On almost every Linux system sudo is central to access control. It allows administrators to delegate privileges without handing out the root password. Used properly, it enforces least privilege. Used poorly, it creates a false sense of security and leaves audit gaps.
This article sets out the best practices for configuring and managing sudo. The aim is to provide accountability, limit risk, and align with compliance frameworks.
1. Why sudo Matters
-
Control:
sudolets users run specific commands with elevated rights. -
Accountability: Actions are logged under the individual’s account rather than just “root”.
-
Compliance: ISO27001, NIST, and CIS benchmarks all reference privilege separation.
-
Risk: I’ve often come across environments where
sudorules are too broad, effectively handing root access to everyone!
2. Understanding the sudoers File
The configuration for sudo is stored in /etc/sudoers.
-
Always edit it with
visudoto prevent syntax errors. -
The file is structured with rules mapping users and groups to allowed commands.
Example basic entry:
alice ALL=(ALL) ALL
This gives user alice full root privileges. In practice, this is no better than giving out the root password.
3. Delegating Specific Commands
The strength of sudo is in restricting what users can do.
Example: allow members of the dbadmin group to restart PostgreSQL but nothing else:
%dbadmin ALL=(ALL) /bin/systemctl restart postgresql
This ensures database admins can manage their service without having full system rights.
4. Avoid Overuse of NOPASSWD
I sometimes see organisations using NOPASSWD, which removes the requirement to enter a password when using sudo:
%admins ALL=(ALL) NOPASSWD: ALL
This may improve convenience but eliminates an important security barrier. It also breaks the audit trail if the user’s password is never verified. Use NOPASSWD only for automation accounts, and document every exception.
5. Use Aliases for Clarity
For larger environments, sudoers files become complex. Aliases simplify management.
-
User_Alias – group multiple users.
-
Host_Alias – group systems.
-
Cmnd_Alias – group commands.
Example:
User_Alias ADMINS = alice, bob
Cmnd_Alias NETWORK = /bin/ip, /sbin/ifconfig
ADMINS ALL=(ALL) NETWORK
This is easier to maintain and reduces errors.
6. Control Environment Variables
By default, sudo can preserve some environment variables. Attackers may exploit this to escalate privileges.
Best practice is to use Defaults env_reset and explicitly allow only what is required:
Defaults env_reset
Defaults env_keep += "http_proxy https_proxy no_proxy"
This prevents dangerous variables being passed into privileged commands.
7. Logging and Audit
Every use of sudo is logged. On Debian/Ubuntu, logs are in /var/log/auth.log. On RHEL/CentOS, check /var/log/secure.
I advise enabling session logging for critical users:
Defaults log_output
Defaults!/bin/bash log_output
This records input and output of privileged commands, which is invaluable for investigations.
Centralise sudo logs by forwarding them to syslog or your SIEM. In one environment I worked with, this made the difference in quickly identifying which admin accidentally brought down a service.
8. Restrict Access by Group
Instead of writing rules for each user, manage membership via groups.
Example:
%wheel ALL=(ALL) ALL
Only users in the wheel group can run sudo. Group management is easier to audit and fits with compliance requirements for role-based access control.
9. Separate Duties
Where possible, apply separation of duties. For example:
-
Database admins should not have system-level sudo rights.
-
Network admins should not have database restart rights.
Mapping privileges to roles keeps environments compliant and reduces insider risk.
10. Secure the sudo Binary
Check the integrity of the sudo binary with your package manager. Attackers may attempt to replace it.
-
Use
rpm -V sudoon RHEL-based systems. -
Use
debsums sudoon Debian-based systems.
This should be included in regular file integrity monitoring.
11. PAM Integration
sudo integrates with Pluggable Authentication Modules (PAM).
-
Enforce password complexity with
pam_pwquality. -
Restrict login times with
pam_time. -
Add multi-factor authentication with PAM modules such as
pam_google_authenticator.
This strengthens sudo beyond basic username/password controls.
12. Regular Reviews
I recommend reviewing the sudoers configuration quarterly. Look for:
-
Rules granting
ALLpermissions. -
Unused user or group entries.
-
Automation accounts with NOPASSWD enabled.
Removing stale or excessive rules is just as important as writing new ones.
Conclusion
sudo is one of the simplest yet most important security controls in Linux. When I audit systems, poorly configured sudo rules are common and often amount to uncontrolled root access.
By restricting commands, enforcing accountability through logging, and reviewing rules regularly, organisations can make sudo an effective tool for least privilege. In my view, no Linux environment is secure until sudo has been properly configured and audited.
Security gaps in Linux and cloud systems risk downtime, data compromise, lost business — and compliance failures.
With 20+ years’ experience and active UK Security Check (SC) clearance, I harden Linux and cloud platforms for government, corporate, and academic sectors — ensuring secure, compliant, and resilient infrastructure.
No related posts.