AIX

Hello I am wondering if someone has experience in sudoers stored on LDAP in combination with AIX.

I found this man page, but that's mainly Linux:

https://www.sudo.ws/docs/man/1.9.1/sudoers.ldap.man/

I am working on a new blog series about AIX RBAC and would like to make first a good comparing between sudo (eventually on LDAP) and AIX RBAC.

And experience is welcome!

Thanks in Advance

Greetings Christian Sonnemans

Hello I am wondering if someone has experience in sudoers stored on LDAP in combination with AIX.

I found this man page, but that's mainly Linux:

https://www.sudo.ws/docs/man/1.9.1/sudoers.ldap.man/

I am working on a new blog series about AIX RBAC and would like to make first a good comparing between sudo (eventually on LDAP) and AIX RBAC.

And experience is welcome!

Thanks in Advance

Greetings Christian Sonnemans

------------------------------
Christian Sonnemans
Tactical Unix system engineer
De Volksbank (Netherlands)
------------------------------

@Tommi Sihvo thank you Tommi for your feedback :-)

Christian,

here is my article on FreeIPA and AIX - https://powerdevops.substack.com/p/connecting-ibm-aix-to-red-hat-identity-419 You can find there some information about connecting AIX sudo to LDAP. If you want to know more, feel free to ping me here or write an e-mail.

Regarding my experience on RBAC and sudo. I prefer using RBAC. It is more AIX integrated and more fine-grained as sudo. I think even Linux guys started understanding that sudo is not so ultimative security tool as they thought. The systemd project announced last month (?) that they want to develop a sudo replacement.

sudo is a single SUID binary with complex syntax configuration. If you a mistake in your sudoers file, you effectively lost your privileged access.

If you use local sudoers files (especially in their standard delivery), you have a security hole on the system. You must control files in /etc/sudoers.d because every file is then interpreted by sudo as a sudoers configuration file. If I need security, I remove the directory and all includes from /etc/sudoers and re-deploy /etc/sudoers using Ansible regularly.

Because of the complex sudoers syntax, most of the administrators do only one thing in /etc/sudoers:

user01 ALL=(ALL) NOPASSWD: ALL

It doesn't make the system really secure. I also saw a lot of installations with

user01 ALL=(ALL) NOPASSWD: su

just because the administrator didn't learn sudo command line options.

The most interesting things in sudoers for me are still vi, cat, grep and similar "harmless" commands. With sudo vi you can always escape to the privileged shell and with cat or grep you can look at /etc/security/passwd and other files to fish for passwords.

If you want to manage sudoers centrally in a LDAP directory, you should install additional sudo-specific schema. Welcome to the fight with your Windows Active Directory administrators! It is relatively good implemented in FreeIPA/RH IdM, but still too complex for a beginner.

The biggest advantage of sudo is that it works everywhere. If you have heterogenous environment and must configure privileges on different UNIX systems, it is better to use sudo to centralize the configuration. There are also some commerical offering from QuestOne (? they changed their name so oft that I can't follow them anymore) the employer of the main sudo developer. AFAIR it allows better integration into Windows domains with group policies, but I may be wrong here because I never deployed it.

RBAC is AIX native and this is the biggest problem if you deploy it in a complex environment. I remember at times of AIX 6.1 some IBMers told that it will be a standard among UNIX systems and HP wanted to introduce some similar RBAC concept into HP-UX. But I didn't see any other similar implementation.

The RBAC concept is not something new invented by IBM. It is based on research paper of Ferraiolo and Kuhn from 1992, which is very worth reading. AFAIK there was some 3rd party RBAC implementation for different UNIX systems before AIX 6.1. But I will not find any documents on it in my archive now. It will take too much time :-)

But I think you know a lot about AIX RBAC and their advantages and disadvantages and I can save the place on the Internet and must not feed AI bots ;-)

------------------------------
Andrey Klyachkin

https://www.power-devops.com

Original Message:
Sent: Mon June 17, 2024 01:08 PM
From: Christian Sonnemans
Subject: Sudoers LDAP and AIX user experience ?

Hello I am wondering if someone has experience in sudoers stored on LDAP in combination with AIX.

I found this man page, but that's mainly Linux:

https://www.sudo.ws/docs/man/1.9.1/sudoers.ldap.man/

I am working on a new blog series about AIX RBAC and would like to make first a good comparing between sudo (eventually on LDAP) and AIX RBAC.

And experience is welcome!

Thanks in Advance

Greetings Christian Sonnemans

------------------------------
Christian Sonnemans
Tactical Unix system engineer
De Volksbank (Netherlands)
------------------------------

Hello Andrey and also Tommi Sihvo, for reacting to this discussion.

And yes preparing my next blog series about IBM Advanced RBAC I like to compare sudo and RBAC.

