>There is no secure accountability, by default, with sudo either. The
>sudo log is trivially bypassed, at least in every instance I've ever
>encountered it being used, even when those who installed it claimed it
>was "secure".
Sudo accountability is only as secure as the programs which you allow the
user to run via sudo.
At least with sudo you have control over allowed commands and logging per
command. With uid=0 accounts you have neither. In any case with someone
having root, they can circumvent controls. The point is with uid=0
accounts there are no controls to circumvent.
>The biggest problem with sudo is that it often makes it a heck of a lot
>easier for an attacker with minimal access to gain increased privileges
How is that?? An attacker needs to not only access the system as a
sudo-capable user, but also know their password (have cracked it). With
additional uid=0 accounts, you've added passwords to root which betters the
odds for cracking uid=0 as much as sudo-capable accounts do. At least with
sudo, they have to first figure out who might have full sudo access. You
won't find that in /etc/passwd like you find uid=0.
> Oddly only by
>forcing admins to login directly via a trusted path as root can you
>avoid many of those risks
Any time you force someone to login via a trusted path, as root or a
regular user (for sudo/su), you avoid auth/acct risks. This is not a
feature only of logging in as uid=0. Trusted paths are essential in any
security scheme.
>, and if that's the approach you take then use
>of multiple UID==0 accounts is the only way to achieve (regain?) at
>least minimal accountability (i.e. the same amount that can be achieved
>with 'su', assuming one has a decently secure logging system, or
>physically secure host with a good and complete securemode
>implementation and append-only log files, etc.).
Your statement seems to make the assumption that a login via a uid=0
account is somehow better authenticated than a normal user login (who can
then su/sudo) and thus better than sudo or su. A login is a login. It's
only as good as the trusted path regardless of uid.
If you have a secure logging system, your sudo log can be just as secure as
login entries. In fact sudo and su logs are easier to secure than login
because sudo and su use syslog and login does not.
It seems in your definition of "accountability," you only need to know who
logged in when. That's all you're getting, if you believe your "trusted
path." With sudo, even if you don't believe the sudo logs, you still get at
least who logged in when, but much more as well.
>their managers must not trust the sudo log any more than they would
>really trust any logbook, even one written in indelible pen on
>sequentially numbered pages in a hard-bound volume.
But at least it is something. The login logging is equally suspect (can
readily be modified) and contains insufficient information to account for
activities after login.
Try to figure out who unplugged a computer in a controlled access machine
room. You can only make guesstimates by correlating the time of the event
with the time stamps on the door access logs. What if the logs show two
people in the room at the same time and they both claim
ignorance? Accounting only for the login event is pretty useless.
...Barb
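As an added illustration of the two points made above (extra uid=0 accounts are plainly visible in /etc/passwd, while sudo's syslog records who ran what as root, including denied attempts), here is a small audit script. It is example code written for this note, not anything from the thread; the passwd and sudo log samples are constructed, and the sudo line layout follows sudo's usual syslog format but is reproduced from memory.

```python
import re

# Constructed /etc/passwd sample: a second uid=0 login ("toor") hides among
# ordinary accounts and would carry none of sudo's per-command controls.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
barb:x:1001:1001:Barb:/home/barb:/bin/sh
toor:x:0:0:alternate root:/root:/bin/sh
"""

# Constructed sudo syslog lines (layout approximates sudo's syslog output).
SUDO_LOG_SAMPLE = """\
Mar  3 10:15:01 host sudo:     barb : TTY=pts/0 ; PWD=/home/barb ; USER=root ; COMMAND=/sbin/shutdown -h now
Mar  3 10:16:40 host sudo:     fred : TTY=pts/1 ; PWD=/home/fred ; USER=root ; COMMAND=/bin/cat /var/log/messages
Mar  3 10:17:02 host sudo:     fred : command not allowed ; TTY=pts/1 ; PWD=/home/fred ; USER=root ; COMMAND=/bin/sh
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<denied>command not allowed) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def uid0_accounts(passwd_text):
    """Return every login name whose numeric uid field is 0."""
    names = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.append(fields[0])
    return names


def sudo_events(log_text):
    """Parse sudo syslog lines into (timestamp, user, allowed, run-as, command)."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            events.append((line[:15], m["user"], m["denied"] is None, m["runas"], m["cmd"]))
    return events


def denied_attempts(log_text):
    """Only the refused invocations: the part a uid=0 login would never record."""
    return [e for e in sudo_events(log_text) if not e[2]]
```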