NotesSecuritySystem

Exemple de configuration de sudoers

Parcourant les notes techniques de sécurisation d'un serveur Linux proposées par l'ANSSI (voir ce PDF),
je me suis penché sur les problématiques de configuration de sudoers.

Pour que des normes de sécurité correctes soient mises en place,
il est nécessaire que les utilisateurs ne puissent pas usurper l'identité d'autres utilisateurs.

Pour les administrateurs, cette restriction peut être mise en place au niveau des sudoers en bloquant l'accès à "su",
visudo et aux shells, les utilisateurs n'ayant besoin d'accéder qu'à une liste de commandes spécifiques.
Notez toutefois que, comme le rappelle la page de manuel sudoers(5), retirer des commandes de « ALL » avec l'opérateur « ! » n'offre pas une protection fiable : une liste explicite de commandes autorisées reste préférable.

On peut ensuite n'autoriser qu'un groupe d'administrateurs bien spécifique à modifier les sudoers et placer des règles via SELinux pour réguler l'édition.

L'exemple ci-dessous présente un panel complet des différentes fonctionnalités proposées par le fichier sudoers et permet de générer sa propre configuration.

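# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# NOTE: the '!' operator cannot reliably subtract commands from "ALL" --
# sudoers(5) documents why "ALL, !X" is not an effective restriction.
# The %admin, jill, pete and john entries below use that pattern and are
# kept here to illustrate the syntax only; a production policy should
# list the permitted commands explicitly instead of denying by subtraction.
#

##
# User alias specification
##
User_Alias  FULLTIMERS = millert, mikef, dowdy
User_Alias  PARTTIMERS = bostley, jwfox, crawl
User_Alias  WEBMASTERS = will, wendy, wim

##
# Runas alias specification
##
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase

##
# Host alias specification
##
Host_Alias  SPARC = bigtime, eclipse, moet, anchor:
        SGI = grolsch, dandelion, black:
        ALPHA = widget, thalamus, foobar:
        HPPA = boa, nag, python
Host_Alias  CUNETS = 128.138.0.0/255.255.0.0
Host_Alias  CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias  SERVERS = master, mail, www, ns
Host_Alias  CDROM = orion, perseus, hercules

##
# Cmnd alias specification
##
Cmnd_Alias  DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore,
            /usr/sbin/rrestore, /usr/bin/mt
Cmnd_Alias  KILL = /usr/bin/kill
Cmnd_Alias  PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias  SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias  HALT = /usr/sbin/halt
Cmnd_Alias  REBOOT = /usr/sbin/reboot
# only the exact paths listed here are matched; a shell installed under
# any other path is not covered by "!SHELLS"
Cmnd_Alias  SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,
            /usr/local/bin/tcsh, /usr/bin/rsh,
            /usr/local/bin/zsh
# ways of editing the sudoers file or becoming root, used as a deny list
# below; editors not listed here are not covered (see NOTE at top)
Cmnd_Alias  RESTRICTED = /bin/vi /etc/sudoers, /bin/nano /etc/sudoers, /bin/su - root,
            /bin/su -, /usr/sbin/visudo
Cmnd_Alias  VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh,
            /usr/bin/chfn

##
# Override built-in defaults
##
Defaults               syslog=auth
Defaults>root          !set_logname
Defaults:FULLTIMERS    !lecture
# millert is never prompted for a password by sudo
Defaults:millert       !authenticate
# on the SERVERS hosts, additionally log to a file, with the year in timestamps
Defaults@SERVERS       log_year, logfile=/var/log/sudo.log

##
# User specification
##

# root can run anything on any machine as any user
root        ALL = (ALL) ALL
# admin group can run anything except RESTRICTED and SHELLS commands
# (deny-by-subtraction from ALL; see NOTE at the top of the file)
%admin      ALL = (ALL) ALL, !RESTRICTED, !SHELLS
# sudoers group can only edit the sudoers file
%sudoers    ALL = (ALL) /usr/sbin/visudo
# full time sysadmins can run anything on any machine without a password
FULLTIMERS  ALL = NOPASSWD: ALL

# part time sysadmins may run anything but need a password
PARTTIMERS  ALL = ALL

# jack may run anything on machines in CSNETS
jack        CSNETS = ALL

# lisa may run any command on any host in CUNETS (a class B network)
lisa        CUNETS = ALL

# operator may run maintenance commands and anything in /usr/oper/bin/
# (a trailing "/" matches every file in that directory, so the directory
# and its contents must not be writable by operator)
operator    ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,
        sudoedit /etc/printcap, /usr/oper/bin/

# joe may su only to operator
joe         ALL = /usr/bin/su operator

# pete may change passwords for anyone but root on the hp snakes
# (assumes passwd(1) does not accept several user names on one command line)
pete        HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root

# bob may run anything on the sparc and sgi machines as any user
# listed in the Runas_Alias "OP" (ie: root and operator)
bob         SPARC = (OP) ALL : SGI = (OP) ALL

# jim may run anything on machines in the biglab netgroup
jim         +biglab = ALL

# users in the secretaries netgroup need to help manage the printers
# as well as add and remove users
+secretaries    ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

# fred can run commands as oracle or sybase without a password
fred        ALL = (DB) NOPASSWD: ALL

# on the alphas, john may su to anyone but root and flags are not allowed
# (wildcard deny; see NOTE at the top of the file)
john        ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

# jen can run anything on all machines except the ones
# in the "SERVERS" Host_Alias
jen         ALL, !SERVERS = ALL

# jill can run any commands in the directory /usr/bin/, except for
# those in the RESTRICTED and SHELLS aliases.
# (deny-by-subtraction; see NOTE at the top of the file)
jill        SERVERS = /usr/bin/, !RESTRICTED, !SHELLS

# steve can run any command in the directory /usr/local/op_commands/
# as user operator.
steve       CSNETS = (operator) /usr/local/op_commands/

# matt needs to be able to kill things on his workstation when
# they get hung.
matt        valkyrie = KILL

# users in the WEBMASTERS User_Alias (will, wendy, and wim)
# may run any command as user www (which owns the web pages)
# or simply su to www.
WEBMASTERS  www = (www) ALL, (root) /usr/bin/su www

# anyone can mount/unmount a cd-rom on the machines in the CDROM alias
ALL         CDROM = NOPASSWD: /sbin/umount /CDROM,
        /sbin/mount -o nosuid,nodev /dev/cd0a /CDROM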

Sources