[CentOS] CentOS 8

Fri Apr 9 16:39:58 UTC 2021
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On 4/9/21 11:23 AM, Stephen John Smoogen wrote:
> On Fri, 9 Apr 2021 at 12:19, Stephen John Smoogen <smooge at gmail.com> wrote:
>> On Fri, 9 Apr 2021 at 12:02, Valeri Galtsev <galtsev at kicp.uchicago.edu>
>> wrote:
>>> On 4/9/21 10:47 AM, Binet, Valere (NIH/NIA/IRP) [C] wrote:
>>>> The NIST and CIS baselines don't allow su, we have to use sudo on
>>>> government computers.
>>> Could you enlighten me on the rationale behind that restriction? As, as
>>> you already noticed, my [ancient, maybe] reasoning makes me arrive at an
>>> opposite conclusion. (but mine is pure security consideration with full
>>> trust vested into sysadmin, see below...)
>>> On a second guess: it is just for a separation of privileges, and
>>> accounting of who did what which sudo brings to the table... Right?
>> sudo brings in accounting and the ability to restrict a person to a
>> single command. [That is hard to do well but it is possible.] It also
>> allows for an easily auditable configuration file set so that you can see
>> what should have been allowed and what shouldn't. Versus the usual 'oh let's
>> make it setgid blah or setuid foo but restricted to this group..' and
>> people forgetting it was done that way or why.
>> That said, it is like any tool: it can be used as a hammer when it should have
>> remained a Phillips head.
> Finally, sudo can allow for better RBAC rules where if that is needed you
> had to have multiple su commands that were aligned to each role so that
> people could not escape their jail. [My understanding is that this is where
> your chosen OS shines

Which OS would that be?


> with sudo and this was lifted to other OSes later.]
> By 2005 most .gov/.mil baselines required su to be no longer allowed
> because of this.

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
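As an added illustration (not from this thread) of the per-command restriction and auditable configuration file Stephen describes, below is a hypothetical sudoers drop-in; the group names, account name, paths and log directory are assumptions for the example, not values from the list.

```sudoers
# Hypothetical /etc/sudoers.d/ops-roles (example, not from the thread).
# Check syntax before installing: visudo -cf /etc/sudoers.d/ops-roles
# Aliases keep "what should have been allowed" readable in one place.
Cmnd_Alias SERVICE_RESTART = /usr/bin/systemctl restart httpd.service, \
                             /usr/bin/systemctl status httpd.service
Cmnd_Alias LOG_READ        = /usr/bin/journalctl -u httpd.service

# Role: web operators may restart/inspect httpd and read its log, nothing else.
%webops  ALL=(root) SERVICE_RESTART, LOG_READ

# Role: the backup account may run exactly one script, with no arguments
# (the trailing "" forbids any argument, so the script cannot be repurposed).
backup   ALL=(root) NOPASSWD: /usr/local/sbin/run-backup ""

# Accounting: each invocation is logged by default (syslog/journal); these
# additionally record the output of allowed sessions for later sudoreplay.
Defaults log_output
Defaults iolog_dir=/var/log/sudo-io/%{user}

# Anti-patterns that recreate "su" and defeat the per-command restriction:
# %webops ALL=(ALL) ALL           # unrestricted root; the log only says "ran ALL"
# %webops ALL=(root) /usr/bin/vi  # editors and pagers offer shell escapes
```

The two commented anti-patterns are the ones to grep for in a review: any rule granting `ALL` or an interactive program to a role that is supposed to be limited to a single task.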