CentOS Stream 9: Sudo Settings

By Fajar Vicky
step-1

Initial Settings

Configure Sudo to separate users' duty if some people share privileges. It does not need to install sudo manually because it is installed by default even if Minimal installed environment.

Step [1] Transfer root privilege all to a user.


[root@bizantum ~]# visudo
# add to the end: user [cent] can use all root privilege
cent  ALL=(ALL)       ALL

# how to write ⇒ destination host=(owner) command
# verify with user [cent]
[cent@bizantum ~]$ /usr/bin/cat /etc/shadow
/usr/bin/cat: /etc/shadow: Permission denied   # denied normally
[cent@bizantum ~]$ sudo /usr/bin/cat /etc/shadow
Password:     # user's own password

.....
.....
systemd-oom:!*:18957::::::
systemd-resolve:!*:18957::::::     # just executed

Step [2] In addition to the setting of Step [1], set some commands prohibit.


[root@bizantum ~]# visudo
# line 25 : add
# for example, set alias for the kind of shutdown commands
Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, \
/usr/sbin/poweroff, /usr/sbin/reboot, /usr/sbin/init, /usr/bin/systemctl

# add ( prohibit commands in alias [SHUTDOWN] )
cent  ALL=(ALL)       ALL, !SHUTDOWN

# verify with user [cent]
[cent@bizantum ~]$ sudo /usr/sbin/reboot
[sudo] password for cent:
Sorry, user cent is not allowed to execute '/usr/sbin/reboot' as root on bizantum.local.   # denied normally

Step [3] Transfer some commands with root privilege to users in a group. 


[root@bizantum ~]# visudo
# line 25 : add
# for example, set alias for the kind of user management commands
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \
/usr/bin/passwd

# add to the end
%usermgr ALL=(ALL) USERMGR

[root@bizantum ~]# groupadd usermgr
[root@bizantum ~]# usermod -aG usermgr redhat
# verify with user [redhat]
[redhat@bizantum ~]$ sudo /usr/sbin/useradd testuser
[redhat@bizantum ~]$ sudo /usr/bin/passwd testuser
Changing password for user testuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.   # just executed

Step [4] Transfer a command with root privilege to a user


[root@bizantum ~]# visudo
# add to the end : settings for each user
fedora  ALL=(ALL)       /usr/sbin/visudo
ubuntu  ALL=(ALL)       /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
debian  ALL=(ALL)       /usr/bin/vi

# for example, verify with user [fedora]
[fedora@bizantum ~]$ sudo /usr/sbin/visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##   # just executed

Step [5] It's possible to display Sudo logs on Journald ( with [journalctl] command ) or Rsyslogd ( in [/var/log/secure] file ), however, if you'd like to keep only Sudo logs in another file, Configure like follows.


[root@bizantum ~]# visudo
# add to the end
# for example, output logs to [local1] facility
Defaults syslog=local1
[root@bizantum ~]# vi /etc/rsyslog.conf
# line 46,47 : add like follows
*.info;mail.none;authpriv.none;cron.none;local1.none    /var/log/messages
local1.*                                                /var/log/sudo.log

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

[root@bizantum ~]# systemctl restart rsyslog

Comments

Post a Comment

Thank you for your comment! We appreciate your feedback, feel free to check out more of our articles.
Best regards, Bizantum Blog Team.

Popular posts from this blog

Cyber Security: ISO 27001 Overview

Cyber Security: ISO 27001 Overview

Introduction ISO 27001 is an international standard for information security management systems (ISMS). It provides a framework for managing sensitive company information to ensure it remains secure. Understanding ISO 27001 is crucial for organizations aiming to protect their information assets.
Continue reading
By Fajar Vicky
Comprehensive Guide to Windows Subsystem for Linux (WSL): Benefits, Setup, and Usage

Comprehensive Guide to Windows Subsystem for Linux (WSL): Benefits, Setup, and Usage

Introduction Windows Subsystem for Linux (WSL) is a compatibility layer for running Linux binary executables natively on Windows 10, Windows 11, and Windows Server. It allows users to run a GNU/Linux environment directly on Windows, including most command-line tools, utilities, and applications.
Continue reading
By
Ultimate Guide to COBIT: Framework, Benefits, Implementation, and Impact

Ultimate Guide to COBIT: Framework, Benefits, Implementation, and Impact

Introduction COBIT (Control Objectives for Information and Related Technologies) is a globally recognized framework for managing and governing enterprise IT. It provides comprehensive guidelines for organizations to achieve their objectives through the effective use of IT.
Continue reading
By
Understanding ISO/IEC 20000: A Comprehensive Guide to IT Service Management

Understanding ISO/IEC 20000: A Comprehensive Guide to IT Service Management

Introduction ISO/IEC 20000 is an international standard for IT Service Management (ITSM). It provides a framework for managing and delivering IT services that meet business needs and customer requirements. The standard ensures consistent and high-quality IT service delivery through a set of processes and best practices.
Continue reading
By
Top SEO Tools for Digital Marketing: A Comprehensive Guide

Top SEO Tools for Digital Marketing: A Comprehensive Guide

Introduction In today's digital landscape, search engine optimization (SEO) is a critical component for any business looking to enhance its online presence and drive organic traffic. With the myriad of SEO tools available, navigating the digital marketing space can seem daunting. To streamline your efforts and achieve optimal results, it's essential to leverage the right tools that cater to your specific needs.
Continue reading
By Fajar Vicky
Debian 12 Bookworm: Install Kubeadm

Debian 12 Bookworm: Install Kubeadm

Introduction In this article, we will explore the what, who, where, when, why, and how of Kubeadm functionality on the Debian 12 Bookworm platform, so let's get started.
Continue reading
By