Re: [Hampshire] Result of the Ubuntu Challenge

Author: Stephen Davies
Date:  
To: Sean Gibbins
CC: Hampshire LUG Discussion List
Subject: Re: [Hampshire] Result of the Ubuntu Challenge
Sean,
The difference is that to get to root (unless you have physical access
to the machine) required cracking two passwords. Direct root logins, even
via ssh over a network connection, should be disabled, thus you have to be
able to log on to one account first and then try to su to root. Every su
is logged and as you know (from often bitter experience... :-X ) using
things like Keon & Seos can make auditable access control easier to
manage.

The 'secure' system I was working on had one and only one account that
could use su to log in to root. This account was normally disabled unless
the correct approvals were obtained, whereupon it was enabled and you
were given a one-time password in order to log in again. This was a real
pain at one point as we had to apply some patches which required either
a reboot or init 1 followed by init 3. This meant that after the reboot
(it was easier to explain to the security bods) I had to get another
one-time password to verify the system.

There are pros and cons to both sudo and su. After starting to
understand SELinux, I have certainly swung back to su and away from
sudo. A couple of years ago, I was more in favour of sudo than su.

Stephen D
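
Added example, not part of the original message: a small audit of the two controls described above (no direct root login over ssh, and exactly one account able to su to root). It assumes su is restricted with pam_wheel, which the message does not state; the sample files, the group `suadmin` and the account `breakglass` are constructed.

```python
import re

# Constructed sample files; group and account names are hypothetical.
SSHD_CONFIG = """# constructed sample
Port 22
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""
PAM_SU = """auth sufficient pam_rootok.so
auth required pam_wheel.so use_uid group=suadmin
"""
GROUP = "root:x:0:\nsuadmin:x:1001:breakglass\n"

def root_login_settings(sshd_text):
    """Return (global PermitRootLogin, [(Match criteria, value), ...])."""
    global_val, overrides, match = None, [], None
    for raw in sshd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, val = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            match = val                      # later keywords apply to this block only
        elif key == "permitrootlogin":
            if match is not None:
                overrides.append((match, val.lower()))
            elif global_val is None:         # sshd keeps the first value it reads
                global_val = val.lower()
    return global_val or "prohibit-password", overrides  # OpenSSH default if unset

def su_allowed_accounts(pam_su_text, group_text):
    """Members of the pam_wheel group, or None if su is not restricted.
    Accounts that have the group as primary group are not listed in /etc/group."""
    for raw in pam_su_text.splitlines():
        f = raw.split()
        if len(f) >= 3 and f[:2] == ["auth", "required"] and f[2].endswith("pam_wheel.so"):
            group = next((a[6:] for a in f[3:] if a.startswith("group=")), "wheel")
            for entry in group_text.splitlines():
                cols = entry.split(":")
                if len(cols) == 4 and cols[0] == group:
                    return [m for m in cols[3].split(",") if m]
            return []
    return None

def audit(sshd_text, pam_su_text, group_text):
    glob, overrides = root_login_settings(sshd_text)
    findings = [] if glob == "no" else [f"global PermitRootLogin is {glob}"]
    findings += [f"Match {m}: PermitRootLogin {v}" for m, v in overrides if v != "no"]
    allowed = su_allowed_accounts(pam_su_text, group_text)
    if allowed is None:
        findings.append("su is not restricted by pam_wheel")
    elif len(allowed) != 1:
        findings.append(f"{len(allowed)} accounts may su: {allowed}")
    return findings
```

On the constructed sample the global setting passes, but the Match block that re-enables root login for one address range is reported.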