Therefore I liked to know a bit more on how to store sudo rules on LDAP, which I am not familiar with.

Thank you Andrey you give me some more amor to explain why sudo can cause very easy expoilts, and can even give you shell access.

>> If you want to manage sudoers centrally in a LDAP directory, you should install additional sudo-specific schema. Welcome to the fight with your Windows Active Directory administrators! It is relatively good implemented in FreeIPA/RH IdM, but still too complex for a beginner.

Yes I liked to do this exercise but that with IBM Ldap. And was wondering if someone already got this working?

Thanks also for the link Role-Based Access Controls (nist.gov)

Thank you all for your response, within a few weeks my first part of AIX RBAC will be posted.

@Tommi Sihvo thank you Tommi for your feedback :-)

Christian,

here is my article on FreeIPA and AIX - https://powerdevops.substack.com/p/connecting-ibm-aix-to-red-hat-identity-419 You can find there some information about connecting AIX sudo to LDAP. If you want to know more, feel free to ping me here or write an e-mail.

Regarding my experience on RBAC and sudo. I prefer using RBAC. It is more AIX integrated and more fine-grained as sudo. I think even Linux guys started understanding that sudo is not so ultimative security tool as they thought. The systemd project announced last month (?) that they want to develop a sudo replacement.

sudo is a single SUID binary with complex syntax configuration. If you a mistake in your sudoers file, you effectively lost your privileged access.

If you use local sudoers files (especially in their standard delivery), you have a security hole on the system. You must control files in /etc/sudoers.d because every file is then interpreted by sudo as a sudoers configuration file. If I need security, I remove the directory and all includes from /etc/sudoers and re-deploy /etc/sudoers using Ansible regularly.

Because of the complex sudoers syntax, most of the administrators do only one thing in /etc/sudoers:

user01 ALL=(ALL) NOPASSWD: ALL

It doesn't make the system really secure. I also saw a lot of installations with

user01 ALL=(ALL) NOPASSWD: su

just because the administrator didn't learn sudo command line options.

The most interesting things in sudoers for me are still vi, cat, grep and similar "harmless" commands. With sudo vi you can always escape to the privileged shell and with cat or grep you can look at /etc/security/passwd and other files to fish for passwords.

If you want to manage sudoers centrally in a LDAP directory, you should install additional sudo-specific schema. Welcome to the fight with your Windows Active Directory administrators! It is relatively good implemented in FreeIPA/RH IdM, but still too complex for a beginner.

The biggest advantage of sudo is that it works everywhere. If you have heterogenous environment and must configure privileges on different UNIX systems, it is better to use sudo to centralize the configuration. There are also some commerical offering from QuestOne (? they changed their name so oft that I can't follow them anymore) the employer of the main sudo developer. AFAIR it allows better integration into Windows domains with group policies, but I may be wrong here because I never deployed it.

RBAC is AIX native and this is the biggest problem if you deploy it in a complex environment. I remember at times of AIX 6.1 some IBMers told that it will be a standard among UNIX systems and HP wanted to introduce some similar RBAC concept into HP-UX. But I didn't see any other similar implementation.

The RBAC concept is not something new invented by IBM. It is based on research paper of Ferraiolo and Kuhn from 1992, which is very worth reading. AFAIK there was some 3rd party RBAC implementation for different UNIX systems before AIX 6.1. But I will not find any documents on it in my archive now. It will take too much time :-)

But I think you know a lot about AIX RBAC and their advantages and disadvantages and I can save the place on the Internet and must not feed AI bots ;-)

------------------------------
Andrey Klyachkin

https://www.power-devops.com

Original Message:
Sent: Mon June 17, 2024 01:08 PM
From: Christian Sonnemans
Subject: Sudoers LDAP and AIX user experience ?

Hello I am wondering if someone has experience in sudoers stored on LDAP in combination with AIX.

I found this man page, but that's mainly Linux:

https://www.sudo.ws/docs/man/1.9.1/sudoers.ldap.man/

I am working on a new blog series about AIX RBAC and would like to make first a good comparing between sudo (eventually on LDAP) and AIX RBAC.

And experience is welcome!

Thanks in Advance

Greetings Christian Sonnemans

------------------------------
Christian Sonnemans
Tactical Unix system engineer
De Volksbank (Netherlands)
------------------------------

I looked today at sudoers schema and attempted to apply it to IDS - unsuccessful. Even if IDS is iPlanet compatible, iPlanet schema couldn't be applied...

Many years ago I had experience developing own schema for IDS, so I try to rewrite sudoers schema to be IDS-compatible. I love such challenges!

If it works, my Friday newsletter will come with the schema :-)

Hello Andrey and also Tommi Sihvo, for reacting to this discussion.

