[ale] veteran unix admin
David Tomaschik
david at systemoverlord.com
Tue Feb 15 14:13:01 EST 2011
Jim,
I know you're somewhat of an SELinux guru. In order to learn to
properly implement SELinux, what are the best books/resources? I have
SELinux by Example from Prentice Hall (c. 2007). Any other
recommendations?
David
On Tue, Feb 15, 2011 at 12:40 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
> rootsh is your friend! http://sourceforge.net/projects/rootsh/
>
> Setup a simple script gogoroot that is called from sudo. It logs the
> sudo and creates the root shell environment. Now rootsh is on and
> associated with the user from the sudo call.
>
> Alternatively, selinux should be set to active and auditd should be
> running. Now even if an admin does the su - or even sudo su -, auditd
> tracks their REAL UID with each command.
>
> Sudo is for giving limited admin ability to people who are not trusted
> to be admins. There are other, better tools for logging admin
> transgressions than sudo. Any admin worth their gray beard can edit
> logs. auditd can log to a remote machine that records to an
> append-only drive. If auditd can't log anymore the system locks up.
> That way ALL actions are always logged.
>
> Corporate, audited, government body certified usually means "we use
> technology that's 10 years too late to solve problems yesterday." :-)
>
> On Tue, Feb 15, 2011 at 11:34 AM, Jerald Sheets <questy at gmail.com> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>> On Feb 15, 2011, at 11:20 AM, Jim Kinney wrote:
>>
>>> Um. yeah. Like the poster "Peters Laws of the Sociopathic
>>> Obsessive-Compulsive" I'm afraid to ever let a shrink see this list as
>>> well.
>>>
>>
>>
>> I saw that article, Jim. The guy lost all credibility on point #1 alone. In a corporate, audited, governing-body certified environment, you should NEVER not use sudo. (with full logging).
>>
>> I have been in environments where we had to go look up the root pw when a vendor product refused to honor sudo, but aside from that, 97+ % of what you do can (and should) be managed via sudo. Anything else is pure laziness.
>>
>> If you don't impose those guidelines on yourself, SAS70, ITIL, ISO, or some other body will.
>>
>> #!/jerald
>> Linux User #183003
>> Ubuntu User #32648
>> Public GPG Key: http://questy.org/js.asc
>>
>> - -----BEGIN GEEK CODE BLOCK-----
>> Version: 3.1
>> GIT/MU d-@ s++(++)>+++:> a+ C++++(+++)$>++ UBLAVHSC++(on)$>++++ P++(+++)$>++++ L++(++++)$>+++ !E---(---)>--- W+(++)$>+++ N(+)$>++ !o !K-- w(--)>--- O()@> M++(++)$>++ V()>- PS+++()@>-- PE(++)@>+ Y+(+)@>+ PGP++(++)$>+++ t+(++)@>+++ 5(+)@>+ X+(++)@>+++ R+(+)@>++ tv-(+)$>++ b+++(++)$>++ DI++++(++)>+++ D++(++)@>++ G++(++)@>++ e++(++)$>++ h(-)$>- r+++(+++)@>+++ y+(+++)>++++@
>> - ------END GEEK CODE BLOCK------
>>
>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.11 (Darwin)
>>
>> iQEcBAEBAgAGBQJNWqsRAAoJEAek0rkZiSvcM9cH/jSLJ04K/o03ip1lOH1HI6cO
>> hmlmQv42j+jx9W0xsI4r0n72kcRkOD8IdhQOZtTsYFvZhZZZA9XPN36jl5EXMO0Z
>> 7bcz7/SacsiGg8m8j97T2UY7tcUfdqzV2fIX9jAYs5o8Qk3di3uukv1MbpTAfwXl
>> KCdiC8UQNFOUfbkwRp9JEem4QahwemNG7Kdtpl0egbAn9vY9JLH3mfeM8ok/mbU9
>> wYjRnG5IgIkwkxDxBto/0W2Otdc+xw0QYYTYgHT0dYhQ7dkWm4qwvkY6/zkJAeta
>> 4EdvWShHX3qdgvplnXtMdHRma6gf4VceODYT5nZ6+XI4O7ZZ8M61ZY1XRXngUG8=
>> =XN5i
>> -----END PGP SIGNATURE-----
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>
>
>
> --
> --
> James P. Kinney III
> I would rather stumble along in freedom than walk effortlessly in chains.
>
>
--
David Tomaschik, RHCE, LPIC-1
System Administrator/Open Source Advocate
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
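As an added example (not code from the thread, and not rootsh's own), here is the mechanism behind "auditd tracks their REAL UID": every SYSCALL record carries an `auid` (login UID) field that pam_loginuid sets at login and that survives `su -` and `sudo su -`, so commands executed with euid 0 can be attributed back to the account that actually logged in. The audit rule, the sample records and the function name below are assumptions made for this illustration, not captures from any real system.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: attribute commands run as
# root to the login account (auid) that started the session.
#
# Rule assumed to be loaded with auditctl (or placed in audit.rules) to
# produce these records on x86-64; 59 is execve, so every command started
# as root by a logged-in user (auid set) gets a SYSCALL record:
#   -a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 \
#      -F auid!=4294967295 -k root_cmds
# auid=4294967295 means "unset": daemons and cron jobs, not logged-in users.

# Constructed sample of /var/log/audit/audit.log records (shortened, not
# real captures). Record 201: user 1000 ran vim after "sudo su -".
# Record 202: the same user ran ls as themselves (euid 1000, not root).
# Record 203: logrotate from cron, auid unset. Record 204: useradd as root.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1297786381.123:201): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1200 pid=1240 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="root_cmds"
type=EXECVE msg=audit(1297786381.123:201): argc=2 a0="vim" a1="/etc/sudoers"
type=SYSCALL msg=audit(1297786390.456:202): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1200 pid=1241 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key=(null)
type=SYSCALL msg=audit(1297786400.789:203): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=900 pid=1300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key=(null)
type=SYSCALL msg=audit(1297786410.012:204): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1350 pid=1360 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 tty=pts1 ses=5 comm="useradd" exe="/usr/sbin/useradd" key="root_cmds"'

# attribute_root_cmds: read audit records on stdin, print one line
# "auid=<login uid> comm=<command>" for every execve that ran with euid 0
# and a set login UID. Anything the user ran as themselves, and anything
# started by the system with no login UID, is skipped.
attribute_root_cmds() {
    awk '
        $1 == "type=SYSCALL" {
            auid = ""; euid = ""; comm = ""; is_execve = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "syscall=59") { is_execve = 1; continue }
                split($i, kv, "=")
                if (kv[1] == "auid")      auid = kv[2]
                else if (kv[1] == "euid") euid = kv[2]
                else if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            }
            if (is_execve && euid == "0" && auid != "" && auid != "4294967295")
                print "auid=" auid " comm=" comm
        }'
}

# Stand-alone run over the constructed sample: expected lines are the vim
# and useradd records, both attributed to login UID 1000.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | attribute_root_cmds
```

On a live system `ausearch -k root_cmds -i` does the same lookup with names resolved (and handles other architectures, where execve is not syscall 59). The "system locks up if auditd can't log" behaviour from the thread is the audit failure mode, `-f 2` (panic) in audit.rules; shipping records off-box before a local admin can touch them is what the audisp-remote plugin is for.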