[clue] sudoers Cmnd_Alias

Jim Ockers ockers at ockers.net
Fri Jan 18 20:10:30 MST 2013

Hi David,

This is interesting.  So you want them to be able to run lots of 
different binaries on the system, but nothing that would let them exec() 
or system() a shell? I think sudo is probably the Hard Way to try to do 
something like this. May I suggest an alternate approach.

This USENIX paper from LISA11 (Local System Security via SSHD 
describes the authors' use of the Bro IDS combined with sshd 
instrumentation to detect unauthorized use of their systems. They needed 
a way to tell legitimate use apart from hackers or other non-authorized 
uses, and it turns out an IDS with pattern-matching is a good tool for 
that sort of thing.

I realize this doesn't exactly answer your question but it is an 
alternate approach to flexible security which still allows people to do 
legitimate work without anything getting in their way, and the admin 
gets notified as soon as something "smells" weird to the IDS.


Jim Ockers, P.E., P.Eng. (ockers at ockers.net)
Contact info: http://www.ockers.net/

David L. Willson wrote:
> Has anyone out there got a sudoers file with a reasonably complete set 
> of blocks against shells, etc. ? I realize it's not secure. I'm just 
> trying to clearly communicate disapproval for interactive privileged 
> sessions.
> ... so that if/when someone circumvents it, and if/when I detect the 
> circumvention, the user isn't surprised that I confront them and/or 
> report it to their manager.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://cluedenver.org/pipermail/clue/attachments/20130118/c151138f/attachment.html 

More information about the clue mailing list