Use sudo reinforcement Linux system security

The so-called reinforcement system is the use of manual configuration and related software to improve process safety systems. This article will detail the reader to control and audit to reinforce the security of Linux systems specific methods of operation for the use of open source software Root privileges sudo.
A, sudo functionality
Sudo is an open source security tool that is most commonly used to Root access control and auditing. Its guiding principle is "to ensure that people can work under normal conditions, to compress grant them permission." The system administrator can not only allow specified users or groups of users to run some commands as root or another user, it can also be specified by the user input commands and parameters for detailed records. Of course, the software can be downloaded for free, the specific address is www.gratisoft.us/sudo/download.html.
Sudo program is a security tool for working in the command line, and every time we execute only one command. It supports features are:
◆ command log: Logging commands and parameters. This function is used to track a user entered command, the system is particularly suitable for auditing. Because sudo
all (or any other user defined) under the command as the root user will be recorded, so many administrators often use it to replace the root
shell, the command to record their own use, not only can enhance system security, it can also be used troubleshooting.
◆ centralized system of record multiple log: Sudo joint after the system log daemon syslog, can all logs stored centrally on a host.
◆ limit command: command defining users or user groups can be used.
◆ collection system: collection system to set a time limit by when the user logs on to the bill sudo created. Ticket is only valid within the stipulated time. Each new command will refresh the preset time notes, the default preset time is five minutes. In reality, this feature is very useful, and with it, then forget to log out when leaving the system even if the root user, you will not be contacted by other users to spy on the system keyboard unscrupulous. Because after the ticket expires, the system must re-login. So, we'd better try to make it shorter effective time point, such as the default effective time of five minutes. Collection system may also be used to clear a user's ticket file.
◆ centralized management of multiple systems: Sudo
configuration generally written in the / etc / sudoers this file, and the file can be used for multiple systems, so that we can centrally manage these systems on a host of.
Sudo supports almost all of the UNIX operating system version, but if you want to install the source code, it must be prepared to make the C compiler and tools.
Two, Sudo
command arguments detailed
use Sudo, we can either allow a user as a super user to perform certain commands, you can make him as another user to execute certain commands - this is particularly useful for system management. specific configuration sudo command can be found in the / etc / sudoers file, the file specifies whether a command can be executed for a particular user.
The prerequisite for using sudo
, you must already have their own user name and password. If a user attempts via sudo
to run the command, but the user has not located sudoers file, the system will automatically send an e-mail to the administrator, pointed out that unauthorized users are accessing the system.
As mentioned earlier, because sudo has a ticket function, so sudo user login
time, he will be issued a ticket, which is valid default time of five minutes. However, users can also update the bill through sudo command with the -v flag, this bill will apply to additional five minutes. Commands are as follows:
the sudo
-V
If there is an unauthorized user to run the above command, then the administrator will receive an email to reflect the event.
Meanwhile, the -v flag will notice an unauthorized user, he is an illegal user. If the user is very stubborn, once again enter the sudo
command, the system will then send an e-mail to notify the administrator.
No matter whether the attempt to log in successfully, Sudo
will faithfully record to the default syslog (3) file. But we can also in Sudo
change this behavior profiles. The following table shows some options sudo command.
Options 
Option Name 
Description
-V 
Version 
print version number, then exit.
-h 
Help 
print help information and exit.
the -l 
List 
lists all the commands that have allowed and forbidden.
-v 
the Validate 
user's bill updates the time a pre-configured default for five minutes. If desired, the user must enter the password again.
-k 
Kill 
void the user's bill. This option will execute the command the user to re-enter the password to update the bill.
-K 
the Sure
the kill 
completely delete the user's bill. When re-run after this option, the user must log in with their user name and password.
-u 
the User 
As a user-specified user name to run specific commands. This user name specified by the user can be any user other than root.
If you want to entrance a uid, entrance #uid instead of the username. If you want to use uid, can be used in place of the #uid user name.
Third, install Sudo
will Sudor
compressed package to our specified directory, such as / root
directory. Regardless of which operating system to use these operations in any system are similar.
⒈
change to the directory where the compressed, then decompressed, the commands shown below. Note that when you execute the following command, not necessarily the same as the version used, so which version number of the real situation to be modified:
tar
-zxvf sudo-1.6.3p5.tar.gz
⒉
above command will create a new directory, such as sudo-1.6.3p5, this depends on your version may be.
