CentOS 8
Sponsored Link

Initial Settings : Sudo Settings
2019/09/25
 
Configure Sudo to separate users' duty if some people share privileges.
It does not need to install sudo manually because it is installed by default even if Minimal installed environment.
[1] Transfer root privilege all to a user.
[root@dlp ~]#
# add to the end: user [cent] can use all root privilege

cent  ALL=(ALL)       ALL
# how to write ⇒ destination host=(owner) command
# verify with user [cent]

[cent@dlp ~]$
/usr/bin/cat /etc/shadow

/usr/bin/cat: /etc/shadow: Permission denied  
# denied normally
[cent@dlp ~]$
sudo /usr/bin/cat /etc/shadow

Password:    
# user's own password
.....
.....
chrony:!!:18163::::::
tcpdump:!!:18163::::::  
# just executed
[2] In addition to the setting of [1], set some commands prohibit.
[root@dlp ~]#
# line 49: add

# for example, set aliase for the kind of shutdown commands

Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, \
/usr/sbin/poweroff, /usr/sbin/reboot, /usr/sbin/init, /usr/bin/systemctl

# add ( prohibit commands in aliase [SHUTDOWN] )

cent  ALL=(ALL)       ALL, !SHUTDOWN

# verify with user [cent]

[cent@dlp ~]$
sudo /usr/sbin/reboot

[sudo] password for cent:
Sorry, user cent is not allowed to execute '/usr/sbin/reboot' as root on dlp.srv.world.  
# denied normally
[3] Transfer some commands with root privilege to users in a group.
[root@dlp ~]#
# line 51: add

# for example, set aliase for the kind of user managment commands

Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \
/usr/bin/passwd

# add to the end

%usermgr ALL=(ALL) USERMGR
[root@dlp ~]#
groupadd usermgr

[root@dlp ~]#
usermod -G usermgr redhat

# verify with user [redhat]

[redhat@dlp ~]$
sudo /usr/sbin/useradd testuser

[redhat@dlp ~]$
sudo /usr/bin/passwd testuser

Changing password for user testuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.  
# just executed
[4] Transfer a command with root privilege to a user.
[root@dlp ~]#
# add to the end: settings for each user

fedora  ALL=(ALL)       /usr/sbin/visudo
ubuntu  ALL=(ALL)       /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
debian  ALL=(ALL)       /usr/bin/vi

# for example, verify with user [fedora]

[fedora@dlp ~]$
sudo /usr/sbin/visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##  
# just executed
[5] The logs for sudo are kept in [/var/log/secure], but there are many kind of logs in it. So if you'd like to keep only Sudo logs in another file, Configure like follows.
[root@dlp ~]#
# add to the end

# for example, output logs to [local1] facility

Defaults syslog=local1
[root@dlp ~]#
vi /etc/rsyslog.conf
# line 46,47: add like follows

*.info;mail.none;authpriv.none;cron.none;local1.none   /var/log/messages
local1.*                /var/log/sudo.log

# The authpriv file has restricted access.
authpriv.*              /var/log/secure

[root@dlp ~]#
systemctl restart rsyslog

Matched Content