
Initial Settings : Sudo Settings

Configure sudo to separate users' duties when several people share administrative privileges.

It is not necessary to install sudo manually, because it is installed by default even in a Minimal installation environment.

[1]. Grant all root privileges to a user.

[root@dlp ~]# visudo

# add to the end: user [cent] can use all root privileges

cent  ALL=(ALL)       ALL

# how to write ⇒ user  host=(run-as user)  command

# verify with user [cent]

[cent@dlp ~]$ /usr/bin/cat /etc/shadow

/usr/bin/cat: /etc/shadow: Permission denied   # denied normally

[cent@dlp ~]$ sudo /usr/bin/cat /etc/shadow

Password:     # user's own password

.....

.....

chrony:!!:18163::::::

tcpdump:!!:18163::::::   # executed normally

[2]. In addition to the setting in [1], prohibit some commands.

[root@dlp ~]# visudo

# line 49: add

# for example, set an alias for the shutdown family of commands

Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, \
                      /usr/sbin/poweroff, /usr/sbin/reboot, /usr/sbin/init, /usr/bin/systemctl


# add ( prohibit the commands in alias [SHUTDOWN] )

cent  ALL=(ALL)       ALL, !SHUTDOWN


# verify with user [cent]

[cent@dlp ~]$ sudo /usr/sbin/reboot

[sudo] password for cent:

Sorry, user cent is not allowed to execute '/usr/sbin/reboot' as root on dlp.srv.world.   # denied normally

[3]. Grant some commands with root privilege to users in a group.

[root@dlp ~]# visudo

# line 51: add

# for example, set an alias for the user management commands

Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \
                     /usr/bin/passwd


# add to the end

%usermgr ALL=(ALL) USERMGR

[root@dlp ~]# groupadd usermgr

[root@dlp ~]# usermod -G usermgr redhat   # -G replaces the user's supplementary groups; use -aG to append instead

# verify with user [redhat]

[redhat@dlp ~]$ sudo /usr/sbin/useradd testuser

[redhat@dlp ~]$ sudo /usr/bin/passwd testuser

Changing password for user testuser.

New UNIX password:

Retype new UNIX password:

passwd: all authentication tokens updated successfully.   # executed normally

[4]. Grant a command with root privilege to a user.

[root@dlp ~]# visudo

# add to the end: settings for each user

fedora  ALL=(ALL)       /usr/sbin/visudo

ubuntu  ALL=(ALL)       /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd

debian  ALL=(ALL)       /usr/bin/vi


# for example, verify with user [fedora]

[fedora@dlp ~]$ sudo /usr/sbin/visudo

## Sudoers allows particular users to run various commands as

## the root user, without needing the root password.

##   # executed normally
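To see how sudo evaluates the rules from [2] to [4] (command aliases, the `!` exclusion, a `%group` entry) before touching a live host, here is an added Python model of those rules; it is not part of the original page, the sudoers text is a constructed copy of the page's entries, and a real policy check is done with `visudo -c` and `sudo -l -U <user>` as root.

```python
"""Added model of how sudo evaluates the rules from sections [2] to [4]."""
import re

# Constructed copy of the page's rules (not read from /etc/sudoers on a real host).
SUDOERS = r"""
Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, \
    /usr/sbin/poweroff, /usr/sbin/reboot, /usr/sbin/init, /usr/bin/systemctl
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \
    /usr/bin/passwd
cent     ALL=(ALL)  ALL, !SHUTDOWN
%usermgr ALL=(ALL)  USERMGR
fedora   ALL=(ALL)  /usr/sbin/visudo
"""

def parse_sudoers(text):
    """Return (cmnd_aliases, user_specs); backslash-newline continuations are joined first."""
    joined = re.sub(r"\\\n\s*", " ", text)
    aliases, specs = {}, []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
        else:  # assumed shape: user-or-%group  host=(runas)  cmd, cmd, ...
            who, rest = line.split(None, 1)
            cmds = rest.split(")", 1)[1]
            specs.append((who, [c.strip() for c in cmds.split(",")]))
    return aliases, specs

def may_run(user, groups, command, text=SUDOERS):
    """sudo semantics: every matching entry is checked in order and the LAST match wins."""
    aliases, specs = parse_sudoers(text)
    decision = False
    for who, items in specs:
        # a spec applies by exact user name or by %group membership
        if who != user and not (who.startswith("%") and who[1:] in groups):
            continue
        for item in items:
            negated = item.startswith("!")
            name = item.lstrip("!")
            cmds = aliases.get(name, [name])  # alias name expands to its list
            if "ALL" in cmds or command in cmds:
                # 'ALL, !SHUTDOWN' grants everything, then the alias carves it back out
                decision = not negated
    return decision
```

`may_run("cent", [], "/usr/sbin/reboot")` returns False while `may_run("redhat", ["usermgr"], "/usr/sbin/useradd")` returns True, matching the verification output above. sudoers(5) itself warns that subtracting commands from ALL with `!` is not a reliable restriction, so the explicit allow-lists of [3] and [4] are the safer pattern.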

[5]. Sudo logs are written to [/var/log/secure], which also holds many other kinds of logs. To keep only sudo logs in a separate file, configure as follows.

[root@dlp ~]# visudo

# add to the end

# for example, output logs to [local1] facility

Defaults syslog=local1

[root@dlp ~]# vi /etc/rsyslog.conf

# line 46,47: change as follows

*.info;mail.none;authpriv.none;cron.none;local1.none   /var/log/messages

local1.*                /var/log/sudo.log


# The authpriv file has restricted access.

authpriv.*              /var/log/secure


[root@dlp ~]# systemctl restart rsyslog
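Once sudo writes to its own file, the lines are easy to review for refused commands and failed authentication. The following added Python parser (not from the original page) runs over constructed sample lines in the format sudo emits through syslog; the host name, PIDs and timestamps are made up.

```python
"""Added parser for the sudo log lines that [5] routes into /var/log/sudo.log."""
import re

# Constructed sample lines (format as written by sudo via rsyslog; not from a real host).
SAMPLE_LOG = """\
Mar  3 10:15:01 dlp sudo[2314]:     cent : TTY=pts/0 ; PWD=/home/cent ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 10:15:40 dlp sudo[2320]:     cent : command not allowed ; TTY=pts/0 ; PWD=/home/cent ; USER=root ; COMMAND=/usr/sbin/reboot
Mar  3 10:16:02 dlp sudo[2331]:   redhat : TTY=pts/1 ; PWD=/home/redhat ; USER=root ; COMMAND=/usr/sbin/useradd testuser
Mar  3 10:17:30 dlp sudo[2340]:   debian : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/debian ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
"""

# An optional failure reason sits between the user name and the TTY field.
SUDO_RE = re.compile(
    r"sudo\[\d+\]:\s+(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<command>.*)$")

def parse_sudo_log(text):
    """Return one dict per sudo event with user, runas, command and outcome."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue  # pam_unix or other non-sudo lines are skipped
        event = m.groupdict()
        event["outcome"] = event.pop("reason") or "allowed"
        events.append(event)
    return events

def failures(events):
    """(user, command, outcome) for events refused by policy or failed at authentication."""
    return [(e["user"], e["command"], e["outcome"])
            for e in events if e["outcome"] != "allowed"]
```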