And yes preparing my next blog series about IBM Advanced RBAC I like to compare sudo and RBAC.

Therefore I liked to know a bit more on how to store sudo rules on LDAP, which I am not familiar with.

Thank you Andrey you give me some more amor to explain why sudo can cause very easy expoilts, and can even give you shell access.

>> If you want to manage sudoers centrally in a LDAP directory, you should install additional sudo-specific schema. Welcome to the fight with your Windows Active Directory administrators! It is relatively good implemented in FreeIPA/RH IdM, but still too complex for a beginner.

Yes I liked to do this exercise but that with IBM Ldap. And was wondering if someone already got this working?

Thanks also for the link Role-Based Access Controls (nist.gov)

Thank you all for your response, within a few weeks my first part of AIX RBAC will be posted.

@Tommi Sihvo thank you Tommi for your feedback :-)

Christian,

here is my article on FreeIPA and AIX - https://powerdevops.substack.com/p/connecting-ibm-aix-to-red-hat-identity-419 You can find there some information about connecting AIX sudo to LDAP. If you want to know more, feel free to ping me here or write an e-mail.

Regarding my experience on RBAC and sudo. I prefer using RBAC. It is more AIX integrated and more fine-grained as sudo. I think even Linux guys started understanding that sudo is not so ultimative security tool as they thought. The systemd project announced last month (?) that they want to develop a sudo replacement.

sudo is a single SUID binary with complex syntax configuration. If you a mistake in your sudoers file, you effectively lost your privileged access.

If you use local sudoers files (especially in their standard delivery), you have a security hole on the system. You must control files in /etc/sudoers.d because every file is then interpreted by sudo as a sudoers configuration file. If I need security, I remove the directory and all includes from /etc/sudoers and re-deploy /etc/sudoers using Ansible regularly.

Because of the complex sudoers syntax, most of the administrators do only one thing in /etc/sudoers:

user01 ALL=(ALL) NOPASSWD: ALL

It doesn't make the system really secure. I also saw a lot of installations with

user01 ALL=(ALL) NOPASSWD: su

just because the administrator didn't learn sudo command line options.

The most interesting things in sudoers for me are still vi, cat, grep and similar "harmless" commands. With sudo vi you can always escape to the privileged shell and with cat or grep you can look at /etc/security/passwd and other files to fish for passwords.

If you want to manage sudoers centrally in a LDAP directory, you should install additional sudo-specific schema. Welcome to the fight with your Windows Active Directory administrators! It is relatively good implemented in FreeIPA/RH IdM, but still too complex for a beginner.

The biggest advantage of sudo is that it works everywhere. If you have heterogenous environment and must configure privileges on different UNIX systems, it is better to use sudo to centralize the configuration. There are also some commerical offering from QuestOne (? they changed their name so oft that I can't follow them anymore) the employer of the main sudo developer. AFAIR it allows better integration into Windows domains with group policies, but I may be wrong here because I never deployed it.

RBAC is AIX native and this is the biggest problem if you deploy it in a complex environment. I remember at times of AIX 6.1 some IBMers told that it will be a standard among UNIX systems and HP wanted to introduce some similar RBAC concept into HP-UX. But I didn't see any other similar implementation.

The RBAC concept is not something new invented by IBM. It is based on research paper of Ferraiolo and Kuhn from 1992, which is very worth reading. AFAIK there was some 3rd party RBAC implementation for different UNIX systems before AIX 6.1. But I will not find any documents on it in my archive now. It will take too much time :-)

But I think you know a lot about AIX RBAC and their advantages and disadvantages and I can save the place on the Internet and must not feed AI bots ;-)

------------------------------
Andrey Klyachkin

https://www.power-devops.com

Original Message:
Sent: Mon June 17, 2024 01:08 PM
From: Christian Sonnemans
Subject: Sudoers LDAP and AIX user experience ?

Hello I am wondering if someone has experience in sudoers stored on LDAP in combination with AIX.

I found this man page, but that's mainly Linux:

https://www.sudo.ws/docs/man/1.9.1/sudoers.ldap.man/

I am working on a new blog series about AIX RBAC and would like to make first a good comparing between sudo (eventually on LDAP) and AIX RBAC.

And experience is welcome!

Thanks in Advance

Greetings Christian Sonnemans

------------------------------
Christian Sonnemans
Tactical Unix system engineer
De Volksbank (Netherlands)
------------------------------

Hello Andrey,

That's very very kind of you, but please do not put too much effort in it, my upcoming blog will only will point that this is also an option, compared to RBAC, but not the best one :).

Greetings Christian Sonnemans.

I looked today at sudoers schema and attempted to apply it to IDS - unsuccessful. Even if IDS is iPlanet compatible, iPlanet schema couldn't be applied...