⒊ the following command to switch to sudo
directory:
cd
sudo-1.6.3p5
⒋ use the following command to create a makefile
and config.h file, we will use them to configure sudo:
./configure
⒌ ./configure You can also
join command sudo option to customize
the installation. Actually very simple, as long as the / configure additional command behind the desired option.
To understand the various available options, see / sudo / INSTALL file.
⒍ You can also edit the makefile
to change the default installation path, you can also edit / sudo / INSTALL
Other configuration file. To this end, we need to open the makefile in a text editor
. For example, type the following:
VI
Makefile
⒎ in makefile
find the file to "Where
passages to install things ..." at the beginning, as shown in:
FIG. 1
Sudo Makefile,
⒏, if necessary, can change the default path. But here we will use the default path.
⒐ exit the file. If you want to use the vi
text editor, you can use the following command:
: q
⒑ In fact, we run ./configure in front of the
command, you can also change the default installation path. To do this, we need to add an option in the back of the order. For example, the default sudoers
file is installed in the / etc
directory, we can use the following command to change the installation location of the file:
./configure
- -sysconfdir = DIR
DIR here
is the new installation directory.
⒒ to compile sudo
, you need to run the make command:
make
⒓ place if we want sudo installed outside the source directory, it will need to use GNU.
If an error occurs during installation, you can turn to TROUBLESHOOTING
files and PORTING file.
We must as a root ⒔
Users can install sudo, because it requires the use of super-user privileges. Become root
user, run the make
install command to install the man pages, visudo and sudoers
file:
the make
install
needs to be reminded that, do not overwrite any existing sudoers
file.
⒕ Well, we have sudo
installed, the following describes how to configure it to meet our needs.
Fourth, Sudo configuration
To configure sudo
, we must% / sudo-1.6.9p5 / sudoers
edited file, which defines which command which users can perform. In addition, only the root user has permission to edit the file, and you must also use visudo
its editing commands. In sudo
directory contains a file named sample.sudoers
sample files:
By default, visudo command uses the vi
text editor to open the sudoers
file. Of course, we can make visudo by compiler option
to change the default text editor. visudo use environment variables EDITOR represents a text editing program. In sudoers edit
a file, visudo command performs the following tasks:
(a) check the syntax wrong
even find a syntax error in the modification, visudo will not save your changes. When a syntax error is found, it will indicate the line number where the error, and prompt the appropriate guidelines. At this time, we will see a "What
? Now "prompt and three options:" e "represents the re-edit the file;" x "represents the exit without making any saved;" Q "represents the exit and save content changes if sudoers.
File for syntax errors, but we choose Q exit and save changes visudo of, then we can not function properly sudo until the problem is corrected grammar so far. in such cases, we have to run visudo again, fix the errors, and then save the file again. when the time to fix the problem, the best choice for e item; if you also for being wrong when misgivings, x can be selected item, so that when you exit will not become modified
(ii) prevents simultaneous multiple edit this file
when we edit the sudoers
file when running visudo, it will receive an error message, let us try .sudoers later
file consists of two types of entries: the user to define the rules and use the following aliases example describes how to use user-defined entries which users can run What command. alias is basically a number of variables.
sudoers file contains a root entry, Recognized rights provisions are as follows:
root
ALL = (ALL) ALL
This configuration allows the root user can execute all commands.
To get another user as root
to run the command, we have to add these users to the sudoers
file we must. provision allows the hosts on which to run these commands. Finally, we must also list these as the root user can
specific command to run. in the following steps, we will create the user bob
, and allowed him in as the root
user in our machines executing certain commands.
⒈ the sudoers file open command as follows:
the visudo
⒉ sudoers
Vi file will
open, where it found "the User
Privilege Specification" section. Then root
after entry, following an insert press i:
bob
your-hostname = / sbin / ifconfig, / bin / the kill, / bin / LS
⒊
role of this line is to allow users to perform bob ifconfig command as root, kill and ls.
Note that unless you have otherwise specified default all listed in the sudoers
file command will be run as the root user. For example, we can let the user as the user bob Tom to run commands. Commands are as follows:
Bob
your-hostname = (Tom) / sbin / the ifconfig
For this example, ifconfig command will Tom user
identity is performed. Of course, you can allow to bob
in a number of different user to execute commands, such as:
bob
your-hostname = (Tom) / sbin / ifconfig, (root) / bin / the kill, / bin / ls
where, kill
and ls
command will be run as the root user, and the ifconfig command as the user Tom to perform. Bob can type in the command line the following command:
sudo
-u Tom / sbin / ifconfig
⒋ written press ESC and exit the file, and then type the following command:
: WQ
The use vi commands to write and quit the file.
