sudo access.  You 
won't find that in /etc/passwd like you find uid=0.

>  Oddly only by
>forcing admins to login directly via a trusted path as root can you
>avoid many of those risks

Any time you force someone to login via a trusted path, as root or a 
regular user (for sudo/su), you avoid auth/acct risks.  This is not a 
feature only of logging in as uid=0.  Trusted paths are essential in any 
security scheme.

>, and if that's the approach you take then use
>of multiple UID==0 accounts is the only way to achieve (regain?) at
>least minimal accountability (i.e. the same amount that can be achieved
>with 'su', assuming one has a decently secure logging system, or
>physically secure host with a good and complete securemode
>implementation and append-only log files, etc.).

Your statement seems to make the assumption that a login via a uid=0 
account is somehow better authenticated than a normal user login (who can 
then su/sudo) and thus better than sudo or su.  A login is a login.  It's 
only as good as the trusted path regardless of uid.

If you have a secure logging system, your sudo log can be just as secure as 
login entries.  In fact sudo and su logs are easier to secure than login 
because sudo and su use syslog and login does not.

It seems in your definition of "accountability," you only need to know who 
logged in when.  That's all you're getting, if you believe your "trusted 
path." With sudo, even if you don't believe the sudo logs, you still get at 
least who logged in when, but much more as well.

>their managers must not trust the sudo log any more than they would
>really trust any logbook, even one written in indelible pen on
>sequentially numbered pages in a hard-bound volume.

But at least it is something.  The login logging is equally suspect (can 
readily be modified) and contains insufficient information to account for 
activities after login.

Try to figure out who unplugged a computer in a controlled access machine 
room.  You can only make guesstimates by correlating the time of the event 
with the time stamps on the door access logs.  What if the logs show two 
people in the room at the same time and they both claim 
ignorance?  Accounting only for the login event is pretty useless.

...Barb
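The contrast Barb draws above (uid=0 accounts are all visible in /etc/passwd and leave only a login record, while sudo logs the caller and the command through syslog, and is only as good as the commands it permits) can be made concrete. The following is an added example, not code from the original post or from the sudo project; the /etc/passwd excerpt and the sudo syslog lines are constructed for illustration, and the hostname, usernames and timestamps are invented.

```python
"""Added example (not part of the original NANOG post): enumerate every
uid=0 login in a constructed /etc/passwd, parse constructed sudo syslog
lines into who/what/when records, and flag the commands after which sudo
can no longer account for anything (an interactive shell as root)."""
import re
from typing import Dict, List, Optional

# Constructed /etc/passwd excerpt: two accounts share uid 0, so there are
# two passwords that each unlock root and the login record alone cannot
# tell you what either person did afterwards.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:alternate root:/root:/bin/sh
barb:x:1001:1001:Barb Dijker:/home/barb:/bin/sh
ops:x:1002:1002:Ops user:/home/ops:/bin/sh
"""

# Constructed sudo syslog lines in the classic auth-facility format
# (hostname "host", users and times invented for the example).
SUDO_LOG_SAMPLE = """\
Oct  3 18:40:01 host sudo:     barb : TTY=pts/0 ; PWD=/home/barb ; USER=root ; COMMAND=/sbin/ifconfig eth0
Oct  3 18:41:17 host sudo:      ops : TTY=pts/1 ; PWD=/home/ops ; USER=root ; COMMAND=/bin/sh
Oct  3 18:42:05 host sudo:      ops : command not allowed ; TTY=pts/1 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
"""

# One sudo log line: timestamp, host, caller, optional denial reason,
# then the TTY/PWD/USER/COMMAND fields sudo writes for every attempt.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Commands that hand the caller an interactive root shell; sudo logs the
# invocation but nothing the shell does afterwards.
ROOT_SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh"}


def uid0_accounts(passwd_text: str) -> List[str]:
    """Return every login name whose uid field is 0.  Each extra entry is
    another password that unlocks root, and it is world-readable."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.append(fields[0])
    return names


def parse_sudo_log(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Turn sudo syslog lines into dicts; 'reason' is None for a permitted
    command and the denial text (e.g. 'command not allowed') otherwise."""
    entries = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def shell_escapes(entries: List[Dict[str, Optional[str]]]) -> List[str]:
    """Callers who were permitted a root shell: from that point on the
    sudo log is no better than a plain uid=0 login record."""
    return [
        e["user"]
        for e in entries
        if e["reason"] is None and e["cmd"].split()[0] in ROOT_SHELLS
    ]


if __name__ == "__main__":
    print("uid=0 logins:", uid0_accounts(PASSWD_SAMPLE))
    for e in parse_sudo_log(SUDO_LOG_SAMPLE):
        status = "DENIED" if e["reason"] else "ok"
        print(f"{e['ts']} {e['user']:>5} -> {e['target']} [{status}] {e['cmd']}")
    print("root shells granted to:", shell_escapes(parse_sudo_log(SUDO_LOG_SAMPLE)))
```

The two checks are the ones a practitioner wants after reading this thread: `uid0_accounts` is what an attacker reads off /etc/passwd to know which names are worth cracking, and `shell_escapes` is the per-command caveat in the reply, since a sudoers rule that permits `/bin/sh` gives up exactly the accountability sudo was installed for.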
