Which is better to set users up under: Wheel or SUDO


On some of the Linux servers that I'm managing, the previous admin had some users in sudoers and had some in the wheel group.

It's my understanding that the wheel group is legacy. However, if a user is placed under sudoers, then we can track their transactions under /var/log/secure.

So I'm wondering which one would be better to set my power users up under.

Responses

Being under wheel doesn't mean they're not under sudo ... and depending on how you've configured PAM, being in wheel doesn't automatically allow you to use /bin/su.

Aside from that, the auditing subsystems should track not only the euid of the user that used su rather than sudo, but the uid of the user for everything invoked under either method.

Overall, there isn't really a One Right Way To Do It. It all really depends on what works best in your environment and how well you configure either (or both) method(s).
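A worked example, added here and not code from any post in the thread: given constructed /etc/group, /etc/sudoers and /var/log/secure fragments, it reconciles which path (the %wheel rule or an explicit entry) grants each user sudo and parses the sudo lines in /var/log/secure into accountable events, including denied attempts. All file contents are constructed samples; the log line format is the default one sudo writes on RHEL-style hosts.

```python
import re

# Constructed sample of the lines sudo writes to /var/log/secure (not real host data)
SAMPLE_SECURE_LOG = """\
Mar  3 10:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart httpd
Mar  3 10:13:44 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:14:02 web01 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Mar  3 10:15:30 web01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
"""
# Constructed /etc/group and /etc/sudoers fragments
SAMPLE_GROUP = "wheel:x:10:alice,bob\n"
SAMPLE_SUDOERS = "%wheel ALL=(ALL) ALL\ndave ALL=(ALL) NOPASSWD: /bin/systemctl\n"

# Success lines have "user : TTY=..."; denials insert a reason before TTY=
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; "
                     r"PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")

def wheel_members(group_text):
    """Return the set of users listed in the wheel line of an /etc/group file."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if fields[0] == "wheel" and len(fields) == 4:
            return {m for m in fields[3].split(",") if m}
    return set()

def sudoers_paths(sudoers_text, wheel):
    """Map user -> {'wheel', 'explicit'}: how each user is granted sudo."""
    paths = {}
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        who = line.split()[0]
        if who == "%wheel":                      # group rule: applies to every wheel member
            for u in wheel:
                paths.setdefault(u, set()).add("wheel")
        elif not who.startswith("%"):            # per-user rule (other groups ignored here)
            paths.setdefault(who, set()).add("explicit")
    return paths

def parse_sudo_log(log_text):
    """Extract invoking user, target user, command and any denial reason from sudo log lines."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            d = m.groupdict()
            d["denied"] = d["reason"] is not None
            events.append(d)
    return events

def audit_report(log_text, group_text, sudoers_text):
    """Join each logged sudo event with the grant path(s) the user actually holds."""
    paths = sudoers_paths(sudoers_text, wheel_members(group_text))
    return [{"user": e["user"], "cmd": e["cmd"], "denied": e["denied"],
             "reason": e["reason"], "via": sorted(paths.get(e["user"], []))}
            for e in parse_sudo_log(log_text)]
```

Whether the grant comes from %wheel or an explicit entry, sudo logs the same invoking user, target user and command, which is what makes either path auditable.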

Hey Christopher,
Like Tom mentioned, it is unlikely you will find a single response that solves the issue.

I have found [Sudo Mastery by Michael Lucas](https://www.michaelwlucas.com/nonfiction/sudo-mastery) to be helpful - but, it was a bit of a read. He also has a video link from a presentation he did.

I have also used something like PowerBroker in the past that may be a consideration.

Problem I've found with tools like PowerBroker and Centrify, for things beyond authentication, is that if your AD is laid out differently than they expect, their documentation, recommendations and support become really iffy. And unless your AD team is really on board, the weight of getting AD-hosted policies properly implemented can be a real impediment to a project.

They can be great tools, but if you're only managing one or a few systems, using their "Enterprise" products is kind of like opening peanuts with a carnival hammer.

I agree that Sudo Mastery by Michael Lucas is well worth the read.

I think the benefit of sudo is that there is then no need to share account passwords (eg root pw) if users only need to run specific actions.

On topic, does anyone have suggestions/recommendations for logging interactive user sessions? (replacement shells etc.)

Off topic... are you James Radtke Community Leader turned Red Hat employee now? or is it a coincidence?

Other than using auditd to try to reconstruct things, most of the options are commercial. Both Centrify and PowerBroker claim to do full session recording - to the point that they'll play back a "movie" of what's happened during a session.

> Off topic... are you James Radtke Community Leader turned Red Hat employee now? or is it a coincidence?

Both? ;-)

I joined a few weeks ago and it's awesome! And now I get a snazzy new badge on the Portal ;-)
