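# CIS Benchmark Sudo Configuration
# Implements the least-privilege principle.
#
# This file is read by sudo(8) as sudoers(5), not as INI.  Validate every edit
# with `visudo -c -f <file>` before installing it: sudo refuses to run at all
# while any sudoers file fails to parse.

# ============================================================================
# Defaults
# ============================================================================

# Show the lecture on every sudo invocation (values: always, once, never).
Defaults lecture = always
# The lecture text must live OUTSIDE /etc/sudoers.d: sudo parses every file in
# that directory (except names containing "." or ending in "~") as a sudoers
# fragment, so a plain-text lecture placed there produces a parse error.
# Sample path below; adjust to the host's layout.
Defaults lecture_file = /etc/sudo_lecture

# Log every sudo command, plus the terminal input and output of each session.
Defaults logfile = /var/log/sudo.log
Defaults log_input, log_output

# Run each command in a pseudo-terminal so it cannot inject keystrokes into
# the invoking terminal (recommended by the CIS sudo controls).
Defaults use_pty

# Fixed PATH for commands run through sudo.
Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# One authentication timestamp per terminal.  The original set "!tty_tickets",
# which lets a password entered on one terminal satisfy sudo on every other
# terminal of the same user; tty_tickets is the secure (and default) setting.
Defaults tty_tickets

# Prompt for the invoking user's own password, not the target user's.
Defaults !targetpw

# Cached-credential lifetime in minutes (CIS: 15 or less).
Defaults timestamp_timeout = 5

# Require a password.  The original line read "!authenticate", which switches
# authentication OFF for every rule in this file -- the opposite of its
# comment.  authenticate is sudo's default; it is stated explicitly so the
# intent is unambiguous.
Defaults authenticate

# No insults on a wrong password.
Defaults !insults

# Start each command from a clean environment.  env_delete is only consulted
# when env_reset is off, so it is kept as a belt-and-braces setting; "+="
# appends to sudo's built-in deletion list instead of replacing it as "=" did.
Defaults env_reset
Defaults env_delete += "EDITOR VISUAL PAGER DISPLAY XAUTHORITY"
# visudo uses only its configured editor, never $EDITOR / $VISUAL.
Defaults !env_editor

# ============================================================================
# User Permissions
# ============================================================================

# Full sudo for root.  The original comment called this "No root login via
# sudo", which is the opposite of what the rule grants.
root ALL=(ALL) ALL

# "user" is a placeholder login name; replace it with the real account (or a
# %group) allowed to run any command with its own password.
user ALL=(ALL:ALL) ALL

# ============================================================================
# Security Restrictions
# ============================================================================

# The original ended with "Defaults!/usr/bin/su !root".  That is not valid
# sudoers syntax ("Defaults!<command>" takes Defaults parameters, and "!root"
# is not one), so visudo rejects the whole file.  It has no safe drop-in
# replacement: sudoers(5) warns that excluding individual commands with "!"
# under an ALL grant is easily circumvented.  Limit what a user can reach by
# narrowing the command lists in the rules above (allow-list), not by adding
# a deny entry here.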