Use sudo to reinforce Linux system security

The so-called system reinforcement is to use manual configuration and related software to improve system security. This article describes how to use the open-source software sudo to control and audit Root permissions to reinforce Linux system security. I. sudo is an open-source security tool. The most common function of Sudo is to reinforce the system by using manual configuration and related software to improve system security. This article describes how to use the open-source software sudo to control and audit Root permissions to reinforce Linux system security.
I. sudo functions
Sudo is an open-source security tool that is most commonly used to control and audit Root permissions. Its guiding ideology is to "try to compress the permissions granted to people while ensuring their normal work ". The system administrator not only allows the specified user or user group to run some commands as the root user or other users, but also records the commands and parameters entered by the specified user in detail. Of course, this software can be downloaded for free at www. gratisoft. us/sudo/download.html.
The Sudo program is a security tool that works in the command line mode, and we only execute one command at a time. It supports the following functions:
◆ Command log: record commands and parameters. This function is used to track user input commands, especially for system auditing. Because sudo
All commands used as root users (or other users specified) are recorded. Therefore, many administrators often use this command to replace root users.
Shell to record your own commands, which not only improves system security, but also can be used for troubleshooting.
◆ Records logs of multiple systems in a centralized manner: After the Sudo logs are combined with the system log daemon syslog, all logs can be stored on one host.
◆ Command restrictions: commands that can be used by users or user groups.
◆ Ticket checking system: the ticket checking system sets the time limit by the ticket created when the user logs on to sudo. The ticket is valid only within the specified time. Each new command refreshes the default time of the ticket. the default time is five minutes. In reality, this function is very useful. even if the root user forgets to log out of the system when he leaves the system, it will not be snooped into the system by other users who can access the keyboard. Because after the ticket expires, the system must log on again. Therefore, we recommend that you set the validity period to a shorter value, for example, the default validity period is five minutes. The ticket checking system can also be used to clear users' ticket files.
◆ Centralized management of multiple systems: Sudo
The configuration is generally written in the/etc/sudoers file, which can be used by multiple systems. in this way, we can centrally manage these systems on a single host.
Sudo supports almost all UNIX operating system versions, but if you want to install it from the source code, you must prepare the C compiler and make tools.
II. Sudo
Command parameters
With Sudo, we can allow a user to execute certain commands as a super user and other users to execute certain commands. This is especially useful for system management. The specific configuration of the sudo command can be found in the/etc/sudoers file, which specifies whether a command can be executed by a specific user.
The prerequisite for using sudo is
You must have your own user name and password. If a user attempts to use sudo
If the user is not in the sudoers file, the system will automatically send an email to the administrator indicating that the unauthorized user is accessing the system.
As mentioned above, because sudo has the ticket check function, the user logs on to sudo
A bill is sent to him. by default, the bill is valid for five minutes. However, you can also use? The sudo command of the v sign to update the ticket. This will apply for another five minutes for the ticket. The command is as follows:
Sudo
? V
If an unauthorized user runs the preceding command, the administrator will receive an email indicating the event.
At the same time, the flag-v will also notify unauthorized users that they are illegal users. If the user is stubborn, enter the sudo
Command, then the system will send an email to notify the administrator.
Sudo
It will be recorded in the default syslog (3) file. However, we can also
The configuration file of is changed to this line. The following table provides some options for the sudo command.
Option
Option name
Description
-V
Version
Print the version number and exit.
-H
Help
Print the help information and exit.
-L
List
Lists all commands permitted and prohibited by the current user.
-V
Validate
Update the user's ticket to a pre-configured time. the default time is five minutes. If necessary, the user must enter the user password again.
-K
Kill
Invalidate the user's ticket. Run this option to re-enter the user password to update the ticket.
-K
Sure
Kill
Delete the user's ticket. Then, you must use the user name and password to log on.
-U
User
Run a specific command as a user specified by the user name. The user specified by the user name can be any user other than the root user.
If you want to enter a uid, the entry # uid replaces the user name. If you want to use uid, you can replace it with # uid.
