<<O>>  Difference Topic ServerSecurity (r1.20 - 07 Mar 2009 - BenScott)

META TOPICPARENT InternetServer
Our InternetServer will need to be protected against all the Internet nasties (which are legion).
Line: 23 to 23

  • This gives us both enhanced security and traceability (a record of what gets done).
  • Avoid "sudo to shell" if at all feasible. If you must, consider using "script" to record the session.
Changed:
<
<
As a policy, we strictly avoid sudo'ing to a shell (e..g., "=sudo -i=", "=sudo /bin/sh="). This is entirely for traceability -- commands done within a sudo shell are not logged. If it must be done, wrap your session in an invocation of script(1) to log the entire shell session.
>
>
As a policy, we strictly avoid sudo'ing to a shell (e..g., "sudo -i", "sudo /bin/sh"). This is entirely for traceability -- commands done within a sudo shell are not logged. If it must be done, wrap your session in an invocation of script(1) to log the entire shell session.

With this environment of multiple admins from diverse backgrounds who have never worked together before, this is mostly done for record-keeping purposes. Our use of sudo is more about keeping honest people honest then protecting from arbitrary attacks.

Revision r1.19 - 22 Feb 2009 - 22:47 - BenScott
Revision r1.20 - 07 Mar 2009 - 16:39 - BenScott