[Freeipa-users] Re: How to deal with 'su root'
On Tue, 19 Dec 2017, Ronald Wimmer via FreeIPA-users wrote:
> On 2017-12-19 12:05, Jakub Hrozek via FreeIPA-users wrote:
> > [...]
> > I think the best practice is to restrict the commands the users can run
> > to a bare minimum. Letting them only through sudo (as opposed to sudo su)
> > has the advantage that sudo sends all commands to the audit subsystem.
> > Also, if someone walks away from a root terminal, it will still be a root
> > terminal an hour later; sudo at least forces you to re-authenticate.
> > [...]
> Thanks a lot for your reply. It seems that I might not have been specific
> enough. The users who have ALL sudo permissions are Linux admins who should
> have ALL rights because they usually know what they are doing. My concern
> is some kind of traceability. I need to keep track of what a user did when
> he switched to root (or prohibit switching to root). What are my options
> here?
What I see regularly at various customer sites is a fine-tuned sudoers setup
where no wide-open root shell is granted but instead explicit operations are
allowed. This is admittedly harder to maintain, both from a security point
of view and from the perspective of in-application shell availability, but
that's what many admins keep investing their time into.

Another approach is pushing more and more towards automated execution of
playbooks, using Ansible or other tools, with no direct ability to execute
anything but triggering execution through commits to a git repo or a similar
store. This moves auditing to a centralized versioning system but makes it
harder to perform out-of-order operations.

> I will have a look at tlog and session recording. Are you referring to
> sssd-session-recording or to a different solution? I was also pointed to
> rootsh (https://www.linux.com/news/rootsh-terminal-logger-keeps-watch-root-users).
> What about that?
tlog is promising.

-- 
/ Alexander Bokovoy
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: How to deal with 'su root'
On 2017-12-19 12:05, Jakub Hrozek via FreeIPA-users wrote:
> [...]
> I think the best practice is to restrict the commands the users can run to
> a bare minimum. Letting them only through sudo (as opposed to sudo su) has
> the advantage that sudo sends all commands to the audit subsystem. Also, if
> someone walks away from a root terminal, it will still be a root terminal
> an hour later; sudo at least forces you to re-authenticate.
> [...]

Thanks a lot for your reply. It seems that I might not have been specific
enough. The users who have ALL sudo permissions are Linux admins who should
have ALL rights because they usually know what they are doing. My concern is
some kind of traceability. I need to keep track of what a user did when he
switched to root (or prohibit switching to root). What are my options here?

I will have a look at tlog and session recording. Are you referring to
sssd-session-recording or to a different solution? I was also pointed to
rootsh (https://www.linux.com/news/rootsh-terminal-logger-keeps-watch-root-users).
What about that?

Regards,
Ronald
[Freeipa-users] Re: How to deal with 'su root'
On Tue, Dec 19, 2017 at 11:54:12AM +0100, Ronald Wimmer via FreeIPA-users wrote:
> We have some users that have ALL sudo permissions. What is the best way of
> keeping track of all actions they do after having switched to the root user?
> Or would it be better to completely prevent switching to the root user? (if
> yes, what would be the recommended way of doing that?)

I'm not sure if it is possible to restrict the users from getting a root
shell in the first place if you give the user too broad permissions. E.g. if
you give them permissions to run sudo vim, they can just run ":sh" from the
vim window, or if you give them permissions to run 'sudo rpm' they can
install a custom package that spawns a shell from the rpm scriptlet.

I think the best practice is to restrict the commands the users can run to a
bare minimum. Letting them only through sudo (as opposed to sudo su) has the
advantage that sudo sends all commands to the audit subsystem. Also, if
someone walks away from a root terminal, it will still be a root terminal an
hour later; sudo at least forces you to re-authenticate.

You might also be interested in the "tlog" package and session recording.
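The following is an added example, not code from the thread, from FreeIPA, or from the sudo project. It illustrates the point both Jakub (sudo logs every permitted command) and Ronald (traceability ends once the user is root) make: it parses the default sudo syslog line format, reconstructs who ran what as which target user on which TTY, and marks the records where a permitted `su` or shell command ends sudo's per-command trail, so that from that point only session recording such as tlog (or auditd) can show what happened. The host name, user names and log lines are constructed sample data, and the regex assumes the classic syslog layout; journald or a custom rsyslog template may prefix lines differently.

```python
import re

# Matches the default sudo syslog line (authpriv facility), for example:
#   "Dec 19 11:55:12 host01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -"
# Denied attempts carry a status text before the fields ("command not allowed ; TTY=...").
# Layout is an assumption: journald or custom rsyslog templates can prefix lines differently.
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+"
    r"(?P<invoker>\S+) : (?P<fields>.*)$"
)

# Programs that turn one audited sudo invocation into an unaudited root shell:
# after such a line sudo logs nothing further for that session.
ROOT_SHELLS = {"su", "bash", "sh", "zsh", "ksh", "dash"}


def parse_sudo_line(line):
    """Return a dict for a sudo syslog line, or None for any other line."""
    m = SUDO_RE.match(line)
    if m is None:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "invoker": m["invoker"], "status": None}
    for field in m["fields"].split(" ; "):
        if "=" in field:
            key, _, value = field.partition("=")
            # USER= is the target account; keep it apart from the invoking user.
            key = "target" if key == "USER" else key.lower()
            rec[key] = value
        else:
            rec["status"] = field  # e.g. "command not allowed"
    return rec


def opens_root_shell(rec):
    """True when an accepted sudo record hands the invoker an interactive root shell."""
    if rec["status"] is not None or rec.get("target") != "root":
        return False
    argv = rec.get("command", "").split()
    return bool(argv) and argv[0].rsplit("/", 1)[-1] in ROOT_SHELLS


def audit_trail(lines):
    """Parse syslog lines; return (all sudo records, root-shell escalations, denied attempts)."""
    records = [r for r in map(parse_sudo_line, lines) if r is not None]
    escalations = [r for r in records if opens_root_shell(r)]
    denied = [r for r in records if r["status"] is not None]
    return records, escalations, denied


def untraced_sessions(records):
    """(invoker, tty, timestamp) for each point where sudo's own trail stops and
    only session recording (tlog) or auditd can still show what happened next."""
    return [(r["invoker"], r.get("tty"), r["ts"]) for r in records if opens_root_shell(r)]


# Constructed sample log: placeholder host and users, not real data.
SAMPLE_LOG = """\
Dec 19 11:54:01 host01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl status sssd
Dec 19 11:55:12 host01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
Dec 19 11:57:40 host01 sudo:   alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Dec 19 12:01:03 host01 sudo:     bob : command not allowed ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vim /etc/sudoers
Dec 19 12:02:15 host01 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 52211 ssh2
"""

if __name__ == "__main__":
    records, escalations, denied = audit_trail(SAMPLE_LOG.splitlines())
    print(f"{len(records)} sudo records, {len(denied)} denied")
    for invoker, tty, ts in untraced_sessions(records):
        print(f"{ts}: {invoker} on {tty} obtained a root shell; sudo trail ends here")
```

Run against `/var/log/secure` (or `journalctl -t sudo -o short`) the `untraced_sessions` list is exactly the set of sessions a fine-grained sudoers policy would not have produced, and the set that sssd's `[session_recording]` section (`scope = some` with `users`/`groups`, or `scope = all`) hands to tlog so the gap is covered by a recording rather than left blank.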