Thank you everyone for all the great info.

mav
CCNA, CCA

--- On Wed, 4/9/08, Paul G. Allen <[EMAIL PROTECTED]> wrote:

> From: Paul G. Allen <[EMAIL PROTECTED]>
> Subject: Re: ubuntu on VMware
> To: "Main Discussion List for KPLUG" <[email protected]>
> Date: Wednesday, April 9, 2008, 5:49 AM
>
> James G. Sack (jim) wrote:
> > Doug LaRue wrote:
> >> ** Reply to message from "James G. Sack (jim)" <[EMAIL PROTECTED]> on Tue, 08 Apr 2008 14:21:38 -0700
> >>
> >>> What is the effective difference in terms of security?
> >>
> >> /var/log/auth.log
> >>
> >> all sudo commands (logins, failed attempts, commands run, etc.) are
> >> all logged there. But then again, I don't know if or where root logins
> >> and commands/failures/etc get logged on other systems.
> >>
> >
> > Ahh, thanks Doug. I forgot to mention that. Having a complete log of
> > commands executed via sudo is another benefit of sudo vs running from a
> > root shell. This is particularly valuable on servers admin'd by multiple
> > users with sudo rights. Even on a home system, it may turn out handy.
> >
> > DJA- if you are asking whether there are differences in what can be done
> > via sudo compared to via a root shell -- that's what sudoers can
> > control. See
> >   man sudoers
> >
> > The file /etc/sudoers has some helpful comments within, but I'm sure
> > there must be [ie, I haven't looked, though] some good tutorials on
> > configuring sudoer as well.
> >
>
> At Akamai we had some fairly complex sudoers files in order to control
> the amount of control the different admins had over various systems.
> Some admins had no clue how to deal with databases and were not allowed
> to run commands that would affect a DB, others were DBAs and had full
> access to DB servers. The easiest way to control who could do what was
> to not give all admins root access, set up various groups, and give those
> groups the necessary privileges in the sudoers file.
>
> Because (as has been stated) all commands issued using sudo are logged
> as to the actual user that executed them, a history was kept as to which
> admin did what and when (as compared to someone logging in as root, at
> which point you have no accountability and limited history).
>
> PGA
> --
> Paul G. Allen, BSIT/SE
> Owner, Sr. Engineer
> Random Logic Consulting Services
> www.randomlogic.com
>
> --
> [email protected]
> http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
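
The per-user accountability discussed in this thread can be read straight out of /var/log/auth.log. The following is an added example, not code from any poster in the thread: it assumes sudo's default syslog record format, and the host, user names and log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample lines in sudo's default syslog format (assumed for auth.log).
SAMPLE_LOG = """\
Apr  9 05:12:01 db1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Apr  9 05:14:40 db1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Apr  9 05:15:02 db1 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Apr  9 05:16:10 db1 sudo:    alice : TTY=pts/0 ; PWD=/var/lib ; USER=postgres ; COMMAND=/bin/sh -c echo a ; echo b
Apr  9 05:17:00 db1 sshd[811]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Apr  9 05:18:00 db1 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
"""

# <timestamp> <host> sudo[pid]: <invoking user> : <fields separated by " ; ">
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
                     r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<rest>.*)$")

def parse_sudo_line(line):
    """Return a dict for a sudo command record, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # COMMAND= is the last field and its value may contain " ; ", so split it off first.
    head, sep, command = m.group("rest").partition("COMMAND=")
    if not sep:
        return None
    ev = {"ts": m.group("ts"), "host": m.group("host"), "user": m.group("user"),
          "run_as": None, "denied": None, "command": command}
    for part in filter(None, (p.strip() for p in head.split(" ; "))):
        key, eq, value = part.partition("=")
        if eq and key == "USER":
            ev["run_as"] = value
        elif not eq:
            ev["denied"] = part  # free-text reason, e.g. "user NOT in sudoers"
    return ev

def audit(log_text):
    """Per invoking user: commands sudo ran, and attempts sudo refused."""
    report = defaultdict(lambda: {"ran": [], "denied": []})
    for ev in filter(None, map(parse_sudo_line, log_text.splitlines())):
        if ev["denied"]:
            report[ev["user"]]["denied"].append((ev["denied"], ev["command"]))
        else:
            report[ev["user"]]["ran"].append((ev["run_as"], ev["command"]))
    return dict(report)

if __name__ == "__main__":
    for user, rec in sorted(audit(SAMPLE_LOG).items()):
        print(user, rec)
```

On a real host, pass the contents of /var/log/auth.log to `audit()` in place of the sample; PAM session lines and non-sudo entries are skipped.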
