So Trellix did not accept this as a bug in their healthcheck script. We put in an RFE with them to do this healthcheck invocation using setpriv or su -c, which doesn't trigger the LDAP queries.
Now we have an open case with RH Tech Support on this. Basically, when sudo is invoked as root and we have early in the /etc/sudoers file:

    root ALL=(ALL) ALL

and then later on in the /etc/sudoers file we have:

    ## Read drop-in files from /etc/sudoers.
    #includedir /etc/sudoers.d

then sudo should not be making group membership queries to enumerate all the various AD groups in /etc/sudoers.d/* files, which is triggering multiple LDAP queries on thousands of servers -- all on the hour and half-hour.

Spike

On Fri, Oct 6, 2023 at 12:16 PM Larkin, Patrick <[email protected]> wrote:

> On 10/6/23, 11:52, "Sam Morris" <[email protected]> wrote:
> ______________________________________________________________________
> On 04/10/2023 17:02, Spike White wrote:
> > We see in other places in this McAfee script that they run this command
> > using 'su' instead of 'sudo'.
> >
> > su -s /bin/sh -c "LD_LIBRARY_PATH=... ${PROGROOT}/bin/macmnsvc
> > status" mfe
> …
> > Anyway, it's McAfee's problem to fix now. We'll report it and I'm sure
> > they'll figure out a solution.
>
> If they are root and want to drop privileges then they would be better
> served by runuser or setpriv. …
>
> …or start out as non-root user to begin with…
>
> (It’s a peeve of mine when security companies don’t follow best practice
> of elevating only if absolutely necessary.)
>
> --
> Pat Larkin | Manager – LinuxIMO
> Sabre TEO | Texas USA
>
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
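Added example (not part of the thread and not any poster's or vendor's code): a simplified Python scan that lists the `%group` references in sudoers text, that is, the names whose membership lookups the message above ties to the LDAP load. The sample content and group names are constructed; the scan skips `Defaults` lines and does not follow `#includedir`.

```python
import re

# Constructed sample sudoers content (not from the thread); group names are made up.
SAMPLE = r'''
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
%unix_admins ALL=(ALL) ALL   # AD group
%dba\ team,%app_ops  ALL=(oracle) NOPASSWD: /usr/bin/systemctl
User_Alias WEB = alice, %web_admins, \
                 %web_deploy
bob ALL=(root:%wheel) /usr/bin/id
Defaults passprompt="%u password: "
#includedir /etc/sudoers.d
'''

# '%' then an optional ':' (non-Unix group), then name characters;
# a backslash escapes the next character (for example a space in an AD group name).
GROUP_RE = re.compile(r'%(:?(?:\\.|[^\s,=:!()"\\])+)')


def group_refs(text):
    """Return the sorted, de-duplicated group names referenced as %group."""
    text = re.sub(r'\\\n\s*', ' ', text)  # join backslash-continued lines
    found = set()
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments/#include directives, and Defaults lines
        # (Defaults values may contain %u-style escapes that are not groups).
        if not line or line.startswith('#') or line.startswith('Defaults'):
            continue
        # Drop trailing comments; keep '#' used in %#gid or #uid forms.
        line = re.sub(r'(?<!%)#(?!\d).*', '', line)
        for m in GROUP_RE.finditer(line):
            found.add(re.sub(r'\\(.)', r'\1', m.group(1)))
    return sorted(found)


if __name__ == '__main__':
    for name in group_refs(SAMPLE):
        print(name)
```

To audit a real host, pass the concatenated contents of /etc/sudoers and the files under /etc/sudoers.d to `group_refs` (reading them requires root).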
