Although the steps on this site are not written to use the sudo command, the growing compliance requirements of recent years have made it important for enterprise security to deal with this. When many people are simply allowed to become root, accidents happen through human error even without any malice.
By using sudo, you can delegate authority and separate privileges so that root privilege is not handed out wholesale, you do not have to give out the root password, and the trail it leaves is useful as audit evidence.
(If you configure SELinux firmly, which is included by default, or introduce other access control software, you get better protection than sudo gives, but such software costs a great deal to operate and takes a long time to introduce, whereas sudo can be introduced quickly and at little cost.) Thus, at an early stage of building the server, you should set up sudo according to your segregation-of-duties policy.
It is also better to restrict the su command when you set up sudo. For the su restriction, refer to the Initial Settings section, item [3]. With that setting, only users who belong to the "wheel" group are allowed to switch to another user, including root, with su. Conversely, users who do not belong to "wheel" cannot switch to any other user with su, not only root.
In addition, because sudo is included even in the default minimum installation, you do not need to install anything new.
[1] Delegate all root privileges to a specific user

[root@dlp ~]# visudo
# append to the last line: all root privileges are available to the user "cent"
cent ALL=(ALL) ALL
# format: user  host = (run-as user)  command

# test with the user "cent"
[cent@dlp ~]$ shutdown -r now
shutdown: Need to be root
# normally denied
[cent@dlp ~]$ sudo shutdown -r now
Password:
# cent's own password
The system is going down for reboot NOW!
# it ran
[2] In addition to the setting in [1], disallow certain commands

[root@dlp ~]# visudo
# add around line 49 (anywhere suitable): define a command alias for system shutdown
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \
                      /sbin/poweroff, /sbin/reboot, /sbin/init
# change the line set in [1]: everything is allowed except the alias "SHUTDOWN"
cent ALL=(ALL) ALL, !SHUTDOWN

# test with the user "cent"
[cent@dlp ~]$ sudo shutdown -r now
Sorry, user cent is not allowed to execute '/sbin/shutdown -r now' as root on dlp.server.world.
# denied
[3] Delegate specific commands that require root privileges to users who belong to a particular group

[root@dlp ~]# visudo
# add around line 51 (anywhere suitable): define a command alias for user management
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \
                     /usr/bin/passwd
# append to the last line: allow users who belong to the group "usermgr" to run the commands defined in "USERMGR"
%usermgr ALL=(ALL) USERMGR
[root@dlp ~]# groupadd usermgr
[root@dlp ~]# vi /etc/group
# add the user to the group
usermgr:x:502:cent

# test with the user "cent"
[cent@dlp ~]$ sudo useradd testuser
[cent@dlp ~]$
# successful
[cent@dlp ~]$ sudo passwd testuser
Changing password for user testuser.
New UNIX password:
# set the password of testuser
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[4] Delegate specific commands that require root privileges to specific users

[root@dlp ~]# visudo
# append to the last line: permission settings for specific commands, per user
cent   ALL=(ALL) /usr/sbin/visudo
fedora ALL=(ALL) /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
ubuntu ALL=(ALL) /bin/vi

# test with the user "cent"
[cent@dlp ~]$ sudo visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
# it opens normally, and you can also edit and save

# test with the user "fedora"
[fedora@dlp ~]$ sudo useradd testuser
[fedora@dlp ~]$
# successful

# test with the user "ubuntu"
[ubuntu@dlp ~]$ sudo vi /boot/grub/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
# it opens normally, and you can also edit and save
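The fragments in [1] to [4] all use the same small grammar: a user or %group, a host, an optional (run-as) list, and a comma-separated command list in which Cmnd_Alias names, ALL and a leading "!" may appear, with sudo deciding by the last entry that matches. The script below is an added example, not code from this page or from the sudo project: it parses a constructed sudoers text that combines [2], [3] and [4], and answers whether a given user may run a given command, so you can sanity-check a policy before it goes into visudo. It models only the directives the page uses, and the user "alice" and her group membership are constructed for the test.

```python
"""Toy evaluator for the sudoers rules used on this page.

Added example, not code from the page or from sudo itself. It models only
what the page uses: Cmnd_Alias, user and %group specs, host, a (run-as) list,
ALL and '!' negation, and applies sudo's rule that the last matching entry
decides. The fragment below is constructed by combining steps [2] to [4].
"""
import shlex

SUDOERS = r"""
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
Defaults syslog=local1
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \
                      /sbin/poweroff, /sbin/reboot, /sbin/init
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \
                     /usr/bin/passwd
cent     ALL=(ALL) ALL, !SHUTDOWN
%usermgr ALL=(ALL) USERMGR
cent     ALL=(ALL) /usr/sbin/visudo
fedora   ALL=(ALL) /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
ubuntu   ALL=(ALL) /bin/vi
"""


def _logical_lines(text):
    """Drop comments and blank lines, and join lines continued with a backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""


def parse_sudoers(text):
    """Return (command aliases, rules); a rule is (who, host, runas, [command specs])."""
    aliases, rules = {}, []
    for line in _logical_lines(text):
        if line.startswith("Defaults"):
            continue                      # options are not access rules
        if line.startswith("Cmnd_Alias"):
            name, _, cmds = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        who, _, rest = line.partition(" ")
        host, _, rest = rest.strip().partition("=")
        rest, runas = rest.strip(), "ALL"
        if rest.startswith("("):          # explicit run-as list, e.g. (ALL)
            runas, _, rest = rest[1:].partition(")")
        rules.append((who, host.strip(), runas.strip(),
                      [c.strip() for c in rest.split(",")]))
    return aliases, rules


def _expand(entry, aliases):
    """Turn 'NAME' or '!NAME' into (negated, command) pairs, resolving aliases."""
    negated = entry.startswith("!")
    name = entry.lstrip("!").strip()
    return [(negated, cmd) for cmd in aliases.get(name, [name])]


def _cmd_matches(spec, command):
    """A path-only spec allows any arguments; a spec with arguments must match exactly."""
    if spec == "ALL":
        return True
    spec_argv, cmd_argv = shlex.split(spec), shlex.split(command)
    if len(spec_argv) == 1:
        return cmd_argv[:1] == spec_argv
    return cmd_argv == spec_argv


def may_run(policy, user, groups, host, runas, command):
    """Evaluate every matching rule in file order; the last entry that matches wins."""
    aliases, rules = policy
    verdict = False
    for who, rule_host, rule_runas, specs in rules:
        if who.startswith("%"):
            if who[1:] not in groups:
                continue
        elif who != user:
            continue
        if rule_host not in ("ALL", host) or rule_runas not in ("ALL", runas):
            continue
        for entry in specs:
            for negated, spec in _expand(entry, aliases):
                if _cmd_matches(spec, command):
                    verdict = not negated
    return verdict


POLICY = parse_sudoers(SUDOERS)


def check(user, groups, command, host="dlp.server.world", runas="root"):
    """Would `sudo <command>` be permitted for this user on this host?"""
    return may_run(POLICY, user, set(groups), host, runas, command)


if __name__ == "__main__":
    for user, groups, cmd in [
        ("cent", ["cent"], "/sbin/shutdown -r now"),
        ("cent", ["cent"], "/usr/sbin/visudo"),
        ("fedora", ["fedora"], "/usr/sbin/useradd testuser"),
        ("alice", ["alice", "usermgr"], "/usr/bin/passwd testuser"),  # alice: constructed user
        ("alice", ["alice", "usermgr"], "/sbin/reboot"),
    ]:
        print(f"{user:7} {cmd:32} -> {'allowed' if check(user, groups, cmd) else 'denied'}")
```

On a real host, `visudo -c` only checks the file's syntax; `sudo -l -U <user>` (run as root) shows what a user ends up being allowed to run, which is the check that matters after each change. Note also that a path-only entry such as /bin/vi or /usr/sbin/visudo permits any arguments, and an editor can start other programs, so such a grant is effectively unrestricted; sudo's `sudoedit` and the `NOEXEC` tag exist to narrow it.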
[5] By default, the log of sudo executions goes to /var/log/secure. Because /var/log/secure is not only sudo's log, you need to do something when you only want to see the sudo entries: you can pick them out with "grep 'sudo' /var/log/secure", or you can record sudo's log in a separate file as follows.

[root@dlp ~]# visudo
# append to the last line: send sudo's log to the local1 facility
Defaults syslog=local1
[root@dlp ~]# vi /etc/rsyslog.conf
# add around line 42, next to the existing authpriv line
local1.*    /var/log/sudo.log
authpriv.*  /var/log/secure
[root@dlp ~]# /etc/rc.d/init.d/rsyslog restart
Shutting down system logger:    [  OK  ]
Starting system logger:         [  OK  ]
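Whether sudo's entries stay in /var/log/secure or go to /var/log/sudo.log, each has the same shape: the invoking user, then, only when the request was refused, a reason, then TTY, PWD, USER (the run-as user) and COMMAND, separated by " ; ". The script below is an added example, not code from this page: it parses constructed log lines in that format, skips the unrelated sshd and PAM lines that share the file, and summarises allowed and refused invocations per user, which is the review the audit trail is kept for. The timestamps, users and commands in the sample are constructed.

```python
"""Parse sudo's syslog entries out of /var/log/secure (or /var/log/sudo.log).

Added example, not code from the page. sudo writes one line per invocation:
"<user> : [<reason> ;] TTY=... ; PWD=... ; USER=<run-as> ; COMMAND=...", and
the reason is present only when the request was refused.
"""
import re

# Constructed sample of /var/log/secure: sshd, sudo and PAM lines mixed together.
SAMPLE_LOG = """\
Jan  5 10:22:00 dlp sshd[1234]: Accepted publickey for cent from 10.0.0.5 port 55234 ssh2
Jan  5 10:23:45 dlp sudo:     cent : TTY=pts/0 ; PWD=/home/cent ; USER=root ; COMMAND=/sbin/shutdown -r now
Jan  5 10:24:01 dlp sudo:     cent : command not allowed ; TTY=pts/0 ; PWD=/home/cent ; USER=root ; COMMAND=/sbin/shutdown -r now
Jan  5 10:25:10 dlp sudo: pam_unix(sudo:auth): authentication failure; logname=cent uid=500 euid=0 tty=/dev/pts/0 ruser=cent rhost=  user=cent
Jan  5 10:25:10 dlp sudo:     cent : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/cent ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jan  5 10:30:00 dlp sudo:   fedora : TTY=pts/1 ; PWD=/home/fedora ; USER=root ; COMMAND=/usr/sbin/useradd testuser
"""

# The optional reason group is what separates a refused request from a granted one.
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<command>.*)$"
)


def parse_sudo_log(text):
    """Return one dict per sudo invocation; lines from other daemons are skipped."""
    entries = []
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["allowed"] = entry["reason"] is None
        entries.append(entry)
    return entries


def audit_summary(entries):
    """Count allowed and refused invocations per invoking user."""
    summary = {}
    for e in entries:
        counts = summary.setdefault(e["user"], {"allowed": 0, "denied": 0})
        counts["allowed" if e["allowed"] else "denied"] += 1
    return summary


def denied_commands(entries):
    """(user, command, reason) for every refused request: the lines to review first."""
    return [(e["user"], e["command"], e["reason"]) for e in entries if not e["allowed"]]


if __name__ == "__main__":
    parsed = parse_sudo_log(SAMPLE_LOG)
    for user, counts in audit_summary(parsed).items():
        print(f"{user:8} allowed={counts['allowed']} denied={counts['denied']}")
    for user, command, reason in denied_commands(parsed):
        print(f"REVIEW {user}: {command!r} ({reason})")
```

Run against the real file the same way you would use the grep on this page (read /var/log/secure or /var/log/sudo.log instead of SAMPLE_LOG); the "denied" rows are the ones a reviewer should look at, since they show both policy refusals and repeated wrong passwords for a sudo user.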