[BBLISA] audit root/sudo users for RHEL 6 server

John Miller jorymil at gmail.com
Fri Apr 17 16:03:46 EDT 2020


If they're unable to read /etc/passwd and /etc/sudoers, that would be a
problem.  But those files are only the start of who might have root
privileges on a system: think about all the members of the sudoers group,
for example, or all the people whose SSH keys allow them to log in as one
of these accounts.  If you're using any sort of directory for
authentication, you'll want to take that into account as well.  The output
of 'getent passwd' and 'getent group' will take you a little closer to
getting all the available system users.

John

On Fri, Apr 17, 2020 at 1:56 PM John Stoffel <john at stoffel.org> wrote:

>
> John> What is the best way to provide proof to an audit person who
> John> needs to know all the root/sudo users for  a RHEL 6 server?
>
> It depends on what they take as "proof" of your audit process.  Our
> current auditors want screen shots of files with a clock in the
> corner, which makes *zero* sense, so we're working to educate them and
> to put a better system in place.
>
> It might be that tripwire is the possible solution, started off first
> in a very targeted way.
>
> John> (I am new at this company, and don't have access to all their
> John> resources)
>
> John> We can provide the /etc/passwd   &   /etc/sudoers file   (the
> John> auditor may not know how to read these files)
>
> They probably don't *care* what the files say, but more "what is your
> process to monitor and keep track of changes?". And of course
> management of adding and removing accounts.
>
> John> We also have the RedHat  Identity Management  running here, but
> John> I am not familiar with this tool.
>
> Never used it.  Auditing is documenting a process and having controls
> and being able to show you use them and of course can justify them.
>
> John
>
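One way to turn the `getent passwd` / `getent group` / sudoers data mentioned in the reply above into a single list for review, as an added example that is not part of either message. The sample data is constructed, the function names are hypothetical, and the sudoers parsing is deliberately simplified (no alias or include expansion).

```shell
# Constructed sample data. On a real host use the output of `getent passwd`,
# `getent group`, and the text of /etc/sudoers plus /etc/sudoers.d/*.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:10::/home/bob:/bin/bash
carol:x:502:502::/home/carol:/bin/bash'
SAMPLE_GROUP='root:x:0:
wheel:x:10:alice'
SAMPLE_SUDOERS='# constructed sudoers
Defaults    requiretty
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
carol   ALL=(ALL)       /sbin/service'

# Every account with UID 0, whatever its name (reads passwd format on stdin).
uid0_accounts() { awk -F: '$3 == 0 {print $1}' | sort -u; }

# First field of each sudoers rule: a user or a %group (reads sudoers on stdin).
# Simplified: skips comments, Defaults and *_Alias lines; aliases and
# #include/#includedir are not expanded.
sudoers_principals() {
  awk '/^[ \t]*(#|$)/ || $1 ~ /^Defaults/ || $1 ~ /_Alias$/ {next} {print $1}' | sort -u
}

# Members of group $1, given passwd data in $2 and group data in $3. Includes
# users whose primary GID is the group; the group member list omits them.
group_members() {
  local gid
  gid=$(printf '%s\n' "$3" | awk -F: -v g="$1" '$1 == g {print $3}')
  { printf '%s\n' "$3" | awk -F: -v g="$1" '$1 == g {n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i]}'
    [ -n "$gid" ] && printf '%s\n' "$2" | awk -F: -v id="$gid" '$4 == id {print $1}'
  } | sort -u
}

# Union of UID 0 accounts, users named in sudoers, and members of %groups in
# sudoers. Args: passwd data, group data, sudoers data. This shows who has any
# rule, not what each rule permits.
sudo_or_root_accounts() {
  { printf '%s\n' "$1" | uid0_accounts
    printf '%s\n' "$3" | sudoers_principals | while read -r p; do
      case $p in
        %*) group_members "${p#%}" "$1" "$2" ;;
        *)  printf '%s\n' "$p" ;;
      esac
    done
  } | sort -u
}
```

In the sample, `bob` appears only because his primary GID is `wheel`; he is absent from the group's member list. SSH keys that allow login as these accounts, which the reply also mentions, are not covered here.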