I did say "not naming vendor." Trade secret. We don't discuss our
vendors. Sorry, Mike.
> can you share with us what you use instead of sudo?
>
> On Tue, Jul 2, 2024 at 11:42 PM George Toft via PLUG-discuss
> <plug-discuss@lists.phxlinux.org> wrote:
>
> Okay, I now come begging for more information on why RH thinks sudo is
> bad. But first a little background...
>
> Where I work, the first thing we do is remove sudo and replace it with a
> shell script that calls our centralized Privileged Access Management
> (PAM) system (not naming vendor). The use of sudo requires an exception
> and review and is not permanent. So I'm very versed on the principles
> and implementation of PAM. Last year our Staff Architect asked me to
> compare and contrast sudo against <unnamed product>. Side-by-side,
> feature-by-feature, I did so, based on our POC's on Red Hat Identity
> Manager (IdM), which uses sudo, and locally engineered solutions.
>
> I personally detest sudo because it's like chmod 777 * - makes
> everything work so much better, and software vendors can just drop in
> their own sudo rules in /etc/sudoers.d/ and make magic happen without
> you ever knowing what happened. Several times we've had to convert some
> vendor's sudo rules to our own system's rules, and I ask the vendor "Why
> do you have this rule?" Their answer: "We don't know." OFFS :(
>
> As far as sudo goes, it is included in the Center for Internet
> Security's (CIS) Benchmarks, which is the embodiment of the information
> security industry's best practices. I did some work for them for a
> couple years, and every change (add/mod/delete) required consensus
> approval from 80 organizations around the world, including three letter
> agencies in the US and abroad. Many/most auditors expect financial
> institutions to follow this guide, or explain convincingly why not. So
> every six months, we get to say: "We don't use sudo. Instead, we do
> this." And then we get to do live demos of timed privileged access.
> Haven't had a follow-on question in the last 8 years.
>
> (OT: I cringe at referring to CIS because of their collusion with the
> Arizona Secretary of State and the Department of Homeland Security to
> suppress people's First Amendment Right to Free Speech. Proof is in the
> Elon Musk Twitter Dump. I do not have a copy of the email on my
> computer. I generally don't tell people I did work for them - it's so
> embarrassing. Effing Ratbastards.)
>
> So... back to the original question, as I was not able to find anything
> saying Red Hat discourages sudo, nor was my favorite AI. Please toss me
> a cookie...
>
> Regards,
>
> George Toft
>
> On 6/26/2024 12:23 PM, Rusty Carruth via PLUG-discuss wrote:
> > Actually, I'd like to start a bit of a discussion on this.
> >
> >
> > First, I know that for some reason RedHat seems to think that sudo is
> > bad/insecure.
> >
> > I'd like to know the logic there, as I think the argument FOR using
> > sudo is MUCH stronger than any argument I've heard (which, admittedly,
> > is pretty close to zero) AGAINST it. Here's my thinking:
> >
> > Allowing users to become root via sudo gives you:
> >
> > - VERY fine control over what programs a user can use as root
> >
> > - The ability to remove admin privs (ability to run as root) from an
> > individual WITHOUT having to change root password everywhere.
> >
> > Now, remember, RH is supposedly 'corporate friendly'. As a
> > corporation, that 2nd feature is well worth the price of admission,
> > PLUS I can only allow certain admins to run certain programs? Very nice.
> >
> > So, for example, at my last place I allowed the 'tester' user to run
> > fdisk as root, because they needed to partition the disk under test.
> > In my case, and since the network that we ran on was totally isolated
> > from the corporate network, I let fdisk be run without needing a
> > password. Oh, and if they messed up and fdisk'ed the boot partition,
> > it was no big deal - I could recreate the machine from scratch (minus
> > whatever data hadn't been copied off yet - which would only be their
> > most recent run), in 10 minutes (which was about 2 minutes of my time,
> > and 8 minutes of scripted 'dd' ;-) However, if the test user wanted
> > to become root using su, they had to enter the test user password.
> >
> > So, back to the original question - setting sudo to not require a
> > password. We should have asked, what program do you want to run as
> > root without requiring a password? How secure is your system? What
> > else do you use it for? Who has access? etc, etc, etc.
> >
> > There's one other minor objection I have to the 'zero defense'
> > statement below - the malicious thing you downloaded (and, I assume
> > ran) has to be written to USE sudo in its attempt to break in, I
> > believe, or it wouldn't matter HOW open your sudo was. (simply saying
> > 'su - myscript' won't do it).
> >
> > And, if you're truly paranoid about stuff you download, you should:
> >
> > 1 - NEVER download something you don't have an excellent reason to
> > believe is 'safe', and ALWAYS make sure you actually downloaded it
> > from where you thought you did.
> >
> > 2 - For the TRULY paranoid, have a machine you use to download and
> > test software on, which you can totally disconnect from your network
> > (not JUST the internet), and which has NO confidential info, and which
> > you can erase and rebuild without caring. Run the downloaded stuff
> > there, for a long time, until you're pretty sure it won't bite you.
> >
> > 3 - For the REALLY REALLY paranoid, don't download anything from
> > anywhere, disconnect from the internet permanently, get high-tech
> > locks for your doors, and wrap your house in a faraday cage!
> >
> > And probably don't leave the house....
> >
> > The point of number 3 is that there is always a risk, even with
> > 'well-known' software, and as someone else said - they're watching you
> > anyway. The question is how 'safe' do you want to be? And how
> > paranoid are you, really?
> >
> > Wow, talk about rabbit hole! ;-)
> >
> > 'Let the flames begin!' :-)
> >
> >
> > On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
> >>> wanted sudo not to require a password.
> >> Please reconsider this... This is VERY BAD security practice. There's
> >> basically zero defense if you happen to download/run something
> >> malicious.
> >>
> >> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss wrote:
> >>> then I remember that a PLUG member mentioned ChatGPT being good at
> >>> troubleshooting so I figured I'd give it a go. I spent about half
> >>> an hour asking it the wrong question but after that it took 2
> >>> minutes. I wanted sudo not to require a password. It is wonderful!
> >>> Now I don't have to bug you guys. So it looks like this is the end
> >>> of the user group unless you want to talk about OT stuff.
> >>>
> >>> --
> >>> :-)~MIKE~(-:
> >>> ---------------------------------------------------
> >>> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
> >>> To subscribe, unsubscribe, or to change your mail settings:
> >>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
> >>>
> >>
>
> --
> :-)~MIKE~(-:
>
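The quoted messages compare two kinds of sudoers grant: Rusty's narrow rule (one user, one binary, one disk) and the vendor drop-ins in /etc/sudoers.d/ that George says nobody at the vendor can explain. What follows is an added example, not code from the thread, from any list member, or from any PAM vendor: a small Python lint that parses constructed sudoers entries (the file paths, user names and rule contents are made up for the demo) and flags grants of ALL commands, or bare command paths that carry no argument restriction, so such rules surface for the kind of review George describes instead of silently making "magic happen".

```python
"""Lint sudoers drop-ins for rules broader than the job needs.

Added example, not code from the PLUG thread or from any vendor's product.
It parses constructed /etc/sudoers.d/ entries and flags the broad grants
a vendor drop-in tends to carry, while a narrowly scoped rule (one user,
one binary, one fixed argument) passes clean.
"""
import re
from dataclasses import dataclass

# Constructed sample files: the paths, users and rules are made up for this demo.
SAMPLE_SUDOERS = {
    "/etc/sudoers.d/tester": (
        "# tester may only partition the disk under test\n"
        "tester ALL=(root) NOPASSWD: /usr/sbin/fdisk /dev/sdb\n"
    ),
    "/etc/sudoers.d/vendor-agent": (
        "Defaults:svc_agent !requiretty\n"
        "svc_agent ALL=(ALL) NOPASSWD: ALL\n"
    ),
    "/etc/sudoers.d/backup": "backup ALL=(root) /usr/bin/rsync, /usr/bin/tar\n",
    "/etc/sudoers.d/ops": "%ops ALL=(ALL:ALL) ALL\n",
}

# One-line user spec:  user host_list = (runas_spec) [Tag:] command_list
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}


@dataclass
class Rule:
    source: str
    user: str
    hosts: str
    runas: str
    tags: tuple
    commands: tuple


def parse_rules(text, source):
    """Parse one-line user specs; comments, blank lines and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # aliases, @include etc. are out of scope for this demo
        rest, tags = m.group("rest"), []
        # Tags are "TAG:" prefixes in front of the command list; there may be several.
        while True:
            head, sep, tail = rest.partition(":")
            if sep and head.strip().upper() in TAGS:
                tags.append(head.strip().upper())
                rest = tail.strip()
            else:
                break
        commands = tuple(c.strip() for c in rest.split(",") if c.strip())
        rules.append(Rule(source, m.group("user"), m.group("hosts"),
                          m.group("runas") or "root", tuple(tags), commands))
    return rules


def audit(rules):
    """Return (severity, source, user, reason) for each grant that merits review."""
    findings = []
    for r in rules:
        suffix = ", no password" if "NOPASSWD" in r.tags else ""
        for cmd in r.commands:
            if cmd == "ALL":
                findings.append(("high", r.source, r.user,
                                 f"any command as ({r.runas}){suffix}"))
            elif " " not in cmd:
                # A bare path in sudoers permits any arguments; only a
                # listed argument string (or "") pins them down.
                findings.append(("medium", r.source, r.user,
                                 f"{cmd} with unrestricted arguments{suffix}"))
    return findings


def audit_files(files):
    """Parse every file in the mapping and return the combined findings."""
    rules = []
    for path, text in files.items():
        rules.extend(parse_rules(text, path))
    return audit(rules)


if __name__ == "__main__":
    for sev, src, user, reason in audit_files(SAMPLE_SUDOERS):
        print(f"[{sev}] {src}: {user}: {reason}")
```

Run against the constructed files, the tester rule produces no finding, the two ALL grants are reported as high, and the backup rule is reported twice at medium because neither rsync nor tar has its arguments pinned. Pointing `audit_files` at the real contents of /etc/sudoers.d/ (read with root privileges) turns it into the periodic review that catches a drop-in nobody asked for.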