Re: CentOS 8




On Fri, 9 Apr 2021 at 12:02, Valeri Galtsev <galtsev@xxxxxxxxxxxxxxxxx>
wrote:

>
>
> On 4/9/21 10:47 AM, Binet, Valere (NIH/NIA/IRP) [C] wrote:
> > The NIST and CIS baselines don't allow su, we have to use sudo on
> > government computers.
> >
>
> Could you enlighten me on the rationale behind that restriction? As, as
> you already noticed, my [ancient, maybe] reasoning makes me arrive at an
> opposite conclusion. (but mine is pure security consideration with full
> trust vested into sysadmin, see below...)
>
> On a second guess: it is just for a separation of privileges, and
> accounting of who did what which sudo brings to the table... Right?
>
>
sudo brings in accounting and the ability to restrict a person to a
single command. [That is hard to do well but it is possible.] It also
allows for an easily auditable configuration file set so that you can see
what should have been allowed and what shouldn't. Versus the usual 'oh let's
make it setgid blah or setuid foo but restricted to this group..' and
people forgetting it was done that way or why.

That said, like any tool, it can be used as a hammer when it should have
remained a Phillips head.

-- 
Stephen J Smoogen.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
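
An added example, not part of the original message or of sudo: a small audit pass over sudoers-style user specifications that shows the "auditable configuration" point and why single-command restriction is hard to do well. The sample entries, the function name `audit_sudoers` and the finding labels are assumptions made for illustration; aliases, includes and line continuations are not handled.

```python
import re

# Constructed sample sudoers entries (assumed; not from the original message).
SAMPLE_SUDOERS = """\
Defaults    logfile=/var/log/sudo.log
%wheel      ALL=(ALL) ALL
alice       ALL=(root) /usr/bin/systemctl restart httpd
bob         ALL=(root) NOPASSWD: /usr/bin/systemctl
carol       ALL=(root) /usr/bin/tail /var/log/*
"""

# who host = (runas) command[, command ...]
RULE = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAGS = re.compile(r"^((?:[A-Z_]+:\s*)+)")

def audit_sudoers(text):
    """Return a list of (who, command, findings) for each user specification."""
    report = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(("#", "@", "Defaults")) or "_Alias" in line:
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, nopasswd = m.group(1), False
        for cmd in map(str.strip, m.group(2).split(",")):
            tagged = TAGS.match(cmd)
            if tagged:  # a tag such as NOPASSWD: also applies to later commands
                for tag in re.findall(r"[A-Z_]+", tagged.group(1)):
                    nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(tag, nopasswd)
                cmd = cmd[tagged.end():].strip()
            findings = []
            if cmd == "ALL":
                findings.append("any command")
            else:
                if len(cmd.split()) == 1:  # no argument list means any arguments
                    findings.append("any arguments")
                if "*" in cmd or "?" in cmd:
                    findings.append("wildcard")
            if nopasswd:
                findings.append("no password")
            report.append((who, cmd, findings))
    return report

if __name__ == "__main__":
    for who, cmd, findings in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who:8} {cmd:40} {', '.join(findings) or 'ok'}")
```

Only the `alice` entry pins both the command and its arguments; the others are the kind of rule a reviewer would question.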