Many years ago I had experience developing own schema for IDS, so I try to rewrite sudoers schema to be IDS-compatible. I love such challenges!

If it works, my Friday newsletter will come with the schema :-)

Hello Andrey and also Tommi Sihvo, for reacting to this discussion.

And yes preparing my next blog series about IBM Advanced RBAC I like to compare sudo and RBAC.

Therefore I liked to know a bit more on how to store sudo rules on LDAP, which I am not familiar with.

Thank you Andrey you give me some more amor to explain why sudo can cause very easy expoilts, and can even give you shell access.

>> If you want to manage sudoers centrally in a LDAP directory, you should install additional sudo-specific schema. Welcome to the fight with your Windows Active Directory administrators! It is relatively good implemented in FreeIPA/RH IdM, but still too complex for a beginner.

Yes I liked to do this exercise but that with IBM Ldap. And was wondering if someone already got this working?

Thanks also for the link Role-Based Access Controls (nist.gov)

Thank you all for your response, within a few weeks my first part of AIX RBAC will be posted.

@Tommi Sihvo thank you Tommi for your feedback :-)

Christian,

here is my article on FreeIPA and AIX - https://powerdevops.substack.com/p/connecting-ibm-aix-to-red-hat-identity-419 You can find there some information about connecting AIX sudo to LDAP. If you want to know more, feel free to ping me here or write an e-mail.

Regarding my experience on RBAC and sudo. I prefer using RBAC. It is more AIX integrated and more fine-grained as sudo. I think even Linux guys started understanding that sudo is not so ultimative security tool as they thought. The systemd project announced last month (?) that they want to develop a sudo replacement.

sudo is a single SUID binary with complex syntax configuration. If you a mistake in your sudoers file, you effectively lost your privileged access.

If you use local sudoers files (especially in their standard delivery), you have a security hole on the system. You must control files in /etc/sudoers.d because every file is then interpreted by sudo as a sudoers configuration file. If I need security, I remove the directory and all includes from /etc/sudoers and re-deploy /etc/sudoers using Ansible regularly.

Because of the complex sudoers syntax, most of the administrators do only one thing in /etc/sudoers:

user01 ALL=(ALL) NOPASSWD: ALL

It doesn't make the system really secure. I also saw a lot of installations with

user01 ALL=(ALL) NOPASSWD: su

just because the administrator didn't learn sudo command line options.

The most interesting things in sudoers for me are still vi, cat, grep and similar "harmless" commands. With sudo vi you can always escape to the privileged shell and with cat or grep you can look at /etc/security/passwd and other files to fish for passwords.

If you want to manage sudoers centrally in a LDAP directory, you should install additional sudo-specific schema. Welcome to the fight with your Windows Active Directory administrators! It is relatively good implemented in FreeIPA/RH IdM, but still too complex for a beginner.

The biggest advantage of sudo is that it works everywhere. If you have heterogenous environment and must configure privileges on different UNIX systems, it is better to use sudo to centralize the configuration. There are also some commerical offering from QuestOne (? they changed their name so oft that I can't follow them anymore) the employer of the main sudo developer. AFAIR it allows better integration into Windows domains with group policies, but I may be wrong here because I never deployed it.

RBAC is AIX native and this is the biggest problem if you deploy it in a complex environment. I remember at times of AIX 6.1 some IBMers told that it will be a standard among UNIX systems and HP wanted to introduce some similar RBAC concept into HP-UX. But I didn't see any other similar implementation.

The RBAC concept is not something new invented by IBM. It is based on research paper of Ferraiolo and Kuhn from 1992, which is very worth reading. AFAIK there was some 3rd party RBAC implementation for different UNIX systems before AIX 6.1. But I will not find any documents on it in my archive now. It will take too much time :-)

But I think you know a lot about AIX RBAC and their advantages and disadvantages and I can save the place on the Internet and must not feed AI bots ;-)

------------------------------
Andrey Klyachkin

https://www.power-devops.com

Original Message:
Sent: Mon June 17, 2024 01:08 PM
From: Christian Sonnemans
Subject: Sudoers LDAP and AIX user experience ?

Hello I am wondering if someone has experience in sudoers stored on LDAP in combination with AIX.

I found this man page, but that's mainly Linux:

https://www.sudo.ws/docs/man/1.9.1/sudoers.ldap.man/

I am working on a new blog series about AIX RBAC and would like to make first a good comparing between sudo (eventually on LDAP) and AIX RBAC.

And experience is welcome!

Thanks in Advance

Greetings Christian Sonnemans

------------------------------
Christian Sonnemans
Tactical Unix system engineer
De Volksbank (Netherlands)
------------------------------

I did it :-) In case someone will need it. I also submitted an issue to sudo project with IDS schema - https://github.com/sudo-project/sudo/issues/384.

