Hardening Security For Sudo Configuration On Red Hat/Centos


Posted by vmt1991 on 24 Jan 2021
Linux-Unix


I/ Configure notification mail to the admin on every sudo action:

1/ Configure Postfix as an SMTP relay to Gmail:

- Configure Postfix on CentOS 8 as an SMTP smart host (relay host) that passes outbound mail on to another mail server.

- Create or modify the password file that Postfix uses to authenticate to Gmail via SASL.

- Create the file /etc/postfix/sasl_passwd

- Restrict permissions on this file, as it holds sensitive information (the username and password of the Gmail account):

# chmod 600 /etc/postfix/sasl_passwd

- Configure Postfix. Add the following configuration to /etc/postfix/main.cf:

relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt

- Use postmap to compile sasl_passwd into a hash database (postmap creates the .db file that Postfix actually looks up):

# postmap /etc/postfix/sasl_passwd

- Restart the postfix service:

# systemctl restart postfix

- Enable "Less Secure Apps" in the Gmail account: in the Google Admin console, click Security > Basic settings.

- Send a test mail message to the Gmail account:

# mail -s "<subject>" <recipient mailbox>

> Type the message body, then press Ctrl+D to send it.

2/ Configure sudo to send a notification email on sudo events:

- Add the mailbox that receives a notification email whenever any user triggers a sudo event:

# visudo

Defaults mailto="monitorsystemmail@gmail.com"

Defaults mail_always

Defaults mail_badpass

- When a user tries to execute a command through sudo, the system uses the Postfix SMTP relay to send a notification to that mailbox. The mail includes details of the event: username, hostname, timestamp, the command executed, and the PTY, which can be used to kill the user's session if needed.

Example 1: a user runs a command with sudo successfully

Example 2: a user runs a command with sudo but types the wrong password

II/ Configure the sudo log file location and the sudo timer:

- By default, sudo events are logged to /var/log/secure on RPM-based systems like CentOS and Red Hat, and to /var/log/auth.log on Debian-based systems like Ubuntu.

- Add this configuration to change the default sudo event log file:

# visudo

Defaults log_host, log_year, logfile=/var/log/sudo.log
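A parser for the log these Defaults produce, added here as an example (not code from the original post): it joins sudo's wrapped continuation lines, reads the KEY=value fields, and treats any segment that is not KEY=value as sudo's failure reason, so bad-password and user-not-in-sudoers entries can be picked out for alerting. The sample entries, user names and the host web01 are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of /var/log/sudo.log as written with "Defaults log_host, log_year,
# logfile=/var/log/sudo.log"; sudo wraps long entries at loglinelen (80), continuation indented.
SAMPLE_LOG = """\
Jan 24 10:01:12 2021 : vmt : HOST=web01 ; TTY=pts/0 ; PWD=/home/vmt ; USER=root ; COMMAND=/usr/bin/id
Jan 24 10:02:40 2021 : vmt : HOST=web01 ; 3 incorrect password attempts ; TTY=pts/0 ;
    PWD=/home/vmt ; USER=root ; COMMAND=/usr/bin/systemctl stop firewalld
Jan 24 10:03:05 2021 : guest : HOST=web01 ; user NOT in sudoers ; TTY=pts/1 ; PWD=/home/guest ; USER=root ; COMMAND=/bin/bash
"""

HEADER_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : (?P<user>\S+) : (?P<rest>.*)$")

@dataclass
class SudoEvent:
    timestamp: str                  # "Jan 24 10:02:40 2021"; the year is there because of log_year
    user: str                       # who invoked sudo
    fields: Dict[str, str]          # HOST, TTY, PWD, USER (target), COMMAND
    message: Optional[str] = None   # sudo's failure reason; None on success

def unwrap(text: str) -> List[str]:
    """Join indented continuation lines back onto the entry they belong to."""
    entries: List[str] = []
    for line in text.splitlines():
        if line[:1].isspace() and entries:
            entries[-1] += " " + line.strip()
        elif line.strip():
            entries.append(line.rstrip())
    return entries

def parse_entry(entry: str) -> Optional[SudoEvent]:
    m = HEADER_RE.match(entry)
    if m is None:
        return None
    # COMMAND= is always last and may itself contain " ; ", so split it off first.
    head, sep, command = m.group("rest").partition("COMMAND=")
    fields, message = ({"COMMAND": command} if sep else {}), None
    for seg in filter(None, (s.strip() for s in head.split(" ; "))):
        key, eq, val = seg.partition("=")
        if eq and key.isupper():
            fields[key] = val
        else:
            message = seg           # e.g. "3 incorrect password attempts"
    return SudoEvent(m.group("ts"), m.group("user"), fields, message)

def failed_attempts(text: str) -> List[SudoEvent]:
    """Entries worth alerting on: bad passwords, users not in sudoers, denied commands."""
    return [ev for ev in map(parse_entry, unwrap(text)) if ev and ev.message]
```

Feed it the file named in logfile= and forward the returned events to whatever alerting you already use; the successful entries stay available through parse_entry for auditing.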

- Set passwd_timeout (the default is 5 minutes). This means that once a user has run one sudo command and entered a password, they can run another sudo command within 5 minutes without entering the password again.

# visudo

Defaults passwd_timeout=3