[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Is there a way to effectively jail a sudo-er not to breach system lo
|
From: |
Alex fxmbsw7 Ratchev |
|
Subject: |
Re: Is there a way to effectively jail a sudo-er not to breach system logging? |
|
Date: |
Mon, 13 Sep 2021 17:12:36 +0200 |
if you want, that functionality, you gotta implent.c it yourself, with
kernel apis etc
On Mon, Sep 13, 2021, 17:06 conan zhan <conanzhan@onionmail.org> wrote:
> I learnt that a sudo-er can gain root privilege by certain commands like
> sudo
> bashor su -and then shut down any system monitor programs and delete system
> logs. And under this condition even enforcing bash to log is useless.
>
> Therefore, it is very delicate management not to grant server maintainers
> sudo/wheel privilege since both of them are equivalent to root, and it is
> a very
> tiring job to think of a whitelist strategy on what they CAN do rather
> than what
> they CANNOT do.
>
>
> So is there a way to ban a sudo-er from the following actions:
>
> 1) run a command the root does not allow. ETC. A line with both stop &
> rsyslogA
> line withchmod;
>
> 2) use root role;
>
>
> 3) escape current bash environment ?
>
> These three altogether would create a role that gives maintainers Largest
> privileges so long as they CANNOT delete the record in Black-Box.
>
> I don't know how much work needs to be done to create such role, but there
> seems
> to be a way to walk around by enabling a shell with censorship on command
> before
> execution? Since you can limit a user on what shell can be used by useradd
> [someuser] -s
>
> Thanks in advance.
>
>
> https://serverfault.com/questions/1076862/how-can-root-start-a-process-that-only-root-can-kill
> ?
>