Please vote for it or leave a comment on Github to include the schema into the next sudo release.

https://powerdevops.substack.com/p/centralizing-sudoers-configuration

Hello Andrey,

That's very very kind of you, but please do not put too much effort in it, my upcoming blog will only will point that this is also an option, compared to RBAC, but not the best one :).

Greetings Christian Sonnemans.

I looked today at sudoers schema and attempted to apply it to IDS - unsuccessful. Even if IDS is iPlanet compatible, iPlanet schema couldn't be applied...

Many years ago I had experience developing own schema for IDS, so I try to rewrite sudoers schema to be IDS-compatible. I love such challenges!

If it works, my Friday newsletter will come with the schema :-)

Hello Andrey and also Tommi Sihvo, for reacting to this discussion.

And yes preparing my next blog series about IBM Advanced RBAC I like to compare sudo and RBAC.

Therefore I liked to know a bit more on how to store sudo rules on LDAP, which I am not familiar with.

Thank you Andrey you give me some more amor to explain why sudo can cause very easy expoilts, and can even give you shell access.

>> If you want to manage sudoers centrally in a LDAP directory, you should install additional sudo-specific schema. Welcome to the fight with your Windows Active Directory administrators! It is relatively good implemented in FreeIPA/RH IdM, but still too complex for a beginner.

Yes I liked to do this exercise but that with IBM Ldap. And was wondering if someone already got this working?

Thanks also for the link Role-Based Access Controls (nist.gov)

Thank you all for your response, within a few weeks my first part of AIX RBAC will be posted.

@Tommi Sihvo thank you Tommi for your feedback :-)

Christian,

here is my article on FreeIPA and AIX - https://powerdevops.substack.com/p/connecting-ibm-aix-to-red-hat-identity-419 You can find there some information about connecting AIX sudo to LDAP. If you want to know more, feel free to ping me here or write an e-mail.

Regarding my experience on RBAC and sudo. I prefer using RBAC. It is more AIX integrated and more fine-grained as sudo. I think even Linux guys started understanding that sudo is not so ultimative security tool as they thought. The systemd project announced last month (?) that they want to develop a sudo replacement.

sudo is a single SUID binary with complex syntax configuration. If you a mistake in your sudoers file, you effectively lost your privileged access.

If you use local sudoers files (especially in their standard delivery), you have a security hole on the system. You must control files in /etc/sudoers.d because every file is then interpreted by sudo as a sudoers configuration file. If I need security, I remove the directory and all includes from /etc/sudoers and re-deploy /etc/sudoers using Ansible regularly.

Because of the complex sudoers syntax, most of the administrators do only one thing in /etc/sudoers:

user01 ALL=(ALL) NOPASSWD: ALL

It doesn't make the system really secure. I also saw a lot of installations with

user01 ALL=(ALL) NOPASSWD: su

just because the administrator didn't learn sudo command line options.

The most interesting things in sudoers for me are still vi, cat, grep and similar "harmless" commands. With sudo vi you can always escape to the privileged shell and with cat or grep you can look at /etc/security/passwd and other files to fish for passwords.

If you want to manage sudoers centrally in a LDAP directory, you should install additional sudo-specific schema. Welcome to the fight with your Windows Active Directory administrators! It is relatively good implemented in FreeIPA/RH IdM, but still too complex for a beginner.

The biggest advantage of sudo is that it works everywhere. If you have heterogenous environment and must configure privileges on different UNIX systems, it is better to use sudo to centralize the configuration. There are also some commerical offering from QuestOne (? they changed their name so oft that I can't follow them anymore) the employer of the main sudo developer. AFAIR it allows better integration into Windows domains with group policies, but I may be wrong here because I never deployed it.

RBAC is AIX native and this is the biggest problem if you deploy it in a complex environment. I remember at times of AIX 6.1 some IBMers told that it will be a standard among UNIX systems and HP wanted to introduce some similar RBAC concept into HP-UX. But I didn't see any other similar implementation.

The RBAC concept is not something new invented by IBM. It is based on research paper of Ferraiolo and Kuhn from 1992, which is very worth reading. AFAIK there was some 3rd party RBAC implementation for different UNIX systems before AIX 6.1. But I will not find any documents on it in my archive now. It will take too much time :-)

But I think you know a lot about AIX RBAC and their advantages and disadvantages and I can save the place on the Internet and must not feed AI bots ;-)

------------------------------
Andrey Klyachkin

https://www.power-devops.com

Original Message:
Sent: Mon June 17, 2024 01:08 PM
From: Christian Sonnemans
Subject: Sudoers LDAP and AIX user experience ?

Hello I am wondering if someone has experience in sudoers stored on LDAP in combination with AIX.

