I've been breaking my head over the following security issue. The company for which I work has a small number of Linux servers hosting some application software. There are a handful of administrators who use local root accounts of these machines to administrate them. Now, for security reasons I would like them to start using personal accounts which have the same privileges as root except privileges to alter users, groups and privileges, stop or start logging or have write access to the /var/log directories. Say a sort of trimmed root accounts (I would rather have more restrictions obviously, but at least this would be a start). This way, there is still a lot of damage that can be done with these accounts, but at least I can monitor them and trace undesired actions back to a responsible person when I recognise them, without someone using these accounts being able to dodge monitoring.
So far, the only way I can think of realising this is to create a new group, add four personal accounts, and change all the group ownerships for all the system files and commands except chown, chmod, /var/log and so forth. This seems a bit radical and pretty scary however. Any thoughts on this problem?
Well in general, you'll want to look towards sudo to handle this I would say, much more graceful than messing with actual permissions. You need to be very careful with all this level of thing though, as there will pretty much *always* be a way around the things you want at that level. There will be a way to run a different shell as a different user to change the things via that account etc.
One angle I find interesting is that the more you technically enforce security within an administrative environment, the more it can be assumed by users that whatever is technically possible is acceptable. This contrasts to a written policy of self governance (to some extent) where the onus is much more on them thinking about what they are doing, and not doing it if they think they shouldn't. This therefore implicitly covers all these hacks and tricks that are hard / not feasible / impossible to cover. You can audit a lot of what's done and keep an eye on it for anomalies, and awareness of local admins that actions are being recorded also helps enforce a personal accountability.
Always remember with sudo though that unless you really tie it down, sudo can be used to wipe out your auditing features.
Quite. In the last place I worked, a web application level team had sudo rights explicitly only allow a dozen or so things. Including rm, mv, vi and cat. So amongst many other obvious irrelevancies they had 100% technical ability to directly edit the sudoers file itself! Nice!
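An added example, not written by any poster in this thread: a small Python check that reads sudoers-style rules and reports grants of the kind the last post describes, where an apparently narrow command list still allows rewriting sudoers or the logs. The `audit_sudoers` function, the `RISKY` table and the sample policy are constructed for illustration, and the parser only handles simple rules.

```python
import os
import re

# rm, mv, vi and cat are the grants named in the thread; ALL is added here.
# True = risky even with pinned arguments (assumption of this example: an
# editor started as root can open files other than the one on its command line).
RISKY = {
    "rm": ("can delete any file, audit logs included", False),
    "mv": ("can replace any file, /etc/sudoers included", False),
    "cat": ("can read any root-only file", False),
    "vi": ("can edit any file, /etc/sudoers included; prefer sudoedit", True),
    "ALL": ("unrestricted root", True),
}
SKIP = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")

SAMPLE = r"""# constructed sample policy, not taken from the thread
Defaults logfile=/var/log/sudo.log
Cmnd_Alias FILEOPS = /bin/rm, /bin/mv
webteam ALL=(root) NOPASSWD: FILEOPS, /usr/bin/vi, \
    /bin/cat /var/log/app.log
alice   ALL=(ALL) ALL
bob     ALL=(root) /usr/bin/systemctl restart app
"""

def audit_sudoers(text):
    """Return (who, command, reason) for each risky grant in sudoers text.
    Simplified: one alias per Cmnd_Alias line, no #include handling."""
    aliases, findings = {}, []
    for raw in text.replace("\\\n", " ").splitlines():  # join continuations
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP) or "=" not in line:
            continue
        left, right = line.split("=", 1)
        right = re.sub(r"\([^)]*\)|\b[A-Z_]+:", " ", right)  # runas, tags
        cmds = [c.strip() for c in right.split(",") if c.strip()]
        if left.startswith("Cmnd_Alias"):
            aliases[left.split()[1]] = cmds
            continue
        who = left.split()[0]
        for cmd in (c for item in cmds for c in aliases.get(item, [item])):
            if cmd.startswith("!"):
                continue  # a denial, not a grant
            path, _, args = cmd.partition(" ")
            reason, always = RISKY.get(os.path.basename(path), (None, False))
            # Arguments without wildcards pin the command to one invocation.
            pinned = args and not re.search(r"[*?\[]", args)
            if reason and (always or not pinned):
                findings.append((who, cmd, reason))
    return findings
```

Calling `audit_sudoers(SAMPLE)` reports the `webteam` grants of `rm`, `mv` and `vi` and the blanket `ALL` for `alice`, while the `cat` rule pinned to a single log file and the `systemctl` rule pass.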