While sudo is certainly better than sharing a password, it isn't like Mark 
said, going to provide you with a good audit trail.
If someone managed to get root access on your server to do something malicious, 
you can bet they also know how to remove the audit trail if it's on that server.
And while they are at it, they may as well mess with the sudoers file to make 
some more access for later :)

There are products that centralized the logging and management of the access.
Two that come to mind are ByeondTrust's PowerBroker and Foxt's BoKS.
I'm sure there are others.

Marcy

-----Original Message-----
From: Linux on 390 Port [mailto:[email protected]] On Behalf Of Mark Post
Sent: Monday, December 19, 2016 12:38 PM
To: [email protected]
Subject: Re: [LINUX-390] Root, sudo, su and preserving audit trail

>>> On 12/19/2016 at 09:12 AM, Michael MacIsaac <[email protected]> wrote: 
> Hi,
> 
> We cannot SSH as root in our organization which is good for preserving 
> audit trail because all users must use their own credentials.
> 
> I (but not all users) can then 'su to root', and my login user is 
> preserved in the environment variable SUDO_USER.
> 
> However, then as root I can 'su to another user' and the audit trail 
> seems to be lost.  Has anyone solved this issue?

Some time back Novell had a product called Privileged User Manager.  I don't 
know if it's still around or not.  But, something like that is going to be 
necessary to accomplish a really good audit trail.

One possibility to do exactly what you asked for, that you didn't mention was 
that instead of the root user using su, the scripting (or users) could have 
root use sudo instead.  Also, I don't know if you've tried it or not, but the 
su command has the "-m" and "-p" options to preserve the environment.  In my 
(brief) testing, that seems to do what you want.


Mark Post

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions, send email to 
[email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit http://wiki.linuxvm.org/

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/

Reply via email to