Cyber Security Awareness Month - Day 10 - Standard Sudo - Part Two
It is Day 10 of Cyber Security Awareness Month. I am continuing with Part Two of my entry from Day 3 on Standard Sudo - Part One. We will cover some technical implementation options of sudo with pros and cons of the given examples.
Some Sudo Good Ideas
A. Central Distribution
The distribution control of your sudoers file is key to controlling the risk of your UNIX servers.
1. LDAP [1]
Cons
- Large environments may have challenges to update and true up software on all flavors of UNIX;
- Sudoers LDAP support began with Sudo v1.6.8;
- LDAP client software is required for Sudo to work with LDAP support;
- Potental for a significant work effort to port existing sudo command sets into LDAP sudo schema;
Pros
- May make auditors happy;
- Ideal for small start up environments;
- Opportunities for provisioning teams become easier;
2. Central Server
- Use/develop a sync mechanism like CVS, rsync, scp, nfs, etc.;
B. Single File / 1:Many
Use of ONE standardized sudo command file to be used on every server lightens the distribution burdens. (sync scripts are an easy fix...) This does come with risks and each environment needs to measure the tolerance of this idea. The biggest gap to consider is unused sudo commands will likely exist on a server. For intance, if rule to restart the Apache web server was maintained by the UNIX group "webteam" and it existed on every server, then the servers without Apache may not end up with the "webteam" group. In many cases the process and procedure that already exists will easily dictate whether this is condition is acceptable.
Cons
- Requires deliberation of risk; a potential barrier;
- Potential for unused sudo command sets to be present on any given server;
- 1 mistake, Many failures; An undetected critical mistake gets distributed every where.
Pros
- May make auditors happy;
- No minimum version requirement; (if command sets are kept basic)
- One file to manage; (a potentially large file, but a BIG pro..)
- Easy distribution; (sync scripts easy to develop)
C. File Based Command Sets / Few:Many
The #includedir directive was released between Sudo v1.7.1 and v1.7.2 in early 2009.[2] This feature allows the configuration to be managed with multiple files. For instance, all web/app admin command sets can be placed into a file and distributed separately. An update to one command set does not necessarily jeopardize remainder of command sets. This method can easily be 'profiled'. For instance, the sync scripts can keep track of which file is pushed to which server with configuration/list files. This way, only webservers get the 'web admin' command sets.
Cons
- Large environments will need to true up to 1.7.2 or higher; a potentiallly significant effort;
- Potential for unused sudo command sets to be present on any given server
- Adds complexity; (not much mind you...)
D. Structured Formatting
The idea is to create a XML'ish format of the file using comment hashes (#). A copy of each sudoers file is stored centrally, and each section is managed locally at the central point, and distributed to the remote server as needed. The purpose of standard format (illustarated below) is to provide many opportunities to control, audit, and report on the sudoers environment.
<< standard_OS >>
Cons
- Potentially significant effort to implement;
- Potential for unused sudo command sets to be present on any given server;
- Adds much complexity;
- Development effort required to implement;
Pros
- May make auditors happy;
- Creates efficiencies;
- Provides the following opportunities;
- Sudoers file integrity checking;
- Reporting of compliance;
- Standardized provisioning of new sudo adds;
- Distribute provisioning responsbilities of sudo mods;
- No minimum version requirement; (if command sets are kept basic)
STANDARD SECTION
PROFILES SECTION
NATIVE SECTION
Summary
In summary, (if you're still with me) the sudo environment in your organization may not be very complicated, thus much of this may seem overkill. However, there is much listed above to take away to any sized organization. Sudo solves MANY problems, while creating some high risk ones. How it is configured, much like everything on your UNIX servers, really matters to the security of your environment. When sudo is setup and managed in a standard framework, it keeps the risks under control, the efficiencies high, and the auditors happier. The underlying main message is that no one solution fits all, yet Standard Methods of implementation lower your risks.
Please keep in mind, I only know what I know. There is always much to learn. Please share any ideas, gaps, or even questions you have about the diary above. We all benefit from the sharing.
[1] http://www.sudo.ws/sudo/sudoers.ldap.man.html
[2] http://www.gratisoft.us/sudo/maintenance.html#1.7.2
-Kevin
--
ISC Handler on Duty
Comments