SUDO Permissions for Linux Servers
Purpose
This policy outlines the guidelines for granting root-level access to Dartmouth College individuals who obtain Linux servers from ITC for the purpose of installing and running their own applications and services. The aim is to provide maximum privileges necessary for application management while ensuring compliance with Dartmouth's DISC policies, particularly those related to auditing and tracking server activity.
Scope
This policy applies to all Dartmouth College staff, faculty, and students who are recipients of Linux servers provisioned by Infrastructure Services for application hosting and management.
Policy
1. SUDO Permissions
- Recipients of Linux servers will be granted full SUDO permissions with their designated accounts.
- SUDO access allows users to execute commands as the root user or another user, as specified by the security policy, while maintaining an audit trail of command history.
2. Prohibition of Direct Root Access
- Direct access to the root account using
su - root and any variation that drops you into the root account is strictly prohibited except in specific approved use cases.
- All administrative tasks should be performed using SUDO to ensure that all actions are logged and auditable.
- It is acceptable to
su into other service accounts, such as oracle, mysql, or apache, as needed by those vendors, provided that the risks associated with auditability have been agreed upon by their department head.
3. Use Cases for Direct Root Access
- Direct root access may be granted in exceptional circumstances where SUDO cannot provide the necessary functionality. Such cases must be documented and approved by the department head and the Information Security Team.
4. Auditing and Compliance
- All server activities must be auditable in accordance with Dartmouth’s DISC policies, specifically control 2.10 under the "compliance" category.
- Users must ensure that their use of SUDO commands is compliant with these policies and that command histories are preserved and accessible for auditing purposes.
5. Responsibilities of Server Recipients
- Recipients of the servers are responsible for the security and compliance of their applications and services.
- Users must not share their SUDO-enabled accounts with others and must ensure that their credentials are kept secure.
- Any suspected security breaches or policy violations must be reported immediately to the Infrastructure Services team.
6. Enforcement
- Violation of this policy may result in the revocation of server privileges, disciplinary action, or other consequences as deemed appropriate by Dartmouth College.
Implementation
- This policy will be effective immediately upon publication.
- Regular audits will be conducted to ensure adherence to this policy.
- Policy reminders will be implemented within Linux systems by means of warning banners.