Use sudo instead of su for init startup scripts
MichaelMcClanahan opened this issue · 2 comments
As per the CIS Benchmark standards, the su command should be replaced with sudo.
Background: The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the wheel group to execute su.
Rationale: Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program.
Locations:
https://github.com/brianbianco/redisio/blob/v2.6.1/templates/default/sentinel.init.erb#L18
https://github.com/brianbianco/redisio/blob/v2.6.1/templates/default/redis.init.erb#L21
https://github.com/brianbianco/redisio/blob/v2.6.1/templates/default/sentinel.upstart.conf.erb#L18
https://github.com/brianbianco/redisio/blob/v2.6.1/templates/default/redis.upstart.conf.erb#L18
https://github.com/brianbianco/redisio/blob/v2.6.1/test/integration/multisentinel/serverspec/multiple_sentinels_spec.rb#L32
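An audit sketch for the two checks the issue above describes (pam_wheel.so enabled in the su PAM file, and su calls left in startup scripts), added here as an example and not part of the original issue or the redisio cookbook. The function names, the sample file names, the RUN_USER/DAEMON/CONFIG variables and all sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit helpers for the CIS su/sudo recommendation.

# Succeeds when the PAM file has an uncommented pam_wheel.so auth line,
# i.e. su is limited to members of the wheel group.
pam_wheel_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# Prints "lineno:text" for non-comment lines that invoke su as a command.
# Heuristic: su must be a separate word followed by an option or a user name,
# so "sudo" and "/etc/pam.d/su" are not flagged. Review hits by hand.
find_su_calls() {
    grep -nE '(^|[[:space:];&|(])su[[:space:]]+[-[:alnum:]_$"]' "$1" |
        grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# Constructed sample inputs (not copied from the redisio templates).
write_samples() {
    cat > "$1/pam_su_default" <<'EOF'
auth       sufficient   pam_rootok.so
#auth      required     pam_wheel.so use_uid
EOF
    cat > "$1/pam_su_hardened" <<'EOF'
auth       sufficient   pam_rootok.so
auth       required     pam_wheel.so use_uid
EOF
    cat > "$1/example.init" <<'EOF'
#!/bin/sh
# start the daemon with su or sudo
su - "$RUN_USER" -c "$DAEMON $CONFIG"
sudo -u "$RUN_USER" -- "$DAEMON" "$CONFIG"
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
for f in pam_su_default pam_su_hardened; do
    if pam_wheel_enabled "$dir/$f"; then echo "$f: su restricted to wheel"
    else echo "$f: su open to all users"; fi
done
find_su_calls "$dir/example.init"
rm -rf "$dir"
```

On a real host the same functions can be pointed at /etc/pam.d/su and at the rendered init or upstart files.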
Closing due to inactivity.
If this is still an issue please reopen or open another issue. Alternatively drop by the #sous-chefs channel on the Chef Community Slack and we'll be happy to help!
Thanks,
Sous-Chefs
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.