[NCLUG] Re: Who uses SUDO on production machines?

Sean Reifschneider jafo at tummy.com
Mon Mar 19 23:34:56 MDT 2007


On Mon, Mar 19, 2007 at 10:37:57AM -0600, Bob Proulx wrote:
>When I see this type of environment I know the company does not trust
>the employees.  This is a two-way street.  When I am trusted then I

There was a time when I probably would have thought this.  Now if I were to
see it I would imagine that there are some sort of external auditing
requirements due to the environment, something like sarbox.

While I don't do that level of logging, I wouldn't object to it.  In fact,
I'd welcome it.  If a box has something happen to it, and it looks like I
did it, I'd *WANT* to know what happened.  Was it one of the commands my
account ran?  If so, was it a command I actually ran (did I make a
mistake?), or did someone compromise my account?  If it wasn't a command I
ran, we can start looking elsewhere for the source of the compromise.  If I
screwed up, I *WANT TO KNOW*, I don't want to be worrying that there's an
attack vector if I made a mistake.

When you say that your impression of an environment like this is that the
company doesn't trust you, I would say that the problem lies not in the
logging, but in the fact that you are in an environment where this sort of
thing would make you feel untrusted.

In some ways, a system that logs every command you do requires even more
trust.  If, for example, I see that your account has done a command which
resulted in some damage, I have to trust that if I come to you about it you
can have the cojones to admit it if you did it (so I don't have to go on a
search for non-existent attackers), or if you say you didn't do it I have
to trust that so I can go on a hunt for the real attack vector and not be
suspicious that it was actually you.

So, there are at least two ways to look at it.

Sean
-- 
 vi vi vi:  The editor of The Beast.
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability
      Back off man. I'm a scientist.   http://HackingSociety.org/
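The triage Sean describes ("was it a command my account ran, and from where?") is exactly what sudo's default syslog lines let you answer. The example below is an added illustration, not code from the post or the list; the log lines are constructed in sudo's standard format, and the host, user and command names are made up.

```python
import re

# Constructed sample lines in sudo's default syslog format (not taken from the post).
SAMPLE_LOG = """\
Mar 19 22:01:12 web1 sudo:     jafo : TTY=pts/0 ; PWD=/home/jafo ; USER=root ; COMMAND=/sbin/service httpd restart
Mar 19 22:05:40 web1 sudo:     jafo : TTY=pts/0 ; PWD=/etc/httpd ; USER=root ; COMMAND=/bin/vi conf/httpd.conf
Mar 19 23:14:03 web1 sudo:     jafo : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/rm -rf /var/www/html
Mar 19 23:14:09 web1 sudo:     bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 19 23:20:55 web1 sudo:     bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
"""

# Allowed commands have no reason field; denials and auth failures carry one before TTY=.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

def parse_sudo_log(text):
    """Turn raw syslog text into one dict per sudo event; non-sudo lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            # reason is None when sudo actually ran the command
            d["reason"] = (d["reason"] or "").strip() or None
            events.append(d)
    return events

def commands_by_account(events, account):
    """Everything sudo actually executed on behalf of the given account."""
    return [e for e in events if e["user"] == account and e["reason"] is None]

def suspicious(events):
    """Events worth a second look: denied or failed attempts, and commands run
    with no controlling terminal (TTY=unknown), which an interactive admin
    session would normally not produce."""
    return [e for e in events if e["reason"] is not None or e["tty"] == "unknown"]

if __name__ == "__main__":
    ev = parse_sudo_log(SAMPLE_LOG)
    for e in commands_by_account(ev, "jafo"):
        print(e["ts"], e["tty"], e["cmd"])
    for e in suspicious(ev):
        print("CHECK:", e["ts"], e["user"], e["reason"] or "no tty", e["cmd"])
```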