[clue] sudoers Cmnd_Alias
Jim Ockers
ockers at ockers.net
Fri Jan 18 20:10:30 MST 2013
Hi David,

This is interesting. So you want them to be able to run lots of
different binaries on the system, but nothing that would let them exec()
or system() a shell? I think sudo is probably the Hard Way to try to do
something like this. May I suggest an alternate approach.

This USENIX paper from LISA11 (Local System Security via SSHD
Instrumentation)
http://static.usenix.org/events/lisa11/tech/full_papers/Campbell.pdf
describes the authors' use of the Bro IDS combined with sshd
instrumentation to detect unauthorized use of their systems. They needed
a way to tell legitimate use apart from hackers or other non-authorized
uses, and it turns out an IDS with pattern-matching is a good tool for
that sort of thing.

I realize this doesn't exactly answer your question but it is an
alternate approach to flexible security which still allows people to do
legitimate work without anything getting in their way, and the admin
gets notified as soon as something "smells" weird to the IDS.

HTH
Jim
--
Jim Ockers, P.E., P.Eng. (ockers at ockers.net)
Contact info: http://www.ockers.net/
David L. Willson wrote:
> Has anyone out there got a sudoers file with a reasonably complete set
> of blocks against shells, etc. ? I realize it's not secure. I'm just
> trying to clearly communicate disapproval for interactive privileged
> sessions.
> ... so that if/when someone circumvents it, and if/when I detect the
> circumvention, the user isn't surprised that I confront them and/or
> report it to their manager.
>
>