Hardening Security For Sudo Configuration On Red Hat/Centos
I/ Configure send notification mail to admin when has sudo action:
1/Configure Postfix SMTP Relay To Gmail:
- Configure Postfix on CentOS 8 as SMTP smart host (relay host) which passing mail to another mail servers.
- Create or modify a password file which will be used by Postfix to establish authentication with Gmail using SASL authentication.
- Create file /etc/postfix/sasl_passwd
- Secure this file which has sensitive information (username/password of gmail account)
# chmod 600 /etc/postfix/sasl_passwd
- Configure Postfix. Add new configuration to this file /etc/postfix/main.cf
relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
- Use postmap to compile and hash the contents of sasl_passwd (postmap is tool used for actually creates the hash db file which postfix lookup information).
# postmap /etc/postfix/sasl_passwd
- Restart service postfix:
# systemctl restart postfix
- Enable "Less Secure Apps" In Gmail Account: On Google Admin console > Click Security > Basic settings .
- Send Test Mail Message To Gmail account:
# mail -s <Subject mail> <Receive mailbox>
> Type content of message and use combine key Ctrl+D to send it
2/Configure sudo send notify email when has sudo events:
- Add mailbox account receive notify email when has any user sudo event
- When user try to execute command by sudo system will use postfix SMTP Relay send mail to notify mailbox include some information about this event (username , hostname, timestamps,command which executed and PTY can used for kill session of user if neeed)
Example 1: User use sudo to execute command successful
Example 2: User sudo to execute command but type password wrong
II/Configure sudo log file location and sudo timer:
- Default sudo events log written to file /var/log/secure/ In RPM-based systems like CentOS and Red Hat and file /var/log/auth.log in Debian-based systems like Ubuntu.
- Add this configuration to change default sudo log file events
Defaults log_host, log_year, logfile=/var/log/sudo.log
- Set passwd_timeout (default is 5 minutes). This means that once a user performs one sudo command and enters a password, he or she can perform another sudo command within 5 minutes without having to enter the password again.