On 4/9/21 11:23 AM, Stephen John Smoogen wrote:
> On Fri, 9 Apr 2021 at 12:19, Stephen John Smoogen <smooge at gmail.com> wrote:
>> On Fri, 9 Apr 2021 at 12:02, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>>> On 4/9/21 10:47 AM, Binet, Valere (NIH/NIA/IRP) [C] wrote:
>>>> The NIST and CIS baselines don't allow su, we have to use sudo on
>>>> government computers.
>>>
>>> Could you enlighten me on the rationale behind that restriction? As, as
>>> you already noticed, my [ancient, maybe] reasoning makes me arrive at an
>>> opposite conclusion. (But mine is a pure security consideration with full
>>> trust vested in the sysadmin, see below...)
>>>
>>> On a second guess: it is just for separation of privileges, and the
>>> accounting of who did what which sudo brings to the table... Right?
>>
>> sudo brings in accounting and the ability to restrict a person to a
>> single command. [That is hard to do well, but it is possible.] It also
>> allows for an easily auditable configuration file set so that you can see
>> what should have been allowed and what shouldn't. Versus the usual "oh, let's
>> make it setgid blah or setuid foo but restricted to this group..." and
>> people forgetting it was done that way or why.
>>
>> That said, like any tool it can be used as a hammer when it should have
>> remained a Phillips head.
>
> Finally, sudo can allow for better RBAC rules where, if that is needed, you
> had to have multiple su commands that were aligned to each role so that
> people could not escape their jail. [My understanding is that this is where
> your chosen OS shines

Which one OS would be that?

Valeri

> with sudo and this was lifted to other OSes later.]
> By 2005 most .gov/.mil baselines required su to be no longer allowed
> because of this.

-- 
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On Fri, Apr 09, 2021 at 11:39:58AM -0500, Valeri Galtsev wrote:
> On 4/9/21 11:23 AM, Stephen John Smoogen wrote:
>> On Fri, 9 Apr 2021 at 12:19, Stephen John Smoogen <smooge at gmail.com> wrote:
>>> On Fri, 9 Apr 2021 at 12:02, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>>>
>> Finally, sudo can allow for better RBAC rules where, if that is needed, you
>> had to have multiple su commands that were aligned to each role so that
>> people could not escape their jail. [My understanding is that this is where
>> your chosen OS shines
>
> Which one OS would be that?

I suspect that it's because you are known as the FreeBSD user on this list. :)
(I also prefer it, and have been fortunate enough to be at a FreeBSD shop for
years now.)

Note that FreeBSD can also use OpenBSD's doas command, though on FreeBSD there
is no persist option, so one must type the password each time, which in a
production environment isn't necessarily a bad thing.

-- 
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6
On Fri, 9 Apr 2021 at 12:40, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
> On 4/9/21 11:23 AM, Stephen John Smoogen wrote:
>> On Fri, 9 Apr 2021 at 12:19, Stephen John Smoogen <smooge at gmail.com> wrote:
>>> On Fri, 9 Apr 2021 at 12:02, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>>>> On 4/9/21 10:47 AM, Binet, Valere (NIH/NIA/IRP) [C] wrote:
>>>>> The NIST and CIS baselines don't allow su, we have to use sudo on
>>>>> government computers.
>>>>
>>>> Could you enlighten me on the rationale behind that restriction? As, as
>>>> you already noticed, my [ancient, maybe] reasoning makes me arrive at an
>>>> opposite conclusion. (But mine is a pure security consideration with full
>>>> trust vested in the sysadmin, see below...)
>>>>
>>>> On a second guess: it is just for separation of privileges, and the
>>>> accounting of who did what which sudo brings to the table... Right?
>>>
>>> sudo brings in accounting and the ability to restrict a person to a
>>> single command. [That is hard to do well, but it is possible.] It also
>>> allows for an easily auditable configuration file set so that you can see
>>> what should have been allowed and what shouldn't. Versus the usual "oh, let's
>>> make it setgid blah or setuid foo but restricted to this group..." and
>>> people forgetting it was done that way or why.
>>>
>>> That said, like any tool it can be used as a hammer when it should have
>>> remained a Phillips head.
>>
>> Finally, sudo can allow for better RBAC rules where, if that is needed, you
>> had to have multiple su commands that were aligned to each role so that
>> people could not escape their jail. [My understanding is that this is where
>> your chosen OS shines

That should have been written as "your chosen OS, FreeBSD, shines ..."; my
apology for dropping the packets, as I thought I typed it but didn't.

> Which one OS would be that?
>
> Valeri
>
>> with sudo and this was lifted to other OSes later.]
>> By 2005 most .gov/.mil baselines required su to be no longer allowed
>> because of this.
>
> -- 
> ++++++++++++++++++++++++++++++++++++++++
> Valeri Galtsev
> Sr System Administrator
> Department of Astronomy and Astrophysics
> Kavli Institute for Cosmological Physics
> University of Chicago
> Phone: 773-702-4247
> ++++++++++++++++++++++++++++++++++++++++
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

-- 
Stephen J Smoogen.
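The two sudo properties Stephen relies on above, restricting a person to a single command and keeping the grants in an auditable configuration file set, are easy to undo with one careless rule, which is his "hammer" caveat. The following is an added example, not code from this thread or from any of its participants: a constructed sudoers.d fragment with two narrow per-role grants next to two over-broad ones, and a small POSIX sh audit that flags the broad patterns. The group names (backupops, devs), user names (alice, bob) and command paths are assumptions made up for the example; the Defaults keywords (log_input, log_output, logfile) and the NOPASSWD tag are real sudoers syntax.

```shell
# Added example, not code from the thread or from any of its participants.
# Constructed sudoers.d fragment plus a small audit that flags the over-broad
# rules the thread warns about. All user/group names and paths are assumptions.

# Constructed sample. The first two user specifications are the narrow
# per-role grants the thread describes; the last two are the "hammer" patterns
# an audit should catch: an unrestricted NOPASSWD grant and an editor with
# shell escapes granted as the "single command".
SUDOERS_SAMPLE='# /etc/sudoers.d/roles (constructed example)
Defaults log_input, log_output
Defaults logfile="/var/log/sudo.log"
%backupops ALL=(root) /usr/local/bin/run-backup --nightly
alice      ALL=(root) /usr/sbin/service httpd restart
%devs      ALL=(ALL) NOPASSWD: ALL
bob        ALL=(root) /usr/bin/vim /etc/hosts
'

# audit_sudoers: read sudoers text on stdin, print one finding per risky rule,
# return 0 when nothing was flagged and 1 otherwise. These are plain pattern
# matches on user specifications, not a full sudoers parser; use visudo -c for
# syntax and this for policy review.
audit_sudoers() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|Defaults*) continue ;;
        esac
        # Unrestricted command list: the rule ends in ALL or grants (ALL) ALL.
        case "$line" in
            *' ALL'|*'(ALL) ALL'*)
                echo "BROAD:    $line"; findings=$((findings + 1)) ;;
        esac
        # Password-less grants drop the re-authentication step entirely.
        case "$line" in
            *NOPASSWD*)
                echo "NOPASSWD: $line"; findings=$((findings + 1)) ;;
        esac
        # Editors, pagers, shells and find as the granted command are a root
        # shell one escape away; a single-command grant must avoid them.
        case "$line" in
            *'/vim'*|*'/vi '*|*'/less'*|*'/more'*|*'/sh '*|*'/bash'*|*'/find '*)
                echo "ESCAPE:   $line"; findings=$((findings + 1)) ;;
        esac
    done
    if [ "$findings" -eq 0 ]; then
        return 0
    fi
    return 1
}

# count_findings: number of flagged rules in the sudoers text given as $1.
count_findings() {
    printf '%s' "$1" | audit_sudoers | wc -l | tr -d ' '
}

# Run the audit over the constructed sample; the two broad rules are reported.
printf '%s' "$SUDOERS_SAMPLE" | audit_sudoers || echo "sudoers fragment needs review"
```

On the sample the audit reports three findings, all from the last two rules; the backupops and alice grants pass. The log_input/log_output Defaults are what make the "who did what" accounting concrete: sessions can be replayed with sudoreplay, and a real fragment should be syntax-checked with `visudo -c -f /etc/sudoers.d/roles` before it is installed. Where an editor really must be granted, `Defaults noexec` (or sudoedit) closes the shell-escape route the ESCAPE check is looking for.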