[NTLUG:Discuss] Virus / Worm problems

schpenke at juicymumpy.net schpenke at juicymumpy.net
Fri Oct 6 14:21:56 CDT 2006


> -------- Original Message --------
> Subject: Re: [NTLUG:Discuss] Virus / Worm problems
> From: Wayne Walker <wwalker at bybent.com>
> Date: Fri, October 06, 2006 1:22 pm
> To: schpenke at juicymumpy.net
> Cc: NTLUG Discussion List <discuss at ntlug.org>, Eric Waguespack
> <ewaguespack at gmail.com>

> Logging something does not increase security.  Only traceability after
> the fact.

Sure it does.  System security is based on the whole of all security
functions in a system.  Without logging you lose monitoring,
accountability, and integrity.  Plus if you're using something like
SWATCH, Tripwire, or whatever your favorite system log parser happens
to be you can be notified immediately when something interesting
happens in your logs.  In fact, you can configure your system to be as
reactive to log alerts as you like prior to administrator intervention.

> Having joeuser's passwd control root access, or worse 20 different users
> passwords makes it much more likely that root access can be attained
> through finding a weak password for any one of the users who have sudo
> access, or by dropping a trojan to one of the users with sudo access.

> I LIKE sudo.  I use it a lot.  But having a newbie, who probably chooses
> an insecure password, have full sudo access makes the root exploitation
> easier.

SUDO isn't made to blindly grant ROOT access.  SUDO is only designed to
tell your system that you intend to execute the command following SUDO
as a privileged user.  If you don't want 20 different users having the
ability to execute certain commands (like SU, for instance) then you
have the ability to restrict their access.  This removes much of the
opportunity for new users on your system to cause any unnecessary or
unintentional damage.

You've made the statement that you are concerned that users with weak
passwords will contribute to system compromise by either cracked
passwords or privileged execution.  It sounds to me that you're in fact
not saying that SUDO is insecure but user account policies are insecure.
I would guess that you would probably feel much better with restricted
non-default SUDO implementation while using a hardened account policy.

> In a corporate deployment you may change that, but the default is that
> the main user of the machine has unrestricted sudo access.

I'm not sure I'm following your example of a corporate deployment. 
Whether I am administering a system with 1500 users in a corporation, 5
users at my home, or a single user on my laptop SUDO is still always
controlled with VISUDO and a flat text file.  If you are saying SUDO is
less secure than a ROOT account on a single user system because it, by
default, allows that single user all ROOT functions I would argue that
if it did not then the system would then have to provide that single
user the ability to logon as a ROOT account with a password of their
choosing which is still just as insecure.

Also, remember that while logged in as a ROOT account ALL functions can
be executed as privileged without user awareness or intervention.  When
logged in as an end user, even with full SUDO rights, any privileged
execution has to be acknowledged and re-authenticated.

It still sounds to me as if your statement concerning SUDO being
insecure isn't so much to do with SUDO directly as it is with user
awareness and account policies.  Default configurations and careless
users are always a bear.

-S
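As an added example (my own, not code from this thread or from the sudo project), here is a shell script that puts both of the points above into practice: a sudoers fragment that grants a group only named commands instead of the default ALL, so su and shells are simply not available to it, and a swatch-style watcher that raises an alert when sudo logs a denied command, a password failure, or a privileged shell. The `helpdesk` group, the `/var/log/sudo.log` path, and the four log lines in `sample_log` are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread or the sudo project.
# Assumptions (hypothetical): a "helpdesk" group, /var/log/sudo.log as the
# sudo logfile, and the constructed log lines in sample_log below.

# 1. A restricted sudoers fragment. sudoers is an allow-list: anything not
#    listed here (su, shells, editors) is refused and logged as
#    "command not allowed", which is what the watcher below keys on.
sudoers_fragment() {
  cat <<'EOF'
# Hypothetical /etc/sudoers.d/helpdesk; check with "visudo -c -f" before installing
Cmnd_Alias HELPDESK_CMDS = /usr/sbin/service apache2 restart, /usr/bin/tail -f /var/log/apache2/error.log
Defaults   logfile=/var/log/sudo.log
Defaults   use_pty
%helpdesk  ALL = (root) HELPDESK_CMDS
EOF
}

# Syntax-check the fragment without installing it (no root needed).
syntax_check() {
  tmp=$(mktemp) || return 1
  sudoers_fragment > "$tmp"
  if command -v visudo >/dev/null 2>&1; then
    visudo -c -f "$tmp" || echo "visudo rejected the fragment" >&2
  else
    echo "visudo not installed here; skipping syntax check" >&2
  fi
  rm -f "$tmp"
}

# 2. Constructed sudo log lines (syslog style) standing in for /var/log/sudo.log.
sample_log() {
  cat <<'EOF'
Oct  6 14:02:11 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service apache2 restart
Oct  6 14:03:40 box sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su
Oct  6 14:04:02 box sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Oct  6 14:05:15 box sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/ls
EOF
}

# 3. swatch-style watcher: reads log lines on stdin and prints one ALERT line
#    per event worth paging on. Live use: tail -F /var/log/sudo.log | watch_sudo_log
watch_sudo_log() {
  awk '
    !/ sudo: /                              { next }
    / command not allowed /                 { print "ALERT denied-command: " $0; next }
    / incorrect password attempts /         { print "ALERT auth-failure: " $0; next }
    /COMMAND=\/bin\/(su|sh|bash)( |$)/      { print "ALERT shell-escalation: " $0; next }
  '
}

# Stand-alone demo: print the fragment, parse-check it, then run the watcher
# over the constructed log (expect three ALERT lines, none for alice).
sudoers_fragment
syntax_check
sample_log | watch_sudo_log
```

The fragment never mentions su or a shell, which is the point: sudoers grants what is listed and refuses the rest, so the restriction does not depend on negating entries. The watcher is deliberately narrow (three patterns) so that a hit is worth acting on; each ALERT line keeps the original record so the sudo logfile remains the source of truth for after-the-fact tracing.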



