Objective
The goal is to standardize permission management on the company's Linux systems so that each user has only their own permissions. This prevents users with overly broad permissions from making a mistake that stops the server from functioning properly.
Operation
1. Edit the sudoers file in the Linux system
    [[email protected] ~]# vim /etc/sudoers
    #edit by root
    User_Alias NETMAN = net01, net02    # user alias
    User_Alias ADMIN = admin01, admin02
    User_Alias SA = %sa
    # Alias names must be all uppercase; the members after an alias are separated by a comma (,) plus a space
    Cmnd_Alias NETCMD = /sbin/ifconfig, /etc/init.d/network    # command alias
    Cmnd_Alias ADMINCMD = /usr/sbin/useradd, /usr/sbin/userdel
    NETMAN ALL = (ALL) NETCMD
    ADMIN ALL = (ALL) ADMINCMD
    SA ALL = (ALL) ALL
In the /etc/sudoers file, define the aliases (an alias is a named collection of items that share the same attributes).
Aliases include: host alias (Host_Alias), user alias (User_Alias), command alias (Cmnd_Alias), identity alias (Runas_Alias)
(Host aliases and identity aliases are used less often; host aliases are for multiple servers sharing the same sudoers file.)
The location of the alias and sudoers configuration is:
[Image: QQ picture 20140108095139.jpg]
Note:
① A user referenced in an identity alias must actually exist on the system.
② The path in a command alias must be an absolute path.
③ When referencing a user group, prefix the group name with %.
2. Verify the sudoers configuration above
    [[email protected] ~]# su - net01
    [[email protected] ~]$ sudo -l    # view the sudo privileges the user has
    [sudo] password for net01:
    User net01 may run the following commands on this host:
        (ALL) /sbin/ifconfig, /etc/init.d/network
    [[email protected] ~]# su - admin01
    [[email protected] ~]$ sudo -l
    User admin01 may run the following commands on this host:
        (ALL) /usr/sbin/useradd, /usr/sbin/userdel
    [[email protected] ~]# id nowsun
    uid=500(nowsun) gid=508(sa) groups=508(sa)
    [[email protected] ~]# su - nowsun
    [[email protected] ~]$ sudo -l
    [sudo] password for nowsun:
    User nowsun may run the following commands on this host:
        (ALL) ALL
Comparing the output shows that it is consistent with the configuration in /etc/sudoers.
3. Configure sudo log auditing
① Install sudo (the service in CentOS 6.4 is rsyslog)
    [[email protected] ~]# yum install sudo
② Configure /etc/sudoers
    [[email protected] ~]# echo "Defaults logfile=/var/log/sudo/log" >> /etc/sudoers
    [[email protected] ~]# tail -1 /etc/sudoers
    Defaults logfile=/var/log/sudo/log
③ As a normal user, run sudo commands
    [[email protected] /]$ sudo ls
    app  boot  etc  lib  lost+found  misc  net  proc  sbin  srv  tmp  var
    bin  dev  home  lib64  media  mnt  opt  root  selinux  sys  usr
    [[email protected] /]$ sudo /usr/sbin/useradd kkk
    useradd: user kkk exists
④ View the /var/log/sudo/log log file
    [[email protected] ~]# cat /var/log/sudo/log
    Jan  8 10:44:45 : nowsun : TTY=pts/1 ; PWD=/home/nowsun ; USER=root ; COMMAND=/bin/ls
    Jan  8 10:44:51 : nowsun : TTY=pts/1 ; PWD=/home/nowsun ; USER=root ; COMMAND=/bin/ls
    Jan  8 10:44:57 : nowsun : TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/bin/ls
    Jan  8 10:45:36 : nowsun : TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/useradd kkk
The commands have been recorded. This log can then be used to track down the real culprit behind any damage to the system.
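Added example (not part of the original article): one way to audit the /var/log/sudo/log file configured above is to parse each entry and report who ran, or was denied, the account-management commands. The sample log lines, the net01 denied entry, the WATCHED list and the function names are constructed for illustration; the parser also joins entries that sudo wraps onto indented continuation lines.

```python
import re
from collections import defaultdict

# Constructed sample in sudo's file-log layout, modelled on the entries above.
# Long entries are wrapped onto an indented continuation line (sudoers
# "loglinelen" option); the net01 entry is a constructed denied attempt.
SAMPLE_LOG = """\
Jan  8 10:44:45 : nowsun : TTY=pts/1 ; PWD=/home/nowsun ; USER=root ;
    COMMAND=/bin/ls
Jan  8 10:45:36 : nowsun : TTY=pts/1 ; PWD=/ ; USER=root ;
    COMMAND=/usr/sbin/useradd kkk
Jan  8 10:50:02 : net01 : command not allowed ; TTY=pts/2 ; PWD=/home/net01 ;
    USER=root ; COMMAND=/usr/sbin/userdel kkk
"""
ENTRY = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) : (\S+) : (.*)$")
# Hypothetical watch list: the account-management commands from ADMINCMD.
WATCHED = {"/usr/sbin/useradd", "/usr/sbin/userdel"}

def parse_sudo_log(text):
    """Return one dict per entry, joining wrapped continuation lines."""
    joined = []
    for line in text.splitlines():
        if line[:1].isspace() and joined:
            joined[-1] += " " + line.strip()
        elif line.strip():
            joined.append(line.rstrip())
    entries = []
    for line in joined:
        m = ENTRY.match(line)
        if not m:
            continue
        rec = {"when": m.group(1), "user": m.group(2), "note": ""}
        # COMMAND is always last and may contain " ; ", so split it off first.
        head, _, rec["COMMAND"] = m.group(3).partition("COMMAND=")
        for field in head.split(" ; "):
            key, sep, value = field.strip().partition("=")
            if sep:
                rec[key] = value
            elif key:
                rec["note"] = key  # e.g. "command not allowed"
        entries.append(rec)
    return entries

def watched_commands(entries, watched=WATCHED):
    """Group watch-listed commands (allowed or denied) by invoking user."""
    hits = defaultdict(list)
    for e in entries:
        if e["COMMAND"].split(" ", 1)[0] in watched:
            hits[e["user"]].append((e["when"], e["COMMAND"], e["note"]))
    return dict(hits)
```

Calling `watched_commands(parse_sudo_log(open("/var/log/sudo/log").read()))` as root applies the same check to the real log file.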
This article is from the "Nowsun" blog, make sure to keep this source http://nowsun.blog.51cto.com/522159/1427337