help-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Is there a way to effectively jail a sudo-er not to breach system loggin


From: conan zhan
Subject: Is there a way to effectively jail a sudo-er not to breach system logging?
Date: Mon, 13 Sep 2021 14:51:32 +0000

I learnt that a sudo-er can gain root privilege by certain commands like sudo
bashor su -and then shut down any system monitor programs and delete system
logs. And under this condition even enforcing bash to log is useless. 

Therefore, it is very delicate management not to grant server maintainers
sudo/wheel privilege since both of them are equivalent to root, and it is a very
tiring job to think of a whitelist strategy on what they CAN do rather than what
they CANNOT do. 


So is there a way to ban a sudo-er from the following actions:

1) run a command the root does not allow. ETC. A line with both stop & rsyslogA
line withchmod;

2) use root role;


3) escape current bash environment ? 

These three altogether would create a role that gives maintainers Largest
privileges so long as they CANNOT delete the record in Black-Box.

I don't know how much work needs to be done to create such role, but there seems
to be a way to walk around by enabling a shell with censorship on command before
execution? Since you can limit a user on what shell can be used by useradd
[someuser] -s

Thanks in advance.

https://serverfault.com/questions/1076862/how-can-root-start-a-process-that-only-root-can-kill?


reply via email to

[Prev in Thread] Current Thread [Next in Thread]