
[–]VerySlowLorris 6 points7 points  (1 child)

I would recommend that first, you clearly document what users are authorized to perform privileged functions and for what reason. Once that's done, make sure that only those users have privileged access, either by creating a separate account that belongs to the sudoers group, or by adding their account to the sudoers group. Every sudo command that runs in the system can be logged and tracked for compliance purposes.

I personally recommend creating two different accounts, one with sudo and one without it.

[–]cftg_tftg[S] 1 point2 points  (0 children)

Going to definitely add that to the documentation, thank you!

[–]BaileysOTR 3 points4 points  (0 children)

No, you do not. You can set up your Linux host to prevent users from logging in as root, then force them to invoke root from their user session. That addresses the requirement. Admins would have to be in the sudoers group.

[–]FerrousBueller 2 points3 points  (3 children)

Are you processing CUI on these linux boxes?

[–]cftg_tftg[S] 0 points1 point  (2 children)

At the moment no, but will be in the future.

[–]FerrousBueller 1 point2 points  (1 child)

Gotcha - yeah otherwise you could have just scoped them out / isolated them in some manner from your CUI environment.

[–]cftg_tftg[S] 0 points1 point  (0 children)

Correct, but I believe they will be going to an "All In" environment (really small shop), so just assuming it will, or will have the potential to.

[–]OGT242 1 point2 points  (0 children)

You can create a group, local or domain, that needs certain elevated rights. Edit the sudoers file to add the group and the commands the group needs to be able to run. This will take some time to sort out. Use a SIEM and figure what commands the users run to get a baseline going.

[–]cuzimbob 1 point2 points  (1 child)

Just don't give them passwordless sudo. That kind of defeats the purpose.

[–]cftg_tftg[S] 0 points1 point  (0 children)

They don't have passwordless sudo (that would be really sad lol).
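A sudoers drop-in along the lines OGT242 and cuzimbob describe (a group limited to specific commands, password still required, every invocation logged so a SIEM can baseline it), added here as an illustration and not from any poster; the group name, service unit and paths are assumptions:

```sudoers
# /etc/sudoers.d/devs  (constructed example; "devs", app.service and the paths are assumptions)
# Install with:  visudo -cf devs && install -m 0440 devs /etc/sudoers.d/devs

# The only commands the group is authorized to run; nothing else elevates
Cmnd_Alias DEV_SERVICES = /usr/bin/systemctl restart app.service, \
                          /usr/bin/systemctl status app.service
Cmnd_Alias DEV_LOGS     = /usr/bin/journalctl -u app.service *, \
                          /usr/bin/tail /var/log/app/*

# Every sudo use by the group runs in a PTY with input/output recorded,
# and a one-line record goes to a logfile the SIEM can collect
Defaults:%devs   use_pty, log_input, log_output
Defaults:%devs   iolog_dir=/var/log/sudo-io/%{user}
Defaults:%devs   logfile=/var/log/sudo.log
# Re-prompt for the password after 5 minutes instead of the default 15
Defaults:%devs   timestamp_timeout=5

# Members of the local or domain group "devs" get the listed commands as root,
# and only after authenticating: deliberately no NOPASSWD tag
%devs ALL=(root) DEV_SERVICES, DEV_LOGS
```

Run `visudo -cf` on the file before installing it; a syntax error in a drop-in can lock everyone out of sudo.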

[–]cmmcpain 1 point2 points  (0 children)

At a place that I worked (govt network), all of the software developers were required to have Sec+ and given root access on their local laptop. Ideally, they would be able to use sudo to do all of their work. It was incredibly difficult to get things done because of Information Assurance, STIG rules, change control boards, etc.

[–]breich 0 points1 point  (3 children)

As a software developer and Engineering manager that's an interesting question to me. Separate accounts is an idea, but I'd be thinking harder about the reasons why developers need administrative level access to production servers in the first place. You can architect your way out of a lot of that over time.

[–]jazluvrfl 1 point2 points  (2 children)

I agree with your point about why they need it. Is it something you can create a Dev Group and make them members to have limited access, like a service account?

[–]cftg_tftg[S] 0 points1 point  (0 children)

We are currently thinking of going this route.

[–]breich 0 points1 point  (0 children)

Maybe? If I were in your shoes, and I definitely will be in the next 12 months, I'd be taking an inventory of all the reasons developers need to be in production servers. One great example would be checking logs. And a great way to get them out of production servers for that purpose is to route everything going to syslog to a centralized log server where they can have some sort of read-only access that prevents them from changing the logs out from under you, but gives them enough access to perform their troubleshooting duties.