Re: F22 System Wide Change: Set sshd(8) PermitRootLogin=no


 



> > - improves accountability for administrative actions (we know which admin
> > messed up :)
> 
> Nonsense. For non-malicious logins, sudo leaves as much of a trail as
> sshd which tells you which credentials were used to login. For malicious
> logins, once root access is obtained via password-less sudo, the
> evidence is removed from the logs.

… which is why good large-scale setups immediately send logs away from the machine to a dedicated log host.

True, given our current design, which does not block the login on successful log write/flush, this becomes a race between sending the logs and the attacker logging in and trying to abort the log sending operation.

Also, I realize that many (single-user and small data center) setups do not have such a log host; still, the OS should be designed to make such auditing at least possible, and making it easy enough to eliminate direct logins to the root account (whether using a password or a key) would go in that direction.
    Mirek
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
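
Added example, not part of the original message: a small audit that a dedicated log host could run over forwarded auth logs, separating direct root logins (tied only to a source address and authentication method) from sudo escalations (tied to a named account). The log lines are constructed samples in the usual OpenSSH and sudo syslog layout, and `audit_root_access` is a hypothetical name.

```python
import re
from collections import defaultdict

# Constructed sample lines (not taken from the thread), in the usual sshd/sudo syslog layout.
SAMPLE_LOG = """\
Feb  3 10:15:02 web1 sshd[1234]: Accepted publickey for root from 192.0.2.10 port 51234 ssh2: RSA SHA256:CONSTRUCTEDFINGERPRINT
Feb  3 10:16:40 web1 sshd[1301]: Accepted password for alice from 192.0.2.11 port 40022 ssh2
Feb  3 10:17:05 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd
Feb  3 10:20:11 web1 sshd[1377]: Accepted password for root from 192.0.2.12 port 40100 ssh2
Feb  3 10:21:30 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/dnf update
"""

# Successful sshd authentication: captures host, method, account and source address.
SSHD_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
# sudo invocation that targets root: captures the invoking account and the command.
SUDO_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*USER=root ; COMMAND=(?P<cmd>.+)$"
)

def audit_root_access(log_text):
    """Return (direct_root_logins, sudo_commands_by_account)."""
    direct_root = []                    # (host, source, method): no admin account recorded
    sudo_by_admin = defaultdict(list)   # account -> commands run as root
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            if m["user"] == "root":
                direct_root.append((m["host"], m["src"], m["method"]))
            continue
        m = SUDO_RE.match(line)
        if m:
            sudo_by_admin[m["user"]].append(m["cmd"])
    return direct_root, dict(sudo_by_admin)

if __name__ == "__main__":
    direct, via_sudo = audit_root_access(SAMPLE_LOG)
    for host, src, method in direct:
        print(f"direct root login on {host} from {src} via {method}")
    for admin, cmds in via_sudo.items():
        print(f"{admin} ran as root: {cmds}")
```
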



