Posted January 19Jan 19 You are reading Part 18 of the 57-part series: Harden and Secure Linux Servers. [Level 2]This series covers progressive security measures, from fundamental hardening techniques to enterprise-grade defense strategies. Each article delves into a specific security practice, explaining its importance and providing step-by-step guidance for implementation.To explore more security best practices, visit the main guide for a full breakdown of all levels and recommendations.The sudo command grants elevated privileges, allowing users to execute system-critical commands. If an unauthorized or compromised user gains sudo access, they can modify system files, install malware, or escalate privileges, leading to a full system takeover.By limiting sudo access to only trusted users and necessary commands, you minimize the risk of privilege escalation attacks and enhance system security.1. Edit the sudoers File SecurelyTo modify sudo permissions, always use visudo, which checks for syntax errors before saving:sudo visudo This opens the /etc/sudoers file for editing.2. Grant sudo Access to Specific Users for Specific CommandsInstead of giving full sudo access, allow users to execute only necessary commands:Example: Allow username to restart Apache without a password:username ALL=(ALL) NOPASSWD: /bin/systemctl restart apache2 (The user can restart Apache but nothing else.)Example: Allow developer to only edit web server configs:developer ALL=(ALL) NOPASSWD: /bin/nano /etc/nginx/nginx.conf (The user can edit the Nginx config but cannot modify other system files.)3. Restrict sudo Access by User Groups (Recommended Approach)Instead of assigning permissions to individual users, create a specific sudo group:Create a sudo-restricted group (e.g., limitedsudo):sudo groupadd limitedsudo Add users to the group:sudo usermod -aG limitedsudo username Grant sudo access to the group only for specific tasks:%limitedsudo ALL=(ALL) NOPASSWD: /bin/systemctl restart nginx (Only users in limitedsudo can restart Nginx, nothing else.)4. Audit sudo Privileges RegularlyCheck which users have sudo access:sudo grep 'sudo' /etc/group View sudo logs to track user activity:sudo cat /var/log/auth.log | grep sudo Remove sudo access for unauthorized users:sudo deluser username sudo Best Practices for Securing sudo Access✅ Apply the Principle of Least Privilege (PoLP) → Only grant minimum necessary privileges.✅ Use timestamped sudo sessions → Set session expiration so users must re-enter passwords (Defaults timestamp_timeout=5).✅ Enable sudo logging → Monitor logs for suspicious activity (journalctl -xe | grep sudo).✅ Disable root login (PermitRootLogin no in /etc/ssh/sshd_config).✅ Require multi-factor authentication (MFA) for sudo (auth required pam_google_authenticator.so in /etc/pam.d/sudo).By restricting sudo access, limiting privileges, and auditing user activity, you prevent privilege escalation attacks and secure critical system operations.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.