...
Outlined here are the minimal security steps the Bonsai Framework uses in server builds. Because these account names are published on the Internet you may want to change them; however, the risk is greatly mitigated by RSA SSH key based authentication.
Allow staff Group to sudo
Rather than editing /etc/sudoers with visudo directly, this approach drops a file into /etc/sudoers.d, which ensures that system upgrades will not overwrite your changes.
Download File Using tscripts
Download the tscripts file and copy it into /etc/sudoers.d:

```bash
cd ~
wget http://www.bonsaiframework.com/tscripts/01_enable_sudo_for_staff
sudo cp 01_enable_sudo_for_staff /etc/sudoers.d/
rm 01_enable_sudo_for_staff
```
Manual Method
If you want to create the file manually:

```bash
# Locks the file and validates it for syntax errors.
sudo visudo -f /etc/sudoers.d/01_bonsai_disable_password_auth
```
visudo launches your default editor on a special file. Add the following to the file:

```
# Members of the staff group may gain root privileges.
%staff ALL=(ALL) ALL
```
Going forward, make sure to use visudo to edit the 01_bonsai_disable_password_auth file, so that proper permissions and locking are maintained.
Naming Convention
You may want to understand the naming convention used here if you want to build your own files. Otherwise, the examples are self-explanatory and we have not encountered any issues with them.
...
```bash
sudo passwd brian.hitch
Enter new Unix password:
Reenter new Unix password:
passwd: password updated successfully
sudo passwd john.cassaday
sudo passwd warren.ellis
```
Warning: At this point it is important to log out and log back in with your staff account before continuing any new work. This provides a proper audit trail of the system from this point forward.
...
```bash
sudo useradd -d /home/remotebackup -m -g backup -u 3001 -c "Remote Backup" -s /bin/bash remotebackup
```
Create regular Users
If you would like to add regular users without giving them sudo access, follow the instructions below.
Create regular group
```bash
sudo addgroup support
```
Create users and add them to group "support"
```bash
sudo useradd -d /home/tom.hitch -m -g support -u 2500 -c "Support Tom Hitch" -s /bin/bash tom.hitch
sudo useradd -d /home/rohan.cassaday -m -g support -u 2501 -c "Support Rohan Cassaday" -s /bin/bash rohan.cassaday
sudo useradd -d /home/dennis.ellis -m -g support -u 2502 -c "Support Dennis Ellis" -s /bin/bash dennis.ellis
```
Granting Non-staff User to use sudo with Certain Commands
...
```
bob ALL=(root) NOPASSWD: /bin/mkdir, /usr/bin/find
```
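As an added example (not part of the Bonsai Framework tscripts), here is a small Python audit script that parses the two kinds of sudoers entry shown on this page, the group-wide `%staff ALL=(ALL) ALL` line and the command-restricted `bob` line, and checks the file naming rule sudo applies to /etc/sudoers.d: drop-ins whose name contains a dot or ends in `~` are silently skipped, so a misnamed file never takes effect. The function names are my own and the sample drop-in is constructed from the page's lines.

```python
import re
from dataclasses import dataclass

# Subset of sudoers syntax used on this page:  who host=(runas) TAG: cmd, cmd
ENTRY_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>\S.*?)\s*$"
)

@dataclass
class Entry:
    who: str      # user name, or %group
    host: str
    runas: str    # target user(s); sudo defaults to root when omitted
    tags: tuple   # e.g. ("NOPASSWD",)
    cmds: tuple   # command list, or ("ALL",)

def dropin_name_ok(name: str) -> bool:
    """sudo skips /etc/sudoers.d files whose name contains '.' or ends in '~'
    (editor backups, package-manager leftovers); such a drop-in never applies."""
    return "." not in name and not name.endswith("~")

def parse_sudoers(text: str) -> list:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparsed sudoers line: {line!r}")
        tags = tuple(t.strip() for t in m["tags"].split(":") if t.strip())
        cmds = tuple(c.strip() for c in m["cmds"].split(","))
        entries.append(Entry(m["who"], m["host"], m["runas"] or "root", tags, cmds))
    return entries

def audit(entries) -> dict:
    """Map each principal to a note a reviewer should read before deploying."""
    notes = {}
    for e in entries:
        if "ALL" in e.cmds and "NOPASSWD" in e.tags:
            notes[e.who] = "unrestricted root without a password"
        elif "ALL" in e.cmds:
            notes[e.who] = "unrestricted root (password required)"
        elif "NOPASSWD" in e.tags:
            notes[e.who] = "passwordless sudo for: " + ", ".join(e.cmds)
    return notes

SAMPLE = """\
# Members of the staff group may gain root privileges.
%staff ALL=(ALL) ALL
bob ALL=(root) NOPASSWD: /bin/mkdir, /usr/bin/find
"""  # constructed sample: both entries from this page in one drop-in
```

Run `audit(parse_sudoers(SAMPLE))` to see a one-line summary per principal, and `dropin_name_ok` on each file name before copying it into /etc/sudoers.d.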