Blog | G5 Cyber Security

Sudo Hardening: Best Practices

G5 Cyber Security

TL;DR

This guide shows you how to make sudo more secure on your Linux system. We’ll cover restricting user access, logging, and preventing common mistakes.

1. Restrict User Access with /etc/sudoers

The /etc/sudoers file controls who can use sudo and what commands they can run. Never edit this file directly with a text editor! Use the visudo command instead. This provides syntax checking to prevent locking yourself out.

  1. Open /etc/sudoers safely:
    2. sudo visudo
  2. Grant specific commands: Instead of giving users full root access, allow only the commands they need. For example, to let a user restart Apache: 
    username ALL=(root) /usr/sbin/service apache2 restart
  3. Use groups: Add users to a group and grant permissions to the group instead of individual users. This is easier to manage. 
    %admin ALL=(ALL) ALL

    (This allows all members of the ‘admin’ group full sudo access – use with caution!)

  4. NOPASSWD: Avoid using NOPASSWD unless absolutely necessary. It removes the password prompt, reducing security.

2. Logging and Auditing

Good logging is essential for detecting misuse of sudo.

  1. Check syslog: sudo logs to your system’s syslog (usually in /var/log/auth.log or /var/log/syslog). Review these logs regularly for suspicious activity.
  2. Configure logging options: You can adjust the level of detail logged in /etc/sudoers using the log_output option. 
    Defaults log_output=SYSLOG,PRIVILEGED

    (This logs all privileged commands to syslog.)

  3. Consider auditd: For more advanced auditing, use the auditd system. This allows you to track specific sudo events in detail.

3. Prevent Common Mistakes

These steps help avoid common security pitfalls.

  1. Disable root login: Prevent direct root logins via SSH. Use sudo instead.
  2. Secure tty settings: Restrict access to the root account through tty devices in /etc/securetty`.
  3. Avoid wildcard characters: Don't use wildcards (*) in /etc/sudoers unless you fully understand the implications. They can easily grant unintended permissions.
  4. Regularly review /etc/sudoers: Periodically check your /etc/sudoers file to ensure it still reflects your security needs and that no unauthorized changes have been made.

4. Using `sudo -l` for Verification

The sudo -l command is a useful tool for checking what commands a user can run with sudo.

  1. Check user permissions: Run sudo -l -U username to see the list of allowed commands for that user.

5. Cyber security Best Practice: Principle of Least Privilege

Always grant users only the minimum necessary privileges they need to perform their tasks. This limits the potential damage from compromised accounts.

Exit mobile version