I agree with all of your points and I will add one. Auditors are in general easy to satisfy. Satisfying an auditor is not the same thing as locking down a system. The approach you've described is reasonable and well balanced. As you have rightly said, there are other benefits as well to this type of approach. For the most part, if we would/could follow best practices then a lot of this stuff would already be taken care of.
You are lucky indeed to be included at the outset with your suppliers and be able to make demands on application/administrative functionality for platforms which may not even be used by yourself. In my experience, that type of situation is exceedingly rare. But then I'm a consultant, so I usually arrive on the scene after all the mistakes in negotiating the contracts have been made.
regards
undoing an erroneous mod
Yes, but as I said in a previous post, a black-hole type logger will only solve a part of the problem. It will not cover many of the X Window and other GUI interfaces. Nor will it cover things an admin with elevated rights might be able to do in the application runtime environment. The truth is, unless you roll all your own systems and build it in from the start, the integration required to lock down and keep locked down the environment is not a trivial task. Try and tell a Nortel or NSN company that you want to lock down the system you've bought from them as tight as this and see how far you get with that. Just using a different shell from that which the product was certified on will in some cases cause support and maintenance problems with your suppliers.
We're talking systems here where the supplier has provided shitty little FTP backup scripts and will not even consider discussing with you the possibility of installing a backup client so you can use the corporate infrastructure already in place.
regards
There are so many ways to spawn a non-logging shell or obfuscate the output. Yes, you can lock down the system to a certain extent, but there is only so much you can do. When your logging server is down, does that mean you won't be able to administer the system from the logging shell? I've played with these types of systems before. Send the shell output to a remote server and you can peruse it afterwards at your leisure. That gets harder and harder to do. From a logging shell, if I wanted to do something I wasn't allowed, I could probably get away with it by running find / -print and, while the screen is updating, I'll just type in one letter of my command at a time. Have fun sorting through all the output of the logging shell looking for the different characters of my command. It's not as simple as that. What about X applications or administrative consoles running from a web server? Not everything gets managed in a modern environment from a CLI. This type of project requires serious investment and, in a complex environment, not everything will get solved with singular utilities such as logging shells and sudo.
regards
Agreed, there is no point locking down the system from someone with physical access. Sudo is a useful tool. System audit, however, is not one of those uses. Which was my point. The GP seemed to imply to me that by simply using sudo and following the logs, the original poster's question would be resolved. Which is, of course, untrue.
regards
p.
With a team of administrators, you'll have no way of learning for certain who has done what. As you said, sudo su - is only one of the many trivial ways. Discretionary access controls as you have described are no better than trusting your admins with the real root password and telling them that if you abuse the power you will be fired. At that point, why bother? It's just gonna eat up budget to implement and you are still stuck with the same problem, which is accountability. That is to say, who has done what, where and in which manner.
regards
sudo logs are almost useless for system audit. Run sudo su - and have at it. There are no logs to follow what actions you perform. Go ahead and craft a sudoers file that eliminates all the ways to load up a shell. Have fun with that...
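As an added example (not code from any post in this thread), the following Python script audits sudo's syslog-format records and separates commands sudo recorded in full from invocations that handed the admin an interactive root shell, after which sudo's own log says nothing further about what was done. The host names, user names and log lines are constructed for the example; the log format itself is sudo's standard syslog line.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample lines in sudo's syslog format (hypothetical host and users).
SAMPLE_LOG = """\
Jan 12 10:15:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 12 10:16:44 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su -
Jan 12 10:17:02 web01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Jan 12 10:18:30 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /var/log/nginx/error.log
this line is not a sudo record and is skipped
"""

# Fields sudo writes for a permitted command: invoking user, TTY, PWD, target user, command line.
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;"
    r"\s+USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<command>.*)$"
)

# Programs whose start means sudo's log stops describing the admin's actions:
# a login shell (sudo su -, sudo -i) or any interactive shell run directly.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish"}


@dataclass(frozen=True)
class SudoEvent:
    user: str
    tty: str
    pwd: str
    target: str
    command: str


def parse_sudo_line(line: str):
    """Return a SudoEvent for a sudo syslog record, or None for any other line."""
    m = SUDO_LINE.search(line)
    if not m:
        return None
    return SudoEvent(**m.groupdict())


def is_shell_escalation(ev: SudoEvent) -> bool:
    """True when the logged command is itself a shell or su, so later actions are unlogged."""
    argv = ev.command.split()
    if not argv:
        return False
    prog = os.path.basename(argv[0])
    return prog == "su" or prog in SHELLS


def audit(log_text: str) -> dict:
    """Split a sudo log into fully recorded commands and opaque shell sessions per user."""
    recorded, opaque = [], []
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue
        (opaque if is_shell_escalation(ev) else recorded).append(ev)
    # Per-user view: how many actions are attributable from this log alone.
    per_user = {}
    for ev in recorded + opaque:
        bucket = per_user.setdefault(ev.user, {"recorded": 0, "opaque_sessions": 0})
        bucket["opaque_sessions" if is_shell_escalation(ev) else "recorded"] += 1
    return {"recorded": recorded, "opaque": opaque, "per_user": per_user}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for ev in result["opaque"]:
        print(f"{ev.user} opened a root shell via sudo ({ev.command}); no further commands are logged")
    print(result["per_user"])
```

Note that the script only catches commands that are themselves a shell or su; a program that offers its own shell escape is logged as that program and looks like a fully recorded action, which is exactly the gap the thread is discussing.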
Just prefix each command with :; and the capitalization problem goes away. At first that quirk used to drive me crazy, but there's no need to use a secondary console.
How is this moderated as a troll? This is the writing on the wall and it will be too late to be disappointed once it has come to pass.
You are not surprised I hope. The election didn't remove the asshats from their jobs in homeland security did it? Same asshats, same asshatholery.....
There is a difference in my mind between stealing stuff and distributing stuff. Stealing a CD is one thing. I disagree, however, that downloading a song from a file share is stealing. Unauthorized distribution for the person doing the upload, yes, but there is no stealing involved in that transaction as far as I can tell.
regards
I'm confused. When on Slashdot did copyright infringement become stealing? I've seen similar comments all through this thread...
I'd give my right arm to be ambidextrous.
undoing an erroneous mod
Nope, it's less secure than a numeric password because you have to swipe the points on the touch screen. You can see the password on the screen afterwards from the greasy finger streaks.
You see honey, I don't want to beat you, but you just won't listen. Now if you go to the police about it, well, you will be responsible for destroying our household.
You sir, are the one who should think things through a little more.
regards
Those are good points, but they scare the cr*p out of me.
This implies that the Pentagon gives out high level security clearance to dumb mouth breathers (doing that at the Pentagon, no less).
Do these people not get any training on proxies, what not to do with email and all that stuff that goes along with a high level security clearance?
No matter how cynical I get, I just can't keep up )-:
Several dozen contractors and high level officials at the Pentagon? It hardly seems credible. What if it's a frame-up?
but then of course, one of the others sees Jessica Alba writhing there naked and alone... You have to admit it makes an inviting picture (-;
I suspect the placebo effect.
Whatever it does, it will most likely eat more battery. So it's one tradeoff for another.
Do you have to agree to have your location information sold to unspecified third parties before you can get the patch?
It has happened to me with Microsoft and Sony and with Apple in the past. I stopped using their update services because they are not trustworthy.
I'd rather take my chances with the wild and woolly Internet than accept downloads from suppliers that abuse my trust in them.
regards