Lessons learned while working in Information Security.
moc.navat@ymerej
I’m sorry if the title of this post sounds like I’m going to get all philosophical and start discussing the skills and personal characteristics that make someone a true Linux administrator. That’s not what this is about. Instead, it’s a lot more prosaic. If you’re using endpoint management software to track servers, and you want to audit the list of accounts with administrative privileges on a system, how do you do it?
In both Windows and MacOS, the definition of an “administrator” account is fairly easy. Under Windows, you look at the Administrators group. On MacOS there are a few ways to enumerate admins, but it all boils down to the users who have the “Allow user to administer this computer” checkbox checked. Of course, as Unix systems, Macs are also subject to many of the criteria in the definition below. Under Linux, things aren’t so straightforward. How would one define a Linux admin account for purposes of inventory and monitoring? I started thinking about this recently and came up with the following definition, which is definitely a work in progress:
An administrator of a Linux server is any user that meets any of the following definitions:

2. Is a member of the group wheel, admin, administrators or root.
3. Exists in the sudoers file with an ALL permission line.
5. Is listed in the .k5login file of any user account meeting any of criteria 1-4.

I know the oldschool UNIX admins are going to yell at me for the group names in (2). Sorry.

There are certainly other criteria which would be functionally equivalent to the above (for example, any user that can edit the sudoers file), but this seems like a good place to start for machines that are set up somewhat normally and not already compromised. I have BigFix relevance code for 1-4 on the list, which is complicated enough, and support for inspecting /root/.k5login, but haven’t yet implemented the full (5) successfully.
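As an added illustration (not the author's BigFix relevance code), here is a small Python inventory check for the group, sudoers-ALL and .k5login criteria above. The /etc/group, sudoers and .k5login contents are constructed samples embedded inline; a real collector would read the files from the host, and sudoers aliases and %group specs are deliberately left unresolved.

```python
import re

# Constructed sample inputs (not real files) standing in for /etc/group,
# /etc/sudoers and the .k5login files of accounts found by the other criteria.
GROUP_FILE = "root:x:0:\nwheel:x:10:alice,bob\nusers:x:100:carol\nadmin:x:200:dave\n"
SUDOERS = """Defaults env_reset
root ALL=(ALL:ALL) ALL
erin ALL=(ALL) NOPASSWD: ALL
frank ALL=(ALL) /usr/bin/systemctl restart nginx   # not an ALL line
%wheel ALL=(ALL) ALL
"""
K5LOGIN = {"root": "grace@EXAMPLE.COM\n", "alice": "alice@EXAMPLE.COM\nheidi@EXAMPLE.COM\n"}

ADMIN_GROUPS = {"wheel", "admin", "administrators", "root"}
SUDO_SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")  # user host=(runas) cmds
TAGS = re.compile(r"^(?:[A-Z]+:\s*)+")  # strips NOPASSWD:, SETENV: etc. from a command

def group_admins(group_text):
    """Criterion 2: members of the administrative groups in /etc/group."""
    admins = set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] in ADMIN_GROUPS:
            admins.update(m for m in fields[3].split(",") if m)
    return admins

def sudoers_all_admins(sudoers_text):
    """Criterion 3: user specs whose command list contains ALL.
    %group specs and aliases are skipped; %wheel is covered by the group check."""
    admins = set()
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "%", "+")) or "_Alias" in line:
            continue
        m = SUDO_SPEC.match(line)
        if m and any(TAGS.sub("", c.strip()) == "ALL" for c in m.group(2).split(",")):
            admins.add(m.group(1))
    return admins

def k5login_admins(admins, k5login_by_user):
    """Criterion 5: Kerberos principals in the .k5login of any account already counted."""
    return {p.strip() for u in admins
            for p in k5login_by_user.get(u, "").splitlines() if p.strip()}

def linux_admins(group_text, sudoers_text, k5login_by_user):
    """Union of the criteria; principals are reported alongside local usernames."""
    admins = group_admins(group_text) | sudoers_all_admins(sudoers_text)
    return admins | k5login_admins(admins, k5login_by_user)
```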
It’s so simple!