On Tue, Dec 19, 2017 at 11:54:12AM +0100, Ronald Wimmer via FreeIPA-users wrote:
> We have some users that have ALL sudo permissions. What is the best way of
> keeping track of all actions they do after having switched to the root user?
> Or would it be better to completely prevent switching to the root user? (if
> yes, what would be the recommended way of doing that?)

I'm not sure if it is possible to restrict the users from getting a root
shell in the first place if you give the user too broad permissions. E.g. if
you give them permissions to run sudo vim, they can just run ":sh" from
the vim window, or if you give them permissions to run 'sudo rpm' they
can install a custom package that spawns a shell from the rpm scriptlet.

I think the best practice is to restrict the commands the users can run
to a bare minimum. Letting them only through sudo (as opposed to sudo
su) has the advantage that sudo sends all commands to the audit
subsystem. Also, if someone walks away from a root terminal, it will
still be a root terminal an hour later; sudo at least forces you to
re-authenticate.

You might also be interested in the "tlog" package and session
recording.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
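As an added example, not code from the original thread or from FreeIPA, here is a small defender-side parser for the USER_CMD records that sudo sends to the audit subsystem, flagging allowed commands that can hand the caller a root shell (the vim and rpm cases the reply mentions). The sample records, the list of shell-capable programs and the field names picked out are constructed assumptions.

```python
import re
from typing import Optional

# Programs that give an interactive shell or run arbitrary code as root once
# permitted through sudo (constructed list; vim and rpm are the post's cases).
SHELL_CAPABLE = {"bash", "sh", "su", "vim", "vi", "rpm"}

# Constructed sample audit records in the shape sudo emits through libaudit.
# libaudit hex-encodes cmd= when the command contains spaces, else it quotes it.
SAMPLE_AUDIT = """\
type=USER_CMD msg=audit(1513680852.123:456): pid=1234 uid=1000 auid=1000 ses=3 msg='cwd="/home/alice" cmd=76696D202F6574632F686F737473 terminal=pts/0 res=success'
type=USER_CMD msg=audit(1513680900.001:457): pid=1240 uid=1000 auid=1000 ses=3 msg='cwd="/home/alice" cmd="id" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1513680950.500:458): pid=1250 uid=1001 auid=1001 ses=4 msg='cwd="/tmp" cmd=72706D202D69202F746D702F782E72706D terminal=pts/1 res=success'
type=USER_START msg=audit(1513680951.000:459): pid=1250 uid=0 auid=1001 ses=4 msg='op=PAM:session_open terminal=pts/1 res=success'
"""

_CMD_RE = re.compile(r'\bcmd=(?:"([^"]*)"|([0-9A-Fa-f]+))')
_FIELD_RE = re.compile(r"\b(auid|ses|terminal|res)=(\S+)")


def parse_user_cmd(line: str) -> Optional[dict]:
    """Return auid/ses/terminal/res/cmd for one USER_CMD record, else None."""
    if not line.startswith("type=USER_CMD "):
        return None
    m = _CMD_RE.search(line)
    if not m:
        return None
    if m.group(1) is not None:
        cmd = m.group(1)                      # plain quoted form
    else:
        cmd = bytes.fromhex(m.group(2)).decode("utf-8", "replace")  # hex form
    rec = {k: v.rstrip("'") for k, v in _FIELD_RE.findall(line)}
    rec["cmd"] = cmd
    return rec


def flag_shell_capable(text: str) -> list:
    """List (auid, cmd) for successful sudo commands that can yield a root shell."""
    hits = []
    for line in text.splitlines():
        rec = parse_user_cmd(line)
        if rec is None or rec.get("res") != "success":
            continue
        parts = rec["cmd"].split()
        if parts and parts[0].rsplit("/", 1)[-1] in SHELL_CAPABLE:
            hits.append((rec.get("auid", "?"), rec["cmd"]))
    return hits


if __name__ == "__main__":
    for auid, cmd in flag_shell_capable(SAMPLE_AUDIT):
        print(f"auid={auid} ran shell-capable command via sudo: {cmd}")
```

The auid field survives the switch to root, so it is the value to key on when reviewing what a given person did, not uid.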