On 4/9/21 11:23 AM, Stephen John Smoogen wrote:
> On Fri, 9 Apr 2021 at 12:19, Stephen John Smoogen <smooge at gmail.com> wrote:
>
>>
>>
>> On Fri, 9 Apr 2021 at 12:02, Valeri Galtsev <galtsev at kicp.uchicago.edu>
>> wrote:
>>
>>>
>>>
>>> On 4/9/21 10:47 AM, Binet, Valere (NIH/NIA/IRP) [C] wrote:
>>>> The NIST and CIS baselines don't allow su, we have to use sudo on
>>>> government computers.
>>>>
>>>
>>> Could you enlighten me on the rationale behind that restriction? As, as
>>> you already noticed, my [ancient, maybe] reasoning makes me arrive at an
>>> opposite conclusion. (but mine is pure security consideration with full
>>> trust vested into sysadmin, see below...)
>>>
>>> On a second guess: it is just for a separation of privileges, and
>>> accounting of who did what which sudo brings to the table... Right?
>>>
>>>
>> sudo brings into accounting and the ability to restrict a person to a
>> single command. [That is hard to do well but it is possible.] It also
>> allows for an easily auditable configuration file set so that you can see
>> what should have been allowed and what shouldn't. Versus the usual 'oh lets
>> make it setgid blah or setuid foo but restricted to this group..' and
>> people forgetting it was done that way or why.
>>
>> That said it is like any tool can be used as a hammer when it should have
>> remained a phillips head.
>>
>>
> Finally sudo can allow for better RBAC rules where if that is needed you
> had to have multiple su commands that were aligned to each role so that
> people could not escape their jail. [My understanding is that this is where
> your chosen OS shines

Which one OS would be that?

Valeri

> with sudo and this was lifted to other os's later.]
> By 2005 most .gov/.mil baselines required su to be no longer allowed
> because of this.
>
>

--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
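An added illustration, not part of the thread, of the two points Stephen makes above (restricting a person to a set of commands, and keeping the allowance in an auditable file rather than a forgotten setuid bit): a sudoers fragment with the permissive rule beside a per-role rule. The user alice, the group webops and the nginx commands are assumed placeholders.

```sudoers
# Added example, not from the mailing-list thread. Install only via
# "visudo -f /etc/sudoers.d/webops" so a syntax error cannot lock out sudo;
# check with "visudo -cf /etc/sudoers.d/webops" and review what a user
# actually gets with "sudo -l -U alice".

# --- Weak: functionally the same as handing alice the root password ---
# Any command as root, including "sudo su -" or "sudo -i"; once the root
# shell starts, per-command accounting of who did what stops.
# alice   ALL=(ALL) ALL

# --- Restricted: one role, one command set, every invocation logged ---
# Full paths only; a bare "systemctl" would let PATH lookup pick a different
# binary.  Arguments are part of the match, so "systemctl stop nginx" or a
# "restart" of any other unit is refused.
Cmnd_Alias WEBSVC = /bin/systemctl restart nginx, \
                    /bin/systemctl reload nginx, \
                    /bin/systemctl status nginx

# Command log plus session I/O recording for the role, so an auditor can
# see not just that a command was allowed but what it did.
Defaults:%webops  logfile="/var/log/sudo.log", log_output

# Members of webops get exactly WEBSVC as root and nothing else: no shell,
# no su, no editor.  The role is visible in this one file, which is the
# "auditable configuration" advantage over ad hoc setuid/setgid binaries.
%webops ALL=(root) WEBSVC
```

The "Defaults" line and the role rule are what a CIS- or NIST-style baseline is asking for when it says to prefer sudo over su: the allowance is declarative, reviewable and attributed to an individual account.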