[ale] veteran unix admin

Jerald Sheets questy at gmail.com
Tue Feb 15 13:37:22 EST 2011



I like these sorts of tools.  I've used Powerbroker (commercial) and sudosh (open source) as well.  

sudo is an extremely useful tool, though.  

Assume also a mature environment where logs are being off-boxed either into a Splunk-like thing or centralized through rsyslog.  I'd rather just use sudo than have to clean up logs in those disparate places.  :)


On Feb 15, 2011, at 12:40 PM, Jim Kinney wrote:

> rootsh is your friend! http://sourceforge.net/projects/rootsh/
> 
> Set up a simple script gogoroot that is called from sudo. It logs the
> sudo and creates the root shell environment. Now rootsh is on and
> associated with the user from the sudo call.
> 
> Alternatively, selinux should be set to active and auditd should be
> running. Now even if an admin does the su - or even sudo su -, auditd
> tracks their REAL UID with each command.
> 
> Sudo is for giving limited admin ability to people who are not trusted
> to be admins. There are other, better tools for logging admin
> transgressions than sudo. Any admin worth their gray beard can edit
> logs. auditd can log to a remote machine that records to an
> append-only drive. If auditd can't log anymore the system locks up.
> That way ALL actions are always logged.
> 
> Corporate, audited, government body certified usually means "we use
> technology that's 10 years too late to solve problems yesterday." :-)
> 
> On Tue, Feb 15, 2011 at 11:34 AM, Jerald Sheets <questy at gmail.com> wrote:
>> 
>> On Feb 15, 2011, at 11:20 AM, Jim Kinney wrote:
>> 
>>> Um. yeah. Like the poster "Peters Laws of the Sociopathic
>>> Obsessive-Compulsive" I'm afraid to ever let a shrink see this list as
>>> well.
>>> 
>> 
>> 
>> I saw that article, Jim.  The guy lost all credibility on point #1 alone.  In a corporate, audited, governing-body certified environment, you should NEVER not use sudo.  (with full logging).
>> 
>> I have been in environments where we had to go look up the root pw when a vendor product refused to honor sudo, but aside from that, 97+% of what you do can (and should) be managed via sudo.  Anything else is pure laziness.
>> 
>> If you don't impose those guidelines on yourself, SAS70, ITIL, ISO, or some other body will.
>> 
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>> 
> 
> 
> 
> -- 
> --
> James P. Kinney III
> I would rather stumble along in freedom than walk effortlessly in chains.
> 

#!/jerald
Linux User #183003
Ubuntu User #32648
Public GPG Key:  http://questy.org/js.asc
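The point Jim makes above, that auditd records the real login UID with each command even after `su -` or `sudo su -`, is easiest to see by reading the records back out. The following is an added example and not code from any poster in this thread: it parses constructed SYSCALL records in the format auditd writes to /var/log/audit/audit.log and groups every command executed with euid=0 by the auid field (the login UID that pam_loginuid stamps on the session at login). Records whose auid is the unset sentinel are reported separately, since no login session can be blamed for them. The sample records, the audit key name "privileged" and the usernames/UIDs are all made up for the example.

```python
"""Attribute commands run as root back to the login UID in Linux audit records.

Added example for the ALE thread above, not code from any poster: auditd stamps
every SYSCALL record with auid= (the login UID set by pam_loginuid at login),
and that value survives `su -` and `sudo su -`, so root activity can still be
tied to the admin who started the session. The records below are constructed
samples in the format auditd writes to /var/log/audit/audit.log.
"""
import re
from collections import defaultdict

# Constructed sample records, not captured from a real host. uid/euid show the
# effective identity after su/sudo; auid keeps the original login UID.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1297788000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=4120 pid=4121 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=0 fsgid=0 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="privileged"
type=SYSCALL msg=audit(1297788000.102:202): arch=c000003e syscall=59 success=yes exit=0 ppid=4121 pid=4122 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="su" exe="/bin/su" key="privileged"
type=SYSCALL msg=audit(1297788000.103:203): arch=c000003e syscall=59 success=yes exit=0 ppid=4122 pid=4123 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key="privileged"
type=SYSCALL msg=audit(1297788000.104:204): arch=c000003e syscall=59 success=yes exit=0 ppid=4123 pid=4130 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="privileged"
type=SYSCALL msg=audit(1297788000.105:205): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=980 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="privileged"
type=SYSCALL msg=audit(1297788000.106:206): arch=c000003e syscall=59 success=yes exit=0 ppid=5000 pid=5001 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="ls" exe="/bin/ls" key="privileged"
"""

UNSET_AUID = 4294967295  # (unsigned)-1: no login session, e.g. daemons started at boot

# key=value pairs; values are either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+)\.(\d+):(\d+)\)')


def parse_record(line):
    """Split one audit record into a dict of fields; None if it is not a record."""
    line = line.strip()
    if not line.startswith("type="):
        return None
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        fields["timestamp"] = float(f"{m.group(1)}.{m.group(2)}")
        fields["serial"] = int(m.group(3))
    return fields


def privileged_commands(log_text):
    """Group commands executed with euid=0 by the login UID that ran them.

    Returns {auid: [(serial, comm, exe, tty), ...]}. Records whose auid is the
    unset sentinel (daemons, cron) are filed under None so they stand out as
    root activity that no login session accounts for.
    """
    by_login_uid = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("type") != "SYSCALL" or rec.get("euid") != "0":
            continue
        auid = int(rec["auid"])
        owner = None if auid == UNSET_AUID else auid
        by_login_uid[owner].append(
            (rec["serial"], rec["comm"], rec["exe"], rec.get("tty", "?"))
        )
    return dict(by_login_uid)


def attribution_report(log_text):
    """Render the grouping as text lines, one per command, login UIDs first."""
    lines = []
    grouped = privileged_commands(log_text)
    for owner in sorted(grouped, key=lambda o: (o is None, o or 0)):
        label = f"auid={owner}" if owner is not None else "auid=UNSET (no login session)"
        for serial, comm, exe, tty in grouped[owner]:
            lines.append(f"{label:30} #{serial} {comm} ({exe}) tty={tty}")
    return lines


if __name__ == "__main__":
    print("\n".join(attribution_report(SAMPLE_AUDIT_LOG)))
```

Run against the sample, the sudo, su, bash and vi records all land under auid=1000 even though uid and euid are 0 from the `su` onward; that is the attribution Jim is relying on, and it only holds because pam_loginuid sets the login UID once at session start and the kernel refuses to change it afterwards. The cron record with the unset sentinel shows the other case a reviewer needs to watch for: root activity with no login session behind it.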






