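# CIS Debian 13 Benchmark - Sudo Hardening Configuration
# Implements the benchmark's sudo recommendations: commands run in a pty,
# a dedicated log file, a password required for privilege escalation,
# re-authentication not disabled, credential timeout <= 15 minutes.
# Validate before installing:  visudo -c -f <this file>
#
# Review notes on this revision (what changed relative to the previous file):
#  * Every Defaults option is now set exactly once. The previous file declared
#    several of them two or three times (secure_path with and without
#    /snap/bin, the log options, requiretty, the timeouts); sudoers applies
#    the last value, which made the effective policy hard to audit.
#  * "Defaults <opt> in /etc/sudoers.d/" and "Defaults !authenticate for <cmd>"
#    are not sudoers syntax, so visudo rejected the file. Per-command defaults
#    are written "Defaults!/path option". The !authenticate exception for
#    apt/dpkg was dropped rather than rewritten: unauthenticated apt/dpkg is
#    root-equivalent (dpkg -i of a crafted package, apt -o
#    APT::Update::Pre-Invoke=<cmd>) and defeats the benchmark's
#    re-authentication control.
#  * Debian 13 is merged-/usr: /bin and /sbin are symlinks into /usr. sudo
#    matches the path it resolves through secure_path (/usr/bin precedes /bin),
#    so rules spelled /bin/<cmd> only match when the caller types that exact
#    path. All rules below use /usr/bin or /usr/sbin.
#  * The NOPASSWD grants to "user" were reduced to a least-privilege set; see
#    the notes in that section for what was removed and why.

# --- Environment ------------------------------------------------------------
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# env_keep written with "=" replaces the compiled-in list (use "+=" to extend
# it). PATH is listed for completeness but secure_path overrides it anyway.
# env_delete is intentionally absent: it only takes effect when env_reset is
# off, so the previous env_delete lines had no effect.
Defaults env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS PATH PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME XAUTHORIZATION XAUTHORITY"
Defaults always_set_home
Defaults match_group_by_gid

# --- Authentication ---------------------------------------------------------
Defaults authenticate
Defaults passwd_tries=3
# 15 minutes is the benchmark's upper bound; a lower value is acceptable.
Defaults timestamp_timeout=15
# tty_tickets (the default) binds a cached credential to the terminal it was
# entered on. The previous file set !tty_tickets, which shares one ticket
# across every session of the user, while its comment claimed the opposite.
Defaults tty_tickets
Defaults !visiblepw
Defaults badpass_message="Authentication failed. Please check your password and try again."
Defaults lecture=always
# Must not live under /etc/sudoers.d/: files there are parsed as sudoers
# fragments (only names containing '.' or ending in '~' are skipped), so a
# plain-text lecture there is a parse error that breaks sudo for everyone.
Defaults lecture_file=/etc/sudo.lecture

# --- Terminal ---------------------------------------------------------------
# use_pty (benchmark) runs the command in its own pty so it cannot inject
# keystrokes into the caller's terminal. requiretty additionally refuses
# non-interactive invocations (cron, configuration management, CI); remove it
# if those are expected on this host.
Defaults use_pty
Defaults requiretty

# --- Logging ----------------------------------------------------------------
Defaults syslog=authpriv
# The directory must already exist (root:root 0700); sudo creates the file
# but not its parent directory.
Defaults logfile="/var/log/security/sudo.log"
Defaults loglinelen=0
Defaults log_host
Defaults log_year
# I/O logging records every keystroke of the session, including anything the
# user types at prompts (passwords, tokens). Keep iolog_dir root-only and
# apply a retention policy.
Defaults log_input,log_output
Defaults iolog_dir="/var/log/sudo-io"
Defaults iolog_file="%{user}/%{seq}"
# Editor used by sudoedit and visudo. This does not restrict sudoedit in any
# way (the previous comment said otherwise). For sudoedit the editor runs as
# the invoking user; for visudo it runs as root, so the editor's ability to
# spawn external commands matters there.
Defaults editor=/usr/bin/nano

# --- Full root (password required) ------------------------------------------
root ALL=(ALL:ALL) ALL
# Debian's administrative group.
%sudo ALL=(ALL:ALL) ALL
# Kept from the previous file; remove if the group does not exist here.
%admin ALL=(ALL) ALL

# --- Operator tier (%wheel): enumerated commands, password required ---------
# The previous file also granted %wheel "ALL=(ALL:ALL) ALL", which made every
# line below redundant. That blanket grant is gone. NOTE: several of these
# commands are still root-equivalent (apt/dpkg install arbitrary packages,
# systemctl can link or edit units, usermod can add members to %sudo), so
# wheel membership must be treated as root-level trust; the enumeration
# narrows casual use and improves the audit trail, it is not a boundary.
%wheel ALL=(root) /usr/sbin/auditctl, /usr/sbin/aureport, /usr/sbin/ausearch
%wheel ALL=(root) /usr/bin/aide, /usr/sbin/aideinit
%wheel ALL=(root) /usr/bin/apt-get, /usr/bin/apt, /usr/bin/dpkg
%wheel ALL=(root) /usr/bin/aptitude, /usr/bin/apt-cache
%wheel ALL=(root) /usr/bin/systemctl, /usr/bin/service, /usr/sbin/service
%wheel ALL=(root) /usr/sbin/iptables, /usr/sbin/ip6tables, /usr/sbin/nft
%wheel ALL=(root) /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod
%wheel ALL=(root) /usr/sbin/groupadd, /usr/sbin/groupdel, /usr/sbin/groupmod
%wheel ALL=(root) /usr/sbin/reboot, /usr/sbin/shutdown, /usr/sbin/halt
%wheel ALL=(root) /usr/bin/poweroff, /usr/sbin/poweroff, /usr/sbin/init

# --- "user": least-privilege NOPASSWD grants --------------------------------
# NOPASSWD itself is flagged by the benchmark; keep this list as short as
# possible. Removed from the previous file, each with the reason:
#   mount/umount/udisksctl   arbitrary mounts as root (loop image carrying a
#                            setuid binary, bind mount over /etc); udisksctl
#                            is designed to run unprivileged with polkit
#                            deciding, and running it as root bypasses that.
#   cat/tail/grep/less       read any file as root (/etc/shadow, host keys);
#                            less also opens a shell with "!".
#   free/df/ps/top           work without root; nothing to escalate for.
#   systemctl status,        run a pager as root, which has a shell escape;
#   journalctl               log access belongs in the adm and
#                            systemd-journal groups, not in sudo.
#   ip (unrestricted)        "ip netns exec <ns> /bin/sh" is a root shell.
#   ping/traceroute          normally work unprivileged on Debian via file
#                            capabilities (check: getcap /usr/bin/ping).
#
# VPN: control a root-owned WireGuard unit instead of exposing wg/ip. The
# unit name is fixed so no other unit is reachable; /etc/wireguard/vpn.conf
# must not be writable by "user" (PreUp/PostUp hooks run as root). Adjust the
# unit name to the local setup.
user ALL=(root) NOPASSWD: /usr/bin/systemctl start wg-quick@vpn.service, \
                          /usr/bin/systemctl stop wg-quick@vpn.service, \
                          /usr/bin/systemctl restart wg-quick@vpn.service
# Read-only VPN state. Exact "wg show" only: it prints "(hidden)" for the
# private key, whereas "wg show <if> private-key" and "wg showconf" reveal it.
user ALL=(root) NOPASSWD: /usr/bin/wg show
# Verification script: must be root:root and not writable by "user", or this
# is a root shell. The trailing "" forbids passing any arguments.
user ALL=(root) NOPASSWD: /usr/local/bin/verify-system.sh ""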