sudo design plan
1. User classification
Assign different command permissions to different user groups; a newly added user only needs to join the appropriate group to inherit that group's permissions.
For now, three groups are defined:
PRO  senior administrator    ADM  mid-level administrator    GST  non-administrator
Hands-on:
groupadd -f PRO && groupadd -f ADM && groupadd -f GST
useradd -g ADM zhuyu ; useradd -g PRO sh ; and so on (useradd takes the login name as its last argument)
2. Command classification
Following the sudoers file, commands are divided into several categories:
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
Cmnd_Alias LOCATE = /usr/bin/updatedb
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
Cmnd_Alias DELEGATING = /bin/chown, /bin/chmod, /bin/chgrp
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
Cmnd_Alias DRIVERS = /sbin/modprobe
Cmnd_Alias USERCTL = /usr/sbin/passwd, /usr/sbin/userdel, /usr/bin/passwd
Cmnd_Alias DANGER = /bin/rm -rf , /bin/rm -r , /bin/rm -f , /usr/sbin/visudo , /usr/bin/chattr
(the exact lists can be refined further in actual use; note that a Cmnd_Alias list must not end in a trailing comma, or visudo rejects the file)
Hands-on:
As root, run visudo
1. Uncomment all the Cmnd_* alias lines.
2. Above the line "# Defaults specification", add
Cmnd_Alias USERCTL = /usr/sbin/passwd, /usr/sbin/userdel, /usr/bin/passwd
Cmnd_Alias DANGER = /bin/rm -rf , /bin/rm -r , /bin/rm -f , /usr/sbin/visudo
as well as any command groups of your own.
3. Permission matching
The current plan is:
PRO group users may run all commands except USERCTL and DANGER (mainly: they cannot edit sudo, cannot change root's or other users' passwords, and cannot delete users), and need to enter neither root's password nor their own.
ADM group users may run all commands except DELEGATING, PROCESSES, USERCTL and DANGER.
GST group users: for now they keep ordinary user permissions.
Hands-on:
As root, run visudo
1. Find the line "## Allow root to run any commands anywhere" (in vi, /root jumps to it).
2. Below it, add:
%PRO ALL=(ALL) NOPASSWD: ALL,!DELEGATING,!USERCTL,!DANGER
%ADM ALL=(ALL) NOPASSWD: ALL,!DELEGATING,!PROCESSES,!USERCTL,!DANGER
3. Run sudo -l to see the current user's permissions:
[admin@test zhuyu]$ sudo -l
User admin may run the following commands on this host:
(ALL) NOPASSWD: ALL, (ALL) !/usr/sbin/visudo, !/bin/chown, !/bin/chmod, !/bin/chgrp,
(ALL) !/bin/nice, !/bin/kill, !/usr/bin/kill, !/usr/bin/killall, (ALL)
!/usr/sbin/passwd, !/usr/sbin/useradd, !/usr/sbin/userdel, !/usr/sbin/usermod,
!/usr/sbin/visudo, !/usr/bin/passwd, (ALL) !/bin/rm, !/usr/sbin/visudo
[zhuyu@test root]$ sudo -l
User zhuyu may run the following commands on this host:
(ALL) NOPASSWD: ALL, (ALL) !/usr/sbin/visudo, !/bin/chown, !/bin/chmod, !/bin/chgrp,
(ALL) !/usr/sbin/passwd, !/usr/sbin/useradd, !/usr/sbin/userdel, !/usr/sbin/usermod,
!/usr/sbin/visudo, !/usr/bin/passwd
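The rules above grant ALL and then subtract aliases with "!". The sudoers manual warns that subtracting commands from ALL in this way is not a reliable way to deny them and recommends listing the permitted Cmnd_Aliases instead; the alias block in section 2 also had two definitions of the same alias and a trailing comma, both of which visudo rejects. The following is an added example, not part of the original plan: a small POSIX shell lint pass that catches those three problems in a sudoers-style file before it is installed. lint_sudoers, lint_count and write_sample_sudoers are hypothetical helper names written for this page, and the sample file is constructed to reproduce the page's own issues.

```sh
#!/bin/sh
# Added example (not part of the original plan): lint a sudoers-style file.
# lint_sudoers prints one finding per line and exits with the number of
# findings, so it can gate the install of a sudoers.d fragment. It flags:
#   1. a Cmnd_Alias list ending in a trailing comma (visudo rejects it);
#   2. a Cmnd_Alias name defined twice (visudo rejects the redefinition);
#   3. a rule that grants ALL and then subtracts commands with "!", which the
#      sudoers manual describes as an unreliable way to deny commands; the
#      fix is to allow-list the permitted Cmnd_Aliases instead.

lint_sudoers() {
    awk '
        # Drop comments and surrounding whitespace; awk re-splits $0 afterwards.
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $1 == "Cmnd_Alias" {
            name = $2
            if (seen[name]++) { printf "DUPLICATE_ALIAS %s (line %d)\n", name, NR; n++ }
            if ($0 ~ /,$/)    { printf "TRAILING_COMMA %s (line %d)\n", name, NR; n++ }
            next
        }
        # Any other line with "=" that is not an alias or Defaults line is a
        # user/group specification such as:  %ADM ALL=(ALL) NOPASSWD: ALL,!DANGER
        /=/ && $1 !~ /^(User_Alias|Host_Alias|Runas_Alias|Defaults)/ {
            if ($0 ~ /ALL[ \t]*,[ \t]*!/) { printf "NEGATED_FROM_ALL %s (line %d)\n", $1, NR; n++ }
        }
        END { exit n + 0 }
    ' "$1"
}

# Number of findings for a file, as a plain value the caller can compare.
lint_count() {
    lint_sudoers "$1" | wc -l | tr -d ' '
}

# Constructed sample reproducing the problems discussed on this page.
write_sample_sudoers() {
    f="${TMPDIR:-/tmp}/sudoers.sample.$$"
    cat > "$f" <<'EOF'
# Defaults specification
Defaults logfile=/var/log/sudo.log
Cmnd_Alias DELEGATING = /bin/chown, /bin/chmod, /bin/chgrp
Cmnd_Alias DELEGATING = /bin/chown, /bin/chmod, /bin/chgrp
Cmnd_Alias USERCTL = /usr/sbin/passwd, /usr/sbin/userdel, /usr/bin/passwd,
Cmnd_Alias DANGER = /bin/rm -rf , /usr/sbin/visudo , /usr/bin/chattr
%PRO ALL=(ALL) NOPASSWD: ALL,!USERCTL,!DANGER
%ADM ALL=(ALL) NOPASSWD: ALL,!DELEGATING,!USERCTL,!DANGER
%GST ALL=(ALL) NETWORKING, SERVICES
EOF
    echo "$f"
}

# Usage: sh lint_sudoers.sh --demo   (or source the file and call lint_sudoers /path/to/fragment)
if [ "${1:-}" = "--demo" ]; then
    sample=$(write_sample_sudoers)
    lint_sudoers "$sample"
    echo "findings: $(lint_count "$sample")"
    rm -f "$sample"
fi
```

On the constructed sample the lint reports four findings: the duplicate DELEGATING alias, the trailing comma on USERCTL, and the two %PRO/%ADM rules that subtract from ALL; the %GST rule, which allow-lists two aliases, passes. Run it on the real file with "visudo -c -f" afterwards, since this lint covers only the three patterns above and is not a sudoers parser.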
4. Logging
1. visudo
At the very end, add:
Defaults logfile=/var/log/sudo.log
Defaults loglinelen=0
Defaults !syslog
2. touch /var/log/sudo.log
3. vi /etc/rsyslog.conf
In the RULES section add
local2.debug /var/log/sudo.log
then service rsyslog restart
4. sudo activity can now be viewed in /var/log/sudo.log; the test result follows:
[root@test ~]# tail -n 10 /var/log/sudo.log
Aug 28 07:02:40 : zhuyu : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/yum install syslog
Aug 28 07:03:42 : zhuyu : command not allowed ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/passwd
Aug 28 07:03:49 : zhuyu : command not allowed ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/useradd
Aug 28 07:03:53 : zhuyu : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/sbin/ifconfig
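Because the plan sets "Defaults !syslog", these lines come from sudo's own logfile writer (the rsyslog rule above does not produce them), and the "command not allowed" entries are the ones worth reviewing. The following is an added example, not part of the original plan: a POSIX shell summary over that logfile format, counting allowed and refused commands per user and listing each refusal. sudo_log_summary, denied_for_user and write_sample_sudo_log are hypothetical helper names written for this page, and the sample log is constructed from the format shown above.

```sh
#!/bin/sh
# Added example (not part of the original plan): summarise /var/log/sudo.log in
# the "Defaults logfile" format shown above. Each entry looks like
#   Aug 28 07:03:42 : zhuyu : command not allowed ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/passwd
# Splitting on " : " gives timestamp, user, and the rest of the record.

sudo_log_summary() {
    awk -F ' : ' '
        NF >= 3 {
            user = $2
            rest = $3
            denied = (rest ~ /^command not allowed/) ? 1 : 0
            cmd = rest; sub(/.*COMMAND=/, "", cmd)      # keep only the command text
            if (denied) { den[user]++; print "DENIED  " user "  " cmd }
            else        { ok[user]++ }
            users[user] = 1
        }
        END {
            for (u in users) printf "%s allowed=%d denied=%d\n", u, ok[u] + 0, den[u] + 0
        }
    ' "$1"
}

# Number of refused commands for one user: a value to compare against or alert on.
denied_for_user() {
    sudo_log_summary "$1" | awk -v u="$2" '$1 == "DENIED" && $2 == u' | wc -l | tr -d ' '
}

# Constructed sample in the page's logfile format (not a real capture).
write_sample_sudo_log() {
    f="${TMPDIR:-/tmp}/sudo.log.sample.$$"
    cat > "$f" <<'EOF'
Aug 28 07:02:40 : zhuyu : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/yum install syslog
Aug 28 07:03:42 : zhuyu : command not allowed ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/passwd
Aug 28 07:03:49 : zhuyu : command not allowed ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/useradd
Aug 28 07:03:53 : zhuyu : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/sbin/ifconfig
Aug 28 07:10:01 : admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=/sbin/service httpd restart
EOF
    echo "$f"
}

# Usage: sh sudo_log_summary.sh --demo   (or source it and call sudo_log_summary /var/log/sudo.log)
if [ "${1:-}" = "--demo" ]; then
    sample=$(write_sample_sudo_log)
    sudo_log_summary "$sample"
    echo "zhuyu denied: $(denied_for_user "$sample" zhuyu)"
    rm -f "$sample"
fi
```

For the constructed sample the summary shows zhuyu with two allowed and two refused commands (passwd and useradd, both in USERCTL) and admin with one allowed; a cron job that compares denied_for_user against a threshold is the simplest way to turn the refusals into an alert.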
5. Maintenance
Add new permission groups and adjust each group's command pool as real-world needs require.
File security design plan
Protect important files by locking them: root can lock or unlock a file with chattr +i / chattr -i file, while sudoers forbids every user other than root from using chattr.
For now, lock /etc/passwd /etc/shadow /etc/group /etc/gshadow
This way even root cannot delete these files with rm -rf unless they are unlocked first.
If other users and groups should not be able to read these files, their read/write/execute bits can also be changed with chmod.
Hands-on: chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow
Test environment result:
[root@test zhuyu]# ls
1 2 3 4 5
[root@test zhuyu]# chattr +i 1 2 3 4
[root@test zhuyu]# ls
1 2 3 4 5
[root@test zhuyu]# rm -rf *
rm: cannot remove `1': Operation not permitted
rm: cannot remove `2': Operation not permitted
rm: cannot remove `3': Operation not permitted
rm: cannot remove `4': Operation not permitted
[root@test zhuyu]# chattr -i 1 2 3 4
[root@test zhuyu]# ls
1 2 3 4
[root@test zhuyu]# rm -rf *
[root@test zhuyu]# ls
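While /etc/passwd and /etc/shadow carry the immutable bit, passwd, useradd and usermod cannot rewrite them, so an administrator has to run chattr -i before any user maintenance and chattr +i afterwards; the lock is therefore only as good as the habit of restoring it. The following is an added example, not part of the original plan: a POSIX shell check that reads "lsattr -d" output for the four files and reports any that are no longer locked, suitable for cron or a monitoring agent. is_immutable_attr and check_locked_files are hypothetical helper names written for this page; the lsattr lines in the usage notes are constructed.

```sh
#!/bin/sh
# Added example (not part of the original plan): verify that the files this
# plan locks still carry the immutable bit. Requires lsattr (e2fsprogs) and a
# filesystem that supports the attribute; run as root for /etc/shadow.

LOCKED_FILES="/etc/passwd /etc/shadow /etc/group /etc/gshadow"

# lsattr -d prints the attribute string first, e.g. "----i--------e-- /etc/passwd".
# Returns 0 when the lowercase 'i' (immutable) flag is present, 1 otherwise.
# Only the attribute field is examined, so an 'i' in the path does not count.
is_immutable_attr() {
    attrs=${1%% *}
    case "$attrs" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print one line per file: LOCKED, UNLOCKED, MISSING or UNKNOWN (lsattr failed).
# Exit status is the number of files that are not confirmed locked, so a
# non-zero status from cron or a monitoring agent means the lock has slipped.
check_locked_files() {
    bad=0
    for f in ${1:-$LOCKED_FILES}; do
        if [ ! -e "$f" ]; then
            echo "MISSING  $f"; bad=$((bad + 1)); continue
        fi
        line=$(lsattr -d "$f" 2>/dev/null) || { echo "UNKNOWN  $f"; bad=$((bad + 1)); continue; }
        if is_immutable_attr "$line"; then
            echo "LOCKED   $f"
        else
            echo "UNLOCKED $f"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Usage: sh check_locked_files.sh            (checks the four files above)
#        sh check_locked_files.sh "/etc/passwd /etc/shadow"
if [ "${CHECK_LOCKED_MAIN:-0}" = "1" ]; then
    check_locked_files "${1:-}"
fi
```

Pairing this with the plan's sudo logging closes the loop: the log shows who ran chattr -i, and the check shows whether chattr +i was run again afterwards.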