One of the issues I’ve encountered a number of times in
assessments of Linux and AIX environments is the provision of excessive
permissions using sudo. This article is an attempt to highlight those issues
and provide some guidance as to practical resolution.
It is typical in a secured Windows environment that the
built-in administrator account is not used for day-to-day work and that those users
who require elevated privileges are members of the "Domain Admins" Organisation
Unit. The generic Windows administrator
account would be renamed and given a randomised, long and complex password which
would then be physically secured with access restricted. In Windows, audit trails can be maintained
against each user, and users do not execute commands as other users. This is somewhat different in a Linux
environment.
In Linux, it has become standard to use sudo to
"substitute user and do" commands. Sudo in its default implementation is
generally in place as follows (example from CentOS):
%wheel ALL = (ALL) ALL
In Red Hat and CentOS, the members of the wheel group are
provided full sudo privileges. In Ubuntu or Debian this would be the members of
the sudoers group or the admin group.
The above means that a user who is a member of the wheel
group can execute ALL commands as ALL users on ALL hosts. In other words, a member of the wheel group can masquerade
as other users or can drop to a root shell, after which there is no longer a full audit
trail against that individual.
Users often drop to a root shell to avoid typing sudo before
every command. Dropping to a root shell is usually done with su -, sudo -i, sudo
-s, sudo bash, etc. In order to prevent sudoers from dropping to a root shell,
the shell commands can be removed from the set of executables available to the
users. This can be done by editing the sudoers file (via visudo) as follows:
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, /usr/local/bin/tcsh, /usr/bin/rsh, /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
%wheel ALL = ALL, !SHELLS, !SU
In the above, members of the wheel group can execute all
commands on all systems except those commands listed in the SHELLS and SU aliases. Sometimes it is necessary for users to
drop to a shell when performing administrative functions. Using the above, you
could have a configuration with one or two named users permitted full root abilities,
with the other domain admins restricted by the wheel rule:
admin ALL = (ALL) ALL
%wheel ALL = ALL, !SHELLS, !SU
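To check a sudoers file for rules that still leave a shell or su reachable, here is an added example script (not part of the article, and a deliberately simplified parser that understands only Cmnd_Alias lines and basic user rules). The sample configuration is constructed to mirror the article's rules plus a hypothetical %ops group; note that the article's SHELLS alias does not list bash, so the script reports /bin/bash as still reachable for %wheel. The sudoers manual cautions that excluding commands from ALL with '!' is not a hard boundary, so treat this as a review aid rather than proof of safety.

```python
import re

# Constructed sample, mirroring the article's rules (plus a hypothetical %ops rule).
SAMPLE_SUDOERS = """
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, /usr/local/bin/tcsh, /usr/bin/rsh, /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
admin ALL = (ALL) ALL
%wheel ALL = ALL, !SHELLS, !SU
%ops ALL = (ALL) ALL
"""

# Binaries that give an interactive root shell or a user switch; extend as needed.
SHELL_BINARIES = ["/usr/bin/sh", "/bin/bash", "/usr/bin/bash", "/usr/bin/su"]

ALIAS_RE = re.compile(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)")
RULE_RE = re.compile(r"(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text):
    """Return ({alias: [commands]}, [(user_spec, hosts, runas, [commands])])."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = RULE_RE.match(line)
        if m:
            cmds = [c.strip() for c in m.group(4).split(",")]
            rules.append((m.group(1), m.group(2), m.group(3) or "root", cmds))
    return aliases, rules


def expand_commands(cmds, aliases):
    """Split a rule's command list into allowed and '!'-denied sets, expanding aliases."""
    allowed, denied = set(), set()
    for c in cmds:
        name = c.lstrip("!")
        (denied if c.startswith("!") else allowed).update(aliases.get(name, [name]))
    return allowed, denied


def audit_shell_access(aliases, rules, shells=SHELL_BINARIES):
    """Map each user spec to the shell/su binaries its rule still permits."""
    findings = {}
    for who, _hosts, _runas, cmds in rules:
        allowed, denied = expand_commands(cmds, aliases)
        if "ALL" in allowed:
            reachable = [s for s in shells if s not in denied]
        else:
            reachable = [s for s in shells if s in allowed]
        if reachable:
            findings[who] = reachable
    return findings
```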