I'm currently looking to roll out a 3rd-party software agent to my client's Linux server infrastructure. The agent will run on startup and shutdown, and one of the prerequisites for the agent to run is that it has a sudoers file entry of the form:

agent-user ALL=NOPASSWD: /opt/agent-executable

The client's security team have raised concerns about this, in particular the combination of being able to invoke sudo, without a password, on Internet-facing servers, and have asked whether the security around this can be tightened up.

I'm kind of stuck with the requirements of the 3rd-party software (sudoers entry + NOPASSWD), but I wondered what other options there might be to make the deployment of this agent more secure?

P Burke
  • The typical argument to allow such a thing is that the "user-agent" account is not an interactive user account but a ***service account***, which can't be logged in to. Typically that allows some leeway in policies. You shouldn't have to, but you probably need to explain, again, that the rule only allows that service account access to a single command, which presents only limited risk. The more undesirable alternative is likely to run and operate the third-party software as root, rather than under a less privileged account. That has much more risk associated with it, but you won't need sudo... – HBruijn Apr 01 '19 at 14:06
  • Or, to put it another way, this _is_ the tightened-up configuration. – Michael Hampton Apr 01 '19 at 15:47
  • Thanks for the responses, that helped. A further question, if I may? The default position is that this agent runs as a crontab job as root, no service account. The vendor suggested a service account + sudoers entry to 'improve' security. **But has it?** At the end of the day, whether /opt/agent-executable is run as root from crontab or via a service account with a sudoers entry, it still requires superuser privileges. And setting up a service account with a sudoers entry potentially provides opportunities to make mistakes... – P Burke Apr 04 '19 at 07:57
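The sudoers rule quoted in the question can be kept in the vendor-required shape (service account + NOPASSWD) while still closing the gaps a reviewer would look for: pin the target user to root instead of the implicit ALL, forbid arguments to the command (sudoers(5) treats a trailing `""` as "no arguments allowed"), turn on sudo's I/O logging for that user, make sure the binary named in the rule is root-owned and not writable by anyone else (otherwise the service account, or anyone who compromises it, simply replaces the file), and confirm the service account has a non-interactive shell. The script below is an added example written for this page; it is not from the question, the commenters or the vendor. Only `agent-user` and `/opt/agent-executable` come from the question; the `Defaults` line, the argument restriction and all function names are assumptions, and whether the agent actually invokes the command without arguments is something to verify with the vendor before deploying the `""` form.

```shell
#!/bin/sh
# Added example for this page: hardening checks around a NOPASSWD sudoers rule.
# agent-user and /opt/agent-executable are from the question; everything else
# here is an assumption. Assumes a Linux host with POSIX sh, find(1), awk(1).

AGENT_USER="${AGENT_USER:-agent-user}"
AGENT_BIN="${AGENT_BIN:-/opt/agent-executable}"

# The rule exactly as the vendor requires it.
vendor_entry() {
    printf '%s ALL=NOPASSWD: %s\n' "$AGENT_USER" "$AGENT_BIN"
}

# A tighter rule that still satisfies "sudoers entry + NOPASSWD":
#  - (root)      : root is the only permitted target user, not ALL users
#  - trailing "" : sudoers(5) syntax for "no arguments allowed", so the rule
#                  cannot be abused as `sudo /opt/agent-executable <anything>`
#  - log_output  : sudo records what the command prints (I/O logging)
# Assumes the agent runs the command with no arguments; verify with the vendor.
tightened_entry() {
    printf 'Defaults:%s log_output\n' "$AGENT_USER"
    printf '%s ALL=(root) NOPASSWD: %s ""\n' "$AGENT_USER" "$AGENT_BIN"
}

# Returns 0 when a sudoers command spec ends with "" (arguments forbidden).
entry_forbids_args() {
    case "$1" in
        *'""') return 0 ;;
        *)     return 1 ;;
    esac
}

# The binary named in the rule must not be replaceable by the service account:
# a regular file (not a symlink), owned by root, no group/other write bits.
# Checked as two functions so a report can say which property failed.
binary_is_root_owned() {
    [ -n "$(find "$1" -maxdepth 0 -type f -user root 2>/dev/null)" ]
}

binary_not_writable_by_others() {
    [ -n "$(find "$1" -maxdepth 0 -type f ! -perm -g+w ! -perm -o+w 2>/dev/null)" ]
}

# A service account should not be usable interactively: given one passwd(5)
# line, accept only a nologin/false login shell (field 7).
passwd_line_is_noninteractive() {
    shell=$(printf '%s\n' "$1" | awk -F: '{print $7}')
    case "$shell" in
        */nologin|*/false) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Syntax-check a candidate sudoers drop-in before installing it.
# Returns 0 = accepted, 1 = rejected, 2 = visudo not available (check skipped).
sudoers_file_is_valid() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -cf "$1" >/dev/null 2>&1
}

# Print a hardening report for the real host (paths/users above).
report() {
    echo "Vendor rule:    $(vendor_entry)"
    echo "Tightened rule:"; tightened_entry | sed 's/^/  /'
    if binary_is_root_owned "$AGENT_BIN"; then echo "ok   $AGENT_BIN is a root-owned regular file"
    else echo "FAIL $AGENT_BIN is missing, a symlink, or not owned by root"; fi
    if binary_not_writable_by_others "$AGENT_BIN"; then echo "ok   $AGENT_BIN is not group/world writable"
    else echo "FAIL $AGENT_BIN is writable by group or others"; fi
    line=$(getent passwd "$AGENT_USER") || line=""
    if [ -n "$line" ] && passwd_line_is_noninteractive "$line"; then echo "ok   $AGENT_USER has a non-interactive shell"
    else echo "FAIL $AGENT_USER is missing or has an interactive shell"; fi
    tmp=$(mktemp); tightened_entry > "$tmp"
    sudoers_file_is_valid "$tmp"; rc=$?
    case $rc in
        0) echo "ok   visudo accepts the tightened rule" ;;
        1) echo "FAIL visudo rejects the tightened rule" ;;
        *) echo "skip visudo not found, rule not syntax-checked" ;;
    esac
    rm -f "$tmp"
}

# Only run the report when asked, so the functions can also be sourced.
if [ "${1:-}" = "report" ]; then
    report
fi
```

Run it as `sh sudoers-check.sh report` on the target host. The point of the separate ownership and write-bit checks is that a NOPASSWD rule is only as strong as the file it names; the rule itself is the easy part, and the `""` restriction is the one change most likely to need a conversation with the vendor.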

0 Answers