How to Restrict Access to Sudo Commands in Debian 12 Bookworm

Learn how to restrict access to sudo commands in Debian 12 Bookworm

Introduction

The sudo command in Debian 12 Bookworm allows authorized users to execute commands as another user, typically root. A user who may run any command as root is, for practical purposes, root, so unrestricted sudo access turns one compromised account into a compromised system. Restricting what each user or group can run through sudo, and recording what they actually run, limits that blast radius.

In this guide, we will explore various methods to control sudo command access in Debian 12, including managing sudoers configurations, using user groups, limiting command execution, and employing logging and auditing techniques.

1. Understanding the Sudoers File

The sudoers policy, located at /etc/sudoers, defines who can run which commands, as which target user, on which hosts. Debian's default file ends with @includedir /etc/sudoers.d, so site-specific rules normally go into drop-in files in that directory rather than into /etc/sudoers itself. Do not edit either with a plain editor: the visudo command locks the file, checks the syntax before saving, and refuses to install a broken file, which would otherwise lock every administrator out of sudo. Keep in mind that when several rules match a request, the last matching rule wins, so the order of rules matters.

To edit the main file safely, run the following (use visudo -f /etc/sudoers.d/NAME to edit a drop-in the same way):

sudo visudo

2. Restricting Sudo Access by User or Group

2.1. Granting Sudo Access to Specific Users

If only certain users should be able to run sudo commands, define them explicitly in the sudoers file. The following grants username the right to run any command, as any user, on any host, which is full root:

username ALL=(ALL) ALL

To restrict a user to specific commands, replace the trailing ALL with an explicit list. Arguments are matched literally, so the rule below permits exactly systemctl restart apache2 and no other systemctl invocation:

username ALL=(ALL) NOPASSWD: /usr/bin/apt, /usr/bin/systemctl restart apache2

This allows username to run apt and restart the Apache2 service. NOPASSWD is independent of the command restriction and only removes the password prompt; drop it if the user should still authenticate. Be careful which commands go on the list: /usr/bin/apt with no arguments allows any apt invocation, and apt can install arbitrary packages and run commands through its configuration options, so that entry is effectively root. Likewise, /usr/bin/systemctl without arguments would let the user reach a root shell through the pager that systemctl status and similar subcommands open. The (ALL) in parentheses allows the commands to be run as any target user; use (root) if root is all that is needed. Prefer the narrowest command and argument list that does the job.

2.2. Using Groups to Manage Sudo Access

Instead of granting sudo privileges to individual users, manage them through groups. Debian's default sudoers contains %sudo ALL=(ALL:ALL) ALL, so every member of the sudo group gets unrestricted root. To add a user to it:

sudo usermod -aG sudo username

To give a group only a limited set of commands, create a dedicated group instead of reusing sudo:

sudo groupadd limitedsudo
sudo usermod -aG limitedsudo username

Then define that group's permissions in sudoers (the leading % marks a group name rather than a user):

%limitedsudo ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx

3. Restricting Specific Commands

sudoers lets you subtract commands from a grant with the ! operator, and the syntax looks like a natural way to forbid a handful of dangerous commands. The sudoers manual warns, however, that this is not an effective restriction: a user who is otherwise allowed ALL can run the same program under another name (by copying the binary, or through a different path such as /usr/bin/systemctl poweroff), or simply start a root shell and reboot from there. The rule is shown here for completeness:

username ALL=(ALL) ALL, !/sbin/shutdown, !/sbin/reboot

It blocks exactly those two paths and nothing else. For real restriction, invert the approach: list what the user may run (Section 2.1) rather than what they may not, and never combine ALL with negations.

4. Creating Command Aliases for Easier Management

To keep rules readable, define command aliases (Cmnd_Alias) in the sudoers file and reference them from user or group entries. For example:

Cmnd_Alias WEBADMIN = /usr/bin/systemctl restart apache2, /usr/bin/systemctl restart nginx
username ALL=(ALL) NOPASSWD: WEBADMIN

The same alias can be referenced from several user and group rules, so changing the allowed command set means editing one line, and reviewers can see at a glance what a role is permitted to do.

5. Logging and Monitoring Sudo Usage

5.1. Enabling Logging

Every sudo invocation, whether it is allowed, refused, or fails authentication, is logged through syslog with the authpriv facility, including the invoking user, the target user, the working directory and the full command line. A fresh Debian 12 installation does not include rsyslog, so these messages are kept in the systemd journal and can be read with journalctl -t sudo; /var/log/auth.log exists only once rsyslog has been installed. Where auth.log is present, you can follow sudo usage live with:

tail -f /var/log/auth.log

To search for specific sudo activity:

grep 'sudo' /var/log/auth.log

The refusals are the interesting lines: "command not allowed" means a rule exists but does not cover the requested command, "user NOT in sudoers" means no rule matches at all, and "incorrect password attempts" is a sign of password guessing against an account that does have sudo rights.
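Grepping for "sudo" shows everything; what an operator actually wants is the refusals and any successful root command outside the expected set. The script below is an added example, not from the original article: two shell functions that parse sudo's syslog-format lines, fed here from constructed sample lines (made up for the example, not captured from a real host) and in practice from journalctl -t sudo or /var/log/auth.log. The host name web1, the user names and the allowlist regular expression are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): pick out sudo denials and
# unexpected root commands from sudo's syslog-format log lines. Feed it with
#   journalctl -t sudo --no-pager | sudo_denials
# on Debian 12, or with /var/log/auth.log where rsyslog is installed.
set -eu

# Constructed sample lines (made up for this example, not from a real host).
# Successful invocations read "user : TTY=..."; refusals carry a reason first.
SAMPLE_LOG='Mar 14 10:01:02 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart apache2
Mar 14 10:01:40 web1 sudo:    alice : command not allowed ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl status apache2
Mar 14 10:02:11 web1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 14 10:03:05 web1 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/apt install nmap
Mar 14 10:04:30 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 14 10:05:12 web1 sudo:     dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/bash'

# Read log lines on stdin; print "user<TAB>reason<TAB>command" for each refusal.
sudo_denials() {
    awk '/ sudo: / && /command not allowed|NOT in sudoers|incorrect password attempts/ {
        # the token after "sudo:" is the invoking user, the reason sits between
        # " : " and the first " ; ", and the command follows "COMMAND="
        user = $0;   sub(/.* sudo: +/, "", user);           sub(/ :.*/, "", user)
        reason = $0; sub(/.* sudo: +[^ ]+ : /, "", reason); sub(/ ; .*/, "", reason)
        cmd = $0;    sub(/.*COMMAND=/, "", cmd)
        printf "%s\t%s\t%s\n", user, reason, cmd
    }'
}

# Read log lines on stdin; print "user<TAB>command" for every successful sudo
# command whose COMMAND does not match the ERE in $1 (the expected allowlist).
# A hit means a rule is broader than intended or an account is over-privileged.
sudo_unexpected() {
    allow="$1"
    awk -v allow="$allow" '/ sudo: +[^ ]+ : TTY=/ {
        user = $0; sub(/.* sudo: +/, "", user); sub(/ :.*/, "", user)
        cmd = $0;  sub(/.*COMMAND=/, "", cmd)
        if (cmd !~ allow) printf "%s\t%s\n", user, cmd
    }'
}

# Example run over the constructed lines:
#   printf '%s\n' "$SAMPLE_LOG" | sudo_denials
#   printf '%s\n' "$SAMPLE_LOG" | sudo_unexpected '^/usr/bin/systemctl (restart|reload) (apache2|nginx)$'
```

On the sample, sudo_denials reports alice's attempt at the uncovered systemctl status, bob's failed password attempts and carol's attempt without any rule, while sudo_unexpected flags only dave's root shell: the systemctl restarts by alice match the allowlist and are silent. The allowlist regex should mirror the Cmnd_Alias you actually deployed, so that any successful command outside it is a finding rather than noise.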

5.2. Using AuditD for Advanced Logging

For a record that does not depend on sudo's own logging, install auditd (the audispd-plugins package adds forwarding plugins, for example for remote logging):

sudo apt install auditd audispd-plugins -y

Add a rule that records every execution of the sudo binary by a logged-in user; auid>=1000 skips system accounts and auid!=4294967295 skips processes that have no login UID, such as daemons:

sudo auditctl -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k restricted-sudo

Rules loaded with auditctl do not survive a reboot; put the same rule (without the leading sudo auditctl) in a file under /etc/audit/rules.d/ and run augenrules --load to make it persistent. Matching events can then be listed with ausearch -k restricted-sudo -i. This records that sudo was executed, by whom and with which arguments; whether sudo granted the request is still answered by the sudo log from Section 5.1.

6. Disabling Root Access via Sudo

sudoers is an allowlist: a user who matches no rule cannot use sudo at all. The reliable way to stop a user escalating to root is therefore to remove every grant they have, not to add a denying rule: take them out of the sudo group (gpasswd -d username sudo) and out of any custom group that carries a sudo rule, delete any per-user entry from /etc/sudoers and /etc/sudoers.d, and confirm the result with sudo -l -U username, which lists what the user may still run. A denying entry is sometimes suggested instead:

username ALL=(ALL:ALL) ALL, !ALL

Within this one rule the trailing !ALL matches last and so denies every command, but it only has that effect if it is also the last rule in the whole policy that matches the user. If a later rule, such as the default %sudo line or a drop-in in /etc/sudoers.d, still matches, that later rule wins and the user keeps their access. Removing the grants and verifying with sudo -l avoids that trap.

Conclusion

Restricting sudo access in Debian 12 Bookworm is a critical security practice. By managing sudoers configurations, limiting command execution, and enforcing logging and auditing, you can significantly reduce security risks while maintaining necessary administrative flexibility. Always review and refine sudo rules to align with best security practices and organizational policies.