Configuring sudo Options Properly

  • Set the targetpw option in /etc/sudoers so that sudo asks for the password of the target user (for example, root) by default instead of the invoking user's own password. Without it, any user who has been given a sudo rule can run commands as root by entering only their own password. This option is not set by default; you are advised to add it.

    Run the cat /etc/sudoers | grep -E "^[^#]*Defaults[[:space:]]+targetpw" command to check whether an active (uncommented) Defaults targetpw or Defaults rootpw configuration item exists. If neither exists, add the item under the #Defaults specification section of the /etc/sudoers file.

  • Prevent ordinary users or groups from obtaining unrestricted root privileges, that is, the ability to run any command as root.

    Run the cat /etc/sudoers command to check whether the /etc/sudoers file contains (ALL) ALL or (ALL:ALL) ALL rules for users or groups other than root, that is, rules other than root ALL=(ALL:ALL) ALL and root ALL=(ALL) ALL. For example, if user ALL=(ALL) ALL, %admin ALL=(ALL) ALL, or %sudo ALL=(ALL:ALL) ALL exists, determine whether to delete it based on actual service requirements.
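The following POSIX shell script is an added example, not part of the original guide or of any vendor tool, that automates both checks above against a sudoers file: it looks for an active Defaults targetpw or Defaults rootpw item and lists every rule that grants (ALL) ALL or (ALL:ALL) ALL to a principal other than root. It goes slightly beyond the guide's grep by also accepting rootpw, a comma-separated Defaults list, and rules carrying a tag such as NOPASSWD:. The function names, the temporary file paths, and the sample sudoers contents are all constructed for illustration; run it against /etc/sudoers (as root) to audit a real system, and make any change with visudo, which checks the syntax before saving.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a sudoers file for the
# two hardening items above. Paths and sample contents below are constructed.

# check_targetpw FILE
# Exit 0 if an active (uncommented) Defaults line sets targetpw or rootpw,
# 1 otherwise. Also accepts a comma-separated list such as
# "Defaults env_reset, targetpw"; a negated "!targetpw" does not count.
check_targetpw() {
    grep -Eq '^[^#]*Defaults[[:space:]]+([^#]*,[[:space:]]*)?(targetpw|rootpw)([[:space:]]*,|[[:space:]]*$)' "$1"
}

# list_broad_rules FILE
# Print every active rule of the form "<principal> ALL=(ALL) ALL" or
# "<principal> ALL=(ALL:ALL) ALL" whose principal is not root. Optional tags
# such as "NOPASSWD:" between the runas list and the command are tolerated.
list_broad_rules() {
    grep -E '^[^#]*[[:space:]]ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]+([A-Z]+:[[:space:]]*)*ALL[[:space:]]*$' "$1" \
        | grep -Ev '^[[:space:]]*root[[:space:]]'
}

# audit_sudoers FILE
# Run both checks, print a finding per check, return 0 only if both pass.
audit_sudoers() {
    status=0
    if check_targetpw "$1"; then
        echo "OK:   targetpw/rootpw is set in $1"
    else
        echo "FAIL: no active 'Defaults targetpw' or 'Defaults rootpw' in $1"
        status=1
    fi
    broad=$(list_broad_rules "$1" || true)
    if [ -n "$broad" ]; then
        echo "FAIL: non-root principals with unrestricted root access in $1:"
        printf '%s\n' "$broad" | sed 's/^/        /'
        status=1
    else
        echo "OK:   no non-root (ALL) ALL or (ALL:ALL) ALL rules in $1"
    fi
    return "$status"
}

# Demonstration on two constructed sudoers files (never edit /etc/sudoers
# by hand; apply changes with visudo so the syntax is validated first).
SAMPLE_DIR=$(mktemp -d)

# Weak configuration: targetpw only present as a comment, broad group rules.
cat > "$SAMPLE_DIR/sudoers.weak" <<'EOF'
## Defaults specification
Defaults env_reset
#Defaults targetpw
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
alice ALL=(ALL) NOPASSWD: ALL
bob ALL=(ALL) /usr/bin/systemctl status *
EOF

# Hardened configuration: targetpw set, only root keeps the unrestricted rule,
# bob keeps a narrowly scoped command.
cat > "$SAMPLE_DIR/sudoers.hardened" <<'EOF'
## Defaults specification
Defaults env_reset, targetpw
root ALL=(ALL:ALL) ALL
bob ALL=(ALL) /usr/bin/systemctl status *
EOF

audit_sudoers "$SAMPLE_DIR/sudoers.weak"
echo
audit_sudoers "$SAMPLE_DIR/sudoers.hardened"

rm -rf "$SAMPLE_DIR"
```

On the weak sample the audit reports the missing Defaults item and lists %admin, %sudo and alice; root's own rule and bob's single-command rule are not reported. The hardened sample passes both checks.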