9.1.1.6. Authorize Access to Security Functions

One of the main mechanisms to control access to security functions is the use of sudo. SIMP installs the following sudo rules:

| Account | Sudo Commands | Run As Account | Password Required |
|---|---|---|---|
| administrators | /bin/su - root -l | root | no |
| administrators | /usr/sbin/puppetd | root | no |
| administrators | /usr/sbin/puppetca | root | no |
| administrators | /bin/rm -rf /var/lib/puppet/ssl | root | no |
| auditors | /bin/cat, /bin/ls, /usr/bin/lsattr, /sbin/aureport, /sbin/ausearch, /sbin/lspci, /sbin/lsusb, /sbin/lsmod, /usr/sbin/lsof, /bin/netstat, /sbin/ifconfig -a, /sbin/route, /sbin/route -[venC], /usr/bin/getent, /usr/bin/tail | root | no |
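As an added example (not SIMP's own code or configuration), the Python below parses sudoers-style group rules and reports, per group, which commands may be run as which account and whether a password is required, flagging any entry that hands out a root shell. This is the kind of check an auditor would run to confirm the deployed rules still match the table above. The embedded SAMPLE_SUDOERS text is a constructed reconstruction of that table in sudoers syntax; the host field (ALL), the %group form and the NOPASSWD tag are assumptions here, and SIMP's real files may be laid out differently.

```python
"""Audit sudoers-style rules against the documented SIMP table.

Added example, not SIMP's own code or configuration. SAMPLE_SUDOERS is a
constructed reconstruction of the table above in sudoers syntax (host
'ALL', group specs '%name', NOPASSWD tag); real SIMP files may differ.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SAMPLE_SUDOERS = """\
# Constructed from the documented table; not SIMP's actual sudoers file
%administrators ALL = (root) NOPASSWD: /bin/su - root -l
%administrators ALL = (root) NOPASSWD: /usr/sbin/puppetd
%administrators ALL = (root) NOPASSWD: /usr/sbin/puppetca
%administrators ALL = (root) NOPASSWD: /bin/rm -rf /var/lib/puppet/ssl
%auditors ALL = (root) NOPASSWD: /bin/cat, /bin/ls, /usr/bin/lsattr, /sbin/aureport, /sbin/ausearch, /sbin/lspci, /sbin/lsusb, /sbin/lsmod, /usr/sbin/lsof, /bin/netstat, /sbin/ifconfig -a, /sbin/route, /sbin/route -[venC], /usr/bin/getent, /usr/bin/tail
"""

# One group rule: %group HOST = (runas) [TAG: ...] comma-separated command list
RULE_RE = re.compile(
    r"^%(?P<group>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*)*)"
    r"(?P<cmds>.+)$"
)

# Programs that give the caller an interactive shell as the run-as user
SHELL_PROGRAMS = {"su", "sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}


@dataclass(frozen=True)
class SudoRule:
    group: str
    runas: str
    password_required: bool
    commands: Tuple[str, ...]


def split_commands(spec: str) -> List[str]:
    """Split a sudoers command list on commas, honouring the '\\,' escape."""
    parts: List[str] = []
    cur = ""
    i = 0
    while i < len(spec):
        if spec.startswith("\\,", i):   # escaped comma is part of the command
            cur += ","
            i += 2
            continue
        if spec[i] == ",":
            parts.append(cur.strip())
            cur = ""
        else:
            cur += spec[i]
        i += 1
    if cur.strip():
        parts.append(cur.strip())
    return parts


def parse_sudoers(text: str) -> List[SudoRule]:
    """Parse group (%name) user specifications; other line types are skipped."""
    rules: List[SudoRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line.startswith("%"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed sudoers rule: {line!r}")
        tags = m.group("tags") or ""
        rules.append(SudoRule(
            group=m.group("group"),
            runas=m.group("runas") or "root",      # sudoers default run-as user
            password_required="NOPASSWD:" not in tags,
            commands=tuple(split_commands(m.group("cmds"))),
        ))
    return rules


def commands_by_group(rules: List[SudoRule]) -> Dict[str, Set[str]]:
    """Collapse rules into the set of commands each group may run."""
    out: Dict[str, Set[str]] = {}
    for r in rules:
        out.setdefault(r.group, set()).update(r.commands)
    return out


def find_root_shell_grants(rules: List[SudoRule]) -> List[Tuple[str, str]]:
    """Return (group, command) pairs that grant a shell or the unrestricted ALL."""
    hits: List[Tuple[str, str]] = []
    for r in rules:
        for cmd in r.commands:
            program = cmd.split()[0]
            if program == "ALL" or os.path.basename(program) in SHELL_PROGRAMS:
                hits.append((r.group, cmd))
    return hits


if __name__ == "__main__":
    parsed = parse_sudoers(SAMPLE_SUDOERS)
    for group, cmds in sorted(commands_by_group(parsed).items()):
        print(f"{group}: {len(cmds)} commands")
    for group, cmd in find_root_shell_grants(parsed):
        print(f"review: {group} obtains a root shell via {cmd!r}")
```

Run against the constructed sample, the report shows four administrator commands and fifteen auditor commands, all run as root with no password, and flags the single /bin/su rule as a root-shell grant; the auditor set contains only read-only inspection tools, which is the least-privilege split the table is meant to express. Point `parse_sudoers` at the real file contents to detect drift from the documented policy.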

References: AC-6 (1): AUTHORIZE ACCESS TO SECURITY FUNCTIONS