[BBLISA] audit root/sudo users for RHEL 6 server

K. M. Peterson kmp at kmpeterson.com
Sat Apr 18 18:32:04 EDT 2020


Lois,

The auditors that I have worked with will generally know enough to ask good questions even if they don’t know exactly what technology is specifically in use.  But they also gave me scripts to run to pull information like passwd, and I’m pretty sure they _never_ looked at the output... 

John Malloy,

Red Hat IdM will make things different, as it is an additional layer to the host-based files.  You’ll need to find out who manages that in order to get an authoritative list.  That should be based on assigning roles, but you can look at the groups the host is in and work backward with that person; IdM can also determine sudo access (though it may depend on the version - I’ve mostly worked with CentOS 7).  Remember, no one can “log in” via sudo...

The other element to this is what John Stoffel said: it’s really process.  They’ll believe you when you have a good, documented process.  The step of sitting down with a systems admin and asking for this sort of thing is really pretty far along; what they are most likely looking for is “evidence” that a policy is being adhered to.  They aren’t interested in a rat hole any more than you are, and they are trying to help you be compliant, but doing the right thing isn’t of interest to them if it’s not “business as usual” backed by the right “controls”.  And, btw, those should include a statement about the principle of least privilege with respect to access, and that means if you find violations that’s better than not being able to call them as such.

And I have done PCI so if there’s anything I can tell you about that, feel free to ping me directly. It might help if you know what they are auditing “for” (PCI, HIPAA, DoD,…) and if they’re internal v. external auditors, etc.

_KMP


> On 18 Apr 2020, at 15:22, Dean Anderson <dean.anderson71 at yahoo.com> wrote:
> 
> You need to report who has the root passwords and who is in the sudo files, and whether there are any other means of becoming root.  Powerbroker or other tools including Tivoli, puppet etc are included.  If you can run a puppet script as root, you’re root.
> 
> Sent from my iPad
> 
>> On Apr 17, 2020, at 11:56 AM, John Malloy <jomalloy at gmail.com> wrote:
>> 
>> What is the best way to provide proof to an audit person who needs to know all the root/sudo users for a RHEL 6 server?
>> 
>> (I am new at this company, and don't have access to all their resources) 
>> 
>> We can provide the /etc/passwd & /etc/sudoers file (the auditor may not know how to read these files)
>> 
>> We also have the Red Hat Identity Management running here, but I am not familiar with this tool.
>> 
>> Any suggestions would be appreciated.
>> 
>> Thanks!
>> 
>> John Malloy
>> jomalloy at gmail.com
>> _______________________________________________
>> bblisa mailing list
>> bblisa at bblisa.org
>> http://www.bblisa.org/mailman/listinfo/bblisa
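As an added example (not code from anyone in this thread), the script below turns the files John mentions, /etc/passwd and /etc/sudoers, into the readable report Dean describes: every UID 0 account (not just the one named root), and every sudo user spec with User_Alias names and %group entries expanded to actual user names, using /etc/group plus primary GIDs from passwd. It follows #include and #includedir the way sudo 1.7/1.8 on RHEL 6 does and joins backslash-continued lines. Assumptions: it reads only the local files, so on a host joined to Red Hat IdM it covers the local layer only (IdM/SSSD-served users, groups and sudo rules are not in these files and must come from the IdM side, as KMP says); Cmnd_Alias names are left unexpanded; and the sample passwd, group and sudoers content, including every user name in it, is constructed for the demo.

```shell
#!/bin/sh
# Offline "who can become root" report from copies of a host's local passwd,
# group and sudoers files. Added example for this thread, not anyone's own
# code. Assumes sudo 1.7/1.8 syntax (RHEL 6); IdM/SSSD-served rules are not here.
set -u
# Every account with UID 0 (not only "root"), printed as "name:shell".
uid0_accounts() {   # $1 = passwd file
    awk -F: '$3 == 0 { print $1 ":" $7 }' "$1"
}
# Flatten a sudoers file: follow #include/#includedir, drop comments and blank
# lines, join continued lines; skip #includedir names with "." or ending in "~".
sudoers_flatten() {   # $1 = sudoers file
    [ -r "$1" ] || return 0
    awk '
        /^[ \t]*#includedir[ \t]/ { sub(/^[ \t]*#includedir[ \t]+/, ""); print "INCLUDEDIR " $0; next }
        /^[ \t]*#include[ \t]/    { sub(/^[ \t]*#include[ \t]+/, ""); print "INCLUDE " $0; next }
        /^[ \t]*#/ || /^[ \t]*$/  { next }
        { line = line $0 }
        /\\$/ { sub(/\\$/, "", line); next }
        { print line; line = "" }
    ' "$1" | while IFS= read -r l; do
        case $l in
            "INCLUDE "*)    sudoers_flatten "${l#INCLUDE }" ;;
            "INCLUDEDIR "*) for g in "${l#INCLUDEDIR }"/*; do
                                case ${g##*/} in *~|*.*) ;; *) sudoers_flatten "$g" ;; esac
                            done ;;
            *)              printf '%s\n' "$l" ;;
        esac
    done
}
# One line per principal per user spec: "user<TAB>how granted<TAB>runas+commands".
# User_Alias and %group are expanded; membership comes from the group file plus
# primary GIDs in passwd. Cmnd_Alias names are left as written.
sudo_grants() {   # $1 = sudoers, $2 = passwd, $3 = group
    sudoers_flatten "$1" | awk -v passwd="$2" -v group="$3" '
    BEGIN {
        while ((getline l < group) > 0) {
            split(l, f, ":"); gidname[f[3]] = f[1]
            m = split(f[4], mem, ",")
            for (i = 1; i <= m; i++) if (mem[i] != "") members[f[1]] = members[f[1]] "," mem[i]
        }
        while ((getline l < passwd) > 0) {
            split(l, f, ":")
            if (f[4] in gidname) members[gidname[f[4]]] = members[gidname[f[4]]] "," f[1]
        }
    }
    function emit(p, how, rhs,   g, k, lst, j, via) {
        if (p in alias) {             # User_Alias: recurse into its members
            k = split(alias[p], lst, ",")
            for (j = 1; j <= k; j++) emit(lst[j], "User_Alias " p, rhs)
        } else if (p ~ /^%/) {        # %group: list the local members
            g = substr(p, 2); k = split(substr(members[g], 2), lst, ",")
            via = (how == "direct") ? "" : " via " how
            if (members[g] == "") print "(no local members)\tgroup " g "\t" rhs
            for (j = 1; j <= k; j++) print lst[j] "\tgroup " g via "\t" rhs
        } else if (p != "") print p "\t" how "\t" rhs
    }
    /^User_Alias[ \t]/ { sub(/^User_Alias[ \t]+/, ""); split($0, a, "="); gsub(/[ \t]/, "", a[1]); gsub(/[ \t]/, "", a[2]); alias[a[1]] = a[2]; next }
    /^(Defaults|Host_Alias|Runas_Alias|Cmnd_Alias)/ { next }
    /=/ {
        eq = index($0, "="); lhs = substr($0, 1, eq - 1); rhs = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", lhs); gsub(/^[ \t]+|[ \t]+$/, "", rhs); gsub(/[ \t]+/, " ", rhs)
        n = split(lhs, w, /[ \t]+/)   # last word of the left side is the host list
        users = ""; for (i = 1; i < n; i++) users = users w[i]
        m = split(users, u, ",")
        for (i = 1; i <= m; i++) emit(u[i], "direct", rhs)
    }'
}
# Constructed stand-ins for /etc/passwd, /etc/group, /etc/sudoers, /etc/sudoers.d.
make_samples() {   # $1 = directory to populate
    mkdir -p "$1/sudoers.d"
    cat > "$1/passwd" <<EOF
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second UID 0 account:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:10::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
EOF
    printf 'root:x:0:\nwheel:x:10:alice\nops:x:500:carol\n' > "$1/group"
    cat > "$1/sudoers" <<EOF
Defaults    requiretty
User_Alias  ADMINS = alice, %ops
Cmnd_Alias  SERVICES = /sbin/service, /sbin/chkconfig
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
ADMINS  ALL=(root) NOPASSWD: SERVICES
#includedir $1/sudoers.d
EOF
    printf 'dave ALL=(ALL) \\\n    /usr/bin/puppet agent\n' > "$1/sudoers.d/ops"
    printf 'old_admin ALL=(ALL) ALL\n' > "$1/sudoers.d/ops.rpmsave"   # ignored: "." in name
}
# Usage: sh audit_root.sh /etc/passwd /etc/group /etc/sudoers  (no args: demo run)
d=""
if [ $# -eq 3 ]; then p=$1 g=$2 s=$3; else d=$(mktemp -d); make_samples "$d"; p=$d/passwd g=$d/group s=$d/sudoers; fi
echo "== UID 0 accounts (name:shell) =="; uid0_accounts "$p"
echo "== sudo user specs (user / how granted / runas and commands) =="; sudo_grants "$s" "$p" "$g"
[ -z "$d" ] || rm -rf "$d"
```

On the demo files the report lists root and toor as UID 0 accounts, and six grant lines: root directly, alice and bob through %wheel (bob only because wheel is his primary group in passwd, which a reader of /etc/group alone would miss), alice and carol through the ADMINS alias, and dave from the sudoers.d fragment; the stale ops.rpmsave file is ignored exactly as sudo ignores it. Run it against copies of the live files, and pair the output with a getent-based or IdM-side listing on IdM-joined hosts, since this script deliberately reads only what is on disk.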
