• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 620
  • Last Modified:

Switch to sudo

I have been the lone Linux administrator for a couple of years at my office.  We have approx 64 linux servers.

We recently hired two additional junior admin to assist.

In the past it was easy to know who made the changes, since I was the only person with the root password.

Now I would like to change to sudo, so I can track which "admin" is making which changes.  

I would like them to have full root access.  Since I am not familiar with sudo, I was wondering what is the best way to go about this?

Any input would be appreciated.
0
Asked by savone
7 Solutions
 
comfortjeaniusCommented:
You can create user accounts for them and grant them administrative privileges.
Grant Users Administrative Privileges

Now that you have a new user on your system, you need to decide if this user should be able to perform administrative tasks with sudo.

If the user you created will be your primary user on the system, you usually want to enable sudo privileges so that you can do routine configuration and maintenance.

We give users access to the sudo command with the visudo command. If you have not assigned additional privileges to any user yet, you will need to be logged in as root to access this command:

visudo


This will open the sudoers file in the vi editor.

This file will look something like this:
# User privilege specification
root    ALL=(ALL:ALL) ALL

You can add the line:
newuser    ALL=(ALL:ALL) ALL

Save and quit; now the users will have their own accounts with administrative privileges.
0
 
Ricardo MartínezInformation SecurityCommented:
I think the best way to track them is to grant sudo privileges to their own users, so you can see who did any task in the logs. Check this link, which explains how to do it on Debian and derived distros:

How To Add, Delete, and Grant Sudo Privileges to Users on a Debian VPS

You can create a script to add those users with privileges on all the servers.

If you need it for other distro, just tell me.
0
 
woolmilkporcCommented:
... or make the new admins members of a special group. Your "sudoers" file (and probably your OS as well) should have a predefined group "wheel" for that purpose.

Look for an entry like this in the sudoers file (use "visudo" as suggested):

%wheel ALL=(ALL) ALL

If there is a comment sign in front ("#") remove it, then save the sudoers file. If there is no such line add it.

Now check whether your OS has a group "wheel". If there is no such group, add it.

Make the concerned users members of that group and you're done.

Please remember that the users must prefix any command to be run under root privileges with "sudo", e.g.:

sudo passwd savone

wmp
0
 
savoneAuthor Commented:
I am sorry, I should have been clear.  We all do have our own accounts, since remote root access is disabled.  So we log in as ourselves, then switch to root for admin.
0
 
woolmilkporcCommented:
>> We all do have our own accounts <<

No problem. Just add the group "wheel" to the user's group set:

usermod -a -G wheel savone
0
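Putting woolmilkporc's group-based approach (the "%wheel ALL=(ALL) ALL" line plus "usermod -a -G wheel") together with Ricardo Martínez's suggestion to script the change across all servers, here is an added shell example; it is not code from any of the answers above. It audits which accounts currently get full root through the wheel group by reading an /etc/group-style file, and wraps the groupadd/usermod provisioning so that it only touches the system when run as root. The sample group file, the account names (savone, junior1, junior2) and the wheel GID are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit and provision membership of the
# group that sudoers grants full root to (%wheel ALL=(ALL) ALL).
# Assumes an /etc/group-style file (name:x:gid:member,member,...) and the
# Linux groupadd/usermod commands; the sample accounts below are constructed.
set -eu

# Print the comma-separated member list of GROUP from GROUPFILE (default /etc/group).
group_members() {
    grp=$1
    groupfile=${2:-/etc/group}
    awk -F: -v g="$grp" '$1 == g { print $4 }' "$groupfile"
}

# Return 0 if USER is a supplementary member of GROUP, 1 otherwise.
in_group() {
    user=$1
    grp=$2
    groupfile=${3:-/etc/group}
    group_members "$grp" "$groupfile" | tr ',' '\n' | grep -qx "$user"
}

# Ensure GROUP exists and add each named user to it. Changes the system only
# when run as root; otherwise it prints what it would have run.
grant_group() {
    grp=$1
    shift
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root; would run: groupadd $grp; usermod -a -G $grp <user> for: $*" >&2
        return 0
    fi
    getent group "$grp" >/dev/null || groupadd "$grp"
    for u in "$@"; do
        if id "$u" >/dev/null 2>&1; then
            usermod -a -G "$grp" "$u"
        else
            echo "skipping $u: no such account" >&2
        fi
    done
}

# Write a constructed /etc/group sample to a temp file and print its path.
make_sample_groupfile() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
root:x:0:
wheel:x:10:savone,junior1
users:x:100:savone,junior1,junior2
EOF
    echo "$f"
}

# Demo on the constructed sample; a real audit omits the file argument and reads /etc/group.
sample=$(make_sample_groupfile)
echo "accounts with full root via wheel: $(group_members wheel "$sample")"
for u in savone junior1 junior2; do
    in_group "$u" wheel "$sample" || echo "$u is NOT in wheel"
done
rm -f "$sample"
```

Run the audit part on every host (over ssh or from Satellite) and diff the output against the list of people who are supposed to have root; an account that shows up in wheel on one box but not the others is exactly the kind of drift that is hard to notice when the root password is shared.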
 
Ricardo MartínezInformation SecurityCommented:
That's why we said to change your own accounts' privileges, to stop using the root user, so the logs will reflect the changes you made with each one and it will be easy to track their actions. Then you will have to change the root user's password to prevent the Junior Admins from continuing to use it.
0
 
serialbandCommented:
How much tracking do you want to do?  Do you want to disable the su command too?  A whole lot of people would just run sudo su to become root anyway.   That defeats the logging, except for the initial sudo su.  You would only be able to correlate the time frame of the changes once they do that.  Once you've entered a shell, there's no sudo tracking.

Here are 2 other ways to enter a root shell:
sudo -s
sudo bash


If you want to exclude su and bash, you would add them like this (a group name takes the % prefix, as in the wheel line above):
%wheel ALL=(ALL) ALL, !/bin/su, !/bin/bash

Unfortunately, this will exclude the junior admins' ability to su to user accounts too, which will prevent account management access.  You could also sudo emacs or sudo vi and enter shells from them.

Sudo tracking is easier when giving users privileges to individual commands, but it's not really meant for detailed tracking of root usage.
Here's an example to give the webmasters group access to httpd so they can restart apache.
%webmasters ALL=(ALL) /etc/init.d/httpd

or giving someone MySQL access
MySQLadmins ALL=(ALL) /usr/bin/mysql,/usr/bin/mysqlcheck,/usr/bin/mysqld

http://www.onlamp.com/pub/a/bsd/2002/09/12/Big_Scary_Daemons.html?page=2

The real solution is to have sudo and also have your junior admins document changes they've made.  My current place requires us to update a weekly internal wiki.  When you get into a larger group, you'll need documentation, and a sign-off before allowing the junior admins access to change it.  You'd have to reprimand them for not following procedure and fire them for failing to do it too many times.
0
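serialband's point is that once someone runs sudo su, sudo -s, sudo bash, or opens a shell from vi or emacs, the per-command log trail stops. An added example (not from the answer above) of what a defender can still do with the log lines sudo does write: scan the auth log for the commands named in the thread and report who used them and when. The log format is the one sudo writes to syslog on Linux; the five log lines, host name and account names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: scan sudo's syslog lines for commands
# that hand the admin an interactive root shell, after which sudo logs nothing
# further. Assumes the line format sudo writes to syslog on Linux, e.g.
#   ... sudo:  user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/bin/su
# Log lines and account names below are constructed.
set -eu

# Commands named in the thread that end per-command tracking: su, shells, and
# editors that can spawn a shell. Extend this list for your own hosts.
SHELL_ESCAPES='/bin/su /bin/bash /bin/sh /usr/bin/bash /usr/bin/sh /usr/bin/vi /usr/bin/vim /usr/bin/emacs'

# Print "user command" for each sudo line whose COMMAND is in SHELL_ESCAPES.
find_shell_escapes() {
    awk -v list="$SHELL_ESCAPES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) esc[a[i]] = 1 }
        /sudo:/ && /COMMAND=/ {
            # invoking user sits between "sudo:" and the first " :"
            user = $0; sub(/.*sudo: +/, "", user); sub(/ :.*/, "", user)
            # the program is the first word after COMMAND=
            cmd = $0; sub(/.*COMMAND=/, "", cmd)
            split(cmd, parts, " ")
            if (parts[1] in esc) print user, parts[1]
        }' "$1"
}

# Number of shell escapes found in LOGFILE.
count_shell_escapes() {
    find_shell_escapes "$1" | wc -l | tr -d ' '
}

# Constructed sample of what /var/log/secure (or auth.log) contains.
make_sample_sudolog() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Jan  5 10:00:01 web1 sudo:   savone : TTY=pts/0 ; PWD=/home/savone ; USER=root ; COMMAND=/usr/bin/passwd junior1
Jan  5 10:05:12 web1 sudo:  junior1 : TTY=pts/1 ; PWD=/home/junior1 ; USER=root ; COMMAND=/bin/su
Jan  5 10:07:40 web1 sudo:  junior2 : TTY=pts/2 ; PWD=/home/junior2 ; USER=root ; COMMAND=/bin/bash
Jan  5 10:09:03 web1 sudo:  junior1 : TTY=pts/1 ; PWD=/home/junior1 ; USER=root ; COMMAND=/etc/init.d/httpd restart
Jan  5 10:11:15 web1 sudo:  junior2 : TTY=pts/2 ; PWD=/home/junior2 ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
EOF
    echo "$f"
}

# Demo on the constructed sample; point it at /var/log/secure for a real audit.
sample=$(make_sample_sudolog)
echo "shell escapes found: $(count_shell_escapes "$sample")"
find_shell_escapes "$sample"
rm -f "$sample"
```

Note that sudo -s and sudo -i are logged with the shell as COMMAND (for example COMMAND=/bin/bash), so matching on the shell path covers them too. Where the shell sessions themselves need to be accountable rather than just flagged, sudo's own I/O logging (the log_input and log_output Defaults, replayed with sudoreplay) records what happened inside the session; that is the facility the thread says plain command logging lacks.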
 
savoneAuthor Commented:
Thanks for all the information, one more question.

I see that the /etc/sudoers file should be edited by using visudo.  

BUT, we have 60+ systems now, and that number is growing fast.  I would like to centrally manage this file on my Red Hat Satellite server and push the /etc/sudoers file out to each server.  This way, if we need to add sudo access or remove it, we can change it in one place.

Can I do this, or will it cause issues?
0
 
woolmilkporcCommented:
This is possible, of course. "visudo" does syntax checking, so it's the preferred tool to edit the sudoers file, but once the file looks as desired you can deploy it to other servers without problems. Just take care to leave the permissions (0440) and ownership (root/UID 0) intact.

You can even restrict settings in sudoers to be valid on certain hosts/host groups only, so even if different hosts must be treated differently this can be achieved with a single sudoers file.

See the rather informative manpage of "sudoers", or here:
http://www.sudo.ws/sudoers.man.html
0
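The two things woolmilkporc asks for when deploying one sudoers file to many hosts (run it through visudo first, keep it 0440 and owned by root) plus the host-alias trick for treating hosts differently, as an added shell example that is not from the answer above. The sample sudoers content, host names (web1, web2, db1) and group names are constructed; the script assumes GNU stat and that visudo is installed on the machine where the check runs.

```shell
#!/bin/sh
# Added example, not from the thread: validate a centrally built sudoers file
# before pushing it to a host. Assumes GNU stat (-c) and visudo on the build
# host; host aliases, group names and the policy itself are constructed.
set -eu

# Write a constructed sudoers that uses Host_Alias so one file serves every host.
make_sample_sudoers() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed example policy, not a real site's sudoers
Host_Alias WEBSERVERS = web1, web2
Host_Alias DBSERVERS  = db1

# full root for the admin group, on every host
%wheel       ALL=(ALL) ALL

# webmasters may only restart apache, and only on the web servers
%webmasters  WEBSERVERS=(ALL) /etc/init.d/httpd

# mysql admins get the mysql tools, only on the database server
%mysqladmins DBSERVERS=(ALL) /usr/bin/mysql, /usr/bin/mysqlcheck
EOF
    echo "$f"
}

# 0 if FILE is mode 0440 (what sudo expects), 1 otherwise.
sudoers_mode_ok() {
    [ "$(stat -c '%a' "$1")" = "440" ]
}

# 0 if FILE is owned by uid 0 and gid 0, 1 otherwise.
sudoers_owner_ok() {
    [ "$(stat -c '%u:%g' "$1")" = "0:0" ]
}

# Syntax check with visudo; nonzero means visudo rejected the file.
# If visudo is absent where this runs, say so and do not pretend it passed.
sudoers_syntax_ok() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1" >/dev/null
    else
        echo "visudo not found here; syntax NOT checked" >&2
        return 1
    fi
}

# Run all checks on FILE and report each failure; return nonzero if any failed.
check_sudoers() {
    rc=0
    sudoers_syntax_ok "$1" || { echo "FAIL: $1 did not pass visudo -c" >&2; rc=1; }
    sudoers_mode_ok "$1"   || { echo "FAIL: $1 is not mode 0440" >&2; rc=1; }
    sudoers_owner_ok "$1"  || { echo "FAIL: $1 is not owned by root:root" >&2; rc=1; }
    return $rc
}

# Demo: build the sample, set the expected mode, and run the checks.
# Ownership can only be fixed (and therefore only passes) when run as root.
sample=$(make_sample_sudoers)
chmod 0440 "$sample"
[ "$(id -u)" -eq 0 ] && chown 0:0 "$sample"
if check_sudoers "$sample"; then
    echo "$sample is ready to deploy"
else
    echo "$sample is NOT ready to deploy"
fi
rm -f "$sample"
```

Run check_sudoers on the master copy before every push; copying a file that visudo rejects locks every admin out of sudo on that host at once, whereas visudo on the host would have refused to save it. After the copy, the same mode and owner checks can be run on each target to confirm the transport kept 0440 and root ownership intact.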
 
savoneAuthor Commented:
Thanks everybody, I did not want to single out one answer as all of you were helpful.
0