3. install Sudo
Run
Download the compressed package to the specified directory, such as/root
Directory. Regardless of the operating system used, these operations are similar in any system.
Bytes
Switch to the directory where the compressed package is located and decompress it. the command is as follows. Note that when you execute the following command, because the versions used are not necessarily the same, modify the actual version number:
Tar
? Zxvf sudo-1.6.3p5.tar.gz
Bytes
The preceding command creates a directory, such as a sudo-1.6.3p5, depending on your version.
Supervisor switches to sudo using the following command
Directory:
Cd
Sudo-1.6.3p5
Secret uses the following commands to create makefile
And config. h files, we will use them to configure sudo:
./Configure
You can also
Add options to the command to customize sudo
. In fact, it is very easy to append the required options after the/configure command.
For more information about available options, see The/sudo/INSTALL file.
You can also edit makefile
To change the default installation path, or edit/sudo/INSTALL
File. To solve this problem, you must first use a text editor to open makefile.
. For example, enter the following command:
Vi
Makefile
Pipeline in makefile
In the file
To install things ,:

Makefile file of Sudo
If necessary, you can change the default path. But here we will use the default path.
Quit to exit the file. If you want to use vi
Run the following command to edit a program:
: Q
In fact, we run./configure in front
You can also change the default installation path. Therefore, you must add an option after the command. For example, sudoers
The file is installed in/etc
Directory, we can use the following command to change the installation location of this file:
./Configure
--Sysconfdir = DIR
DIR here
Is the new installation directory.
Compile for sudo compilation
Run the make command:
Make
If we want to install sudo outside the source file directory, GNU is required.
If an error occurs during installation, you can turn to TROUBLESHOOTING.
File and PORTING file.
Token We must act as root
Only users can install sudo, because this requires the superuser permission. Change to root
Run make
Install Command installation manual, mongodo, and sudoers
File:
Make
Install
It should be noted that the existing sudoers cannot be overwritten.
File.
Finished. we have added sudo
After the installation is complete, we will introduce how to configure it to meet our needs.
4. configure Sudo
To configure sudo
, We must pair %/sudo-1.6.9p5/sudoers
File, which defines which users can execute which commands. In addition, only the root user has the permission to edit the file, and must also use do
Command to edit it. In sudo
The directory contains a file named sample. sudoers.
Example File:
By default, the mongodo command uses vi
The text editor opens sudoers.
File. Of course, we can use the compilation option to make the producer do
Change the default text editing program. Visudo uses the environment variable EDITOR to represent the text editing program. In edit sudoers
The mongodo command will execute the following tasks:
(1) Check for syntax errors
Even if a syntax error is found in the modification, mongodo does not save the modification. When a syntax error is found, it indicates the row number of the error and provides a guiding prompt. At this time, we will see
Now ?" Tip and three options: "e" indicates re-editing the file; "x" indicates exit and no save; "Q" indicates exit and save the changed content. If sudoers
If a syntax error exists in the file and Q is selected to exit and save the mongodo modification, sudo cannot run normally until the syntax problem is corrected. In this case, we must run mongodo again, correct the error, and save the file again. You are advised to select item e when fixing the problem. if you are still concerned about the incorrect situation, you can select item x, so that it will not change when you exit.
(2) prevent multiple edits to the file at the same time
When we edit sudoers
If you run mongodo in the file, you will receive an error message. let's try again later. Sudoers
A file consists of two types of entries: user requirements and aliases. The following example describes how to use user defined entries to define which users can run commands. Aliases are basically some variables.
The Sudoers file contains a root entry. the default permission rules are as follows:
Root
ALL = (ALL) ALL
This configuration allows the root user to execute all commands.
To make other users as root users
To run the command, we must add these users to sudoers
File. We must also specify which hosts are allowed to run these commands. Finally, we must also list these users as root users.
. In the following steps, we will create user bob
And allow him as root
The user executes some commands on our machine.
To open the sudoers file, run the following command:
Mongodo
⒉ Sudoers
The file will be stored in the vi
Open, and find "User
Privilege specification "section. Then in the root