I found this man page, but that's mainly Linux:

https://www.sudo.ws/docs/man/1.9.1/sudoers.ldap.man/

I am working on a new blog series about AIX RBAC and would like to make first a good comparing between sudo (eventually on LDAP) and AIX RBAC.

And experience is welcome!

Thanks in Advance

Greetings Christian Sonnemans

------------------------------
Christian Sonnemans
Tactical Unix system engineer
De Volksbank (Netherlands)
------------------------------

I did it :-) In case someone will need it. I also submitted an issue to sudo project with IDS schema - https://github.com/sudo-project/sudo/issues/384.

Please vote for it or leave a comment on Github to include the schema into the next sudo release.

https://powerdevops.substack.com/p/centralizing-sudoers-configuration

Hello Andrey,

That's very very kind of you, but please do not put too much effort in it, my upcoming blog will only will point that this is also an option, compared to RBAC, but not the best one :).

Greetings Christian Sonnemans.

I looked today at sudoers schema and attempted to apply it to IDS - unsuccessful. Even if IDS is iPlanet compatible, iPlanet schema couldn't be applied...

Many years ago I had experience developing own schema for IDS, so I try to rewrite sudoers schema to be IDS-compatible. I love such challenges!

If it works, my Friday newsletter will come with the schema :-)

Hello Andrey and also Tommi Sihvo, for reacting to this discussion.

And yes preparing my next blog series about IBM Advanced RBAC I like to compare sudo and RBAC.

Therefore I liked to know a bit more on how to store sudo rules on LDAP, which I am not familiar with.

Thank you Andrey you give me some more amor to explain why sudo can cause very easy expoilts, and can even give you shell access.

>> If you want to manage sudoers centrally in a LDAP directory, you should install additional sudo-specific schema. Welcome to the fight with your Windows Active Directory administrators! It is relatively good implemented in FreeIPA/RH IdM, but still too complex for a beginner.

Yes I liked to do this exercise but that with IBM Ldap. And was wondering if someone already got this working?

Thanks also for the link Role-Based Access Controls (nist.gov)

Thank you all for your response, within a few weeks my first part of AIX RBAC will be posted.

@Tommi Sihvo thank you Tommi for your feedback :-)

Christian,

here is my article on FreeIPA and AIX - https://powerdevops.substack.com/p/connecting-ibm-aix-to-red-hat-identity-419 You can find there some information about connecting AIX sudo to LDAP. If you want to know more, feel free to ping me here or write an e-mail.

Regarding my experience on RBAC and sudo. I prefer using RBAC. It is more AIX integrated and more fine-grained as sudo. I think even Linux guys started understanding that sudo is not so ultimative security tool as they thought. The systemd project announced last month (?) that they want to develop a sudo replacement.

sudo is a single SUID binary with complex syntax configuration. If you a mistake in your sudoers file, you effectively lost your privileged access.

If you use local sudoers files (especially in their standard delivery), you have a security hole on the system. You must control files in /etc/sudoers.d because every file is then interpreted by sudo as a sudoers configuration file. If I need security, I remove the directory and all includes from /etc/sudoers and re-deploy /etc/sudoers using Ansible regularly.

Because of the complex sudoers syntax, most of the administrators do only one thing in /etc/sudoers:

user01 ALL=(ALL) NOPASSWD: ALL

It doesn't make the system really secure. I also saw a lot of installations with

user01 ALL=(ALL) NOPASSWD: su

just because the administrator didn't learn sudo command line options.

The most interesting things in sudoers for me are still vi, cat, grep and similar "harmless" commands. With sudo vi you can always escape to the privileged shell and with cat or grep you can look at /etc/security/passwd and other files to fish for passwords.

If you want to manage sudoers centrally in a LDAP directory, you should install additional sudo-specific schema. Welcome to the fight with your Windows Active Directory administrators! It is relatively good implemented in FreeIPA/RH IdM, but still too complex for a beginner.

The biggest advantage of sudo is that it works everywhere. If you have heterogenous environment and must configure privileges on different UNIX systems, it is better to use sudo to centralize the configuration. There are also some commerical offering from QuestOne (? they changed their name so oft that I can't follow them anymore) the employer of the main sudo developer. AFAIR it allows better integration into Windows domains with group policies, but I may be wrong here because I never deployed it.

RBAC is AIX native and this is the biggest problem if you deploy it in a complex environment. I remember at times of AIX 6.1 some IBMers told that it will be a standard among UNIX systems and HP wanted to introduce some similar RBAC concept into HP-UX. But I didn't see any other similar implementation.

