On Fri, 9 Apr 2021 at 12:40, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:

> On 4/9/21 11:23 AM, Stephen John Smoogen wrote:
> > On Fri, 9 Apr 2021 at 12:19, Stephen John Smoogen <smooge at gmail.com> wrote:
> >
> >> On Fri, 9 Apr 2021 at 12:02, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
> >>
> >>> On 4/9/21 10:47 AM, Binet, Valere (NIH/NIA/IRP) [C] wrote:
> >>>> The NIST and CIS baselines don't allow su, we have to use sudo on government computers.
> >>>
> >>> Could you enlighten me on the rationale behind that restriction? As, as you already noticed, my [ancient, maybe] reasoning makes me arrive at an opposite conclusion. (But mine is pure security consideration with full trust vested into sysadmin, see below...)
> >>>
> >>> On a second guess: it is just for a separation of privileges, and accounting of who did what which sudo brings to the table... Right?
> >>
> >> sudo brings in accounting and the ability to restrict a person to a single command. [That is hard to do well but it is possible.] It also allows for an easily auditable configuration file set so that you can see what should have been allowed and what shouldn't. Versus the usual 'oh let's make it setgid blah or setuid foo but restricted to this group..' and people forgetting it was done that way or why.
> >>
> >> That said, it is like any tool: it can be used as a hammer when it should have remained a Phillips head.
> >
> > Finally sudo can allow for better RBAC rules where if that is needed you had to have multiple su commands that were aligned to each role so that people could not escape their jail. [My understanding is that this is where your chosen OS shines

That should have been written as "your chosen OS, FreeBSD, shines" ... my apology for dropping the packets, as I thought I typed it but didn't.

> Which one OS would be that?
>
> Valeri
>
> > with sudo and this was lifted to other OSs later.] By 2005 most .gov/.mil baselines required su to be no longer allowed because of this.
>
> --
> ++++++++++++++++++++++++++++++++++++++++
> Valeri Galtsev
> Sr System Administrator
> Department of Astronomy and Astrophysics
> Kavli Institute for Cosmological Physics
> University of Chicago
> Phone: 773-702-4247
> ++++++++++++++++++++++++++++++++++++++++
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

--
Stephen J Smoogen.
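The points Stephen makes above (restricting a person to a single command, keeping the rules in one auditable place, binding commands to roles, logging who did what, and the "escape their jail" problem) as a worked sudoers drop-in. This is an added example, not anything posted in the thread; the file path, the role, user and host names, and the PostgreSQL paths are assumptions chosen for illustration.

```sudoers
# /etc/sudoers.d/10-roles  (hypothetical path; validate with: visudo -cf /etc/sudoers.d/10-roles)

# Who holds each role. Account and host names are assumed for the example.
User_Alias  DBA_ROLE  = alice, bob
User_Alias  NETOPS    = carol
Host_Alias  DBHOSTS   = db01, db02

# What each role may run. Absolute paths; arguments are part of the match,
# so "systemctl restart postgresql" is allowed but "systemctl restart sshd" is not.
Cmnd_Alias  PG_SERVICE = /usr/bin/systemctl restart postgresql, \
                         /usr/bin/systemctl status postgresql
Cmnd_Alias  PKG_QUERY  = /usr/bin/rpm -qa, /usr/bin/rpm -qi *

# Accounting: one line per invocation, plus session I/O logs for replay.
Defaults    logfile=/var/log/sudo.log
Defaults    log_input, log_output
Defaults    iolog_dir=/var/log/sudo-io
Defaults    use_pty

# Role bindings: the whole policy is readable here instead of being spread
# across setuid/setgid bits on assorted binaries.
DBA_ROLE  DBHOSTS = (root) PG_SERVICE
NETOPS    ALL     = (root) NOPASSWD: PKG_QUERY

# How people "escape their jail": an interactive editor run as root hands
# out a root shell through its own shell escape (":!sh" in vi), so this
# single-command rule is really an ALL rule:
#   alice DBHOSTS = (root) /usr/bin/vi /etc/postgresql/postgresql.conf
#
# Excluding the shell does not help either, because the user can copy or
# rename any binary to a path the exclusion does not match:
#   alice DBHOSTS = (root) ALL, !/bin/sh
#
# Prefer sudoedit: the copy is edited as the invoking user and only the
# result is installed as root, so there is no privileged editor process.
DBA_ROLE  DBHOSTS = (root) sudoedit /etc/postgresql/postgresql.conf
#
# If an interactive program is unavoidable, the NOEXEC tag stops it from
# executing further commands (effective for dynamically linked binaries).
#   alice DBHOSTS = (root) NOEXEC: /usr/bin/vi /etc/postgresql/postgresql.conf
```

Check the result from both sides of the audit question: `visudo -cf <file>` reports syntax errors before the file is live, and `sudo -l -U alice` lists exactly what alice may run on this host, which is the "what should have been allowed" view the thread describes. Every accepted or rejected invocation lands in /var/log/sudo.log with the invoking user, the target user and the command line, which is the accounting su cannot provide once several people share the root password.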