> > - improves accountability for administrative actions (we know which admin
> > messed up :)
> 
> Nonsense. for non-malicious logins, sudo leaves as much as a trail as
> sshd which tells you which credentials were used to login. For malicious
> logins, once root access is obtained via password-less sudo, the
> evidence is removed from the logs.

… which is why good large-scale setups immediately send logs away from the 
machine to a dedicated log host.

True, given our current design, which does not block the log in on successful 
log write/flush, this becomes a race between sending the logs and the attacker 
logging in and trying to abort the log sending operation.

Also I realize that many (single-user and small data center) setups do not have 
such a log host; still, the OS should be designed to make such auditing at 
least possible, and making it easy enough to eliminate direct logins to the 
root account (whether using a password or a key) would go in that direction.
    Mirek
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Reply via email to