On 4/9/21 1:15 PM, Stephen John Smoogen wrote:
On Fri, 9 Apr 2021 at 12:40, Valeri Galtsev <galtsev@xxxxxxxxxxxxxxxxx>
wrote:
On 4/9/21 11:23 AM, Stephen John Smoogen wrote:
On Fri, 9 Apr 2021 at 12:19, Stephen John Smoogen <smooge@xxxxxxxxx>
wrote:
On Fri, 9 Apr 2021 at 12:02, Valeri Galtsev <galtsev@xxxxxxxxxxxxxxxxx>
wrote:
On 4/9/21 10:47 AM, Binet, Valere (NIH/NIA/IRP) [C] wrote:
The NIST and CIS baselines don't allow su, we have to use sudo on
government computers.
Could you enlighten me on the rationale behind that restriction? As, as
you already noticed, my [ancient, maybe] reasoning makes me arrive at
an
opposite conclusion. (but mine is pure security consideration with full
trust vested into sysadmin, see below...)
On a second guess: it is just for a separation of privileges, and
accounting of who did what which sudo brings to the table... Right?
sudo brings into accounting and the ability to restrict a person to a
single command. [That is hard to do well but it is possible.] It also
allows for an easily auditable configuration file set so that you can
see
what should have been allowed and what shouldn't. Versus the usual 'oh
lets
make it setgid blah or setuid foo but restricted to this group..' and
people forgetting it was done that way or why.
That said it is like any tool can be used as a hammer when it should
have
remained a phillips head.
Finally sudo can allow for better RBAC rules where if that is needed you
had to have multiple su commands that were aligned to each role so that
people could not escape their jail. [My understanding is that this is
where
your chosen OS shines
that should have been written as
your chosen OS, FreeBSD, shines ...
Ah, I couldn't imagine someone remembers I use FreeBSD too. On servers
that is. Number crunchers, workstations, and laptops of my users run
CentOS (7), Ubuntu (laptops), and also Debian these days. Not mentioning
MS Windows and MacOS, though probably should. As these are my choices
too as well as those of my users.
my apology for dropping the packets as I thought i typed it but didn't
No need to apologize. I was indeed a bit puzzled thinking this must be
something obvious - derived from the fact this is CentOS list maybe -
still it was kind of escaping me so I asked ;-)
Yes, I did start rating sudo higher than I did in the past after this
thread (hijacked - my apologies if it was my doing, didn't mean though).
Thanks, everybody, for your insights !
Valeri
Which one OS would be that?
Valeri
with sudo and this was lifted to other os's laster.]
By 2005 most .gov/.mil baselines required su to be no longer allowed
because of this.
--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