The RBAC concept is not something new invented by IBM. It is based on research paper of Ferraiolo and Kuhn from 1992, which is very worth reading. AFAIK there was some 3rd party RBAC implementation for different UNIX systems before AIX 6.1. But I will not find any documents on it in my archive now. It will take too much time :-)

But I think you know a lot about AIX RBAC and their advantages and disadvantages and I can save the place on the Internet and must not feed AI bots ;-)

------------------------------
Andrey Klyachkin

https://www.power-devops.com

Original Message:
Sent: Mon June 17, 2024 01:08 PM
From: Christian Sonnemans
Subject: Sudoers LDAP and AIX user experience ?

Hello I am wondering if someone has experience in sudoers stored on LDAP in combination with AIX.

I found this man page, but that's mainly Linux:

https://www.sudo.ws/docs/man/1.9.1/sudoers.ldap.man/

I am working on a new blog series about AIX RBAC and would like to make first a good comparing between sudo (eventually on LDAP) and AIX RBAC.

And experience is welcome!

Thanks in Advance

Greetings Christian Sonnemans

------------------------------
Christian Sonnemans
Tactical Unix system engineer
De Volksbank (Netherlands)
------------------------------

@Tommi Sihvo thank you Tommi for your feedback :-)

Christian,

here is my article on FreeIPA and AIX - https://powerdevops.substack.com/p/connecting-ibm-aix-to-red-hat-identity-419 You can find there some information about connecting AIX sudo to LDAP. If you want to know more, feel free to ping me here or write an e-mail.

Regarding my experience on RBAC and sudo. I prefer using RBAC. It is more AIX integrated and more fine-grained as sudo. I think even Linux guys started understanding that sudo is not so ultimative security tool as they thought. The systemd project announced last month (?) that they want to develop a sudo replacement.

sudo is a single SUID binary with complex syntax configuration. If you a mistake in your sudoers file, you effectively lost your privileged access.

If you use local sudoers files (especially in their standard delivery), you have a security hole on the system. You must control files in /etc/sudoers.d because every file is then interpreted by sudo as a sudoers configuration file. If I need security, I remove the directory and all includes from /etc/sudoers and re-deploy /etc/sudoers using Ansible regularly.

Because of the complex sudoers syntax, most of the administrators do only one thing in /etc/sudoers:

user01 ALL=(ALL) NOPASSWD: ALL

It doesn't make the system really secure. I also saw a lot of installations with

user01 ALL=(ALL) NOPASSWD: su

just because the administrator didn't learn sudo command line options.

The most interesting things in sudoers for me are still vi, cat, grep and similar "harmless" commands. With sudo vi you can always escape to the privileged shell and with cat or grep you can look at /etc/security/passwd and other files to fish for passwords.

If you want to manage sudoers centrally in a LDAP directory, you should install additional sudo-specific schema. Welcome to the fight with your Windows Active Directory administrators! It is relatively good implemented in FreeIPA/RH IdM, but still too complex for a beginner.

The biggest advantage of sudo is that it works everywhere. If you have heterogenous environment and must configure privileges on different UNIX systems, it is better to use sudo to centralize the configuration. There are also some commerical offering from QuestOne (? they changed their name so oft that I can't follow them anymore) the employer of the main sudo developer. AFAIR it allows better integration into Windows domains with group policies, but I may be wrong here because I never deployed it.

RBAC is AIX native and this is the biggest problem if you deploy it in a complex environment. I remember at times of AIX 6.1 some IBMers told that it will be a standard among UNIX systems and HP wanted to introduce some similar RBAC concept into HP-UX. But I didn't see any other similar implementation.

The RBAC concept is not something new invented by IBM. It is based on research paper of Ferraiolo and Kuhn from 1992, which is very worth reading. AFAIK there was some 3rd party RBAC implementation for different UNIX systems before AIX 6.1. But I will not find any documents on it in my archive now. It will take too much time :-)

But I think you know a lot about AIX RBAC and their advantages and disadvantages and I can save the place on the Internet and must not feed AI bots ;-)

------------------------------
Andrey Klyachkin

https://www.power-devops.com

Original Message:
Sent: Mon June 17, 2024 01:08 PM
From: Christian Sonnemans
Subject: Sudoers LDAP and AIX user experience ?

Hello I am wondering if someone has experience in sudoers stored on LDAP in combination with AIX.

I found this man page, but that's mainly Linux:

https://www.sudo.ws/docs/man/1.9.1/sudoers.ldap.man/

I am working on a new blog series about AIX RBAC and would like to make first a good comparing between sudo (eventually on LDAP) and AIX RBAC.

And experience is welcome!

Thanks in Advance

Greetings Christian Sonnemans

------------------------------
Christian Sonnemans
Tactical Unix system engineer
De Volksbank (Netherlands)
------------------------------

Hi!

While I agree in general in what you wrote - especially about mistakes done by many admins - in all fairness I would like to point out, that sudo offers some functionality not available via alternatives (or not as usable).  The second main reason (beside it being available on nearly all platforms) why we use sudo  is its io log feature.  Not only can you log the full input and output of a sudo session, you can also send it to a remote log server in real time.  So you can always look up and trace what your users did on a system your normal users have no access too at all.

