From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-hardened+bounces-3621-garchives=archives.gentoo.org@lists.gentoo.org>)
	id 1RZpbk-000203-Ct
	for garchives@archives.gentoo.org; Sun, 11 Dec 2011 20:02:49 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 6081121C0BC;
	Sun, 11 Dec 2011 20:02:33 +0000 (UTC)
Received: from mail-yx0-f181.google.com (mail-yx0-f181.google.com [209.85.213.181])
	by pigeon.gentoo.org (Postfix) with ESMTP id 22CDF21C0A4
	for <gentoo-hardened@lists.gentoo.org>; Sun, 11 Dec 2011 20:01:41 +0000 (UTC)
Received: by yenm3 with SMTP id m3so4261895yen.40
        for <gentoo-hardened@lists.gentoo.org>; Sun, 11 Dec 2011 12:01:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type:content-transfer-encoding;
        bh=LaJWBN0vi/FOepYmEZ8QSi3vTGNX4ZzcqVNYFu6/fa8=;
        b=xbNdQG4ix1qsZFOjZ4AmugvBaBP9UYl2kuXUW6agx1ctmhlT2yndJdpRFd6WpIeGIH
         C+tUnIEKHsQBsmtZyloY6iK1LuVQV9Jy0zPQ9TW0EqHukaSE/CmIM5JeP+r0NvYVfFs8
         bzDMxtbfX8daaxOrHFN2joAb/INiUR3f0QxuU=
Precedence: bulk
List-Post: <mailto:gentoo-hardened@lists.gentoo.org>
List-Help: <mailto:gentoo-hardened+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-hardened+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-hardened+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-hardened.gentoo.org>
X-BeenThere: gentoo-hardened@lists.gentoo.org
Reply-to: gentoo-hardened@lists.gentoo.org
MIME-Version: 1.0
Received: by 10.236.165.98 with SMTP id d62mr1765731yhl.15.1323633701638; Sun,
 11 Dec 2011 12:01:41 -0800 (PST)
Received: by 10.236.27.200 with HTTP; Sun, 11 Dec 2011 12:01:41 -0800 (PST)
In-Reply-To: <20111211145302.GE1990@home.power>
References: <4EE3BE6B.6050507@libertytrek.org>
	<20111210145204.39ec9cba@khorne.mthode.org>
	<20111211101851.GA1810@gentoo.org>
	<20111211122043.GD1990@home.power>
	<20111211142519.GA12313@gentoo.org>
	<20111211145302.GE1990@home.power>
Date: Sun, 11 Dec 2011 12:01:41 -0800
Message-ID: <CAE1pOi1JNGR4EPt2Uz1X_fvaKJS12npp8RnnR85uMimPeST=OA@mail.gmail.com>
Subject: Re: [gentoo-hardened] New Server, considering hardened, need pointers
 to tfm...
From: Hilco Wijbenga <hilco.wijbenga@gmail.com>
To: gentoo-hardened@lists.gentoo.org
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Archives-Salt: 89e0bc76-bf54-41aa-9dd0-103fc27fa9be
X-Archives-Hash: 0aec2f7c6fe06e3a2914bf45a79c1616

On 11 December 2011 06:53, Alex Efros <powerman@powerman.name> wrote:
> On Sun, Dec 11, 2011 at 02:25:19PM +0000, Sven Vermeulen wrote:
>> > 1)  How can
>> >     4.2.4.1. Root Logon Through SSH Is Not Allowed
>> >     increase security, if we're already using
>> >     4.2.4.2. Public Key Authentication Only
>> >     Disabling root may have sense with password auth, but with keys it is
>> >     just useless inconvenience.
>>
>> I read somewhere that security is about making things more inconvenient for
>> malicious people than for authorized ones.
>>
>> For me, immediately logging in as root is not done. I want to limit root
>> access through the regular accounts on the system (with su(do)). I never had
>> the need to log on as root immediately myself.
>
> Understood. But I still don't see how this can increase security.

It is my understanding this is not so much about security per se as it
is about auditing. Especially in an environment with more than one
admin.

Let's say there are two admins (A and B) who both log on (remotely) as
root. Then there is no easy way to tell who did what. Leaving an audit
trail is useful and in many environments simply required.

Moreover, if admin A's account is compromised then a black hat can use
admin A's access to root to remotely log on to any machine admin A has
access to. This will be hard to detect and it will be hard(er) to
determine how the black hat gained access. If admin A had logged on as
admin A instead of root then it would be more obvious it was admin A's
account that had been compromised.
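As an added illustration (not part of this thread, and not code from the Gentoo handbook sections quoted above), the following Python script mirrors the two settings under discussion and the audit-trail argument: it checks an sshd_config fragment for "no root logon" plus "keys only", and then shows what a log reviewer can and cannot attribute when root is used directly versus through sudo. The directive names are real OpenSSH sshd_config keywords; the values assumed for absent directives are the OpenSSH 5.x-era defaults and are stated as assumptions in the code; the config fragments and log lines are constructed samples; the ChallengeResponseAuthentication check is an extra caveat added here (keyboard-interactive via PAM can still prompt for a password when only PasswordAuthentication is turned off).

```python
import re

# Assumed defaults for absent directives (OpenSSH 5.x era); confirm against
# the sshd_config(5) page of the version actually installed.
DEFAULTS = {
    "permitrootlogin": "yes",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {keyword.lower(): value.lower()} for an sshd_config text.

    sshd honours the FIRST occurrence of a keyword, so later duplicates are
    deliberately ignored; blank lines and lines starting with '#' are comments.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings


def check_sshd_config(text):
    """List the ways a config falls short of 4.2.4.1 (no root logon over SSH)
    and 4.2.4.2 (public key authentication only)."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["permitrootlogin"] != "no":
        findings.append("PermitRootLogin is %r: root can log in over SSH, so the "
                        "log records 'root', not a named admin" % cfg["permitrootlogin"])
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is %r: passwords are still accepted"
                        % cfg["passwordauthentication"])
    if cfg["challengeresponseauthentication"] != "no":
        findings.append("ChallengeResponseAuthentication is %r: keyboard-interactive "
                        "(PAM) can still prompt for a password"
                        % cfg["challengeresponseauthentication"])
    return findings


# Log line shapes as written by sshd and sudo via syslog.
SSH_ACCEPT = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_CMD = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def audit_root_activity(log_lines):
    """Split root-level activity into actions traceable to a named admin
    (sudo logs the invoking user) and direct root logins, which yield only an
    address and an auth method, never the person holding the key."""
    attributed, unattributed = [], []
    for line in log_lines:
        m = SSH_ACCEPT.search(line)
        if m:
            if m.group("user") == "root":
                unattributed.append((m.group("ip"), m.group("method")))
            continue
        m = SUDO_CMD.search(line)
        if m and m.group("target") == "root":
            attributed.append((m.group("user"), m.group("cmd")))
    return attributed, unattributed


# Constructed sample configs (not taken from any real host).
WEAK_CONFIG = """\
# root may log in with its key; password directives left at their defaults
PermitRootLogin yes
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
# a later duplicate does not re-enable root: sshd keeps the first value
PermitRootLogin yes
"""

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Dec 11 12:01:41 srv sshd[1234]: Accepted publickey for root from 192.0.2.10 port 51234 ssh2",
    "Dec 11 12:02:03 srv sshd[1240]: Accepted publickey for alice from 192.0.2.11 port 51300 ssh2",
    "Dec 11 12:02:30 srv sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/emerge --sync",
    "Dec 11 12:05:00 srv sshd[1250]: Failed password for root from 198.51.100.7 port 40000 ssh2",
]

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", check_sshd_config(cfg) or "no findings")
    attributed, unattributed = audit_root_activity(SAMPLE_LOG)
    print("root actions traceable to a person:", attributed)
    print("direct root logins (key owner unknown):", unattributed)
```

Running it shows the point of the thread: the weak config produces three findings (root logon allowed, and two ways a password could still be accepted), the hardened one none, and in the log only the sudo line tells you which admin acted as root; the direct root login leaves just an IP and "publickey".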