Linux Security and Hardening | CSL4 A3.1

Account Security Demo #3 (Sudo)

In this section, you’ll take a deep dive into Linux security. You’ll build your knowledge and skills through a comprehensive overview of the key areas that you need to know to secure Linux systems.

You’ll begin with Linux security in general before moving on to physical security and the countermeasures you can employ to protect your hardware. From there, you’ll explore authentication systems and the various account types on a Linux system, and how to secure each one. You'll also learn how to enforce strong passwords and manage account and password expirations.

In the networking section, you'll learn how to secure network services that run on Linux systems. You'll also learn how the local firewall works in Linux and how to configure it. You’ll learn about file system security and how permissions work in detail, including special modes, file attributes, and ACLs. You'll also discover what rootkits are, how to detect them, and how to remove them.

You’ll also find several security resources you can use to continue your security education and stay on top of the latest security issues for Linux distributions.

There are several knowledge checks as you go through these resources. These will help you identify any areas that you might need or want to review. At the end you’ll find a final exam, where you can test yourself on what you’ve learnt.

Learning Objectives

  • Get a general view of Linux security including roles, network services, encryption, accounts, and multifactor authentication
  • Learn specific strategies for mitigating physical security risks and protecting your Linux systems against the most common physical attacks
  • Learn about data encryption and how to implement it on new Linux systems, as well as those that are already in service
  • Understand the different types of accounts you'll find on a Linux system and the special precautions you need to take with each account type
  • Learn how to enforce good password security practices on your Linux systems
  • Learn about multi-factor authentication and how it can be implemented in Linux
  • Learn techniques and strategies to secure network services
  • Learn how to secure your files and directories on Linux through permissions, data sharing, special modes, file attributes, ACLs, and rootkits

For this demo, I'm just going to go ahead and use the root account. First, let's run visudo. You can see that it starts an editor; in this case it's vi. Let me go ahead and exit out of that. You can specify the editor that you want to use by setting the EDITOR environment variable. I'll go ahead and do that for mine. Set it to nano, and then run visudo again. Now you can see that the nano editor was started. I'm gonna go ahead and switch back to vi since I'm more comfortable with that editor: exit out there, EDITOR=vi, run visudo yet again.

One big advantage to using visudo instead of directly editing the file is that it performs syntax checking. I'm just gonna put some invalid data here at the top of the file, and then go ahead and save that file, so I'm going to write and quit and exit this file. As you can see, visudo detected an error and then asks you what you want to do next. So, I'm just gonna hit the Enter key right here to show the options. At this point, you can either edit the file again, you can abandon your changes, or you can force save them. Now don't do that, because you don't want an invalid sudoers configuration. So I'm gonna go ahead and edit the file again, and I will take out this bad data that I put in there. When I exit this time, there's no error, so the syntax is correct for that file.

Let me just fire this up one last time here. Now let's create a specification for a user named Bob. I'll just put this at the bottom of the file. Let's allow Bob to run the /usr/bin/yum command as the root user on all systems. We'll go ahead and exit out of visudo here, and then let's look at what Bob is allowed to run. I'll clear the screen and run sudo -l, and I'll specify Bob with -U (capital U), the user whose configuration I wanna list. And there it shows that Bob can run the /usr/bin/yum command. I can also do -ll (a double l), which gives more verbose output. I'll do that here for Bob, and it just puts it in a slightly different format and gives a little bit more information.

So now I'm gonna go ahead and switch to the Bob account. If I was Bob and logged into this system, I could run sudo -l as myself, and it will show me what I can do. I'll enter my password there. And again, you can see that Bob is allowed to run the yum command. So, let's install some software as Bob, since that's what the yum command allows us to do. I'll run yum install, and install this program called dstat, which I kinda like to monitor system activity. So it's downloading and installing. And so that command got executed as the root user. I'll go ahead and exit out of here.

Let's create a file in /etc/sudoers.d. To do this, I'll use visudo -f and specify sudoers. Now let's allow Bob to run the whoami command as anyone on the system. Now you can see Bob can run yum as root, and whoami as anyone. So I'll switch to Bob's account. When Bob runs whoami, it says he's Bob. So let's use sudo with -u (lowercase u), which means run the following command as this user, and I'm going to do that with a user Jason. So now when I execute that whoami command, it says you're Jason. All right, let's do this again, and let's run a command as the apache user. And again, the whoami command returns the effective user, which is apache, because we used sudo to effectively execute the command as the apache user.

So even though this may be a bit of a contrived example, the point is that you can give permissions to one user to run commands as another user, and tightly control that access. Also, there's a clear audit trail. This system is configured to log sudo messages into /var/log/secure. Let's look at that file real quick. You can see exactly what user ran what command, and it even tells you what directory they were in when they executed that command.
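The audit trail described at the end of the demo can be read programmatically. The following is an added example, not part of the course material: a small Python parser for the record layout sudo writes to /var/log/secure, separating commands that ran from attempts sudo refused. The log lines, host name and the refused attempt are constructed, and the account name bob and the rule spellings in the comments are assumptions, since the page does not show the file contents.

```python
import re

# Assumed spelling of the two rules the demo describes (not shown on the page):
#   bob ALL=(root) /usr/bin/yum        bob ALL=(ALL) /usr/bin/whoami
# Constructed sample records; host, times and the refused attempt are invented.
SAMPLE_LOG = """\
Mar  3 10:15:42 linuxsvr sudo:     bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/yum install dstat
Mar  3 10:17:05 linuxsvr sudo:     bob : TTY=pts/0 ; PWD=/home/bob ; USER=jason ; COMMAND=/usr/bin/whoami
Mar  3 10:17:31 linuxsvr sudo:     bob : TTY=pts/0 ; PWD=/tmp ; USER=apache ; COMMAND=/usr/bin/whoami
Mar  3 10:19:48 linuxsvr sudo:     bob : command not allowed ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/visudo
Mar  3 10:20:02 linuxsvr sshd[2211]: Accepted password for bob from 192.0.2.10 port 50022 ssh2
"""

SUDO_RE = re.compile(r"\bsudo(?:\[\d+\])?:\s+(?P<invoker>\S+) : (?P<fields>.*)$")

def parse_sudo_line(line):
    """Return a dict for a sudo command record, or None for any other line."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    # COMMAND= is always the last field; split it off first so a command
    # that itself contains " ; " is not cut apart.
    head, found, command = m["fields"].partition("COMMAND=")
    if not found:
        return None
    event = {"invoker": m["invoker"], "command": command, "refusal": None}
    for part in head.split(" ; "):
        key, eq, value = part.strip().partition("=")
        if eq:
            event[key.lower()] = value   # tty, pwd, user (the run-as account)
        elif key:
            event["refusal"] = key       # e.g. "command not allowed"
    return event

def audit(log_text):
    """Split sudo records into commands that ran and attempts sudo refused."""
    ran, refused = [], []
    for line in log_text.splitlines():
        event = parse_sudo_line(line)
        if event:
            (refused if event["refusal"] else ran).append(event)
    return ran, refused

if __name__ == "__main__":
    ran, refused = audit(SAMPLE_LOG)
    for e in ran + refused:
        print(e["refusal"] or "ran", "|", e["invoker"], "as", e.get("user"),
              "in", e.get("pwd"), "|", e["command"])
```

On a real system, pass the contents of /var/log/secure to audit() instead of SAMPLE_LOG; reading that file normally requires root.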
