[Freeipa-users] Re: How to deal with 'su root'

2017-12-19 Thread Alexander Bokovoy via FreeIPA-users
On ti, 19 joulu 2017, Ronald Wimmer via FreeIPA-users wrote: On 2017-12-19 12:05, Jakub Hrozek via FreeIPA-users wrote: [...] I think the best practice is to restrict the commands the users can run to a bare minimum. Letting them only through sudo (as opposed to sudo su) has the advantage that

[Freeipa-users] Re: How to deal with 'su root'

2017-12-19 Thread Ronald Wimmer via FreeIPA-users
On 2017-12-19 12:05, Jakub Hrozek via FreeIPA-users wrote: [...] I think the best practice is to restrict the commands the users can run to a bare minimum. Letting them only through sudo (as opposed to sudo su) has the advantage that sudo sends all commands to the audit subsystem. Also, if

[Freeipa-users] Re: How to deal with 'su root'

2017-12-19 Thread Jakub Hrozek via FreeIPA-users
On Tue, Dec 19, 2017 at 11:54:12AM +0100, Ronald Wimmer via FreeIPA-users wrote: > We have some users that have ALL sudo permissions. What is the best way of > keeping track of all actions they do after having switched to the root user? > Or would it be better to completely prevent switching to