SUDO Policy Scenario
1) Default setting: try sudo before any policy exists
[nilesh@oem ~]$ id
uid=500(nilesh) gid=100(users) groups=100(users)
[nilesh@oem ~]$
[nilesh@oem ~]$ sudo /bin/su - grid
[sudo] password for nilesh:
nilesh is not in the sudoers file. This incident will be reported.
[nilesh@oem ~]$
Can I log in to grid directly?
Let's try:
[nilesh@oem ~]$
[nilesh@oem ~]$ su - grid
Password:
[grid@oem ~]$ id
uid=54323(grid) gid=54321(oinstall) groups=54321(oinstall),54322(dba)
[grid@oem ~]$ whoami
grid
[grid@oem ~]$
Yes, with su we can switch to grid directly, but only because we know the grid password. Handing a service account's password to everyone who needs the account is bad practice: the log shows that somebody became grid, not who.
2) Let's use a sudo policy instead of the direct login.
For that, use the visudo command to add the configuration below to /etc/sudoers (visudo parses the file before saving, so a syntax error cannot lock everyone out). The empty_value and /empty_value entries are dummy last items so that every real entry can end with a comma and a backslash; no user or program by that name exists, so they never match anything.
# PolicyName in EAF : POLICY
# PolicyTech:
User_Alias POLICY_LOCAL_USERS= \
nilesh, \
empty_value
Host_Alias POLICY_LOCAL_HOSTS= \
ALL, \
empty_value
# END OF LIST
# two separate commands: the comma between them matters, otherwise sudo reads one
# command (/bin/su) with "grid /bin/su - grid" as its arguments and denies "su - grid"
Cmnd_Alias POLICY_LOCAL_CMNDS= \
/bin/su grid, /bin/su - grid, \
/empty_value
# END OF LIST
POLICY_LOCAL_USERS POLICY_LOCAL_HOSTS=POLICY_LOCAL_CMNDS, \
/empty_value
# END OF LIST
Log in to grid with nilesh's own password, and it works:
[nilesh@oem ~]$ sudo /bin/su - grid
[sudo] password for nilesh:        <-- tried the grid password here
Sorry, try again.
[sudo] password for nilesh:        <-- nilesh's own password: accepted, login succeeds
[grid@oem ~]$ whoami
grid
[grid@oem ~]$ id
uid=54323(grid) gid=54321(oinstall) groups=54321(oinstall),54322(dba)
[grid@oem ~]$
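A safer way to put the same policy in place is a drop-in file under /etc/sudoers.d that visudo checks before it goes live, so a typo (such as a missing comma between the two su commands) can never break sudo for everyone. The script below is an added example, not code from the original post: the POLICY_* alias names follow the post, while the file name, the install steps and the use of /etc/sudoers.d are assumptions (the main sudoers file must contain the usual #includedir /etc/sudoers.d line).

```shell
#!/bin/sh
# Install a "become a service account through sudo" policy as a drop-in under
# /etc/sudoers.d, validated by visudo before it goes live. Added example, not
# from the original post: the POLICY_* alias names follow the post, while the
# file name, the install steps and the sudoers.d layout are assumptions.
set -e

# render_policy FROM_USER TARGET_USER: print a sudoers fragment that lets FROM_USER run
# exactly "/bin/su TARGET_USER" or "/bin/su - TARGET_USER" on any host, with FROM_USER's
# own password. The two commands are separate list entries: without the comma, sudo
# would read one command (/bin/su) with the rest as its arguments and deny "su - grid".
render_policy() {
  from="$1"; target="$2"
  tag="$(printf '%s' "$target" | tr '[:lower:]' '[:upper:]' | sed 's/-/_/g')"   # alias names: [A-Z0-9_]
  cat <<EOF
# Let $from become $target via sudo without knowing $target's password.
User_Alias POLICY_${tag}_USERS = $from
Host_Alias POLICY_${tag}_HOSTS = ALL
Cmnd_Alias POLICY_${tag}_CMNDS = /bin/su $target, /bin/su - $target
POLICY_${tag}_USERS POLICY_${tag}_HOSTS = POLICY_${tag}_CMNDS
EOF
}

# install_policy FROM_USER TARGET_USER (run as root): write to a temp file, let visudo
# check it, and only then install it with the permissions sudo insists on (0440 root:root).
# A rejected fragment is discarded, so a typo can never break sudo for everyone.
install_policy() {
  from="$1"; target="$2"
  file="/etc/sudoers.d/su-$target"        # no '.' or '~' in the name, or sudo ignores the file
  tmp="$(mktemp)"
  render_policy "$from" "$target" > "$tmp"
  if ! visudo -c -f "$tmp"; then
    rm -f "$tmp"
    echo "policy rejected by visudo, nothing installed" >&2
    return 1
  fi
  install -m 0440 -o root -g root "$tmp" "$file"
  rm -f "$tmp"
  sudo -l -U "$from"                      # show what FROM_USER may now run
}

case "${1:-render}" in
  install) install_policy "$2" "$3" ;;                    # as root: sh su-policy.sh install nilesh grid
  *)       render_policy "${2:-nilesh}" "${3:-grid}" ;;   # dry run: print the fragment only
esac
```

Run it without arguments to see the fragment, and as root with "install nilesh grid" to install it; sudo -l -U nilesh at the end is the quickest way to confirm what the policy really grants. Note that allowing /bin/su hands out a full interactive shell as the target user; if that is what you want, the plainer sudo form is a Runas spec such as "nilesh ALL=(grid) ALL" used with "sudo -i -u grid", which does not route through su at all.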
Now let's lock the grid account and try the sudo route again.
Before locking, look at the shadow entry:
[root@oem ~]# cat /etc/shadow | grep grid
grid:$6$hy3ZZvcS$dRj39slZEvZA0yUBWAxb1FgQnFMbBSBHZ3m8RZrtLZAf3d9PH0XNlo6QrG.isBhtvJOsmIGw9wQqGS8hYY6D61:18397:0:99999:7:::
After locking the account, a ! in front of the hash in the password field shows that it is locked (the hash is kept, so usermod -U reverses it):
[root@oem ~]# sudo usermod -L grid
[root@oem ~]# cat /etc/shadow | grep grid
grid:!$6$hy3ZZvcS$dRj39slZEvZA0yUBWAxb1FgQnFMbBSBHZ3m8RZrtLZAf3d9PH0XNlo6QrG.isBhtvJOsmIGw9wQqGS8hYY6D61:18397:0:99999:7:::
Now log in as nilesh and use the sudo policy again:
login as: nilesh
nilesh@192.168.xx.24's password:
Last login: Thu May 14 21:29:27 2020 from 192.168.56.1
[nilesh@oem ~]$ sudo /bin/su - grid
[sudo] password for nilesh:
[grid@oem ~]$
[grid@oem ~]$ id
uid=54323(grid) gid=54321(oinstall) groups=54321(oinstall),54322(dba)
[grid@oem ~]$ whoami
grid
[grid@oem ~]$
The lock makes no difference to the sudo route: sudo verified nilesh's password, and su runs as root, which never asks for the target user's password. Locking grid only blocks the paths that check grid's password (SSH password login, a plain su - grid).
Now let's go a step further and replace the hash itself with NP in /etc/shadow (edit it with vipw -s rather than a plain editor, so the file stays consistent while you write). On Linux, NP has no special meaning; it is simply not a valid crypt hash, so no password can ever match it. Any other non-hash value such as * behaves the same way, and passwd -l or usermod -L is the supported way to get the same effect:
[root@oem ~]# cat /etc/shadow | grep grid
grid:NP:18397:0:99999:7:::
[root@oem ~]#
Log in as nilesh one more time and use the sudo policy to become grid:
login as: nilesh
nilesh@192.168.56.24's password:
Last login: Thu May 14 22:18:18 2020 from XXXXXXXXXXX
[nilesh@oem ~]$
[nilesh@oem ~]$
[nilesh@oem ~]$
[nilesh@oem ~]$ sudo /bin/su - grid
[sudo] password for nilesh:
[grid@oem ~]$ id
uid=54323(grid) gid=54321(oinstall) groups=54321(oinstall),54322(dba)
[grid@oem ~]$ whoami
grid
[grid@oem ~]$
So the grid password is locked, and the account itself never expires; password expiry and account expiry are separate fields in /etc/shadow, which chage shows:
[root@oem ~]# chage -l grid
Last password change : May 15, 2020
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
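To make the shadow states above concrete (the ! prefix that usermod -L adds, the hand-edited NP, and the date that chage prints from the days-since-epoch field), here is a small POSIX shell classifier. It is an added example, not part of the original post; the sample entries are constructed from the transcript above (same user, same hash, same dates), and the state names are my own.

```shell
#!/bin/sh
# Interpret the password field of /etc/shadow entries. Added example, not from the
# original post; the sample entries below are constructed from the transcript above.
set -e

# shadow_pw_state ENTRY: classify field 2 of a shadow line.
#   none    - empty field: no password is required at all (dangerous)
#   locked  - '!' in front of an otherwise valid hash: usermod -L / passwd -l,
#             reversible with usermod -U / passwd -u
#   invalid - '*', '!!', 'NP' or any other non-hash: password auth can never succeed.
#             Linux gives 'NP' no special meaning (that is a Solaris convention); it
#             works only because crypt() never produces that string. Tools such as
#             passwd -S only recognise the '!'/'*' prefixes, so prefer the real lock.
#   usable  - a $id$salt$hash crypt(3) string ($6$ = SHA-512)
shadow_pw_state() {
  pw="$(printf '%s\n' "$1" | cut -d: -f2)"
  case "$pw" in
    '')            echo none ;;
    '!$'*'$'*'$'*) echo locked ;;
    '$'*'$'*'$'*)  echo usable ;;
    *)             echo invalid ;;
  esac
}

# shadow_lastchg_date ENTRY: field 3 is days since 1970-01-01; print it as YYYY-MM-DD
# (the same value chage -l shows as "Last password change").
shadow_lastchg_date() {
  days="$(printf '%s\n' "$1" | cut -d: -f3)"
  secs=$((days * 86400))
  date -u -d "@$secs" +%Y-%m-%d 2>/dev/null || date -u -r "$secs" +%Y-%m-%d   # GNU date, then BSD date
}

# shadow_report ENTRY: "user state last-change" on one line.
shadow_report() {
  user="$(printf '%s\n' "$1" | cut -d: -f1)"
  printf '%s %s %s\n' "$user" "$(shadow_pw_state "$1")" "$(shadow_lastchg_date "$1")"
}

# Constructed sample entries: before the lock, after usermod -L, after the hand edit to NP.
SAMPLE_BEFORE='grid:$6$hy3ZZvcS$dRj39slZEvZA0yUBWAxb1FgQnFMbBSBHZ3m8RZrtLZAf3d9PH0XNlo6QrG.isBhtvJOsmIGw9wQqGS8hYY6D61:18397:0:99999:7:::'
SAMPLE_LOCKED='grid:!$6$hy3ZZvcS$dRj39slZEvZA0yUBWAxb1FgQnFMbBSBHZ3m8RZrtLZAf3d9PH0XNlo6QrG.isBhtvJOsmIGw9wQqGS8hYY6D61:18397:0:99999:7:::'
SAMPLE_NP='grid:NP:18397:0:99999:7:::'

for e in "$SAMPLE_BEFORE" "$SAMPLE_LOCKED" "$SAMPLE_NP"; do shadow_report "$e"; done
```

Run as root with "grep '^grid:' /etc/shadow" piped into shadow_report to check a live account; the point to take away is that none of these states affects the sudo route, which authenticates the caller, not grid.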
The good thing is that without sharing the grid password within the team, we can do everything grid needs to do, and every switch is logged under the real user's name.
You can do the same for other admin users.
Now the same question for root. Can the grid user log in directly as root?
Yes, if grid knows the root password. But sharing the root password with the grid admin user (or anyone else) is not good practice.
CASE 1: log in as grid, then su to root with the root password
login as: grid
grid@192.168.56.24's password:
Last login: Thu May 14 23:28:56 2020 from 192.168.56.1
[grid@oem ~]$
Also check the log file for the login information:
tail -10f /var/log/secure
May 14 23:31:25 oem sshd[27751]: Accepted password for grid from 192.XX.XX.1 port 56791 ssh2
May 14 23:31:25 oem sshd[27751]: pam_unix(sshd:session): session opened for user grid by (uid=0)
[grid@oem ~]$ su - root -----------------> enter root password
Password:
[root@oem ~]#
[root@oem ~]# id
uid=0(root) gid=0(root) groups=0(root),489(sfcb)
[root@oem ~]# whoiam
[root@oem ~]# whoami
root
[root@oem ~]#
Snippet from /var/log/secure:
May 14 23:37:43 oem su: pam_unix(su-l:session): session opened for user root by grid(uid=54323)
Only limited information is recorded: the root session was opened by grid(uid=54323), but there is no record of why or of what was run, and since the root password is shared, anybody holding it could just as well have logged in as root directly with no attribution at all.
CASE 2: become root through sudo, using grid's own password.
Monitor the log with tail -10f /var/log/secure in another window:
[root@oem ~]# tail -100f /var/log/secure
Step 1. Use visudo to add the policy.
Step 2. Add the lines below to the sudoers file. The alias names used in the final rule must be the ones defined above it, otherwise visudo rejects the file with an undeclared alias error:
User_Alias POLICY_ROOT_LOCAL_USERS= \
grid, \
empty_value
Host_Alias POLICY_ROOT_LOCAL_HOSTS= \
ALL, \
empty_value
# END OF LIST
Cmnd_Alias POLICY_ROOT_LOCAL_CMNDS= \
/bin/su root, /bin/su - root, \
/empty_value
# END OF LIST
POLICY_ROOT_LOCAL_USERS POLICY_ROOT_LOCAL_HOSTS=POLICY_ROOT_LOCAL_CMNDS, \
/empty_value
# END OF LIST
Step 3. Open a new PuTTY session:
login as: grid
grid@192.168.XX.24's password:
Last login: Thu May 14 23:31:25 2020 from 192.168.56.1
[grid@oem ~]$
[grid@oem ~]$ sudo /bin/su - root
[sudo] password for grid:
[root@oem ~]#
Now add a user or do any other admin activity, and it is recorded in the security log.
I simply added the user gangesh; look at what was recorded.
Snippet from the log file:
May 14 23:43:30 oem sshd[27932]: pam_unix(sshd:session): session opened for user grid by (uid=0)
May 14 23:43:45 oem sudo: grid : TTY=pts/1 ; PWD=/home/grid ; USER=root ; COMMAND=/bin/su - root
May 14 23:43:45 oem su: pam_unix(su-l:session): session opened for user root by grid(uid=0)
May 14 23:57:56 oem useradd[28551]: new user: name=gangesh, UID=501, GID=501, home=/home/gangesh, shell=/bin/bash
So by adding a simple policy we avoid sharing the root password with everyone. The sudo line is the record that matters: who (grid), from which terminal and directory, as whom (USER=root) and which command. The su line now says by grid(uid=0) because su was already running as root under sudo and never asked for a password. Keep two limits in mind. First, sudo logs the command it launched, not what you type inside the root shell afterwards (the useradd line comes from useradd itself); for real per-command accountability, grant the specific commands in sudoers instead of /bin/su, or enable log_output in sudoers and review sessions with sudoreplay. Second, if you lock the root password (passwd -l root) so nobody can log in as root directly, remember that the lock only affects password authentication: also set PermitRootLogin to no in sshd_config if root has SSH keys.
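The two log snippets above are exactly what a detection rule should key on: a su-l session to root opened by a non-root uid means the shared root password was typed (CASE 1, no sudo record), while a sudo line with USER=root carries the full who/where/what (CASE 2). The script below is an added example, not from the original post; SAMPLE_LOG is constructed from the lines shown above, with the client address replaced by a documentation address.

```shell
#!/bin/sh
# Pick root escalations out of /var/log/secure and tell the audited path (sudo)
# from the unaudited one (su with the shared root password). Added example, not
# from the original post; SAMPLE_LOG is constructed from the lines shown above.
set -e

SAMPLE_LOG='May 14 23:31:25 oem sshd[27751]: Accepted password for grid from 192.0.2.1 port 56791 ssh2
May 14 23:37:43 oem su: pam_unix(su-l:session): session opened for user root by grid(uid=54323)
May 14 23:43:30 oem sshd[27932]: pam_unix(sshd:session): session opened for user grid by (uid=0)
May 14 23:43:45 oem sudo: grid : TTY=pts/1 ; PWD=/home/grid ; USER=root ; COMMAND=/bin/su - root
May 14 23:43:45 oem su: pam_unix(su-l:session): session opened for user root by grid(uid=0)
May 14 23:57:56 oem useradd[28551]: new user: name=gangesh, UID=501, GID=501, home=/home/gangesh, shell=/bin/bash'

# audit_root_sessions: read syslog lines on stdin, print one line per escalation to root:
#   SUDO <user> <command>   sudo authenticated <user> and logged the exact command
#   DIRECT <user>           su to root by a non-root uid: the root password itself was typed,
#                           so there is no sudo record and nothing says what was run
# A su line "by <user>(uid=0)" is su already running as root (launched by sudo) and is
# skipped, because the preceding sudo line is the authoritative record.
audit_root_sessions() {
  awk '
    $5 == "sudo:" && / USER=root ; / {
      cmd = $0; sub(/.*COMMAND=/, "", cmd)
      print "SUDO " $6 " " cmd
      next
    }
    /pam_unix\(su-l:session\): session opened for user root by / {
      by = $NF                                  # e.g. grid(uid=54323)
      user = by;  sub(/\(.*/, "", user)
      uid = by;   sub(/.*uid=/, "", uid); sub(/\)$/, "", uid)
      if (uid != "0") print "DIRECT " user
    }
  '
}

# direct_root_users: only the users who used the shared root password (what to chase first)
direct_root_users() { audit_root_sessions | awk '$1 == "DIRECT" { print $2 }' | sort -u; }

printf '%s\n' "$SAMPLE_LOG" | audit_root_sessions
```

On a real host run "audit_root_sessions < /var/log/secure" (or pipe journalctl output into it); any DIRECT line after the root password has been locked means someone still holds a working root credential and is worth an immediate look.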
Importance of a sudo policy
1) A sudo policy makes it easier for the system administrator to manage accounts securely: the service and root passwords stay with the administrator instead of being shared around.
2) With a sudo policy we can grant exactly the privileges a person needs for their duties, per user, per host and per command.
3) With a sudo policy nobody needs to remember (or be told) the root password; everyone authenticates with their own password, and every escalation is logged under their own name.
4) It is harder for an intruder: with the root password locked and direct root login disabled, there is no shared root credential to steal or guess, and every privileged action has to go through a named account whose activity is logged.