Deep understanding of sudo,
[root@cairui ~]# cat /etc/sudoers
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults    !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
Note: after modifying the file, check it for errors.
sudo -l lists the sudo rules that apply to the current user.
1. Aliases in the sudoers configuration file
(1) Host_Alias (host alias)
Host aliases are rarely used in production environments.
root ALL=(ALL) ALL    # the first ALL is the position where a host alias is applied
(2) User_Alias (user alias)
To use a user group here, prefix the group name with %.
root ALL=(ALL) ALL    # root is the position where a user alias is applied
User_Alias ADMINS = jsmith, mikem
(3) Runas_Alias (run-as alias)
This alias specifies the target identity, that is, the user that sudo allows the caller to switch to.
root ALL=(ALL) ALL    # the ALL in parentheses is the position where a Runas alias is applied
Runas_Alias OP = root
(4) Cmnd_Alias (command alias)
Defines an alias that groups a set of related commands.
root ALL=(ALL) ALL    # the last ALL is the position where a command alias is applied
Cmnd_Alias DRIVERS = /sbin/modprobe
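The four alias positions above are easiest to see when the aliases are expanded back into the rule they sit in. The following script is an added example (not code from the original article): it parses the subset of sudoers syntax used on this page (the four alias kinds and one-line user specifications of the form `user HOST=(RUNAS) [NOPASSWD:] commands`), expands every alias, and reports which entries grant full root. The sample policy is constructed from the definitions shown on this page; the real `visudo -c` and `sudo -l` remain the authoritative checks, since full sudoers syntax (Defaults, includes, tags other than NOPASSWD) is not handled here.

```python
"""Expand sudoers aliases and report what each user specification grants.

Added example, not part of the original article. Handles only the subset of
sudoers syntax used on the page: Host_Alias / User_Alias / Runas_Alias /
Cmnd_Alias definitions and one-line user specifications of the form
    user_or_%group  HOST = (RUNAS) [NOPASSWD:] cmd, cmd ...
"""
import re

# Constructed sample policy, assembled from the aliases and rules shown on the page.
SAMPLE_SUDOERS = """
# comments and blank lines are ignored
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
Cmnd_Alias DRIVERS = /sbin/modprobe
User_Alias ADMINS = jsmith, mikem
Runas_Alias OP = root
Host_Alias FILESERVERS = fs1, fs2
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
%sys    ALL = NETWORKING, SOFTWARE, DRIVERS
ADMINS  FILESERVERS=(OP) SOFTWARE
%users  localhost=/sbin/shutdown -h now
"""

ALIAS_RE = re.compile(r"^(Host_Alias|User_Alias|Runas_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$")
# who  hosts = (runas)?  NOPASSWD:?  commands
SPEC_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(NOPASSWD:\s*)?(.+)$")


def _split_list(text):
    return [item.strip() for item in text.split(",")]


def parse_sudoers(text):
    """Return (aliases by kind, list of raw user specifications)."""
    aliases = {"Host_Alias": {}, "User_Alias": {}, "Runas_Alias": {}, "Cmnd_Alias": {}}
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (also drops #includedir lines)
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            aliases[kind][name] = _split_list(members)
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: " + line)
        who, hosts, runas, nopasswd, cmds = m.groups()
        specs.append({
            "who": who,
            "hosts": _split_list(hosts),
            # sudo's default run-as user is root when no (RUNAS) list is given
            "runas": _split_list(runas or "root"),
            "nopasswd": bool(nopasswd),
            "cmds": _split_list(cmds),
        })
    return aliases, specs


def expand(items, table):
    """Replace alias names with their members, recursively; ALL and plain names pass through."""
    out = []
    for item in items:
        if item in table:
            out.extend(expand(table[item], table))
        else:
            out.append(item)
    return out


def effective_grants(text):
    """Every user specification with all four alias positions expanded."""
    aliases, specs = parse_sudoers(text)
    return [{
        "who": expand([s["who"]], aliases["User_Alias"]),
        "hosts": expand(s["hosts"], aliases["Host_Alias"]),
        "runas": expand(s["runas"], aliases["Runas_Alias"]),
        "nopasswd": s["nopasswd"],
        "cmds": expand(s["cmds"], aliases["Cmnd_Alias"]),
    } for s in specs]


def unrestricted_grants(grants):
    """Entries equivalent to full root: any command, as any user. NOPASSWD ones deserve a second look."""
    return [g for g in grants if "ALL" in g["cmds"] and "ALL" in g["runas"]]


if __name__ == "__main__":
    for g in effective_grants(SAMPLE_SUDOERS):
        tag = "NOPASSWD " if g["nopasswd"] else ""
        print(f"{','.join(g['who'])} on {','.join(g['hosts'])} as {','.join(g['runas'])}: "
              f"{tag}{', '.join(g['cmds'])}")
```

Running it prints one expanded line per rule; `unrestricted_grants` picks out the `root` and `%wheel` entries, and the `nopasswd` flag on the latter is the one an auditor would question first.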
2. sudo log auditing
(1) Logging options in a production environment
A. Record every operation through syslog; this yields a large volume of data that is hard to review.
B. Send sudo's logs to the syslog service and audit them there.
C. Audit through the logs of a bastion (jump) host.
D. Install a bash auditing tool that records user operations.
(2) Using sudo together with syslog for log auditing
Install the sudo and syslog services.
Configure the service.
Create the log directory:
[root@localhost ~]# mkdir -p /var/log/
Check the system version: on 6.x the configuration file is /etc/rsyslog.conf, on 5.x it is /etc/syslog.conf.
The above is the rsyslog configuration file
The above is the sudoers configuration file
Test results:
[root@localhost ~]# su - cairui
[cairui@localhost ~]$ sudo visudo
[sudo] password for cairui:
visudo: /etc/sudoers.tmp unchanged
[cairui@localhost ~]$ cd /tmp/
[cairui@localhost tmp]$ touch 123.txt
[cairui@localhost tmp]$ sudo ll
sudo: ll: command not found
[cairui@localhost tmp]$ sudo ls -ll
total 0
-rw-rw-r-- 1 cairui cairui 0 Feb 12 09:41 123.txt
-rw-------. 1 root root 0 Feb 9 09:57 yum.log
[cairui@localhost tmp]$ sudo cat /var/log/sudo.log
Feb 12 09:41:19 : cairui : TTY=pts/0 ; PWD=/home/cairui ; USER=root ; COMMAND=/usr/sbin/visudo
Feb 12 09:41:47 : cairui : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/ls -ll
Feb 12 09:42:12 : cairui : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cat /var/log/sudo.log
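The log lines in the test output are the layout sudo produces when it writes its own log file (the `Defaults logfile=` setting), with the fields separated by ` ; `. Reviewing such a file by eye does not scale, so the script below is an added example (not code from the original article) that parses those lines into records and flags the events an auditor cares about: denied commands, changes to the sudo policy itself, interactive shells, and reads of the audit log. The sample log is constructed from the three lines shown above plus one constructed denied entry; the `command not allowed` wording for a denied line and the watch list are assumptions for the example, not something stated on the page.

```python
"""Parse sudo's own log file and flag events worth an auditor's attention.

Added example, not part of the original article. Assumes the line layout
shown in the article's test output:
    Feb 12 09:41:47 : cairui : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/ls -ll
Denied commands are assumed to carry a reason field before TTY=, e.g.
    ... : jsmith : command not allowed ; TTY=pts/1 ; ...
"""
import re

# Constructed sample: the three lines from the article's output plus one constructed denial.
SAMPLE_LOG = """\
Feb 12 09:41:19 : cairui : TTY=pts/0 ; PWD=/home/cairui ; USER=root ; COMMAND=/usr/sbin/visudo
Feb 12 09:41:47 : cairui : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/ls -ll
Feb 12 09:42:12 : cairui : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cat /var/log/sudo.log
Feb 12 09:50:03 : jsmith : command not allowed ; TTY=pts/1 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/bash
"""

LINE_RE = re.compile(
    r"^(?P<when>\w{3} +\d{1,2} \d\d:\d\d:\d\d) : (?P<user>\S+) : "
    r"(?:(?P<reason>[^;]*?) ; )?"          # optional denial reason (assumed wording)
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>[^;]+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<command>.*)$"
)

# Programs that change the sudo policy or hand out an interactive root shell (assumed watch list).
WATCH = {"/usr/sbin/visudo", "/bin/bash", "/bin/sh", "/bin/su"}
# Reads or edits of these files are flagged because they touch the audit trail itself.
LOG_FILES = ("/var/log/sudo.log", "/var/log/secure")


def parse_sudo_log(text):
    """Turn log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["allowed"] = ev["reason"] is None      # no reason field means sudo ran the command
        ev["program"] = ev["command"].split(" ", 1)[0]
        events.append(ev)
    return events


def flag_events(events):
    """Return (when, user, command, reasons) for every event that matches a rule."""
    alerts = []
    for ev in events:
        reasons = []
        if not ev["allowed"]:
            reasons.append("denied: " + ev["reason"])
        if ev["program"] in WATCH:
            reasons.append("watched program")
        if any(path in ev["command"] for path in LOG_FILES):
            reasons.append("touches audit log")
        if reasons:
            alerts.append((ev["when"], ev["user"], ev["command"], reasons))
    return alerts


if __name__ == "__main__":
    for when, user, command, reasons in flag_events(parse_sudo_log(SAMPLE_LOG)):
        print(f"{when} {user}: {command}  [{'; '.join(reasons)}]")
```

On the sample, the `ls -ll` line passes silently while the `visudo` run, the read of `/var/log/sudo.log`, and the denied `/bin/bash` attempt are reported. In a deployment the same parser would be pointed at the real file or at the syslog stream, and the watch list tuned to the commands the site actually delegates.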