On 2017-12-19 12:05, Jakub Hrozek via FreeIPA-users wrote:
> I think the best practice is to restrict the commands the users can run
> to a bare minimum. Letting them only through sudo (as opposed to sudo
> su) has the advantage that sudo sends all commands to the audit
> subsystem. Also, if someone walks away from a root terminal, it will
> still be a root terminal an hour later, sudo at least forces you to
> re-authenticate. [...]

Thanks a lot for your reply. It seems that I might not have been specific enough. The users who have ALL sudo permissions are Linux admins who should have ALL rights, because they usually know what they are doing. My concern is some kind of traceability: I need to keep track of what a user did when he switched to root (or prohibit switching to root).

What are my options here?

I will have a look at tlog and session recording. Are you referring to sssd-session-recording or to a different solution? I was also pointed to rootsh (https://www.linux.com/news/rootsh-terminal-logger-keeps-watch-root-users). What about that?

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
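The traceability gap discussed in this thread is concrete in sudo's own syslog output: every command run through sudo is logged as a single line, but the moment that command is `su -`, `bash` or anything else that hands the admin a root shell, the trail stops, since sudo never sees what is typed inside that shell. The script below is an added example, not code from the thread or from the FreeIPA or sudo projects. It parses constructed syslog lines (made up for this illustration, but laid out in sudo's default `TTY= ; PWD= ; USER= ; COMMAND=` format, including a denied command) and reports, per user, which commands were logged normally and which ended the per-command trail by spawning a root shell. The host name, user names and commands are invented.

```python
"""Per-user command trail from sudo syslog lines, flagging commands that
hand the user an unlogged root shell (sudo su, sudo -i, sudo bash, ...).

Added example for the discussion above; the log lines are constructed."""
import re
from collections import defaultdict

# Constructed sample lines in sudo's default syslog layout (not from a real host).
# The last line shows how sudo logs a command that sudoers refused.
SAMPLE_LOG = """\
Dec 19 12:05:01 ipa01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart sssd
Dec 19 12:05:09 ipa01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/journalctl -u sssd
Dec 19 12:06:30 ipa01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Dec 19 12:07:02 ipa01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Dec 19 12:07:45 ipa01 sudo:     dave : command not allowed ; TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/bash
"""

# syslog timestamp, host, "sudo:", padded invoking user, " : ", then ";"-separated fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : (?P<rest>.*)$"
)

# Executables that turn a single logged sudo command into an unlogged root session.
# sudo -i and sudo -s also show up as COMMAND=<the user's shell>, so they are covered too.
SHELLS = {"su", "bash", "sh", "dash", "zsh", "ksh", "csh", "tcsh", "fish"}


def parse_line(line):
    """Return a dict of the line's fields, or None if it is not a sudo command line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "user": m["user"], "msg": None}
    for field in m["rest"].split(" ; "):
        if "=" in field:
            key, value = field.split("=", 1)
            rec[key.strip()] = value.strip()
        else:
            rec["msg"] = field.strip()  # free-text status such as "command not allowed"
    return rec


def is_shell_escape(command):
    """True if the executable (first token, full path) is a shell or su."""
    exe = command.split()[0].rsplit("/", 1)[-1]
    return exe in SHELLS


def build_trail(log_text):
    """Group command records by invoking user and annotate each one."""
    trail = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "COMMAND" not in rec:
            continue
        rec["allowed"] = rec["msg"] is None           # no status text means sudo ran it
        rec["shell_escape"] = rec["allowed"] and is_shell_escape(rec["COMMAND"])
        trail[rec["user"]].append(rec)
    return trail


def untraceable_sessions(trail):
    """Users who obtained a root shell through sudo: whatever they typed afterwards
    is invisible to sudo's log and would only be captured by session recording."""
    return sorted(user for user, recs in trail.items() if any(r["shell_escape"] for r in recs))


if __name__ == "__main__":
    trail = build_trail(SAMPLE_LOG)
    for user, recs in sorted(trail.items()):
        for r in recs:
            status = "DENIED" if not r["allowed"] else ("ROOT SHELL" if r["shell_escape"] else "ok")
            print(f"{r['ts']} {user:6} {status:10} {r['COMMAND']}")
    print("users who escaped to an unlogged root shell:", untraceable_sessions(trail))
```

Run against real hosts, feed it the sudo lines from /var/log/secure or the journal instead of SAMPLE_LOG. The users it flags are exactly the case the thread is about: sudo logged one command and then went blind. Closing that gap means either denying shells in sudoers (which the original poster says is not wanted for these admins) or recording the resulting session with tlog/sssd-session-recording, which is what the reply is asking about.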