
sudo_pair

sudo_pair is a `sudo` plugin that enforces a two-person rule, requiring another human to approve and monitor privileged sessions. I find this crucial for sensitive systems where no individual should act autonomously.

Visit github.com →

Questions & Answers

What is sudo_pair?
sudo_pair is a plugin for sudo that enforces a two-person rule for privileged commands. It requires another human to approve and monitor sudo sessions before they can proceed. This enhances security by preventing a single user from acting autonomously on sensitive systems.
Who should use sudo_pair?
sudo_pair is designed for organizations and system administrators managing sensitive systems where strict access control and accountability are paramount. It is particularly useful in environments where preventing individual autonomy for critical operations is a security requirement.
When is sudo_pair most beneficial for system security?
sudo_pair is most beneficial when operating on highly sensitive systems, such as those managing internal access-control, accounting ledgers, or financial transactions. It adds an essential layer of oversight and accountability, ensuring that no single individual can perform critical actions without peer approval and monitoring.
How does sudo_pair enhance standard sudo functionality?
Standard sudo allows users to run commands as root or other privileged users based on the rules in the sudoers policy. sudo_pair is loaded as a sudo I/O plugin alongside that policy, so sudoers still decides who may run what; sudo_pair adds a second gate on top, requiring real-time, explicit approval from a second human who can also watch the session as it runs. This prevents unilateral privileged actions and increases operational transparency.
How is sudo_pair configured to specify enforced or exempted groups?
sudo_pair is configured through options on its `Plugin` line in `/etc/sudo.conf`. The `gids_enforced` option is a comma-separated list of numeric GIDs whose members always require pairing, while `gids_exempted` is a comma-separated list of GIDs whose members are exempt from the pairing requirement. Both take GIDs rather than group names, so resolve names with `getent group` before writing the line.
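Because `gids_enforced` and `gids_exempted` take numeric GIDs, the practical chore is turning a list of group names into the right `Plugin` line. The script below is an added example, not code from the sudo_pair project: it resolves group names against a constructed `/etc/group`-style file (embedded so it runs offline) and emits the `Plugin sudo_pair sudo_pair.so ...` line for `/etc/sudo.conf`. The group names, their GIDs and the plugin path `sudo_pair.so` are illustrative assumptions; on a real host you would read the system group database instead.

```shell
#!/bin/sh
# Added example, not sudo_pair's own code: build the /etc/sudo.conf Plugin line
# for sudo_pair from group names, since gids_enforced/gids_exempted take GIDs.
# GROUP_DB is a constructed /etc/group-style database so the script runs offline;
# the group names and the plugin path are assumptions for illustration.

GROUP_DB="$(cat <<'EOF'
root:x:0:
wheel:x:10:alice,bob
ops:x:1001:alice,carol
finance-admins:x:1002:dave
ci-bots:x:1003:deploy
EOF
)"

# gid_of NAME: print the numeric GID of a group name, or fail if it is unknown.
# A typo in a group name must fail loudly; silently emitting an empty list
# would weaken the enforced set.
gid_of() {
    gid=$(printf '%s\n' "$GROUP_DB" | awk -F: -v n="$1" '$1 == n { print $3; exit }')
    [ -n "$gid" ] || { echo "unknown group: $1" >&2; return 1; }
    printf '%s\n' "$gid"
}

# gids_csv NAME...: resolve several group names into the comma-separated GID
# list that the sudo_pair options expect.
gids_csv() {
    out=""
    for name in "$@"; do
        gid=$(gid_of "$name") || return 1
        out="${out:+$out,}$gid"
    done
    printf '%s\n' "$out"
}

# plugin_line ENFORCED_CSV EXEMPTED_CSV: emit the sudo.conf line. sudo_pair is an
# I/O plugin, so this line is added next to the existing sudoers policy plugin
# line rather than replacing it.
plugin_line() {
    printf 'Plugin sudo_pair sudo_pair.so gids_enforced=%s gids_exempted=%s\n' "$1" "$2"
}

# Example policy: members of root, ops or finance-admins must always pair;
# the CI service account group is exempt.
enforced=$(gids_csv root ops finance-admins)
exempted=$(gids_csv ci-bots)
plugin_line "$enforced" "$exempted"
```

Append the emitted line to `/etc/sudo.conf`, then verify with a test account in an enforced group that `sudo` now blocks until a second user approves, and with an exempted account that it does not.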