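# CIS Debian 13 Benchmark - sudo hardening configuration
#
# Edit ONLY with visudo (or run `visudo -cf <file>` before installing): a
# single syntax error makes sudo refuse every command and locks administrators
# out. Later Defaults lines override earlier ones, so each option is set
# exactly once below instead of being repeated in several sections with
# different values.
#
# Dropped from the previous version because visudo will not parse them:
#   "Defaults !authenticate for <cmd>, ..." - `for` is not sudoers syntax
#       (per-command defaults are written "Defaults!<cmd> <option>"), and
#       CIS requires that re-authentication is never disabled, so there is
#       no replacement for the apt/dpkg exemption.
#   "Defaults <option> in /etc/sudoers.d/"  - `in` is not sudoers syntax;
#       a drop-in directory is pulled in with @includedir, not per option.
#
# This file contains no @includedir line. If it is installed as /etc/sudoers,
# note that Debian's stock file ends with `@includedir /etc/sudoers.d`; decide
# deliberately whether package-installed drop-ins should be honoured.
#
# All command paths use the canonical /usr/... locations. On merged-/usr
# Debian, /bin and /sbin are symlinks; rules written as /bin/<cmd> may not
# match the /usr/bin/<cmd> path that sudo resolves through secure_path.

# ---------------------------------------------------------------------------
# Environment
# ---------------------------------------------------------------------------
# env_reset starts every command with a minimal environment and env_keep is
# the allow-list on top of it. env_delete is only consulted when env_reset is
# disabled, so it is kept as defence in depth rather than as the control
# (the two previous env_delete lines replaced, not extended, each other; they
# are merged here).
Defaults env_reset
Defaults env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS PATH PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME XAUTHORIZATION XAUTHORITY"
Defaults env_delete="BASH_ENV ENV SHELL HOME TERM PS1 LS_COLORS EDITOR PAGER LANG LC_ALL FTP_PROXY HTTP_PROXY HTTPS_PROXY no_proxy"
# PATH handed to the command; user-writable directories are never searched.
# (The previous version set this three times; the last value, without
# /snap/bin, was the effective one and is kept.)
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults always_set_home
# Match "%group" entries by gid as well as by name (nsswitch/LDAP setups).
Defaults match_group_by_gid

# ---------------------------------------------------------------------------
# Authentication (CIS: timeout no longer than 15 minutes, never disabled)
# ---------------------------------------------------------------------------
Defaults authenticate
Defaults passwd_tries=3
Defaults timestamp_timeout=15
# One ticket per tty: authenticating in one terminal must not unlock sudo in
# every other session the same user has open. This is sudo's default; the
# previous "!tty_tickets" did the opposite of what its "no shared sudo
# tickets" comment intended.
Defaults tty_tickets
Defaults !visiblepw
Defaults badpass_message="Authentication failed. Please check your password and try again."
Defaults lecture=always
# The lecture text must NOT live under /etc/sudoers.d: @includedir parses
# every file there whose name contains no '.' as sudoers, and the lecture
# text would then be a syntax error that disables sudo entirely.
Defaults lecture_file=/etc/sudo_lecture

# ---------------------------------------------------------------------------
# Terminal handling
# ---------------------------------------------------------------------------
# use_pty is the CIS control (the command no longer shares the caller's
# terminal). requiretty additionally rejects any sudo call without a tty,
# which breaks cron jobs, configuration management and scripted use; remove
# that one line if such automation runs on this host.
Defaults use_pty
Defaults requiretty

# ---------------------------------------------------------------------------
# sudoedit
# ---------------------------------------------------------------------------
# sudoedit runs the editor as the invoking user (only the file copy happens
# as root), so the editor choice is about consistency, not containment.
# !env_editor (sudo's default, made explicit) stops SUDO_EDITOR, VISUAL and
# EDITOR from substituting an arbitrary program.
Defaults editor=/usr/bin/nano
Defaults !env_editor

# ---------------------------------------------------------------------------
# Logging (CIS: dedicated sudo log file plus syslog)
# ---------------------------------------------------------------------------
# The directory named in logfile must already exist and be root-owned; sudo
# does not create it and only warns when the file cannot be written.
Defaults logfile="/var/log/security/sudo.log"
Defaults syslog=authpriv
Defaults log_host
Defaults log_year
# 0 = never wrap log lines; keeps one event per line for log collectors.
Defaults loglinelen=0
# Session recording. iolog_file is RELATIVE to iolog_dir; the previous
# absolute iolog_file nested /var/log/sudo-io inside itself. log_input
# records every keystroke, including passwords typed into programs run under
# sudo, so /var/log/sudo-io must stay root-only (sudo creates it mode 0700).
Defaults log_input,log_output
Defaults iolog_dir="/var/log/sudo-io"
Defaults iolog_file="%{user}/%{seq}"

# ---------------------------------------------------------------------------
# Full administrators (password required)
# ---------------------------------------------------------------------------
root   ALL=(ALL:ALL) ALL
# %sudo is Debian's administrative group; %admin is the older name kept for
# compatibility with existing group memberships.
%sudo  ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL

# ---------------------------------------------------------------------------
# Operator group "wheel" - password required for every command
# ---------------------------------------------------------------------------
# "wheel" does not exist on Debian by default; create it if this section is
# used. The previous "%wheel ALL=(ALL:ALL) ALL" made every per-command rule
# below meaningless, so it is removed and wheel is genuinely the narrower
# grant. Even so, treat wheel members as root-equivalent: dpkg/apt can
# install arbitrary packages, systemctl can run arbitrary units and usermod
# can add an account to %sudo. This list is an audit and convenience
# boundary, not a privilege boundary.
# Security auditing
%wheel ALL=(root) /usr/sbin/auditctl, /usr/sbin/aureport, /usr/sbin/ausearch
%wheel ALL=(root) /usr/bin/aide, /usr/sbin/aideinit
# Package management
%wheel ALL=(root) /usr/bin/apt-get, /usr/bin/apt, /usr/bin/dpkg
%wheel ALL=(root) /usr/bin/aptitude, /usr/bin/apt-cache
# Service management (Debian ships service(8) in /usr/sbin only)
%wheel ALL=(root) /usr/bin/systemctl, /usr/sbin/service
# Firewall
%wheel ALL=(root) /usr/sbin/iptables, /usr/sbin/ip6tables, /usr/sbin/nft
# Account management
%wheel ALL=(root) /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod
%wheel ALL=(root) /usr/sbin/groupadd, /usr/sbin/groupdel, /usr/sbin/groupmod
# Power control (on Debian all of these are systemctl symlinks in /usr/sbin;
# /usr/bin/poweroff does not exist there)
%wheel ALL=(root) /usr/sbin/reboot, /usr/sbin/shutdown, /usr/sbin/halt
%wheel ALL=(root) /usr/sbin/poweroff, /usr/sbin/init

# ---------------------------------------------------------------------------
# Account "user" - passwordless, so every entry must be non-root-equivalent
# ---------------------------------------------------------------------------
# Removed from the previous version because each one gave "user" a root shell
# or root-level file access without a password, contradicting the "read-only"
# intent stated in the comments:
#   mount/umount   - accept arbitrary sources and options (bind mounts,
#                    filesystems carrying suid binaries); sudoers cannot
#                    safely constrain their arguments.
#   udisksctl      - designed to run unprivileged and be authorised by
#                    polkit; run it without sudo.
#   cat/tail/grep  - read any file as root (/etc/shadow, private keys).
#   less           - has a shell escape ("!"), i.e. a root shell.
#   systemctl status, journalctl - both hand output to a pager (less) as
#                    root, same issue. journalctl needs only membership of
#                    the adm or systemd-journal group; systemctl status
#                    needs no privilege at all.
#   ip             - "ip netns exec" runs an arbitrary program as root.
#   free/df/ps/top/ping/traceroute - need no privilege on Debian (ping and
#                    traceroute use file capabilities); top as root can
#                    signal and renice any process.
# For log reading, add "user" to the adm group instead of granting root.

# WireGuard: wg-quick with a fixed interface name only. When a rule lists
# arguments, sudoers matches the command line exactly, so no other interface
# or option can be passed. wg-quick executes the PreUp/PostUp/PreDown/PostDown
# hooks in /etc/wireguard/<iface>.conf as root, so that file must be
# root-owned and not writable by "user". Replace wg0 with the real interface
# name.
user ALL=(root) NOPASSWD: /usr/bin/wg-quick up wg0, /usr/bin/wg-quick down wg0
# "wg show" with no further arguments (display only).
user ALL=(root) NOPASSWD: /usr/bin/wg show

# Verification script. Because it runs as root without a password, the script
# and every file it sources must be owned by root and writable by nobody else.
# Consider pinning it with a digest ("sha256:<hex> /usr/local/bin/verify-system.sh")
# so a modified copy stops matching this rule.
user ALL=(root) NOPASSWD: /usr/local/bin/verify-system.sh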