⒌ Now we need to create a user bob, the following commands:
useradd
bob
6.
The following command bob users
create passwords:
the Passwd
bob
Changing
password for the User bob
New
UNIX password:
the Retype
new new UNIX password:
passwd:
All authentication tokens Updated successfully
V. run sudo
we have configured sudo, it gives the user bob to superuser privileges to execute ifconfig, kill and the ls command. When bob
To run these commands, he must type sudo
command, and enter their password.
⒈ first login as a user bob.
⒉ find bob as the root user command execution, this, type the following command:
sudo
the -l
⒊ If the first time as the bob run sudo user
, it will give a warning:
We
Trust you have have Received at The usual Lecture at The local System from
Administrator.
It
THESE boils Down to Three usually Things:
# 1)
Respect at The Privacy of Others.
# 2)
of Think the before you of the type
# 3)
With Great Power Comes Great Responsibility
⒋ you are prompted for a password, be careful not to enter the root password, but bob password.
Password:
⒌ allow each command listed on the bob run host as follows:
the User
bob On May RUN ON the this Host Commands The following:
(the root)
/ sbin / the ifconfig
(the root)
/ bin / Lill
(the root)
/ bin / LS
⒍ run ifconfig
to our test configuration of sudo. If you do not have sudo
, then this option requires root privileges. Commands are as follows:
/ sbin / the ifconfig
eth0 Down
this command is invalid, because no right bob deactivation system connecting device.
⒎ To disable the connection device, bob
must sudo, commands are as follows:
the sudo
/ sbin / Down the ifconfig eth0
This will be executed successfully. Note that if the bob
ticket has expired (default is valid for five minutes), then, sudo password will be asked to enter the bob.
If we run this command during the life of the bill, then we are not prompted to type the password.
⒏ with the following command to reactivate the device is connected:
the sudo
/ sbin / the ifconfig eth0 up
⒐ Then, the httpd kill command to restart the
process, as shown below:
PS
AUX | grep httpd
⒑ select from a displayed list Apache
the PID; If Apache is not installed
, you can also choose to start other services process. Command is as follows:
the kill
-HUP [PID NUMBER]
⒒
it will not make you restart the httpd process, because you are not the root user. It will receive the following message:
bash:
the kill: (PID NUMBER) - Not owner
⒓ now, we instead use sudo as root user to run the command, as shown below:
sudo
the kill -HUP (PID NUMBER)
This time success a.
⒔ Next, we use ls as user bob's
command to display the root directory. Commands are as follows:
LS
/ root
results we were rejected because we are not the root user.
⒕ Well, now we use sudo to execute the command as the root user and see how the results:
sudo
LS / root
See, our request was executed. root user's directory already listed.
⒖ To make bob timestamp expires, you can sudo
to achieve this goal -k command. As a result, bob
the next time you use sudo you must enter the password again.
Sixth, the case without a password in
some cases, there is no need to have to enter a password each time you run sudo, because the user has logged on to the system. So, sudo
provides us with an effective way to avoid this tedious task, is the way in sudoers
added NOPASSWD file
label.
⒈ order to remove the requirement for a password in the sudoers file, please log in as root
user, and then type the following command:
visudo
⒉ sudoers
file opens in vi. Bob modify
user rights provisions, as follows:
bob
your-hostname = NOPASSWD: / sbin / ifconfig, / bin / the kill, / bin / LS
⒊ press the ESC key, then type: wq
to write and quit the file:
⒋ Login for the bob
, use the following command to disable the connected devices:
sudo
/ sbin / ifconfig eth0 Down
this time we will not be asked to enter a password, because the command will be run as the root user.
⒌ use the following command to re-activate the attached device:
sudo
/ sbin / ifconfig eth0 up
seven logging Sudo's
already said, sudo can record what each user runs the command. However, these need to sudo
and syslogd
properly configured. To this end, we must first create a log file in / var / log directory, you must also make the appropriate configuration for syslog.conf, it recorded sudo
command. Configuring sudo
specific steps log function follows:
⒈ log in as root
user, then create a sudo at / var / log / directory
log file. Specific command is as follows:
Touch
/ var / log / sudo
After ⒉, syslog.conf you must
add the corresponding command line in the file will be recorded into a log file sudo. We can use the following command to open the syslog.conf:
vi
/etc/syslog.conf
⒊
the following line into the end of the syslog.conf file. In operation, we can insert text by pressing the button i. Note that the following spaces must use the TAB
key instead of the spacebar.
local2.debug
/ var / log / sudo
⒋ this syslog.conf entries will all successful and unsuccessful sudo
Commands are logged to the file / var / log / sudo in. You can also make logging on to the host through a network instead of a local directory with a network host. syslog.conf file shown in FIG.
