Hey everyone! I'm the sole Linux admin at an organization with about 1000 employees, and my first task was to enforce a policy that disallows root user access throughout the company. We have Puppet set up already, so I'm using the `saz-sudo` module to manage this. I've started allowing specific commands for users, creating a permissions map based on groups, essentially whitelisting what tasks they can handle without root access. While it's working, I'm not entirely confident it's the best way to handle this or consistent enough across the board.
I have a few questions: Does my approach sound reasonable? How are other organizations managing rootless environments on a large scale? Are there better practices or tools that you recommend? I'd love to hear your experiences or insights! Thanks!
5 Answers
If you’re using Puppet or Ansible for these controls, it’s really important to understand what users typically need. It can be tough if some have a lot of commands while others don’t need much. Group-based permissions can keep things manageable without leading to a cluttered sudoers file.
Consider equipping developers with Docker or Podman to emulate root access within containers. It gives them flexibility while maintaining the rootless environment you're aiming for.
Just a heads up that root containers still run in root context, so keep that in mind!
Using CIS benchmarks is a smart move. They help lay out guidelines for securing your systems, and STIGs might be useful too if you need that level of detail. It’s good to have some foundational framework for your policy.
Before diving deeper, think about using a solid framework for implementing your rootless configuration. A systematic approach is definitely the best practice—check out the STIGs related to your Linux environment as a potential starting point.
STIGs might seem extensive. If you find relevant controls, feel free to cherry-pick what fits your needs or check out the CIS Benchmarks for more practical guidance.
Honestly, your approach isn’t bad! I’ve done something similar with Puppet and used group restrictions as well. You should explore what the core goal of this policy is—whether it’s for security controls, compliance, or something else. Understanding this can help you refine your strategy and make better decisions along the way.
Instead of adding individual users, consider putting Active Directory groups in your sudoers. This makes management way easier, but remember to set the right uidNumber and gidNumber for users.
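The group-based permissions map suggested in the first answer and the directory-group rule in the last one are easy to get subtly wrong in sudoers itself, so here is an added example (not code from the thread or from the saz-sudo module) that renders one `/etc/sudoers.d` drop-in per group from such a map and lints each entry before it is handed to Puppet. The group names, commands and paths are constructed; the rendered text is the kind of string you would pass as the `content` parameter of saz-sudo's `sudo::conf`, and the whole thing assumes nothing beyond sudoers(5) syntax. The lint catches the three things that turn a "whitelisted" command back into root: `ALL`, binaries with well-known shell escapes, and argument wildcards, which in sudoers also match whitespace and therefore let extra arguments be appended.

```python
"""Added example: render group-based sudoers.d drop-ins from a permissions
map and reject entries that silently grant a root shell. The map, group
names and command paths below are constructed for illustration."""
import re

# Constructed permissions map: Unix or directory group -> commands the group
# may run as root. "log readers" stands in for an AD-style name with a space.
PERMISSIONS = {
    "web-ops": [
        "/usr/bin/systemctl restart nginx",
        "/usr/bin/systemctl status nginx",
    ],
    "log readers": [
        "/usr/bin/journalctl -u nginx",
    ],
    "db-admins": [
        "/usr/bin/vim /etc/postgresql/postgresql.conf",
        "/usr/bin/cat /var/log/postgresql/*",
        "ALL",
    ],
}

# Binaries with well-known shell escapes (":!sh" in vim, "!sh" in less,
# "-exec" in find, system() in awk/perl, ...). Granting these through sudo
# is the same as granting a root shell.
SHELL_ESCAPE_BINS = {"vim", "vi", "view", "less", "more", "find", "awk",
                     "perl", "python3", "bash", "sh", "env"}


def sudoers_group(group):
    """Render a group name for sudoers; spaces must be backslash-escaped."""
    return "%" + group.replace(" ", "\\ ")


def alias_name(group):
    """Derive a Cmnd_Alias name (upper-case alphanumerics and underscores only)."""
    return "CMD_" + re.sub(r"[^A-Z0-9]", "_", group.upper())


def render_fragment(group, commands, nopasswd=False):
    """Render one sudoers.d drop-in: a Cmnd_Alias plus a single group rule.
    (root) rather than (ALL) so the rule cannot be used to become other users."""
    alias = alias_name(group)
    tag = "NOPASSWD: " if nopasswd else ""
    return (f"Cmnd_Alias {alias} = {', '.join(commands)}\n"
            f"{sudoers_group(group)} ALL=(root) {tag}{alias}\n")


def lint_commands(commands):
    """Return a list of (command, reason) for entries that defeat the whitelist."""
    findings = []
    for cmd in commands:
        if cmd.strip() == "ALL":
            findings.append((cmd, "ALL is unrestricted root; defeats the whitelist"))
            continue
        prog = cmd.split()[0]
        if not prog.startswith("/"):
            findings.append((cmd, "relative path: sudoers requires a full path"))
        binary = prog.rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPE_BINS:
            findings.append((cmd, f"{binary} has a known shell escape"))
        if "*" in cmd or "?" in cmd:
            findings.append((cmd, "wildcard in argument: '*' also matches spaces, "
                                  "so extra arguments can be appended"))
    return findings


def build_all(permissions):
    """Return ({group: fragment} for clean groups, {group: findings} for rejected)."""
    fragments, rejected = {}, {}
    for group, commands in permissions.items():
        findings = lint_commands(commands)
        if findings:
            rejected[group] = findings
        else:
            fragments[group] = render_fragment(group, commands)
    return fragments, rejected


if __name__ == "__main__":
    ok, bad = build_all(PERMISSIONS)
    for group, frag in ok.items():
        print(f"# sudo::conf {{ '{group}': content => ... }}\n{frag}")
    for group, findings in bad.items():
        for cmd, why in findings:
            print(f"REJECT {group}: {cmd!r}: {why}")
```

Run it as a pre-commit check on the map that feeds your Puppet manifests; anything in the rejected set needs a tighter command line (or `NOEXEC` and a wrapper script) before it goes into `sudo::conf`. Whatever you render, still validate the final file on a host with `visudo -cf <file>`, since this lint checks intent, not sudoers grammar.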