From: Alek O. Komarnitsky (N-CSC) (alekast.lmco.com)
Date: Mon Oct 01 2001 - 00:39:30 CDT
> From: Gordon Ewasiuk <gewasiuk@gnmc.net>
> Subject: Thanks to all (was Re: Solaris, Sudo, and locking...)
> To: focus-sun@securityfocus.com
> Thanks to the overwhelming response! Most suggested that locking the root
> account wasn't worth the trouble. Some also suggested that other, more
> detailed methods were available to control user access and actions.
> Finally, the sudo config I inherited appears to need some tweaking.
> While we do use command lists, users, and groups, some serious holes
> were pointed out.
> Thanks again for all the great info,
FYI FWIW: I wrote a couple of utilities for sudo that may be useful for 'ya.
You can find these from the sudo home page at:
http://www.courtesan.com/sudo/ -> Sudo Tools
or directly at my web site at:
http://www.komar.org/ -> Misc. Tech Stuff -> sudo-tools
sudolog-usage: Slices/dices the sudolog (syslog output from sudo) better
than a Ron-ko-Matic from K-tel and summarizes who used sudo on what hosts.
sudoers-lint: Slices/dices the sudoers files in various ways so you can
see if any "cruft" has accumulated in there and/or "orphaned" entries.
P.S. I think there are VERY few situations where an "su root" or even
"sudo su root" should be needed ... so hopefully one can convince the
admin staff that using sudo is a "good" idea ... and then the root
password can be shared with a small group that understands that and
used for those VERY few situations where it is truly needed.
BTW, I may have missed these two specific ideas, but for "true" physical
access, why not have a locked/sealed envelope in the server root with the
root passwords - open it when you need it. And if you have console switches,
maybe encrypt those passwords elsewhere (with appropriate security measures
and "locks" on remote root access just in case of compromise) so you can
look 'em up if you HAVE to do something remotely.
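The sudolog-usage idea above (summarize who used sudo on which hosts) and the P.S. about "sudo su root" being rarely justified both come down to reading sudo's syslog output. The following is an added example, written for this page and not one of the sudo-tools from the post: it parses sudo's default syslog line format (`user : TTY=... ; PWD=... ; USER=... ; COMMAND=...`, with a reason string such as `command not allowed` inserted before `TTY=` on refusals), tallies successful and denied invocations per user per host, and flags successful invocations whose command is `su` or a shell. The log lines, hostnames and user names are constructed for the example; the field names are sudo's own.

```python
"""Summarize sudo syslog output: who used sudo where, and who escaped to a shell.

Added example; not part of the sudo-tools described in the post.
"""
import re
from collections import defaultdict

# sudo's default syslog line: syslog timestamp and host, then the sudo record.
# The reason field ("command not allowed", "3 incorrect password attempts", ...)
# is only present when sudo refused the request.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?:(?P<msg>[^;]*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Constructed sample log (hosts, users and commands are made up for the example).
LOG = """\
Oct  1 00:39:30 web1 sudo:     alek : TTY=pts/1 ; PWD=/home/alek ; USER=root ; COMMAND=/usr/sbin/ndd -get /dev/tcp tcp_conn_req_max_q
Oct  1 00:41:02 web1 sudo:      bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su root
Oct  1 00:42:15 db1 sudo:     alek : TTY=pts/1 ; PWD=/export/home/alek ; USER=oracle ; COMMAND=/usr/bin/ls /u01
Oct  1 00:43:47 db1 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/sh
Oct  1 00:44:10 web1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id
Oct  1 00:45:00 web1 sshd[123]: Accepted publickey for alek from 10.0.0.5 port 40000 ssh2
"""

# Programs that hand the caller an interactive root session instead of one command.
SHELL_ESCAPES = ("su", "sh", "bash", "ksh", "csh", "zsh")


def parse_sudo_log(text):
    """Return one dict per sudo record; lines from other daemons are skipped."""
    entries = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ok"] = e["msg"] is None  # a reason string means sudo refused
        entries.append(e)
    return entries


def summarize(entries):
    """Map invoking user -> host -> {'ok': n, 'denied': n}."""
    summary = defaultdict(lambda: defaultdict(lambda: {"ok": 0, "denied": 0}))
    for e in entries:
        summary[e["user"]][e["host"]]["ok" if e["ok"] else "denied"] += 1
    return summary


def shell_escapes(entries):
    """Successful invocations whose command is su or a shell, as (host, user, runas, cmd)."""
    found = []
    for e in entries:
        if not e["ok"]:
            continue
        prog = e["cmd"].split()[0].rsplit("/", 1)[-1]
        if prog in SHELL_ESCAPES:
            found.append((e["host"], e["user"], e["runas"], e["cmd"]))
    return found


def report(text):
    """Human-readable summary lines, in a stable order for easy diffing between runs."""
    entries = parse_sudo_log(text)
    lines = []
    for user in sorted(summarize(entries)):
        for host, counts in sorted(summarize(entries)[user].items()):
            lines.append(f"{user:8s} {host:8s} ok={counts['ok']} denied={counts['denied']}")
    for host, user, runas, cmd in shell_escapes(entries):
        lines.append(f"SHELL ESCAPE on {host}: {user} -> {runas}: {cmd}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(LOG)))
```

Denied attempts are counted separately on purpose: a user repeatedly hitting "command not allowed" is worth a conversation even though nothing ran. Shell escapes are reported only for successful invocations, since those are the sessions whose individual commands the sudo log will not record.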