Re: [Hampshire] Result of the Ubuntu Challenge

Author: Stephen Davies
Date:  
To: Sean Gibbins
CC: Hampshire LUG Discussion List
Subject: Re: [Hampshire] Result of the Ubuntu Challenge
Sean,
My take on su vs sudo is that with su and giving the root password to a
user is a positive action. Just like in your work environment it can be
positively controlled and even time limited rather than with sudo. Yes
the user (sudo) has to be allowed to use sudo but IMHO, this is still a
weakness: only one password needs to be cracked/exposed, and ironically a
strength as it is easier to manage for non-experts.

The customer I mentioned does require everyone using their systems to be
PV'd so I guess that security is pretty high up their list of must have
and do's. Their policy towards security is totally based upon the
sensitivity of the data that their systems hold. If this was to get
released into the wider domain then all sorts of extremely smelly brown
stuff would start hitting every wind turbine in the country.
So, they ban sudo from their systems.
I was amazed at the lockdown processes they go through before putting a
system even into UAT. It makes the processes we went through when we
worked together look very elementary. Basically there is a rule for
literally every shell script and binary on the system. This is after a
disable all option. (Just like firewalls, disable ALL and then enable
only what is needed)
It took me over a month to get the rules changed so the Message Broker
could run properly. Various IBM bods had to back up my requests to get it
through. It was this lockdown process that allowed me to understand the
benefits of a properly configured SELinux environment.

Stephen D