2
Edit the syslog.conf file logging
⒌ written press ESC and exit the file, and then type the following command:
: WQ
⒍ because syslog.conf file has been modified, you must restart syslogd
. To syslogd
send HUP signal, you must first know the syslogd
process identifier for this type the following command to obtain syslogd
PID:
PS
the AUX | grep syslogd
second column shows the PID number is displayed, the last column indicates the PID display
the corresponding process.
⒎ to restart syslogd
, find syslogdPID from the above command output
, and then type the following command:
the kill
-HUP [PID NUMBER]
⒏ because we want to build a log entry for the user bob, bob so as a user login.
After ⒐ log in as the user bob, type the following ifconfig command:
sudo
the -l
sudo
/ sbin / ifconfig eth0 Down
sudo
/ sbin / ifconfig eth0 up
⒑ use kill
Command to restart the httpd process (or other process), the command as follows:
PS
AUX | grep httpd
⒒ identify from the output of the above command in the Apache
(httpd) the PID, and enter the following command:
the sudo
the kill -HUP [the PID NUMBER]
⒓ now, the identity of the user bob will be listed in the directory root user, as shown using the following command:
sudo
LS / root
⒔ as the root
user login, look sudo
log file. bob
all sudo input
commands are down, as shown below:
On May
18 is 21:10:18 sudo localhost: bob: PTS = the TTY /. 1; the PWD = / Home / bob; the USER = the root;
the COMMAND = List
On May
18 is localhost the sudo 21:10:28: Bob: PTS = the TTY /. 1; the PWD = / Home / Bob; the USER = the root;
the COMMAND = / sbin / Down the ifconfig eth0
On May
18 is the sudo 21:10:50 localhost: Bob: the TTY = PTS /. 1; the PWD = / Home / Bob; the USER = the root;
the COMMAND = / sbin / up the ifconfig eth0
On May
21:10:60 localhost sudo 18: bob: TTY = PTS / 1; PWD = / Home / bob; the USER = root;
the COMMAND = / bin / LS / root
⒕ You can record any root command, the method is very simple, as long as the these add sudo command before
you can. For example, all commands as root used to record, you can do like this:
sudo
useradd susan
sudo
passwd susan
sudo
vi / hosts
⒖ sudo order to access and view
the log file, we can use the following command:
sudo
CAT / var / log / sudo
All Root user input will be recorded, including the cat just typed
commands. As follows:
On May
18 is the sudo 21:10:18 localhost: Bob: PTS = the TTY /. 1; the PWD = / Home / Bob; the USER = the root;
the COMMAND = List
On May
18 is the sudo 21:10:28 localhost: Bob: the TTY = PTS /. 1; the PWD = / Home / Bob; the USER = the root;
the COMMAND = / sbin / Down the ifconfig eth0
On May
18 is the sudo 21:10:50 localhost: Bob: PTS = the TTY /. 1; the PWD = / Home / Bob; the USER = root;
COMMAND=/sbin/ifconfig eth0 up
May
18 21:10:60 localhost sudo: bob: TTY=pts/1;PWD=/home/bob;USER=root;
COMMAND=/bin/ls /root
May
18 21:30:22 localhost sudo: root: TTY=pts/1;PWD=/root;USER=root;
COMMAND=/usr/sbin/useradd susan
May
18 21:30:56 localhost sudo: root: TTY=pts/1;PWD=/root;USER=root;
COMMAND=/usr/bin/passwd susan
May
18 21:31:18 localhost sudo: root: TTY=pts/1;PWD=/root;USER=root;
COMMAND=/bin/vi /hosts
May
18 21:31:30 localhost sudo: root: TTY=pts/1;PWD=/root;USER=root;
COMMAND=/bin/vi /etc/hosts
May
18 21:32:11 localhost sudo: root: TTY=pts/1;PWD=/root;USER=root;
COMMAND=/bin/cat /var/log/sudo
As you can see, sudo
to control and audit access to the root user is extremely beneficial. It allows the system administrator root user's system administration tasks can be assigned to someone else, without having to give them root password. Administrators can also customize system access based on each user root access actually required to achieve the objective of minimizing privileges.