There is no secure accountability, by default, with sudo either. The sudo log is trivially bypassed, at least in every instance I've ever encountered it being used, even when those who installed it claimed it was "secure".
Sudo accountability is only as secure as the programs which you allow the user to run via sudo. At least with sudo you have control over allowed commands and logging per command. With uid=0 accounts you have neither. In any case with someone having root, they can circumvent controls. The point is with uid=0 accounts there are no controls to circumvent.
The biggest problem with sudo is that it often makes it a heck of a lot easier for an attacker with minimal access to gain increased privileges
How is that?? An attacker needs to not only access the system as a sudo-capable user, but also know their password (have cracked it). With additional uid=0 accounts, you've added passwords to root which betters the odds for cracking uid=0 as much as sudo-capable accounts do. At least with sudo, they have to first figure out who might have full sudo access. You won't find that in /etc/password like you find uid=0.
Oddly only by forcing admins to login directly via a trusted path as root can you avoid many of those risks
Any time you force someone to login via a trusted path, as root or a regular user (for sudo/su), you avoid auth/acct risks. This is not a feature only of logging in as uid=0. Trusted paths are essential in any security scheme.
, and if that's the approach you take then use of multiple UID==0 accounts is the only way to achieve (regain?) at least minimal accountability (i.e. the same amount that can be achieved with 'su', assuming one has a decently secure logging system, or physically secure host with a good and complete securemode implementation and append-only log files, etc.).
Your statement seems to make the assumption that a login via a uid=0 account is somehow better authenticated than a normal user login (who can then su/sudo) and thus better then sudo or su. A login is a login. It's only as good as the trusted path regardless of uid. If you have a secure logging system, your sudo log can be just as secure as login entries. In fact sudo and su logs are easier to secure than login because sudo and su use syslog and login does not. It seems in your definition of "accountability," you only need to know who logged in when. That's all your getting, if you believe your "trusted path." With sudo, even if you don't believe the sudo logs, you still get at least who logged in when, but much more as well.
their managers must not trust the sudo log any more than they would really trust any logbook, even on written in indellible pen on sequentially numbered pages in a hard-bound volume.
But at least it is something. The login logging is equally suspect (can readily be modified) and contains insufficient information to account for activities after login. Try to figure out who unplugged a computer in a controlled access machine room. You can only make guesstimates by correlating the time of the event with the time stamps on the door access logs. What if the logs show two people in the room at the same time and they both claim ignorance? Accounting only for the login event is pretty useless. ...Barb
participants (1)
-
Barb Dijker