can you share with usw what you use instead of sudo? On Tue, Jul 2, 2024 at 11:42 PM George Toft via PLUG-discuss < plug-discuss@lists.phxlinux.org> wrote:
> Okay, I now come begging for more information on why RH thinks sudo is > bad. But first a little background... > > Where I work, the first thing we do is remove sudo and replace it with a > shell script that calls our centralized Privileged Access Management > (PAM) system (not naming vendor). The use of sudo requires and exception > and review and is not permanent. So I'm very versed on the principles > and implementation of PAM. Last year our Staff Architect asked me to > compare and contrast sudo against <unnamed product>. Side-by-side, > feature-by-feature, I did so, based on our POC's on Red Hat Identity > Manager (IdM), which uses sudo, and locally engineered solutions. > > I personally detest sudo because it's like chmod 777 * - makes > everything work so much better, and software vendors can just drop in > their own sudo rules in /etc/sudoers.d/ and make magic happen without > you ever knowing what happened. Several times we've had to convert some > vendor's sudo rules to our own system's rules, and I ask the vendor "Why > do you have this rule?" Their answer: "We don't know." OFFS :( > > As far as sudo goes, it is included in the Center for Internet > Security's (CIS) Benchmarks, which is the embodiment of the information > security industry's best practices. I did some work for them for a > couple years, and every change (add/mod/delete) required consensus > approval from 80 organizations around the world, including thee letter > agencies in the US and abroad. Many/most auditors expect financial > institutions to follow this guide, or explain convincingly why not. So > every six months, we get to say: "We don't use sudo. Instead, we do > this." And then we get to do live demos of timed privileged access. > Haven't had a follow-on question in the last 8 years. > > (OT: I cringe at referring to CIS because of their collusion with the > Arizona Secretary of State and the Department of Homeland Security to > suppress people's First Amendment Right to Free Speech. Proof is in the > Elon Musk Twitter Dump. I do not have a copy of the email on my > computer. I generally don't tell people I did work for them - it's so > embarrassing. Effing Ratbastards.) > > So... back to the original question, as I was not able to find anything > saying Red Hat discourages sudo, nor was my favorite AI. Please toss me > a cookie... > > Regards, > > George Toft > > On 6/26/2024 12:23 PM, Rusty Carruth via PLUG-discuss wrote: > > Actually, I'd like to start a bit of a discussion on this. > > > > > > First, I know that for some reason RedHat seems to think that sudo is > > bad/insecure. > > > > I'd like to know the logic there, as I think the argument FOR using > > sudo is MUCH stronger than any argument I've heard (which, admittedly, > > is pretty close to zero) AGAINST it. Here's my thinking: > > > > Allowing users to become root via sudo gives you: > > > > - VERY fine control over what programs a user can use as root > > > > - The ability to remove admin privs (ability to run as root) from an > > individual WITHOUT having to change root password everywhere. > > > > Now, remember, RH is supposedly 'corporate friendly'. As a > > corporation, that 2nd feature is well worth the price of admission, > > PLUS I can only allow certain admins to run certain programs? Very nice. > > > > So, for example, at my last place I allowed the 'tester' user to run > > fdisk as root, because they needed to partition the disk under test. > > In my case, and since the network that we ran on was totally isolated > > from the corporate network, I let fdisk be run without needing a > > password. Oh, and if they messed up and fdisk'ed the boot partition, > > it was no big deal - I could recreate the machine from scratch (minus > > whatever data hadn't been copied off yet - which would only be their > > most recent run), in 10 minutes (which was about 2 minutes of my time, > > and 8 minutes of scripted 'dd' ;-) However, if the test user wanted > > to become root using su, they had to enter the test user password. > > > > So, back to the original question - setting sudo to not require a > > password. We should have asked, what program do you want to run as > > root without requiring a password? How secure is your system? What > > else do you use it for? Who has access? etc, etc, etc. > > > > There's one other minor objection I have to the 'zero defense' > > statement below - the malicious thing you downloaded (and, I assume > > ran) has to be written to USE sudo in its attempt to break in, I > > believe, or it wouldn't matter HOW open your sudo was. (simply saying > > 'su - myscript' won't do it). > > > > And, if you're truly paranoid about stuff you download, you should: > > > > 1 - NEVER download something you don't have an excellent reason to > > believe is 'safe', and ALWAYS make sure you actually downloaded it > > from where you thought you did. > > > > 2 - For the TRULY paranoid, have a machine you use to download and > > test software on, which you can totally disconnect from your network > > (not JUST the internet), and which has NO confidential info, and which > > you can erase and rebuild without caring. Run the downloaded stuff > > there, for a long time, until you're pretty sure it won't bite you. > > > > 3 - For the REALLY REALLY paranoid, don't download anything from > > anywhere, disconnect from the internet permanently, get high-tech > > locks for your doors, and wrap your house in a faraday cage! > > > > And probably don't leave the house.... > > > > The point of number 3 is that there is always a risk, even with > > 'well-known' software, and as someone else said - they're watching you > > anyway. The question is how 'safe' do you want to be? And how > > paranoid are you, really? > > > > Wow, talk about rabbit hole! ;-) > > > > 'Let the flames begin!' :-) > > > > > > On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote: > >>> wanted sudo not to require a password. > >> Please reconsider this... This is VERY BAD security practice. There's > >> basically zero defense if you happen to download/run something > >> malicious. > >> > >> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss wrote: > >>> then I remember that a PLUG member mentioned ChatGPT being good at > >>> troubleshooting so I figured I'd give it a go. I sprint about half > >>> an hour asking it the wrong question but after that it took 2 > >>> minutes. I wanted sudo not to require a password. it is wonderful! > >>> now I don't have to bug you guys. so it looks like this is the end > >>> of the user group unless you want to talk about OT stuff. > >>> > >>> -- > >>> :-)~MIKE~(-: > >>> --------------------------------------------------- > >>> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org > >>> To subscribe, unsubscribe, or to change your mail settings: > >>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss > >>> > >> > >> --------------------------------------------------- > >> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org > >> To subscribe, unsubscribe, or to change your mail settings: > >> https://lists.phxlinux.org/mailman/listinfo/plug-discuss > > --------------------------------------------------- > > PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org > > To subscribe, unsubscribe, or to change your mail settings: > > https://lists.phxlinux.org/mailman/listinfo/plug-discuss > --------------------------------------------------- > PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org > To subscribe, unsubscribe, or to change your mail settings: > https://lists.phxlinux.org/mailman/listinfo/plug-discuss > -- :-)~MIKE~(-:
--------------------------------------------------- PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org To subscribe, unsubscribe, or to change your mail settings: https://lists.phxlinux.org/mailman/listinfo/plug-discuss
