For compliance and protecting root access on UNIX and Linux you can’t live without sudo. I’ve written and done several webinars recently on how to implement sudo so that:
- No one ever logs on with root
- You can implement least privilege instead making everyone all powerful
- You can enforce accountability over privileged users with a high integrity audit trail of every command executed But most folks have more than one system to manage. It might be simple to start off using sudo by maintaining a different sudoers file on each system. As you setup sudo on each system you just copy and paste portions of sudoers from another system already set up. But that is a terrible pitfall that you want to stay out of. Usually the differences in sudo policy between each system are subtle but important but subtle – most of your sudoers policy can be re-used across systems. However, creating independent but substantially similar sudoers files leads to management headaches and security risks because files inevitably become out-of-date and inconsistent as roles, users and security needs change. Thankfully sudo is designed to support multiple systems. For instance you can use the Host_Alias directive to define groups of systems and then assign the same rule(s) – ONCE – to all appropriate systems via the Host_Alias. That’s how sudo supports multiple systems within the sudoers file, but how do you get all your systems to share the same sudoers file? One way is maintaining the file on system and using a variety of file copy utilities to physically copy sudoers to each system. But sudo also supports storing your sudoers policy in your
LDAP directory. This isn’t as simple as it sounds because it does involve schema changes which many admins fear.
In my next webinar with BeyondTrust I’ll explore how to manage sudo on multiple systems.
Watch On-Demand | June 3, 2015 | 10am PT / 1pm ET | Speaker: Randy Franklin Smith, Security Expert
Randy Franklin Smith, Microsoft MVP & Windows Security Expert, and CEO at Monterey Technology Group, Inc.
Randy Franklin Smith is an internationally recognized expert on the security and control of Windows and Active Directory security who specializes in Windows and Active Directory security. He performs security reviews for clients ranging from small, privately held firms to Fortune 500 companies, national, and international organizations.
Randy Franklin Smith began his career in information technology in the 1980s developing software for a variety of companies. During the early 1990s, he led a business process re-engineering effort for a multi-national organization and designed several mission critical, object-oriented, client/server systems. As the Internet and Windows NT took off, Randy focused on security and led his employer's information security planning team. In 1997, he formed Monterey Technology Group, Inc. where he serves as President.