So Trellix did not accept this as a bug in their healthcheck script. We put in an RFE with them to do this healthcheck invocation using setpriv or su -c, which doesn't trigger the LDAP queries.
Now we have an open case with RH Tech Support on this. Basically, when sudo is invoked as root and we have early in the /etc/sudoers file:
root ALL=(ALL) ALL
and then later on in /etc/sudoers file we have:
## Read drop-in files from /etc/sudoers.
#includedir /etc/sudoers.d
then sudo should not be making group membership queries to enumerate all the various AD groups in the /etc/sudoers.d/* files, which is triggering multiple LDAP queries on thousands of servers -- all on the hour and half-hour.
Spike
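The two things the thread turns on are (a) whether a host's /etc/sudoers pulls in drop-ins at all, since sudo resolves every entry it parses, including the AD-group entries under /etc/sudoers.d, even when root is already matched earlier in the file, and (b) running a service's status check from a root-owned script without going through sudo. The script below is an added illustration; it is not code from any message in this thread, and not Trellix/McAfee code. It assumes the standard util-linux/coreutils tools setpriv, runuser and su; the service account "mfe" and the command path in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: drop privileges for a health check without sudo, and check
# whether a sudoers file pulls in drop-in files. Not from the thread or from
# the vendor's script; user "mfe" and the command path below are placeholders.

# Which privilege-dropping tool this host offers. None of them reads sudoers,
# so none of them resolves sudoers group lists through SSSD/LDAP.
drop_tool() {
    if command -v setpriv >/dev/null 2>&1; then echo setpriv
    elif command -v runuser >/dev/null 2>&1; then echo runuser
    else echo su
    fi
}

# run_as USER CMD [ARGS...]
# Root drops to USER with the tool above. A non-root caller never escalates:
# it must already be USER (the "start out as non-root" option from the thread).
run_as() {
    user="$1"; shift
    if [ "$(id -u)" -ne 0 ]; then
        [ "$(id -un)" = "$user" ] || { echo "run_as: not root and not '$user'" >&2; return 1; }
        "$@"
        return
    fi
    case "$(drop_tool)" in
        setpriv)
            # Numeric primary gid from the passwd db; --init-groups loads the
            # user's supplementary groups via NSS (one lookup for that user only).
            # The environment is inherited; set only what the command needs on
            # its own command line, e.g. via env(1).
            setpriv --reuid="$user" --regid="$(id -g "$user")" --init-groups -- "$@" ;;
        runuser)
            runuser -u "$user" -- "$@" ;;
        su)
            # Last resort, mirroring the su -s /bin/sh -c form quoted in the thread.
            su -s /bin/sh "$user" -c "$*" ;;
    esac
}

# sudoers_has_includedir FILE
# True when FILE pulls in drop-ins (#includedir, or @includedir in newer sudo).
# sudo parses every User_List in those drop-ins on each invocation, which is
# the path that reaches SSSD/LDAP on hosts with AD-group rules.
sudoers_has_includedir() {
    grep -Eq '^[[:space:]]*[#@]includedir[[:space:]]' "$1"
}

# Usage from a root-owned health-check script (placeholder paths):
#   run_as mfe env LD_LIBRARY_PATH=/opt/placeholder/lib /opt/placeholder/bin/macmnsvc status
# Audit on a host:
#   sudoers_has_includedir /etc/sudoers && echo "drop-ins in use; sudo will resolve group rules"
```

On a host where `sudoers_has_includedir /etc/sudoers` is true, every `sudo` from root still parses the drop-ins, so the wrapper's setpriv/runuser path is what removes the scheduled LDAP traffic; the non-root branch covers scripts that are already run under the service account.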
On Fri, Oct 6, 2023 at 12:16 PM Larkin, Patrick Patrick.Larkin@sabre.com wrote:
On 10/6/23, 11:52, "Sam Morris" sam@robots.org.uk wrote:
On 04/10/2023 17:02, Spike White wrote:
We see in other places in this McAfee script that they run this command using 'su' instead of 'sudo'.
su -s /bin/sh -c "LD_LIBRARY_PATH=... ${PROGROOT}/bin/macmnsvc status" mfe…
Anyway, it's McAfee's problem to fix now. We'll report it and I'm sure they'll figure out a solution.
If they are root and want to drop privileges then they would be better served by runuser or setpriv. …
…or start out as non-root user to begin with…
(It’s a peeve of mine when security companies don’t follow best practice of elevating only if absolutely necessary.)
--
Pat Larkin | Manager – LinuxIMO
Sabre TEO | Texas USA
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue