Regards,
George Toft

On 7/3/2024 5:57 AM, techlists@phpcoderusa.com wrote:
>
>
> On 2024-07-02 19:05, George Toft via PLUG-discuss wrote:
>> Okay, I now come begging for more information on why RH thinks sudo is bad. But first a little background...
>>
>> Where I work, the first thing we do is remove sudo and replace it with a shell script that calls our centralized Privileged Access Management (PAM) system (not naming vendor). The use of sudo requires an exception and review and is not permanent. So I'm very versed on the principles and implementation of PAM. Last year our Staff Architect asked me to compare and contrast sudo against <product>. Side-by-side, feature-by-feature, I did so, based on our POC's on Red Hat Identity Manager (IdM), which uses sudo, and locally engineered solutions.
>>
>> I personally detest sudo because it's like chmod 777 * - makes everything work so much better, and software vendors can just drop in their own sudo rules in /etc/sudoers.d/ and make magic happen without you ever knowing what happened. Several times we've had to convert some vendor's sudo rules to our own system's rules, and I ask the vendor "Why do you have this rule?" Their answer: "We don't know." OFFS :(
>>
>> As far as sudo goes, it is included in the Center for Internet Security's (CIS) Benchmarks, which is the embodiment of the information security industry's best practices. I did some work for them for a couple years, and every change (add/mod/delete) required consensus approval from 80 organizations around the world, including three letter agencies in the US and abroad. Many/most auditors expect financial institutions to follow this guide, or explain convincingly why not. So every six months, we get to say: "We don't use sudo. Instead, we do this." And then we get to do live demos of timed privileged access. Haven't had a follow-on question in the last 8 years.
>>
> ---->>>
>
>> (OT: I cringe at referring to CIS because of their collusion with the Arizona Secretary of State and the Department of Homeland Security to suppress people's First Amendment Right to Free Speech. Proof is in the Elon Musk Twitter Dump. I do not have a copy of the email on my computer. I generally don't tell people I did work for them - it's so embarrassing. Effing Ratbastards.)
>
> So tell us more, please.
>

https://nclalegal.org/wp-content/uploads/2022/09/Joint-Statement-on-Discovery-Disputes-Combined.pdf
search for "PageID #: 2793"

Other than to say Free Speech is like Free Software - must be cherished. Whether the speech/software is useful is up to the consumer, not the government.

End of Line.

>
>
>>
>> So... back to the original question, as I was not able to find anything saying Red Hat discourages sudo, nor was my favorite AI. Please toss me a cookie...
>>
>> Regards,
>>
>> George Toft
>>
>> On 6/26/2024 12:23 PM, Rusty Carruth via PLUG-discuss wrote:
>>> Actually, I'd like to start a bit of a discussion on this.
>>>
>>>
>>> First, I know that for some reason RedHat seems to think that sudo is bad/insecure.
>>>
>>> I'd like to know the logic there, as I think the argument FOR using sudo is MUCH stronger than any argument I've heard (which, admittedly, is pretty close to zero) AGAINST it. Here's my thinking:
>>>
>>> Allowing users to become root via sudo gives you:
>>>
>>>  - VERY fine control over what programs a user can use as root
>>>
>>>  - The ability to remove admin privs (ability to run as root) from an individual WITHOUT having to change root password everywhere.
>>>
>>> Now, remember, RH is supposedly 'corporate friendly'.  As a corporation, that 2nd feature is well worth the price of admission, PLUS I can only allow certain admins to run certain programs? Very nice.
>>>
>>> So, for example, at my last place I allowed the 'tester' user to run fdisk as root, because they needed to partition the disk under test.  In my case, and since the network that we ran on was totally isolated from the corporate network, I let fdisk be run without needing a password.  Oh, and if they messed up and fdisk'ed the boot partition, it was no big deal - I could recreate the machine from scratch (minus whatever data hadn't been copied off yet - which would only be their most recent run), in 10 minutes (which was about 2 minutes of my time, and 8 minutes of scripted 'dd' ;-)  However, if the test user wanted to become root using su, they had to enter the test user password.
>>>
>>> So, back to the original question - setting sudo to not require a password.  We should have asked, what program do you want to run as root without requiring a password?  How secure is your system? What else do you use it for?  Who has access? etc, etc, etc.
>>>
>>> There's one other minor objection I have to the 'zero defense' statement below - the malicious thing you downloaded (and, I assume ran) has to be written to USE sudo in its attempt to break in, I believe, or it wouldn't matter HOW open your sudo was. (simply saying 'su - myscript' won't do it).
>>>
>>> And, if you're truly paranoid about stuff you download, you should:
>>>
>>> 1 - NEVER download something you don't have an excellent reason to believe is 'safe', and ALWAYS make sure you actually downloaded it from where you thought you did.
>>>
>>> 2 - For the TRULY paranoid, have a machine you use to download and test software on, which you can totally disconnect from your network (not JUST the internet), and which has NO confidential info, and which you can erase and rebuild without caring.  Run the downloaded stuff there, for a long time, until you're pretty sure it won't bite you.
>>>
>>> 3 - For the REALLY REALLY paranoid, don't download anything from anywhere, disconnect from the internet permanently, get high-tech locks for your doors, and wrap your house in a Faraday cage!
>>>
>>> And probably don't leave the house....
>>>
>>> The point of number 3 is that there is always a risk, even with 'well-known' software, and as someone else said - they're watching you anyway.  The question is how 'safe' do you want to be? And how paranoid are you, really?
>>>
>>> Wow, talk about rabbit hole! ;-)
>>>
>>> 'Let the flames begin!' :-)
>>>
>>>
>>> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
>>>>> wanted sudo not to require a password.
>>>> Please reconsider this... This is VERY BAD security practice. There's basically zero defense if you happen to download/run something malicious.
>>>>
>>>> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss wrote:
>>>>> then I remember that a PLUG member mentioned ChatGPT being good at troubleshooting so I figured I'd give it a go. I spent about half an hour asking it the wrong question but after that it took 2 minutes. I wanted sudo not to require a password. it is wonderful! now I don't have to bug you guys. so it looks like this is the end of the user group unless you want to talk about OT stuff.
>>>>>
>>>>> --
>>>>> :-)~MIKE~(-:
>>>>> ---------------------------------------------------
>>>>> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
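The three situations argued over in this thread (a vendor drop-in under /etc/sudoers.d/ that nobody can explain, a NOPASSWD rule for one command on an isolated test network, and blanket passwordless sudo for a desktop user) can be turned into a review check that runs before the six-monthly audit rather than during it. The following is an added example, not code from the list, from Red Hat or from any vendor: a small Python auditor over sudoers-style text that flags rules granting a root shell (ALL or a shell binary), wildcard command arguments, and passwordless commands, and marks every drop-in as needing a documented owner. It assumes the simplified one-rule-per-line format shown in its constructed sample files (no aliases, no @include expansion), and the path /sbin/fdisk for the thread's fdisk case is an assumption.

```python
"""Audit sudoers-style rules for the risks raised in this thread.

Added example, not code from the list or any vendor.  It understands
only the simplified one-user-spec-per-line shape shown in SAMPLE_FILES:
no aliases, no @include expansion, no Defaults processing.
"""
import re
from dataclasses import dataclass

# who host=(runas) TAG: cmd1, cmd2   e.g.  tester ALL=(root) NOPASSWD: /sbin/fdisk
USER_SPEC = re.compile(
    r"^(?P<who>[%+]?[\w.-]+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)
# Lines this simplified parser deliberately ignores.
SKIP_PREFIXES = ("#", "Defaults", "Cmnd_Alias", "User_Alias",
                 "Host_Alias", "Runas_Alias", "@include")
# Commands that hand over a root shell outright (ALL covers everything).
SHELL_LIKE = {"ALL", "/bin/sh", "/bin/bash", "/usr/bin/sh",
              "/usr/bin/bash", "/bin/su", "/usr/bin/su"}
SEVERITIES = ["medium", "high", "critical"]


@dataclass
class Finding:
    source: str
    line_no: int
    who: str
    severity: str
    reason: str


def parse_rule(line):
    """Return a dict for a user-spec line, or None for anything else."""
    s = line.strip()
    if not s or s.startswith(SKIP_PREFIXES):
        return None
    m = USER_SPEC.match(s)
    if not m:
        return None
    tags = {t.rstrip(":") for t in m.group("tags").split()}
    cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
    return {"who": m.group("who"), "host": m.group("host"),
            "runas": m.group("runas") or "root", "tags": tags, "cmds": cmds}


def audit_rule(source, line_no, rule):
    """Classify one parsed rule.  root granting itself root is a no-op."""
    findings = []
    if rule["who"] == "root":
        return findings
    nopasswd = "NOPASSWD" in rule["tags"]
    # Drop-ins are where unexplained vendor rules arrive; every one needs an owner.
    suffix = (" [drop-in under /etc/sudoers.d/: record who owns it and why]"
              if source.startswith("/etc/sudoers.d/") else "")
    for cmd in rule["cmds"]:
        if cmd.startswith("!"):
            continue  # a negated entry grants nothing
        binary = cmd.split()[0]
        if binary in SHELL_LIKE:
            sev = "critical" if nopasswd else "high"
            why = f"{cmd!r} gives an unrestricted root shell"
        elif "*" in cmd:
            sev = "high"
            why = f"wildcard in {cmd!r}: argument matching is hard to constrain"
        elif nopasswd:
            sev = "medium"
            why = f"passwordless {binary}: justify per host (isolated network? who has access?)"
        else:
            continue  # specific command, password required: the intended use of sudo
        findings.append(Finding(source, line_no, rule["who"], sev, why + suffix))
    return findings


def audit_files(files):
    """files: mapping of path -> text.  Returns all findings in file order."""
    findings = []
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), 1):
            rule = parse_rule(line)
            if rule is not None:
                findings.extend(audit_rule(path, n, rule))
    return findings


def worst_severity(findings):
    return max((f.severity for f in findings), key=SEVERITIES.index, default="none")


# Constructed sample files; not taken from any real host.
SAMPLE_FILES = {
    "/etc/sudoers": "Defaults env_reset\nroot ALL=(ALL:ALL) ALL\n%wheel ALL=(ALL) ALL\n",
    # the thread's isolated-test-network case (path to fdisk is assumed)
    "/etc/sudoers.d/tester": "tester ALL=(root) NOPASSWD: /sbin/fdisk\n",
    # a vendor drop-in nobody can explain
    "/etc/sudoers.d/90-vendor-agent": "vendoragent ALL=(ALL) NOPASSWD: ALL\n",
    "/etc/sudoers.d/backup": "backup ALL=(root) NOPASSWD: /usr/bin/rsync *\n",
    # "sudo not to require a password" on a desktop
    "/etc/sudoers.d/mike": "mike ALL=(ALL:ALL) NOPASSWD: ALL\n",
}

if __name__ == "__main__":
    for f in audit_files(SAMPLE_FILES):
        print(f"{f.severity:8} {f.source}:{f.line_no} {f.who}: {f.reason}")
```

Run against the sample, the tester/fdisk rule lands at "medium" (defensible, but only with the isolated-network answer Rusty describes), the rsync wildcard and the wheel group at "high", and the vendor agent and the desktop user's passwordless ALL at "critical". On a real host you would feed it the output of reading /etc/sudoers and each file in /etc/sudoers.d/, and treat every drop-in finding without a recorded owner the way George's team treats them: as a rule to be converted or removed, not inherited.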