<scroll>
Regards,
George Toft
On 7/3/2024 5:57 AM, [email protected] wrote:
<scroll>
On 2024-07-02 19:05, George Toft via PLUG-discuss wrote:
Okay, I now come begging for more information on why RH thinks sudo
is bad. But first a little background...
Where I work, the first thing we do is remove sudo and replace it
with a shell script that calls our centralized Privileged Access
Management (PAM) system (not naming vendor). The use of sudo requires
and exception and review and is not permanent. So I'm very versed on
the principles and implementation of PAM. Last year our Staff
Architect asked me to compare and contrast sudo against <unnamed
product>. Side-by-side, feature-by-feature, I did so, based on our
POC's on Red Hat Identity Manager (IdM), which uses sudo, and locally
engineered solutions.
I personally detest sudo because it's like chmod 777 * - makes
everything work so much better, and software vendors can just drop in
their own sudo rules in /etc/sudoers.d/ and make magic happen without
you ever knowing what happened. Several times we've had to convert
some vendor's sudo rules to our own system's rules, and I ask the
vendor "Why do you have this rule?" Their answer: "We don't know."
OFFS :(
As far as sudo goes, it is included in the Center for Internet
Security's (CIS) Benchmarks, which is the embodiment of the
information security industry's best practices. I did some work for
them for a couple years, and every change (add/mod/delete) required
consensus approval from 80 organizations around the world, including
thee letter agencies in the US and abroad. Many/most auditors expect
financial institutions to follow this guide, or explain convincingly
why not. So every six months, we get to say: "We don't use sudo.
Instead, we do this." And then we get to do live demos of timed
privileged access. Haven't had a follow-on question in the last 8 years.
---->>>
(OT: I cringe at referring to CIS because of their collusion with the
Arizona Secretary of State and the Department of Homeland Security to
suppress people's First Amendment Right to Free Speech. Proof is in
the Elon Musk Twitter Dump. I do not have a copy of the email on my
computer. I generally don't tell people I did work for them - it's so
embarrassing. Effing Ratbastards.)
So tell us more, please.
https://nclalegal.org/wp-content/uploads/2022/09/Joint-Statement-on-Discovery-Disputes-Combined.pdf
search for "PageID #: 2793"
Other than to say Free Speech is like Free Software - must be cherished.
Whether the speech/software is useful is up to the consumer, not the
government.
End of Line.
So... back to the original question, as I was not able to find
anything saying Red Hat discourages sudo, nor was my favorite AI.
Please toss me a cookie...
Regards,
George Toft
On 6/26/2024 12:23 PM, Rusty Carruth via PLUG-discuss wrote:
Actually, I'd like to start a bit of a discussion on this.
First, I know that for some reason RedHat seems to think that sudo
is bad/insecure.
I'd like to know the logic there, as I think the argument FOR using
sudo is MUCH stronger than any argument I've heard (which,
admittedly, is pretty close to zero) AGAINST it. Here's my thinking:
Allowing users to become root via sudo gives you:
- VERY fine control over what programs a user can use as root
- The ability to remove admin privs (ability to run as root) from
an individual WITHOUT having to change root password everywhere.
Now, remember, RH is supposedly 'corporate friendly'. As a
corporation, that 2nd feature is well worth the price of admission,
PLUS I can only allow certain admins to run certain programs? Very
nice.
So, for example, at my last place I allowed the 'tester' user to run
fdisk as root, because they needed to partition the disk under
test. In my case, and since the network that we ran on was totally
isolated from the corporate network, I let fdisk be run without
needing a password. Oh, and if they messed up and fdisk'ed the boot
partition, it was no big deal - I could recreate the machine from
scratch (minus whatever data hadn't been copied off yet - which
would only be their most recent run), in 10 minutes (which was about
2 minutes of my time, and 8 minutes of scripted 'dd' ;-) However,
if the test user wanted to become root using su, they had to enter
the test user password.
So, back to the original question - setting sudo to not require a
password. We should have asked, what program do you want to run as
root without requiring a password? How secure is your system? What
else do you use it for? Who has access? etc, etc, etc.
There's one other minor objection I have to the 'zero defense'
statement below - the malicious thing you downloaded (and, I assume
ran) has to be written to USE sudo in its attempt to break in, I
believe, or it wouldn't matter HOW open your sudo was. (simply
saying 'su - myscript' won't do it).
And, if you're truly paranoid about stuff you download, you should:
1 - NEVER download something you don't have an excellent reason to
believe is 'safe', and ALWAYS make sure you actually downloaded it
from where you thought you did.
2 - For the TRULY paranoid, have a machine you use to download and
test software on, which you can totally disconnect from your network
(not JUST the internet), and which has NO confidential info, and
which you can erase and rebuild without caring. Run the downloaded
stuff there, for a long time, until you're pretty sure it won't bite
you.
3 - For the REALLY REALLY paranoid, don't download anything from
anywhere, disconnect from the internet permanently, get high-tech
locks for your doors, and wrap your house in a faraday cage!
And probably don't leave the house....
The point of number 3 is that there is always a risk, even with
'well-known' software, and as someone else said - they're watching
you anyway. The question is how 'safe' do you want to be? And how
paranoid are you, really?
Wow, talk about rabbit hole! ;-)
'Let the flames begin!' :-)
On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
wanted sudo not to require a password.
Please reconsider this... This is VERY BAD security practice.
There's basically zero defense if you happen to download/run
something malicious.
On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss wrote:
then I remember that a PLUG member mentioned ChatGPT being good
at troubleshooting so I figured I'd give it a go. I sprint about
half an hour asking it the wrong question but after that it took 2
minutes. I wanted sudo not to require a password. it is wonderful!
now I don't have to bug you guys. so it looks like this is the end
of the user group unless you want to talk about OT stuff.
-- :-)~MIKE~(-:
---------------------------------------------------
PLUG-discuss mailing list: [email protected]
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
---------------------------------------------------
PLUG-discuss mailing list: [email protected]
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
---------------------------------------------------
PLUG-discuss mailing list: [email protected]
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
---------------------------------------------------
PLUG-discuss mailing list: [email protected]
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
---------------------------------------------------
PLUG-discuss mailing list: [email protected]
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