When we introduced that, we found the sudo approach easiest to introduce and maintain compared to the alternatives we found.

Best regards,

  Alexander

@Tommi Sihvo thank you Tommi for your feedback :-)

Christian,

here is my article on FreeIPA and AIX - https://powerdevops.substack.com/p/connecting-ibm-aix-to-red-hat-identity-419 You can find there some information about connecting AIX sudo to LDAP. If you want to know more, feel free to ping me here or write an e-mail.

Regarding my experience on RBAC and sudo. I prefer using RBAC. It is more AIX integrated and more fine-grained as sudo. I think even Linux guys started understanding that sudo is not so ultimative security tool as they thought. The systemd project announced last month (?) that they want to develop a sudo replacement.

sudo is a single SUID binary with complex syntax configuration. If you a mistake in your sudoers file, you effectively lost your privileged access.

If you use local sudoers files (especially in their standard delivery), you have a security hole on the system. You must control files in /etc/sudoers.d because every file is then interpreted by sudo as a sudoers configuration file. If I need security, I remove the directory and all includes from /etc/sudoers and re-deploy /etc/sudoers using Ansible regularly.

Because of the complex sudoers syntax, most of the administrators do only one thing in /etc/sudoers:

user01 ALL=(ALL) NOPASSWD: ALL

It doesn't make the system really secure. I also saw a lot of installations with

user01 ALL=(ALL) NOPASSWD: su

just because the administrator didn't learn sudo command line options.

The most interesting things in sudoers for me are still vi, cat, grep and similar "harmless" commands. With sudo vi you can always escape to the privileged shell and with cat or grep you can look at /etc/security/passwd and other files to fish for passwords.

If you want to manage sudoers centrally in a LDAP directory, you should install additional sudo-specific schema. Welcome to the fight with your Windows Active Directory administrators! It is relatively good implemented in FreeIPA/RH IdM, but still too complex for a beginner.

The biggest advantage of sudo is that it works everywhere. If you have heterogenous environment and must configure privileges on different UNIX systems, it is better to use sudo to centralize the configuration. There are also some commerical offering from QuestOne (? they changed their name so oft that I can't follow them anymore) the employer of the main sudo developer. AFAIR it allows better integration into Windows domains with group policies, but I may be wrong here because I never deployed it.

RBAC is AIX native and this is the biggest problem if you deploy it in a complex environment. I remember at times of AIX 6.1 some IBMers told that it will be a standard among UNIX systems and HP wanted to introduce some similar RBAC concept into HP-UX. But I didn't see any other similar implementation.

The RBAC concept is not something new invented by IBM. It is based on research paper of Ferraiolo and Kuhn from 1992, which is very worth reading. AFAIK there was some 3rd party RBAC implementation for different UNIX systems before AIX 6.1. But I will not find any documents on it in my archive now. It will take too much time :-)

But I think you know a lot about AIX RBAC and their advantages and disadvantages and I can save the place on the Internet and must not feed AI bots ;-)

------------------------------
Andrey Klyachkin

https://www.power-devops.com

Original Message:
Sent: Mon June 17, 2024 01:08 PM
From: Christian Sonnemans
Subject: Sudoers LDAP and AIX user experience ?

Hello I am wondering if someone has experience in sudoers stored on LDAP in combination with AIX.

I found this man page, but that's mainly Linux:

https://www.sudo.ws/docs/man/1.9.1/sudoers.ldap.man/

I am working on a new blog series about AIX RBAC and would like to make first a good comparing between sudo (eventually on LDAP) and AIX RBAC.

And experience is welcome!

Thanks in Advance

Greetings Christian Sonnemans

------------------------------
Christian Sonnemans
Tactical Unix system engineer
De Volksbank (Netherlands)
------------------------------

Hello I am wondering if someone has experience in sudoers stored on LDAP in combination with AIX.

I found this man page, but that's mainly Linux:

https://www.sudo.ws/docs/man/1.9.1/sudoers.ldap.man/

I am working on a new blog series about AIX RBAC and would like to make first a good comparing between sudo (eventually on LDAP) and AIX RBAC.

And experience is welcome!

Thanks in Advance

Greetings Christian Sonnemans

Hello I am wondering if someone has experience in sudoers stored on LDAP in combination with AIX.

I found this man page, but that's mainly Linux:

https://www.sudo.ws/docs/man/1.9.1/sudoers.ldap.man/

I am working on a new blog series about AIX RBAC and would like to make first a good comparing between sudo (eventually on LDAP) and AIX RBAC.

And experience is welcome!

Thanks in Advance

Greetings Christian Sonnemans