[ale] veteran unix admin

Jim Kinney jim.kinney at gmail.com
Tue Feb 15 12:40:24 EST 2011


rootsh is your friend! http://sourceforge.net/projects/rootsh/

Set up a simple script gogoroot that is called from sudo. It logs the
sudo and creates the root shell environment. Now rootsh is on and
associated with the user from the sudo call.

Alternatively, selinux should be set to active and auditd should be
running. Now even if an admin does the su - or even sudo su -, auditd
tracks their REAL UID with each command.

Sudo is for giving limited admin ability to people who are not trusted
to be admins. There are other, better tools for logging admin
transgressions than sudo. Any admin worth their gray beard can edit
logs. auditd can log to a remote machine that records to an
append-only drive. If auditd can't log anymore the system locks up.
That way ALL actions are always logged.

Corporate, audited, government body certified usually means "we use
technology that's 10 years too late to solve problems yesterday." :-)

On Tue, Feb 15, 2011 at 11:34 AM, Jerald Sheets <questy at gmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> On Feb 15, 2011, at 11:20 AM, Jim Kinney wrote:
>
>> Um. yeah. Like the poster "Peters Laws of the Sociopathic
>> Obsessive-Compulsive" I'm afraid to ever let a shrink see this list as
>> well.
>>
>
>
> I saw that article, Jim.  The guy lost all credibility on point #1 alone.  In a corporate, audited, governing-body certified environment, you should NEVER not use sudo.  (with full logging).
>
> I have been in environments where we had to go look up the root pw when a vendor product refused to honor sudo, but aside from that, 97+ % of what you do can (and should) be managed via sudo.  Anything else is pure laziness.
>
> If you don't impose those guidelines on yourself, SAS70, ITIL, ISO, or some other body will.
>
> #!/jerald
> Linux User #183003
> Ubuntu User #32648
> Public GPG Key:  http://questy.org/js.asc
>
> - -----BEGIN GEEK CODE BLOCK-----
> Version: 3.1
> GIT/MU d-@ s++(++)>+++:> a+ C++++(+++)$>++ UBLAVHSC++(on)$>++++ P++(+++)$>++++ L++(++++)$>+++ !E---(---)>--- W+(++)$>+++ N(+)$>++ !o !K-- w(--)>--- O()@> M++(++)$>++ V()>- PS+++()@>-- PE(++)@>+ Y+(+)@>+ PGP++(++)$>+++ t+(++)@>+++ 5(+)@>+ X+(++)@>+++ R+(+)@>++ tv-(+)$>++ b+++(++)$>++ DI++++(++)>+++ D++(++)@>++ G++(++)@>++ e++(++)$>++ h(-)$>- r+++(+++)@>+++ y+(+++)>++++@
> - ------END GEEK CODE BLOCK------
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (Darwin)
>
> iQEcBAEBAgAGBQJNWqsRAAoJEAek0rkZiSvcM9cH/jSLJ04K/o03ip1lOH1HI6cO
> hmlmQv42j+jx9W0xsI4r0n72kcRkOD8IdhQOZtTsYFvZhZZZA9XPN36jl5EXMO0Z
> 7bcz7/SacsiGg8m8j97T2UY7tcUfdqzV2fIX9jAYs5o8Qk3di3uukv1MbpTAfwXl
> KCdiC8UQNFOUfbkwRp9JEem4QahwemNG7Kdtpl0egbAn9vY9JLH3mfeM8ok/mbU9
> wYjRnG5IgIkwkxDxBto/0W2Otdc+xw0QYYTYgHT0dYhQ7dkWm4qwvkY6/zkJAeta
> 4EdvWShHX3qdgvplnXtMdHRma6gf4VceODYT5nZ6+XI4O7ZZ8M61ZY1XRXngUG8=
> =XN5i
> -----END PGP SIGNATURE-----
>



-- 
James P. Kinney III
I would rather stumble along in freedom than walk effortlessly in chains.
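As an added illustration of the two approaches Jim describes (this is example code, not anything from the post or from the rootsh project): the first part is the `gogoroot` wrapper that sudo launches, which records who asked for the root shell before handing off to rootsh; the second is an auditd rule set that records every execve with the login UID (auid), plus a small parser run over a constructed SYSCALL record to show that auid still names the admin after `sudo su -` even though uid is 0. The install paths, the `%wheel` sudoers line, the user `jkinney`/uid 1000, the collector hostname and the sample records are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or from rootsh itself.
# Part 1: the sudo-invoked "gogoroot" wrapper.  Part 2: auditd rules and a
# parser showing that auid (login UID) survives su/sudo while uid does not.

# ---- 1. /usr/local/sbin/gogoroot (mode 0750), allowed in sudoers as
#         %wheel ALL=(root) /usr/local/sbin/gogoroot
# sudo sets SUDO_USER/SUDO_UID for the command it runs (env_reset means the
# caller cannot preset them); once we are uid 0 that is how we still know who
# is at the keyboard.
gogoroot_logline() {
    # $1 = SUDO_USER, $2 = SUDO_UID, $3 = tty; prints the syslog message,
    # fails when the wrapper was not reached through sudo.
    [ -n "$1" ] && [ -n "$2" ] || return 1
    printf 'root shell for %s (uid %s) on %s\n' "$1" "$2" "$3"
}

gogoroot() {
    # body of the installed wrapper; rootsh install path is assumed
    msg="$(gogoroot_logline "$SUDO_USER" "$SUDO_UID" "$(tty 2>/dev/null)")" ||
        { echo "gogoroot: must be started through sudo" >&2; return 1; }
    logger -p authpriv.notice -t gogoroot -- "$msg"
    export HOME=/root USER=root LOGNAME=root
    cd /root && exec /usr/local/bin/rootsh   # rootsh records the whole session
}

# ---- 2. auditd: record every command a logged-in human runs, keyed by auid.
AUDIT_RULES='## /etc/audit/audit.rules (auditctl syntax)
-D
-b 8192
## -f 2: kernel panics if it cannot deliver audit records
-f 2
## every execve by a real login; auid follows the admin through su and sudo
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k rootcmds
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k rootcmds
## -e 2: lock the rules until reboot
-e 2'

AUDITD_CONF='## /etc/audit/auditd.conf excerpts: stop rather than run unlogged
disk_full_action = halt
disk_error_action = halt
admin_space_left_action = halt
## /etc/audisp/audisp-remote.conf (plugin au-remote.conf set active = yes):
## ship records to the append-only collector, halt if it cannot be reached
remote_server = auditlog.example.internal
network_failure_action = halt'

# Constructed SYSCALL record: user jkinney did "sudo su -" and then ran visudo.
# uid/euid are 0, but auid is still 1000.
SAMPLE_SYSCALL='type=SYSCALL msg=audit(1297791624.512:4381): arch=c000003e syscall=59 success=yes exit=0 a0=1d2a4f0 a1=1d2b5c0 a2=1d2c8e0 a3=7 items=2 ppid=3120 pid=3133 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="visudo" exe="/usr/sbin/visudo" key="rootcmds"'
# Constructed record from a daemon: auid is unset (-1 as unsigned).
SAMPLE_UNSET='type=SYSCALL msg=audit(1297791700.001:4390): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/bin/run-parts" key=(null)'

# Constructed stand-in for getent passwd so the lookup works offline.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
jkinney:x:1000:1000:Jim Kinney:/home/jkinney:/bin/bash'

audit_field() {
    # $1 = field name, $2 = record; prints the value with quotes stripped,
    # fails if the field is absent.  A leading space keeps "uid=" from
    # matching inside "auid=", "suid=" and friends.
    case " $2" in
        *" $1="*) v="${2#* $1=}"; v="${v%% *}"; printf '%s\n' "$v" | tr -d '"' ;;
        *) return 1 ;;
    esac
}

uid_to_name() {
    # $1 = numeric uid; prints the login name from PASSWD_SAMPLE
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" '$3 == u { print $1; exit }'
}

audit_real_user() {
    # prints the login behind a record; fails for daemons (auid unset)
    auid="$(audit_field auid "$1")" || return 1
    [ "$auid" != 4294967295 ] || return 1
    uid_to_name "$auid"
}

audit_blame() {
    # one-line attribution: the REAL user, the binary, and the uid it ran as
    who="$(audit_real_user "$1")" || who="<no login uid>"
    printf '%s ran %s as uid %s\n' "$who" "$(audit_field exe "$1")" "$(audit_field uid "$1")"
}
```

On a live box the same attribution is what `ausearch -k rootcmds -i` prints (it resolves auid to a name for you); the parser here just makes the point visible offline. The wrapper logs through `logger` before exec'ing rootsh because sudo's own log entry only says `gogoroot` was run, while rootsh then captures the session content; the two records together tie keystrokes to the invoking account.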