There are a few things to consider from my experience: 

1. It's easy to say "don't use weak passwords", however unless you're using 
some two-factor system or systematically forcing random passwords, people are 
generating the passwords, and history tells us that most people are very bad at 
that task. 

2. Most organizations institute lockout policies for normal user accounts, so 
generally even a weak user password can't be guessed within 5 or 10 tries. 
However, root can't generally be locked out, so it is open to brute-force 
attacks. I have first-hand experience responding to incidents that resulted 
from root being successfully brute forced. 

3. The concept of individual accountability is becoming increasingly important 
for many organizations. This doesn't matter much in some, particularly small, 
environments, but in a setting with dozens or hundreds of administrators, it is 
quite important. SUDO is about the only effective way of enabling large numbers 
of admins to operate on a system while maintaining accountability.  It is not 
bulletproof, but it is a quite effective solution generally. 

So, I am genuinely curious - how does blocking root logins and requiring SUDO 
weaken a system?  I definitely have a lot to learn, and I feel like I am 
missing something. 

Regards,

Jerry



On Nov 10, 2012, at 1:30 PM, Michal Zalewski <[email protected]> wrote:

>> I think you've taken that far too literally. My understanding of it is to
>> protect against a) brute force retardation b) dumb attackers.
> 
> The advice weakens the security of your system, because it means I
> just need to compromise your unprivileged account (in which you run
> your browser, mail client, and so on) to own the entire box.
> 
> As for the benefits, care to elaborate? I'm not sure what a) and b)
> really mean. If you're worried about brute-force, don't use trivial
> passwords. If you worry about opportunistic attacks, do that and then
> patch your stuff every now and then.
> 
> /mz
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

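Added example (editor's illustration, not code from Jerry's or Michal's messages): a POSIX shell script that puts points 2 and 3 of the reply above into something you can run. It audits an sshd_config for the effective PermitRootLogin value and rewrites it to "no", counts failed root logins per source address in auth.log lines (the root brute-force case), and pulls the "who ran what as root" trail out of sudo's syslog lines (the accountability case). Assumptions: OpenSSH's sshd_config semantics (first occurrence of a keyword wins; OpenSSH releases of that era defaulted PermitRootLogin to yes), the message formats sshd and sudo write to syslog, and the function names and threshold are my own. All sample input is constructed for the example.

```sh
#!/bin/sh
# Added example; not part of the original thread. Assumes OpenSSH sshd_config
# syntax (first PermitRootLogin wins, default "yes" in 2012-era OpenSSH) and
# the usual sshd/sudo syslog line formats. Sample data below is constructed.

# Constructed sshd_config that still leaves root reachable over SSH.
# The commented-out line must be ignored; the active "yes" line is the problem.
SAMPLE_SSHD_CONFIG='Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6'

# Constructed auth.log excerpt: one source hammering root, unrelated noise.
SAMPLE_AUTH_LOG='Nov 10 13:30:01 host sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Nov 10 13:30:02 host sshd[2002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Nov 10 13:30:03 host sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Nov 10 13:30:04 host sshd[2004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Nov 10 13:30:05 host sshd[2005]: Failed password for jerry from 198.51.100.7 port 40005 ssh2
Nov 10 13:30:06 host sshd[2006]: Failed password for invalid user admin from 203.0.113.9 port 40006 ssh2
Nov 10 13:30:07 host sshd[2007]: Accepted password for root from 203.0.113.5 port 40007 ssh2'

# Constructed sudo syslog lines: each one names the real user behind "root".
SAMPLE_SUDO_LOG='Nov 10 13:31:00 host sudo:    jerry : TTY=pts/0 ; PWD=/home/jerry ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Nov 10 13:31:05 host sudo:    alice : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/useradd bob'

# Effective PermitRootLogin for a config text: first active keyword wins,
# comment lines are ignored, and an absent keyword means the old default "yes".
permit_root_login() {
  printf '%s\n' "$1" | awk '
    tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
    END { if (!found) print "yes" }'
}

# Rewrite a config text so root cannot log in over SSH: every active
# PermitRootLogin line is replaced by a single "no"; one is appended if absent.
harden_sshd_config() {
  printf '%s\n' "$1" | awk '
    tolower($1) == "permitrootlogin" { if (!done) print "PermitRootLogin no"; done = 1; next }
    { print }
    END { if (!done) print "PermitRootLogin no" }'
}

# Source addresses with at least $2 failed root password attempts in $1.
# Only "Failed password for root from" lines count; other users and
# "invalid user" lines are left alone.
root_bruteforce_sources() {
  printf '%s\n' "$1" | awk -v thr="$2" '
    /Failed password for root from / {
      for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= thr) print ip }'
}

# Accountability trail from sudo syslog lines: prints "<user> <command>" for
# each invocation, i.e. which individual actually ran what as root.
sudo_audit_trail() {
  printf '%s\n' "$1" | awk -F' ; ' '
    / sudo: / {
      split($1, a, "sudo: "); split(a[2], b, " : ")
      user = b[1]; gsub(/^ +/, "", user)
      for (i = 1; i <= NF; i++)
        if ($i ~ /^COMMAND=/) { sub(/^COMMAND=/, "", $i); print user " " $i }
    }'
}

# Demo run against the constructed samples.
echo "effective PermitRootLogin: $(permit_root_login "$SAMPLE_SSHD_CONFIG")"
echo "hardened config:"
harden_sshd_config "$SAMPLE_SSHD_CONFIG"
echo "root brute-force sources (>= 3 failures):"
root_bruteforce_sources "$SAMPLE_AUTH_LOG" 3
echo "sudo audit trail (who ran what as root):"
sudo_audit_trail "$SAMPLE_SUDO_LOG"
```

The two log parsers are the operational side of the argument: with root login blocked, the first one has nothing to report, and the second one is what lets you answer "which of the fifty admins ran that command" after the fact. The threshold of 3 is arbitrary for the demo; pick whatever your lockout policy uses for ordinary accounts.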