[NCLUG] Re: Who uses SUDO on production machines?

Chad Perrin perrin at apotheon.com
Mon Mar 19 12:36:53 MDT 2007


On Mon, Mar 19, 2007 at 10:37:57AM -0600, Bob Proulx wrote:
> Sean Reifschneider wrote:
> > Of course, that goes without saying...  That's why I didn't say it.  :-)
> > Any time you give someone enhanced access, they could use that both now and
> > in the future.
> > 
> > Of course, you could also be logging the sudo commands to a remote machine
> > which is secured against the untrusted trusted users, and in that way you
> > should be able to detect things that would be the start of a compromise.
> > You'd need to run some things in restricted mode so users can't jump out of
> > vim to run unlogged commands, or at least a shell that acts as a wrapper
> > and logs similarly.
> 
> When I see this type of environment I know the company does not trust
> the employees.  This is a two-way street.  When I am trusted then I
> work extra hard to be trustworthy.  But if big brother is always
> watching and monitoring then I am not motivated.  If I have to justify
> my actions at that level then they can fix things and generally do
> the work themselves and they don't need me in that case.

Not necessarily.  Even when I'm the only person on a network -- such as
when I've built one at home where I was the only resident -- I have
taken similar measures.  The same security measures can protect
simultaneously against external and internal threats.

Besides, I often subscribe to the philosophy that one should trust one's
friends and be prepared for disappointment.  Put another way, hope for
the best and prepare for the worst.  I learned that one the hard way
(several times, because I was a slow learner in this case).


> 
> One of the guys I used to work with was a hacker sort and would poke
> at the security of my machines in a friendly sort of way.  I want to
> stress that it was friendly and I know that he would never have caused
> me more than practical joke trouble.  When we started working together
> I immediately gave him root access.  He said, "Darn!  That takes all
> of the fun out it." and he never abused the privilege.  I worked with
> him and trusted him not to screw me or anyone else over and in return
> he was one of the people I could count on to do a good job.  It was
> then his system as much as it was mine and he became motivated to
> become a protector of it.

In general, I tend to agree.  I still think that, where this level of
security is warranted on a technical level (regardless of purely social
factors), something like a logging server isn't a bad idea.  After all,
the point of a logging server is generally not to monitor someone's
behavior, but to have a trail of breadcrumbs to follow if something goes
wrong.  It's a bit like putting video cameras in a corner store you own.

Yes, it's mostly to provide evidence in cases where outsiders have
broken in and done bad things.  If an employee rips you off, though, it
may provide evidence of that as well -- even if that wasn't really the
intent of the cameras.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
"The measure on a man's real character is what he would do
if he knew he would never be found out." - Thomas McCauley



More information about the NCLUG mailing list