Getting Control of Linux/Unix with Sudo and AD Integration

Webinar Registration

Root is to *nix as Administrator is to Windows – only worse. You should never log on to Windows using the local Administrator account, and the same goes for root on Unix/Linux. In this webinar I’ll explain why, but more importantly I’ll show you how to follow that crucial best practice through the use of sudo – the time-honored administrative application that goes back to 1980.
 
The nearest thing in Windows to sudo is the Runas feature. Sudo stands for “super user do” and it provides a way to safely execute administrative commands in a controlled, least-privilege fashion. I’ll show you how the /etc/sudoers file is used to control who can use sudo, what commands they can perform via sudo, and how to configure sudo security such as password requirements and who can actually change sudo policy itself.
 
We’ll also look at how sudo logging works so that you have an audit of privileged user activity.
 
But unless you have the luxury of a 1-server network, sudo by itself is not a complete solution. First there’s the matter of managing sudo policy across multiple systems. But the much bigger problem is identity and authentication, and that is most easily explained by another analogy. I always preach that you should avoid the use of local accounts on Windows servers like the plague. Local accounts are so bad for security in so many ways. The very same issues and risks apply to local accounts on Unix and Linux for the same reasons. The difference, though, is that while it’s very easy to solve this on Windows (just use domain accounts), it’s very hard to address on Unix and Linux.
 
The native technologies for unifying identity and authentication on *nix are NIS and Kerberos. NIS is the very poor sys admin’s directory, but any auditor worth their salt will fail an environment using NIS because of unencrypted traffic subject to sniffing and man-in-the-middle attacks, among other things. Obviously getting single sign-on to Active Directory is the ticket, and both AD and *nix support Kerberos and LDAP. This is the other area I will look at in this webinar: what does it take to integrate *nix with AD via Kerberos, and what do you end up with after doing that?
 
Then I think you’ll love Tyler Reese’s brief presentation on Dell’s extensions to sudo and their AD bridge solution. The current mastermind of the global sudo effort, Todd Miller, works at Dell and that has facilitated some really cool things that Dell has done to make sudo far more powerful, secure and integrated with AD. Then Authentication Services for Unix, Dell’s AD bridge solution, makes integrating *nix with AD as easy as adding a Windows computer to the domain.
 
Both parts of this webinar will be technical and very cool.
 
Please register now for this real training for free™!
 

 
