On Thu, Jul 7, 2011 at 7:08 AM, Joseph Sinclair <plug-discussion@stcaz.net> wrote:
> Most corporate environments are required to disable su entirely due to SOX
> and PCI requirements to audit every action on the server to a particular
> user (eliminating user switching as a permissible action).
> Some companies are even going to the extreme of disabling workaround tricks
> like sudo bash as well (I think reasonable policy is enough to prevent such
> usage).
> It's pretty easy to disable direct root login in RH type servers, and as I
> noted (and you use in Ubuntu), 'sudo su -' works the same without requiring
> the system to have an enabled root password.
>
The new sudo allows for extensive "key style" logging and suid control for
things like bash or vi. The logging is especially impressive, even
providing complete playback of bash sessions. Most shops insanely use sudo;
however, I have rarely seen all features of the tool implemented securely (to
include allowed commands, for instance, in a deny all/allow selectively
model). It's a wee bit more than "yum install sudo"... is it not?
In many shops PCI compliance is used as an excuse to deny developers access
to production systems or limit ssh systems keys and require "hubcap" access
portals (with ssh killers) where systems administrators simply add "perl" or
"expect" workarounds to continue automated jobs, further opening additional
security holes, since both models still insanely allow password schemes that
do not include a fully random string of characters (since any word or use of
special characters in patterns can be brute forced with dictionary
attacks/arp cache poisoning from an adjacent web server trivially pwned
since it's running phpBB, WebDAV or PureFTP for instance...)
In fact, even in SOCKS and PCI compliant networks for large corporations,
banks and government, few audits to which I was privy and in which I was
directly involved actually delved deeply into ANY capabilities of linux, unix
and OS X systems for su, group access, or sudo, and in many cases I found
"authentication hacks" like changes to pam.d as well.
Reference:
http://www.sudo.ws/sudo/sudoers.man.html
> On 07/06/2011 11:50 PM, Phillip Waclawski wrote:
> > I use su with my students all the time (true, on my ubuntu machine I use
> > sudo su) but for redhat based servers (such as CentOS) su is still the main
> > way to switch to "root".
> > Phil Waclawski
> >
> > ----- Original Message -----
> >
> > From: "Joseph Sinclair" <plug-discussion@stcaz.net>
> > To: "Main PLUG discussion list" <plug-discuss@lists.plug.phoenix.az.us>
> > Sent: Wednesday, July 6, 2011 7:40:55 PM
> > Subject: Re: RFC - Linux Command Cheatsheet
> >
> > Just a few errata and suggestions:
> > dpkg -[r,P] argument is package-name, not pkg.deb (you specify the
> > package name, not the deb file for those operations)
> > apt-get upgrade will only update packages that do not require any other
> > package to install/uninstall. apt-get dist-upgrade upgrades all packages.
> > apt-get purge package-name will purge a package without the clumsy
> > --purge syntax.
> > I would change the su - to sudo su -, since most distros no longer have
> > the root password enabled, and you don't want to encourage your students to
> > do that.
> > I would drop su -c command, sudo serves that purpose. Add sudo -u
> > username command to run a command as a specific user in its place.
> > I'm not sure if you can squeeze it in, but lsattr will list extended
> > attributes, which is helpful when you encounter things like files even root
> > cannot modify. The corresponding chattr changes extended attributes, of
> > course, but that may not be a good command to mention due to its higher
> > risk.
> > I would put kill and killall in red, especially since killall will do
> > partial match (try "sudo killall -9 in" for some system-killing fun
> > sometime) and actually matches on regex.
> > It might be a very good idea to add "-i" to killall, so the new user has
> > a slightly higher margin of safety for a mistyped command name.
> > for "program &" you might want to put "program" in italics to make it
> > clear it's not a literal command.
> > The 6 tar lines seem a little overkill. Perhaps it would work better with
> > fewer repeated lines coupled with a recommendation to check the manual for
> > the complex commands (like tar, rsync, ip, grep, etc...) that have several
> > common use patterns and really need more room than you have.
> >
> > You might also save some space by removing reboot and halt (which are
> > actually the same program, much like egrep/fgrep/grep) in favor of shutdown
> > [-r, -h] (which is generally preferred anyway)
> >
> >
> > On 07/06/2011 10:20 AM, Dennis Kibbe wrote:
> >> I've updated the Linux Command cheatsheet I use for my classes at MCC
> >> and would appreciate any comments or corrections before I send it off to
> >> the Copy Center.
> >>
> >> https://s3.amazonaws.com/moodle_data/Linux+Commands.odt
> >> https://s3.amazonaws.com/moodle_data/Linux+Commands.pdf
> >>
> >> It's licensed Attribution-ShareAlike 3.0 United States license,
> >> available at http://creativecommons.org/licenses/by-sa/3.0/us/.
> >>
> >> FYI: Creative Commons has a very easy to use plugin for LibreOffice that
> >> allows you to assign a Creative Commons license to your documents and
> >> insert a license statement automatically.
> >>
> >>
> >> http://labs.creativecommons.org/2010/12/08/libreoffice-and-cc-openoffice-plugin/
> >>
> >> Moodle 3 also includes support for Creative Commons licenses. (Aside
> >> der.hans: Moodle 3 is great, better than 2 in every respect!)
> >>
> >> Remember when you create something it's copyrighted All Rights Reserved
> >> (der.hans: All Rights Reserved) by default, so if you want to share
> >> your work you need to license it.
> >>
> >> Dennis Kibbe
> >
> >
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change your mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
--
(602) 791-8002 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
HomeSmartInternational.com <http://www.homesmartinternational.com>
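The deny all/allow selectively sudoers model and the session logging discussed at the top of this message, as an added example that is not part of this thread or of the sudo project: a constructed policy fragment next to the weak "yum install sudo and move on" policy it replaces, with a small shell audit function that flags the usual gaps. The group name webadmins, the command paths and the check patterns are assumptions.

```shell
#!/bin/sh
# Constructed (not from the list post) sudoers drop-in in the deny-all model:
# only named commands are granted, I/O logging is on so sudoreplay can replay
# the session, and the editor runs under NOEXEC so it cannot spawn a shell.
GOOD_POLICY='Defaults log_input, log_output
Defaults iolog_dir=/var/log/sudo-io
Defaults requiretty
Cmnd_Alias SVC_RESTART = /sbin/service httpd restart, /sbin/service httpd status
Cmnd_Alias LOG_READ = /bin/cat /var/log/httpd/*, /usr/bin/less /var/log/httpd/*
%webadmins ALL = (root) SVC_RESTART, LOG_READ
%webadmins ALL = (root) NOEXEC: /usr/bin/vi /etc/httpd/conf/httpd.conf
'

# Constructed weak policy: an unrestricted root grant plus an unlogged shell.
WEAK_POLICY='%wheel ALL=(ALL) NOPASSWD: ALL
alice ALL=(root) /bin/bash, /usr/bin/vi
'

# audit_sudoers POLICY_TEXT: prints one finding per line, returns the count.
audit_sudoers() {
    policy=$1; findings=0
    # A rule whose command list is ALL (with or without NOPASSWD) is a root shell on demand.
    if printf '%s\n' "$policy" | grep -Eq '^[^#]*(=|:)[[:space:]]*(\([^)]*\)[[:space:]]*)?(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$'; then
        echo "unrestricted: a rule grants ALL commands"; findings=$((findings+1)); fi
    # A shell or editor granted without the NOEXEC tag escapes to an unlogged root shell.
    if printf '%s\n' "$policy" | grep -v 'NOEXEC:' \
        | grep -Eq '^[^#]*(/bin/(ba)?sh|/bin/vi|/usr/bin/vim?)([[:space:],]|$)'; then
        echo "shell-escape: a shell or editor is allowed without NOEXEC"; findings=$((findings+1)); fi
    # Without log_output there is no session transcript for sudoreplay.
    printf '%s\n' "$policy" | grep -Eq '^Defaults[^#]*log_output' \
        || { echo "no-iolog: log_output not set"; findings=$((findings+1)); }
    return $findings
}

# Usage: run the audit over both constructed fragments.
audit_sudoers "$GOOD_POLICY" && echo "good policy: clean"
audit_sudoers "$WEAK_POLICY" || echo "weak policy: $? finding(s)"
```

Before installing a fragment of this shape under /etc/sudoers.d, validate its syntax with visudo -c and confirm the resulting grants with sudo -l as a member of the group.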