Initial Settings : Sudo Settings

 Configure Sudo to separate users' duty if some people share privileges.

It does not need to install sudo manually because it is installed by default even if Minimal installed environment.

[1]. Transfer root privilege all to a user.

[root@dlp ~]# visudo

# add to the end: user [cent] can use all root privilege

cent  ALL=(ALL)       ALL

# how to write ⇒ destination host=(owner) command

# verify with user [cent]

[cent@dlp ~]$ /usr/bin/cat /etc/shadow

/usr/bin/cat: /etc/shadow: Permission denied   # denied normally

[cent@dlp ~]$ sudo /usr/bin/cat /etc/shadow

Password:     # user's own password

.....

.....

chrony:!!:18163::::::

tcpdump:!!:18163::::::   # just executed

[2]. In addition to the setting of [1], set some commands prohibit.

[root@dlp ~]# visudo

# line 49: add

# for example, set aliase for the kind of shutdown commands

Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, \

/usr/sbin/poweroff, /usr/sbin/reboot, /usr/sbin/init, /usr/bin/systemctl


# add ( prohibit commands in aliase [SHUTDOWN] )

cent  ALL=(ALL)       ALL, !SHUTDOWN


# verify with user [cent]

[cent@dlp ~]$ sudo /usr/sbin/reboot

[sudo] password for cent:

Sorry, user cent is not allowed to execute '/usr/sbin/reboot' as root on dlp.srv.world.   # denied normally

[3]. Transfer some commands with root privilege to users in a group.

[root@dlp ~]# visudo

# line 51: add

# for example, set aliase for the kind of user managment commands

Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \

/usr/bin/passwd


# add to the end

%usermgr ALL=(ALL) USERMGR

[root@dlp ~]# groupadd usermgr

[root@dlp ~]# usermod -G usermgr redhat

# verify with user [redhat]

[redhat@dlp ~]$ sudo /usr/sbin/useradd testuser

[redhat@dlp ~]$ sudo /usr/bin/passwd testuser

Changing password for user testuser.

New UNIX password:

Retype new UNIX password:

passwd: all authentication tokens updated successfully.   # just executed

[4]. Transfer a command with root privilege to a user.

[root@dlp ~]# visudo

# add to the end: settings for each user

fedora  ALL=(ALL)       /usr/sbin/visudo

ubuntu  ALL=(ALL)       /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd

debian  ALL=(ALL)       /usr/bin/vi


# for example, verify with user [fedora]

[fedora@dlp ~]$ sudo /usr/sbin/visudo

## Sudoers allows particular users to run various commands as

## the root user, without needing the root password.

##   # just executed

[5]. The logs for sudo are kept in [/var/log/secure], but there are many kind of logs in it. So if you'd like to keep only Sudo logs in another file, Configure like follows.

[root@dlp ~]# visudo

# add to the end

# for example, output logs to [local1] facility

Defaults syslog=local1

[root@dlp ~]# vi /etc/rsyslog.conf

# line 46,47: add like follows

*.info;mail.none;authpriv.none;cron.none;local1.none   /var/log/messages

local1.*                /var/log/sudo.log


# The authpriv file has restricted access.

authpriv.*              /var/log/secure


[root@dlp ~]# systemctl restart rsyslog

Comments

Post a Comment

Popular posts from this blog

LINUX Move and copy files using SSH

Often you will need to move one or more files/folders or copy them to a different location. You can do so easily using an SSH connection. The commands which you would need to use are mv (short from move) and cp (short from copy). The mv command syntax looks like this: mv configuration.php-dist configuration.php By issuing the above command we will move (rename) the file configuration.php-dist to configuration.php. You can also use mv to move a whole directory and its content: mv includes/* ./ This will move all files (and folders) in the includes/ directory to the current working directory. In some cases however, we will need to only update the files and move only files that were changed, which we can do by passing ‘ -u ’ as argument to the command: mv -u includes/* admin/includes The copy (cp) command works the same way as mv, but instead of moving the files/folders it copies them. For example: cp configuration.php-dist configuration.php The command will copy the co
Read more

Java : Variables Declaring

[1]. Java Variables Variables are containers for storing data values. In Java, there are different types of variables, for example: String - stores text, such as "Hello". String values are surrounded by double quotes int - stores integers (whole numbers), without decimals, such as 123 or -123 float - stores floating point numbers, with decimals, such as 19.99 or -19.99 char - stores single characters, such as 'a' or 'B'. Char values are surrounded by single quotes boolean - stores values with two states: true or false [2]. Declaring (Creating) Variables To create a variable, you must specify the type and assign it a value: Syntax type variable = value ; Where type is one of Java's types (such as int or String), and variable is the name of the variable (such as x or name). The equal sign is used to assign values to the variable. To create a variable that should store text, look at the following example: Example Create a variable called  name  of type  Stri
Read more

SQL Self JOIN

SQL Self JOIN A self JOIN is a regular join, but the table is joined with itself. Self JOIN Syntax SELECT column_name(s) FROM table1 T1, table1 T2 WHERE condition; T1 and T2 are different table aliases for the same table.
Read more