
...

Outlined here are the minimal security steps the Bonsai Framework uses in server builds. Given that these account names are published on the Internet you may want to change them; however, the exposure is greatly mitigated by using RSA SSH key based authentication instead of passwords.

Allow staff Group to sudo

New Ubuntu and Debian Approach

This approach ensures that system upgrades will not overwrite your changes.

From the sudoers man page:

Code Block
languagebash
#includedir /etc/sudoers.d
sudo will read each file in /etc/sudoers.d, skipping file names that end in ~ or contain a . character to avoid causing
problems with package manager or editor temporary/backup files.  Files are parsed in sorted lexical order.  That is,
/etc/sudoers.d/01_first will be parsed before /etc/sudoers.d/10_second.  Be aware that because the sorting is lexical, not
numeric, /etc/sudoers.d/1_whoops would be loaded after /etc/sudoers.d/10_second.  Using a consistent number of leading
zeroes in the file names can be used to avoid such problems.
Note that unlike files included via #include, visudo will not edit the files in a #includedir directory unless one of them
contains a syntax error.  It is still possible to run visudo with the -f flag to edit the files directly.

So rather than editing /etc/sudoers, we create a file, 01_bonsai_disable_password_auth, using the visudo command to ensure proper permissions and locking:

Code Block
languagebash
# Creates the file, locks it while it is being edited and validates it for syntax errors.
sudo visudo -f /etc/sudoers.d/01_bonsai_disable_password_auth

... in process of verifying this works ...
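The man page's ordering rule is easy to get wrong in a directory that has accumulated drop-ins over time. The following is an added example, not code from the Bonsai Framework page: it lists the files sudo would actually read from a sudoers.d directory in the order sudo reads them (byte-wise lexical sort, skipping names that end in ~ or contain a dot), flags the mixed-width numbering pitfall the man page describes, and installs a new drop-in only after visudo has checked its syntax. The function names sudoers_d_parse_order, sudoers_d_numbering_ok and install_sudoers_dropin are my own; the install function assumes it is run as root (for example via sudo sh).

```shell
#!/bin/sh
# Added example (not from the Bonsai Framework page): audit the parse order of a
# sudoers.d directory the way sudo's #includedir does, and install a drop-in safely.

# Print the drop-in files sudo would read from DIR, one per line, in the order
# sudo parses them: byte-wise lexical sort, skipping names that end in '~' or
# contain a '.' (editor backups and package-manager leftovers such as .dpkg-new).
sudoers_d_parse_order() {
    dir=$1
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        case $name in
            *~|*.*) continue ;;
        esac
        printf '%s\n' "$name"
    done | LC_ALL=C sort
}

# Return 0 when every numbered drop-in uses the same number of leading digits,
# 1 otherwise (e.g. 1_whoops next to 10_second sorts lexically, not numerically).
sudoers_d_numbering_ok() {
    widths=$(sudoers_d_parse_order "$1" \
        | sed -n 's/^\([0-9][0-9]*\).*/\1/p' \
        | awk '{ print length($0) }' \
        | sort -u | wc -l | tr -d ' ')
    [ "$widths" -le 1 ]
}

# Install a sudoers drop-in: write it to a temp file, have visudo check the
# syntax, then copy it into /etc/sudoers.d with the permissions sudo requires.
# Nothing under /etc/sudoers.d is touched until the check passes. Must run as root.
install_sudoers_dropin() {
    name=$1
    content=$2
    tmp=$(mktemp) || return 1
    printf '%s\n' "$content" >"$tmp"
    # root-owned and 0440 so that visudo versions which also check owner/mode are satisfied
    chown root:root "$tmp" && chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }
    if ! visudo -c -f "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$name"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Example usage (assumed file name, as root):
#   install_sudoers_dropin 01_enable_sudo_for_staff '%staff ALL=(ALL) ALL'
#   sudoers_d_numbering_ok /etc/sudoers.d || echo "warning: inconsistent numbering width"
```

Running sudoers_d_parse_order against /etc/sudoers.d on an existing box is a quick way to confirm that a drop-in is really loaded (a stray dot in the file name silently disables it) and that later files are not overriding earlier ones in an order you did not intend.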

Older Standard

Use account names associated with a person. For this example, I will be designating administrative users under the staff group. To see the list of groups available to you, use the command cat /etc/group.

Note

These steps assume that you are logged in with the initial Ubuntu user, which has sudo access. If you are using root instead, then you do not need to prefix any command with sudo.

The staff group does not have sudo access by default. To grant sudo access to the staff group,

Code Block
languagebash
sudo visudo

visudo launches your default editor to a special file. Add the following to the bottom of the file,

Code Block
languagebash
# Members of the staff group may gain root privileges
%staff ALL=(ALL) ALL

Naming Convention

You may want to understand the naming convention used here if you want to build your own. Otherwise, the examples are self-explanatory and we have not encountered any issues with them.

Create Catch-All serveradmin user

The purpose of serveradmin is to be the catch-all place to set up things like scripts. Depending on the requirements of your organization, it may also be used to manually set up software like application servers.

...

Also, the serveradmin account is limited in that it cannot use sudo. If an attacker compromises the application, sudo is still out of reach.

Finally, in order to easily use Zero Footprint, create serveradmin consistently (same GIDs and name) across all your systems.

Add the user and assign a password to that user,

...

Code Block
languagebash
sudo useradd -d /home/brian.hitch -m -g staff -u 2000 -c "Support Bryan Hitch" -s /bin/bash brian.hitch
sudo useradd -d /home/john.cassaday -m -g staff -u 2001 -c "Support John Cassaday" -s /bin/bash john.cassaday
sudo useradd -d /home/warren.ellis -m -g staff -u 2002 -c "Support Warren Ellis" -s /bin/bash warren.ellis


Options:
-b, --base-dir BASE_DIR base directory for the home directory of the new account
-c, --comment COMMENT GECOS field of the new account
-d, --home-dir HOME_DIR home directory of the new account
-D, --defaults print or change default useradd configuration
-e, --expiredate EXPIRE_DATE expiration date of the new account
-f, --inactive INACTIVE password inactivity period of the new account
-g, --gid GROUP name or ID of the primary group of the new account
-G, --groups GROUPS list of supplementary groups of the new account
-h, --help display this help message and exit
-k, --skel SKEL_DIR use this alternative skeleton directory
-K, --key KEY=VALUE override /etc/login.defs defaults
-l, --no-log-init do not add the user to the lastlog and faillog databases
-m, --create-home create the user's home directory
-M, --no-create-home do not create the user's home directory
-N, --no-user-group do not create a group with the same name as the user
-o, --non-unique allow to create users with duplicate (non-unique) UID
-p, --password PASSWORD encrypted password of the new account
-r, --system create a system account
-R, --root CHROOT_DIR directory to chroot into
-s, --shell SHELL login shell of the new account
-u, --uid UID user ID of the new account
-U, --user-group create a group with the same name as the user
-Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping
--extrausers Use the extra users database 

Notice the -u option, which sets the user's UID. We found it essential to standardize the UIDs of the accounts consistently across all our systems. Not doing so causes problems when it comes to cloning systems or moving programs across different environments. As a practice, we use the following UID ranges,

...

Additionally, we use the UID range 4000-4999 for clients who would send in staff to work on the servers. Since the number of users with this kind of access should not be too large, we can make the group blocks match the user blocks,

Group    Users
4000     RedClient1 = 4000
         RedClient2 = 4001
         RedClient3 = 4002
         RedClient5 = 4003
4010     BlueClient1 = 4010
         BlueClient2 = 4011
4020     GreenClient1 = 4020
         GreenClient2 = 4021
         GreenClient3 = 4022

Next, we add the staff users to the following groups,

...

Code Block
languagebash
sudo usermod -a -G adm brian.hitch
sudo usermod -a -G adm john.cassaday
sudo usermod -a -G adm warren.ellis

Note

When adding an existing user to an existing group the user must log out and log back in for changes to take effect.

...

Code Block
languagebash
sudo passwd brian.hitch
Enter new Unix password:
Reenter new Unix password:
passwd: password updated successfully
sudo passwd john.cassaday
sudo passwd warren.ellis
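The useradd, usermod and passwd steps above are the same for every staff account, and the value of the convention comes from never letting a UID drift between systems. Here is an added example, not the Bonsai Framework's own scripts, that wraps those three steps in one function which refuses to run if the login name or the UID is already allocated (checked through getent, so directory-backed users count too). It assumes the staff and adm groups exist, as they do on stock Ubuntu and Debian, and the DRY_RUN variable and function names create_staff_user, uid_in_use, user_exists and run are my own; with DRY_RUN=1 the commands are printed instead of executed so the plan can be reviewed without root.

```shell
#!/bin/sh
# Added example (not Bonsai Framework code): create a staff account with a fixed
# UID, add it to adm, and set its password, refusing to continue if the name or
# UID is already taken. DRY_RUN=1 prints the commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"      # arguments joined by spaces, for review only
    else
        sudo "$@"
    fi
}

# Exit status 0 if the UID is already allocated in the passwd database
# (getent consults NSS, so LDAP/SSSD users are seen as well), 1 otherwise.
uid_in_use() {
    getent passwd "$1" >/dev/null   # getent accepts a numeric UID as the key
}

user_exists() {
    getent passwd "$1" >/dev/null
}

# create_staff_user LOGIN UID "GECOS comment"
create_staff_user() {
    login=$1 uid=$2 gecos=$3
    if user_exists "$login"; then
        echo "error: user $login already exists" >&2
        return 1
    fi
    if uid_in_use "$uid"; then
        echo "error: uid $uid is already allocated to $(getent passwd "$uid" | cut -d: -f1)" >&2
        return 1
    fi
    # Same three steps as the page: fixed UID in the staff group, adm membership,
    # then an interactive password set (or skip this and install an SSH key).
    run useradd -d "/home/$login" -m -g staff -u "$uid" -c "$gecos" -s /bin/bash "$login" || return 1
    run usermod -a -G adm "$login" || return 1
    run passwd "$login"
}

# Example usage (constructed names from the page's convention):
#   create_staff_user brian.hitch 2000 "Support Bryan Hitch"
#   DRY_RUN=1 create_staff_user john.cassaday 2001 "Support John Cassaday"
```

Because the UID check happens before useradd runs, a clone of a system that already had UID 2000 assigned to someone else fails loudly instead of silently producing two systems where the same number means different people, which is exactly the problem the convention exists to prevent.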

Allow staff Group to sudo

Rather than editing /etc/sudoers directly with visudo, this approach uses a drop-in file under /etc/sudoers.d, which ensures that system upgrades will not overwrite your changes.

Download File Using tscripts

Download tscripts,

Code Block
languagebash
sudo su - root
cd /etc/sudoers.d/
sudo wget www.bonsaiframework.com/tscripts/01_enable_sudo_for_staff
sudo chmod o-r /etc/sudoers.d/01_enable_sudo_for_staff
exit


Manual Method

If you want to create the file manually,

Code Block
languagebash
# Locks the file for single user access (important in a multi-user system) and validates for syntax errors.
sudo visudo -f /etc/sudoers.d/01_bonsai_disable_password_auth

visudo launches your default editor to a special file. Add the following to the file,

Code Block
languagebash
# Members of the staff group may gain root privileges.
%staff ALL=(ALL) ALL


Going forward, make sure to use visudo (sudo visudo -f /etc/sudoers.d/01_bonsai_disable_password_auth) to edit the 01_bonsai_disable_password_auth file, to ensure proper permissions and locking.


Warning

At this point it is important to log out and log in with your staff account to continue any new work. This will allow for a proper audit trail of the system from this point forward.

...

remotebackup - User to create remote backups. The assigned UID will be 3001.

Code Block
languagebash
sudo useradd -d /home/remotebackup -m -g backup -u 3001 -c "Remote Backup" -s /bin/bash remotebackup

Create regular Users

If you would like to add regular users without giving them sudo access, follow the instructions below.

Create regular group

Code Block
languagebash
sudo addgroup support

Create users and add them to the group "support",

Code Block
languagebash
sudo useradd -d /home/tom.hitch -m -g support -u 2500 -c "Support Tom Hitch" -s /bin/bash tom.hitch
sudo useradd -d /home/rohan.cassaday -m -g support -u 2501 -c "Support Rohan Cassaday" -s /bin/bash rohan.cassaday
sudo useradd -d /home/dennis.ellis -m -g support -u 2502 -c "Support Dennis Ellis" -s /bin/bash dennis.ellis

Granting Non-staff User to use sudo with Certain Commands

...