Please enable JavaScript.
Coggle requires JavaScript to display documents.
π 12 Linux Enterprise Sudo - Least Privilege Access Control - Coggleβ¦
π 12 Linux Enterprise Sudo - Least Privilege Access Control
1οΈβ£ Introduction to Sudo
π What is Sudo?
Sudo = Super User DO
Purpose
Allow normal users to execute specific privileged commands
Execute commands with elevated permissions
Avoid giving users direct root login access
Enterprise Goal
Security
Accountability
Auditing
Least Privilege Access
π Why Sudo is Required in Enterprise
Without Sudo
Users need root password
No command tracking
High security risk
Difficult accountability
With Sudo
Users use their own accounts
Temporary privilege elevation
Every command is logged
Access can be controlled
2οΈβ£ Principle of Least Privilege (PoLP)
π Definition
Give users only the minimum permissions required
No unnecessary administrative access
π Example
Bad Security
Developer gets full root access
sudo ALL=(ALL) ALL
Good Security
Developer only restart application
sudo systemctl restart myapp
π Enterprise Benefits
Reduce insider threats
Reduce accidental damage
Limit malware impact
Improve compliance
3οΈβ£ Sudo Architecture in Linux
π Important Sudo Files
/etc/sudoers
Main sudo configuration file
Controls user privileges
Must edit using visudo
/etc/sudoers.d/
Directory for custom sudo policies
Enterprise recommended method
Separate files for teams
/var/log/auth.log
Ubuntu/Debian sudo logs
/var/log/secure
RHEL/CentOS sudo logs
4οΈβ£ visudo Command
π What is visudo?
Safe editor for sudo configuration
Command
sudo visudo
Why use visudo?
Checks syntax errors
Prevents broken sudo configuration
Locks file during editing
Edit separate policy file
sudo visudo -f /etc/sudoers.d/admin_team
5οΈβ£ Sudoers File Syntax
Format
USER HOST=(RUN_AS_USER) COMMANDS
Example
bilal ALL=(ALL) ALL
Breaking Down Each Field
π€ USER
Who receives permission
Example
bilal
ahmed
admin_group
π HOST
Where permission applies
Example
ALL
All hosts
server01
Only server01
π RUN AS USER
Which user can execute commands as
Example
root
Execute as root
ALL
Execute as any user
β COMMANDS
Which commands are allowed
Example
/usr/bin/systemctl
/usr/bin/journalctl
6οΈβ£ Understanding ALL Keyword
ALL means no restriction
First ALL
Host restriction
Example
bilal ALL=(root) ALL
Meaning
bilal can use sudo on any server
Second ALL
Run as user restriction
Example
bilal ALL=(ALL) ALL
Meaning
bilal can become any user
root
mysql
nginx
postgres
Third ALL
Command restriction
Example
bilal ALL=(root) ALL
Meaning
All commands allowed
7οΈβ£ User Based Sudo Access
Full Administrative User
Example
bilal ALL=(ALL) ALL
Permission
Complete root administration
Limited User
Example
backupuser ALL=(root) /usr/bin/rsync
Allowed
Backup operations only
8οΈβ£ Group Based Sudo Access
Why Groups?
Easier enterprise management
Manage many users together
Example Group
Linux Administrators
Create Group
sudo groupadd linux_admins
Add User
sudo usermod -aG linux_admins bilal
Sudo Rule
%linux_admins ALL=(ALL) ALL
Meaning
All members get sudo access
9οΈβ£ Command Restricted Sudo
Full Root Access
user ALL=(ALL) ALL
Restricted Example
user ALL=(root) /usr/bin/systemctl
Allowed
sudo systemctl restart nginx
Not Allowed
sudo useradd test
π Multiple Command Permissions
Example
bilal ALL=(root) /usr/bin/systemctl,\
/usr/bin/journalctl,\
/usr/bin/tail
Purpose
Allow required administration only
1οΈβ£1οΈβ£ NOPASSWD Sudo
Definition
Run sudo commands without password
Example
bilal ALL=(ALL) NOPASSWD: ALL
Enterprise Usage
Automation servers
Ansible
CI/CD pipelines
Security Risk
Dangerous for human users
1οΈβ£2οΈβ£ Sudo Command Aliases
Purpose
Create reusable permission groups
User Alias
User_Alias ADMINS = bilal, ahmed
Command Alias
Cmnd_Alias SERVICES = /usr/bin/systemctl
Apply Rule
ADMINS ALL=(root) SERVICES
1οΈβ£3οΈβ£ Enterprise Role Based Sudo Model
π¨βπ» Linux Administrators
Permission
Full server management
Example
%linux_admins ALL=(ALL) ALL
π SOC Analysts
Permission
Read security logs only
Commands
journalctl
tail
grep
π¨βπ» Developers
Permission
Restart applications
Example
systemctl restart application
πΎ Backup Team
Permission
rsync
backup scripts
1οΈβ£4οΈβ£ Enterprise Sudo Directory Structure
/etc
sudoers
sudoers.d
linux_admins
developers
backup_team
soc_team
1οΈβ£5οΈβ£ Example Enterprise Configuration
File
/etc/sudoers.d/linux_admins
Content
%linux_admins ALL=(ALL) ALL
File
/etc/sudoers.d/developers
Content
%developers ALL=(root) /usr/bin/systemctl
File
/etc/sudoers.d/soc
Content
%soc ALL=(root) /usr/bin/journalctl
1οΈβ£6οΈβ£ Checking Sudo Permissions
Check Current User
sudo -l
Check Another User
sudo -l -U username
1οΈβ£7οΈβ£ Sudo Logging and Auditing
Logs
Ubuntu
/var/log/auth.log
RHEL
/var/log/secure
Audit Information
User name
Command executed
Time
Target user
1οΈβ£8οΈβ£ Sudo Security Best Practices
β Never allow unnecessary ALL
β Disable direct root login
β Use groups instead of individual users
β Use /etc/sudoers.d/
β Always edit with visudo
β Review sudo permissions regularly
β Remove unused accounts
β Enable logging
1οΈβ£9οΈβ£ Enterprise Workflow
Step 1
Create user
Step 2
Create role group
Step 3
Add user to group
Step 4
Create sudo policy
Step 5
Validate with visudo
Step 6
Test sudo access
Step 7
Monitor logs
2οΈβ£0οΈβ£ Complete Enterprise Example
Requirement
Linux Admin Team
Full access
Database Team
Database commands only
Developers
Application restart only
SOC
Log investigation only
Implementation
Groups
linux_admins
database_admins
developers
soc_team
Sudo Policies
/etc/sudoers.d/linux_admins
%linux_admins ALL=(ALL) ALL
/etc/sudoers.d/developers
%developers ALL=(root) /usr/bin/systemctl restart app
/etc/sudoers.d/soc_team
%soc_team ALL=(root) /usr/bin/journalctl
π― Final Enterprise Concept
Sudo is not about giving root access
Sudo is about controlled privilege elevation
Enterprise Security Model
Identity
Who is the user?
Authentication
Verify user
Authorization
What can user do?
Least Privilege
Minimum required access
Auditing
Record every action